More Pale Moon drama. Insists BuyVM being responsible for the breach. - Page 2

24

Comments

  • BlaZeBlaZe Member, Host Rep

    All this drama for his Internet Explorer looking web browser?

    Pffftt.. need something more serious & important, pass.

  • joepie91joepie91 Member, Patron Provider

    Gamma17 said: With unencrypted "hdd" getting into VM from the host is as easy as shutting down VM for "node reboot required for updates" or whatever and mounting VM "hdd" on the host.

    "Unencrypted" barely even matters there. The host also has access to the memory of the VMs, so extracting any full-disk encryption keys is trivial.

  • @joepie91 said:

    "Unencrypted" barely even matters there. The host also has access to the memory of the VMs, so extracting any full-disk encryption keys is trivial.

    Obviously it is impossible to protect VM from actions performed by node admin.
    But still there are differences between encrypted/unencrypted. First one being that it 100% identifies malicious intent from provider. Just looking at VM disk can be explained by administrative/support purposes, breaking encryption cannot. Second one - it still requires some extra effort/skill.
    Also for me personally reason to encrypt is not protecting against "evil provider", but against someone pulling data from hdd's sold on ebay and such.

  • AnthonySmithAnthonySmith Member, Patron Provider

    Gamma17 said: Honestly I see no way how a write could happen to a vm disk from outside with running OS and 100% guarantee that it will not crash or break something.

    let me just assure you it is trivial.

    Thanked by 2EAgency Lee
  • joepie91joepie91 Member, Patron Provider

    Gamma17 said: But still there are differences between encrypted/unencrypted. First one being that it 100% identifies malicious intent from provider. Just looking at VM disk can be explained by administrative/support purposes, breaking encryption cannot.

    This is an irrelevant technicality in nearly every case, especially in the low-end hosting industry, where pretty much nobody ever goes to court over anything.

    Gamma17 said: Second one - it still requires some extra effort/skill.

    It requires running two commands instead of one. There are automated tools for extracting secrets from RAM.

    Gamma17 said: Also for me personally reason to encrypt is not protecting against "evil provider", but against someone pulling data from hdd's sold on ebay and such.

    Sure, that's a valid reason to do full-disk encryption. So long as you understand that the encryption is basically only useful for at-rest encryption (which means not for an active service), it can be a perfectly valid choice. Just don't underestimate how trivial it is to bypass it on a live system.

    Thanked by 1captainwasabi
  • FranciscoFrancisco Top Host, Host Rep, Veteran

    A master key? To his windows install? I'm going back to bed.

    I'll let my own reputation and long history of supporting my customers do the talking on this one.

    We have tickets from him where he admits he didn't log in to the server "for ages". There's been plenty of nasty as hell exploits over the years and he got popped in 2017.

    There's been multiple RDP exploits in the past year, never mind stuff like wannacry and similar.

    Whatever :)

    Francisco

  • deankdeank Member, Troll

    No need to defend yourself, Master Fran.

    Anyone with an ounce of a brain can see that the guy is shitting in his pants to divert the heat from him.

    Thanked by 1captainwasabi
  • ITLabsITLabs Member

    It's crystal clear to me that @Francisco saw an opportunity to dominate the world by changing ShitMoonBrowser's code, invading and twisting his own network of Windows 3.11 BuyVMs. In his diabolic mind, he wanted to change the moon's course by sending a DDoS attack from all corrupted browsers. Luckily he was busted and decided to go back to bed and now this nonsense thread can be finally closed.

  • hzrhzr Member
    edited July 2019

    joepie91 said: "Unencrypted" barely even matters there. The host also has access to the memory of the VMs, so extracting any full-disk encryption keys is trivial.

    I feel like hacking a single specific mirror by the provider for no gain that gets 1 download a year and no one notices it's compromised for 2 years because no one downloads it is really stupid and pointless.

    There are much easier targets to replace a binary. Their official downloads page basically eschews the free software hosting and build services/CI/etc to produce this:

    [image]

    And they don't enforce HTTPS and default to HTTP and the author has argued about how he won't enforce or redirect to HTTPS either.

    Thanked by 1vimalware
  • naingnaing Member

    joepie91 said: Sure, that's a valid reason to do full-disk encryption. So long as you understand that the encryption is basically only useful for at-rest encryption (which means not for an active service), it can be a perfectly valid choice. Just don't underestimate how trivial it is to bypass it on a live system.

    There are security through obscurity methods, such as various Digital Restrictions Management schemes, that make it non-trivial to bypass encryption. It's not security, but deterrence.

  • joepie91joepie91 Member, Patron Provider

    @naing said:

    joepie91 said: Sure, that's a valid reason to do full-disk encryption. So long as you understand that the encryption is basically only useful for at-rest encryption (which means not for an active service), it can be a perfectly valid choice. Just don't underestimate how trivial it is to bypass it on a live system.

    There are security through obscurity methods, such as various Digital Restrictions Management schemes, that make it non-trivial to bypass encryption. It's not security, but deterrence.

    DRM systems have absolutely nothing to do with full-disk encryption. They're entirely different systems with entirely different technical characteristics, and most importantly, the (very limited) 'deterrence' effect of DRM is not portable to FDE.

    So no, FDE remains trivially easy to get around on a live system when you control the host node, and always will be.

    Thanked by 1saibal
  • naingnaing Member

    @joepie91 said:

    @naing said:

    joepie91 said: Sure, that's a valid reason to do full-disk encryption. So long as you understand that the encryption is basically only useful for at-rest encryption (which means not for an active service), it can be a perfectly valid choice. Just don't underestimate how trivial it is to bypass it on a live system.

    There are security through obscurity methods, such as various Digital Restrictions Management schemes, that make it non-trivial to bypass encryption. It's not security, but deterrence.

    DRM systems have absolutely nothing to do with full-disk encryption. They're entirely different systems with entirely different technical characteristics, and most importantly, the (very limited) 'deterrence' effect of DRM is not portable to FDE.

    No, it's not portable to FDE, but the DRM scheme is applicable to sensitive data (for DRM it's a movie file, but for VPS it can be a database or virtual disk).

    In my estimation, the characteristic that AES key never appears in the RAM in full is an effective (albeit very limited) deterrence for most low-end hosting providers.

  • hjlowhjlow Member

    @Learntolive said:

    @AnthonySmith said:
    3 Mistakes.

    1. He/she/they OBVIOUSLY left the fucking window open.

    2. He/she/they assumed someone else took responsibility for locking his own door.

    3. He/she/they assumed it was the hosts responsibility to secure the empty apartment they rented with NO pre-installed locks and its own individual door not in any way connected to the apartment entrance.

    1 Conclusion.

    idiot.

    /thread.

    I agree, the hosting provider is not responsible if you just buy a server and don't even harden it.

    The OP is probably an American who thinks he can blame other people for his own shit.

    don't blanket blame Americans you idiot

  • If what Fran says is the case, disk encryption or any other measures are beyond this person's thinking. It sounds like this person might not have even been keeping up with Windows patches. Where I work, we have rolling downtimes on our Windows servers once a month. If this person had a habit of not logging into a server "for ages", who knows what exploits he/she ignored?

    Thanked by 1captainwasabi
  • deankdeank Member, Troll
    edited July 2019

    Well, to be reasonably fair, I believe it was an archive server that got hacked.

    If the team is small or even one man, chances are that such a server is overlooked.

    Though, from what I can tell from blame-shifting game he is pulling, he is pretty much incapable of anything.

    Thanked by 2willie uptime
  • WebProjectWebProject Host Rep, Veteran

    AnthonySmith said: He/she/they assumed it was the hosts responsibility to secure the empty apartment they rented with NO pre-installed locks and its own individual door not in any way connected to the apartment entrance.

    Some people don't have a clue what you are talking about, as it's much easier to pretend to be stupid - say that it is complicated and blame someone else.

  • @AnthonySmith said:

    Gamma17 said: With unencrypted "hdd" getting into VM from the host is as easy as shutting down VM for "node reboot required for updates" or whatever and mounting VM "hdd" on the host.

    Sorry to burst your bubble but no reboot, shutdown required, for at 'least' 4 years the ability for a KVM host to have full view of your filesystem has been trivial, it might as well be OpenVZ.

    The ability for anyone with a KVM VPS to prevent that is also trivial though, people make a choice to trust hosts, they also make a choice to use that as an excuse not to make basic "just in case" efforts.

    This is why I never understood the whole "bare metal kvm". Defeats the security of a properly configured dedicated server.

    I've also been considering moving my KVMs to a dedicated server for this reason but it's such a pain in the ass to deal with a failure of a dedicated server.

    I need more research into how to set up an easy to maintain virtual system on a dedicated server. Esx came to mind but backing it up became also annoying. Need a solution that can work well with a deduplication backup platform

  • HarambeHarambe Member, Host Rep

    @sureiam said:
    I need more research into how to set up an easy to maintain virtual system on a dedicated server. Esx came to mind but backing it up became also annoying. Need a solution that can work well with a deduplication backup platform

    I'd suggest Proxmox, got it running on about a dozen servers at this point. Not sure about de-duped backups, never attempted that, but it might be possible.

    Thanked by 1sureiam
  • IonSwitch_StanIonSwitch_Stan Member, Host Rep

    This is specifically why you digitally sign your releases. This developer sounds like a risk to his users

  • @Francisco fucked my bitch I concur

    Thanked by 2Harambe uptime
  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @SirFoxy said:
    @Francisco fucked my bitch I concur

    Fake news.

    I'm not into furry stuff.

    Francisco

  • uptimeuptime Member

    Pale moon been sippin' lean

    Thanked by 1SirFoxy
  • Seems like the moon is extra pale with this one..

  • @uptime said:
    Pale moon been sippin' lean

    pale moon off the sizzurp

  • @Francisco said:

    @SirFoxy said:
    @Francisco fucked my bitch I concur

    Fake news.

    I'm not into furry stuff.

    Francisco

    my bitch waxes, @Francisco

    thank u v much

    issue my direct admin license thnx

    Thanked by 1Hxxx
  • donlidonli Member

  • uptimeuptime Member

    thing is .... when their weak shit eventually, inevitably gets pwned yet again

    will they still be looking to blame Francisco for their woes ...?

    Seems to be the epitome of insecurity ...

    A poster-child of vulnerability, if you will.

    (Or even if you won't - it don't make no nevermind to me!)

  • JanevskiJanevski Member
    edited July 2019

    SirFoxy said:
    my bitch waxes

    What about during the winter?

  • @Janevski said:

    SirFoxy said:
    my bitch waxes

    What about during the winter?

    my bitch still finna wax the beaver fur

    Thanked by 1Janevski
  • ITLabsITLabs Member

    @SirFoxy said:

    @Janevski said:

    SirFoxy said:
    my bitch waxes

    What about during the winter?

    my bitch still finna wax the beaver fur

    Ya bitch does the brazilian wax style?

    Thanked by 1Janevski