Publish Date: December 30, 2013
IaaS provider DigitalOcean finds itself back in security trouble
Fast-growing Infrastructure-as-a-Service (IaaS) provider DigitalOcean is updating its code to make sure its fast storage doesn’t inadvertently expose one customer’s data to any other customer.
The scramble comes as the company is growing fast in the public cloud market — faster than major player Amazon Web Services, by one metric — and needs to look reliable.
The issue arose last night, when Jeffrey Paul, a self-described hacker and researcher based in Berlin, took to GitHub to point out that DigitalOcean does not automatically wipe the data off of fast solid-state disk (SSD) drives used for storage alongside DigitalOcean’s virtual servers. Beyond that, Paul showed how it was possible for the next person who uses a given DigitalOcean virtual server to pull down some data from the previous customer.
“I was able to recover someone else’s webserver logs from yesterday,” Paul wrote.
Within the capabilities of the application programming interface (API) that developers can use to control their assets on DigitalOcean’s cloud, it’s possible to instruct DigitalOcean to completely clean off the data on a droplet, or virtual server, once a customer has finished using it. The “scrub_data” command is “optional,” according to DigitalOcean’s API documentation. It “will strictly write 0s to your prior partition to ensure that all data is completely erased,” the documentation states.
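As an added illustration (not DigitalOcean's code and not part of the original article), the sketch below shows a zero-fill scrub followed by the verification a provider could run before a volume is handed to the next customer: `scrub` overwrites every byte with zeros and `nonzero_extents` reports any blocks that still hold data. The function names, the 4096-byte block size and the sample image are assumptions constructed for this example.

```python
import os
import tempfile

BLOCK = 4096  # assumed scan granularity, not a value from the article

def scrub(path, block=BLOCK):
    """Overwrite every byte of the image or device at `path` with zeros."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # seek-to-end also sizes block devices
        f.seek(0)
        remaining = size
        while remaining:
            n = min(block, remaining)
            f.write(bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the zeros out of the page cache
    return size

def nonzero_extents(path, block=BLOCK):
    """Return merged (offset, length) ranges of blocks holding any non-zero byte."""
    extents, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(block):
            if chunk.count(0) != len(chunk):
                if extents and sum(extents[-1]) == offset:
                    # Adjacent to the previous dirty block: extend that extent.
                    extents[-1] = (extents[-1][0], extents[-1][1] + len(chunk))
                else:
                    extents.append((offset, len(chunk)))
            offset += len(chunk)
    return extents

def make_sample_image(blocks=8, block=BLOCK):
    """Constructed sample: a zeroed image with leftover log lines in blocks 2, 3 and 6."""
    leftover = b'203.0.113.7 - - [29/Dec/2013:21:16:00 +0000] "GET / HTTP/1.1" 200\n'
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(blocks * block))
        for b in (2, 3, 6):
            f.seek(b * block)
            f.write(leftover)
    return path

if __name__ == "__main__":
    img = make_sample_image()
    print("before scrub:", nonzero_extents(img))
    print("scrubbed bytes:", scrub(img))
    print("after scrub:", nonzero_extents(img))
    os.remove(img)
```

The check only sees what the logical block interface returns, so it confirms what the next customer would be able to read, not the state of the underlying flash cells.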
In the GitHub thread, some developers expressed that they would like to see the storage scrubbed by default, not just whenever a developer instructs DigitalOcean to do it.
Today DigitalOcean cofounder Moisey Uretsky published a blog post in response to the issues and explained how the company’s policies have changed this year. DigitalOcean implemented storage scrubbing, although as the company became more popular, it decided that scrubbing would not be the default, so that performance would be optimal. This, Uretsky wrote, was a mistake.
Another mistake was not letting customers know about changes to the API, Uretsky wrote.
And so now the company is in the process of updating its code, he explained:
Our first and immediate update is to ensure that a clean system is provided during creates, regardless of what method was taken for initiating a destroy. Engineers are updating the code base right now to ensure that will be the default behavior, and we will provide another notice when that code is live.
Uretsky did not say when exactly the changes will be implemented.
This isn’t the first time DigitalOcean has dealt with security concerns. A similar issue over erasing all data surfaced in April. The company announced a resolution within hours. Now the company has more work to do to prove its cloud is secure.


Time: 21:16  |  News Code: 360728  |  Site: venturebeat