Paco Hope @paco@infosec.exchange

@nspanti @angristan What's the argument: no one should use CDNs because CDN providers can lie and surveil traffic when they say they don't?

Some people might call this "parody". In my world, it's a bit more like "Tuesday". https://www.youtube.com/watch?v=JMOOG7rWTPg

@WPalant I just saw this reply. But I answered it in my post. It's one EC2 instance at AWS. The IP range it comes from is a /14 range (250K IPs). I own 1 IP address from Amazon and outlook.com has no way to verify that. They did eventually get back to me after a week. They put in a mitigation. But when you're the little guy, life is hard. I only have 20 users or so.

I had a non-delivery notification from my personal mail server to outlook.com. It said "your ISP's network is on our block list.' My ISP is AWS and the network is a /14. It's bonkers.

It's like living in a 500-unit apartment complex and a company says "unit 402 didn't pay for their purchases last month, so we're not selling anything to anyone in that complex any more."
#spam #isp #email #smtp

Green text, meet red text. Red text, meet green text. Now that you guys are acquainted, would you like to go off, have a little chat, and come back to me with a USEFUL error message?

If you have some spare compute cycles and you want to donate them to fighting #covid19, there's a medical research programme called "Folding@Home" which is similar to SETI@Home, but for medical research: https://foldingathome.org/2020/03/15/coronavirus-what-were-doing-and-how-you-can-help-in-simple-terms/

This is a fascinating C2 vector. But I gotta admit: it's hard to take it seriously with this diagram. https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/

Not mine. But absolutely appropriate for this forum. :) #infosec

That’s big news. #OpenSSH adds support for Fido/U2F tokens. https://www.zdnet.com/article/openssh-adds-support-for-fidou2f-security-keys/

@jjbaumgartner yeah I’ll just add another protocol where we disagree. There’s no need to slice and dice and imagine that things unsaid are implied in the worst possible way. Even NIST recanted it’s recommendation to change passwords for government and enterprises. Do some research on it. It was never founded in anything. Someone just sorta made it up and it stuck. There is not a lot of justification for it.

I wrote a blog post on how to use KMS key policies to act as a separate access control for data in Amazon S3. https://aws.amazon.com/blogs/security/how-to-use-kms-and-iam-to-enable-independent-security-controls-for-encrypted-data-in-s3/

@ebel I feel your pain. After 10 years living in Europe I moved back to the US. It's infuriating. Makes me want to get European cookbooks / recipe books. It'll all be in millilitres and sane units.

I see a lot of articles say things like "They now run this service in the cloud—which brings its own set of security challenges." I wish they would equivalently write "They run their IT in their own data centres—which brings its own set of security challenges."

DIY infrastructure? Oh that's obviously secure. Professionally-run commercial clouds? Whoa, they're risky.

The physical affects the virtual affects the physical. Performance artist creates virtual traffic jams by pulling a wagon full of second-hand phones all using Google maps app. http://www.simonweckert.com/googlemapshacks.html

Why do #infosec people go around insulting everyone? Everyone who uses the cloud "blindly trust the cloud providers"? Nobody is doing due diligence? Nobody has a long list of security risks they track and controls and mitigations, huh? And they want to "disprove the assumption that cloud infrastructures are secure". Because the existence of one bug means what? It's "insecure"? The research is legit, but the preamble is garbage from an out-of-touch techie. https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/

@starbright @natecull Side-effect of mastodon: you name both of us in the toot, but it isn't clear who you're addressing. :)

@natecull Let me pivot a little. You and I probably agree on a few things. When one company controls massive amounts of IPv4 space and that company's Ts&Cs govern what may or may not run on its servers/networks, that company has a significant influence over Internet norms. That's not the old school internet we grew up with. I have servers co-lo'ed in old school data centres because that's what the Internet is about. But no $20Bn is gonna shoot itself in the head by granting access like that.

@natecull So you only use things that have had all vulnerabilities proved impossible? That's not actually possible. OpenSSL was secure until it wasn't. Linux was secure until it wasn't. Then we patched and moved on. It's all cost/benefit tradeoffs. The layers of controls between your theoretical scenario and a practical, actual exploit are huge, well-documented, and well understood. Audited by third parties. You could download them self-service. Requires an AWS account and click-thru NDA.

@natecull This is like arguing with Fox News. This is pure conspiracy theory. How does one prove a negative? How do I prove to you that I'm not a millionaire? How do we prove to you that we don't have a master key? You literally believe we will lie publically, in writing, in contracts, to customers, to staff, and to everyone else. This is why I asked up front what evidence would convince you. There is no evidence you would believe. That makes the whole argument fairly pointless.

@natecull All the nitro instances. There is no open source hypervisor there any more. Nitro also does crypto on the network card. There is no human access to the hypervisor any more—in any way. Customers who want that security need to pick that instance type. https://perspectives.mvdirona.com/2019/02/aws-nitro-system/