
Ayup. We use AWS CloudHSM to hold our private signing keys for deploying field upgrades to our hardware. And when we break the CI scripts I see Cavium in the AWS logs.

Now I gotta take this to our security team and figure out what to do.



I'd be surprised if you get anything more than generic statements about how they take security very seriously and they are open to suggestions, but avoid addressing the mentioned concerns directly (and this applies to all cloud providers out there, not just AWS).

I'm sure a few others here would like to see their response as well.


We've had other issues with our CloudHSM instance, especially with the PKCS#1 v1.5 deprecation on January 1. And their support has been pretty dismal. Not expecting much from them at this point.


AWS support is pretty fucking terrible generally. We’re a very high rolling enterprise customer and it’s pretty obvious that some of their shit is being managed by two guys in a shed somewhere who don’t talk to each other.


As someone who was IN AWS premium support, I got the distinct impression they had no idea what they're doing.

I was a Linux sysadmin for a decade. They initially hired me to work on the "BigData" support team.

Then, after hiring, they threw me into CI/CD instead. I told them I don't know Python or Ruby and would be a terrible fit.

I asked if I could join the Linux team. EC2 is bread and butter; that's easy stuff.

"Oh we're actually shutting that team down soon. I'll move you into containers instead"

Spoiler: they didn't "shut down" the Linux group


Thank you for this. Next time AWS try and tempt me over to them I’ll tell them literally fuck off. Not up for those games.


Another satisfied user of AWS Glue, I see. On a scale of 10 to “I have no mouth and I must scream” how much do you hate their error messages?


The famous one poke bowl team. Saved costs on pizzas.


Have you had the pleasure of working with Azure? I'll take AWS any day over that dumpster fire.


As someone who is deciding between AWS, Google and Azure: could you give an outline of some of the Azure pain points? Are there any blogs or other articles that outline what your concerns would be?

I'm pretty aware of how painful it can be to configure AWS well: IAM roles, the overly large ecosystem that we won't need, and the unmitigated complexity of configuring it all. It's not comforting to think Azure is worse yet.


They’re just different. People like the devil they know.

The Azure Resource Manager system is much easier to use than the fragmented mess that is AWS.

The problem with Azure is that they’re still catching up to AWS. They have fewer products and the quality is worse.

Really basic issues will remain unaddressed for years.


I work on and off with both. AWS may be more feature-complete in some areas, but Azure is frankly easier to work with for me; I can actually get support on issues I have from Microsoft. And while I've generally only done so from the large enterprise account perspective, Microsoft is way more open to feature requests/enhancements than Amazon is. I don't have any experience with GCP, so I can't speak on that.


We selected AWS for very modest needs, but sometimes I glance over at Azure and wonder if the grass is greener. I'll take your word on it though.


We work with Azure and don't have any major complaints about it - what were your issues?


AWS Client VPN and Ubuntu 22.04... Need I say more?


What issues are you having?


The required old version of libssl is no longer in Ubuntu's repos.


Using AWS Greengrass?


Greengrass was so bad we built an entire edge platform.


Never even heard of that one!


It's a cloud to edge system. Like hosting some of your stuff on the edge, think like a cloud that lives inside your factory.

It confused me when researching it.


Imagine doing a job interview: they ask, do you know AWS? Sure, I know AWS, and you explain what you built with Greengrass, Lambdas, RDS, etc., and then get rejected for not knowing AWS lol


Hate Greengrass; Love joy.


Wouldn't such a backdoor invalidate all promises made by external audits, e.g. https://cloud.google.com/security/compliance/offerings, and more importantly wouldn't it violate the safe harbor agreement with the EU, or whatever sham this safe harbor was replaced with?


As you say, a sham: as long as the Patriot Act is still effectively ongoing, everyone else is still trying really hard to look the other way (especially while the war is still ongoing!), ignoring the CJUE, which has no choice but to shoot down one agreement after another, since they automatically violate the EU Charter of Fundamental Rights: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_I


I mean, if you can detect it.


And you’re allowed to notice it without dudes in suits and dark sunglasses convincing you it’s a bad idea to do so.


  The Intel Management Engine always runs as long as the motherboard is 
  receiving power, even when the computer is turned off. This issue can be 
  mitigated with deployment of a hardware device, which is able to disconnect 
  mains power.

  Intel's main competitor AMD has incorporated the equivalent AMD Secure 
  Technology (formerly called Platform Security Processor) in virtually all of 
  its post-2013 CPUs.

https://en.wikipedia.org/wiki/Intel_Management_Engine

  Ylian Saint-Hilaire, Principal Engineer working on remote management software 
  including hardware manageability:
https://youtu.be/1seNMSamtxM?feature=shared

https://github.com/Ylianst


I think Ylian Saint-Hilaire hasn’t been with Intel for about a year now, after some layoffs. As a result, the software ecosystem around AMT/vPro is lagging these days.

Hardware-wise nothing changed; it’s just even harder for the actual owner of the hardware to use the legitimate management features, while presumably easier for whoever could illegitimately abuse them.


Nothing?

I mean, you are already in a US-based cloud, so if the NSA is interested, they will just request information directly; no backdoors needed.

(This is a good test for your security team, btw: if they say anything other than "we do nothing", you know it's all security theater.)


But being able to request it and having a built-in backdoor for anyone with a key are different things. It has happened before that the Chinese government figured out network equipment backdoors that were put in for the US government. All your company secrets are there for the taking for anyone with the resources to figure out that backdoor. Especially now that people know it exists. Shouldn't this at least start the clock on expiring this hardware?


Considering the scale of Amazon and Google, and their involvement with US government agencies in the US, I think it is fair to suspect that there is a lot we don't know about...


Very good point. That was the consensus from our team, so I think we're okay.

Ironically, we're securing this data because of US government requirements. So if the government wants to spy on itself, who are we to say?


The fact that this backdoor could leak and be used by a foreign government needs to be taken seriously.


Nobody cares. If caring gets in the way of easy money. Spoiler...it does.


More accurately, nobody (with sufficient agency to act) cares.

You wouldn’t be cynical if you didn’t care, or felt able to do anything about it.


future you will care and facepalm
