AWS

AWS S3 storage bucket with unlucky name nearly cost developer $1,300

Amazon, amazon s3, AWS, Biz & IT, Cloud Storage, Tech / Mike M. / May 1, 2024

Not that kind of bucket list —

Amazon says it’s working on stopping others from “making your AWS bill explode.”

Kevin Purdy – Apr 30, 2024 7: 43 pm UTC

A blue bucket, held by red and yellow brackets, being continuously filled and overflowing — Enlarge / Be careful with the buckets you put out there for anybody to fill.

Getty Images

If you’re using Amazon Web Services and your S3 storage bucket can be reached from the open web, you’d do well not to pick a generic name for that space. Avoid “example,” skip “change_me,” don’t even go with “foo” or “bar.” Someone else with the same “change this later” thinking can cost you a MacBook’s worth of cash.

Ask Maciej Pocwierz, who just happened to pick an S3 name that “one of the popular open-source tools” used for its default backup configuration. After setting up the bucket for a client project, he checked his billing page and found nearly 100 million unauthorized attempts to create new files on his bucket (PUT requests) within one day. The bill was over $1,300 and counting.

Nothing, nothing, nothing, nothing, nothing … nearly 100 million unauthorized requests.

“All this actually happened just a few days after I ensured my client that the price for AWS services will be negligible, like $20 at most for the entire month,” Pocwierz wrote over chat. “I explained the situation is very unusual but it definitely looked as if I didn’t know what I’m doing.”

Pocwierz declined to name the open source tool that inadvertently bum-rushed his S3 account. In a Medium post about the matter, he noted a different problem with an unlucky default backup. After turning on public writes, he watched as he collected more than 10GB of data in less than 30 seconds. Other people’s data, that is, and they had no idea that Pocwierz was collecting it.

Some of that data came from companies with customers, which is part of why Pocwierz is keeping the specifics under wraps. He wrote to Ars that he contacted some of the companies that either tried or successfully backed up their data to his bucket, and “they completely ignored me.” “So now instead of having this fixed, their data is still at risk,” Pocwierz writes. “My lesson is if I ever run a company, I will definitely have a bug bounty program, and I will treat such warnings seriously.”

As for Pocwierz’s accounts, both S3 and bank, it mostly ended well. An AWS representative reached out on LinkedIn and canceled his bill, he said, and was told that anybody can request refunds for excessive unauthorized requests. “But they didn’t explicitly say that they will necessarily approve it,” he wrote. He noted in his Medium post that AWS “emphasized that this was done as an exception.”

In response to Pocwierz’s story, Jeff Barr, chief evangelist for AWS at Amazon, tweeted that “We agree that customers should not have to pay for unauthorized requests that they did not initiate.” Barr added that Amazon would have more to share on how the company could prevent them “shortly.” AWS has a brief explainer and contact page on unexpected AWS charges.

The open source tool did change its default configuration after Pocwierz contacted them. Pocwierz suggested to AWS that it should restrict anyone else from creating a bucket name like his, but he had yet to hear back about it. He suggests in his blog post that, beyond random bad luck, adding a random suffix to your bucket name and explicitly specifying your AWS region can help avoid massive charges like the one he narrowly dodged.

AWS S3 storage bucket with unlucky name nearly cost developer $1,300 Read More »

Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M

AWS, azure, Biz & IT, Cloud Computing, cryptojacking, Security / Blake Jones / April 15, 2024

SHOCKING CRYPTOCURRENCY SCAM —

Indictment says man tricked cloud providers into giving him services he never paid for.

Dan Goodin – Apr 15, 2024 7: 46 pm UTC

Federal prosecutors indicted a Nebraska man on charges he perpetrated a cryptojacking scheme that defrauded two cloud providers—one based in Seattle and the other in Redmond, Washington—out of $3.5 million.

The indictment, filed in US District Court for the Eastern District of New York and unsealed on Monday, charges Charles O. Parks III—45 of Omaha, Nebraska—with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme. Parks has yet to enter a plea and is scheduled to make an initial appearance in federal court in Omaha on Tuesday. Parks was arrested last Friday.

Prosecutors allege that Parks defrauded “two well-known providers of cloud computing services” of more than $3.5 million in computing resources to mine cryptocurrency. The indictment says the activity was in furtherance of a cryptojacking scheme, a term for crimes that generate digital coin through the acquisition of computing resources and electricity of others through fraud, hacking, or other illegal means.

Details laid out in the indictment underscore the failed economics involved in the mining of most cryptocurrencies. The $3.5 million of computing resources yielded roughly $1 million worth of cryptocurrency. In the process, massive amounts of energy were consumed.

Parks’ scheme allegedly used a variety of personal and business identities to register “numerous accounts” with the two cloud providers and in the process acquiring vast amounts of computing processing power and storage that he never paid for. Prosecutors said he tricked the providers into allotting him elevated levels of services and deferred billing accommodations and deflected the providers’ inquiries regarding questionable data usage in unpaid bills. He allegedly then used those resources to mine Ether, Litecoin, and Monero digital currencies.

The defendant then allegedly laundered the proceeds through cryptocurrency exchanges, an NFT marketplace, an online payment provider, and traditional bank accounts in an attempt to disguise the illegal scheme. Once proceeds had been converted to dollars, Parks allegedly bought a Mercedes-Benz, jewelry, first-class hotel and travel accommodations, and other luxury goods and services.

From January to August 2021, prosecutors allege, Parks created five accounts with the Seattle-based “on-demand cloud computing platform” using different names, email addresses, and corporate affiliations. He then allegedly “tricked and defrauded” employees of the platform into providing elevated levels of service, deferring billing payments, and failing to discover the activity.

During this time, Parks repeatedly requested that the provider “provide him access to powerful and expensive instances that included graphics processing units used for cryptocurrency mining and launched tens of thousands of these instances to mine cryptocurrency, employing mining software applications to facilitate the mining of tokens including ETH, LTC and XMR in various mining pools, and employing tools that allowed him to maximize cloud computing power and monitor which instances were actively mining on each mining pool,” prosecutors wrote in the indictment.

Within a day of having one account suspended for nonpayment and fraudulent activity, Parks allegedly used a new account with the provider. In all, Parks allegedly consumed more than $2.5 million of the Seattle-based provider’s services.

The prosecutors went on to allege that Parks used similar tactics to defraud the Redmond provider of more than $969,000 in cloud computing and related services.

Prosecutors didn’t say precisely how Parks was able to trick the providers into giving him elevated services, deferring unpaid payments, or failing to discover the allegedly fraudulent behavior. They also didn’t identify either of the cloud providers by name. Based on the details, however, they are almost certainly Amazon Web Services and Microsoft Azure. Representatives from both providers didn’t immediately return emails seeking confirmation.

If convicted on all charges, Parks faces as much as 30 years in prison.

Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M Read More »

Redis’ license change and forking are a mess that everybody can feel bad about

Amazon AWS, Amazon Web Services, AWS, Biz & IT, cloud services, data stores, elasticsearch, Google Cloud Services, opensearch, opentofu, redis, Tech, terraform / Blake Jones / April 1, 2024

Licensing is hard —

Cloud firms want a version of Redis that’s still open to managed service resale.

Kevin Purdy – Apr 1, 2024 5: 47 pm UTC

AWS data centers built right next to suburban cul-de-sac housing — Enlarge / An Amazon Web Services (AWS) data center under construction in Stone Ridge, Virginia, in March 2024. Amazon will spend more than $150 billion on data centers in the next 15 years.

Getty Images

Redis, a tremendously popular tool for storing data in-memory rather than in a database, recently switched its licensing from an open source BSD license to both a Source Available License and a Server Side Public License (SSPL).

The software project and company supporting it were fairly clear in why they did this. Redis CEO Rowan Trollope wrote on March 20 that while Redis and volunteers sponsored the bulk of the project’s code development, “the majority of Redis’ commercial sales are channeled through the largest cloud service providers, who commoditize Redis’ investments and its open source community.” Clarifying a bit, “cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge.”

Clarifying even further: Amazon Web Services (and lesser cloud giants), you cannot continue reselling Redis as a service as part of your $90 billion business without some kind of licensed contribution back.

This generated a lot of discussion, blowback, and action. The biggest thing was a fork of the Redis project, Valkey, that is backed by The Linux Foundation and, critically, also Amazon Web Services, Google Cloud, Oracle, Ericsson, and Snap Inc. Valkey is “fully open source,” Linux Foundation execs note, with the kind of BSD-3-Clause license Redis sported until recently. You might note the exception of Microsoft from that list of fork fans.

As noted by Matt Asay, who formerly ran open source strategy and marketing at AWS, most developers are “largely immune to Redis’ license change.” Asay suggests that, aside from the individual contributions of AWS engineer and former Redis core contributor Madelyn Olson (who contributed in her free time) and Alibaba’s Zhao Zhao, “The companies jumping behind the fork of Redis have done almost nothing to get Redis to its current state.”

Olson told TechCrunch that she was disappointed by Redis’ license change but not surprised. “I’m more just disappointed than anything else.” David Nally, AWS’ current director for open source strategy and marketing, demurred when asked by TechCrunch if AWS considered buying a Redis license from Redis Inc. before forking. “[F]rom an open-source perspective, we’re now invested in ensuring the success of Valkey,” Nally said.

Shifts in open source licensing have triggered previous keep-it-open forks, including OpenSearch (from ElasticSearch) and OpenTofu (from Terraform). With the backing of the Linux Foundation and some core contributors, though, Valkey will likely soon evolve far beyond a drop-in Redis replacement, and Redis is likely to follow suit.

If you’re reading all this and you don’t own a gigascale cloud provider or sit on the board of a source code licensing foundation, it’s hard to know what to make of the fiasco. Every party in this situation is doing what is legally permissible, and software from both sides will continue to be available to the wider public. Taking your ball and heading home is a longstanding tradition when parties disagree on software goals and priorities. But it feels like there had to be another way this could have worked out.

Redis’ license change and forking are a mess that everybody can feel bad about Read More »