cloudstack-dev mailing list archives

From Daan Hoogland <daan.hoogl...@gmail.com>
Subject Re: [DISCUSS] Freezing master for 4.11
Date Tue, 16 Jan 2018 10:48:48 GMT
Please discuss on the VOTE thread, Kristian. Give your -1 with explanation
there.

On Tue, Jan 16, 2018 at 11:40 AM, Kristian Liivak <kris@wavecom.ee> wrote:

> Daan,
>
> For us, and I guess for many other public cloud and VPS providers, it's a very
> big hole.
> Imagine that 10-20 Chinese guys have made fraud orders and 10-20 VPSes are
> provisioned.
> We are dealing with fraudulent orders on a daily basis.
> Some time later the abusers will get caught in the act and the VPSes will be
> terminated.
> If your customer increase is considerable, most probably one or more IPs
> will be given to new customers during the same day.
> Newly created instances then get the abusers' keys and root passwords.
> If a new instance uses only keys, the root password will never be changed.
> Abusers just need to log in with their old passwords and bitcoin mining or
> spamming will be started again.
> Some of the smarter customers are able to connect the dots and the service
> provider's reputation will be damaged seriously.
>
>
> Lugupidamisega / Regards
>
> Kristian Liivak
>
> Tegevjuht / Executive director
>
> WaveCom As
> Endla 16, 10142 Tallinn
> Estonia
> Tel: +3726850001
> Gsm: +37256850001
> E-mail: kris@wavecom.ee
> Skype: kristian.liivak
> http://www.wavecom.ee
> http://www.facebook.com/wavecom.ee
>
> ----- Original Message -----
> From: "Daan Hoogland" <daan.hoogland@gmail.com>
> To: "users" <users@cloudstack.apache.org>
> Cc: "dev" <dev@cloudstack.apache.org>
> Sent: Monday, January 15, 2018 1:49:04 PM
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> Kristian,
>
>
>
> On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <kris@wavecom.ee> wrote:
> >>
> > ...
>
>
>
> As for this one:
>
> >> Also there is a major security hole. When an instance is destroyed and expunged
> >> and a new instance is created with the old IP, all old data is unaffected in
> >> the VR. The new instance will then get the old root password and ssh key if they
> >> were present in the VR.
> >>
> I don't see how this is a security issue. The user won't get in and
> update the key and password to get in. No harm done or am I overlooking
> something?
>
>
> --
> Daan
>



-- 
Daan
