Posts in category "amazon"

AWS security

Aka DARK WEB HACKER COST ME $1600 SHOCK HORROR !

After I set up my Jekyll site and uploaded the content to Amazon S3 using s3website, I remember thinking I must re-read that section about securing the configuration file with AWS credentials in plain text.

If the source code of your website is publicly available, ensure that the s3website.yml file is in the list of ignored files. For git users this means that the file .gitignore should mention the s3website.yml file.

So, I duly added 's3website.yml' to .gitignore and pushed to GitHub. I wasn't sure whether this file exclusion only took effect from now, so I checked if the file was still in the repository. Unsurprisingly, it was, but GitHub provided detailed instructions on how to resolve this.

So, job done and as my AWS credentials were only exposed for 57 minutes, no harm done.

I went for lunch and returned to a voicemail from Amazon customer services asking me to contact them urgently about a 'security issue'. I also had an email and an AWS support case titled 'Your AWS account is compromised' describing, in detail, what corrective action I should take to promptly resolve the situation.

My heart sank a little as I followed the instructions and examined the list of EC2 instances running. 'Hmm, that's strange, I don't remember setting up 10 instances called "Ghost" in every region...'

I quickly terminated each instance and went to check my billing information. Phew. Usage for today was $0.00. Then I remembered a possible reason; in the dim and distant past, I experimented with a pre-built EC2 instance running Ghost. Maybe that was the reason but, deep down, I knew this wasn't the case as they had all been started today and I don't think 'ghost' was referring to the blogging platform.

Next I had to lock down my AWS setup. First, although I already had a user account, I deleted the access keys associated with the 'root' account and changed my Amazon password. I also deleted the existing user and group, re-created them with new keys and followed the guidelines and best practice recommendations in the Identity and Access Management user guide.

Then I enabled multi-factor authentication (MFA) for the AWS root account. This means that access is secured by the requirement to enter a 6-digit code from my mobile phone using Google Authenticator.
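As an added example (not the post's own configuration, and not anything from the s3website project), this is the kind of IAM policy the re-created deploy user could carry instead of root access keys, together with a small check that flags the sort of broad grant which let a leaked blog-deployment key launch EC2 instances. The bucket name example-bucket and the set of S3 actions are assumptions (a site-sync tool may need a few more, for instance to set the bucket's website configuration; check its documentation), and the check is only a wildcard/service scan, not a full IAM policy simulation.

```python
"""Least-privilege deploy policy plus a scan for over-broad grants.

Added example, not from the original post. The action set and bucket name are
assumptions; the scan looks only for wildcards and non-S3 services.
"""
import json


def deploy_policy(bucket):
    """Policy for a user whose only job is pushing a static site to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "WriteObjectsInThatBucket",
                "Effect": "Allow",
                # Assumed to be what a sync tool needs; extend from its docs if not.
                "Action": ["s3:GetObject", "s3:PutObject",
                           "s3:PutObjectAcl", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def broad_grants(policy, allowed_services=("s3",)):
    """Return reasons a policy is broader than a deploy key should be.

    Flags wildcard actions, wildcard resources, and any service outside
    allowed_services. Deny statements are skipped: they can only narrow access.
    """
    reasons = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                reasons.append(f"statement {i}: action '*' grants every API call")
                continue
            service, _, verb = action.partition(":")
            if service not in allowed_services:
                reasons.append(f"statement {i}: action {action} is outside {allowed_services}")
            elif verb == "*":
                reasons.append(f"statement {i}: action {action} grants the whole service")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                reasons.append(f"statement {i}: resource '*' applies to every bucket and object")
    return reasons


# What a root access key effectively carries: every action on every resource.
ROOT_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    policy = deploy_policy("example-bucket")
    print(json.dumps(policy, indent=2))
    print("deploy policy problems:", broad_grants(policy))
    print("root-like policy problems:", broad_grants(ROOT_LIKE_POLICY))
```

With a key scoped like this, a leak still lets someone overwrite or delete the site, which is bad enough, but it cannot start a single EC2 instance; the access key for the root account can do anything at all, which is why it should not exist in the first place.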

The following morning, I logged onto AWS and checked my bill. In a short period of time, the imposter had clocked up $1600 worth of charges despite Amazon locking down the account once they detected the compromise. I contacted Amazon customer support who said they would refund the excess charges due to this 'mishap' and would notify me once this was 'approved'. A little ambiguous but, hopefully, I will get reimbursed although, strictly speaking, this 'mishap' was down to my own stupidity.

Finally, I did what I should have done in the first place and moved the s3website configuration file elsewhere, completely outside of the project directory, and specified the location when syncing the site.

    $ s3_website push --config-dir ~/.s3_website

Otherwise, I can anticipate that if I change themes or platforms, I will repeat this idiotic error and Amazon may not be as understanding next time.
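As an added example (not code from the original post, nor from the s3website project), here is a check that would have caught both mistakes above before a push. It scans the files git still tracks for anything shaped like an AWS access key ID (20 characters beginning AKIA, or ASIA for temporary keys) or a labelled 40-character secret, and it lists files that .gitignore now matches but that are still tracked, because adding a pattern to .gitignore never untracks a file that was already committed. The sample repository contents, the tracked-path list and the credentials (the placeholder pair AWS uses in its own documentation) are constructed inline so it runs offline; in real use you would feed it the output of git ls-files and read each file.

```python
"""Pre-push audit: leaked AWS credentials and ignored-but-tracked files.

Added example, not code from the original post or the s3website project.
It works on data handed to it (tracked paths and file contents) so it runs
offline; in real use, feed it `git ls-files` and read each file.
"""
import fnmatch
import re

# Long-term access key IDs are 20 chars beginning AKIA; temporary (STS) key IDs
# begin ASIA. The remaining 16 chars are upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars of [A-Za-z0-9/+]. That alone matches too much
# (hashes, base64), so require a "secret"-ish label on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[\w-]*[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value):
    """Keep just enough of a match to identify it without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text):
    """Return (line_no, kind, redacted_value) for every credential-shaped token."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((n, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((n, "secret_access_key", redact(m.group(1))))
    return hits


def ignored_but_tracked(tracked_paths, gitignore_patterns):
    """Paths git still tracks although .gitignore now matches them.

    A .gitignore entry only stops untracked files being added. A file that was
    committed before the entry existed stays tracked until `git rm --cached`
    plus a new commit, and every earlier commit still contains it.
    """
    flagged = []
    for path in tracked_paths:
        basename = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(basename, p)
               for p in gitignore_patterns):
            flagged.append(path)
    return flagged


def audit(tracked_files, gitignore_patterns):
    """tracked_files maps path -> content. Returns a report; 'clean' is the verdict."""
    credentials = {}
    for path, content in tracked_files.items():
        hits = find_aws_credentials(content)
        if hits:
            credentials[path] = hits
    stale = ignored_but_tracked(tracked_files, gitignore_patterns)
    return {"credentials": credentials,
            "ignored_but_tracked": stale,
            "clean": not credentials and not stale}


# Constructed sample repository. The key pair is the placeholder AWS uses in its
# own documentation, not a real credential.
SAMPLE_REPO = {
    "s3_website.yml": ("s3_id: AKIAIOSFODNN7EXAMPLE\n"
                       "s3_secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                       "s3_bucket: example-bucket\n"),
    "index.html": "<h1>Hello</h1>\n",
}
SAMPLE_GITIGNORE = ["s3_website.yml", "_site/"]

if __name__ == "__main__":
    report = audit(SAMPLE_REPO, SAMPLE_GITIGNORE)
    for path, hits in report["credentials"].items():
        for line_no, kind, value in hits:
            print(f"{path}:{line_no}: {kind} {value}")
    for path in report["ignored_but_tracked"]:
        print(f"{path}: matched by .gitignore but still tracked")
    raise SystemExit(0 if report["clean"] else 1)
```

Even after git rm --cached and a fresh commit, every earlier commit still holds the key, so once it has been pushed to a public repository the only real fix is the one above: deactivate the key and issue a new one.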

Now that it looks like the episode might be over, I am struck by how quickly Amazon detected the appearance of my AWS keys on GitHub. I presume they have an automated bot looking for this type of data so maybe it's not uncommon. Secondly, what benefit did the hacker gain ?

He ran 40 EC2 instances for a while before being detected and shut down. Why ? Just because he could ? In a way, I wish I'd had more time to investigate precisely what was running on the instances.

Amazon customer service

I am currently hosting this site on Amazon Simple Storage Service (S3). For the first 12 months I am eligible for the Free Usage Tier pricing.

The Free Tier isn't completely free but includes '5 GB of Amazon S3 standard storage, 20,000 Get Requests, and 2,000 Put Requests'.

Initially, I had to test, review and deploy the entire site a few times before I got things right, and Google's crawler was busy re-indexing the site, so I wasn't wholly surprised when September's bill was a measly 15 cents.

The breakdown was as follows:

  • S3 storage $0.01
  • GET requests $0.03
  • PUT requests $0.08
  • Tax $0.03

The only element that puzzled me was the S3 storage which is free for up to 5GB. I checked the size of the site which is just 21MB (all images are outsourced to Picasa).

    $ du -sh public
    21M    public

I sent an email to Amazon customer service asking for clarification - not because I can't afford a penny - but because I would like to understand the pricing structure ready for when the 12 month Free Tier period expires.

In the interim period, I found the answer on the AWS FAQ - the Free Tier assumes Standard S3 Storage will be used and I was using the following 's3cmd' to deploy my site.

    s3cmd sync --acl-public --reduced-redundancy public/* s3://#{s3_bucket}/

The choice of the Reduced Redundancy Storage option makes sense as this normally costs less ($0.093 per GB) than standard storage ($0.125 per GB) and this is a low traffic website (and I have multiple backups).

However, this caveat is actually covered in the last section of the FAQ:

Does the AWS free tier include Amazon S3 Reduced Redundancy Storage (RRS)?

No, the AWS free tier does not include Amazon S3 RRS storage. The AWS free tier includes 5 GB of Amazon S3 standard storage, which offers the highest Amazon S3 durability.

A couple of days later I received a response from an Amazon Customer Service rep who confirmed that Reduced Redundancy Storage wasn't covered by the free tier, apologised for the misunderstanding and applied a $5 credit to my AWS account for the 'inconvenience caused'. For me, this will probably equate to 3 years' 'free' hosting.

Once again, fantastic customer service from Amazon. I was originally thinking of investigating alternative hosting options when the 12 month period expires but, on reflection, I don't think I will bother.

playing with the Android Kindle Reader

Shamefully, I don't read many books so an eBook reader has never been high on my list of priorities as it would probably become a moderately expensive white elephant and yet another gadget to carry around.

However, Amazon's high profile marketing campaign for the Kindle eBook reader sparked my interest sufficiently to download the free Kindle Reader application for Android to sample the experience of reading an eBook on a mobile device.

In addition, I've just purchased a higher capacity (16GB) SD card for the Android phone which means it could replace my iPod Touch as I can now store all my music on the Android phone and start to consolidate two of my mobile devices. If the Android Kindle Reader application is usable, could the HTC Legend also fulfill the role of an eBook Reader ?

I downloaded Tom Reynolds' 'Blood Sweat and Tea' mainly because it was free and I had previously enjoyed Reynolds' blog about his experiences as a paramedic working for the London Ambulance Service.

I have had (courtesy of my employer) an HTC Legend for 3 months and I have been staggered at the razor sharp quality and resilience of the screen. Even without a screen protector, the display is pristine and crystal clear despite moderate use during that period.

Reading text on the Android is pretty easy on the eye. The font is large enough and clear enough for me to read easily and the contrast is excellent. Also, I am only reading for short periods (up to half an hour on my commute into the city) and the fact that 'Blood Sweat and Tea' is merely a compilation of blog posts means each story is a very short and manageable chunk. This light, casual reading may be slightly easier on the eyes than ploughing through 'War and Peace' for prolonged periods.

The larger screen on the Kindle does look great and I have heard great things about the screen technology but there's one reason I would currently not even contemplate buying a Kindle.

I selected a popular book being advertised for Christmas - 'The Fry Chronicles' by Stephen Fry. The paper edition of this book costs £8.20 at Amazon (UK). To my amazement, the Kindle version of the same book costs a staggering £12.99.

Yes - you read that correctly. £8.20 for the hardback book and £12.99 for the electronic version of the same book for the Kindle.

Now let's think about this. For the paper edition, the publisher has to print a book on 448 pages of paper. The book also has to be bound and this is the hardback edition. For the Kindle edition, the publisher has to, err, well, create an electronic copy of the book.

How in God's name can the publisher/Amazon justify charging an additional, extortionate, staggering premium of 58% for the Kindle edition ?

Now this may be a one-off rare example and it's true that some books are cheaper on Kindle than for the paper book. For example, the popular 'Girl with the Dragon Tattoo' is slightly cheaper on Kindle (£2.68) versus £3.89 for the paperback edition. Now I don't have the time or inclination to exhaustively check the comparative prices of paper versus Kindle editions for the remainder of the best seller lists and it is true that some classic texts (e.g. Treasure Island, Sherlock Holmes) are freely available for eBooks.

However, in a sense that's irrelevant - the Kindle edition should always, always be cheaper than the paper book - guaranteed, 100%, every time for every book regardless. Until that is the case, I won't be buying a Kindle or any other eBook reader.

confession time

Dear Jeff Bozos

It is 39 years and 7 months since my last confession.

Back in 2001, I opened an Amazon Associates account, placed a link to a wonderful Oracle book I wanted to buy on my personal Web site, clicked through on the link and purchased the book from Amazon (UK). This abuse of the referral program credited my newly opened Amazon Associates account with the princely sum of 1.55 GBP.

I have never claimed the money which has subsequently sat dormant for over 4 years in my Amazon Associates account. This was partly because I was wracked and tormented by feelings of guilt. Even when I tried to forget about my heinous crime, the Quarterly Associates Newsletter email from Amazon kept reminding me of my sin.

Another reason was that the paltry amount was below the minimum required by Amazon before you can actually withdraw the money.

I could have continued to abuse this system more fully to make even more money (maybe even as much as a fiver) when I consider all the purchases I have ever made from my favourite online retailer.

However, now is the time to reveal my secret and take my punishment like a man.

Shamefully yours

Norman Brightside

dot bombs

Returned from holiday to find correspondence lying on my doorstep from two internet companies. Both were big names and continually in the news during the internet boom in 1999.

Firstly, two cheques resulting from travelocity's takeover of lastminute.com. Back in 2000, I applied to buy shares in lastminute.com for me, my wife, my auntie and my dog. Thankfully, the share offering was massively oversubscribed and I only received the minimum allocation which reduced my subsequent losses five years later. In fact, the lastminute takeover was very timely as I had two separate, small shareholdings which I was stuck with as dealing costs would have swallowed up most of the proceeds.

Secondly, a thick wad of legalese all the way from the United States of America regarding a class action by shareholders (and corporate lawyers) against Amazon. I couldn't be bothered to read all the twenty seven pages of small print but the gist appeared to be that people bought shares expecting to become dollar millionaires overnight and, unsurprisingly, were bitterly disappointed when this failed to materialise. Remember, people, the price of shares can go down as well as up. If you want to become a dollar millionaire, don't buy shares; become a corporate lawyer.