Your Cloud Provider (Probably) Isn't Spying On You 85
jfruh writes "Last week the CEO ServiceNow made a minor splash by claiming that it was awfully easy for a cloud provider to spy on the data they stored for you or discriminate based on pricing. But while that's possible, in many cases it turns out to be simply not practical enough to be beneficial. Even moves like restoring outages for higher-paying customers first turn out to be more trouble than they're worth."
encryption (Score:5, Informative)
Re:encryption (Score:5, Insightful)
The solution which is always repeated is to encrypt any sensitive data.
If you need to actually use your data at some point, the cloud provider could snoop the data from your virtual machine's RAM. And they could probably find the decryption key to your data somewhere in memory too if they looked hard enough.
Re: (Score:2, Insightful)
Then why would you need a cloud vm in the first place? Then all you need is just a cloud storage.
Re: (Score:2)
Re: (Score:2)
Since Service Now is a cloud hosted Application, so the just storage concept does not work well in this context.
Re: (Score:2)
Re: (Score:2)
Am I missing something? I don't see VM mentioned in the article at all, just cloud, which to me just means storage.
It's because you skipped over the words you didn't understand... from the first article:
Assuming that your business is using infrastructure-as-a-service (IaaS), the cloud knows: where, when and how often your users connect;
...
If you’re using platform-as-a-service (PaaS), your cloud provider could know: the number of payments that you process
You can look up IaaS and PaaS here: http://en.wikipedia.org/wiki/Cloud_computing [wikipedia.org]
Re: (Score:1)
There has actually been research to do data processing on encrypted data. Basically the idea has been to convert data in some other form that has the same properties as the original data for the operations that need to be calculated in the cloud.
Obviously this approach has several limitations but perhaps for most common uses such methods can be found.
Re: (Score:2)
Re: (Score:3)
So only decrypt the file locally. Crisis averted.
Unless you're trying to avoid the problem noted in the articles linked from the summary which was clearly involving a complete cloud infrastructure provider, not a cloud storage provider.
Re: (Score:2)
That depends on if you're talking about cloud storage or cloud computing.
Encrypting your data is pointless for cloud computing. You're better off asking whether your data is stored in an encrypted file system of some sort. Encrypting your data for putting onto cloud storage is more practical. Yes, the "client" you install may have the ability to root your computer on command, but you might as well unplug the cable going out to the WAN from your home network if you're that afraid of people getting access to
Re: (Score:3)
That depends on if you're talking about cloud storage or cloud computing.
Encrypting your data is pointless for cloud computing. You're better off asking whether your data is stored in an encrypted file system of some sort. Encrypting your data for putting onto cloud storage is more practical. Yes, the "client" you install may have the ability to root your computer on command, but you might as well unplug the cable going out to the WAN from your home network if you're that afraid of people getting access to your data.
Encryption is not pointless even in cloud computing. When I encrypt my data, I know that no matter what bugs or faulty procedures the cloud provider may have (i.e. selling old hardware without erasing the hard drives) that exposes my data to a third party, I know that no one can read my sensitive data. It's just another layer of protection.
Re: (Score:2)
except of course for that vmswap file that you have no control over (IE.. not the system swap partitions or page file, but the one the Hypervisor uses.)
Re: (Score:2)
Cloud providers won't go to these extremes because they are expensive. They are looking for low hanging fruit, not trying to pick apart your life like a CIA target. Besides, people are all too willing to leave things unencrypted, they don't need to bother with the 1% of users who encrypt their data.
Encryption works for the same reason that image sharing sites add watermarks to their photos. A watermark won't stop a determined abuser, but it will stop other sites from doing wholesale copies of all their i
Re: (Score:2, Insightful)
The whole point of cloud computing is the computing part of it. We do not have any practical fully homomorphic encryption system to date. You just can't reasonably perform computation on encrypted data without decrypting it at some stage.
Re: (Score:1)
An encrypted filesystem with block striped volumes across multiple different providers would be a pretty good protection. Even if they had your key, they only had a partial block of data which is impossible to reconstruct without all of the blocks.
Re: (Score:2)
Re: (Score:1)
Yes. GlusterFS with HekaFS.
Re: (Score:2)
Yes. GlusterFS with HekaFS.
Tahoe-LAFS FTW!
FTW is an anagram of WTF. Coincidence? I don't think so.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Actually you'd be better off encrypting ALL your data. Encrypting only some of it can give Eve all sorts of clues, even being able to guess part of the plaintext in some cases.
Re: (Score:2)
And possibly messing up any advantages that the service offers you.
Unless you are just using them for storage then you are not really need a cloud service, just an offsite storage.
Concern isn't the companies position on spying. (Score:3, Insightful)
My concern isn't that the company as a policy is spying on me, it's the fear that a disgruntled employee would start copying all of the data for their own use.
Re:Concern isn't the companies position on spying. (Score:5, Funny)
I already have all of your porn, but it's nice to know you're thinking of me.
Sincerely,
Disgruntled Employee
Re: (Score:3)
so what kind of cool data do you have that would interest someone?
back when i was in the army i worked in the command group of a 2 star general. i was in the office down the hall and next to the chief of staff. when they needed computer help i saw their email. it was the most boring crap you can imagine.
Password recovery (Score:2)
Why bother using ssl on facebook, email, or any other "social" site? I mean who would be interested in that?
IMAP and webmail connections are probably the first thing I'd encrypt in transit because it's commonly used by web sites as a password recovery mechanism.
Re: (Score:2)
Re: (Score:2)
But during that time there have been several employees from other companies we supported who moved to the competition with data in their pocket.
Re: (Score:1)
back when i was in the army i worked in the command group of a 2 star general. i was in the office down the hall and next to the chief of staff. when they needed computer help i saw their email. it was the most boring crap you can imagine.
And that is the secret. How many Slashdotters do you think will go to join the army cybercorps now they know this?
Useless data (Score:3)
Priorities (Score:3)
Nobody gives a damn about your data, with good statistical confidence.
OTOH I suspect it is quite important to be able to get your data should the need arise, which is a different concept.
That's, at least, what I desume from seemingly grossly inefficient developments in IT, e.g. the cloud where your machines are not part of the nodes, or the UI downloaded from the server, instead of having everything available locally and a remote db for syncing data.
It's a parallel with the development of laws where cronyism replaces democracy. In those system it is not important to put a lot of people in jail, it is vital to make anybody potentially a criminal so you have an excuse to lock people up if the need arises.
Re:Priorities (Score:4, Insightful)
Nobody gives a damn about your data, with good statistical confidence.
I wouldn't be so sure about that. There are tens of thousands of small high-tech companies with trade secrets that the "cloud" providers would like to gain as customers. From source code to email and customer data such companies have all kinds of valuable data. The solution is, of course, not to put any of this data into the cloud except in fully encrypted form for georedundant backups.
Re: (Score:1)
Wow, no that's simply not true as a broad, blanket statement. I currently work for a company where we have at least one competitor that actively tries to steal our customer lists, with some success (and has lead to successful lawsuits). Attempts have ranged from scraping websites to actually physically stealing backup tapes or paper records.
Now we're in a small enough industry that I very much doubt that information in the cloud would change the risk vector, but these things do happen depending on the ind
thats the half of it (Score:1)
While spying/corporate espionage from a cloud supplier is a concern, the bigger concern is the US gov who have proved time and time again that if your data is in their jurisdiction they can look/take all they like and with the provisions in the "patriot" act they don't even need a warrant or tell anybody they looked at it.
say no to the cloud, and moreso if the data or supplier is based in the USA
Re: (Score:2)
Spies in the sky (Score:5, Informative)
"Your Cloud Provider (Probably) Isn't Spying On You"......
But your government probably is.
Re:Spies in the sky (Score:4)
The simple fact is : the vast majority of the populace just isn't that interesting.
Thereby, TFA can easily and honestly say that they're probably not spying on you, because for any given value of "you," it's likely to fall into the uninteresting segment.
Re: (Score:1)
Yes, it's true. They aren't specifically spying on "you". They are spying on EVERYONE. There is a reason why the NSA has direct interconnects with all the major ISPs. They find some group of keywords passing through, trace the connection back to your home, then they go through everything you have "just in case".
Re: (Score:2)
It's what happens if you somehow become interesting that matters. Involved in an accident with a powerful official or wealthy person? The ability to examine your supposedly private information for some leverage against you would be useful. Decide to participate in an "Occupy" event? Your dossier will be much easier to fill with easy access to all your "private" information. It's not that hard to come up with realistic scenarios in which an "uninteresting" person could be put at risk by unfettered acces
Re: (Score:2)
exactly, as i point out to the people holding out on Facebook accounts due to eavesdropping, first I show that they pretty much are already there, plus I also point out that they are now the short list of people to be spied upon.
Re: (Score:2)
But your government probably is.
Quite possible several foreign governments. Either because your government trusts them or the CP is happy for them to do so. Especially if the CP is a transnational corporation...
Spideroak (Score:1)
Depends on how much you trust unverified claims (Score:2)
The problem with any cloud provider is that you have to trust that their claims about privacy are true without any verifiable evidence that they are in fact true.
Startpage and Duck Duck Go *claim* searches are private, but there is no actual evidence this is true. Believe so at your own peril.
Likewise, Spideroak's claim that they can't even look at your data themselves is comforting, but still just a claim. It may be true and they may believe it to be true (their site is very convincing), but without an a
where is the money? (Score:2)
why pay people over $100,000 per employee per year when accounting for taxes and benefits to spy on data? if dropbox were to spy on your data how would they use it to make more money?
Re: (Score:2)
Its like casinos and poker dealers. Could a morally bankrupt poker room have mechanic dealers working with professional players to cheat people? Sure they could... but they are making so much money playing it straight that it doesn't make sense. If you can pay the dealers an hourly rate and let them keep tips, and make money hand over fist, why risk that in a scheme that requires you to pay them, and some other people, a lot more?
I think this analogy is apt because it shows the real problem isn't the casino
CSP isn't the problem (Score:4, Informative)
The cloud service provider isn't the worry. They couldn't care less. It's the government I'm concerned about. They do care and they have a history of spying and want the right to do so.
The internet is a postcard. Don't store or transmit anything you don't want seen.
Re: (Score:2)
Weighing in (Score:2)
Re: (Score:2)
Other things which are probably true (Score:2)
Humans working in government are probably not listening to your unencrypted phone calls or reading your unencryped emails.
If you forgot to lock your front door this morning, a burglar is probably not taking advantage of the situation.
Even if you skip your dog's rabies vaccinations, it probably won't get rabies.
If you drive home drunk tonight, you will probably arrive safely, and without hurting anyone else or facing serious criminal consequences.
North Korea probably doesn't intend to nuke anyone.
If you run
ROI vs ROR (Score:2)
Rate of Investment vs Rate of Return.
Going through all the trouble to spy on Joe Pimpleface Teenager: ROI > ROR.
Going through all the trouble to spy on a user whose browsing profile and typing habits match Julian Assange or Frank Whizbang, Stock Investor of the Year: ROR > ROI.
By an order of magnitude.
So technically, yes, cloud providers probably aren't spying on 90% of the users.
But if I know I'm one of those 10% of extraordinarily high-interest persons? I'd call it a given that you're being spied
Only if they're into advertising (Score:2)
Do I believe Google does? Of course. In fact they're pretty open about a lot of snooping and they try pushing real name policies and other shit to make it easier to shill crap on the web. Why would I not believe they're not snooping on me every single chance they get?
Your Cloud Provider (Probably) Isn't Spying On You (Score:2)
That's how the internet works. (Score:1)