
Hack-proof website, why not?

Started by October 23, 2015 06:08 PM
93 comments, last by ronan.thibaudau 8 years, 11 months ago


Aye, I was just referring to where he said they would physically steal it.

I'm sure if it was a high enough profile target, it being in another country wouldn't stop anyone. Any real intelligence agency has spies in all countries and will just send someone to steal the drives or data, with complete plausible deniability.

Of course, for Joe Bloggs and his website, totally not worth it...

Aye, it's the only thing where I concede you can't have 100% security: someone dedicated enough will physically access your server, even if the only option is armed intervention. Not much you can do against that as a civilian entity, but then again it's not a risk worth mitigating for pretty much everyone.

I'm sure if it was a high enough profile target, it being in another country wouldn't stop anyone. Any real intelligence agency has spies in all countries and will just send someone to steal the drives or data, with complete plausible deniability. Of course, for Joe Bloggs and his website, totally not worth it...

No need for force, they'll just call the local authorities, and tell them they want it because of... terror, or some other reason. After all, we're all amigos who help each other. So the local equivalent of a Homeland agent would knock at the datacenter which has "secure" and "biometric access control" prominently in its advertising material, and demand that the geek-on-duty put his thumb on the door scanner. Geek-on-duty will of course do it because he doesn't want more Homeland-equivalent attention than absolutely necessary on his person.
Then the agent will just pull out your server, and the one above and below it as well, to be sure. The hoster will replace the servers that had hardware failure within 24 hours, as per the service level agreement.

Aye, it's the only thing where I concede you can't have 100% security

You can't have 100% security otherwise either. In particular, I'm convinced that you can't have what you described earlier.

I had been thinking about whether it was possible and worthwhile to do such a SaaS thingie as you described a month or two ago, when this Thai hoster started a topic on here and suggested that Thailand was basically an "empty" market. It seemed tempting to take advantage of that. However, having had one or the other real-life experience with south-east Asia in the past, my estimate was that chances were someone would just steal and rebrand (or even steal and resell without rebranding!) anything of value. I've had this happen with humanitarian aid: entire containers just gone, they "never arrived" at the harbour, and suitcases full of medical supplies that I had hauled over in my private suitcase which "disappeared" overnight from the hospital's storage room. If people obviously aren't afraid that people will die when they steal stuff, why would they worry about stealing software? Add to that a military regime, which is not precisely the most stable environment overall (and which I have a little experience with, too).

All in all, my consideration was that putting anything marginally valuable on a server in such a location was unwise, unless it was reasonably secured (against theft, first and foremost).

So how would you mitigate risk in that situation? Assume that "data" (like player levels or highscores) is indeed not very valuable, but the software, which you sell as service, is. That is, if I understood your earlier post correctly, exactly your premise.

How do you prevent someone from cloning the disk and using a hex editor to change the company name and payment details, and booting the disk in another server next door? You don't.
Encryption doesn't help because the disk must be decryptable or the software will not run. For that, the key must be on the server (which is as good as no encryption), or it must be pulled from a trusted server on the network (located in a place that you control).

Except there is no such thing as a trusted server if the client and the network cannot be trusted (well, the server is trusted, it just doesn't mean anything for the net result). Someone cloning the disk will have your private SSL keys (otherwise the server/client couldn't connect to the trusted server), so you cannot ever be sure you talk to the "genuine" server or to a proxy or to a completely different one. Anyone can download the decryption keys any time they need them. You could as well store the decryption key on the server right away. No, you cannot manually log into the system from your end to provide a key either (well you can, but it's the same situation). Yeah, you could use one-time-pads for authentication. Unluckily, anyone stealing your disk will also have the OTP...

Obviously, the only secure approach is that the software is never saved to disk. I will ignore cold boot attacks since they're a somewhat ridiculous approach for pirating software (it may work for a single bitlocker key, but for several megabytes of executable...?), even more so in a country where the average room temperature is 30°C. But for the sake of it, let's assume you even encrypt/decrypt modules on the fly in memory.

So... what isn't stored on the disk cannot be stolen. Sounds great.

Still, the software must come from somewhere. So you must download it from the network. Back to step #1.


First off, you don't store your sensitive server in a place where other people's staff can access it (including staff of the datacenter itself).

Second, encrypting the disk is a bonus, but it's not that useful given physical access, as you said there are cold boot attacks against that.

And yes, you're correct: the exe is never stored on disk in my case, but only in RAM during execution, and it is not quite usable if retrieved from RAM by a cold boot exploit unless you manage to retrieve a "lot" of the RAM, more than is feasible as far as I know in such a short time (gigabytes needed).

The software doesn't have to come just from somewhere, it can come from somewheres :) It's loaded in RAM at physical installation time and doesn't support rebooting / shutdown (so yeah, any incident is a pain). On top of that, it requires an additional outside key (on top of, not instead of, the security I described).

So the tradeoff is if there's a power failure, it requires going to the datacenter and reinstalling locally.


They can't do that if you ain't hosting in the USA.

Correct. That's the CIA's job.

First off, you don't store your sensitive server in a place where other people's staff can access it (including staff of the datacenter itself).

That's always the case, however... unless you "own the datacenter" in the sense that you have a 10Gbps internet connection at home and keep the rack locked in your basement, with the key on a chain around your neck. In every other case, you have to place the network-accessible server somewhere, and it will be physically accessible by someone (someone whom you do not necessarily trust).

Second, encrypting the disk is a bonus, but it's not that useful given physical access, as you said there are cold boot attacks against that.

Well, it's not just not that useful, it is not useful at all. Because encryption either means the system cannot boot without you entering a key, or it means that anyone can access the data anyway, encrypted or not. There is nothing in between. Entering a key (or downloading it from a trusted server) or any such thing always reverts to the same initial problem, making it useless.

The software doesn't have to come just from somewhere, it can come from somewheres :) It's loaded in RAM at physical installation time

Which is exactly what I said, and which has exactly the problems that I stated. Physical installation really means "over a network". You can only ever do a real "physical" install if you co-lo (since then you have the physical server in your hands initially). And if you do a RAM-only install, then it will be lost when you pull the plug and hand it over to the datacenter personnel. Unless you have a built-in UPS and can guarantee that datacenter personnel will restore power supply within the time that the UPS can cover (and that they're not doing anything funny with it otherwise). Which of course you cannot know for certain, as the precondition is that you don't trust them!

For every other server (which you rent, and which sits in some rack in a locked no-public-access datacenter), you only ever have access via KVM-over-IP or a similar thing. KVM is the "most physical" thing you ever have. Or you can choose from a number of install images which are 1:1 copied onto the server, then the password file is set up accordingly, and you can SSH. Or something similar. You are never going to be allowed to go anywhere near your server, physically.

So the tradeoff is if there's a power failure, it requires going to the datacenter and reinstalling locally.

Which of course you cannot do, unless you own the datacenter. I don't know any datacenter where they will let a client enter the rack room. Which means you must SSH or KVM-over-IP, and then you are back to field #1. There's no way of knowing that you are talking to the machine you think you are talking to.

I agree, then again a lot of this can be solved (once again in the case of a website) by not transmitting anything risky on the cable. For example, if the whole service is self-contained on the server (no multi-server communication or sensitive data), then nothing would go "out" on the cable outside of what is meant for the internet to begin with.

Okay, that MIGHT do the job... might as well take the machine completely offline then, as when nothing sensitive needs to be transferred, the server/datastore holding the sensitive information does not need to be online anyway.

Kinda lost track of the use case here... are we now talking about how to make static sensitive data as safe as possible in a datastore, or are we talking about a website that might need to, you know, transfer sensitive data, as this might be the data the user is actually interested in? :)

In the end, there is only one way to make information unhackable and unobtainable: not creating or storing the information in the first place. Or destroying the datastore containing the information by throwing it into a volcano (or, more secure, into the sun). Ideally you had the MiB flashing apparatus to also erase the memories of anyone who might have come in contact with the information during the time it existed (you could use less high-tech and far deadlier methods, but I won't mention these).

As soon as the information exists SOMEWHERE, it can be hacked and obtained. The fact that someone actually wants to use this information for something, so the information has to be interfaced with or needs to be transferred to somewhere else is just making this fact much, much worse.

Who can tell if the NSA is not also doing some industry espionage sponsored by big US companies?

You make it sound like that was a mere possibility :)

What do you think has been happening every day in Bad Aibling since the 1950s? Is it a coincidence that GE all of a sudden came up with a patent every time Siemens invented something, over decades? The SPIEGEL wrote a big, well-researched article about large-scale industry espionage some 15 or so years ago (in fact, 'tis so long ago that I'm not sure it was SPIEGEL, could have been another magazine, too). But of course, the USA doesn't ask. They just do what they want; this is a reality.

What do you want to do about it?

Well, I think the EU should start doing what it should have done long ago... calling the US out for it. They should go further and dismantle the NSA bases in Germany and other EU countries, and slap anyone in their own intelligence agencies cooperating "too much" with the NSA very, very hard (or better, fire them... if they haven't done that already).

Of course US companies will bleed for it (that might, or might not, have profited from the US sniffing in other people's stuff for decades), while the US politicians are still in denial.

And of course, none of the countries whining about the rampant US espionage is any better... they might just have less money to get the highest-tech espionage, but they are still doing it. They should also get the slap on the wrist they deserve.

Point is: as long as intelligence agencies' actions are a secret, and the politicians still believe they do more good than harm for the country and thus keep their actions secret, we cannot really know what led to what when it comes to industry espionage.

Common sense says that you don't build a huge freaking espionage center in Germany just to intercept the Russians' secrets... after all, your NATO friends' secrets are just at your fingertips... it's like sending a sugar junkie into the candy store and telling him to leave the candy alone :)

A lot of things are too much of a coincidence. I give you that.

Still... we don't know for sure, and as the US will never be able to make anyone believe they are NOT doing something bad (who will believe them?), they will keep their mouths shut for sure. So all we can say is "might" and "could"... not even more documents from another whistleblower can change that really (how many of these documents were fake?)



I guess you're talking about dedicated hosting? I'm obviously not talking about renting servers from a datacenter but about renting an actual room there, else obviously you can't do any of it. But yes, that's what I mean; it's also what I mean by the staff of the datacenter not having access: some datacenters offer private rooms that are "yours" for all intents and purposes, but you usually need to rent a whole room (multiple full bays' worth).


Of course you can't protect sensitive data if it has to travel from you to the user, but it's often not the case that it needs to. In the case I was giving as an example, the user data was not sensitive but the program that ran on the server was, so what mattered was to make the actual program unstealable (and thus the actual server unhackable, regardless of whether someone can or cannot sniff your outgoing data).

In the case of a website there are similar use cases. For example, if your users have to enter their CC info once to purchase on your website, then this means that if your server can't be hacked, even if someone manages to find a way to put himself in the middle and "sniff" all data, he would never get access to current customers' credit card info, only future ones. This is a pretty major risk reduction for your users, and something you can defend against if you're not the party that got hacked but somewhere on the net outside of your control, as the blame will transfer too. So this is a good example use case for a website: it allows, for example, a third party's security being responsible over the wire for a small amount of user CC info loss vs. you being fully responsible for 100% of your users' CC detail loss. That works for any one-way data transmission that you need to store but not necessarily make available again.
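One concrete way to build the one-way storage the post above describes, as an added example and not the poster's design or any project's code: the internet-facing server holds only an RSA public key, so it can write card records it can never read back, while the private key lives on an offline machine. The type and function names, the JSON record layout and the card number are constructed for this example; it uses only Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedRecord is everything the web server writes to its datastore: the record
// under a fresh AES-256-GCM key, that key wrapped with RSA-OAEP to an offline public key.
type SealedRecord struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey); only the offline private key can unwrap it
	Nonce      []byte // GCM nonce, fresh per record
	Ciphertext []byte // AES-GCM(aesKey, record), auth tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the internet-facing server. It needs only the public key, so a later
// compromise of the server, its disk or its uplink exposes no record already stored.
func Seal(pub *rsa.PublicKey, record []byte) (*SealedRecord, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &SealedRecord{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, record, nil)}, nil
}

// Open runs only on the offline machine holding the private key, e.g. when a
// charge is processed. GCM verification fails on any tampered stored record.
func Open(priv *rsa.PrivateKey, sr *SealedRecord) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sr.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sr.Nonce, sr.Ciphertext, nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed demo: only priv.PublicKey would reach the server
	if err != nil {
		panic(err)
	}
	sr, err := Seal(&priv.PublicKey, []byte(`{"pan":"4111111111111111","exp":"12/29"}`)) // test card number
	if err != nil {
		panic(err)
	}
	plain, err := Open(priv, sr) // only the offline side can do this
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes; offline key recovers %s\n", len(sr.Ciphertext), plain)
}
```

A clone of the server's disk yields the public key and sealed records only; what remains exposed is exactly what the post says, records captured after the compromise.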

So, how exactly would you make a server that can't be hacked? I have ties to government and several rather large businesses, and they would all like to know the correct answers to such a problem.

Old Username: Talroth
If your signature on a web forum takes up more space than your average post, then you are doing things wrong.


Ok, I see your use case now... but I still think "unhackable" and "unstealable" are a little bit big words for what is only a "harder to hack" target and a "harder to steal" program. As long as there are connections to the outside world (which would in the extreme case include power cords), and the server is not standing in a room deep below the earth's surface with all entrances to the room sealed, "un-anything" is a gross oversimplification and marketing stunt at best, or a blatant lie at worst.

Hard and maybe even expensive to break in, thus not making sense to even try to do so for anything besides high-profile targets? Yes. Impossible? No.

Then in your second use case you use the words "risk reduction" and "not fully responsible"... doesn't sound fully hackproof to me.

I second Luckless: if you know how to make servers 100% hackproof, tell us... we would love to know the secret to getting rich, because governments and private companies all over the world would waste billions on such tech!

Better yet, don't tell us, and sell it yourself. :)
