Amazon's Cloud Is Full of Holes

CmdrTaco posted about 2 years ago | from the so-are-donuts-and-they-are-delicious dept.

Cloud 66

itwbennett writes "Amazon's Web Services is so easy to use that customers create virtual machines without following Amazon's 'very detailed' security guidelines, says Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt. Most notably, Schneider and his fellow researchers found that the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines. '[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."


66 comments

How does that mean it is full of holes? (1)

Ignominous (2105114) | about 2 years ago | (#36515790)

I don't get it. It's more like sending a letter to someone with your housekeys in the envelope.

Re:How does that mean it is full of holes? (0)

Anonymous Coward | about 2 years ago | (#36515836)

Not just that - it's like sending your house keys to someone and then blaming the post office, even when the post office has a sign that says "DON'T MAIL YOUR HOUSE KEYS."

Re:How does that mean it is full of holes? (0)

Anonymous Coward | about 2 years ago | (#36515906)

It means it's like your sister, ready and willing to give her cookies away to any and all.

Re:How does that mean it is full of holes? (-1)

Anonymous Coward | about 2 years ago | (#36516130)

And she's also full of holes. (I've been in every one of them.)

Re:How does that mean it is full of holes? (0)

Anonymous Coward | about 2 years ago | (#36515968)

I agree, the subject and the actual content of the article do not match. It's not "Amazon Cloud"s fault that users who decide to publish their AMIs (modified instances) forget to remove credential data.

Re:How does that mean it is full of holes? (3, Insightful)

ChrisKnight (16039) | about 2 years ago | (#36516054)

No, your example posits a situation where you are privately sending your physical keys to a known individual in a 1:1 transaction. Apples to oranges.

The situation being described is where people build server images, and then publish them to share, without first having stripped them of their security keys.

A better comparison is if you wrote up an email for your dog walker with very detailed instructions on how to take care of your dog and you included the security code for your alarm. Then, you thought it would be a terrific idea to share your great dog walking tips with an email list and forwarded your original email without editing out your security code. Now anyone who accesses your dog walking tips has access to your house.

Re:How does that mean it is full of holes? (2)

ep32g79 (538056) | about 2 years ago | (#36516184)

Your analogy is confusing. Can I get one with cars?

Re:How does that mean it is full of holes? (2)

vlm (69642) | about 2 years ago | (#36516270)

Your analogy is confusing. Can I get one with cars?

A better comparison is if you wrote up an email for your driver with very detailed instructions on how to run over a dog and you included the security code for your garage door. Then, you thought it would be a terrific idea to share your great dog running over tips with an email list and forwarded your original email without editing out your garage door code. Now anyone who accesses your dog running over tips has access to your garage.

Better now?

Re:How does that mean it is full of holes? (1)

ajs (35943) | more than 2 years ago | (#36572612)

A better comparison is if...

A better comparison is you left your damned storage keys in your published machine image. This is a security blunder. That security key is, in simplistic terms, a password. Don't give out your passwords on the Web.

This has nothing to do with the security of Amazon's infrastructure or services.

Re:How does that mean it is full of holes? (1)

blair1q (305137) | about 2 years ago | (#36516286)

They're building their own cars using plans and parts from Amazon, and leaving the keys in the plastic bag that was taped to the top of the sunroof at the factory.

Re:How does that mean it is full of holes? (1)

blair1q (305137) | about 2 years ago | (#36516336)

Albeit, it's not taped to the top of the sunroof; it's more like it's stuffed in a dark magnetized box in one of the bumpers, so you never notice it if you aren't looking for it, but anyone else who's built one correctly knows exactly where to check when they see your car in the parking lot at the mall.

Re:How does that mean it is full of holes? (1)

brantondaveperson (1023687) | more than 2 years ago | (#36522016)

Wrong use of 'Albeit'. You probably meant 'Although' or just 'Though'.

'Albeit' is kind of a shortened form of 'All be it'. For instance;

"It was sunny, albeit rather cold and windy."

Not trying to be snotty, though I'm sure it comes off that way. Just trying to help.

And can we stop with the analogies already? - we are computer professionals for the most part and don't need analogies to understand what it means to leave your private keys in a publicly accessible spot. Yours was a rather good one, but really, we don't need them and we just end up with threads in which the only topic of conversation is which imaginary scenario involving cars or flaming dogs or whatever most closely resembles the matter under discussion.

Re:How does that mean it is full of holes? (1)

blair1q (305137) | more than 2 years ago | (#36531592)

Er, http://www.etymonline.com/index.php?search=albeit&searchmode=none [etymonline.com]

You don't really want to know what onelook.com has to say about it either.

I did kind of misuse it to mean "on the contrary" rather than "in spite of", which is its more accurate sense.

And you'll never get rid of analogies the way you'll never get rid of people who want to drive their cars despite the noise, cost, danger, waste, and pollution.

Re:How does that mean it is full of holes? (1)

myurr (468709) | about 2 years ago | (#36516316)

Let's say your dog has a car but because he doesn't have opposable thumbs he struggles to use a key. Instead the car is fitted with a dog paw sized keypad that allows him to type an entry code in to gain access to the car and start the engine. Thinking that this setup is the bees knees your dog posts the details of this system on his blog, but includes his key code. Now any other man or his dog who reads this blog post will be able to access your dog's car.

No, here's an example of why this is a problem (1)

hellfire (86129) | about 2 years ago | (#36516302)

It's actually like a building company selling prefab bank buildings, and then selling it to your local bank, and the bank forgot to lock the back door they used to get into the building all the while inviting you to come into their new fangled ultra safe and secure bank where you can store personal stuff.

The problem is that Amazon gave someone a super easy way to set up a site... so easy, even idiots can set it up. And idiots will set it up and forget to close the back door, and those idiots will sell services and what not with users who log in using a customer ID and password, and then someone can come in and steal it using a very basic back door. The problem is that it's too easy to forget to do or completely ignore this last part. That's what needs to be fixed.

This is a process problem that makes it too easy for users to shoot themselves in the foot. Sure, those who bought web services should know better, but that doesn't mean Amazon bears no responsibility to make it easier to secure the site. In terms of managing risk, it's too likely that people will forget to secure this. Amazon, logically, has a responsibility to minimize this risk through any number of means, like an education program to its hosted companies, a redesigned tool, or something similar. But by putting this 100% on the customer fails to acknowledge that the problem is not necessarily people, but the process.

Re:How does that mean it is full of holes? (2)

chemicaldave (1776600) | about 2 years ago | (#36516622)

Bad phrasing. When they say Amazon's cloud they really mean the customers in the cloud, not Amazon themselves.

Re:How does that mean it is full of holes? (1)

JamesTKirk (876319) | about 2 years ago | (#36517014)

It's more like tweeting a picture of your bulging underwear to everyone rather than sending it privately to just one person.

So, Amazon not actually full of holes (0)

Anonymous Coward | about 2 years ago | (#36515806)

But some users are sloppy and thus are.

Configure things poorly and... (0)

Anonymous Coward | about 2 years ago | (#36515852)

they will suck.

- Love, Every Technology Vendor Ever

Please get better names. (0)

Anonymous Coward | about 2 years ago | (#36515866)

Thomas Schneider, Bruce Schneier - it's all too confusing for us mortals. One of you needs to change his name to Mr. Security McSmartypants.

ah cloud storage.... (0)

Anonymous Coward | about 2 years ago | (#36515886)

with many cloud providers try buying a large chunk of disk space with ur VM and see what standard data recovery tools can do ....and what previous customers leave behind.

Known issue (3, Informative)

Mullen (14656) | about 2 years ago | (#36515946)

This is a known issue and when Amazon.com finds out that certain AMIs have preinstalled root ssh keys, they send you an email letting you know, along with instructions on how to remove the root ssh key. Non-issue.

Re:Known issue (1)

Slashdot Parent (995749) | about 2 years ago | (#36518928)

Actually, this sounds like users leaving their AWS API keys on public AMIs. This could be a very expensive mistake for the AMI creators!

Amazon provides ways to mitigate this risk. For instance:

  1. You are allowed to revoke keys. If you think you might have put your keys on a public AMI, even if you deleted those keys, you should revoke the keys immediately. Remember, deleting is different from wiping.
  2. You can use Identity and Access Management (IAM) to limit the functions that a given API keypair is authorized to perform. This is extremely good practice, especially if you ever need to have keys on an instance (after all, what happens if your instance is hacked and the attacker is able to retrieve your keys?) As an example of this, all of my instances snapshot all of their EBS volumes at regular intervals. I created a keypair specifically for this function, and all those credentials are allowed to do is create snapshots. So if some attacker is able to obtain my keypair, the worst he could do with them is create a bunch of snapshots (assuming he can guess some of my EBS volume IDs).

But I agree with the basic premise of the article: AWS has some pretty serious pitfalls for those who haven't yet fully ascended the learning curve!
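Added example (not part of the original thread and not any commenter's or Amazon's code): a pre-publish check that walks the root filesystem of an image you are about to share and reports leftover credential material of the kind discussed above, namely AWS access key IDs, PEM private keys and non-empty `authorized_keys` files. The pattern set, the file-name list and the sample tree are assumptions constructed for illustration; the key ID used is the placeholder from AWS documentation.

```python
import os
import re
import tempfile

# Content patterns for credential material (assumed set; extend for your stack).
CONTENT_PATTERNS = {
    "aws-access-key-id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(
        rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Files that should be absent or empty on a published image (assumed list).
SENSITIVE_NAMES = {"authorized_keys", ".bash_history"}
MAX_BYTES = 1024 * 1024  # read at most 1 MiB per file


def scan_image_root(root):
    """Return sorted (relative_path, finding) pairs for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the image tree
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if name in SENSITIVE_NAMES and data.strip():
                findings.append((rel, "sensitive-file-not-empty"))
            for label, pattern in CONTENT_PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_tree(root):
    """Write a small constructed image tree (no real credentials)."""
    samples = {
        "etc/motd": "Welcome to the demo image\n",
        "home/ubuntu/.s3cfg": "access_key = AKIAIOSFODNN7EXAMPLE\n",
        "home/ubuntu/backup.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
        "root/.ssh/authorized_keys": "ssh-rsa AAAAconstructed publisher@example\n",
        "root/.bash_history": "",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_image_root(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:26} {rel}")
```

A clean result only covers files still present in the tree: it says nothing about data that was deleted but not wiped, and any key that was ever on a published image still needs to be revoked, as the comment above points out.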

Re:Known issue (1)

kmac06 (608921) | about 2 years ago | (#36521952)

Sounds like this issue became known because of these guys:

Once the problem was evident, Schneider said they contacted Amazon Web Services at the end of April. Amazon acted in a professional way, the researchers said, by notifying those account holders of the security issues.

So it certainly was an issue until they looked into it (and still is an issue if some fraction of their users are too lazy to fix it).

Clouds... (1)

madhatter256 (443326) | about 2 years ago | (#36515986)

I don't know, the cloud looks like a safe to me..... or a pad lock.

Oh, and that cloud looks like a shark.... and that one next to it looks like a worm....

Re:Clouds... (1)

Sulphur (1548251) | about 2 years ago | (#36516358)

I don't know, the cloud looks like a safe to me..... or a pad lock.

Oh, and that cloud looks like a shark.... and that one next to it looks like a worm....

And next to it is a cloud that looks like a bird.

Easy to use? (2)

BradleyUffner (103496) | about 2 years ago | (#36516092)

If it allows you to do something incorrectly then it isn't very easy to use.

Re:Easy to use? (2)

ackthpt (218170) | about 2 years ago | (#36516228)

If it allows you to do something incorrectly then it isn't very easy to use.

Nonsense. Windows has been allowing people to get things wrong for decades and millions claim it's easy to use ... nevermind.

Re:Easy to use? (1)

Snarky McButtface (1542357) | about 2 years ago | (#36516236)

So if someone sticks a fork in a toaster and gets electrocuted, does that mean the appliance was poorly designed? No matter how easy something is to use, some idiot will find a way to misuse it.

Re:Easy to use? (1)

BradleyUffner (103496) | about 2 years ago | (#36521664)

So if someone sticks a fork in a toaster and gets electrocuted, does that mean the appliance was poorly designed? No matter how easy something is to use, some idiot will find a way to misuse it.

I would say yes. If you can literally kill yourself by sticking a piece of metal in to a toaster, then the toaster could be designed better.

Re:Easy to use? (1)

return 42 (459012) | more than 2 years ago | (#36525334)

On the other hand, the smart user will unplug the toaster whenever possible before reaching into it, thus ensuring personal safety even if the manufacturer screwed up. Not sure what the analogous safe practice would be with AWS, aside from RTFM and generally being cautious.

Re:Easy to use? (1)

The Dawn Of Time (2115350) | about 2 years ago | (#36516360)

That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

Re:Easy to use? (2)

Nerdfest (867930) | about 2 years ago | (#36516484)

It's becoming more common and accepted these days though ... Apple seems to use that philosophy in a lot of their products. I think the drawbacks outweigh the benefits, but there are those that don't.

Re:Easy to use? (1)

Daniel_Staal (609844) | about 2 years ago | (#36517462)

I actually blame this on Asimov. His three-law robots were a great idea, and people loved the simple and 'obviously right' three laws that made them 'safe' around humans. People praise them, and actually say that they are trying to work them into their designs. At this point, even designs made by people who have never heard of the stories are following the same philosophy of design that they helped inspire.

Except we never actually want our machines to follow the three laws as he wrote them. We want rules 1 and 2 switched, in nearly all cases: It's more important that the machine does what we ask it to do than for it to second-guess what that might mean to our safety.

I'm sure Asimov's not the first person to come up with the idea, but he definitely codified it and encouraged it.

Re:Easy to use? (1)

dkf (304284) | about 2 years ago | (#36518156)

That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

Yes, he must be a computer security expert.

Re:Easy to use? (1)

BradleyUffner (103496) | about 2 years ago | (#36521708)

That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

If you think about it, it's not really that impractical. If, given very clear instructions on how to use something, people still manage to use it incorrectly, then it isn't really easy to use. I'm not arguing that everything NEEDS to be easy to use, just that some of the things people claim are easy are not really all that easy.

Re:Easy to use? (2)

element-o.p. (939033) | about 2 years ago | (#36516460)

I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.

Re:Easy to use? (1)

BradleyUffner (103496) | about 2 years ago | (#36521840)

I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.

I think it depends on your definition of "easy to use". If a significant number of people manage to use something incorrectly despite given clear instructions on its use, then you shouldn't try to claim that it is easy to use. The harshness of the consequences of improper use also factor in here. An easy to make mistake that has extremely harsh consequences may raise the difficulty rating of a task.

With your pencil example, how many people actually mistake the eraser for the point? Children understand pencils very quickly. I would say pencils are easy to use.

Re:Easy to use? (1)

cognoscentus (1628459) | about 2 years ago | (#36516514)

I agree. Private elements of a configuration such as API keys should be kept separate to public ones. Whatever is used to generate the image should only publish the public stuff by default.

Re:Easy to use? (0)

Anonymous Coward | about 2 years ago | (#36516560)

You saying my penis isn't very easy to use?

Nothing to do with anything of relevance (0)

Anonymous Coward | about 2 years ago | (#36516194)

This is people bundling their own AMIs and publishing them publicly without reading security docs. Has nothing to do with Amazon's greater cloud infrastructure or what 99% of the people use it for. In fact, is the article arguing that allowing people to publish their own AMIs is a bad thing?

Article title is very misleading and irresponsible...

Full of holes? (0)

Anonymous Coward | about 2 years ago | (#36516226)

Full of holes? I think the title of the article should be "People don't always read instructions." Duh.

is this Amazon-specific? (2)

Trepidity (597) | about 2 years ago | (#36516332)

This seems like basically the same issue as "forgot to remove my SQL password from the config file in the code I uploaded to github", which is also quite common. If you upload a working version of some of your infrastructure somewhere, you need to be careful about whether it contains any sort of authentication tokens.

This is why you need a good Admin (1)

sl4shd0rk (755837) | about 2 years ago | (#36516394)

It's not too difficult to plug a LAMP stack (or a windows/BSD/Solaris equiv.) into the net but the average lamer isn't going to know about hardening, updating, monitoring and troubleshooting. Amazon apparently could care less as well.

Clouds are dangerous... (0)

cloudssuck (2292232) | about 2 years ago | (#36516546)

Like, this guy [aeonity.com] got his Amazon EC2 server owned, and was arrested for distributing child porn... (hackers put it on his server)

Re:Clouds are dangerous... (0)

Anonymous Coward | about 2 years ago | (#36516592)

Goatse :(

Re:Clouds are dangerous... (0)

Anonymous Coward | about 2 years ago | (#36516792)

Fired.

Silver Linings (0)

Anonymous Coward | about 2 years ago | (#36516616)

If there were no holes, how could it have a silver lining?

With all the ISP's capping downloads.... (1)

bobjr94 (1120555) | about 2 years ago | (#36516960)

Amazon wants you to store all your videos and music on their servers but with ISPs capping traffic and lowering limits that idea may be short lived. "I have that movie but we can't watch it until the 18th when my limit resets for the month"

Don't blame the tool. (0)

Anonymous Coward | about 2 years ago | (#36517476)

Blame the person who uses the tool incorrectly.

Take some personal responsibility for goodness sakes.

Blame (1)

grayn0de (1301165) | about 2 years ago | (#36517702)

"...'[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."

Sure... blame the users... /sarcasm

the title is terrible (0)

Anonymous Coward | more than 2 years ago | (#36523516)

amazon's cloud is full of holes? come on..

AWS is an IaaS after all? (1)

bmullan (1425023) | more than 2 years ago | (#36537412)

As an IaaS it is YOUR responsibility to design security etc into YOUR servers on EC2. I think the title of this thread is misleading in that it makes it sound like AWS is at fault for implementation of someone's poor practices. "Amazon's Cloud is Full of Holes" That's like saying Intel's processors are Full of Holes because people do stupid things using machines that have them.

Ford Mustang is full of holes (1)

lemur3 (997863) | more than 2 years ago | (#36594864)

It has been reported that certain ford mustangs allow the owner to leave the doors unlocked and the keys in the ignition..

a large recall is expected once the ford motor company finishes studying the problem.
