
(Slashdot)   So a "fundamental problem" with Windows could allow anyone with a little coding knowledge to copy data from Amazon Web Services. Hosting providers everywhere reach for the Pepto-Bismol   (slashdot.org)

3411 clicks; posted to Geek on 11 Sep 2013 at 10:20 AM



62 Comments
 
2013-09-11 10:25:24 AM
What is this derp? Yes, you can take a harddrive from windows and mount it in Linux and get most everything out unless you encrypt it. DUH!.

The argument here is that an Amazon employee could easily steal your data.

Duh.
 
2013-09-11 10:30:30 AM
Wait.  Wait.  Waitwaitwait.

Administrators have administrative access?

My mind is farking blown.
 
2013-09-11 10:36:15 AM
I was able to do this with my own volumes, but I don't have access to other users' volumes. An employee at Amazon, however, could potentially have that access, and therefore could reproduce these steps. Or what about the government and the NSA? If they can get a copy of the volume, they could go to town on your data.

Nevermind.
 
2013-09-11 10:40:23 AM
If you don't encrypt it yourself with your own key, generated by software you personally understand, it's not safe.  The end.
 
2013-09-11 10:40:33 AM
People that have physical access to your data have physical access to your data?
 
2013-09-11 10:40:55 AM
Concern Trolling by a Linux fanboi.  Nothing new here.
 
2013-09-11 10:42:01 AM

MindStalker: What is this derp? Yes, you can take a harddrive from windows and mount it in Linux and get most everything out unless you encrypt it. DUH!.

The argument here is that an Amazon employee could easily steal your data.

Duh.




Maybe the government should get involved. Their data is never stolen.
 
2013-09-11 10:43:33 AM
The fundamental problem with Windows is MicroSoft.
 
2013-09-11 10:50:48 AM
Maybe the dumbest, fud article I've seen in a while.

"This just in, you can do what you want with your own machines!"
 
2013-09-11 10:55:47 AM
I like how he went on about running things through psexec, as if you can do that as a normal user (which would obviously be Really Bad), and then suddenly said "Oh, you need to have an administrator account to run psexec".
 
2013-09-11 10:57:06 AM
The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened

Employees can do malicious things that normal people can't?
Shut.
Down.
Everything.
 
2013-09-11 10:58:08 AM
So data hosted by someone else can be misused? WTF, man I thought we'd already been through this stuff of "If you want your data secure then keep it yourself".
 
2013-09-11 10:59:40 AM
Anyone with local access and time can eventually access your data, the attack is OS agnostic, news at 11


//yes with good crypto that time increases well beyond a life time assuming no major break in quantum computing
///Much like bank vaults, crypto should be measured in hours to crack instead of assume unbreakable
 
2013-09-11 11:02:21 AM
This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.
 
2013-09-11 11:07:24 AM

itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.


Yep, no websites have password-protected sections.  Absolutely.
 
2013-09-11 11:09:16 AM

ikanreed: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

Yep, no websites have password-protected sections.  Absolutely.


He's being sarcastic.
 
2013-09-11 11:17:44 AM

itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.


$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image]
 
2013-09-11 11:21:25 AM
I agree that the "OMG fundamental Windows security flaw" angle of the article is overblown, there are some interesting tidbits there. I thought the chntpw tweak was good stuff, and the registry edit was useful too.

But yeah, if someone can mount your drive the CIA of your data has been compromised, regardless of operating system.
 
2013-09-11 11:26:19 AM

MindStalker: ikanreed: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

Yep, no websites have password-protected sections.  Absolutely.

He's being sarcastic.


Thank you.
 
2013-09-11 11:27:48 AM

Pharque-it: The fundamental problem with Windows is MicroSoft.


You forgot to change the s in Microsoft into a dollar sign.
 
2013-09-11 11:33:08 AM
That's why I store all of my sensitive data on USB drives and leave those in my front yard, far from any computer that someone could hack into!
 
2013-09-11 11:37:13 AM
someone has never heard of bitlocker.
 
2013-09-11 11:46:01 AM
The author's concerns are valid; for that reason, I only run Linux servers, which will require use of a third-party program for reading extfs partitions in Windows before a hacker who gains access to the drive can read my data. I am therefore entirely secure and safe.
 
rpm
2013-09-11 11:46:40 AM

serial_crusher: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]


wget

[i0.kym-cdn.com image]
 
2013-09-11 11:49:54 AM

rpm: serial_crusher: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]

wget

[i0.kym-cdn.com image 639x483]


this curls my blood
 
2013-09-11 12:11:10 PM
Wasn't the article about virtual drives or volumes in the cloud -- not a hardware drive in the computer.  I believe that there are different ramifications.  I am responsible for a corporate database -- I want hands on - not a big fan of the "Cloud".  Clouds always imply storms.
 
rpm
2013-09-11 12:13:19 PM

zedster: rpm: serial_crusher: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]

wget

[i0.kym-cdn.com image 639x483]

this curls my blood


Don't worry, the feeling is ethereal.
 
2013-09-11 12:14:49 PM

PainInTheASP: Concern Trolling by a Linux fanboi.  Nothing new here.


Though if you mount a Linux partition in another copy of Linux that you have root on, you can do all these same things. It's not even a "Windows" issue, it's an issue of having access to the hardware (or at least virtual hardware in this case)
 
2013-09-11 12:19:58 PM

skinink: So data hosted by someone else can be misused? WTF, man I thought we'd already been through this stuff of "If you want your data secure then keep it yourself".




How many years did it take for people to get it through their heads that smoking is bad for you.
 
2013-09-11 12:21:00 PM
Keeping in mind that Slashdot isn't loading for me, so I'm just basing this off what everyone's saying in the comments.

1) If the attacker has physical access, you are owned.  End of Story.  No ifs, ands, or buts.
2) Yes, the administrator employees at Amazon have access to your accounts and data.  I work at a Big Data startup, and yes, if we so desired, we could totally screw with you.  However, because we like eating food, and we aren't that stupid, we don't.
 
2013-09-11 12:21:08 PM

rpm: zedster: rpm: serial_crusher: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]

wget

[i0.kym-cdn.com image 639x483]

this curls my blood

Don't worry, the feeling is ethereal.


why're sharks involved?
 
2013-09-11 12:27:21 PM
WTF is this shiat?
 
2013-09-11 12:32:56 PM
I haven't been able to read Slashdot for a few years now without a growing sense of how entitled and out of touch its community has become in terms of 'news for nerds'.  These days it's a thinly veiled platform for Stallmanites harping about everything they don't like and letting their little impotent rage-quits/fanboyisms turned articles vent in an echo chamber of safety.

You just can't take the site seriously any more, I'm surprised the article wasn't filled with S->$ replacements, which just further reinforces how low the bar has gotten over there.  They are the Linux_yes of technology news sites, a parody of what they used to be, nothing more.
 
2013-09-11 12:42:08 PM
*reads headline*

GAH

*reads article*

MEH
 
2013-09-11 12:47:36 PM
It's like this guy just discovered that an NDA is just a piece of paper.
 
2013-09-11 12:58:19 PM

meyerkev: 1) If the attacker has physical access, you are owned.  End of Story.  No ifs, ands, or buts.


Not necessarily.  If someone steals a harddrive or a file that is encrypted (reasonably) but doesn't have the keys the risk of data exposure is minimal.

/the key word here is "reasonably"
//the author and subby are complete idiots
 
2013-09-11 01:02:53 PM

serial_crusher: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]


NoScript.
 
2013-09-11 01:05:30 PM
Wait, so my Windows login password doesn't protect me in the event someone just mounts my HDD as a slave and reads directly off it?!?

Dear Tebow, this is an outrage. What if they did that to my external drive?!
 
2013-09-11 01:21:10 PM

exboyracer: I want hands on - not a big fan of the "Cloud". Clouds always imply storms.


Good thinking. Don't make copies of your data, and keep it all in one location.

Otherwise you're just increasing the number of ways something could go wrong.
 
2013-09-11 01:25:02 PM

PainInTheASP: Concern Trolling by a Linux fanboi.  Nothing new here.


As someone who has been using Linux for 21 years, this.

I'm also a /. reader.  The site has just gotten embarrassing since Cmdr. Taco left.  Like making me wish for the days of Jon Katz.
 
2013-09-11 01:26:47 PM

jaytkay: exboyracer: I want hands on - not a big fan of the "Cloud". Clouds always imply storms.

Good thinking. Don't make copies of your data, and keep it all in one location.

Otherwise you're just increasing the number of ways something could go wrong.


Exactly!  That's why RAID devices are such a scam...  For example, by using a very minimal RAID 5 array, you have just tripled the likelihood of a hard disk failure!
 
2013-09-11 01:31:52 PM

SansNeural: jaytkay: exboyracer: I want hands on - not a big fan of the "Cloud". Clouds always imply storms.

Good thinking. Don't make copies of your data, and keep it all in one location.

Otherwise you're just increasing the number of ways something could go wrong.

Exactly!  That's why RAID devices are such a scam...  For example, by using a very minimal RAID 5 array, you have just tripled the likelihood of a hard disk failure!


RAID 5?  What, is it 1997 again?
 
2013-09-11 01:47:23 PM
Huh? Oh, this is written by someone with a basic knowledge of the AWS API.

Doesn't affect me and my tools that root around deep in the AWS API in order to forecast product sales.
 
2013-09-11 01:49:24 PM
anfrind
serial_crusher: itsdan:
This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]

NoScript.


That code ("ev.which") might not even work in all browsers; although I guess JQuery could add the "which" if the browser only has "button" for mouse events.

Oh, and:
Mozilla browsers like Firefox since at least(!) Netscape 4:

[i.imgur.com image]
Firefox probably hides those options behind an "Advanced" button or even in about:config
 
2013-09-11 01:52:44 PM
So, basically, that idiotic screed boils down to you've discovered that physical security is an important consideration for servers and data that are housed in locations you don't have direct control over?

Good job. For your next trick maybe you could try discovering your own ass?
 
2013-09-11 01:54:12 PM

The Voice of Doom: anfrind
serial_crusher: itsdan: This is nothing. Every single web hosting company hands over all your website's html codes when asked for them. No warrant or anything.

$(document).mousedown(function(ev){ if(ev.which == 3) { alert("Right clicking is disabled on this website."); }});

[i2.kym-cdn.com image 273x234]

NoScript.

That code ("ev.which") might not even work in all browsers; although I guess JQuery could add the "which" if the browser only has "button" for mouse events.

Oh, and:
Mozilla browsers like Firefox since at least(!) Netscape 4:

[i.imgur.com image 342x272]
Firefox probably hides those options behind an "Advanced" button or even in about:config


At this point I've really lost track of whether people are playing along with the joke or taking it seriously.  Nevertheless, that particular pref never thwarted the right click nag scripts, at least not on any browsers I ever used.  It just blocked the oncontextmenu event, IIRC.
 
2013-09-11 02:21:11 PM
serial_crusher
Nevertheless, that particular pref never thwarted the right click nag scripts, at least not on any browsers I ever used. It just blocked the oncontextmenu event, IIRC.

The alert will appear, but so will the context menu (either before the alert or after you clicked it away).

Interestingly enough though, in my browser the context menu will appear with right-click "disabled" whether I use that option or not.
So maybe that option is indeed just for the contextmenu event, but - at least in my browser - stopping the propagation of the right-click event won't stop the browser from opening the context menu.
 
2013-09-11 02:28:05 PM

The Voice of Doom: serial_crusher
Nevertheless, that particular pref never thwarted the right click nag scripts, at least not on any browsers I ever used. It just blocked the oncontextmenu event, IIRC.

The alert will appear, but so will the context menu (either before the alert or after you clicked it away).

Interestingly enough though, in my browser the context menu will appear with right-click "disabled" whether I use that option or not.
So maybe that option is indeed just for the contextmenu event, but - at least in my browser - stopping the propagation of the right-click event won't stop the browser from opening the context menu.


Probably has changed in recent years.  Used to be that the popping up of the alert dialog made the menu go away (on Windows.  no guarantees about other OSes).  This was back when browsers used the basic system dialog APIs for whatever reason, and the alert box was fully modal.  About 10 years too late Firefox finally implemented their own alert box that's only tab-modal.
 
2013-09-11 03:14:27 PM
So what? It's Windows, we're not talking about real servers here.
 
2013-09-11 04:25:12 PM

gingerjet: meyerkev: 1) If the attacker has physical access, you are owned.  End of Story.  No ifs, ands, or buts.

Not necessarily.  If someone steals a harddrive or a file that is encrypted (reasonably) but doesn't have the keys the risk of data exposure is minimal.

/the key word here is "reasonably"
//the author and subby are complete idiots


I disagree.  This tries to reverse the hash: https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/  Sure, not everyone has a 25 GPU monster, but most people have 1 or 2.  They'll just take 10-15 times as long.  Two minutes for weak hashes, and what, 3 billion passwords / sec for SHA1 hashes?

Throw in cloud password / hash breaking services and you're laughing.
 
Displayed 50 of 62 comments
