DigitalOcean - Transparency Regarding Data Security (opens in new tab)

(digitalocean.com)

21 pointsfomb12y ago14 comments

14 comments

12 comments · 6 top-level

diminoten12y ago· 3 in thread

I've seen the TRIM recommendation pop up a few times, and never with a reply from DO - is this probably how they're going to handle this, or is there a possible reason for not using TRIM?

rgbrenner12y ago

TRIM is equivalent to 'mark as free'. there's no guarantee it will zero the data, and whether it is zero'd depends on the manufacturer/model of the drive.

If that's how they implement it, then I look forward to reading their future security advisory.

diminoten12y ago

Ah yes, I'm not super familiar with the terminology, a sibling comment to yours specifies that you'd need to use zdat (zero after TRIM) for what I'm talking about to be effective.

mmmooo12y ago

its more about zero after trim support (dzat), and sounds like they maybe use ssd's that don't support it, and are handling it by zeroing the block device on create instead of wipe. At least that's how I read it. I suppose easy enough to check by seeing if new droplets take longer to create after this is deployed.

rgbrenner12y ago· 2 in thread

At no time was customer data "leaked" between accounts. This would require that a user not scrub their volume after destroying their server; in this instance data would be recoverable and should be considered not sensitive.

Is it just me, or is this contradictory? "Data wasn't leaked.. but if it was it was because you didn't check scrub, so it must not have been important." These are two completely different things. Even if the data was not sensitive, it could still be leaked between accounts (which is what happened here).

Kudos for committing to fixing the problem though.

diminoten12y ago

A lot of the talk was theoretical and the examples run were I think all within a user's own space.

If not though, then you're absolutely right that those are contradictory. If, even during disclosure, one user's data was made available to another user, that constitutes a data leak.

rgbrenner12y ago

https://github.com/fog/fog/issues/2525

https://f.cloud.github.com/assets/408977/1820859/8658298e-71...

  These are some of the strings I pulled off the root blockdev 
  - I have no such /var/deploy/chegou, or any of these files. I was
  able to recover someone else's webserver logs from yesterday, as well.

1 more reply

aioprisan12y ago· 1 in thread

And they forgot to add a date on their security updates. How are you supposed to know when issues are discovered and subsequently addressed?

warp12y ago

The linked blog post says "Posted on December 30th, 2013", were you referring to the blog post or something else?

eridius12y ago

* Our first and immediate update is to ensure that a clean system is provided during creates, regardless of what method was taken for initiating a destroy [...] The scrub feature will remain, allowing customers to take an extra level of precaution if they choose to scrub the data after the delete.

What is a "clean system", if not a scrubbed one? And if they're scrubbing during create, why leave the scrub option in during destroy? I have to assume that when they say "clean system" they don't mean a scrubbed one, and that worries me.

If, as they said, their reason for not scrubbing is because of customers creating and destroying a lot of volumes during the onboarding process, then it seems to me the best solution is one that I believe was suggested in the previous thread. Namely, scrub a volume always whenever it's being used by a new customer. But if the volume is being reused by the same customer, don't bother scrubbing (unless requested), as presumably there are no concerns about leaking information from a user back to the same user.

thirsteh12y ago

Previous thread: https://news.ycombinator.com/item?id=6986155

unionizenow12y ago

Why not use whole disk encryption in the hypervisor and switch the key between accounts?

j / k navigate · click thread line to collapse

14 comments

12 comments · 6 top-level

diminoten12y ago· 3 in thread

I've seen the TRIM recommendation pop up a few times, and never with a reply from DO - is this probably how they're going to handle this, or is there a possible reason for not using TRIM?

rgbrenner12y ago

TRIM is equivalent to 'mark as free'. there's no guarantee it will zero the data, and whether it is zero'd depends on the manufacturer/model of the drive.

If that's how they implement it, then I look forward to reading their future security advisory.

diminoten12y ago

Ah yes, I'm not super familiar with the terminology, a sibling comment to yours specifies that you'd need to use zdat (zero after TRIM) for what I'm talking about to be effective.

mmmooo12y ago

rgbrenner12y ago· 2 in thread

Kudos for committing to fixing the problem though.

diminoten12y ago

A lot of the talk was theoretical and the examples run were I think all within a user's own space.

If not though, then you're absolutely right that those are contradictory. If, even during disclosure, one user's data was made available to another user, that constitutes a data leak.

rgbrenner12y ago

https://github.com/fog/fog/issues/2525

https://f.cloud.github.com/assets/408977/1820859/8658298e-71...

  These are some of the strings I pulled off the root blockdev 
  - I have no such /var/deploy/chegou, or any of these files. I was
  able to recover someone else's webserver logs from yesterday, as well.

1 more reply

aioprisan12y ago· 1 in thread

And they forgot to add a date on their security updates. How are you supposed to know when issues are discovered and subsequently addressed?

warp12y ago

The linked blog post says "Posted on December 30th, 2013", were you referring to the blog post or something else?

eridius12y ago

thirsteh12y ago

Previous thread: https://news.ycombinator.com/item?id=6986155

unionizenow12y ago

Why not use whole disk encryption in the hypervisor and switch the key between accounts?

j / k navigate · click thread line to collapse