Automation and Smart Card Protected SSH
Ablative makes heavy use of Ansible. This allows us to push changes to servers quickly and ensure that all instances are hardened appropriately. By following a secure software development lifecycle, we can also automate all interaction with customer servers, meaning no human (beyond the customer themselves) ever has access to a server.
One of the biggest issues with automation is protecting the credentials that grant access to the customer servers. We’ve seen APTs target MSPs and we can’t ignore the possibility that the UK Government can interfere with our equipment or even seize our infrastructure.
Hashing, Cloaking and Destruction - Data Management at Ablative.Hosting
At Ablative we make an effort to minimize the amount of data we need to store about our customers and the amount of meta-data needed to manage the service.
As we use cryptocurrency instead of taking card payments, we don’t need to be PCI compliant, but we are concerned that there is a meta-data trail between every Bitcoin transaction (and Monero transaction, if an adversary acquires your private keys) and you.
Proxying Monero
One of the key elements of Ablative Hosting is that it will primarily use cryptocurrencies, so it can’t have its funding sources pulled as happened to FetLife.
Bitcoin transactions are entirely public and ZCash has issues when moving funds between shielded and normal addresses, so for the customer who demands the utmost privacy the obvious choice is Monero. When I first set about implementing support for generating Monero addresses (and monitoring transactions to that address) I had standardised on using nginx to reverse proxy connections to various daemons.