digg

Facebook Connect Join Digg About

Amazon EC2 data leak

sa.muel.org Amazon provides beta Elastic Cloud Computing service where you can get a new server allocated in minutes, but does not wipe out the hard drives every time the server is requested. The result? Private data gets leaked.

Who dugg this? Made popular Oct 3, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

24 Comments

show profanity settings
expand all
  • cbostick, on 10/12/2007, -0/+4beta services = don't upload "private" data
  • afex, on 10/12/2007, -0/+4no kidding. all i can think about when people trust things like this is that one poster with the minivan that says "CANDY" and at the bottom it says 'don't be such a pussy, this guy seems legit."
  • ICSU, on 10/12/2007, -5/+8Didn't AOL taught us that leaking personal data is a feature?
  • samtc, on 10/12/2007, -1/+4Unixes let you access raw (unformatted) data on hard drive by accessing a file handler (/dev/sda1, /dev/hda). By using simple tools like strings (http://www.freebsd.org/cgi/man.cgi?query=strings) and dd (http://www.freebsd.org/cgi/man.cgi?query=dd), we were able to extract data.
  • pvtjohndoe, on 10/12/2007, -0/+2Let's not forget that Amazon's EC2 service is still only in beta. This issue will probably be resolved very soon.
  • pvtjohndoe, on 10/12/2007, -0/+2The problem with this is, when an EC2 instance crashes, there is no possibility for the owner to erase their data. The only way to keep data safe from this is to not use the hard drive, which would make EC2 just about useless. EC2 is a paid service and Amazon should implement a system that either clears the drive in case of a shutdown or crash, or reserves the drive for it's old owner to reuse.
  • samtc, on 10/12/2007, -0/+2Hello,

    They just (20:00 PDT) fixed the problem. Now you get random bits on freshly booted instances.
  • anonydigg, on 10/12/2007, -0/+2can u give reference please? (link to forum or other)
  • wbreim, on 10/12/2007, -2/+4who cares... the government has everything on you already
  • felderado, on 10/12/2007, -0/+1perhaps you need to read the ***** comments. the filesystem is FRESH but the hard drive still contains the DATA. you can recover the files with strings and dd, for example. It's not like there are actual files poking you in the face. dumbass....
  • anonydigg, on 10/12/2007, -0/+1huh?
  • ABadInAlbany, on 10/12/2007, -1/+2why, b/c you can't figure out how to steal someone else's data on your own? just about any half decent open source data recovery util will pull this stuff.
  • mannoo2009, on 04/10/2009, -0/+1web hosting reviews: http://www.webhostingreviewz.com
  • soapboy, on 10/12/2007, -1/+2yeah, why do anything, it's already been done before......
  • Jack9, on 10/12/2007, -0/+1they definately need to do something about this. we don't want to see another AOL
    If you're stupid enough to leave critical or sensitive information on a foreign beta system, you aren't qualified to use it. It's like saying "wow that system administrator left data on a harddrive, where people could GET TO IT we need to prevent that kind of thing!" I wish these morons would shut up.
  • Dotnetsky, on 10/12/2007, -1/+1I wonder if you can download the PDF manual that gives you the administrator password so you can make it think it's dispensing fives instead of twenties?
  • oxyrubber, on 10/12/2007, -2/+2How is this "leaking" data?

    This is a complete oversight on the customers' end. This is almost as stupid as throwing away a hard drive full of data (into a dumpster) and assuming that the data will never again see the light of day.

    Any high-tech security employee should know to secure all data (no matter where it is stored).
  • quinwound, on 10/12/2007, -0/+0Well it depends who runs the beta. There are plenty of services out there that are beta and are safe and secure. One example of this is gmail. Just because something is beta does not mean that it should be avoided. I consider Gmail Beta more secure than the out of beta e-mail package that comes with the web hosting package that I pay for.

    Beta just means that they will fix problems as they arise.
  • velox, on 10/12/2007, -1/+1Who's to say this wouldn't affect all Xen-based VPS hosting providers? I think we should carefully evaluate this guy's claims before jumping to accusations of an AOL-level disaster. I really doubt it's anywhere near that bad.

    Re: abadincrotch

    I was just requesting a better explanation as to how he found these files. It'd be one thing to randomly find tons of sensitive data after innocently spawning an instance on their service. It's much less alarming if you actually have to search for raw data on the storage devices.

    Wow, people are really quick to criticize on Digg these days.
  • dvshadow, on 10/12/2007, -2/+1I had a friend mention something about this a couple weeks ago, very interesting issue as it does take time to wipe the disks, and having Amazon do that is only a hassle for them...
  • inactive, on 10/12/2007, -3/+2they definately need to do something about this. we don't want to see another AOL
  • dkavanagh, on 10/12/2007, -1/+0I say. Prove it. I've been using this service since June (yes, private beta) and never seen anything show up that wasn't mine.
  • velox, on 10/12/2007, -4/+1Whoa, this is really scary news. I really wish he would've gone a bit more in-depth in explaining how he uncovered this private info. I guess I better get to finding a way to make sure my old instances are fully wiped.
  • Yez70, on 10/12/2007, -7/+1My English teacher TEACHED me all kinds of things too.

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.