Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
johnmaguire 5 days ago

> And I don’t remember any story of them ever doing it even for the NSA. Do you?

Is this meant to be tongue in cheek?

EGreg 5 days ago | parent [-]

No, I am serious.

Do you have links to stories of AWS breaking into EC2 instances to eg read RAM for data that is encrypted at rest?

And even if they do, this would present an issue for privacy, but the protocols would still enforce their own permissions (eg no custom amazon DRM for books).

johnmaguire 5 days ago | parent [-]

Most of how the NSA operates is classified but this does not sound far-fetched to me in the slightest. Cloud providers frequently provide law enforcement information via subpoena. It's not really "breaking in."

From 2015, AWS asserted they were not involved in the PRISM program, but they would be under a gag order if they were, so you've gotta take it with a grain of salt: https://www.crn.com/news/cloud/300077146/aws-finally-release...

Meanwhile:

> From the start of this calendar year through May, AWS received 813 subpoenas from the U.S. government seeking access to customer accounts. In those five months, the Seattle-based cloud provider fully complied with 542 of those court orders, submitted partial information in response to 126 and didn't respond at all to 145.

> Through the same period, Amazon received 25 search warrants from federal authorities and turned over all the data sought by about half of them, partially fulfilled eight others and withheld information requested by four of the warrants.

> AWS fully responded to only four out of 13 court orders that weren't subpoenas or warrants, while refusing to turn over any data related to four of those.

> Foreign governments were more successful with their solicitations to Amazon. Of the 132 non-U.S. requests fielded by the cloud provider, more than 80 percent yielded complete data disclosures, while just 13 percent hit a dead end. Amazon also complied with the only request it received during the five months under review to actually remove a user's data from its servers.

EGreg 5 days ago | parent [-]

Alright mate, so for the 99.9% of cases encryption at rest is enough. For data you truly don’t want cloud providers to see, just use end-to-end encryption.

But no one has to run their own servers. The only reason I see them doing so is to provide redundancy in case the cloud providers want to DELETE some data or take nodes offline.