Slashdot Mirror

← Back to Stories (view on slashdot.org)

Amazon's Cloud Is Full of Holes

Posted by CmdrTaco on from the so-are-donuts-and-they-are-delicious dept.

itwbennett writes "Amazon's Web Services is so easy to use that customers create virtual machines without following Amazon's 'very detailed' security guidelines, says Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt. Most notably, Schneider and his fellow researchers found that the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines. '[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."

66 comments

  1. How does that mean it is full of holes? by Ignominous · · Score: 1

    I don't get it. It's more like sending a letter to someone with your housekeys in the envelope.

    1. Re:How does that mean it is full of holes? by Anonymous Coward · · Score: 0

      Not just that - it's like sending your house keys to someone and then blaming the post office, even when the post office has a sign that says "DON'T MAIL YOUR HOUSE KEYS."

    2. Re:How does that mean it is full of holes? by Anonymous Coward · · Score: 0

      It means it's like your sister, ready and willing to give her cookies away to any and all.

    3. Re:How does that mean it is full of holes? by Anonymous Coward · · Score: 0

      I agree, the subject and the actual content of the article does not match. It's not "Amazon Cloud"s fault that users who desides to publish their AMIs (modified instances) forgets to remove credential data.

    4. Re:How does that mean it is full of holes? by ChrisKnight · · Score: 3, Insightful

      No, your example posits a situation where you are privately sending your physical keys to a known individual in a 1:1 transaction. Apples to oranges.

      The situation being described is where people build server images, and them publish them to share, without first having striped them of their security keys.

      A better comparison is if you wrote up an email for your dog walker with very detailed instructions on how to take care of your dog and you included the security code for your alarm. Then, you thought it would be a terrific idea to share your great dog walking tips with an email list and forwarded your original email without editing out your security code. Now anyone who accesses your dog walking tips has access to your house.

      --
      -- This sig is only a test. If this were a real sig it would say something witty. --
    5. Re:How does that mean it is full of holes? by ep32g79 · · Score: 2

      Your analogy is confusing. Can I get one with cars?

    6. Re:How does that mean it is full of holes? by vlm · · Score: 2

      Your analogy is confusing. Can I get one with cars?

      A better comparison is if you wrote up an email for your driver with very detailed instructions on how to run over a dog and you included the security code for your garage door. Then, you thought it would be a terrific idea to share your great dog running over tips with an email list and forwarded your original email without editing out your garage door code. Now anyone who accesses your dog running over tips has access to your garage.

      Better now?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:How does that mean it is full of holes? by blair1q · · Score: 1

      They're building their own cars using plans and parts from Amazon, and leaving the keys in the plastic bag that was taped to the top of the sunroof at the factory.

    8. Re:How does that mean it is full of holes? by myurr · · Score: 1

      Lets say your dog has a car but because he doesn't have opposable thumbs he struggles to use a key. Instead the car is fitted with a dog paw sized keypad that allows him to type an entry code in to gain access to the car and start the engine. Thinking that this setup is the bees knees your dog posts the details of this system on his blog, but includes his key code. Now any other man or his dog who reads this blog post will be able to access your dog's car.

    9. Re:How does that mean it is full of holes? by mark_elf · · Score: 1

      It would be like you loaned me your car.

    10. Re:How does that mean it is full of holes? by blair1q · · Score: 1

      Albeit, it's not taped to the top of the sunroof; it's more like it's stuffed in a dark magnetized box in one of the bumpers, so you never notice it if you aren't looking for it, but anyone else who's built one correctly knows exactly where to check when they see your car in the parking lot at the mall.

    11. Re:How does that mean it is full of holes? by chemicaldave · · Score: 2

      Bad phrasing. When they say Amazon's cloud they really mean the customers in the cloud, not Amazon themselves.

    12. Re:How does that mean it is full of holes? by JamesTKirk · · Score: 1

      It's more like tweeting a picture of your bulging underwear to everyone rather than sending it privately to just one person.

    13. Re:How does that mean it is full of holes? by Hylandr · · Score: 1

      What if I wanted to set the dog on fire and have the fire dept run over it instead?

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    14. Re:How does that mean it is full of holes? by Mister+Whirly · · Score: 1

      Visit Michael Vick's blog for great tips on this and more!

      --
      "But this one goes to 11!"
    15. Re:How does that mean it is full of holes? by brantondaveperson · · Score: 1

      Wrong use of 'Albeit'. You probably meant 'Although' or just 'Though'.

      'Albeit' is kind of a shortened form of 'All be it'. For instance;

      "It was sunny, albeit rather cold and windy."

      Not trying to be snotty, though I'm sure it comes off that way. Just trying to help.

      And can we stop with the analogies already? - we are computer professionals for the most part and don't need analogies to understand what it means to leave your private keys in a publicly accessible spot. Yours was a rather good one, but really, we don't need them and we just end up with threads in which the only topic of conversation is which imaginary scenario involving cars or flaming dogs or whatever most closely resembles the matter under discussion.

    16. Re:How does that mean it is full of holes? by arglebargle_xiv · · Score: 1

      Your analogy is confusing. Can I get one with cars?

      Can I get one with fries?

    17. Re:How does that mean it is full of holes? by blair1q · · Score: 1

      Er, http://www.etymonline.com/index.php?search=albeit&searchmode=none

      You don't really want to know what onelook.com has to say about it either.

      I did kind of misuse it to mean "on the contrary" rather than "in spite of", which is its more accurate sense.

      And you'll never get rid of analogies the way you'll never get rid of people who want to drive their cars despite the noise, cost, danger, waste, and pollution.

    18. Re:How does that mean it is full of holes? by ajs · · Score: 1

      A better comparison is if...

      A better comparison is you left your damned storage keys in your published machine image. This is a security blunder. That security key is, in simplistic terms, a password. Don't give out your passwords on the Web.

      This has nothing to do with the security of Amazon's infrastructure or services.

  2. So, Amazon not actually full of holes by Anonymous Coward · · Score: 0

    But some users are sloppy and thus are.

  3. Configure things poorly and... by Anonymous Coward · · Score: 0

    they will suck.

    - Love, Every Technology Vendor Ever

  4. Please get better names. by Anonymous Coward · · Score: 0

    Thomas Schneider, Bruce Schneier - it's all too confusing for us morals. One of you needs to change his name to Mr. Security McSmartypants.

    1. Re:Please get better names. by broginator · · Score: 1

      LOL I had (roughly) the same thought when i read it.

      --
      s/[stupid comments]/[intelligent discourse]/gi
    2. Re:Please get better names. by element-o.p. · · Score: 1

      At risk of being pedantic, sed "s/morals/mortals/". Everyone knows there is no one with morals here on /. (Q.E.D.).

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    3. Re:Please get better names. by snspdaarf · · Score: 1

      Maybe the AC works in a dark cubicle, and meant morels?

      --
      Why, without your clothes, you're naked, Miss Dudley!
  5. ah cloud storage.... by Anonymous Coward · · Score: 0

    with many cloud providers try buying a large chunk of disk space with ur VM and see what standard data recovery tools can do ....and what previous customers leave behind.

  6. Known issue by Mullen · · Score: 3, Informative

    This is a known issue and when Amazon.com finds out that certain AMIs have preinstalled root ssh keys, they send you an email letting you know, along with instructions on how to remove the root ssh key. Non-issue.

    --
    Linux O Muerte!
    1. Re:Known issue by Ignominous · · Score: 2

      You can also deactivate your account credentials just in case you did do this.

    2. Re:Known issue by Slashdot+Parent · · Score: 1

      Actually, this sounds like users leaving their AWS API keys on public AMIs. This could be a very expensive mistake for the AMI creators!

      Amazon provides ways to mitigate this risk. For instance:

      1. You are allowed to revoke keys. If you think you might have put your keys on a public AMI, even if you deleted those keys, you should revoke the keys immediately. Remember, deleting is different from wiping.
      2. You can use Identity and Access Management (IAM) to limit the functions that a giving API keypair is authorized to perform. This is extremely good practice, especially if you ever need to have keys on an instance (after all, what happens if your instance is hacked and the attacker is able to retrieve your keys?) As an example of this, all of my instances snapshot all of their EBS volumes at regular intervals. I created a keypair specifically for this function, and all those credentials are allowed to do is create snapshots. So if some attacker able to obtain my keypair, the worst he could do with them is create a bunch of snapshots (assuming he can guess some of my EBS volume IDs).

      But I agree with the basic premise of the article: AWS has some pretty serious pitfalls for those who haven't yet fully ascended the learning curve!

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    3. Re:Known issue by kmac06 · · Score: 1
      Sounds like this issue became known because of these guys:

      Once the problem was evident, Schneider said they contacted Amazon Web Services at the end of April. Amazon acted in a professional way, the researchers said, by notifying those account holders of the security issues.

      So it certainly was an issue until they looked into it (and still is an issue if some fraction of their users are too lazy to fix it).

  7. Clouds... by madhatter256 · · Score: 1

    I don't know, the cloud looks like a safe to me..... or a pad lock.

    Oh, and that cloud looks like a shark.... and that one next to it looks like a worm....

    --
    Previewing comments are for sissies!
    1. Re:Clouds... by Sulphur · · Score: 1

      I don't know, the cloud looks like a safe to me..... or a pad lock.

      Oh, and that cloud looks like a shark.... and that one next to it looks like a worm....

      And next to it is a cloud that looks like a bird.

    2. Re:Clouds... by NatasRevol · · Score: 1

      Sometimes the bird looks like a failwhale.

      --
      There are two types of people in the world: Those who crave closure
  8. Easy to use? by BradleyUffner · · Score: 2

    If it allows you to do something incorrectly then it isn't very easy to use.

    1. Re:Easy to use? by ackthpt · · Score: 2

      If it allows you to do something incorrectly then it isn't very easy to use.

      Nonsense. Windows has been allowing people to get things wrong for decades and millions claim it's easy to use ... nevermind.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Easy to use? by Snarky+McButtface · · Score: 1

      So if someone sticks a fork in a toaster and gets electrocuted, does that mean the appliance was poorly designed? No matter how easy something is to use, some idiot will find a way to misuse it.

    3. Re:Easy to use? by The+Dawn+Of+Time · · Score: 1

      That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

    4. Re:Easy to use? by element-o.p. · · Score: 2

      I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

      Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    5. Re:Easy to use? by Nerdfest · · Score: 2

      It's becoming more common and accepted these days though ... Apple seems to use that philosophy in a lot of their products. I think the drawbacks outweigh the benefits, but there are those that don't.

    6. Re:Easy to use? by cognoscentus · · Score: 1

      I agree. Private elements of a configuration such as API keys should be kept separate to public ones. Whatever is used to generate the image should only publish the public stuff by default.

    7. Re:Easy to use? by Anonymous Coward · · Score: 0

      You saying my penis isn't very easy to use?

    8. Re:Easy to use? by Daniel_Staal · · Score: 1

      I actually blame this on Asimov. His three-law robots were a great idea, and people loved the simple and 'obviously right' three laws that made them 'safe' around humans. People praise them, and actually say that they are trying to work them into their designs. At this point, even designs made by people who have never heard of the stories are following the same philosophy of design that they helped inspire.

      Except we never actually want our machines to follow the three laws as he wrote them. We want rules 1 and 2 switched, in nearly all cases: It's more important that the machine does what we ask it to do than for it to second-guess what that might mean to our safety.

      I'm sure Asimov's not the first person to come up with the idea, but he definitely codified it and encouraged it.

      --
      'Sensible' is a curse word.
    9. Re:Easy to use? by dkf · · Score: 1

      That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

      Yes, he must be a computer security expert.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    10. Re:Easy to use? by BradleyUffner · · Score: 1

      So if someone sticks a fork in a toaster and gets electrocuted, does that mean the appliance was poorly designed? No matter how easy something is to use, some idiot will find a way to misuse it.

      I would say yes. If you can literally kill yourself by sticking a piece of metal in to a toaster, then the toaster could be designed better.

    11. Re:Easy to use? by BradleyUffner · · Score: 1

      That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

      If you think about it, it's not really that impractical. If, given very clear instructions on how to use something, people still manage to use it incorrectly, then it isn't really easy to use. I'm not arguing that everything NEEDS to be easy to use, just that some of the things people claim are easy are not really all that easy.

    12. Re:Easy to use? by BradleyUffner · · Score: 1

      I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

      Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.

      I think it depends on your definition of "easy to use". If a significant number of people manage to use something incorrectly despite given clear instructions on its use, then you shouldn't try to claim that it is easy to use. The harshness of the consequences of improper use also factor in here. An easy to make mistake that has extremely harsh consequences may raise the difficulty rating of a task.

      With your pencil example, how many people actually mistake the eraser for the point? Children understand pencils very quickly. I would say pencils are easy to use.

    13. Re:Easy to use? by return+42 · · Score: 1

      On the other hand, the smart user will unplug the toaster whenever possible before reaching into it, thus ensuring personal safety even if the manufacturer screwed up. Not sure what the analogous safe practice would be with AWS, aside from RTFM and generally being cautious.

  9. Nothing to do with anything of relevance by Anonymous Coward · · Score: 0

    This is people bundling their own AMIs and publishing them publicly without reading security docs. Has nothing to do with Amazon's greater cloud infrastructure or what 99% of the people use it for. In fact, is the article arguing that allowing people to publish their own AMIs is a bad thing?

    Article title is very misleading and irresponsible...

  10. Full of holes? by Anonymous Coward · · Score: 0

    Full of holes? I think the title of the article should be "People don't always read instructions." Duh.

  11. No, here's an example of why this is a problem by hellfire · · Score: 1

    It's actually like a building company selling prefab bank buildings, and then selling it to your local bank, and the bank forgot to lock the back door they used to get into the building all the while inviting you to come into their new fangled ultra safe and secure bank where you can store personal stuff.

    The problem is that Amazon gave someone a super easy way to set up a site... so easy, even idiots can set it up. And idiots will set it up and forget to close the back door, and those idiot will sell services and what not with users who log in using a customer ID and password, and then someone can come in and steal it using a very basic back door. The problem is that it's too easy to forget to do or completely ignore this last part. That's what needs to be fixed.

    This is a process problem that makes it too easy for users to shoot themselves in the foot. Sure, those who bought web services should know better, but that doesn't mean Amazon bears no responsibility to make it easier to secure the site. In terms of managing risk, it's too likely that people will forget to secure this. Amazon, logically, has a responsibility to minimize this risk through any number of means, like an education program to it's hosted companies, a redesigned tool, or something similar. But by putting this 100% on the customer fails to acknowledge that the problem is not necessarily people, but the process.

    --

    "All great wisdom is contained in .signature files"

  12. is this Amazon-specific? by Trepidity · · Score: 2

    This seems like basically the same issue as "forgot to remove my SQL password from the config file in the code I uploaded to github", which is also quite common. If you upload a working version of some of your infrastructure somewhere, you need to be careful about whether it contains any sort of authentication tokens.

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    1. Re:is this Amazon-specific? by Graham+J+-+XVI · · Score: 1

      You're right, SQL is full of holes! Stop the presses!

  13. This is why you need a good Admin by sl4shd0rk · · Score: 1

    It's not too difficult to plug a LAMP stack (or a windows/BSD/Solaris equiv.) into the net but the average lamer isn't going to know about hardening, updating, monitoring and troubleshooting. Amazon apparently could care less as well.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  14. All I have to say is... by iago · · Score: 1

    Yay cloud!

    --
    Worst Sig Ever
    1. Re:All I have to say is... by JamesP · · Score: 1

      Relevant: http://dilbert.com/strips/comic/2011-01-07/

      --
      how long until /. fixes commenting on Chrome?
  15. Clouds are dangerous... by cloudssuck · · Score: 0

    Like, this guy got his Amazon EC2 server owned, and was arrested for distributing child porn... (hackers put it on his server)

    1. Re:Clouds are dangerous... by Anonymous Coward · · Score: 0

      Goatse :(

    2. Re:Clouds are dangerous... by Anonymous Coward · · Score: 0

      Fired.

  16. Silver Linings by Anonymous Coward · · Score: 0

    If there were no holes, how could it have a silver lining?

  17. With all the ISP's capping downloads.... by bobjr94 · · Score: 1

    Amazon wants you to store all your videos and music on their servers but with ISPs capping traffic and lowering limits that idea may be short lived. "I have that movie but we can't watch it until the 18th when my limit resets for the month"

  18. Don't blame the tool. by Anonymous Coward · · Score: 0

    Blame the person who uses the tool incorrectly.

    Take some personal responsibility for goodness sakes.

  19. Blame by grayn0de · · Score: 1
    "...'[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."

    Sure... blame the users... /sarcasm

  20. the title is terrible by Anonymous Coward · · Score: 0

    amazon's cloud is full of holes? come on..

  21. AWS is an IaaS after all? by bmullan · · Score: 1

    As an IaaS it is YOUR responsibility to design security etc into YOUR servers on EC2. I think the title of this thread is misleading in that it makes it sound like AWS is at fault for implementation of someone's poor practices. "Amazon's Cloud is Full of Holes" That's like saying Intel's processor's are Full of Holes because people do stupid things using machines that have them.

  22. Ford Mustang is full of holes by lemur3 · · Score: 1

    It has been reported that certain ford mustangs allow the owner to leave the doors unlocked and the keys in the ignition..

    a large recall is expected once the ford motor company finishes studying the problem.