Slashdot Mirror


Code Spaces Hosting Shutting Down After Attacker Deletes All Data

An anonymous reader writes Code Spaces [a code hosting service] has been under DDOS attacks since the beginning of the week, but a few hours ago, the attacker managed to delete all their hosted customer data and most of the backups. They have announced that they are shutting down business. From the announcement: An unauthorized person who at this point is still unknown (All we can say is that we have no reason to think it's anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a Hotmail address. Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.

At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel.

387 comments

  1. The cloud by Anonymous Coward · · Score: 5, Insightful

    Good thing people hosted their stuff on the cloud...

    1. Re:The cloud by SQLGuru · · Score: 4, Interesting

      Single account to rule them all......the best approach is the separation of concerns (user management, server management, backup / restore, etc.) so that it is a lot harder to compromise everything.

    2. Re:The cloud by i+kan+reed · · Score: 5, Insightful

      But that would have cost the company a little more money.

    3. Re:The cloud by Anonymous Coward · · Score: 0

      This cloud is certainly full of meatballs.


    4. Re:The cloud by Dishevel · · Score: 4, Interesting
      The real problem was that they still had access to their stuff and never bothered to look at the number of accounts on the system before changing the password.

      The concept was good but the people in charge were in way over their heads and it became suddenly clear to them that they had no business securing other peoples data. Good for them. At least they know what they suck at.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
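
The check Dishevel describes (look at every login on the account before touching a password) is something you can script. The example below is added here and is not code from the thread or from Code Spaces: it audits an IAM credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns, for the kind of back-door identities the announcement mentions (users and access keys created during the incident window, console logins without MFA, active-but-unused keys, root access keys). The sample rows, account ID and the "now" timestamp are constructed for the example.

```python
"""Audit an IAM credential report before you start rotating passwords.
Added example; the CSV layout is AWS's credential-report format, the rows are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: the root user, a well-behaved admin, a deploy user that
# grew a second access key two days ago, and a user created two days ago with no MFA.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2012-03-01T10:00:00+00:00,not_supported,2014-06-17T08:12:00+00:00,not_supported,not_supported,false,true,2012-03-01T10:00:00+00:00,2014-06-17T08:12:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-01-10T09:00:00+00:00,true,2014-06-16T17:40:00+00:00,2014-05-01T09:00:00+00:00,2014-08-01T09:00:00+00:00,true,true,2014-05-01T09:00:00+00:00,2014-06-16T17:41:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2013-04-02T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2013-04-02T12:00:00+00:00,2014-06-17T01:00:00+00:00,us-east-1,ec2,true,2014-06-15T22:10:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
support2,arn:aws:iam::123456789012:user/support2,2014-06-15T22:05:00+00:00,true,2014-06-17T02:30:00+00:00,2014-06-15T22:05:00+00:00,2014-09-15T22:05:00+00:00,false,true,2014-06-15T22:06:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed "now" for the example: the evening the announcement went out.
NOW = datetime(2014, 6, 17, 21, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; AWS fills blanks with N/A, no_information or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, window=timedelta(days=7)):
    """Return (user, finding) pairs that deserve a look before any password is changed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        created = _ts(row["user_creation_time"])
        if created and now - created <= window:
            findings.append((user, "user created recently: " + row["user_creation_time"]))
        # Root's password column reads not_supported, but root is still a console login.
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>" and active:
            findings.append((user, "root access key is active"))
        if len(active) == 2:
            findings.append((user, "two active access keys"))
        for n in active:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated <= window:
                findings.append((user, f"access key {n} created recently: "
                                 + row[f"access_key_{n}_last_rotated"]))
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((user, f"access key {n} active but never used"))
    return findings


def run_sample():
    """Audit the constructed report against the assumed incident time."""
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:16} {finding}")
```

Every hit is a login the attacker could fall back to after the first password change: disable those keys and login profiles first, then rotate. On a real account, fetch the report with the two CLI calls named above (`get-credential-report` returns the CSV base64-encoded) and feed the decoded text to `audit_credential_report`.
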
    5. Re:The cloud by roc97007 · · Score: 2

      Good thing people hosted their stuff on the cloud...

      No kidding. Their backups also, apparently.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    6. Re:The cloud by Penguinisto · · Score: 5, Interesting

      Good thing people hosted their stuff on the cloud...

      I don't think their problem is necessarily because it was "on the cloud" - the same thing could have happened if someone penetrated a corporate network and got hold of a VM farm. A bigger obstacle to be sure, but if your corporation has partner/vendor access and a not-so-sharp security guy...

      One question I have though - instead of changing a password, why couldn't they have called Amazon, had the thing universally locked out for that company, replaced all root-level access with a new account, and sent the new username and p/w by phone back to the company?

      Also, why didn't they have an offline (think: off-cloud) backup of the stuff? Sure it costs time/money/skull-sweat to do that, but it's worth the time and trouble in the end. After all, if your family jewels are hanging out there, it always pays to have a DR plan for 'em...

      If nothing else, they could have set up a separate and distinct AWS account/rigging as a "DR" of sorts, with DB replication and the works feeding it as a warm DR site. That way if some jackass compromises the first, you only need to stop DB replication, turn on the rest of the DR servers, do a quick test, and shift your DNS to the backup site - 15 minutes later, you can delete the objects yourself in the original site if you want (while you set up yet a different site and build a new backup site to replace the one you just put into production.)

      We have a sizable AWS setup where I work, and first/foremost we back that shit up (the DB contents) to machinery that we control. We also have a means of re-deploying/rebuilding if necessary; sure it takes time, but it's better to have it and not need it...

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    7. Re:The cloud by AGMW · · Score: 0

      Off Topic ... but I like your sig. I've been leaning that way myself for some time now. Much like the US president can only run for two terms, wouldn't it be grand if there was something similar for the politicians lower down the tree! Politicians _should_ be people who've been out in the real world. They should _not_ be people who go to university with the desire to be politicians.

      --
      Eclectic beats from Leeds, UK
      handmadehands.co.uk
    8. Re:The cloud by rwven · · Score: 3, Insightful

      It has nothing to do with the cloud. It could have been any un-managed hosting.

      The fact that they went with un-managed hosting in the first place is what really screwed them. If they had a real support team they could turn to, steps could have been taken to keep this from happening as soon as the DDOS started, and they would have had "offsite" or at least "offline" backups.

      This happened because it appears that Code Spaces had some knee-jerk reactions and didn't think through how they were handling this (like changing the password before making sure there weren't other methods of access already established). They should have straight-up called Amazon, explained what was going on, and paid for support for Amazon to put access to their account and instances on lockdown until the situation was resolved. Shoulda, woulda, coulda though...

    9. Re:The cloud by NatasRevol · · Score: 4, Insightful

      More likely, actual planning would have to be involved.

      --
      There are two types of people in the world: Those who crave closure
    10. Re:The cloud by ArmoredDragon · · Score: 1, Interesting

      I don't think that was a money thing, rather it was an oversight of risk management. Hindsight is always 20/20.

      (Besides, where does this "blame the victim" attitude always come from? It's ridiculous. This is equal to saying that wearing scantily clad clothing means a woman deserves to get raped.)

    11. Re:The cloud by Dishevel · · Score: 1, Insightful

      More of us are becoming aware all the time. There is a need for people to fill political offices. There is no need for politicians.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    12. Re:The cloud by Anonymous Coward · · Score: 0

      The comment was more in reference to their customers. Must be nice for them all to wake up and find their code base gone because the cloud service they were using got hacked.

    13. Re:The cloud by Kagato · · Score: 4, Informative

      AWS has one of the best security systems out there. IF you decide to enable the features. The production AWS configs I've used have mandated multi factor auth (using the number generator on the phone) as well as source network restrictions. You can also set up a large number of ACLs to restrict things like the ability to create additional accounts.

      It's hard for me to feel bad for these guys.

    14. Re:The cloud by vux984 · · Score: 5, Insightful

      I don't think their problem is necessarily because it was "on the cloud"

      No. The cloud was a key part of the problem. They had as much access and control over the system as the hacker did with no physical fall back.

      A VM farm on an onsite rack or even a colo rack? You knock out the hacker by unplugging it from the router to the internet, and then audit and reset security to your hearts content.

    15. Re:The cloud by nullchar · · Score: 2

      You should always have an offline backup (even if slightly out of date).

      In this case, they could have used a separate "cloud" provider just for backups.

      Cloud or not, everything under one umbrella was the problem.

    16. Re:The cloud by Mister_Stoopid · · Score: 4, Insightful

      Having an offline backup isn't 20/20 hindsight, it's the absolute basics of the basics.

      This is equal to saying that wearing scantily clad clothing means a woman deserves to get raped.

      It's more like saying that a guy who dies in a car accident because he was street racing while drunk, high, and not wearing a seatbelt got what he deserved.

    17. Re:The cloud by Anonymous Coward · · Score: 5, Informative

      With Amazon's service you can contact them and have all access blocked until there is time to sort things out, and authenticate the real admin with billing information or the root SSH key you're given, etc.

    18. Re:The cloud by LWATCDR · · Score: 1

      Isn't the real problem the criminals that made the attack?

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    19. Re:The cloud by Anonymous Coward · · Score: 0

      Also, why didn't they have an offline (think: off-cloud) backup of the stuff? Sure it costs time/money/skull-sweat to do that, but it's worth the time and trouble in the end.

      It costs money that some customers don't want to pay? I'm not familiar with their site and business, and if their prices and advertised services suggest one should expect a reasonable backup policy. But there are customers that want to go as cheap as possible at the expense of reasonable policy, and as a result services that provide what they want. The problem is most such customers will still blame the company even if they explicitly avoided security and backup practices to save money.

    20. Re:The cloud by pla · · Score: 1, Insightful

      Besides, where does this "blame the victim" attitude always come from? It's ridiculous.

      Bad people exist. Plan accordingly, or don't come crying when you get hacked.

      Otherwise, I agree with you, this looks more like an oversight of risk management: When wandering around the park at 2am in a mini-dress... don't.

    21. Re:The cloud by Anonymous Coward · · Score: 0

      Good thing people hosted their stuff on the cloud...

      "heisted" in the cloud? or from management perspective "hoisted" in the cloud?

    22. Re:The cloud by Anonymous Coward · · Score: 0

      If they'd used MFA I doubt that the attacker would have gained access in the first place.

    23. Re:The cloud by Dishevel · · Score: 1
      Sure it is a real problem. The issue is that if you are going to wait for there to be no criminal behavior out there nothing can ever get done.

      So you have to take some responsibility for the security of your users data in spite of the fact that there are criminals out there.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    24. Re:The cloud by Dishevel · · Score: 1

      Like I said. These guys were in way over their heads. You just can not be responsible for the hard work of a bunch of people and do what these guys did.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    25. Re:The cloud by Anonymous Coward · · Score: 0

      Good thing people hosted their stuff on the cloud...

      yeah, because we all know that hackers can't get into servers people manage themselves..

    26. Re: The cloud by Anonymous Coward · · Score: 0

      Wow. Another one of those "she was asking for it" people.

    27. Re:The cloud by Jhon · · Score: 4, Insightful

      "Much like the US president can only run for two terms, wouldn't it be grand if there was something similar for the politicians lower down the tree! Politicians _should_ be people who've been out in the real World."

      Unintended consequences -- you don't have people in office long enough to be RESPONSIBLE for anything. All "bombs" get pushed off until the next election cycle when Councilman A is termed out and becomes State Senator A, or Assemblyman A.

      Look to California for everything you need to fear.

    28. Re:The cloud by Anonymous Coward · · Score: 0

      I don't think their problem is necessarily because it was "on the cloud"

      No. The cloud was a key part of the problem. They had as much access and control over the system as the hacker did with no physical fall back.

      A VM farm on an onsite rack or even a colo rack? You knock out the hacker by unplugging it from the router to the internet, and then audit and reset security to your hearts content.

      Which you in effect also can do on AWS.

    29. Re:The cloud by Anonymous Coward · · Score: 0

      A "backup" that isn't separated from the online system by at least the flip of a physical switch is redundancy, but not a backup.

    30. Re:The cloud by Munchr · · Score: 5, Insightful

      Exactly this. They state in the article that they had off-site backups. What use are off-site backups if the "on-site" control panel has direct online access to them? "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."

    31. Re:The cloud by Anonymous Coward · · Score: 0

      The cloud system practically made sure that they didn't have an actual backup, one that can't be gotten to online.

    32. Re:The cloud by Albanach · · Score: 1

      Good thing people hosted their stuff on the cloud...

      Hosting stuff on the cloud wasn't the problem. It's really no different from hosting anywhere else. The problem was a lack of off-site backups.

      Something as simple as s3cmd and cron would have protected them. Or if really necessary they could have backed up servers to an independent s3 account.

      This is a simple case of someone keeping all their eggs in a single basket, breaking the fundamental rule of backups needing to be independent of their source.
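
Kagato's point in comment 13 (MFA, source-network restrictions and ACLs that stop people creating additional accounts) and Albanach's point above (back up to an independent S3 account) are both expressed as IAM policy. The block below is an added example, not code from the thread or from Code Spaces: it writes both policies as JSON-shaped Python and runs them through a minimal evaluator that follows the documented IAM order (explicit Deny wins, then an Allow is required, otherwise implicit deny) so you can see which calls each one blocks. The CIDR, bucket ARN, Sids and the evaluator itself are assumptions; the evaluator models only the `Bool`, `BoolIfExists`, `IpAddress` and `NotIpAddress` operators and ignores principals.

```python
"""Two policies for the Code Spaces failure modes, plus a toy IAM evaluator to check them.
Added example; names, CIDR and bucket are assumed, and the evaluator is deliberately minimal."""
import fnmatch
import ipaddress

TRUSTED_CIDR = "203.0.113.0/24"                            # assumed office egress range
BACKUP_BUCKET = "arn:aws:s3:::example-offsite-backups"     # assumed bucket in a *separate* account

ADMIN_POLICY = {  # what a human operator normally carries
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

GUARD_POLICY = {  # attached alongside ADMIN_POLICY to every human in the production account
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIdentityChangesWithoutMFA", "Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
                    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:DeactivateMFADevice"],
         "Resource": "*",
         # BoolIfExists: a long-term access key carries no MFA context key at all and must
         # still be denied; plain Bool would silently let it through.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "DenyOutsideTrustedNetwork", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [TRUSTED_CIDR]}}},
    ],
}

BACKUP_WRITER_POLICY = {  # the only policy on the identity the backup job runs as
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppendOnly", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"]},
        {"Sid": "NeverDestroy", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration"],
         "Resource": "*"},
    ],
}


def _glob_any(patterns, value):
    """IAM Action/Resource fields are case-sensitive globs; a string or a list of them."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator block must hold (AND); inside a block any listed value suffices (OR)."""
    for op, keys in condition.items():
        for key, wanted in keys.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            have = ctx.get(key)
            if op in ("Bool", "BoolIfExists"):
                if have is None:
                    if op == "Bool":
                        return False        # plain Bool never matches a missing key
                    continue                # ...IfExists treats a missing key as a match
                if str(have).lower() not in [w.lower() for w in wanted]:
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                in_range = have is not None and any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(w) for w in wanted)
                # Negated operators match when the key is absent, e.g. a call an AWS service
                # makes on your behalf, which is why such denies need care in real accounts.
                if (in_range if op == "IpAddress" else not in_range) is False:
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled in this example")
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Deny:<Sid>', 'Allow' or 'ImplicitDeny' for one request against a policy set."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not (_glob_any(st["Action"], action) and _glob_any(st["Resource"], resource)):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny:" + st["Sid"]
            verdict = "Allow"
    return verdict


if __name__ == "__main__":
    human = [ADMIN_POLICY, GUARD_POLICY]
    print(evaluate(human, "iam:CreateAccessKey", "*", {"aws:SourceIp": "203.0.113.10"}))
    print(evaluate([BACKUP_WRITER_POLICY], "s3:DeleteObject", BACKUP_BUCKET + "/x", {}))
```

The second policy is what makes the S3 copy a backup rather than, as later comments put it, a copy: the credential that writes it lives only on the backup host, cannot delete or rewrite versioning and lifecycle settings, and cannot even read the archives back, so a stolen backup credential neither destroys nor leaks them. Restores are done with a different identity in the backup account, which the production control panel never holds.
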

    33. Re:The cloud by Noah+Haders · · Score: 2, Interesting

      100% wrong. Maybe the company should have been better prepared, but the fact is they were attacked by a criminal who first hijacked and then destroyed possibly an enormous amount of value in people's data. He, she or they committed a horrible crime and should go to jail for a long time.

    34. Re:The cloud by TheCarp · · Score: 4, Interesting

      I see this come up a lot and honestly..... I mean.... is it really wrong to suggest that a person should think about self-protection?

      Do you lock the door to your house? Your car? I do. I generally won't even leave my phone in the locked car unless I expect I will not be out of view of the car for more than a minute, I even look around first when making such a decision. Why? Because people I know, including myself, have had shit stolen from their cars!

      And you know what.... I, the victim, was stupid for thinking it was going to be ok to leave my GPS on the cradle in the car overnight. The person who stole it is still an asshole, still deserves to be punished, but you know what....that doesn't make me smart for exposing myself to his actions.

      Should a woman be able to wear what she wants? Should she be able to walk down the street at night alone? Yes. Absolutely. However, when my wife clips a knife on her belt before going for walks at night, when she tells me what streets she avoids at night because she knows it's where a lot of the rapes are reported.... it makes me think I married a smart girl.

      But hey maybe I am odd, I don't say "don't wear that" I say "don't forget your knife"

      Because it's true, she shouldn't ever have to use it, and I hope she never does.... but if it ever happens, I hope she spills entrails on the sidewalk.

      --
      "I opened my eyes, and everything went dark again"
    35. Re:The cloud by spire3661 · · Score: 1

      NO, their own stupidity, lack of training and foresight made sure they didn't have a viable backup.

      --
      Good-bye
    36. Re:The cloud by Anonymous Coward · · Score: 0

      And with how lax this company was, it sounds like the hacker had even more access than they did.

    37. Re:The cloud by Anonymous Coward · · Score: 0

      Thus, it wasn't the cloud's fault....it was Code Spaces' fault for not having the proper infrastructure.

      Thus, it's not AWS.....

    38. Re:The cloud by Jawnn · · Score: 2

      Backups, accessible via the same system that made them, are not backups. A backup is a thing that lives elsewhere and is not affected by anything that might happen on the primary system. All they had were "copies".

    39. Re:The cloud by Oligonicella · · Score: 4, Insightful

      And the company and its owners should have their asses sued off for failing to take normal precautions for the data they promised to protect. I have sympathy and pity for the owners of the data (although I have always thought "the cloud" was a stupid idea), but none for the company. Unconnected archiving is a universally recognized good practice. Why in hell don't the new guys understand this?

    40. Re:The cloud by pla · · Score: 2, Insightful

      100% wrong. Maybe the company should have been better prepared, but the fact is they were attacked by a criminal who first hijacked and then destroyed possibly an enormous amount of value in people's data. He, she or they committed a horrible crime and should go to jail for a long time.

      You'll notice that at no point did I excuse the criminal. I agree with you completely that we as a society should dedicate the resources to hunting him down and punishing him.

      That doesn't change the fact that Code Spaces sold a project hosting solution, using all the "safety" and "redundancy" and ease of access of "the cloud" as direct marketing points, and as a result bear direct liability for negligence in failing to secure their systems. Why did they opt to close up shop? Not because they got hacked and lost their current customers' data, but because they know with 100% certainty that in the next few weeks, they will get sued into oblivion.

      Yes, of course we still go after the bad guys... But sorry, the morons leaving the front door open don't just get a pass. If someone gets food poisoning from McDonald's, they don't get to pass the buck to the electric company for their refrigerators going off for a few hours, nor do they get to blame the "real" culprit, e coli. They should have known better, and so should Code Spaces.

    41. Re:The cloud by smooth+wombat · · Score: 1

      (Besides, where does this "blame the victim" attitude always come from? It's ridiculous.

      You obviously missed the comments I made to the same effect back in April and had folks respond that yes, the victim is partially to blame no matter what.

      Here, read the torturous and twisted excuses people make trying to justify why the victim is to blame, whether a hacking event such as this or having your house broken into.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    42. Re:The cloud by Anonymous Coward · · Score: 0

      I don't think that was a money thing, rather it was an oversight of risk management. Hindsight is always 20/20.

      (Besides, where does this "blame the victim" attitude always come from? It's ridiculous. This is equal to saying that wearing scantily clad clothing means a woman deserves to get raped.)

      Well, you won't find many who literally say that women dressing provocatively deserve to get raped, but you will find many eager to point out that rape happens more often to those dressing provocatively, and therefore choosing not to dress that way is a proxy for choosing to reduce the risk of getting raped. Whether or not women who choose to dress provocatively are choosing to increase their rape risk on purpose (seeking that outcome, as you suggest) is an exercise left to the reader.

      Flame suit on.

    43. Re: The cloud by Aighearach · · Score: 4, Insightful

      At some point, you have to ascribe *some* responsibility on the [victim], no?

      No.

    44. Re:The cloud by Aighearach · · Score: 1

      Bad people exist. It doesn't matter if you cry, it does matter if you seek Justice or not.

      Changing your life to accommodate them is ill advised.

    45. Re:The cloud by pnutjam · · Score: 1

      Don't hold back with the reference or contact number.

    46. Re:The cloud by synapse7 · · Score: 1

      When you say this had nothing to do with the "cloud" do you mean gases in the atmosphere? If not, what the hell is the difference between the "cloud" and Amazon hosted services? Also, if Amazon is unable to offer a "real support team" who the hell can?

    47. Re:The cloud by Anonymous Coward · · Score: 0

      Yeah, keep telling yourself that. When you've been around long enough, you learn that providing the option to do the right thing isn't good enough. The right thing has to be the easy thing to do for something (programming language, API, OS, machine, etc.) to work right in practice.

    48. Re:The cloud by the_B0fh · · Score: 1

      Unconnected archiving is a universally recognized good practice. Why in hell don't the new guys understand this?

      Every generation, someone gets to learn this lesson all over again.

    49. Re:The cloud by Aighearach · · Score: 2

      I see this come up a lot and honestly..... I mean.... is it really wrong to suggest that a person should think about self-protection?

      No, it is wrong to claim that they're expected to. See the difference? No?

      Why bloviate for dozens of words if you're going to fall on your face in the first sentence?

      You can't even tell the difference between prerogatives and coercion, so you have no moral or ethical foundation to build anything on. You have no points, because they're suspended in space and everybody else is on planet Earth.

      And yes, it is really "very" wrong to attempt to exercise other people's prerogatives. It is a less extreme example of the same sort of horribles you consider! So no, you shouldn't be telling people to live in fear, or that it is somehow required for them to put reacting to crime, or giving up their freedom by reacting to it in the way you would desire them to. It is their prerogative, and theirs only, if they will continue to live their own life with their head held high, or cower in fear over protecting a pile of stuff, or something in between.

    50. Re:The cloud by Xaedalus · · Score: 1

      When wandering around the park at 2am in a mini-dress... don't.

      Your analogy works to a point. The predators who are lurking around said metaphorical park at 2 AM waiting for said irresponsible hot chicks in mini-dresses will quickly realize that their prey has gone to somewhere safer, like a nightclub or bar where it is both appropriate and safe for metaphorical hot chicks in mini-dresses to be safely irresponsible (e.g. having fun). Then they will evolve their tactics to take advantage, like roofies or excessive plying of alcohol or flat-out assault. Your analogy ultimately fails because while there is something to be said for taking personal responsibility, the fact is that predators -adapt-, or they die. And since they don't want to die, they will adapt, they will continue to hunt, and they will infiltrate the "safe" places. It is ultimately not someone's fault that they are a victim if they honestly thought they were both safe and in a place/situation/enacting a policy that is supposed to be safe (and verified by independent experts to be safe).

      --
      Here's to hot beer, cold women, and Glaswegian kisses for all.
    51. Re:The cloud by Anonymous Coward · · Score: 0

      they probably thought since CLOUD, no need for real IT people to handle anything. Any monkey can click on the control panel... and apparently did

    52. Re:The cloud by DutchUncle · · Score: 1

      well, yes, they do, if anyone thinks it was reasonable for them to have taken precautions. "I assumed you actually LOCKED those locks on the door when you went out . . ."

    53. Re:The cloud by Ksevio · · Score: 1

      That's a very strange definition of backup. Sounds more like you're talking about an offline backup. Typically backup systems are connected to the system that made them so they can be restored easily.

    54. Re:The cloud by Anonymous Coward · · Score: 1

      yes but then you need an IT department who would know this stuff... wasn't the idea to go to cloud/outsource so you could fire the IT and save GAZILLIONS of dollars

    55. Re:The cloud by Aighearach · · Score: 1

      (Besides, where does this "blame the victim" attitude always come from? It's ridiculous. This is equal to saying that wearing scantily clad clothing means a woman deserves to get raped.)

      After the neckbeard reaches at least 6 inches, it grows into the nervous system and implants these ideas directly. This is an attempt to force the host into breeding behavior, so that the infection can spread.

    56. Re:The cloud by Anonymous Coward · · Score: 0

      "Nobody has any obligation to prevent crime. Nobody."

      Bullshit. When it's someone else's property you're supposedly safe-guarding, yes you are obligated to take steps to prevent anything happening to it.

    57. Re:The cloud by Anonymous Coward · · Score: 0

      When logging onto the root account, the features are right in front of one's face, be it setting up a password policy or setting up MFA (multi-factor authentication). Since the protocol used by Amazon works with Google's authenticator and other TOTP devices, not to mention hardware items, this is a no-brainer to have.

      Amazon even kicks you in the nads to do it "right", with limited authorization credential keys on the root user, so one is encouraged to create users for various services.

      I can't blame them 100%... they did set up a useful service, and did the best they could with resources available. Not everyone expects a backstabber in their group who would go out of their way to utterly destroy a project or a business out of spite.

    58. Re:The cloud by Xaedalus · · Score: 0

      What will you do when she gets assaulted in a place or situation she didn't expect to, from a person she never expected it of? Here's the thing with personal responsibility--while it's good to have and practice, everyone's got to let their guard down sometime. We all try to do so in safe environments and places--and the predators know that. It's the problem with blaming the victim--many times the victim is blameless precisely because the victim honestly thought he/she was SAFE, and with SAFE people. It's what predators count on. It's one thing for your wife to avoid the streets with the reported rapes, which is wise. But committed rapists (to use your example) don't sit on the same street corner in the same neighborhoods--they're always looking for prey in NEW environments. Prey that isn't expecting to be assaulted. Blaming the victim in that instance is like adding insult to injury--and that's what generally happens. It's also why women don't generally report rape or sexual assault--the amount of second-guessing by people who are unfamiliar with the situation, let alone the context and circumstances is staggering and destroys one's self esteem.

      --
      Here's to hot beer, cold women, and Glaswegian kisses for all.
    59. Re: The cloud by Penguinisto · · Score: 0

      At some point, you have to ascribe *some* responsibility on the [victim], no?

      No.

      So according to you, the jackass who jumps the fence into the lion's pit at the zoo has no responsibility for getting mauled? The text-obsessed driver who wraps his car and lungs around a tree bears no responsibility for getting his dumb ass killed?

      Really?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    60. Re:The cloud by Anonymous Coward · · Score: 0

      "Nobody has any obligation to prevent crime. Nobody."

      While I don't know if there's a legal case to be made against the people hosting the data, they failed to take reasonable precautions to prevent this event. Or failed to realize it was a possibility.

      If a bank accidentally leaves the doors unlocked, leaves their keys out, or makes the "code" to some vault "1234" then they would rightly be held responsible for their callous disregard for proper protection of their customers property.

    61. Re:The cloud by Anonymous Coward · · Score: 0

      Nobody has any obligation to prevent crime.

      ...except regulated corporations. Oops.

      As someone who does backup/recovery work for a living, I should probably thank the government every day for the Sarbanes-Oxley Act.

    62. Re:The cloud by Anonymous Coward · · Score: 1

      Do you lock the doors and windows to your house and car?

      Because, if you do, you're letting the bad people control your life! Oh nos

    63. Re:The cloud by Anonymous Coward · · Score: 0

      Bad people exist. It doesn't matter if you cry, it does matter if you seek Justice or not.

      Indeed, seeking justice will totally bring back their data.

      Changing your life to accommodate them is ill advised.

      It must be blissful to be so naive. I'm absolutely certain that you sleep well at night, without a worry in the world.

    64. Re:The cloud by Anonymous Coward · · Score: 0

      Do you lock the door to your house? Your car?

      Neither. I've discovered that there aren't many people that are willing to steal but unwilling to break a window. Replacing windows is expensive.

    65. Re: The cloud by seebs · · Score: 3, Insightful

      Of course she's responsible for how she looks and dresses, it's just that neither of those can ever be, in any way, a justification for rape. They're totally irrelevant. She's also responsible for what she has for breakfast, and that's every bit as relevant to your decision as to whether or not you want to be a rapist. Which, given that you're playing apologetics for it, presumably you do.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    66. Re: The cloud by seebs · · Score: 5, Insightful

      Good job shifting the goalposts, but that's pretty much totally unrelated. See, the lions are generally not considered to be moral actors. Humans usually are.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    67. Re:The cloud by idontgno · · Score: 1

      "Just world" hypothesis. The mental model that says "that guy got victimized because he brought it on himself, whereas I'm perfectly safe because I don't."

      Cowards blame the victim so that they can reassure themselves (falsely) that it just can't happen to them.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    68. Re:The cloud by rwa2 · · Score: 1

      I'll just leave this here:
      http://www.despair.com/mistake...

    69. Re:The cloud by seebs · · Score: 1

      The blame-the-victim thing comes from the just world fallacy. People don't want to think that bad things happen to innocent people, so they declare the people non-innocent.

      You can reproduce this beautifully in lab conditions. Play people a recording of someone being tortured and they will start disliking the person and thinking badly of them.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    70. Re:The cloud by Anonymous Coward · · Score: 0

      You certainly do have a responsibility to make sure the assets under your care are reasonably protected. Or do you think a bank has no responsibility to keep your money in a vault? "Oh, we just left your stack of cash out on the sidewalk with a sign that it was not free for the taking. It's not our problem that someone committed a crime and stole it." I call BS.

    71. Re:The cloud by Anonymous Coward · · Score: 0

      You insist criminals will adapt, yet a large part of property related crime is done when convenient or when someone made a mistake or lapse in their precautions. For many criminals, crime is a matter of convenience, and only a small number of them will change their tactics by a lot unless it makes things even easier. It takes a lot to stop a smart criminal, but that doesn't prevent tons of stupid ones getting caught or blocked by much simpler protection schemes.

      In this case here, if they had proper off line backups, and had called Amazon with proper authentication beyond just passwords to pull the plug on their setup, how would the criminal have "adapted" to deal with that such that they would have lost their data anyway?

    72. Re:The cloud by Anonymous Coward · · Score: 0

      yes but then you need an IT department who would know this stuff... wasn't the idea to go to cloud/outsource so you could fire the IT and save GAZILLIONS of dollars

      Why, yes. Yes, it was. I trust that all are pleased with the outcome.

    73. Re:The cloud by chthon · · Score: 3, Insightful

      Your insurance agent would like a word with you.

    74. Re: The cloud by SecurityGuy · · Score: 4, Insightful

      Which, given that you're playing apologetics for it, presumably you do.

      I don't think it's that, it's that in some people's minds, the pendulum has swung too far. I read that some beauty contestant is getting lambasted for saying women should learn self defense. Claims are being made that that promotes "rape culture". It doesn't, it's just the commonsense realization that while in the ideal world there wouldn't be bad people, in the actual world, there are. It's fine to work towards the ideal world, but we also need to live in the real one.

      To put another spin on it, there's a trail around here that used to be a great place to run. It's become a great place to get a beating and your phone/ipod/wallet stolen. I could go run there with my expensive earbuds and $600 phone, secure in the knowledge that I have every moral right to do so unmolested, but I don't. I run with my cheaper earbuds and an iPod shuffle in places muggings don't happen.

    75. Re: The cloud by Anonymous Coward · · Score: 0

      So you are in no way responsible for the outcome of decisions you made knowing they were risky. You must be a bank executive. That lack of responsibility you insist upon of course does nothing to prevent the real consequences of what happened. "Your data is gone and we could have prevented it, but it's not our fault."

    76. Re:The cloud by sjames · · Score: 1

      A locally hosted farm offers better options to recover. For example, once you realize you are hacked, you can take it off the network while checking it out and re-securing it. That would also disconnect it from the backup system so the backups are safe. When it's in the cloud, you can't really do that.

      The locally hosted backup you spoke of is a decent next best solution, but may depend on the rate that data changes. Bandwidth into and out of the cloud generally costs while data over a lan cable doesn't.

    77. Re:The cloud by roc97007 · · Score: 1

      That's a very strange definition of backup. Sounds more like you're talking about an offline backup. Typically backup systems are connected to the system that made them so they can be restored easily.

      An effective backup system must have both online and offline backups. Having all of your backups online violates the "integrity" part of basic security (confidentiality, integrity, availability) as you can't guarantee integrity if all data sets are subject to attack from a single source.

      Even when "backing up" your PC at home to another disk drive, you aren't safe until you disconnect the drive. And that's only a little bit safe. Safer is to put it in a different room. Even safer, a different house. (This is what I do.) Safest of all, a different geological area.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    78. Re:The cloud by kesuki · · Score: 1

      i believe the information is here https://aws.amazon.com/premiumsupport/ and yes i realize it's just a 'plan comparison' page, and that only 2 of the 4 tiers include a phone plan

    79. Re:The cloud by mpe · · Score: 1

      AWS has one of the best security systems out there. IF you decide to enable the features. The production AWS configs I've used have mandated multi factor auth (using the number generator on the phone) as well as source network restrictions. You can also setup a large number of ACLs to restrict things like the ability to create additional accounts.

      It's more a case of "if you understand how to actually use that feature". Such complex systems are unlikely to be an enable/disable case.
      Similarly MS Windows, since NT, has a highly sophisticated "security model". Which many people, including those writing programs which could make effective use of it, don't really have much of a clue about.

    80. Re:The cloud by Anonymous Coward · · Score: 0

      Nobody has any obligation to prevent crime. Nobody.

      People are only responsible for acting in a legal manner themselves.

      Isn't that how they do it on your planet, too? No? You can sue the victim there? Wow, no wonder you left! By the way, you left. You're on Earth now. No, crime victims don't get sued by their friends and partners here.

      wrong .. you can't just leave important data in an unlocked building and say that anything that happens was done by criminals. you have an obligation to protect the data and to keep the business running.

      that's why businesses have doors with locks on them

    81. Re:The cloud by Anonymous Coward · · Score: 0

      No firearm carry in your state? Supplement that blade with some OC resin pepper spray...at least 10% OC / 2 mil Scoville Units. It'll look better in court that she tried to stop the rapist before disemboweling it. Great for dogs too... Just like a network, you need multi lines of defense. Oh BTW, totally agree with your comments. Can't hole-up because of lurking danger. But with reasonable precautions and some wisdom and discernment, carry-on and be prepared with contingencies.

    82. Re:The cloud by Anonymous Coward · · Score: 0

      What will you do when she gets assaulted in a place or situation she didn't expect to, from a person she never expected it of?

      Mostly the same thing as if they had been doing something stupid? E.g. console the victim, do what is necessary for them to move on with their lives, and pursue the criminal with full force of the law. The fact that people need and have safe places to let their guard down doesn't change the idea that some places need to be more careful. It isn't a case of people are just as likely to be screwed either way because the bad guys try to find "safe" places too. There is a continuum of possible impact reasonable self-protection can provide, from cases where shit happens and it wasn't preventable, to cases where an action of the victim directly causes the problem.

      Most people in the US don't do anything to protect themselves from bears, even though a large number of them live in an area with a nonzero chance of an encounter. And that is completely reasonable. But it is also reasonable to expect people in certain situations to carry an airhorn or other protection from a bear when in an area that has had warnings and multiple human-bear encounters. Even more so to expect someone not to climb into a bear enclosure at a zoo. And in this story, since it is not about just a single person screwing around with a personal project but a business that should understand their field and responsibilities. People have different expectations of a business that specializes in something, as opposed to a single person on their own. A company offering tours of woods with known bear problems would be expected to handle things better than some random person visiting the area.

    83. Re:The cloud by mpe · · Score: 1

      Much like the US president can only run for two terms, wouldn't it be grand if there was something similar for the politicians lower down the tree! Politicians _should_ be people who've been out in the real World. They should _not_ be people who go to university with the desire to be politicians.

      It might make more sense to have a "term limit" more along the lines of "Maximum of X years total in any elected office".
      A rule to the effect of "You can't be a candidate for position Y if you currently hold position Z" would also work against "career politicians".

    84. Re:The cloud by Anonymous Coward · · Score: 0

      Safest of all, a different geological area.

      A different geological area? Does the type of rock under the building really impact backup safety? Safer still might be a different geographical area.

    85. Re:The cloud by Anonymous Coward · · Score: 0

      You really can't blame the tool not making something easy. It's on them to either design off-site backups into their architecture such that it works with their tool, or find a different tool.

      "I'm sorry I crashed into you but I chose the car without brakes" doesn't fly.

    86. Re: The cloud by Anonymous Coward · · Score: 0

      There is a room with a serial killer inside. I show him to you through the glass, I tell you that if you went inside he will probably kill you. You decide to walk inside and are killed but are in no way responsible for your own death. Interesting. How can suicide by cop be considered suicide then?

    87. Re: The cloud by Kaenneth · · Score: 1

      And Prison inmate are considered paragons of morality?

      Talk about moving the goalposts...

    88. Re:The cloud by Swistak · · Score: 1

      How?

    89. Re:The cloud by xaxa · · Score: 1

      Safest of all, a different geological area.

      A different geological area? Does the type of rock under the building really impact backup safety? Safer still might be a different geographical area.

      Maybe he's reminding us it would be unwise to put it elsewhere on the same floodplain, same faultline or under the same volcano?

    90. Re:The cloud by brainnolo · · Score: 4, Interesting

      But since the topic at hand has nothing to do with rape, let's stop with unfitting analogies. A company that is offering HOSTING must have a solid backup plan and security policies in place. Otherwise, even if the criminal who attacked them is solely responsible for the act, the attacked company is 100% responsible in front of their clients, just as it should be.

      In the business world being totally incompetent to offer the service you want to offer is not justified. It has nothing to do with rape, burglary or anything else, really.

    91. Re:The cloud by Anonymous Coward · · Score: 0

      A car which makes not crashing into people difficult is not a good car, and choosing it is a mistake. We're judging the tool and the idiots who chose to use it. The convenience of managing a complex system of servers and backups in the cloud through a single interface makes mistakes of the sort that killed Code Spaces much too easy.

    92. Re:The cloud by St.Creed · · Score: 1

      They were a business taking other people's data, and those people entrusted them with its safekeeping.

      If my bank accepts my valuables and stores them, they're legally and morally responsible for taking reasonable precautions. Piranha moats are probably out, but vaults with timed locks are not. If the bank doesn't put locks on the doors and leaves the vault open then yes the thief is responsible for the theft, but the bank is responsible for the theft *succeeding*.

      Same here. While the attacker is an asshole and responsible for extortion and destruction of property, it's the company's unsafe practices that allowed this to succeed and be more than a minor disruption of service. And having full control over *all* data AND their backups from one single, internet-accessible control panel is not just unsafe, but idiotic. It sounds like this company was started by some kids that liked to "play business" or a bunch of finance managers with a nephew that "did something with computers". But not by serious sysadmins.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    93. Re:The cloud by Cacadril · · Score: 1

      I think much of this discussion misses the point. The company did have offline backups. However, they had an insufficient threat model. Their threat model probably included such disasters as disk crashes, software errors wiping the data, regular hacker break ins, and a row of other similar mundane threats.

      If you want to compare with scantily clad girls in the park at 2 AM, I think this is more similar to the girl who wore long robes and arranged for a friend to go along, but was shot to death by a mugger. Of course she should have carried a helmet and a bullet-proof jacket.

      The point is that this enterprise met an aggressor way out of the ordinary. It's a low probability, high consequence event.

      That said, they should have done a few things that cost little to do (unlike carrying helmets and bulletproof jackets in the metaphorical case), and this is an opportunity for the rest of us to learn from their bad luck and to think over and discuss what exactly those few things should have been.

      It would also be interesting to find out if they could have handled the attempted recovery differently. Should they have disconnected the entire site from the internet, and done the recovery purely on-site?

      --
      There is no substitute for common sense. Especially, no body of rules will do.
    94. Re:The cloud by Anonymous Coward · · Score: 0

      Are you still salty over that? It was months ago. So you purposefully misinterpreted someone's argument, failed to grasp a simple concept multiple times, and approached a complex concept with all the finesse of a child playing with GI Joes. NBD, it happens, let it go and move on.

    95. Re:The cloud by St.Creed · · Score: 1

      Or they blame the victim because the victim made some seriously stupid decisions. Such as in this case.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    96. Re:The cloud by Anonymous Coward · · Score: 0

      but if it ever happens, I hope she spills entrails on the sidewalk.

      And goes to prison for murder or assault with a deadly weapon. She'll get sued if the attacker lives, too. LOL!

      Fag. You misspelled "a lot" too.

    97. Re:The cloud by Anonymous Coward · · Score: 0
    98. Re:The cloud by TheCarp · · Score: 1

      > What will you do when she gets assaulted in a place or situation she didn't expect to, from a person she never expected it of?

      I will be mad. I really don't know how to answer that better. What would I do if she expected it and was overpowered? What would I do if she expected it, but they had a gun? What if what if? The end result is the same either way. Thing is, nobody gets to choose whether or not they will be assaulted, only whether they watch out or what they do when it happens.

      > Blaming the victim in that instance is like adding insult to injury--and that's what generally happens.

      Who said blame? I never said blame. Can a person not recognize that they could have done better without blame coming into it? It's not a matter of blame, it's a matter of recognizing that some things carry more risk than others.

      I mean fuck, I used to (and plan to again once I get a few minor technical/financial issues sorted) ride motorcycles. 80% of riding a motorcycle is looking out for risks. Should I have to worry about car doors flying open or assholes swerving into my lane without looking? No I really shouldn't, but you know what....that's not much consolation when you are laid up in a hospital bed or casket.

      So you know what, when on a motorcycle, I pay extra attention to things car drivers gleefully ignore with abandon because being right is less important than being alive.

      --
      "I opened my eyes, and everything went dark again"
    99. Re:The cloud by spire3661 · · Score: 1

      I have spent considerable time and expense co-locating and properly backing up my personal photographs and other data. I also still burn them to optical disc just to have a copy that isn't on a hard drive. I spent hours discussing on Slashdot what the best practices are. As a HOME user, I am co-located, with offline backups on disparate media. I couldn't imagine running a business without AT LEAST that level of backup.

      Go ahead excuse morons, but I wont.

      --
      Good-bye
    100. Re: The cloud by Anonymous Coward · · Score: 0

      Insurance covers stupidity.

    101. Re:The cloud by Jane+Q.+Public · · Score: 1

      Single account to rule them all......the best approach is the separation of concerns (user management, server management, backup / restore, etc.) so that it is a lot harder to compromise everything.

      Yes, and no.

      The BEST approach is to back up your stuff in more than one place. Then if everything disappears... voila! You just put it back once your server is straightened out.

      I am currently working on some web projects. We take regular snapshots of our code AND data, and keep backups not just online, but also offline in 2 different countries. And all sensitive data is well-encrypted.

      And you know what? Not only is it not hard to do, it hardly takes any time.

    102. Re:The cloud by roc97007 · · Score: 1

      Yes. I was specifically thinking of earthquakes. If you live in an area prone to earthquakes, try to have a set of backups in an area not prone to earthquakes. (Even if it's prone to some other, unrelated type of disaster.)

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    103. Re:The cloud by Anonymous Coward · · Score: 0

      Agreed. I'm not sure I would even call it off-site backup if it can be accessed and erased from the central system.

    104. Re:The cloud by Anonymous Coward · · Score: 0

      ...So no, you shouldn't be telling people to live in fear, or that it is somehow required for them to put reacting to crime, or giving up their freedom by reacting to it in the way you would desire them to. It is their prerogative, and theirs only, if they will continue to live their own life with their head held high, or cower in fear...

      Your argument against condemnation of other's prerogatives regarding expectations of self protection falls down when you're talking about a company that claims to do otherwise. If Code Spaces Hosting claims to be a "secure cloud service" then the purveyors of said service are expected to act in a way that is consistent with that assertion, regardless of their personal views on the sociological implications of living in fear of attack.

      In other words, if you walk down a dark alley waving a $100 bill in the air and get mugged, that's one thing. If you're carrying your friend's newborn baby and do the same... that's irresponsible and unacceptable, despite your prerogative to hold your head high and not live in fear. In that situation, much like Code Spaces Hosting, you have a greater responsibility that requires you to consider the ramifications of your actions beyond yourself, namely, the things to which you've been entrusted to hold secure.

      It's called being an adult in the real world.

    105. Re:The cloud by Anonymous Coward · · Score: 0

      Quite fucking easily. Assuming EC2, either/or:

      1. Change security groups to disallow some/all traffic.
      2. Set up ACLs to disallow some/all traffic.
      3. Change public IPs or disassociate all public IPs from all running instances or load balancers. You can use the Java terminal for shell access from inside VPC (private LAN) you setup.
      4. Do all of the above and use a VPN back to your VPC (private LAN).

      There are probably a number of other ways, but this is what I know being an amateur running a minecraft server for his friends on EC2. Costs me $6 a month in spot pricing. It seems I know more than the operators of this commercial site.

      And BTW, multiple users are set up in the IAM section. The fact they didn't check this section for user accounts and lock out all of their access says a lot. They probably only changed the root account password (which shouldn't be used except for checking/changing billing info).

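To make the two failure modes in the comment above concrete (backdoor logins created alongside the real one, and a whole fleet of instances, volumes and snapshots deleted from the same panel), here is an IAM policy a production account could attach to its administrator group. This is an added example, not something the commenter or Code Spaces published; the office network 203.0.113.0/24 is a placeholder documentation range and the action list is illustrative, not exhaustive. The first statement denies credential creation and the destructive actions unless the caller authenticated with MFA; the second denies everything from outside the office network, while exempting calls AWS services make on your behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBackdoorCredentialsAndDestructionWithoutMfa",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile",
        "iam:AddUserToGroup",
        "iam:AttachUserPolicy",
        "iam:PutUserPolicy",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice",
        "ec2:TerminateInstances",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeregisterImage",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyUseFromOutsideTheOfficeNetwork",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    }
  ]
}
```

Two caveats a practitioner would want. The account root user is exempt from every IAM policy, so root needs a hardware MFA token and must stay out of daily use, exactly as the commenter says; an attacker who already holds root can simply detach this policy, which is why the copy that matters has to live under credentials the production account never holds. And `BoolIfExists` on `aws:MultiFactorAuthPresent` treats long-lived access keys (which never carry MFA) as "no MFA", so automation that legitimately needs these actions must run under instance roles or separate, narrowly scoped identities that do not receive this policy.
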
    106. Re:The cloud by zeugma-amp · · Score: 1

      But hey maybe I am odd, I don't say "don't wear that" I say "don't forget your knife"

      Because its true, she shouldn't ever have to use it, and I hope she never does.... but if it ever happens, I hope she spills entrails on the sidewalk.

      100% agreement. Well said.

      --
      This is an ex-parrot!
    107. Re:The cloud by TheCarp · · Score: 1

      > There is a continuum of possible impact reasonable self-protection can provide, from cases where shit happens
      > and it wasn't preventable, to cases where an action of the victim directly causes the problem.

      Yes. And if you listen to anyone who has familiarity with non-domestic assaults, muggings, rapes, etc, its commonly pointed out that criminals have profiles that THEY use to identify victims. Just the act of paying attention to your surroundings, where you are, who is around you, whats going on, just that is often enough to get them to decide you are not a good target.

      Its like dealing with a predator animal, if you act like easy prey, they are more likely to treat you like easy prey.

      --
      "I opened my eyes, and everything went dark again"
    108. Re:The cloud by TheCarp · · Score: 1

      No I didn't, that is a common spelling. Don't blame me because your vocabulary is incomplete.

      --
      "I opened my eyes, and everything went dark again"
    109. Re:The cloud by i+kan+reed · · Score: 2

      To an owner planning is identical to cost.

    110. Re: The cloud by Penguinisto · · Score: 1

      See, the lions are generally not considered to be moral actors.

      Neither is a rapist. Your point?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    111. Re: The cloud by seebs · · Score: 1

      I think it's very much that, in this particular case. The anon didn't say that women should be in some way responsible for choices like "walking alone in dangerous neighborhoods at night", but for how they look or dress. That's... actually not at all justifiable. I am okay with suggesting that people ought to lock their houses, learn self defense, and so on, because in practice they ought to. I'm less okay with saying that if they fail to do so, that makes it their fault if they get mugged, raped, or otherwise attacked.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    112. Re:The cloud by Anonymous Coward · · Score: 0

      It's unmanaged, cheap hosting. Their support is quite good if you pay for it. There are several tiers. Personally, I like it this way since I don't need their support.

    113. Re:The cloud by david_thornley · · Score: 1

      The company is a victim, because the people running it did stupid things. The company's customers are victims, because they trusted a company to do what it said it would. There's a difference here.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    114. Re:The cloud by david_thornley · · Score: 1

      Do women who dress provocatively get raped more? I'd like to see some evidence for that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    115. Re:The cloud by david_thornley · · Score: 1

      I've also read that a rape victim may accept some responsibility as a way of coping. If it's completely not her responsibility, then she had no way to prevent it, and it could happen again at any time. If it's partly her responsibility, then she can feel safer by doing things differently. People like having some control of their lives, and particularly some ability to avoid future traumatic experiences.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    116. Re:The cloud by david_thornley · · Score: 1

      My definition: a backup is a copy of something that won't get destroyed by the same thing that destroys the original. In this case, the originals and backups could be destroyed from the same place. I'm not impressed.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
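
One way to satisfy the parent's definition on AWS, as an added example that is neither the commenter's nor Code Spaces' own configuration: a bucket policy on a versioned backup bucket held in a second AWS account (222222222222, hypothetical). The production account's backup role (111111111111, hypothetical) may add objects and list the bucket, but nobody except a break-glass role that exists only in the backup account may delete objects or versions, delete the bucket, turn versioning off, add a lifecycle rule, or rewrite this policy. On a versioned bucket an overwrite only adds a version, so a credential stolen from production can fill the bucket but cannot empty it, which is the property the original and the "backup" both lacked in this story.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProductionBackupRoleMayOnlyAddObjects",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/backup-writer" },
      "Action": ["s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::codespaces-offsite-backups",
        "arn:aws:s3:::codespaces-offsite-backups/*"
      ]
    },
    {
      "Sid": "NobodyButBreakGlassMayDestroyOrWeaken",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::codespaces-offsite-backups",
        "arn:aws:s3:::codespaces-offsite-backups/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::222222222222:role/backup-breakglass"
        }
      }
    }
  ]
}
```

The writer role's own identity policy in the production account must also grant `s3:PutObject` on this bucket for the cross-account write to succeed, and the bucket needs versioning enabled before the policy is applied. The one principal this cannot constrain is the backup account's root user, which can always remove a bucket policy; that root login is therefore the single credential to keep offline with a hardware token, and it must not be the same root as the production account, or the separation is cosmetic. This buys independence of the control plane, not of the medium: it does not replace the offline copy on different media that earlier comments argue for.
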
    117. Re:The cloud by dnavid · · Score: 1

      When you say this had nothing to do with the "cloud" do you mean gases in the atmosphere? If not, what the hell is the difference between the "cloud" and amazon hosted services? Also, if Amazon is unable to offer a "real support team" who the hell can?

      I think he means the problem wasn't that the systems were hosted in a cloud environment, so you can't blame the cloud. The problem was that Code Spaces deployed their systems without a dedicated systems management and security team, and without using a service provider that could have provided one. If the systems were hosted in AWS but with integrated systems management and security protocols in place, this problem may not have had catastrophic consequences. Conversely, if Code Spaces was a bunch of servers in some racks in an office building instead of hosted in the cloud, the problem could have still been about as severe without those management protections.

      However, I will say that physicality does have some intrinsic protections that virtual hosting in the cloud lacks, although even those tend to be last resort elements. For example, if the stuff was a bunch of real servers in a real location that was dedicated to Code Spaces and not shared with anyone else, they could have just pulled the plug on networking or even power, an option that is straightforward for conventional dedicated systems and often difficult or impossible to simulate with shared hosted or cloud-based systems (particularly on the hypervisor or cloud control side). One of the things I tend to strongly recommend to people contemplating deploying public or private clouds is to work out well ahead of time an incident response plan that includes as its last resort how they would kill all access to the system for a period of time to allow them to gain control of a fast-moving situation. Kill as in stop all servers, shutdown everything running, and even suspend all access to the hypervisor or cloud control systems. Kill everything, and kill everyone's access to change anything. Basically, the cloud equivalent of pulling the power on the entire building. If you can't do that, you had better have one stellar incident response team.

    118. Re:The cloud by Anonymous Coward · · Score: 0

      I wish your wife all the best, but beware using a knife (or any other implement of self-defense) without training. They are not magic talismans and escalate situations (even if that escalation is only an equalizing of power) - many times the predator does not want to be in an escalated situation and leaves forthwith; when the predator is OK with the escalation it is imperative that the victim is able to act decisively. Knives make that difficult (in all situations, even with a trained person given their necessary closeness), guns make that difficult as well, but, when properly trained and applied, are far more likely to prevent the victim from being victimized. If you aren't able to provide a gun (or be willing to use knife, hands, feet to intentionally injure with intent to kill) please rethink why and how you (or your wife) are carrying implements of self-defense.

    119. Re:The cloud by Kjella · · Score: 2

      I don't think that was a money thing, rather it was an oversight of risk management. (...) Besides, where does this "blame the victim" attitude always come from?

      Because it's pretty hard to criticize/discuss/improve someone's risk management without at the same time assigning part of the blame to them. I mean if I was entirely without fault that means I did nothing wrong which means I don't have to change my ways, yet here you are arguing I should take greater precautions which means I did do something stupid which means it's partly my own fault right? It's pretty hard to say that you could and should avoid danger, yet it doesn't matter if you sought and exposed yourself to danger instead.

      If we forget all about rapists and imagine I was struck by lightning, you'd probably say it was a freak accident. If you heard I went to the highest vantage point nearby with my kite during a thunderstorm, you'd probably call me pretty damn stupid and say I did a great job of bringing lightning down on myself. Are you really not going to ridicule me if I fall for a 419 scam with a Nigerian prince? That one involves being exploited by another person too, are you sure you won't put any responsibility on my shoulders?

      I know I'd blame myself if I left my laptop visible in the car and it got broken into, not because it was broken into as such - that happens - but because I made it so much more likely it was my car getting broken into. It doesn't mean I deserved it, it's still 100% the thief's fault for stealing it but somehow my inner statistician is screaming something about conditional probability. And I don't choose the risk factors, the thief decides that a visible laptop makes it interesting. The rapists decide if mini skirts are a risk factor, not the potential victims.

      No, it's not just but it's about not becoming the victim in an unjust world. And even if the perpetrator is caught and punished so justice is served it doesn't restore my health or life or trauma that another person is now in prison. I don't want any shit like that to happen to me nor anyone I care about, so I don't think I can help sending out mixed messages saying both "it's not your fault" yet "try harder not to become a victim". If you got a means that doesn't rub anyone the wrong way, I'd love to hear it.

      --
      Live today, because you never know what tomorrow brings
    120. Re:The cloud by Anonymous Coward · · Score: 0

      Who's excusing morons? Choosing the wrong tool doesn't absolve them of blame.

    121. Re:The cloud by Anonymous Coward · · Score: 0

      Your wife is stupid to use a knife. She is more likely to cut herself trying to fend off an attacker or lose the knife and have someone opportunistically slice her up. Take that knife away from her now. Replace it with a dog.

    122. Re:The cloud by Anonymous Coward · · Score: 0

      He used the word "suggest" not "order" or "force" - so I have to say that you are wrong in this instance.

    123. Re: The cloud by Anonymous Coward · · Score: 0

      Ever heard of "Buyer Beware"? Trusting humans is not a smart thing to do...never has been. Assuming they're moral is equivalently erroneous.

    124. Re:The cloud by Darinbob · · Score: 1

      But they had backups! In the cloud!

    125. Re:The cloud by Anonymous Coward · · Score: 0

      However, when my wife clips a knife on her belt before going for walks at night, when she tells me what streets she avoids at night because she knows its where alot of the rapes are reported.... it makes me think I married a smart girl.

      it makes me think, "What part of hell are you from?"

      It reminds me of the skit about the haunted house Eddie Murphy did in Delirious. When you hear a voice that says get out, you get the fuck out.

    126. Re: The cloud by Anonymous Coward · · Score: 0

      it's just that neither of those can ever be, in any way, a justification for rape

      maybe not to you and me, of sound mind, maybe. But to that person that has that look in its eye, well, guess who looks more appealing? Scantily clad is a phrase that holds a very real meaning.

    127. Re:The cloud by Anonymous Coward · · Score: 0

      You have the obligation to act in good faith in business deals. If you say you have backups and are secure, you'd better be backed up and secure. This was a series of horrible mistakes and they were the victim, yes, but hell yes, the business was promising something that at a basic level was untrue. If I had lost all my data (and who would rely 100% on the cloud!?!) I would go after them till they cried.

    128. Re:The cloud by Darinbob · · Score: 1

      Some of it is too much trust in the marketing. Amazon cloud services _sound_ like a great idea, same as any marketing that is trying to sell you something. More skepticism helps, as that can lead to adding in risk management as part of the plan.

      This should also happen at Amazon and other cloud services thingies; make sure there's a good risk management plan, allow the customers to call up (even with video so you can see their faces) and have an account locked down, have off-site backups that can't be erased automatically, and so forth.

    129. Re:The cloud by Darinbob · · Score: 2

      I think the offsite backups were not their own offsite backups, but managed by Amazon. Which is really not what I would consider an offsite backup.

      "where's your data"
      "in the cloud"
      "where do you keep your backups"
      "um, in the cloud..."

    130. Re:The cloud by HiThere · · Score: 1

      In this case I think it's people going:
      Now let's see...if I was setting up that kind of a service, how could I avoid that problem.

      Mind you. your comment about hindsight was dead accurate, but I don't think it's exactly "blame the victim", more "How could I avoid being the next victim?".

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    131. Re:The cloud by Darinbob · · Score: 1

      But people should realize that criminals exist, and further that there may be non-criminal related disasters. If you're going to build a business, make sure it is not based upon a single point of failure; you need to make sure that not even a member of your own staff can destroy the business.

      Sure, you don't blame the victim for committing the crime, but that doesn't mean that victim shouldn't have locked the door.

      (the minidress doesn't matter one bit, it's the walking around in the park at 2am that's the problem, rapists aren't encouraged by the style of dress but the opportunity and desire for dominance; rapes are not restricted to hot chicks in sexy clothes)

    132. Re:The cloud by Darinbob · · Score: 1

      Sure you can sue the victim. Bank gets robbed and it turns out they forgot to turn on the security alarm at the end of the day, then hell yes they can legitimately be sued. If I put my money in a bank they absolutely have an obligation to make a good faith effort to protect that money rather than a half assed attempt.

    133. Re:The cloud by Darinbob · · Score: 1

      Wait, that's the same combination I have on my luggage!

    134. Re:The cloud by Darinbob · · Score: 1

      Blaming a victim often implies that there's only one victim. In this case the customers of the web site are also the victims, they're a victim of poor security practices of the first victim. So the rape analogies are just way off base here.

    135. Re:The cloud by Anonymous Coward · · Score: 0

      Well I use a longer password so I know I'm safe.

    136. Re:The cloud by stoborrobots · · Score: 1

      Besides, where does this "blame the victim" attitude always come from? It's ridiculous.

      Different analogy: if you walk across a known-to-be-landmined field, who is to blame? The person who put the landmines there 30 years ago, the person who left the gate unlocked last night, or you?

    137. Re:The cloud by Anonymous Coward · · Score: 0

      No, this is nothing like saying "wearing scantily clad clothing means a woman deserves to get raped"

      The correlation between women showing off their body and being raped is much higher than the correlation between having a single account and it being hacked via password guessing / secret question guessing.

    138. Re:The cloud by vux984 · · Score: 1

      All that presupposes you do this and the hacker never gets in.

      But

      a) once the hacker is in they can do all that, they can change the billing info, they can change the ACLs to lock you out too, etc.

      b) It's clearly more sophisticated to both prevent a hacker getting in and knock them out once they are, making the cloud riskier than more traditional methods of hosting.

    139. Re:The cloud by vux984 · · Score: 1

      Thus, it wasn't the cloud's fault....it was Code Spaces' fault for not having the proper infrastructure.

      Nobody is "blaming the cloud". The cloud is just inherently riskier.

      You need to set up more sophisticated infrastructure up front to keep someone out, because you can't fall back to "pull the plug on them".

    140. Re: The cloud by I'm+New+Around+Here · · Score: 1

      Not if they don't have to.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    141. Re: The cloud by kwbauer · · Score: 1

      Not asking for it but intentionally putting herself into a dangerous situation.

      Please answer this. If you have a teenage daughter, do you teach her about being careful about putting herself into dangerous situations, or do you simply tell her to do whatever she wants because if something bad happens, the perpetrator will be punished after it's over?

    142. Re: The cloud by kwbauer · · Score: 1

      Again, we are saying that the rapist should go free or his sentence be lessened because the victim's provocative dress should be considered a mitigating circumstance.

      We are saying that bad people exist and people should act accordingly. Dressing provocatively and walking alone in certain areas at certain times may lead to undesirable things happening, so we should counsel women to consider not doing it for their own safety. An ounce of prevention and all that.

    143. Re: The cloud by kwbauer · · Score: 1

      Correction: NOT saying that the rapist should go free...

    144. Re:The cloud by Anonymous Coward · · Score: 0

      As an aside, part of the problem here is that nobody's family jewels were hanging out there at all. Part of the problem in the modern corporate world is that there's no real liability. Why would any employee of XYZ Corp ultimately care if, due to a low-probability technological or security failure, the company goes under and costs their customers millions? Worst case the company folds up and files for bankruptcy and the clients get to fight each other in court for their shares of whatever corporate assets remain (if any! in many tech startup cases, all that's left is debt liabilities). The employees just go find new jobs at ABC Corp and keep drawing paychecks. For private companies all you can do is take back what cash/assets the company has on hand and let it vaporize. For publicly-traded companies, they're only worth, at most, the value of driving their stock price to $0. It can't go negative even if, by virtue of the employees' irresponsibility, the corporation is effectively in the red because they caused far more harm than any profits they ever made.

    145. Re:The cloud by kwbauer · · Score: 1

      Please don't tell me you work for a security firm or Brinks or anything.

      Have you ever wondered why they call them "armored trucks" and don't simply deliver all that cash in a family sedan or keep the vaults locked at night in a bank? Their insurance companies require them (have placed them under an obligation) to do all they reasonably can to prevent theft (a crime in most jurisdictions).

      I would also argue that all parents have two moral obligations in this area as well. First, they are morally obligated to not put their minor children in situations where they reasonably believe a crime might be perpetrated against them. Example: Don't hire the serial, self-confessed child rapist as a baby-sitter. Second, they are morally obligated to teach their children not to harm others (harming others is frequently a crime).

    146. Re:The cloud by kwbauer · · Score: 1

      Only an uncivilized society would charge a victim with a crime for defending themselves.

    147. Re: The cloud by lucm · · Score: 1

      There is a room with a serial killer inside. I show him to you through the glass, I tell you that if you went inside he will probably kill you. You decide to walk inside and are killed but are in no way responsible for your own death. Interesting.

      This is pretty much the Ingrid Betancourt story, with the exception that she survived and is now called a heroine.

      --
      lucm, indeed.
    148. Re:The cloud by kwbauer · · Score: 1

      Or we try to learn from mistakes the victim made so that maybe we can all (including the victim) not make the same ones in the future. Granted, that might not be all who appear to be "blaming" the victim but I'll assume that it is a significant percentage.

      We also have to remember that there were two victims: the hosting company and the customers of the hosting company. If the hosting company made representations that they had proper security and backup procedures in place and didn't, then yes their customers can blame them for any losses suffered by the customers.

    149. Re:The cloud by kwbauer · · Score: 1

      Well, only if she was the victim of the very first mugger ever or that this was the very first mugging ever to have happened in said town. If said town was full of muggers in said park during the hours of midnight to sunrise, then possibly the precautions you mention might have been reasonable.

      To offer a hosting company analogy to the mugging analogy... If this was the first time that a cloud provider had ever been attacked then maybe the hosting company had taken all reasonable precautions. If, however, other similar attacks had previously been committed against other cloud providers and information about such attacks and ways to reduce exposure to them had been widely available early enough for the hosting company to have known this hypothetical information and to act on it and still ignored them, then maybe the company is partially to blame (in the eyes of the hosting companies customers).

    150. Re:The cloud by rtb61 · · Score: 1

      As a hosting company, security is their responsibility; they got penetrated, their fault. When you claim to provide security and you fail, it is your fault. They are not victims, they are professionals who failed to provide the service they claimed to provide, secure hosting.

      --
      Chaos - everything, everywhere, everywhen
    151. Re:The cloud by Noah+Haders · · Score: 1

      I don't know anything about the security and backup practices other than what I read in the summary, but I'm sure that the industry has "standards of care" which define what reasonable precautions should be taken, and it would be a matter for a lawsuit whether or not the company lived up to the standard of care or if they didn't and should be liable for damages. It would be unsurprising if a startup went broke before they could pay any damages, and if the case turns out to be that the owner fled in the night, then he'll be tracked down and sued personally. It's a non-story.

      The interesting part is about the criminal. First he hacks in and tries to extort money. That at least is rational. He wanted an easy buck, he saw an opportunity, so he went to take what he could. But in this case, when the guy couldn't get his money, he went in and destroyed everything. It's like somebody who breaks into a bank and burns all the money. What kind of person does that? It's irrational and the sign of a fundamentally unbalanced person.

      Put it another way, pardon the rush to extremist analogies. It's reasonable to expect a bank to take precautions to keep all the money safe, but is it reasonable to expect them to protect against people walking in and shooting up the place? Not to take money, but just to take lives and cause destruction. Some may argue that banks are high value and should plan on being secure from any threat. OK, then what about schools? Or a playground? Or a McDonald's? When you're dealing with people who are ready to burn things down, you can't prepare for or defend against that. And that is scary.

    152. Re:The cloud by Anonymous Coward · · Score: 0

      Actually that's the problem. You can't get hacked if your computers are off the internet. The fact they hadn't taken themselves down and backed up indicates that they were using virtual servers which they couldn't physically intervene on.

    153. Re:The cloud by tigersha · · Score: 1

      I agree. Whenever some hacker whackjob here destroys things /. always goes into "blame the victim" and "they should have had better security" and "hackers can do whatever they want because they are attacking 'the system'". No. Screw the hackers. I am fully for the British government's idea of making the punishment proportional to the damage caused which would basically entail life-long imprisonment. Actually I am all for the death penalty for serious hacking and virus cases. Start shooting the bastards.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    154. Re:The cloud by tigersha · · Score: 1

      No they should not go to prison for a long time. They should be shot.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    155. Re:The cloud by Anonymous Coward · · Score: 0

      All that presupposes you do this and the hacker never gets in.

      But

      a) once the hacker is in they can do all that, they can change the billing info, they can change the ACLs to lock you out too, etc.

      b) It's clearly more sophisticated to both prevent a hacker getting in and knock them out once they are, making the cloud riskier than more traditional methods of hosting.

      No. If you follow Amazon's guidelines you should have verifiable ID that the hacker can't get by hacking your account (and did this company use recommended multi-factor authentication for their account?). And you can get Amazon to pull the plug completely for you, regardless of ACLs and hacker access. Which is just the same as calling your co-location datacenter and asking them to do it (unless you are arguing that the only viable solution is to have your server right next to you).

    156. Re:The cloud by Anonymous Coward · · Score: 0

      Nobody has any obligation to prevent crime. Nobody.

      People are only responsible for acting in a legal manner themselves.

      You clearly have no understanding of the legal concepts of 'negligence'...

    157. Re:The cloud by hawkinspeter · · Score: 1

      Even worse, they claimed to have offsite backups which they clearly didn't have.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    158. Re:The cloud by Anonymous Coward · · Score: 0

      b) It's clearly more sophisticated to both prevent a hacker getting in and knock them out once they are, making the cloud riskier than more traditional methods of hosting.

      If you really believe it requires less sophistication to prevent hacker access and kick a successful hacker out when you manage your own physical server, I hope you don't manage anything important on that server.

    159. Re:The cloud by Anonymous Coward · · Score: 0

      Yep, can't beat those online backups for speed of restoration and total destruction of everything ability. JC, even I know to keep a duplicate, at least one but preferably more, offline. FFS, some people just ask for trouble. Still, that's the cloud mentality these days - "with so much uptime that'd just cost me more and for what?". Business continuity I guess.

    160. Re:The cloud by Anonymous Coward · · Score: 0

      This has everything to do with the cloud. They couldn't just pull the network and access it locally like they could an onsite system could they? To anyone stating Amazon can isolate the system etc etc. - not as fast as I can pull connectivity on something in-house. Cloud schmoud.

    161. Re:The cloud by TheCarp · · Score: 1

      Even in nice places bad things happen, and college towns sometimes attract certain kinds of scumbags, despite being otherwise pretty good and safe places to live, if you don't mind the occasional loud music or puke on the sidewalk.

      --
      "I opened my eyes, and everything went dark again"
    162. Re: The cloud by godefroi · · Score: 1

      How about extortionists? Are they moral actors? I don't see how going from extortion on the internet to rape of a woman isn't shifting the goalposts.

      I think Q put it best, when he said, about the internet:

      "It's not safe out there. It's wondrous, with treasures to satiate desires both subtle and gross. But it is NOT for the timid."

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    163. Re:The cloud by Anonymous Coward · · Score: 0

      No, as a customer of theirs. Yeah, it sucks. I had a backup of the main app rep. slightly dated. But it's a big friggin hassle. Now going to set my own up that is only accessible in my office or via VPN. It's just another thing on my todo list.

    164. Re:The cloud by Anonymous Coward · · Score: 0

      Good thing people hosted their stuff on the cloud...

      yeah, because we all know that hackers can't get into servers people manage themselves..

      Nope. But you can always pull the plug like now. No "your call is very important to us." Also being on Amazon or other big cloud platform makes you a bigger target more likely to get noticed.

    165. Re:The cloud by lsatenstein · · Score: 1

      But that would have cost the company a little more money.

      Sometimes there just isn't that little more money. And what commercial/financial value does Codespace have/had?

      --
      Leslie Satenstein Montreal Quebec Canada
    166. Re:The cloud by Anonymous Coward · · Score: 0

      There was a woman who went to the ER, was sent up to imaging and was raped by the tech. Women are raped by cops all the time. There was a woman who called the police for a domestic dispute, was taken to a hotel by a cop and raped. Elderly 80-something-year-old women are raped in home invasions. Women are raped by family members. It can happen anywhere, to anyone, at any time, and acting like it's a woman's fault for not being careful enough is really stupid.

      Imagine you get hit by a drunk driver when you're in the crosswalk with the right of way and all of these people tell you that you should have been watching out for drunk drivers, you should have dodged the car, you should have guessed that he would hit you, you should have even shot him before he managed to hit you, you should have been in a car. Doesn't that sound kind of insane? Like they're expecting you to have superpowers and omniscience instead of just blaming the drunk driver who hit you?

      Not everyone has a choice about where they live or their exposure to crime. Are you going to tell some girl who lives in the ghetto that if she didn't want to be gangraped that she shouldn't live in the ghetto?

    167. Re:The cloud by TheCarp · · Score: 1

      Am I? No and I don't see why you would even ask that.

      Did I once talk about blame or fault? No; and I would appreciate you not trying to put words in my mouth thanks.

      The world is what it is and that is not and never will be one of perfect safety. Blame is 100% on the attacker but, blame doesn't fix anything. Blame doesn't prevent attacks. However, mindfulness of one's situation can prevent a lot of situations...even ones that would have been someone else's fault.

      Should I, as a motorcycle rider, avoid staying too far to the right where a car door could open in front of me? Or is it enough to know I can blame the car driver for not looking before opening his door? Law says he is wrong....so that should totally fix any injuries I might sustain. Right? That's how it works in your myopic little world, eh?

      --
      "I opened my eyes, and everything went dark again"
    168. Re:The cloud by Anonymous Coward · · Score: 0

      Good thing people hosted their stuff on the cloud...

      yeah, because we all know that hackers can't get into servers people manage themselves..

      Nope. But you can always pull the plug like now. No "your call is very important to us." Also being on Amazon or other big cloud platform makes you a bigger target more likely to get noticed.

      Disregarding that you can do the equivalent of pulling the plug on Amazon too, exactly how does hosting your service on Amazon make you a bigger target more likely to get noticed? You have to look pretty close in the first place to find out where you are hosted.

    169. Re:The cloud by Anonymous Coward · · Score: 0

      Sorry, AWS must not have one of the best security systems because it failed to require its use. Therefore it does not. I have a great alarm system, maybe I should turn it on sometime when I leave for a week. Let's face it, users have responsibility for their own data as well (trust no one with your most precious gems). So I hope the true victims, the end-user customers, have their own backups. The companies offering services have responsibility: Code Spaces for what they were selling and AWS for not enforcing the security, and if it costs more for that security, then shame on AWS. Security is the basics, all you can handle, and oh by the way, yes you must use it, or you are not on our systems. For the victims, sue Code Spaces and sue Amazon for all you can get. And if you didn't back up your own data, shame on you, good luck with your next business endeavor.

      Signed - Long Time in IT

    170. Re:The cloud by Anonymous Coward · · Score: 0

      Bad people exist. It doesn't matter if you cry, it does matter if you seek Justice or not.

      Changing your life to accommodate them is ill advised.

      I assume that means you never lock your doors, close your car windows when you're shopping at the mall, or avoid driving through a bad part of town if it would cut your trip shorter....

    171. Re: The cloud by cbiltcliffe · · Score: 1

      See, the lions are generally not considered to be moral actors. Humans usually are.

      You must know a different bunch of humans than I do.......

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    172. Re: The cloud by bitterblackale · · Score: 1

      A moral hacker would not have done this. Yes, that person is a total jerk. However, a moral business would have taken security more seriously. Your bank is responsible for your money, and it's a crime to leave the vault open and unattended. Having bad security practices is no different.

    173. Re: The cloud by Anonymous Coward · · Score: 0

      Not even. Read up on the kidnappings...

    174. Re:The cloud by mtthwbrnd · · Score: 1

      I doubt their T&C stated that they take responsibility for the users data. Most T&C absolve the company from all responsibilities.

    175. Re:The cloud by cwsumner · · Score: 1

      Besides, where does this "blame the victim" attitude always come from? It's ridiculous.

      Different analogy: if you walk across a known-to-be-landmined field, who is to blame? The person who put the landmines there 30 years ago, the person who left the gate unlocked last night, or you?

      Just like the answer to a test, back in school, the answer is:

      D: All of the Above.

    176. Re: The cloud by Anonymous Coward · · Score: 0

      Fail to plan, plan to fail.

    177. Re: The cloud by Anonymous Coward · · Score: 0

      Heard in a bar:

      I wouldn't sleep with you if you were the last man on earth!

      If I was the last man on earth, I wouldn't be asking...It would just be time to start repopulating.

    178. Re:The cloud by HornWumpus · · Score: 1

      The customers are really only victims in a big way, if they didn't keep their own backups. In which case they also did stupid things.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    179. Re:The cloud by HornWumpus · · Score: 1

      You're not a moron.

      I've walked in on a Monday and found the tape changer hard at work backing up the CD tower (this was a long time ago). Hadn't got to dev or live yet.

      Backups should be the last thing handed to a 'new guy'.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    180. Re:The cloud by HornWumpus · · Score: 1

      One party rule?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    181. Re:The cloud by HornWumpus · · Score: 1

      How about: 'If you want to be a candidate for an office that involves writing laws, you must forever give up your license to practice law.' Get to the heart of the problem. Lawyers writing laws to benefit lawyers.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    182. Re:The cloud by HornWumpus · · Score: 1

      When your former employer gets sued and you spend months giving depositions and otherwise wasting your time while not getting paid, you will understand the true cost of working for a chickenshit organization.

      You don't have to be personally liable for lawsuits to splash shit on you. Best bet is to work with competent people. Saves your health too.

      If you are starting out, you might have to take any job. But once they start assigning you responsibility, you have choices. Exercise them.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    183. Re:The cloud by tibit · · Score: 1

      They did have offsite backups, but the credentials required to wipe those backups were the same as the credentials needed to access the live site.

      --
      A successful API design takes a mixture of software design and pedagogy.
    184. Re:The cloud by hawkinspeter · · Score: 1

      If the backups were offsite, then how did they get wiped?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    185. Re:The cloud by tibit · · Score: 1

      They were in an offsite Amazon data center - offsite from the instances running the live site. Still, they are not immutable, if you have right credentials you can erase them. So, if the data center hosting their live instances was wiped out by a tornado, the data would survive in the offsite location. Here a criminal with a password was more powerful than a natural disaster. Of course this was because they used one set of credentials for everything. They shouldn't have.

      --
      A successful API design takes a mixture of software design and pedagogy.
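      The two posts above (the one-credential-for-everything point here, and the earlier one asking whether multi-factor authentication was required on the account) describe an access-control design rather than a product feature, so here is an added illustration. This is a toy IAM-style policy evaluator written for this page; it is not Code Spaces' configuration, not Amazon's policy engine, and the principal, action and resource names are constructed. It contrasts a single all-powerful credential with a split design where the web-operations principal is explicitly denied backup deletion and only a separate backup-admin principal, with MFA present, can delete backups.

```python
"""Toy IAM-style policy evaluator (added example; constructed names, not AWS's
real policy language). Models the failure mode in the thread: one credential
that can both run the live site and wipe the backups, beside a design that
separates those rights and conditions the destructive one on MFA."""

from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: list          # glob patterns, e.g. "s3:Delete*" (constructed)
    resources: list        # glob patterns, e.g. "backup-bucket/*" (constructed)
    require_mfa: bool = False   # only meaningful on Allow statements


@dataclass
class Request:
    principal: str
    action: str
    resource: str
    mfa_present: bool = False


def _matches(stmt, req):
    return (any(fnmatch(req.action, a) for a in stmt.actions)
            and any(fnmatch(req.resource, r) for r in stmt.resources))


def is_allowed(policies, req):
    """Evaluate like most cloud IAM engines: an explicit Deny always wins,
    otherwise any applicable Allow grants, otherwise default deny."""
    allowed = False
    for stmt in policies.get(req.principal, []):      # unknown principal: nothing
        if not _matches(stmt, req):
            continue
        if stmt.effect == "Deny":
            return False                               # explicit deny is final
        if stmt.require_mfa and not req.mfa_present:
            continue                                   # conditional Allow not met
        allowed = True
    return allowed


BACKUP = ["backup-bucket", "backup-bucket/*"]

# Design 1: the single credential that ran everything (what the thread describes).
SHARED = {
    "root": [Statement("Allow", ["*"], ["*"])],
}

# Design 2: the live site's credential can write backups but never delete them;
# deletion needs a distinct principal and an MFA-backed session.
SEPARATED = {
    "web-ops": [
        Statement("Allow", ["ec2:*"], ["live/*"]),
        Statement("Allow", ["s3:PutObject", "s3:GetObject", "s3:ListBucket"], BACKUP),
        Statement("Deny", ["s3:Delete*"], BACKUP),
    ],
    "backup-admin": [
        Statement("Allow", ["s3:*"], BACKUP, require_mfa=True),
    ],
}

# Constructed sample of destructive requests an intruder holding a credential would try.
DESTRUCTIVE = [
    ("ec2:TerminateInstances", "live/web-01"),
    ("s3:DeleteObject", "backup-bucket/2014-06-17.tar.gz"),
    ("s3:DeleteBucket", "backup-bucket"),
]


def blast_radius(policies, principal, mfa_present=False):
    """Return the destructive (action, resource) pairs this principal may perform,
    i.e. what an attacker who captured this credential could destroy."""
    return [(a, r) for a, r in DESTRUCTIVE
            if is_allowed(policies, Request(principal, a, r, mfa_present))]


if __name__ == "__main__":
    print("shared root      :", blast_radius(SHARED, "root"))
    print("web-ops          :", blast_radius(SEPARATED, "web-ops"))
    print("web-ops + MFA    :", blast_radius(SEPARATED, "web-ops", True))
    print("backup-admin     :", blast_radius(SEPARATED, "backup-admin"))
    print("backup-admin+MFA :", blast_radius(SEPARATED, "backup-admin", True))
```

      The point of the explicit Deny on the web-ops principal is that it holds even if someone later attaches a broader Allow to that principal, so a captured live-site credential still cannot reach the backups; the backup-admin path stays usable for legitimate retention work but only with a second factor present.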
    186. Re:The cloud by hawkinspeter · · Score: 1

      That sounds more like an online backup (although geographically distinct) than an offsite backup.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    187. Re:The cloud by Anonymous Coward · · Score: 0

      [snip all the bullshit - look, nothing is left!]

      Talk about bloviating. Shut the fuck up.

  2. Backing up your cloud in your cloud... by QilessQi · · Score: 4, Insightful

    ...doesn't seem to work so well.

    1. Re:Backing up your cloud in your cloud... by gstoddart · · Score: 5, Funny

      Yo dawg, I hear you like clouds.

      --
      Lost at C:>. Found at C.
    2. Re:Backing up your cloud in your cloud... by Anonymous Coward · · Score: 1, Funny

      It's clouds all the way down.

    3. Re:Backing up your cloud in your cloud... by frank_adrian314159 · · Score: 1

      Yo!

      I like big clouds and I cannot lie...

      --
      That is all.
    4. Re:Backing up your cloud in your cloud... by Anonymous Coward · · Score: 0

      It's clouds all the way down.

      So, it's like Jupiter?

  3. Just unplug your server from the internet... by Anonymous Coward · · Score: 5, Funny

    So you just unplug your server's network connection from the internet while you fix the damage... oh. cloud stuff needs constant internet connection? hm. well I guess that's it then. It was an honor to serve with you. BOOM!

    1. Re: Just unplug your server from the internet... by Anonymous Coward · · Score: 2, Insightful

      Well, sounds like they first attempted to fix it themselves using their mad 1337 skills. Amazon cloud is run by adults, and they must have a large staff of top notch security experts. This might sound like Monday morning quarterbacking, but if they really feared this threat, they should have called Amazon so that not only could they put their instance on ice, they might have gotten some help in hunting down the creep.

    2. Re: Just unplug your server from the internet... by BUL2294 · · Score: 1

      Who do you "call" with most cloud vendors? After all, sounds like whoever was doing the DDOS to extort Code Spaces could have also "called" Amazon to do any number of things, as whoever it was had the passwords, other accounts, etc.

      Unless you're one of Amazon EC3's largest customers (e.g. Netflix), you're one of thousands of low-paying customers with rudimentary authentication. Amazon should have an "oh shit" master key that relies on old-school technology, like an RSA number keyfob that the client's president keeps in a locked drawer. That would be the nuclear option. But if something like that were available, it might have cost the client an extra $10/month...

      --
      Windows 3.1x calc: 3.11 - 3.10 = 0.00
    3. Re: Just unplug your server from the internet... by Penguinisto · · Score: 5, Informative

      Who do you "call" with most cloud vendors? After all, sounds like whoever was doing the DDOS to extort Code Spaces could have also "called" Amazon to do any number of things, as whoever it was had the passwords, other accounts, etc..

      I've actually worked with them once - sure someone could impersonate them, but you could just as easily call up, explain the situation, and then prove you're the rightful owner of the account (using info that most script kiddies aren't going to think of gathering in the first place, let alone spoof the original contact phone #.)

      To their credit, Amazon is actually fairly intelligent and responsive, even to small accounts.

      BTW - if you use/handle it right, each instance comes pre-made with a specific SSH auth keyset for root, and you're the only one with the private key (even Amazon doesn't have it) - store/use that as your proof by logging into an instance with one (it's something the script kiddie definitely won't have).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re: Just unplug your server from the internet... by Anonymous Coward · · Score: 0

      Well, if I was just Joe Plumber goofing about on the cloud, I wouldn't have a number to call, but if I was a company with paying customers, and all of the company's working capital stored in Amazon's cloud, I would certainly want to have offline backups, plus a callback number that could be reached in case of a break-in. The same way people secure their houses with commercial security companies.

    5. Re: Just unplug your server from the internet... by ZeroPly · · Score: 1

      Have you worked with service providers? From the time you've dialed their number, what is your estimate of how long it takes to get someone on the line who can lock down an entire corporate account? Remember that there's a big authentication issue there - how do they know it's not a prank call?

      By comparison, I can get to our server center and completely isolate us and all our data from the Internet in under 10 minutes.

      --
      Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
    6. Re: Just unplug your server from the internet... by Anonymous Coward · · Score: 0

      As someone who's never worked with AWS, how do they send you that SSH key? I venture it would eventually be digitally stored on a networked machine.

    7. Re: Just unplug your server from the internet... by rnswebx · · Score: 1

      The funny thing here is that Amazon offers two factor auth with an RSA key (or app for smartphone)

    8. Re: Just unplug your server from the internet... by Anonymous Coward · · Score: 0

      Have you worked with service providers? From the time you've dialed their number, what is your estimate of how long it takes to get someone on the line who can lock down an entire corporate account?

      For services that I have an actual paid business contract with, it is less than 10 minutes, with no hold time and mostly just time spent getting transferred, assuming I didn't have a specific phone number in the first place. If it was some consumer product, then it involves an hour or more on hold, or if a free product involves no phone contact at all. But that wouldn't have mattered much in this case, where the hacker obviously was going to give them time to respond, which is plenty of time to call up the provider and have the access shut down. If the hacker wasn't going to give that time anyway, you would need to pull the plug a lot faster than the time it takes to pick up a phone anyway before serious damage could be done. This does assume you don't have an absolutely bare minimum service provider that doesn't have 24 hour phone service, etc., but then I've seen internal departments that would take a lot longer to get the signatures on a form needed to pull the plug than you would spend on hold even with the likes of a residential cable company.

    9. Re:Just unplug your server from the internet... by Anonymous Coward · · Score: 0

      AWS instances can quite easily be disconnected from the internet at any time. There are multiple ways to do it and still have access to the servers via VPN. IP restrictions work too.

      Derp.

    10. Re: Just unplug your server from the internet... by Anonymous Coward · · Score: 1

      The key is downloaded through the web browser the moment it is created. It cannot be downloaded ever again. It's possible that Amazon has it stored, but unlikely and not relevant to your assertion. There is no need for them to store it.

    11. Re: Just unplug your server from the internet... by Anonymous Coward · · Score: 0

      "like a RSA number keyfob that the client's president keeps in a locked drawer"

      The USA is so broke that Obama is doing key escrow for cash?

  4. I can't think of a better argument... by Lab+Rat+Jason · · Score: 5, Insightful

    for air gapped backups.

    --
    Which has more power: the hammer, or the anvil?
    1. Re:I can't think of a better argument... by Russ1642 · · Score: 5, Insightful

      If your backups are sitting right next to your active files they aren't backups. They're just copies sitting there.

    2. Re:I can't think of a better argument... by Richy_T · · Score: 1

      There may be better ones but this is sufficient all on its own. As the poster above me says, if it's not offline, it's not a backup.

    3. Re:I can't think of a better argument... by CAIMLAS · · Score: 1

      Or for in-house networks.

      Pretty trivial to just pull the cable when your kit has been compromised and you're facing extortion.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    4. Re:I can't think of a better argument... by gsslay · · Score: 2

      Why isn't this standard procedure for all data repositories?

      Doesn't matter how efficient and secure you are, if one person can wipe absolutely everything from one control panel then you have a risk that is not being addressed. And one that isn't even difficult to address.

    5. Re:I can't think of a better argument... by Charliemopps · · Score: 4, Interesting

      for air gapped backups.

      It has to be more than that. We had a policy of air gapped backups that everyone followed. But we had several different sites with several different admins. There was a large hurricane and we found some flaws in the system to say the least.

      In several cases, the backups were kept IN the drive... they were gone.
      In others, they removed the backups, put them on top of the server or in a desk drawer.... gone as well.

      In others, they actually removed the tapes from the site, but often they were taken home by the admin or other staff... in those cases we faired slightly better because both the site and the staff's house would have to be under water. Hurricanes are big however, so we had about a 50% success rate there.

      In some cases they had a safe on site. This proved marginally better... the tapes were safe in most cases. In one instance we had a rather brave admin fly across the country, take a cab out to the site and then literally SWIM to get the tape. But in a lot of cases the tape was OK, but the safe was under water. So we weren't able to retrieve it for days.

      The sites where local admins stored the tapes at local banks faired the best. So now that's our policy. Backups get stored off-site, in a vault. Technology is better now so we also do remote backups across the net now as well in case the bank is under water as well. But no matter what, we can always head to the bank vault. Ok, I guess a meteor would ruin our day, but you can't plan for everything.

    6. Re:I can't think of a better argument... by DoofusOfDeath · · Score: 4, Insightful

      If your backups are sitting right next to your active files they aren't backups. They're just copies sitting there.

      I think that's an oversimplification. They're still backups. They're just not backups against some failure modes that people would have expected.

    7. Re:I can't think of a better argument... by nine-times · · Score: 2

      There was a large hurricane and we found some flaws in the system to say the least.

      That's why you have backups in different geographical areas.

      The sites where local admins stored the tapes at local banks faired the best.

      Have you considered a service like Iron Mountain? They'll send out a truck to pick up your backups every day, if you like, and store it in a very safe location.

    8. Re:I can't think of a better argument... by Anonymous Coward · · Score: 0

      They're backups that would protect you against the most common sources of data loss: fat fingers and disk failures. It's clearly not a backup against theft or the building burning down, but to say that they aren't backups is misleading as they cover you for the most common cases.

    9. Re:I can't think of a better argument... by Charliemopps · · Score: 1

      There was a large hurricane and we found some flaws in the system to say the least.

      That's why you have backups in different geographical areas.

      The sites where local admins stored the tapes at local banks faired the best.

      Have you considered a service like Iron Mountain? They'll send out a truck to pick up your backups every day, if you like, and store it in a very safe location.

      Iron Mountain doesn't serve most of the areas involved. We have dozens of VERY rural sites. Like the top of a mountain, or out in the desert, or along the Mexican border kind of rural. One remote on a mountain gets so much snow build up on it we have a local guy contracted to shovel snow off of it weekly so it doesn't overheat. Another is at the bottom of a canyon on an Indian reservation. The tech has to ride once a week on a helicopter to get to it. In the event of an outage he literally takes a mule down the face of a cliff to get to it. Places like that really do still exist in the United States, as hard as it is to believe.

    10. Re:I can't think of a better argument... by Anonymous Coward · · Score: 0
    11. Re:I can't think of a better argument... by Anonymous Coward · · Score: 1

      This.

      Insurance that doesn't cover tornadoes is still insurance... that doesn't cover tornadoes. You can't complain when you save money on the insurance (by excluding that part) and then get hit with a tornado.

      -Kris

    12. Re:I can't think of a better argument... by Nkwe · · Score: 1

      In the event of an outage he literally takes a mule down the face of a cliff to get to it. Places like that really do still exist in the United States, as hard as it is to believe.

      Good example of a high bandwidth, high latency data transfer.

    13. Re:I can't think of a better argument... by pnutjam · · Score: 1

      I'm considering starting an offline/offsite backup service using flash media and mail, with some other options. Storage would be encrypted and hashed to prevent bitrot. Just curious if anyone has some constructive criticism.

    14. Re:I can't think of a better argument... by Anonymous Coward · · Score: 0

      I hope you fair (sic) better next time.

    15. Re:I can't think of a better argument... by operagost · · Score: 1

      IP over equine carrier?

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    16. Re:I can't think of a better argument... by nine-times · · Score: 1

      The idea has some potential. Figure out the best media for it-- a specific model of external drive that's rugged, high capacity, but also light/thin for cheap shipping costs. Figure out a fitting rotation scheme to keep the price down. For example, if you dropped a new backup in the mail every morning and kept them all offsite for a month, you would need at least 30 drives (ignoring the time it takes to ship the drive offsite and back). That's potentially a lot of money, plus shipping and warehousing costs.

      Alternatively, you could do something where you try to time it so they drop it in the mail at the end of each week, and they receive it back two weeks later-- basically they ship it to you and you almost immediately ship it back-- so then they'd only need 2-3 drives. If you held onto one drive per month for 3 months, and then 3 monthly snapshots per year, indefinitely, then that means you'd need 3 drives to be in the weekly rotation plus 3 for the monthly rotation, plus 3/year for permanent offsite, it means you (or the client) need to buy 6 drives + 3/year. That doesn't seem so bad.

      Like you said, make sure they're encrypted and hashed, not just to guard against bitrot, but to guard against snooping and damage in transport. All in all, that might not be a bad solution for areas that are rural enough that you can't get Iron Mountain, and your Internet connection is too slow to push your backups over the Internet. I don't know how large that market is or how much they'd be willing to pay.

    17. Re:I can't think of a better argument... by pnutjam · · Score: 1

      I'm thinking what you're describing is a small part of the market, which I will probably pursue also. My main thrust is going to be for archival type backups, family photos, legal documents, etc. Things that are stored for years and rarely looked at. I want to start with annual and quarterly plans. I see a lot of potential customers in the sub 32GB market, judging from past restores I've done where clients have almost lost data.

      I also want to offer something for larger data sets, but it would be expensive and hence a limited market.

      Thanks for your feedback. I am working on a pilot site at http://www.o2ark.com/ (probably won't be up for a week or so, but check back if you're interested).

    18. Re:I can't think of a better argument... by nine-times · · Score: 1

      I feel like archival settings might be even trickier. There are two additional problems that jump to my mind.

      First, it would mean you'd want to recheck the hash on a regular basis, and doing that cheaply is a bit of a logistical problem to solve in itself, but it only raises the question: what do you do when the hash comes back bad? The best solution that I can think of is to develop a system where the data is automatically duplicated to another medium and both are checked regularly, and if either one turns up defective, you restore it from the other copy. I don't know if this is what you had in mind, but the best option in this case might be to load all the data from the flash media you receive into your own server and use a filesystem with its own checksumming to prevent bitrot. You could then keep that server backed up effectively and efficiently and reuse the USB keys. All this would increase the complexity of the operation, but probably work better.

      The second problem is making sure clients can manage, find, recall, and decrypt their data once you have it. Imagine I periodically ship a 32 GB drive to you, and eventually I've shipped 20 of them out to you. I'm a good customer, spending a bunch of money with you. Now I go, "Hey, I want this specific file back, but I don't remember what key it's on, and I don't have the decryption key anymore." Yes, if I do this, I'm an idiot, but when you're dealing with customer service for the general public, you're dealing with idiots. So my question would be, how are you going to keep that from happening?

      So there are a couple different problems here. One might already be solved by the software you plan on using to encrypt/hash the data. Does it keep an index of all of these archives that the user can search? Ideally, if you dumped things to a server like I mentioned earlier, there would also be a way for clients to connect remotely and view the contents of their archive, assuming that they have the correct encryption key or password. But then there's a second problem: If you're safeguarding against people losing this data due to a computer crash, fire, flood, etc., how do you make sure they have a backup of that index and the encryption keys? I kind of feel like, now you need a second service that does the same thing, just so I can ship the index and keys to *that* service. Or only require a password and not encryption keys, I suppose.

    19. Re:I can't think of a better argument... by pnutjam · · Score: 1

      Yes, my plan is to move the data to offline servers to perform the checks, probably two to begin with. I would love to avoid both file indexing and storing encryption keys. Which I will try first, that way I can avoid any warrant issues. I don't plan to support incremental backups. I will store multiple volumes, but what's in them is your business. Ideally I would like to rotate out the old volume when a new volume comes in, that's why I am marketing this as archival backup. I suppose I should plan for some multiple set system. Ideally the multiple sets would be onsite and archives would go offsite less frequently. I'm not targeting the backup every week crowd, although I should make an option available.

    20. Re:I can't think of a better argument... by tibit · · Score: 1

      family photos

      sub 32GB market

      My wife's camera has a 32GB SD card, and she fills it up regularly. We have terabytes of family photos, and it's just occasional shooting, she's not much into photography, and those aren't raw files either. I don't think it's a very unique kind of a situation.

      --
      A successful API design takes a mixture of software design and pedagogy.
    21. Re:I can't think of a better argument... by pnutjam · · Score: 1

      Do you use any sort of cloud storage for those? My brother does video production and most of the offsite storage products are prohibitively expensive once you get into that territory.

    22. Re:I can't think of a better argument... by tibit · · Score: 1

      I have my own offsite storage: a few encrypted hard drives distributed among friends. Works great.

      --
      A successful API design takes a mixture of software design and pedagogy.
    23. Re:I can't think of a better argument... by pnutjam · · Score: 1

      Yes, I agree. Obviously you're not my target market.

  5. Whoever pulled this off by Anonymous Coward · · Score: 4, Funny

    would you mind going into ebay.com & deleting my account?

    Ebay refuses to close it.

    1. Re:Whoever pulled this off by sexconker · · Score: 2

      would you mind going into ebay.com & deleting my account?

      Ebay refuses to close it.

      Move to Europe and sue them under your new right to be forgotten.

  6. Well that escalated quickly by ACK!! · · Score: 2

    At least they had backups of their cloud data in a safe place where no random asshat could just go in and waste the data. That is a code hosting company you can trust with your stuff that is for sure!

    --
    ACK /ak/ interj. 2. [from the comic strip "Bloom County"] An exclamation of surprised disgust, esp. i
  7. Well.... by Anonymous Coward · · Score: 0

    A back-up that can be deleted so easily is no back-up at all.

  8. That's a disadvantage of the cloud by Anonymous Coward · · Score: 0

    Definitely a strong reminder to have at least some off cloud presence, unreal to think a hacker could ruin your business by stealing your thunder (cloud).

  9. No offsite backups? by cHALiTO · · Score: 1

    They didn't have offline backups? tapes? I'm not familiar with codespaces service, but how come the backups could be deleted remotely?

    --
    "Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
    1. Re:No offsite backups? by gstoddart · · Score: 5, Insightful

      No, because it was all in Amazon. Who needs tape when you have the cloud, right?

      So the stuff they had backed up from Amazon to Amazon, was still controlled by the same logins (or the ones the hacker had created).

      So when he/she/they started deleting stuff, the backups also got deleted.

      Sounds like a brilliant strategy, and an epic demonstration of what can go wrong with the cloud.

      If you host your own stuff, you do your own backups. If you back up your cloud data to the cloud using the same stuff as the rest of it ... well, your backups are hardly secure, are they.

      So unless Amazon has offsite tape backups (which I highly doubt) ... they're pretty much screwed.

      I think this is about the same as backing up your hard drive to itself so you have a spare copy.

      --
      Lost at C:>. Found at C.
    2. Re:No offsite backups? by Threni · · Score: 1

      You mean if you copy "file.txt" to "file-copy.txt" in the same folder you've not performed a backup? Wow! I learned something today!

      I hope their customers get their money back! Or did the attackers copy "all our bank details.txt" as well?

    3. Re:No offsite backups? by Bengie · · Score: 2

      No, because it was all in Amazon. Who needs tape when you have the cloud, right?

      A rule of thumb that I've heard was "It's not backed up until on at least 2 different media types, at least 2 different file systems, and stored in at least 2 different physical locations".

    4. Re:No offsite backups? by Anonymous Coward · · Score: 1

      I think this is about the same as backing up your hard drive to itself so you have a spare copy.

      This is the crux of the matter... they had backups meant for accidental delete events (like copying a file you edit over to file.orig just in case you fuck it up) but that is of absolutely zero use in a malicious delete event.

    5. Re:No offsite backups? by jeffmflanagan · · Score: 4, Insightful

      >Sounds like a brilliant strategy, and an epic demonstration of what can go wrong with the cloud.

      No, it's just an example of what can happen to incompetent people. There's no reason to believe that these people would not have also failed to have offline backup with local servers. There was nothing to prevent them from keeping backups locally or on another cloud.

      Blaming cloud computing for this is completely idiotic, and about what I expect on the dumbed down Slashdot these days.

    6. Re:No offsite backups? by Anne+Thwacks · · Score: 1

      You have been short-changed.

      If it's worth money:

      Have three copies, on three media types in three locations.

      Not so sure about file systems. If you have proprietary backup software, then you will never get the data when you really need it. tar loves you!

      --
      Sent from my ASR33 using ASCII
    7. Re:No offsite backups? by Anonymous Coward · · Score: 0

      The reason the cloud is to blame is because it causes this sort of complacency. The cloud cures 99% (maybe even 99.9%) of problems at some fraction of the cost of achieving the same 99% yourself. The problem is if you actually account for the other 1% of problems the cloud does not fix, you generally are back at or above the cost of doing everything in house.

      Financial cost benefit analysis of the cloud is being done on an apples to oranges basis and this does help demonstrate that. This is an example of what additional costs need to be considered when computing how much you will save by switching to the cloud. This case study demonstrates that you need frequent, air gapped, backups that are in your physical control.

    8. Re:No offsite backups? by anolisporcatus · · Score: 1

      I agree, there always need to be multiple backups in multiple locations, especially if it is someone else's information.

    9. Re:No offsite backups? by Anonymous Coward · · Score: 0

      I'd add another requirement: to have checked that backup with an independent system. Because if your computer is encrypted with the Cryptolocker malware, then your backup has been encrypted too, as you were making it. And it would look perfectly normal until Cryptolocker deletes the private key on your machine to start the ransom process. And only then would you find your backup was unreadable. So you have to check your backup with a different machine entirely.
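      The checking discussed above (recheck hashes regularly, keep a second copy, restore from whichever copy is still good, and do the verification on a machine that did not produce the backup) can be shown in a small script. This is an added example and not code from anyone in the thread; the directory layout, the two-copy scheme and the sample files are constructed for the demonstration, and the manifest format is my own assumption. Encryption of the stored data, which the thread also calls for, is outside this example; the hashes here would be taken over the encrypted files.

```python
"""Added example: SHA-256 manifest for a backup set, independent verification
of a second copy, and repair of a damaged copy from a verified-good one."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large archives do not load into RAM


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its digest.
    The manifest is produced once, at backup time, and stored apart from the data."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(root: Path, manifest: dict) -> list:
    """Return the relative paths whose content is missing or differs from the manifest.
    Run on a machine that did NOT write the backup: if the source host was
    compromised (e.g. files encrypted as they were written), checking there proves
    nothing, whereas an independent host compares against the recorded digests."""
    return sorted(rel for rel, digest in manifest.items()
                  if not (root / rel).is_file() or sha256_file(root / rel) != digest)


def repair_from(good: Path, damaged: Path, manifest: dict) -> list:
    """Replace every failing file in `damaged` with the copy from `good`, but only
    when the good copy itself still matches the manifest (never copy rot onto rot)."""
    repaired = []
    for rel in verify_copy(damaged, manifest):
        src = good / rel
        if src.is_file() and sha256_file(src) == manifest[rel]:
            dst = damaged / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(src.read_bytes())
            repaired.append(rel)
    return sorted(repaired)


def demo() -> dict:
    """Constructed scenario: two copies of a tiny backup set (hypothetical file
    names); copy B suffers one flipped bit and one lost file. Returns a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        copy_a, copy_b = tmp / "copy_a", tmp / "copy_b"
        for root in (copy_a, copy_b):
            (root / "photos").mkdir(parents=True)
            (root / "photos" / "img001.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 1000)
            (root / "will.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        # Manifest is written once and kept separately from both copies.
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(copy_a), indent=2))
        manifest = json.loads(manifest_path.read_text())

        clean_before = verify_copy(copy_b, manifest)

        # Simulated bitrot: flip one bit in the image; simulated loss: delete the PDF.
        img = copy_b / "photos" / "img001.jpg"
        data = bytearray(img.read_bytes())
        data[500] ^= 0x01
        img.write_bytes(bytes(data))
        (copy_b / "will.pdf").unlink()

        damaged = verify_copy(copy_b, manifest)
        repaired = repair_from(copy_a, copy_b, manifest)
        clean_after = verify_copy(copy_b, manifest)
        return {"files": len(manifest), "clean_before": clean_before,
                "damaged": damaged, "repaired": repaired, "clean_after": clean_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

      The manifest is the piece that must not live only next to the data: if the same host holds the files and the only record of their digests, an attacker or a fault that rewrites both leaves nothing to compare against, which is the same "backup next to the original" problem the thread keeps returning to.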

    10. Re:No offsite backups? by nine-times · · Score: 1

      I don't think you necessarily need to back up to tapes yourself. If you backed up your Amazon stuff to Rackspace, for example, you would be protected both against someone gaining access to your Amazon account, as well as a systemic problem with Amazon. Just so long as there's nothing in your Amazon account that would allow an attacker to access your Rackspace account, that should be a pretty good solution.

      No solution is perfect. You're just looking for one that's extremely unlikely to break.

    11. Re:No offsite backups? by freeze128 · · Score: 1

      So now it's a double tragedy? Codespace doesn't have offsite backups AND Amazon doesn't have offsite backups? Shame on BOTH of them!

    12. Re:No offsite backups? by gstoddart · · Score: 0

      Blaming cloud computing for this is completely idiotic

      Now now, do try not to be such an ass.

      To me cloud computing has offered more hype than actual benefits. It allows certain kinds of risks to be turned into mere abstractions you can gloss over.

      You lose control of your data, and can give yourself the illusion of safety when there is none.

      about what I expect on the dumbed down Slashdot these days.

      Funny, smarmy assholes with 7 digit IDs and a Google+ login ID is what I expect from the dumbed down Slashdot these days.

      So it's all good.

      --
      Lost at C:>. Found at C.
    13. Re:No offsite backups? by gstoddart · · Score: 1

      You know, I've actually heard people championing cloud stuff saying "we don't need to keep backups, it's in the cloud".

      People act like the cloud is full of unicorns and rainbows, and makes all problems go away, and then they do really stupid things like this and realize that isn't the case.

      The problem is that people buy into it, and then when they realize they've made poor decisions, it's too damned late.

      It sounds like Codespace more or less created their own mess, but it's their clients who are really getting screwed.

      --
      Lost at C:>. Found at C.
    14. Re:No offsite backups? by pnutjam · · Score: 1

      maybe glacier?

    15. Re:No offsite backups? by pnutjam · · Score: 1

      one online, one backup, one archive if it's important

      Pretend you're Noah; God has commanded you to take 2 copies of all your data and put it on an ark.

    16. Re:No offsite backups? by Rakarra · · Score: 1

      "We don't need those computer guys! The cloud service will handle our IT needs, then we can get rid of our IT people."

      Except at that point you're getting rid of your IT expertise who can tell you what you actually need.

    17. Re:No offsite backups? by Rakarra · · Score: 1

      Funny, smarmy assholes with 7 digit IDs and a Google+ login ID is what I expect from the dumbed down Slashdot these days.

      Ouch! :-)

    18. Re:No offsite backups? by ZombieBraintrust · · Score: 1

      I'm sure Amazon does. It probably just costs more.

    19. Re:No offsite backups? by Anonymous Coward · · Score: 0

      No offsite backups?

      Of course they do. They just have to ask the NSA to release them!

    20. Re:No offsite backups? by afairch · · Score: 1

      about what I expect on the dumbed down Slashdot these days.

      Funny, smarmy assholes with 7 digit IDs and a Google+ login ID is what I expect from the dumbed down Slashdot these days.

      Funny, I expect the ones with 6 digit IDs...

    21. Re:No offsite backups? by david_thornley · · Score: 1

      My personal important stuff is on two computers and on Dropbox*. I figure that a legal issue that wipes out Dropbox is highly unlikely to coincide with a disaster that destroys my two home computers.

      There's nothing wrong with a cloud backup. As long as the originals aren't in the cloud. Similarly, there's nothing wrong with originals in the cloud - as long as you've got a local backup.

      *If the NSA looks at what I've got on Dropbox, they're using time and resources they could be using to pry into something somebody else wants to keep private from them. I'm providing a very small public service here.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    22. Re:No offsite backups? by thejynxed · · Score: 1

      In this day and age of ransoming extortionists, folding companies, and natural disasters, you better have the paranoid amount and never do fewer than 6 backups.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    23. Re:No offsite backups? by I'm+New+Around+Here · · Score: 1

      Watch your back. There's still double and triple digit IDs floating around here. Someone may yell at you to get off their lawn. :^)

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    24. Re:No offsite backups? by I'm+New+Around+Here · · Score: 1

      No, you do Save As..., and add a number at the end of the filename. That's how the pros do it.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  10. MS by Anonymous Coward · · Score: 0

    ah a hotmail account

    Like MS will not give up the IPs that accessed that account...

    Someone is going to jail...

    1. Re:MS by Anonymous Coward · · Score: 0

      You mean the IP of the pawned access point? It's probably your mother's.

    2. Re:MS by lucm · · Score: 1

      That jail must be very crowded with all the Nigerian scammers and fake craigslist landlords who use hotmail to scam people.

      --
      lucm, indeed.
    3. Re:MS by dale.furno · · Score: 1

      Any self respecting bassmint dweller would not have used their home network to do this.

    4. Re:MS by Anonymous Coward · · Score: 0

      ah a hotmail account

      Like MS will not give up the IPs that accessed that account...

      Someone is going to jail...

      Unfortunately the person going to jail won't be the attacker because the police will not make the case a priority. There is no child exploitation, terrorism claim, or national security interest at stake. But lo and behold, the police will drop a bomb on anyone trying to release pay-walled research papers. The cloud company should request the IP address of the person's email account and initiate a bloodbath civil litigation case which seeks not only restitution but will ensure the attacker never touches anything again after the court orders his hands and eyes removed. Justice frontier style.

    5. Re: MS by Anonymous Coward · · Score: 0

      I doubt very much the IP address hotmail has on file, or those present in mail headers, means anything. Unless the greedy script kiddie was completely clueless, she would have accessed hotmail from a proxy, via a compromised innocent third party, and after that wiped the system of that third party. Of course they need to look at it, but the likelihood of finding the pasty faced juut is small.

    6. Re:MS by sexconker · · Score: 1

      Any self respecting bassmint dweller would not have used their home network to do this.

      Basement dwellers don't leave the basement.
      Basement dwellers are self-loathing, not self-respecting.
      Basement dwellers use their own network to connect to proxies, which just makes it more of a pain in the ass to trace back.
      Extreme basement dwellers will use other means of accessing a separate network - a cantenna pointed at a neighbor's house, a spliced line, whatever. This just means the cops track down the victim, figure out they're not computer literate, and ask "Any people who could have done this?" and learn about the freak in the neighbor's basement.

      Hackers don't get caught because law enforcement doesn't care.
      When the cops, the government, or a corporation cares, hackers get caught or disappeared.

    7. Re:MS by Anonymous Coward · · Score: 0

      You would think that, but I've seen a surprising number of DoS type attacks that come from a single IP address, once that IP address gets blocked as a simple fix, they repeat the DoS from some proxy and/or try something more advanced. In a couple cases where the original IP address was from a university campus, their IT department is not too happy and quickly finds both original DoS and a connection to the proxies coming from a single dorm room...

    8. Re:MS by Anonymous Coward · · Score: 0

      You have misdiagnosed the situation. This is real money here form an actual company. If they are a publicly traded company they have a board of directors. If the board of directors sit on multiple boards (as many do) that means they are actually PEOPLE WHO MATTER. In that case expect to see various police organizations at various local and national levels mobilized to combat thsi great threat to the PEOPLE WHO MATTER...um I mean national security and puppies and kittens everywhere.

      Or this could just be a group of geeks in over their heads in a wholly owned private company, which means they'll get the police support that you said.

    9. Re:MS by Anonymous Coward · · Score: 0

      I used to think that. But many times people are not that smart.

      Your 919 scammer is not so easy to trace. But someone who made a hotmail account usually screws up and ends up using it from a known ip. Or connecting to a proxy that I find a way to own myself.

      I have sent more than one cease and desist letter from my lawyer to people who think the internet is anonymous. 99% of the time they are that dumb. Most of the time that is enough to scare them off and I don't have to involve the police.

      Changing the password would not have been my first choice as that seems to incense people to become malicious. I usually isolate then fix.

    10. Re:MS by Anonymous Coward · · Score: 0

      an extreme basement dweller would be behind 7 proxies

  11. EC2 by Anonymous Coward · · Score: 0

    I still don't get the logic of running your business in the cloud as a company. Sure it makes sense when you're small and it gives you global presence with no investment, but people don't realize how much security / freedom they give up doing this. And EC2 ensures it will cost a lot to move out of their space. Good luck with the founders of Code Spaces. Glad I didn't put my repo there.

    1. Re:EC2 by Richy_T · · Score: 1

      The trade-offs can be really good even for a large company. It has to be done right though and many companies don't even do their local IT properly.

    2. Re:EC2 by tibit · · Score: 1

      I don't know what kind of magic sauce would allow one to have "IT in the cloud" setup. Windows clients with roaming profiles quickly get to be a drain even on a gigabit network. Even without a roaming profile, anything that isn't the boring old secretarial style work will require a decent bandwidth. Most media work or CAD work can't really be done over your typical cable internet. Those who would most benefit from an "IT in the cloud" type of a service - small businesses - really can't afford having gigabit links to their premises. Neither do I think that the bandwidth from any particular Amazon instance is where it needs to be. Does Amazon run their instances on machines/blades with 10Gbit links?

      --
      A successful API design takes a mixture of software design and pedagogy.
  12. MS by Anonymous Coward · · Score: 0

    yes, because using a proxy to access hotmail is the most difficult thing ever...

  13. If your operation is compromised, shut it down by Anonymous Coward · · Score: 4, Insightful

    The guys behind Code Spaces should be issued a citation for Operating While Pwned. If you know admin access is compromised, shut it down out-of-band.

  14. A Cloud backup of Cloud data is not a backup by Anonymous Coward · · Score: 0

    I assume that this is probably becoming a relatively common practice, but, to me, if it is not reliably written on offline physical media of which I have control, it is not a backup.

  15. So what to do about it by bugs2squash · · Score: 1

    Presumably when they realized that the attacker had access to their control panel they shoulda coulda (yes I know I hate that too) called Amazon and had them shut everything down until order could be restored.

    --
    Nullius in verba
  16. backups deleted? by Anonymous Coward · · Score: 0

    Yeah, that is what I was wondering. Did the hosting company have offline backups? Too expensive to implement? Too time consuming to copy gigabytes of data to an off-line storage disk? Just asking.

  17. The dog ate my homework. by Thanshin · · Score: 3, Insightful

    I must be a cynic but my first reaction is to think:

    1 - Create cloud based system.
    2 - Sell subscriptions for hundreds of $.
    3 - Announce hacker attack!
    4 - Profit.

    1. Re:The dog ate my homework. by Anonymous Coward · · Score: 0

      I must be a cynic but my first reaction is to think:

      1 - Create cloud based system.
      2 - Sell subscriptions for hundreds of $.
      3 - Announce hacker attack!
      4 - Profit.

      Yeah but you are forgetting

      5 - The law firm of Lawyer, Lawyer, and Lawyer.

    2. Re:The dog ate my homework. by Anonymous Coward · · Score: 0

      Hardly. It seems it was a monthly recurring pricing model...

      https://web.archive.org/web/20140328015841/http://www.codespaces.com/pricing

    3. Re:The dog ate my homework. by Anonymous Coward · · Score: 0

      Since they are apparently refunding all the customer's money for their subscriptions, I don't think there is going to be much profit involved.

    4. Re:The dog ate my homework. by Megane · · Score: 1

      I particularly like the bit about "real-time backup". Backup to where, exactly? If it's "real-time", it's probably not to something off-line like tape, and may even be just a filesystem that keeps old versions around.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    5. Re:The dog ate my homework. by Anonymous Coward · · Score: 0

      It's all past profit where they got to basically lie to people and it never mattered.

    6. Re:The dog ate my homework. by Anonymous Coward · · Score: 0

      Don't worry, I'm sure there will be lawsuits.

  18. Not a Great Response by Edrick · · Score: 5, Insightful

    If you're a hosted site with important data and your site is compromised, the first & best move is to cut the cord immediately. Contact Amazon (or whomever is hosting the data) and get all access shut down instantly and immediately, thereby ending the attacker's ability to do anything further. This will cause an outage, but at least everything is safe.

    Working with Amazon, they can create a new account, give it a strong password, and begin cleaning up the mess with the new account (which the hacker will be unaware of). Now they can, at their own leisure, change passwords, administer accounts, delete crap created by the hacker, etc... Trying to outpace a professional hacker at their own game is a gamble that isn't worth it---especially if no offsite backups exist!!!

    Lastly, they should be forwarding all of the email/attacker info to Amazon, Microsoft (Hotmail), and to the authorities. Whether they can be caught or not is up in the air, but odds are almost certain that this attacker has hit other sites and would eventually have different cases correlated to each other.

    Safety & security of data is #1, fixing damage caused is #2, and accountability is #3. Securing the site against future attacks is part of #3---there's no reason to put the site up (or leave it up) and risk further attacks, thereby risking data loss or a security breach.

    1. Re:Not a Great Response by jader3rd · · Score: 2

      Contact Amazon (or whomever is hosting the data) and get all access shut down instantly and immediately, thereby ending the attacker's ability to do anything further.

      But what if the attacker is the one contacting Amazon to shut down everything? Do you want your business shut down by random teenagers calling Amazon, telling them to shut everything down?

    2. Re:Not a Great Response by Anonymous Coward · · Score: 0

      If you're a hosted site with important data and your site is compromised, the first & best move is to cut the cord immediately. Contact Amazon (or whomever is hosting the data) and get all access shut down instantly and immediately, thereby ending the attacker's ability to do anything further.

      How do you propose Amazon distinguishes between the owners and the hacker impersonating them, once the hacker has obtained their logins and passwords?

    3. Re:Not a Great Response by Nemyst · · Score: 4, Insightful

      If the attacker has access to the financial details used by the company to pay for the hosting, which is generally how you can authenticate people safely, you have much bigger problems.

    4. Re:Not a Great Response by Anonymous Coward · · Score: 0

      Hotmail doesn't give two shits what people did with their service. Neither does google. That's why people use them for throwaway email accounts to harass people on the internet.

    5. Re:Not a Great Response by drinkypoo · · Score: 1

      How do you propose Amazon distinguishes between the owners and the hacker impersonating them, once the hacker has obtained their logins and passwords?

      The same way literally everyone else on the planet does it, by verifying the billing information.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Not a Great Response by Oligonicella · · Score: 1

      Which - for the benefit of the buffoon you're responding to - is kept by Amazon and is out of reach, unless the subscribers are beyond abysmally stupid and had files with said information in blatant view on their cloud, making them culpable again.

    7. Re:Not a Great Response by T.E.D. · · Score: 1

      Working with Amazon, they can create a new account, give it a strong password, and begin cleaning up the mess with the new account (which the hacker will be unaware of). Now they can, at their own leisure, change passwords, administer accounts, delete crap created by the hacker, etc...

      I'm missing something. In order for you to use that nice new account with the strong password, Amazon is going to have to connect your data servers back up with the internet, right? And the instant they do that, the hacker has all their access restored too, right? What's stopping them from immediately changing this new account's password to something they know? Or deleting it? Or doing all sorts of other nasty things before you discover each and every hidey-hole they made for themselves?

      Really, I don't see how you can clean up an attack in real time with the network up without it turning into a game of corewars (which your side is not likely to win).

    8. Re:Not a Great Response by FilmedInNoir · · Score: 1

      That seems logical and intelligent, so I'm going to suggest two possibilities.
      Either the people running Code Spaces are morons or they cooked up this hacker story to cover their tracks because of something else.
      Either, again that they screwed up because they are morons, or that they are hemorrhaging money and wanted to shut down.

      --
      Sig. Sig. Sputnik
    9. Re:Not a Great Response by guruevi · · Score: 1

      The billing information is most likely right there in the control panel in order to make your cloud payments. It was stupid of them to not anticipate this attack but a lot of companies are vulnerable to this.
      - Imagine this happens with an Amazon/Microsoft/Google... admin account; they could blow away entire data centers
      - Imagine this happens to someone's Office365 hybrid account - now they not only have access to your Cloud products but also your linked local Exchange servers

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    10. Re:Not a Great Response by Fruit · · Score: 1

      But what if the attacker is the one contacting Amazon to shut down everything? Do you want your business shut down by random teenagers calling Amazon, telling them to shut everything down?

      Well, at least you'll still have your data.

  19. shut down immediately and lock up by stenvar · · Score: 1

    If someone has penetrated your system so that they have root or admin privileges over all your machines, you shut down immediately. In the physical world, you pull the plug. On Amazon, you immediately tell Amazon to lock things down, disable all passwords and administrative control, and then work back up to fixing things.

    1. Re:shut down immediately and lock up by tlhIngan · · Score: 1

      If someone has penetrated your system so that they have root or admin privileges over all your machines, you shut down immediately. In the physical world, you pull the plug. On Amazon, you immediately tell Amazon to lock things down, disable all passwords and administrative control, and then work back up to fixing things.

      But that's so 20th century! I mean, in the 21st century, if you can't do everything yourself without having to deal with another human being, then it's broken! Interacting with other humans is so... icky.

    2. Re:shut down immediately and lock up by Anonymous Coward · · Score: 0

      Does Amazon have a safe word so they know the request is legit?

    3. Re:shut down immediately and lock up by klode · · Score: 1

      I have vague memories of a case from a long time ago, where an attacker had put some sort of data encryption in place with the key only in memory. Assuming that memory isn't from a fever dream...

      1) While the system was up and running, data could be copied to/from the server in unencrypted form.
      2) Pulling the plug meant losing access to the data, because it meant losing the encryption key to the on-disk information.

    4. Re:shut down immediately and lock up by Lab+Rat+Jason · · Score: 1

      My safe word is "Apples."

      --
      Which has more power: the hammer, or the anvil?
    5. Re:shut down immediately and lock up by stenvar · · Score: 1

      Well, you look at all the possible risks of each of your actions and then make the best decision. That kind of attack is unlikely compared to many others, so you're better off shutting down.

  20. Picard and Dathon at El-Adrel by Thud457 · · Score: 1
    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  21. Ahahahahaha. by Anonymous Coward · · Score: 0

    I arrived on the Internet in 1994 and took part in developing a couple of well-known web sites. I loved the idea of a network empowering individuals to both control and share their data rather than relying on some big mainframe company. "Peer-to-peer" wasn't just a technical achievement, but a social achievement.

    As "the cloud" emerged, I decided to pack my shit up and move to another career. I don't even begin to understand how billions of dollars are invested into this retrograde leap.

  22. The cloud by Anonymous Coward · · Score: 3, Funny

    Normally things form clouds AFTER going up in smoke. With the 'new technology' it is the opposite.

  23. Facking Idiots by l0ungeb0y · · Score: 4, Interesting

    Not providing for your own OFFLINE BACKUPS is a reckless oversight of such magnitude that I am entirely incapable of having sympathy for these asshats. We need a few examples such as these to serve as cautionary tales for those who think the Cloud is the answer to everything.

    1. Re:Facking Idiots by iggymanz · · Score: 2

      nothing to do with being cloud based or not, just proper attention to good systems operations practices was lacking.

      even not doing the obvious and blocking all newly created accounts after certain time is just incredibly irresponsible.

    2. Re:Facking Idiots by locotx · · Score: 1

      Well there is something wrong when people believe "the cloud" is the solution. It's a misinterpretation of a concept applied. I think the marketing push for "cloud" services being sold as an end-all solution for backups, security and data storage gives off the feeling from the early 2000's where websites were being sold for all the things they could deliver, which they didn't. So to say it has nothing to do with "cloud based", I agree from the technical side, but I disagree from the "cloud" concept and marketing pitch side.

    3. Re:Facking Idiots by Anonymous Coward · · Score: 0

      The definition of "good operating habits" is not universally shared. Here on Slashdot, where 90% of the userbase does not work in the industry, but loves to play Monday Morning quarterback, you're not taking care of your data unless you have an entire storeroom full of wax cylinders showing audits of every person's file edits on a bi-minute basis. This storeroom, of course, is laced with thermite in case of physical hacker attack or your off-site backup facility experiences a siege from Mongol warlords attempting to read customer data. The thermite, is, of course, triple salt hashed on its own operating system with over 700 user accounts per potential detonator and none of them have admin rights.

      Then AND ONLY THEN, can your grandmother start her antique business with accompanying kitten-gif-laden website that shows inventory but does not track sales.

    4. Re:Facking Idiots by Anonymous Coward · · Score: 0

      These guys sound like they are just cloud resellers. Looks like a lot of $10 type hosting outfits with a lot of style on their page to upsell grandma on a place to put her new domain. In other words they didn't really care aside from riding something hot. "These asshats" won't suffer much (probably already have multiple companies with different names or will just change names and are already restarting) but some of their users probably will.

    5. Re:Facking Idiots by Rakarra · · Score: 1

      nothing to do with being cloud based or not, just proper attention to good systems operations practices was lacking.

      I thought a big "plus" of the cloud was that you could fire your IT staff because all these concerns were the cloud providers now, not yours.

    6. Re:Facking Idiots by iggymanz · · Score: 1

      but here we're talking about cloud staff being incompetent

  24. Secure. Responsive. 24/7/365. the Cloud. by swschrad · · Score: 1

    and our admin password is "letmein"

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  25. Git by blackiner · · Score: 5, Interesting

    This is why git is such an effective code hosting solution. Everyone who has cloned the repository is a potential backup copy.

    1. Re:Git by JigJag · · Score: 2

      Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)

              Torvalds, Linus (1996-07-20). Message. linux-kernel mailing list. IU. Retrieved on 2014-04-26.

      I guess we should update that quote and replace ftp with git

      --
      "The hallmark of humanity is the ability to move beyond sensory inputs" - Mary Helen Immordino-Yang
    2. Re:Git by 140Mandak262Jamuna · · Score: 1

      Why git? Even ClearCase snapshot views are full copies of the repository. (Granted, snapshot views don't have history in themselves and levels of rollbacks will be limited.) Almost all the source control systems that clone the source repository create full backups. Of course git is much nicer and has replicated history as well.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:Git by sjames · · Score: 1

      Well other than "Of course git is much nicer and has replicated history as well", anyone can afford git.

    4. Re:Git by david_thornley · · Score: 1

      And, unlike ClearCase, git is actually reasonably easy to use for what it does.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    5. Re:Git by Anonymous Coward · · Score: 0

      Because if you don't use Git, you're a git. Git it?

  26. wrong order? by roc97007 · · Score: 1

    Someone else mentioned having offline backups, so I won't belabor that. But once they knew they were compromised, perhaps a smarter thing to do would have been to contact the service provider and take countermeasures (ask for a snapshot of the site as it was, examine and disable accounts, change admin passwords, perhaps contact authorities) before reaching out to the perp. I'm not sure reaching out to the perp was a good idea in any case.

    For a while I hosted a number of websites from a rental space, and I did get compromised once (security hole in a popular web admin tool). As soon as I detected it, I drove to the physical site, unplugged the server from the internet, and worked from the console. It occurs to me that this might be a difficult strategy to implement with cloud services.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:wrong order? by Anomalyst · · Score: 1

      a difficult strategy to implement with cloud services.

      Any competent hosting provider has a TCP/IP KVM in their datacenter. They hook it up, give you a password and the IP address and you have console access. $500 worth of hardware, money well spent, I'd say.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    2. Re:wrong order? by roc97007 · · Score: 1

      a difficult strategy to implement with cloud services.

      Any competent hosting provider has a TCP/IP KVM in their datacenter. They hook it up, give you a password and the IP address and you have console access. $500 worth of hardware, money well spent, I'd say.

      That really depends on the implementation. It's my understanding that cloud hosting leans heavily on VM, meaning your actual servers are unlikely to be physical. What the "console" means in this case could be problematic, as the "console" is not physical and is generally available in some fashion over the network. The cloud service is unlikely to give you direct access to the host machine's console, because the machine may be (probably is) hosting for several unrelated customers.

      What you're describing is what's used in small current installations (smaller than the huge datacenters typical of cloud services) or really old machine rooms. A competent hosting provider wouldn't be pushing a crash cart around -- they would have built "console" access into the infrastructure; using a hardware or software solution as appropriate.

      The point being, if the owner could get to the machine's console from the outside, so, potentially, could the perp. Again, depending on implementation.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  27. backup training by tommyatomic · · Score: 1

    So these guys apparently had no training on proper backup policies and procedures.

    This is definitely a training issue. Clearly no one taught them how to do proper backups or even what a proper backup policy should look like.

    I feel bad for them, but at the point that they have done nothing to protect themselves I cannot bring myself to feel too bad.

    Why does no one take their backups offsite anymore or backup to a NAS device that backs itself up to something that can be taken offsite?

    Backups Backups BACKUPS!!!

  28. wtf... stuff evaporated! by Anonymous Coward · · Score: 0

    looks like someone got fired and was pissed!

    i bet they didn't read http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html when creating their accounts, so pissed ppl still had access ....

    Now things have "gone away" .... go figure ....

    ofc, this may or may not have been the problem.

  29. RTFM by Anonymous Coward · · Score: 0

    http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#lock-away-credentials

  30. Contact Amazon to lock entire account by Anonymous Coward · · Score: 0

    Why didn't they first contact Amazon to lock everything down and reset all the passwords?

    Also, STOP USING THE SAME PASSWORD FOR EVERY WEBSITE

  31. No offline backups? by krelvin · · Score: 1

    Seriously.... no offline backups? Not a real business in that case.

    1. Re:No offline backups? by Anonymous Coward · · Score: 0

      So in your ignorant black and white Republican world, what other things make a business "not a real business?" Hiring blacks? Trying for diversity? Not sexually harassing women? I know your kind hates men that don't harass women. That is the way of your kind. It is embedded deep in your culture. It's so deep that it is a great reason for any business that wants to be successful to never hire a white male. They're just toxic. They can't get past their violent, sexist, and racist beliefs. Just as they gleefully did the Holocaust, they are still continuing that white tradition. They invented slavery, and there are now twenty times as many slaves as there were when the blacks in the US successfully fought to make it illegal. The whites just didn't stop with their actions.

      If this company had been smart enough to not hire a white person to be in charge of backups, they would probably still be in business. Instead, the white people are so racist and consider themselves so superior, they won't even do back things like make reliable backups. Their culture makes them unsuitable for any sort of operations position.

  32. Could Amazon have handled it better? by Max+Threshold · · Score: 1

    Instead of trying to take back control themselves, shouldn't they have contacted Amazon and let them handle it? Perhaps they could have frozen the entire account, locking out both the rightful owner and the attacker, until things were sorted.

    1. Re:Could Amazon have handled it better? by thejynxed · · Score: 1

      They should have tracked down who was responsible, and had a baseball bat liberally applied to their kneecaps.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  33. We have Bunnie. Gather one million dollars... by steak · · Score: 1

    This is a bummer, man.

    1. Re:We have Bunnie. Gather one million dollars... by Megane · · Score: 1

      Oh noes! Now I won't ever be able to get a Novena laptop!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  34. Additional Evidence by Anonymous Coward · · Score: 0

    Is there additional evidence that this is what happened, or is the only narrative the one on Code Spaces' homepage?

  35. Use Git by stewsters · · Score: 1

    This is why distributed version control is important (git/mercurial), even if you think SVN is easier. Sometimes your remote server will disappear, whether it's hackers, fires, or someone forgot to pay the bill.

  36. Competitors? by Anonymous Coward · · Score: 0

    What other services can former customers go to for SVN and issue tracking services?

    1. Re:Competitors? by Anonymous Coward · · Score: 0

      Atlassian?

  37. Cloud as an example of a bad infrastructure design by Anonymous Coward · · Score: 0

    Any business infrastructure that has data of any value on the cloud is fundamentally flawed.
    1) data can be tampered with (NSA, blackhats, competitors)
    2) data can be lost
    3) data can be stolen and/or misused.
    4) access can be denied.
    5) cloud company may deny access to data for either their own purposes or governmental purposes.
    The first rule of security is physical security; if you don't control physical security you don't *have* security.
    Period.

  38. This must be where IRS stored backups by Culture20 · · Score: 4, Funny

    This must be where the IRS stored backups of emails.

  39. Messed up, not hacked by Anonymous Coward · · Score: 0

    The only sensible thing to do would of course be to pull the plug and have Amazon reset admin controls for them. I think they messed up and are trying to cover up with the good old hacker excuse.

  40. Now what? by Anonymous Coward · · Score: 0

    What are better services which former CodeSpaces users can go to?

  41. Re:Secure. Responsive. 24/7/365. the Cloud. by FictionPimp · · Score: 4, Funny

    My password is "invalid" so when I type it wrong I get a message: "Your password is invalid."

  42. Not so easy with a corporate network... by ZeroPly · · Score: 1

    Our offsite backups are put in a metal box and taken offsite. Unless you plan on hijacking a truck, it's a lot harder deleting our data than using a nice control panel on the web.

    --
    Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
  43. I have no pity by cyberspittle · · Score: 1

    So, after getting blackmail email, first course of action was to take matters into your own hands? The Cloud is just a tool to allow us to be tracked online. I'm going back to dial up and UUCP to select individuals in similar configuration. He he he

  44. Site gap, not air gap by mcrbids · · Score: 1

    IMHO:

    1) Backups that don't get done automatically often don't get done regularly, so they should be automatically performed via scripts.

    2) Offline isn't as important as offsite. Buildings catch fire, get flooded, disappear into sink holes, get hit by falling jet airplanes.

    3) Security matters. Paranoia should be the order of the day.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  45. Just unplug the server by grimmy · · Score: 2

    ....oh never mind.

  46. No regular backups? by xenobyte · · Score: 1

    Nothing copied elsewhere or onto tape? - Guess not. The cloud is SOOOO secure...

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    1. Re:No regular backups? by ttucker · · Score: 1

      They probably were not even using the MFA provided by Amazon. It is kind of shitty to blame hosting providers for clients that do not even perform the bare minimum of suggested best practices.

  47. Re:Secure. Responsive. 24/7/365. the Cloud. by zlives · · Score: 1

    this changes everything, well at least my default password

  48. Picard and Dathon at El-Adrel by Anonymous Coward · · Score: 0

    Lord Kril at Rylos. [imdb.com]

    Amazon, when the firewalls fell.

  49. Re:Secure. Responsive. 24/7/365. the Cloud. by Anonymous Coward · · Score: 0

    My password is "invalid" so when I type it wrong I get a message: "Your password is invalid."

    And it shows you your password in plain text? Well, that's not very secure. I'd suggest at least changing your password to ******* so that it's obscured.

  50. HA HA! by Anonymous Coward · · Score: 0

    They and their customers got exactly what they deserved. Backups connected to the internet? How stupid can you be?? What a bunch of dumbasses!

  51. Full Circle by Anonymous Coward · · Score: 0

    1950s - IBM, Bell, Big gov't = Centralized, government and institutional.
    1980s - MIT, Apple, HTTP, Internet, WWW = Decentralized, knowledge everywhere. Hacker = one who creates
    2010s - Google, Amazon = Centralized "cloud". Hacker = one who destroys

    Is it me, or are we reverting?

    1. Re:Full Circle by viperidaenz · · Score: 1

      You forgot to put Apple in the centralised category too.
      HTTP, Internet and WWW didn't exist in the 80s either.

    2. Re:Full Circle by david_thornley · · Score: 1

      The Internet existed in the 80s, and was descended from a 70s project. HTTP and the WWW came later.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    3. Re:Full Circle by viperidaenz · · Score: 1

      It wasn't anything like what it is today until 1989 when BGP was introduced and the last of the centralised routing was removed when ARPANET was decommissioned in the early 90's

      The term "internet" was short for "inter-networking" and described any situation where two or more networks were connected.

  52. Poor response. by viperidaenz · · Score: 1

    Would the correct response not have been to contact Amazon and have them immediately suspend all access and reset the passwords for them?

    1. Re:Poor response. by RGRistroph · · Score: 1

      Amazon doesn't normally do that -- they just rent the (virtual) servers; the dashboard and other software including the OS would have been installed by the customer. At most they might reboot or shutdown and restart a machine... but they provide a self-serve API to do that, so probably not even that.

      Unless the access involved the attackers getting the AWS account credentials, I don't think there's much Amazon could do.

  53. Re:The cloud ; how would a good admin handle this? by volvox_voxel · · Score: 1

    Out of curiosity, let's say you find yourself in the same position where you have a hacker/hackers with multiple accounts, and you want to change passwords, etc. How would you lock the system down so they could not do damage in this case? Is there a way to quickly purge all unknown users? Could they have spoofed known good users? Is it possible to blow everyone else away except for the administrator, and reference an older archive of users? I'm very curious about how you could safely contain such a contagion.

    Also, let's say you do have an off-line back-up, but you have a situation where a hacker has access to the usernames and passwords because they somehow got root access. How do you protect all their data once you decide to turn back on-line? Do you send out notice to all your users over their email accounts?

    I'm curious about how admins deal with this in the real world.

  54. Good read by Anonymous Coward · · Score: 0

    This article and its comments give me an idea for a story for my Shadowrun game. Thanks.

    Trolls attack the City! The police blame the population for living in a city in the Trolls' war path.

  55. Re:The cloud ; how would a good admin handle this? by Anonymous Coward · · Score: 0

    They just changed the root AWS account password. They apparently didn't bother to check the IAM section where other user accounts can be created. They would have been clearly displayed there and could have been deleted.

    The whole operation was probably run by one guy. They could have purchased a DDoS protection service and changed their DNS record(s). Done. They were just in over their head.

  56. A case for tape backup. by bjgreenberg · · Score: 1

    If you've never heard of the many cases for tape backup, here it is.

  57. That's not a backup by dutchwhizzman · · Score: 1

    Sorry, but a backup is something you keep *off line* for a good reason. This is a near-line copy, possibly at another site we're talking about here.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:That's not a backup by L4t3r4lu5 · · Score: 1

      Not necessarily. I have a very limited budget, but even I manage to have both online and offline backup. There is a weekly full backup of all data and daily incremental backups to NAS devices on the network. Monday of every week, I copy the full backup done over the weekend to an encrypted USB drive and take it home. Two of these drives rotated weekly ensures there's always a backup off site, and it being encrypted satisfies data protection requirements. On-line backup is good for file recovery, off-line if there's a serious disaster.

      The whole lot costs less than £1000 including software, and isn't particularly complicated. I don't see any reason for this kind of breach to cause loss of so much data unless there were some extremely incompetent people involved.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  58. better businesses prepare for disasters by Chirs · · Score: 1

    Nobody is saying they were legally responsible to prevent crime.

    People *are* saying that they were poor businessmen who didn't plan for disasters. (What if the cloud provider failed catastrophically, or they lost all the passwords, or any number of other catastrophic events?)

  59. distinction between managed and unmanaged by Chirs · · Score: 1

    With managed hosting, the provider handles support, backup/restore, etc. Typically with "the cloud" the resources are unmanaged. The end-user is responsible for all of that stuff.

    I don't believe Amazon themselves offer managed services, but there are lots of other companies that will sell you managed services built on AWS.

  60. Re:Secure. Responsive. 24/7/365. the Cloud. by Calydor · · Score: 1

    Dammit. Time to update my password to hunter3.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  61. Obligatory by Anonymous Coward · · Score: 0

    Hahahahahaha--[gasp, gasp]--Bahahahahaha!

  62. cloud computing by Anonymous Coward · · Score: 0

    Enjoy it, dumb asses.

    Serves them right for being such silly dicks.

  63. Common Security Practise by muphin · · Score: 1

    I believe the owner of the EC2 had 1 single account (root account) when he should have set up 2 factor authentication for such an account and then created separate accounts; this would have prevented his issue using the security policies AWS has in place....
    AWS is always targeted and being reliant on a single account for security is negligent.
    So you people out there that use AWS, PLEASE don't use the default account, secure it with 2 factor and then create individual accounts for the services, using security policies to allow communication between each other. - from an AWS certified engineer :)

    --
    It's not a typo if you understood the meaning!
    1. Re:Common Security Practise by Anonymous Coward · · Score: 0

      Actually, first set up multiple accounts and then turn on 2 factor authentication one account at a time... in case something goes wrong during account alteration.

  64. AWS HA and 2FA by mrklamarr · · Score: 1

    Bit of a shame Code Spaces weren't geared up with some AWS HA configuration; hoping companies take note of this attack and how to limit the risk to their organisations. A simple AWS CLI command could have been implemented here to force all IAM accounts to read-only access until AWS could be involved. Also the master and all IAM accounts should have 2FA enabled to stop this happening.
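
The IAM containment step that comments 55, 63 and 64 describe (look at the IAM user list rather than just the root password, check who has MFA, and pin every IAM user to read-only until the provider is involved), worked through as an added example. This is not code from any commenter or from AWS; it models the `aws iam list-users` / `list-mfa-devices` output offline with constructed, hypothetical user names and account id, and it emits the `aws iam` CLI commands rather than running them.

```python
import json

# Constructed sample of what `aws iam list-users` plus
# `aws iam list-mfa-devices --user-name <name>` would return, reduced to
# the two fields we need. User names and the account id are hypothetical.
SAMPLE_USERS = [
    {"UserName": "alice", "MfaDevices": ["arn:aws:iam::123456789012:mfa/alice"]},
    {"UserName": "bob", "MfaDevices": []},
    {"UserName": "deploy-bot", "MfaDevices": []},
    {"UserName": "support-tmp", "MfaDevices": []},  # nobody on the team made this
]
KNOWN_USERS = {"alice", "bob", "deploy-bot"}  # the team's own inventory


def triage_iam_users(users, known_users):
    """Compare the live IAM user list with our inventory: any user we did not
    create is suspect, and any user without an MFA device is a weak spot."""
    unexpected = sorted(u["UserName"] for u in users if u["UserName"] not in known_users)
    no_mfa = sorted(u["UserName"] for u in users if not u["MfaDevices"])
    return {"unexpected": unexpected, "no_mfa": no_mfa}


def lockdown_policy():
    """Inline IAM policy: an explicit Deny on every action NOT in the read-only
    list. An explicit Deny overrides any Allow the user already holds, so
    attaching it pins that user to read-only regardless of other policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "IncidentReadOnly",
            "Effect": "Deny",
            "NotAction": ["ec2:Describe*", "s3:Get*", "s3:List*",
                          "iam:Get*", "iam:List*"],
            "Resource": "*",
        }],
    }


def lockdown_commands(users, known_users, policy_name="incident-readonly"):
    """Emit (not execute) the aws-cli commands for containment: revoke console
    login for users we do not recognise, then pin every user to read-only.
    Run them from a separate MFA-protected responder identity that is not
    itself in `users`, or the Deny will lock the responder out as well."""
    triage = triage_iam_users(users, known_users)
    doc = json.dumps(lockdown_policy(), separators=(",", ":"))
    cmds = [f"aws iam delete-login-profile --user-name {n}" for n in triage["unexpected"]]
    for u in users:
        cmds.append(f"aws iam put-user-policy --user-name {u['UserName']} "
                    f"--policy-name {policy_name} --policy-document '{doc}'")
    return cmds
```

Access keys need the same treatment as console logins (`aws iam list-access-keys` then `update-access-key --status Inactive` for unexpected users); that step is left out here for brevity.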

  65. Re:The cloud ; how would a good admin handle this? by Enigma2175 · · Score: 1

    Also, let's say you do have an off-line back-up, but you have a situation where a hacker has access to the usernames and passwords because they somehow got root access. How do you protect all their data once you decide to turn back on-line? Do you send out notice to all your users over their email accounts?

    I'm curious about how admins deal with this in the real world.

    If a hacker can recover plaintext passwords by compromising your admin account you have failed as an admin. The most they should be able to recover is a (hopefully salted) password hash.

    --

    Enigma

  66. Call amazon by Anonymous Coward · · Score: 0

    Why didn't they call Amazon so Amazon could shut down their servers and help them gain access and change passwords? They should have realized they could not win the war and realized the data was in serious danger. They gave the attackers too much time while they were trying to get it back...

  67. Hanlon's razor by mikeroySoft · · Score: 1

    "Never attribute to malice that which is adequately explained by stupidity."

  68. Idiots! by Anonymous Coward · · Score: 0

    If you want secure AWS clusters, you DO NOT rely upon passwords - you require the use of multi-factor authentication as well. Without the appropriately keyed MFA device (physical or virtual), your password alone will not get someone into the system. I managed multiple EC2 clouds for several years and this is something I am very familiar with. An MFA device used in this way is very hard to duplicate. Yes, a virtual MFA device (usually a cell-phone application) can be pwnd if the user is careless and gets a serious infection, but it isn't simple to do.

  69. Back To Where They Were by Anonymous Coward · · Score: 0

    Code Spaces ended their explanatory comment with, "We hope that one day we will be able to and reinstate the service and credibility that Code Spaces once had!" Don't these people understand what they "once had" was an illusion? They had best NOT get back to the disastrous state of what they "once had". What they had better do is create something better and more secure. But given their stated goal is to get back to where they were, it seems to me they are utterly and totally lost. Who will trust them again ... ever?

  70. Microsoft Danger v2.0 by Mondor · · Score: 1

    This reminds me of the cloud service of Microsoft, called Danger. It died the same way - they simply lost all customer information, with no backups made (and, actually, the size of a full backup could be less than 1Tb).

    In my humble opinion, these people are too lame to stay in business. Having offline backups couldn't be the only problem of their service. As I can conclude from the article, they also had problems with security and lack of common sense and strategic thinking.

    https://en.wikipedia.org/wiki/...

  71. AWS support by yacc143 · · Score: 1

    That makes one wonder why these gits did not call AWS support to have their account completely locked down first?

  72. Password Security by Anonymous Coward · · Score: 0

    The summary fails to mention the initial breach was due to the attacker being able to login with an administrator password. That, and apparently their hosting service does not allow for restoring from an image.

  73. Welcome to Reality! by rea1l1 · · Score: 0

    Yes, you do have to account for yourself, but the exception is honest naivety.

    It is everyone's responsibility, including the victim's, to ensure their own safety in this dangerous world, because ultimately we're all alone here. If you haven't yet realized this very real truth then now would be a great time. If you have a power in this world you also have a responsibility to use it rightly. If you have the power to predict a bad scenario then it is your responsibility to do your best to ensure it never comes about.

    This is not a social law. This has nothing to do with society. This is selective pressure coming from the deformed animal within humanity that does indeed make a strong appearance in today's sick society. There is a great separation of those who have too much and those who have too little. Look into Maslow's Hierarchy of Needs if you want some sort of psychological understanding. We act out when we lack!

    We are independent individuals: depending on others is a weakness as it places you at their mercy. Not actively protecting yourself when you are aware of being in a dangerous environment is called neglect, and in the end it doesn't matter whose fault it is - you were exposed, attacked and defeated because you live in a fairy tale idealistic illusion that left you a target.

    If you were never taught this you can blame your parents for your naivety, for they are without a doubt ultimately responsible for your future.

    There is so much discussion about who's to blame and none about solving the problem!

    Today's world is supported by the 80's generation. What happened to you, 80's generation?
    Where is your wisdom and correctness? Your justness with righteous reality?
    Are you so socialized and drugged that you've forgotten the truth?
    I think there's little point in addressing the Slashdot crowd with this question - they seem to be a better, more finely informed group than the greater populace.

  74. New Cloud Offering: SaaDS by Anonymous Coward · · Score: 0

    Software as a Disservice

  75. The guy will get caught. by mtthwbrnd · · Score: 1

    Everything is monitored. EVERYTHING. The only way that he will not get caught is if "they" (you know, them!) don't want him to get caught.

  76. Deleted backups? by nurb432 · · Score: 1

    How? If they were not off-line, they really were not backups.

    --
    ---- Booth was a patriot ----