[Cialug] Access credentials for new cloud instances

Zachary Kotlarek zach at kotlarek.com
Mon Jan 23 16:58:21 CST 2012


On Jan 23, 2012, at 2:23 PM, Thomas Kula wrote:

> Ah, but the problem here is how do you know that the thing
> you are now sshing into and are generating magic bits is
> actually the thing you mean to be logging into and generating
> magic bits? I.e. this isn't someone between you and your cloud
> provider who's gotten your image and is making traffic for that
> ip head over to this rogue image?


That is a possible attack vector. And really they don't even need your image unless you've got secrets on it.

But if you're going to extend your protection to "attackers that can convincingly impersonate interactive comm" you need to take it a lot further -- how do you know someone didn't hijack your Firefox download and add their own SSL CA? Or mangle your distro download to replace the SSH client with one that steals your secrets? Or mangle your GPG download to provide false validation for package signatures? Or mangle your gcc download to compile a backdoor into all your programs?

My point is just that there are lots of tools/systems you probably already use that are subject to the same sort of attack, and I don't think there's any reason to believe that this particular service would be more susceptible to such an attack.

	Zach
