If you don't host your data, how can you be sure you own it?

sysadmin caught selling access to users' accounts

@kzimmermann Yandex sucks anyway, it is an FSB honeypot nowadays

@derp never used it, but heard it's similar to Baidu to the Chinese in purpose.

@kzimmermann it used to be fine, just a neutral email service. It used to allow anonymous signup. Things changed a couple of years ago when it started to blackmail users to provide personal info.

@kzimmermann Hm, agree. I would encrypt the disk as well if possible. VPS providers can have access too.

The bad deed was done by a sysadmin and at least the company is taking steps:

"The Russian company said it's now in the process of notifying the owners of the 4,887 mailboxes that were compromised ...

The Russian company said that a "thorough internal investigation" of the incident is currently underway and that it plans to make changes to how its administrator staff can access user data."

@adnan360 @kzimmermann VPS disk encryption doesn't really do anything in this case. All it does is prevent someone from reading the data off old discarded datacenter hard drives if they're improperly disposed of.

The only way to know if someone has access is to host it in your physical possession.

I thought it was possible. For example, if I have a NextCloud instance and I didn't enable encryption (either on NC or disk), they should be able to see all my files and contents.

@adnan360 @kzimmermann Well, Nextcloud has an end-to-end encrypted mode, which would work.

But disk encryption by itself only protects against someone taking a physical disk and reading it.

If the provider can start the VPS instance up, then they can decrypt it, which means they can get full control over the system (e.g. by booting in single user mode and resetting the root password).

It's not that disk encryption isn't valuable to have. It just doesn't matter for this scenario.

