Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Video How 'The Cloud' Eats Away at Your Online Privacy (Video) 86

Video no longer available.
Tom Henderson, Principal Researcher at ExtremeLabs Inc., is not a cloud fan. He is a staunch privacy advocate, and this is the root of his distrust of companies that store your data in their memories instead of yours. You can get an idea of his (dis)like of vague cloud privacy protections and foggy vendor service agreements from the fact that his Network World columnn is called Thumping the Clouds. We called Tom specifically to ask him about a column entry titled The downside to mass data storage in the cloud.

Today's video covers only part of what Tom had to say about cloud privacy and information security, but it's still an earful and a half. His last few lines are priceless. Watch and listen, or at least read the transcript, and you'll see what we mean.

Robin Miller: I’m Robin Miller for Slashdot. And today we’re talking with Tom Henderson. And not too long ago, he wrote an article for Network World titled “The Downside to Mass Data Storage in the Cloud.” Now, I know you love the cloud beyond life itself. And I know you’ve been waiting for it ever since, years ago, Scott McNealy said, “The network is the computer,” and the cloud is the personification of that. But Tom warns us the cloud is a privacy problem. How, Tom? How?

Tom Henderson: Well, the cloud is a wonderful place to store your data, but here is what the buts are around. The buts are that we unfortunately face these days whether you are a consumer or a business. You have no standards in terms of what kind of data is encrypted in place; or is the connection between your site and whatever you are storing in the cloud encrypted. What level of encryption is going to be employed? You might be able to find out some of the technical details, but sometimes vendors even charge for those... worse is what happens when a vendor goes belly-up. How long will you be able to run your site while you are desperately downloading stuff back to good old home base again, in a place where you really didn’t plan to put it?

We’ve had any number of these sites go dead and we have more of them popping up all the time. Yes, there are some decidedly huge companies that are not going to go out of business, and some of them have some details about what happens with your assets should you die or if your company goes bankrupt or if you’re subject to litigation and suddenly subpoenas start flying around. But sometimes we also have the desire to just be left alone. They Europeans usually have a better handle on what data privacy life is supposed to be like, and assets that people glean about you both [on purpose] by your desire, but also because 'Oh, you didn’t know that you’re storing the stuff.' How long do those details live?

People make incorrect correlations based upon data that they discovered. We have many different questions, but unfortunately we have neither legislation nor best practices, nor guidelines except in a few jurisdictions – one of them usually not the United States, which I personally believe is costing U.S. cloud providers a lot of revenue because people have gone away from U.S. cloud not knowing whether or not the NSA is looking at their data. Number two, in a multitenant environment -- which is what many clouds are like – people next door to you might be kind of breaking in your windows and snooping around.

What we have is a dilemma. That dilemma of course surrounds trust, and trust with a specific vendor, and it gets down into the storage service and also whether or not we believe that the vendors that we’re hiring to do this job are going to follow their terms of service. And if they shouldn’t, do we have any recourse because they didn’t follow those terms of service or do we just get a credit on our bill because 'Oh, sorry, about that.'

So in this era of industrial espionage; of good guesses, bad guesses and bad data correlation, we really don’t have any standards for what happens with our data as it goes outside our own computers. Now, does this mean that I don’t have my cloud storage? In fact, I do. All of it really constitutes pictures that I wouldn’t mind my dear sainted grandmothers to take a look at.

Now I know some organizations really don’t have a choice and they need very fast, rapid storage expansion. Why they have archived material that they feel is correctly encrypted and protected in place before they even decide to send it. So, my consumer case is not necessarily a case of corporate governance; it’s not the case of the organizations who already have taken best practices and steps to ensure that their stuff is at least moderately safe. Of course, moderately safe until we come across something like the FREAK crack where you could downgrade encryption to the point where if you capture a conversation, it only takes 7 hours and 20 bucks on AWS to go and crack your account. And these sorts of exploits continue to occur. And encryption nowadays has continued to be a problem. So, if privacy of those assets is something that’s extremely important to you, then you’re going to have to cover all the assets yourself before you decide to leave them up in the cloud, where man in the middle attacks are becoming more frequent.

Robin Miller: Yeah.

Tom Henderson: With people, unavoidably using XFINITY Comcast, Bright House, Time Warner, Charter and other Wi-Fi equipment right in their homes without even realizing it, they jeopardize their home office workers and those who work diligently – after hours, of course, which doesn't happen in Germany but we won’t go into that. Was it data they might upload? Their work products then becomes potentially violated. Worse, we don’t have any knowledge that some of these access points that I just mentioned are susceptible to the kind of home router exploits that have infected lots of Cisco and Netgear and other Wi-Fi home products. Unless you want to believe that they are okay, how do we know? How do we know that the NSA hasn’t cracked all of RSS and Motorola stuff? We don’t.

Robin Miller: Well, wait, stop. I interviewed a security – actually a general computer business consultant – in West Palm Beach about security for small businesses and he said the biggest problem he sees, when he goes to a new client, is that a huge percentage of them still have the default non-password set that is so, what it is – which one has user and password and another one is 123456. These are just your basic little home routers... And so you know, this is not a secured conversation because I’m on Verizon FiOS. It’s hardwired, but still.

Tom Henderson: Well, yes, admin as a password. (Sigh) You can’t fix stupid.

This discussion has been archived. No new comments can be posted.

How 'The Cloud' Eats Away at Your Online Privacy (Video)

Comments Filter:
  • by Anonymous Coward on Friday March 20, 2015 @02:57PM (#49304455)

    a) everyone on Slashdot knows that "cloud" and "your privacy" are contradictory
    b) hint, people not on Slashdot won't see the article, so posting it is irrelevant
    c) video articles suck balls, nobody wants to hear some dork talk when they could read the piece in 1/4 of the time

    • a) everyone on Slashdot knows that "cloud" and "your privacy" are contradictory

      Unless they know about encryption.

  • by Anonymous Coward

    ... it's already become entrenched. Facebook, Steam, MMO's, F2P, etc. The only way to put this back in the box would be to take over these companies and I simply don't see that happening. Technology has advanced to the point that corporations will share everything as long as it makes them a buck and they've gotten too used to having exact information about everything. The market is totally transparent to companies. Who you are, where you live, etc. Because you have to provide them with things like yo

  • by Anonymous Coward on Friday March 20, 2015 @03:12PM (#49304597)

    Old man yells at cloud

  • ownCloud 8 on my Raspberry Pi is working just fine for me.
    • by Rich0 ( 548339 )

      ownCloud 8 on my Raspberry Pi is working just fine for me.

      If only. It is lacking most of the features of Gmail/Google Docs/Google Play/Google Music.

      I'd really love to have open-source alternatives to the cloud. The problem is that the best anybody seems to come up with are X11 apps plus some kind of dropbox synchronizer or something. If it doesn't work entirely from a browser, then it is a non-starter.

  • by Roman Mamedov ( 793802 ) on Friday March 20, 2015 @03:15PM (#49304619) Homepage
    The Google Plus logo in the corner gives this video a special kind of hilarity.
    • by Roblimo ( 357 )

      Believe me, both Tom (a friend *and* a /. reader) and I are 100% aware of the irony.

  • Been hearing this argument for years. It's still valid, but comes down to how much you care. I store my music with Amazon, but that's mostly because I want to have access to it everywhere. My CDs were ripped years ago and exist on my home server and Amazon and Google. I use Amazon and Google, but if something happens to either of those, I still have my originals. It's more likely that my home RAID array will eat itself before Amazon or Google get corrupted.

    • They're *your* assets, CDs, pics, but also the personal bits about your identity. What's your identity worth?

  • by Anonymous Coward

    Old man yells at cloud.

  • by itzly ( 3699663 ) on Friday March 20, 2015 @03:21PM (#49304673)

    Your facial features, voice and speech patterns have now been included in the cloud databases. Thank you for your cooperation.

  • If private data is defined as what you don't want others to see and public data is defined as what you want others to see, which is appropriate for the cloud? Seems easy to me: if you need to keep secrets, keep it off the internet. And you might think about how easy security is if you only use your powers for good not evil.
  • by Karmashock ( 2415832 ) on Friday March 20, 2015 @03:50PM (#49304905)

    I have a raspberry pi that I use to host a personal website. It is just for me and a couple friends and it associates a free subdomain with my home dynamic IP.

    I have access to my home movie and music library anywhere, can remote into my home systems whenever I want from my phone, and can host any file I want on line without having to give it to a third party.

    That's the trick. Remove the third party.

    Is it more expensive to self host? Not really. I want these things stored locally anyway. So I just link my local drives to the pi. So self hosting cost me about 25 dollars... total and done.

    The only thing I use the cloud for is offsite backups and only of a few critical things.

    Beyond that, why involve a third party?

    • by Rich0 ( 548339 )

      I have access to my home movie and music library anywhere, can remote into my home systems whenever I want from my phone, and can host any file I want on line without having to give it to a third party.

      There is a lot more to the cloud than a page full of links behind .htaccess or whatever.

      I'd love to self-host, but I don't see any FOSS options that are equivalent to the likes of Gmail or Google Docs or Google Music. There are some web-based email applications, but they're pretty weak. I've yet to find one that lets me archive/delete/spam an email with a single keystroke.

      • Name a feature you want and it exists. I grant the listings are often poorly organized but what do you expect from FOSS? They're almost always poorly organized.

        You get good at searching through that stuff. You learn the terms. And it all comes into focus.

        What you want to do is archive, delete, or send to spam on a single keystroke?

        That's more a matter of the email client itself than the server. I suppose you're looking for a good webmail client?

        Not a fan of them personally. Email clients simply do a better

        • by Rich0 ( 548339 )

          Name a feature you want and it exists...What you want to do is archive, delete, or send to spam on a single keystroke?...I suppose you're looking for a good webmail client?...But I'm sure you could find a good webmail client that is FOSS if you wanted.

          So, obviously you've never looked for them. I have. The best options right now are Roundcube and Squirrelmail, or the less-FOSS Zimbra. None of them let you archive/delete/spam email with a single keystroke, and I don't think any of them support tag-based email either. That function in Gmail lets me blast through an inbox in about a minute or two, has an offline cached client for Android, and works in a browser.

          A proper email client donkey stomps gmails webclient and always has.

          And it won't work on a Chromebook or a mobile device with only a browser.

          The vast majority of mail that arrives at my email accounts is automatically sorted. I can receive hundreds of mails in a day and know what I got that matters in about 5 seconds...And that is entirely independent of the server.

          If you're doing it o

          • I'm familiar with them, I just don't use them because email clients are superior.

            As to not working on a chromebox... why would I use such a thing. They're trash. I can get a laptop for the same money that can run real software. The only value of the chrome box is that it is arbitarily limited in its ability. And I can get the same effect by installing a Kiosk GUI ontop of windows or linux. So there's no point to the chromeboxes. I've looked at them a few times and that anyone buys them can only be attribute

            • by Rich0 ( 548339 )

              I've looked at them a few times and that anyone buys them can only be attributed to ignorance.

              I already own one and am thinking about buying another. Given a standard laptop I could build my own, but it would be a royal PITA and missing most of the features I care about (secure boot, transparent encryption, trivial re-provisioning, automated updates, etc). I'll probably run a distro in a chroot on the side as well, though I try not to use them too much since those are a pain to re-provision and the whole point of something like a chromebook is to not need to be running backups/etc.

              It is a bit arro

              • The intent is not to offend but to be honest.

                As to getting those features on a laptop... if you have very specific requirements you could set it up once and then ghost the image. There after, the only thing you'd have to do is manage some drivers if you installed it on a new machine.

                Explain to me the utility of Secure Boot? When you say transparent encryption, what do you mean? What reprovisioning are you doing on a chrome book? Most OS's have automated updates.

                • by Rich0 ( 548339 )

                  Explain to me the utility of Secure Boot?

                  Secure boot ensures that only the software I want on the device is actually present on the device, precluding the ability of a rootkit/etc to be intruding on it (unless that rootkit is housed in the firmware, which I'll grant is a problem). I would prefer if Chromebooks allowed the use of secure boot with a different set of keys - I believe you're stuck with it either on with Google's keys or off.

                  When you say transparent encryption, what do you mean?

                  I mean that the user data on the drive is encrypted using a strong key (ie not just a hash of a simple-to-remem

                  • In regards to rootkits, I think the real issue with them is when they get in the firmware and then lock the firmware.

                    I believe apple products were shown to have a vulnerability where a rootkit could get into the firmware and then write lock the firmware.

                    My only real worry with nonsense like this is that it can't be fixed. I'm not so worried about rootkits unless I can't get rid of them. So long as the firmware can't be writelocked BY the firmware... I'm happy. Ideally some sort of hardware button override d

        • I'm sure you have a fine and awesome solution but most people only ever used webmail. Can check e-mail from any place, without having to (at worst) ask for the root or admin password so you can install and configure your beloved mail client.

          • Don't be silly, every smartphone comes with a built in mail client.

            This is a stupid conversation. You're not being honest and I have no patience for incompetent deceit.

            • Smartphone, what's that?
              A computer without a keyboard, without security updates, without battery life, with a high recurring fee to access the network and that wants you to sign up to a google account. I'll pass, it's too immature for me.

              • This discussion is tedious. I've led a mule to water and you are far too stubborn to drink it.

                So I'm done. Whatever dude.

    • "Remove the third party"

      You ran point-to-point network links to everyone who want to get to your website? Impressive!

    • How did you get the subdomain to point to a home dynamic IP? Mine changes every day or so, do you ping the pi or have the pi ping a webserver and update it or something?

      • Look up a category of products called "Dynamic DNS".. the concept is that your router or your home server pings a third party every ten minutes. That associates a subdomain on their system with your current IP. You can this service for free. It doesn't really cost them anything.

  • why do these videos start at 11 and have no visible volume control? My ears work fine thank you. I don't need max volume.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...