S5E13: "Who Watches the Hypervisors?"
|Previous Episode||Next Episode|
|S5E12: "Bad Developer! No Biscuit!"||S5E14: "Self-Projection"|
|Recorded (UTC)||Aired (UTC)||Editor|
|2020-08-06 02:32:33||2020-08-16 00:13:42||"Edita"|
We talk about the issues present in trying to keep security, privacy, and integrity for data-at-rest on hardware that you don’t own.
Just the Tip
- Paden wants to remind you to actually check to make sure your backups are working.
Starts at 14m31s.
I was drinking water. Paden was drinking 2% milk. Jthan was drinking Corona.
- How can you guarantee privacy and integrity of a volume on e.g. a VPS provider?
- You can’t! Not perfectly, anyways.
- If a malicious party has access to the hardware or hypervisor level, there are many opportunities for tampering or even outright breaking your expectations of disk encryption.
- A lot of the issues present here are considered Evil Maid attacks.
- You need plaintext somewhere in the booting process. (This applies to any full-disk encryption including VPS/VMs. Or, technically, any disk encryption.)
- Access to the above and more – direct virtual console access, they control the kernel for paravirt, etc.
- Hosts can also affect character devices (direct input flow, etc.)
- You can check for integrity/tampering a little more reliably than preventing data leaking; Arch has a package in the AUR that serves as a good starting point.
- Remote audit logs to a device only you/your org controls can help a lot as well.
In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)
Starts at 54m40s.
Jthan talks about remotely unlocking a LUKS FDE.
- Paden was talking about this comic.
- Jthan, in his pursuit of glorifying The Cloud™ instead of a VM lab, doesn’t understand why 640+MB > 512MB.
- He also doesn’t understand that following processes verbatim teach nothing.
- He also doesn’t know how to read. This says 530 MB RAM as the minimum, not 512 MB. (Plus the inherent overhead you’d have with ZoL.)
- Also speaking of, the August release of the Arch installation ISO is 671MB, not 640-something.
- Jthan says to not FDE your router, but you absolutely can. There’s nothing stopping you from remotely unlocking your full-box router (see the link in 15 Clams).
|Intro||Boh||TNKS||click||CC-BY-NC-SA 4.0||Outro||Navidub||The Dubbstyle||click||CC-BY-ND 4.0|