By: David

David — Sat, 12 Oct 2013 00:05:52 +0000

Hey Oran! Didn’t know you read this blog. But yeah, serve me up a giant-sized rant. I’ve only gazed on such obnoxious devices from afar, and mostly looked away even so.

Meanwhile I got an unconvincing response from Rackspace, in which the guy focused on all the things it could be aside from a MitM attack, decided on the basis of experimentation/logic that they were unlikely, and concluded all was well in their datacenters. Which strikes me as both unjustified and unhelpful.

I mean…just for starters, if I were building/configuring such a device I’d only intercept traffic coming from -outside- the datacenter. That’d partly be ’cause it makes sense to do so from most perspectives I can think of, and also partly ’cause I might not have a choice (depending on architecture/access). So his playing around from the inside is interesting but far from conclusive.

Assuming he’s correct, though? I’m using AT&T at the moment but have had the same issues via Cable One and Comcast. And via VPNs terminating in Ireland, Canada, the US, Germany, and Latvia (because I like Latvia). It’s fairly likely that all of the above are traveling through the same pipe at some point, and I guess I could start doing traceroutes…but I wouldn’t trust the results and I’m not sure there’s much I could do about ’em anyway.

I’m very close to concluding that I should host my own data/servers literally in-house. As it is I do most of my browsing via Tor/Tails/Orbot, using XPrivacy on Android and also starting off with a variety of VPNs. And I messed with runlevels/scripts months ago on my Rackspace-hosted VMs so Rackspace’s “imaging” utilities don’t work (it’d also be very difficult for them to leverage “physical” access to get root). It just struck me that their ability to invisibly image a server and change the root pwd in the process was about the biggest security hole I could imagine, so I made sure they’d at least have to write a special script. I’ve even considered installing an OS on an encrypted partition that’d require me to log in and give a passphrase to boot it up, but if they can defeat my current setup they could easily compromise the outer non-encrypted device and set up–for example–a keylogger anyway. So it’d be fun but pointless.

At this point I don’t trust any variety of commercial cert, but have more confidence in my self-generated stuff. Which is being spoofed in a sorta clumsy way right now. So I’m very interested in your rant.

-D

In reply to <a href="https://dhyoung.net/2013/10/11/psa-i-think-rackspace-chicago-dallas-datacenters-are-seriously-compromised/#comment-17074">Oran Dennison</a>.

Hey Oran! Didn't know you read this blog. But yeah, serve me up a giant-sized rant. I've only gazed on such obnoxious devices from afar, and mostly looked away even so.

I mean...just for starters, if I were building/configuring such a device I'd only intercept traffic coming from -outside- the datacenter. That'd partly be 'cause it makes sense to do so from most perspectives I can think of, and also partly 'cause I might not have a choice (depending on architecture/access). So his playing around from the inside is interesting but far from conclusive.

Assuming he's correct, though? I'm using AT&T at the moment but have had the same issues via Cable One and Comcast. And via VPNs terminating in Ireland, Canada, the US, Germany, and Latvia (because I like Latvia). It's fairly likely that all of the above are traveling through the same pipe at some point, and I guess I could start doing traceroutes...but I wouldn't trust the results and I'm not sure there's much I could do about 'em anyway.

I'm very close to concluding that I should host my own data/servers literally in-house. As it is I do most of my browsing via Tor/Tails/Orbot, using XPrivacy on Android and also starting off with a variety of VPNs. And I messed with runlevels/scripts months ago on my Rackspace-hosted VMs so Rackspace's "imaging" utilities don't work (it'd also be very difficult for them to leverage "physical" access to get root). It just struck me that their ability to invisibly image a server and change the root pwd in the process was about the biggest security hole I could imagine, so I made sure they'd at least have to write a special script. I've even considered installing an OS on an encrypted partition that'd require me to log in and give a passphrase to boot it up, but if they can defeat my current setup they could easily compromise the outer non-encrypted device and set up--for example--a keylogger anyway. So it'd be fun but pointless.

At this point I don't trust any variety of commercial cert, but have more confidence in my self-generated stuff. Which is being spoofed in a sorta clumsy way right now. So I'm very interested in your rant.

-D

By: Oran Dennison

Oran Dennison — Fri, 11 Oct 2013 23:35:34 +0000

Yep, sounds like a possible MitM to me. Both the State of Alaska and ANTHC tried to turn on an automated HTTPS MitM (Blue Coat and WebSense) which is only partially successful if they’re able to push out their own CA cert via group policy. Yes this is the same technique used by Iran (and now the NSA) to spy on its citizens. I have a giant rant on all the things that are broken with these corporate MitM cert spoofers if you’re interested. You can use a browser plugin such as Perspectives to be notified of spoofed certs.

Comments on: PSA: I think Rackspace Chicago & Dallas datacenters are seriously compromised

By: David

By: Oran Dennison