by Karl Denninger, Market Ticker: Recently there have been claims made on Reddit from a person who says he was a former Amazon IT employee.
He alleged that there are intentional back door connections into their “public” side from a “private” side run by, ostensibly, the NSA. Said systems were intentionally connecting to same and did have root access to said public side machines.
Folks, I’ve said this before and nobody wants to pay attention to it but you had better listen up. It’s simple, really:
IF YOU HAVE ADMINISTRATIVE (e.g. “root”) ACCESS TO A MACHINE RUNNING A HYPERVISOR AND HOSTING CLIENTS YOU CAN TRIVIALLY READ ANY OF THE MEMORY IN USE BY SAID CLIENTS WITHOUT BEING DETECTED. THIS IN TURN MEANS YOU CAN TRIVIALLY READ ANY ENCRYPTION KEYS USED BY SAID CLIENTS AND STEAL THEM UNDETECTED.
HAVING DONE SO YOU CAN NOW READ EVEN SO-CALLED ENCRYPTED DATA STORED ON THE DISKS OF SAID CLOUD SERVICE COMPLETELY UNDETECTED.
ALL CLOUD SERVERS ARE BUILT ON THIS ARCHITECTURE.
There is no such thing as a secure encryption key, ever, on a cloud server.
All such keys must be presumed to have been stolen immediately upon being put on said machine. If said key is a signing key, such as for a Certificate Authority (“CA”) or similar then the person who steals it can trivially create new authentication credentials that the system will accept as legitimate even though they are entirely forged.
There is exactly zero a customer can do to protect against this in a “cloud” environment. Leaving aside the fact that firms like Amazon employ a huge number of people with legitimate administrative access to said machines, that you have no ability (or right) to vet any of them and you will never be told if any who have ever accessed any machine on which your data resides are terminated or quit, with or without cause, the fact remains that there is now an allegation that Amazon intentionally allowed our “three letter agencies” a back door into said machines and it was actively used on a regular, ongoing basis and thus all your keys that ever touched any of those cloud providers must be assumed to now be in the possession of multiple other people, including, I remind you, other than US government actors since the NSA, CIA and similar cannot manage to keep their own contractors from stealing and handing over said material.
Specifically both Russia and China must be presumed to have any such key along with others and you must presume that they will use it and there isn’t crap you can do about it when they do.
You are a ****ing idiot if you have any sort of confidential business information on any of the public cloud company machines.