On 7/11/09, James Gray <james / grayproductions.net> wrote:
> On Jul 11, 2009, at 11:10 AM, Caleb Clausen wrote:
>> I wonder if you could say a word about security, since it's obviously
>> a big concern with a service of this type...
>
> Is it?
>
> I suspect David has the EC2 image saved on S3.  If you screw up his
> instance he can stop it, load a fresh copy from the S3 image, and move
> the elastic IP to point at the new instance.

I assumed this was more or less the case, but it's nice to have it
stated explicitly.

> It's not like you'll be stealing his data or breaking into his
> computer, right?

I think there are still many security issues to consider. What if one
user manages to crack the root account? This attacker can then mess
the service up for other users in many subtle or not-so-subtle ways,
steal passwords, etc. This extra privilege will only last as long as
the current instance is running, but that may be for a good long
while. David may not notice anything wrong and just leave the same
instance running for weeks... Even if he makes it a policy to reboot
just in case periodically, what's to prevent the attacker from just
re-executing the same attack against the new instance?

Even without root privs, rogue users can launch attacks on other
systems. Hopefully, there's at least a log being kept. Better yet would
be to forbid network traffic altogether (other than incoming ssh,
clearly).
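One concrete form of the last suggestion above (inbound ssh only, every other packet logged and dropped), written as an added example for this thread rather than anything from the list or from David's actual setup. It assumes a Linux instance with iptables and the conntrack match available, a single network interface, and sshd on port 22 (SSH_PORT is a placeholder you can override). The function emits the rules as plain commands so they can be reviewed before being applied as root; baking the script into the image the instance is rebuilt from means the policy survives the stop-and-reload cycle described earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lock a shared throwaway instance down to
# inbound ssh only, log everything else it tries to send, and drop it.
# Assumptions: iptables with the conntrack match, one interface, sshd on $SSH_PORT.

SSH_PORT=${SSH_PORT:-22}   # placeholder; adjust if sshd listens elsewhere

# Print the rule set, one iptables command per line, for review or for piping to sh.
egress_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $SSH_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: "
iptables -A OUTPUT -j DROP
EOF
}

# "apply" executes the rules (needs root); any other argument just prints them.
apply_egress_rules() {
    if [ "$1" = "apply" ]; then
        egress_rules | sh -e
    else
        egress_rules
    fi
}

apply_egress_rules "$1"
```

Run it with no argument to see the rules, and with `apply` as root to install them. The LOG rule is rate-limited so a misbehaving user cannot fill the disk with their own dropped packets, and the rules go before the final DROP so the log is the record of what was attempted from the box.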