Deniability - When the Adversary is the cloud provider himself #36

Open
opened 2024-09-17 21:05:33 +02:00 by nihilist · 1 comment
Owner
No description provided.
nihilist added this to the OPSEC Tutorials (paid contributions) project 2024-09-17 21:05:33 +02:00
nihilist added the
Doable
label 2024-09-23 10:40:43 +02:00
Author
Owner

the idea is what to consider when you have a VPS, and a dedicated server, what can the cloud provider actually see and do ?

  1. on a VPS and on a dedicated server: dedicated server is potentially safer as you have lower access to the server (meaning the cloud provider has less software capability to spy on what you do inside the machine, than on he did on the VPS

  2. With and without custom host OS (malicious kernel modules allowing the cloud provider to spy on what users do

  3. the cloud provider has physical access to the server so:

  • so he can pull the plug on it, plug and unplug usb devices, monitors, he can pull out the harddrives to try and read whats been stored into it (Host OS and other
  • and do a cold boot attack to read the contents of the RAM >>> need a way to encrypt everything that is in the contents of the ram, without physical access to the hardware

TLDR the ideal setup is :
-dedicated server
-custom host OS with integrity checks (kernel modules, physical changes monitoring, etc)
-encrypted harddrives

the idea is what to consider when you have a VPS, and a dedicated server, what can the cloud provider actually see and do ? 1) on a VPS and on a dedicated server: dedicated server is potentially safer as you have lower access to the server (meaning the cloud provider has less software capability to spy on what you do inside the machine, than on he did on the VPS 2) With and without custom host OS (malicious kernel modules allowing the cloud provider to spy on what users do 3) the cloud provider has physical access to the server so: - so he can pull the plug on it, plug and unplug usb devices, monitors, he can pull out the harddrives to try and read whats been stored into it (Host OS and other - and do a cold boot attack to read the contents of the RAM >>> need a way to encrypt everything that is in the contents of the ram, without physical access to the hardware TLDR the ideal setup is : -dedicated server -custom host OS with integrity checks (kernel modules, physical changes monitoring, etc) -encrypted harddrives
Sign in to join this conversation.
No Milestone
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: nihilist/blog-contributions#36
No description provided.