nihilist/blog-contributions
3
2
Fork 18
Code Issues 70 Pull Requests 1 Packages Projects 2 Releases Wiki Activity

Deniability - When the Adversary is the cloud provider himself #36

New Issue
Open
opened 2024-09-17 21:05:33 +02:00 by nihilist · 1 comment
nihilist commented 2024-09-17 21:05:33 +02:00
Owner
Copy Link
No description provided.
nihilist added this to the OPSEC Tutorials (paid contributions) project 2024-09-17 21:05:33 +02:00
nihilist added the
Doable
 label 2024-09-23 10:40:43 +02:00
nihilist commented 2024-09-28 16:01:31 +02:00
Author
Owner
Copy Link

the idea is what to consider when you have a VPS, and a dedicated server, what can the cloud provider actually see and do ?

  1. on a VPS and on a dedicated server: dedicated server is potentially safer as you have lower access to the server (meaning the cloud provider has less software capability to spy on what you do inside the machine, than on he did on the VPS

  2. With and without custom host OS (malicious kernel modules allowing the cloud provider to spy on what users do

  3. the cloud provider has physical access to the server so:

  • so he can pull the plug on it, plug and unplug usb devices, monitors, he can pull out the harddrives to try and read whats been stored into it (Host OS and other
  • and do a cold boot attack to read the contents of the RAM >>> need a way to encrypt everything that is in the contents of the ram, without physical access to the hardware

TLDR the ideal setup is :
-dedicated server
-custom host OS with integrity checks (kernel modules, physical changes monitoring, etc)
-encrypted harddrives

the idea is what to consider when you have a VPS, and a dedicated server, what can the cloud provider actually see and do ? 1) on a VPS and on a dedicated server: dedicated server is potentially safer as you have lower access to the server (meaning the cloud provider has less software capability to spy on what you do inside the machine, than on he did on the VPS 2) With and without custom host OS (malicious kernel modules allowing the cloud provider to spy on what users do 3) the cloud provider has physical access to the server so: - so he can pull the plug on it, plug and unplug usb devices, monitors, he can pull out the harddrives to try and read whats been stored into it (Host OS and other - and do a cold boot attack to read the contents of the RAM >>> need a way to encrypt everything that is in the contents of the ram, without physical access to the hardware TLDR the ideal setup is : -dedicated server -custom host OS with integrity checks (kernel modules, physical changes monitoring, etc) -encrypted harddrives
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
/!\ On Priority - High Quality Tutorial

   
? Impossible Currently ?

   
Complex

   
Doable

   
Simple

   
To be improved / simplified / finished / fixed

   
pushed to prod (1 month external review)
No Label
/!\ On Priority - High Quality Tutorial
? Impossible Currently ?
Complex
Doable
Simple
To be improved / simplified / finished / fixed
pushed to prod (1 month external review)
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
OPSEC Tutorials (paid contributions)
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: nihilist/blog-contributions#36
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?