[lug] Why is it SO easy to destroy cloud environments?

Thu Oct 18 12:39:35 MDT 2012

It's a deeper question than it first appears.

Let's say you can set a 'no-delete' flag to prevent accidental destruction.
I think that's a "my god why haven't they done this already?!" idea - it
will keep someone from fumble-fingered accidents.

But it won't stop anybody who knows enough to unclick that flag first.

You can make it harder but the harder you make it (and I agree that it
should be optional) the more you open up someone to the hassles of having
instances that they /can't/ destroy. It reminds me of the problems many of
us had with Network Solutions many years ago - they would only allow you to
transfer your domain to a new registrar if you sent them a letter on your
letterhead.  Uh, fine, but what exactly is the letterhead for an individual
or the type of small business that many of us use for our side projects? We
all had to create bogus letterhead just for them and if it's that easy to
circumvent the system (since they didn't have samples of our letterhead on
file) then why did they bother with the requirement in the first place.

Even if you somehow solve that problem it's all irrelevant if an attacker
gets into the cloud's management system and issues the takedown commands
anyway. You have the appearance of better security but it's an illusion if
you're dealing with hostile agents (malevolent hackers, foreign
governments, etc.).

Another idea is keeping the internal backups for, e.g., the minimum of the
lifetime of the instance and 2 weeks, with a 4 hour floor. The idea is that
you probably won't miss anything that's only been around for a few hours
but it will give you time to recover from a rogue employee. It's an easy
thought but it means that your low-level hosts have access to account
information (one point of failure) and there's no way to guarantee that
that information hasn't been compromised (second point of failure). So
again it might give you some warm-and-fuzzies but not really improved the
situation.

The bottom line is that there should definitely be some protection from
fumble-fingers. But I don't know how much else is anything more than window
dressing. Your best defense is the fact that access to the management
functions requires cryptographic keys so (legitimate) access can be kept to
the senior sysadmins. That may be why you've gotten a cool reaction - it
might not be that they don't care but that they've looked at it and haven't
found anything that's actually useful.

On Thu, Oct 18, 2012 at 11:48 AM, David L. Anselmi <anselmi at anselmi.us>wrote:

> Paul E Condon wrote:
> > It seems to me that your concern is much more than an annoyance to a
> > programmer. Leon Panetta (sp?) is in the news recently raising
> > alarums about terrorists attacking our cyber infrastructure.  Your's
> > is an issue of national importance.
>
> I don't think I'd go that far.  I think it's easy to wipe out your cloud
> environment because it can
> be.  As a user of the environment you figure out how to avoid doing that
> or recover when it happens.
>   It's the same principle as there being no undelete on most Unix file
> systems.
>
> Dave
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20121018/a75b6f30/attachment.html>