[kwlug-disc] Russia seizes VPN servers
Mark Steffen
rmarksteffen at gmail.com
Tue Jul 12 07:40:31 EDT 2016
>
> On 07/11/2016 10:33 PM, Mark Steffen wrote:> I've got a VPS hosted in
> the basement of a big black building halfway
>
>> between Washington and Baltimore just off the 295, it's apparently a
>> VERY secure facility. Throughput is great, though I do get ssh
>> complaining sometimes, I have to clear some stuff out in ~/.ssh/ for
>> it to stop complaining and connect. Weird. It was a great price
>> though, and secure. I keep all of my passwords, and router configs
>> there as an offsite backup as well as archives of all my email,
>> financial information, and evil plans.
>>
>
> You're mostly talking about physical security. In theory a given - doesn't
> speak to non-physical access. Again, it seems to go back to how trustworthy
> a vendor is - and under sufficient duress, they aren't, so it comes down to
> how interesting your data is and how motivated they are. (If the
> authorities say give me your disks or face fines or jail or worse, you're
> going to give them your disks.) Presumably they need court orders /
> probable cause to take such possession, but that doesn't have to be for
> your data - it could be on another customer's, and you get caught up in
> that net.
>
> I wonder if you're running into ssh key / cert changes. That could be part
> of a regular rotation (presumably documented somewhere that they do that),
> or casual changes, which makes one wonder about their procedures. At the
> least there should be a different band key / cert fetch process - although
> I don't remember ever seeing such for ssh. (Usually I end up taking the
> line out of known_hosts and just knee-jerk saying yes to the new key at
> next connection. I guess I probably shouldn't, at least not without a
> different band fetch / verification of the change.) [This is much like
> fetching the gpg keys for a repository separately, which are then used to
> verify the files coming down via apt-get - both checksum, and verification
> sourced from the expected producer.]
>
> I suppose I should investigate such ssh connection key rotation processes
> some day. e.g. some ssh parameter to fetch a new cert from a different
> source path, and updated known_hosts before next connecting.
I appreciate the advice, but I was trying to be humorous. If you've ever
been to the Ft Meade area of Maryland along the 295 you'll know the
building I'm talking about and my jest will become more clear. :-)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20160712/1dbbfb17/attachment.htm>
More information about the kwlug-disc
mailing list