braindead0

Be wary of using the cloud


https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/#p3

Summary: DJI offers bug bounty for finding flaws. Bounty hunter finds HUGE data risk, complete compromise of DJI infrastructure ... DJI response is to threaten the guy that was trying to help them secure their systems.

They leaked flight log data (from .gov and .mil domains no less), passports, driver's licenses and identification cards.  Why they had passports, driver's licenses or IDs???

Also related: https://arstechnica.com/gadgets/2017/08/army-tells-troops-to-stop-using-dji-drones-immediately-because-cyber/

 

I hear there's a thriving DJI drone hacking community, I'll be going there before purchasing anything from DJI just to make sure I can remove their crapware/spyware..


Not everything is vulnerable, only things that are exposed and available.  Private data should never be on a publicly facing server without reason, and when there is reason it should be secured.  DJI's security practices are pathetic, and their response is unacceptable IMO.


One could say: Anything that is connected to a publicly accessible network is subject to attack.

That's entirely true. 

In this particular example, DJI failed to meet any reasonable security standards.
 


Will admit, that I do not know a whole lot about cloud.

And it is pathetic of them going after someone willing to help, and solved probably pretty quickly I would assume.


It's a huge problem, solutions are simple but changing the culture of a business from "whatever increases profits" to "balancing profit and security" is extremely difficult.  They may fix this problem but will create the same issue over and over most likely. 


Yep, it's always the profit. Get something out quickly and forget about the critical functions, because it costs them.


The only clouds I like enhance sunsets and those that bring rain or snow. Otherwise, man made clouds I don’t trust nor do I use them.

On 11/18/2017 at 1:38 PM, David A. Wright said:

The only clouds I like enhance sunsets and those that bring rain or snow. Otherwise, man made clouds I don’t trust nor do I use them.

Excellent policy, you're miles ahead of most folks..


I assume there are those common things like card readers that send and retrieve data to the cloud, now that it has become an industry standard, so I know there is no way to be truly cloud free. But I don’t seek it out and use it. If I desire a reasonably secure way to deliver data to someone, I drop a USB thumb drive in the mailbox.

Share this post


Link to post
Share on other sites

Part of the problem is that the term 'cloud' means nothing to consumers.  'Cloud' services are just another name for shared hosting on a grand scale.  As far as the specific example of card readers.. I can shed some light on that (it's what I've been doing for 2 decades now).

PCI compliant card readers do not ever put your information 'in the cloud'.  Anything with a chip reader will be PCI compliant.  If you see a reader attached/built into a keyboard or a monitor.. those are NOT likely very secure.. I use cash whenever I see one of those being used.  Card readers are injected with a set of keys for public key encryption, one for the device and the other for the server that the device interacts directly with.  Even the point of sale system doesn't have access to the data on your card beyond name and whether or not the transaction was processed (and some systems don't even provide name). 

A point of sale transaction with one of these devices looks roughly like this:

  1. POS System -> sends request to card terminal (the thing you interact with), includes amount and often an invoice or reference number.
  2. Card terminal connects to remote card processor server via public key encryption, submits for processing and receives a response that includes whether it was approved/denied as well as a token to identify the transaction with the processor.
  3. POS system receives token and status from card terminal, and marks the sale paid without ever having access to your card number/mag stripe data.

Step 2 is the only point where your personal information enters into the picture (unless you give the business personal info, that's on you ;-).   The interaction is protected by extremely strong encryption.  The only known attack at this point is a man in the middle attack, which would require being able to write a new key to the card terminal AND write a new key to the card processors system without being detected.  Because this is the only attack vector, it's monitored very carefully.

That's not to say some new/novel attack might be found, however typically these are known by researchers way before criminals find out.   Criminal attacks on card systems have always been fairly simple, because the targets have been very easy.  PCI certifications/compliance is going to make that a lot harder, time will tell if it's enough. 

The most recent data breaches have all been personal information, not CC numbers..  I think the criminals are moving toward more ID theft, because that's relatively easy compared to credit cards.

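The three-step flow described in the post above, sketched as an added example that is not part of the original post: a POS, a terminal and a processor exchange only amount, reference, status and token, and a Luhn-based scan confirms the POS record holds no card number. All class and function names are hypothetical, the card number is a constructed test value, and the encrypted terminal-to-processor link is modelled as a plain method call.

```python
import re, secrets, string

def luhn_ok(digits):
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return 13-19 digit runs (spaces or dashes allowed) that pass Luhn."""
    runs = re.finditer(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)", text)
    digits = (re.sub(r"[ -]", "", m.group()) for m in runs)
    return [d for d in digits if luhn_ok(d)]

class Processor:
    """Remote card processor: the only party that keeps the card number."""
    def __init__(self):
        self.vault = {}                      # token -> (pan, amount)
    def authorize(self, pan, amount):
        ok = luhn_ok(pan) and amount > 0     # stand-in for the real approval decision
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self.vault[token] = (pan, amount)
        return ("approved" if ok else "denied"), token

class Terminal:
    """Card terminal: the device the customer interacts with."""
    def __init__(self, processor):
        self.processor, self.card = processor, None
    def insert_card(self, pan):
        self.card = pan                      # card data enters here, not at the POS
    def charge(self, amount, reference):
        if self.card is None:
            raise RuntimeError("no card presented")
        # Step 2: the encrypted terminal-to-processor link is modelled as a direct call.
        status, token = self.processor.authorize(self.card, amount)
        self.card = None
        return {"reference": reference, "status": status, "token": token}

def pos_sale(terminal, amount, reference):
    """Steps 1 and 3 as seen by the POS: amount and reference out, status and token back."""
    r = terminal.charge(amount, reference)
    return f"ref={r['reference']} amount={amount} status={r['status']} token={r['token']}"

if __name__ == "__main__":
    proc = Processor(); term = Terminal(proc)
    term.insert_card("4111111111111111")     # constructed test number, not a real card
    record = pos_sale(term, 2599, "INV-1001")
    print(record, "| PANs in POS record:", find_pans(record))
```

The same `find_pans` scan can be pointed at POS logs or database exports to check that card numbers are not being stored where only tokens should be.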

So far, I'm incredibly unimpressed with the cloud - at least AWS.  It's all DevOps driven, which means "Feature/Functionality X - Here today, gone tomorrow, no announcement". 

Just getting a basic VPC with a few EC2 instances, NAT and HTTP/S load balancers working has been an exercise in absolute frustration.  Their "architectural" people are no goddamn help - they always come back with "Well...I don't know - what are you trying to do?"  This, after a long, detailed email of "This is what I'm trying to do, based on what YOU told me in our last meeting, and it doesn't work.  WHY NOT?" 

'Cloud' is the latest phenomenon in the race to the bottom, yet in a perverse way it's the 1970's all over again - time-sharing, per-CPU/per-byte cost structure, thin-provisioned storage, and a very 'black box' mentality.  The big difference is that systems analysts/admins from 1975 knew their shit, inside and out.  In 2017, their only required certification is that they be buzzword-compliant. 


And they 'sell' it to businesses as more reliable, able to scale..etc..  We've had decent success using S3 for software distribution and database replication (we wrote our own replication system, just using S3 for storage).  However new owners have sold much of our IT to an 'MSP' and they are complete idiots.  We told them flat out to not touch our dev servers, no updates no software installation.  They keep doing it, and then lying to the director of IT.. when I showed him the event log entries showing they installed updates to their crappy software..  crickets...

They moved our domain controllers to 'the cloud' and I get failures to talk to them all the time. The idiots at the MSP keep locking their own accounts out (hilarious I tell you) and they don't monitor the system except for 'is it running'.. no service monitoring, no IDS/IPS..

They were supposed to deploy a new Hyper-V host server in house (strangely I wasn't involved in any of this, yet I manage all of the dev servers).  The idiot shows up with hardware, no discs and asked our IT guys to allocate some SAN space..  Well, our SAN is overprovisioned already, and running over gb ethernet and is in no way suitable for backing build/VCS servers.  Last I heard it was going to take them a MONTH to properly configure a new server... doooh.. install some freaking HD's and a RAID controller idiots..

Lucky for me, I'm just a developer..  I manage our servers because I have experience doing this, it's not technically my job so they could crash/burn and leave our dev department twiddling thumbs.. and it's not my problem really.  That may change, VP of development is retiring.. my 'boss' is temporarily moving into the position.  Good odds I'll get proper authority, budget, etc to do the job right..

Nice to see someone else hasn't drank the cloud poison, when these chickens come home to roost I expect chaos..


So far, at AWS re:Invent, I'm not feeling much love for their crap. 

I can't put my finger on it, but something doesn't sit quite right with me.  Maybe it's the whole DevOps 'model', which is nothing more than 'beta test on the customer', IMO.  Maybe it's the flurry of solutions looking for problems in combination with the semi-opaque nature of Getting Things Done.  Just as an example, I tried to set up a VPC with Internet and NAT gateways, a couple of EC2 instances, and ELB.  Holy Hell To All, it took a week to get things sorted.  I could have built the same physical infrastructure (and then some) in 2 days or less. 

The PHB's think "MONEY SAVING!" because they figure they'll roll out t2.micro instances and then autoscale as-needed.  Sure they will.  And the rectal removal of corporate funds will autoscale along with the instances, usage charges, etc. 

Or maybe it's that most of the PM's and coders (for AWS, not partners) I'm seeing are so naive that they just make me want to puke all day.  "This is SOOOOO SIMPLE!"  Sure, sweetheart, if you got 6 months and nothing but time on your hands to learn your byzantine 'best practices' way of doing things.  Most of us don't. 


I suspect you've been around long enough to have experienced the great outsourcing movement of the 90's... same thing, false economy driven by BS marketing...  Management ran headlong into these deals and got nailed hard in the long run,  I think we're just seeing the same thing driven by the ignorance of current management.

Luckily I don't have to deal with much of this except some of the fallout, however the other devs know I have no authority or official mandate.  I'm giving these derps all the rope they need to hang themselves..


I remember the outsourcing of the 90's with great chagrin.  Whether you'd include the offshoring in that trend or not, I recall having more issues with that than with 3rd party onshore support issues - but neither was optimal. 

I also remember how in the early 2000's and late 90's every other job listed seemed to be for Flash 'programmers'.  Look where that got us. 

I finally got fed up with the AWS mobile app for this conference - I was using it to track my session schedule.  I finally slurped the schedule down as a CSV file, wrote a quick CGI (and by quick I mean ugly) and dropped it on my own server.  Now I can just look up my schedule at will, no need to rely on their app.  Monday was great.  iOS and Android users were experiencing failures in the app - turns out they made some changes to the back end DB Sunday night in dev, pushed to production shortly thereafter, and then started to break everything (db_connect table did not scale or some such). 

DevOps - Beta Testing On The Customer Since 2012(TM).


The term DevOps has no real meaning any longer.  In my experience it used to mean operations support for developers (one of the things I do at work), keeping build/VCS servers running.  Optimizing continuous build/integration.. perhaps managing code branching and versions... thus DEVeloper OPerations.  Now they're using the term for anything they can because it's the hot thing I guess.

During the 90's I was consulting for the Southern California Gas Company, helping build a new modern customer information system.  They outsourced development to IBM, who burned through over a million dollars a month.. for years...developed the program under SmallTalk for OS/2.. AFAIK they are still managing/maintaining over 5000 desktop systems running OS/2 Warp 4.0.  The system worked pretty well, and compared to what we'd have today (a clunky and slow web interface) they are likely better off still ;-).

It amazes me how people have adjusted to the poor performance of online systems, where you click something and wait compared to desktop software with sub 10ms response times.. which for years was the standard for 'responsiveness'.   The people have been retrained to accept this as normal...bugs the hell out of me every time I have to work on systems like that......  Almost seems like an effort to dumb down people, make them think as slow as the web apps..


and here's an epic fail: https://arstechnica.com/information-technology/2017/11/army-red-disk-intel-sharing-system-left-exposed-in-open-aws-data-store/#p3

Summary, contractor put top secret data in S3 bucket.. fails to secure.. and this isn't the first time.  The freaking government can't get their crap together in this regard...  I feel sorry for average people who have no clue how to keep a reasonable level of security.. 


Well, I got lost in all the acronyms, but I get the basic message. And I agree. There are many things my old Tandy 8086 running DOS 2 could do. Something as simple as EDIT>DELETE and double click or hit ENTER and wow! The file was in the trash.

Compared to my late model iPad running OS 11.1 (latest update). Since I don’t have Internet at home and having to use the library, and being a holiday weekend, I spent those days putting together a photo essay email with about 40 photos to send to multiple users (I have a Gmail account, but use Apple’s OEM Mail app). I tinkered with it all weekend, adding, subtracting, changing, etcetera. All was fine until I went back online. When I went to retrieve what was originally the only draft to send, I found in my drafts folder four drafts, each with different dates and times. Each was different in what photos were there. So I chose the newest draft, checked it to make sure it was my final, and sent. I put in the trash the other irrelevant drafts.

And then, I find that Google said ... :16DAMNIT: ... and took it upon itself to go dumpster diving and retrieve my drafts, placing them in both my sent box and inbox stuck in the thread of emails under the same heading. It made for a very long scroll to read the latest incoming messages. So, I trashed them again. And again Google told me to my face ... :middle_finger: ... Again I trashed. Again ... :middle_finger: I’ve tried three times today with the same results.

Another example. I installed the Gmail for iPad app recently, thinking I would have more control over fonts and such. I quickly tired of its trying to dominate me into its mold and trashed it. If I want to write an email with photos, I simply take a USB/Apple Lightning flash drive, transfer my desired images over from my computer to my tablet and embed into my email. When I attempted that with Gmail’s app, I got popup boxes telling me that I had to be online to transfer an image stored on my tablet, send it to the cloud and drop it back to my tablet. Gee ... my old 286 SX computer with Windows 3.0 could do that simple task of placing my image in my email all day long, after I updated to a newer version of Juno freeware that could handle attachments and media with HTML instead of text only (and on dial-up!). And previous to my Juno upgrade, I could attach any file in basic Juno email. And it simply obeyed my command instead of disobeying and telling me what to go do with myself.

My point and opinion is, back in the 1980s and 1990s computers were better than now. They simply did what you told them to do and you didn’t get told ... :middle_finger:.  ... by what should be my inanimate possession, and one that tries to make me mold to its way of thinking and compromise or create workarounds and reinvent the wheel to write a short note.

And my inbox is still full of trash. :Various_Artists-blowup:

