Video How 'The Cloud' Eats Away at Your Online Privacy (Video) 86
Today's video covers only part of what Tom had to say about cloud privacy and information security, but it's still an earful and a half. His last few lines are priceless. Watch and listen, or at least read the transcript, and you'll see what we mean.
Robin Miller: I’m Robin Miller for Slashdot. And today we’re talking with Tom Henderson. And not too long ago, he wrote an article for Network World titled “The Downside to Mass Data Storage in the Cloud.” Now, I know you love the cloud beyond life itself. And I know you’ve been waiting for it ever since, years ago, Scott McNealy said, “The network is the computer,” and the cloud is the personification of that. But Tom warns us the cloud is a privacy problem. How, Tom? How?
Tom Henderson: Well, the cloud is a wonderful place to store your data, but here is what the buts are around. The buts are that we unfortunately face these days whether you are a consumer or a business. You have no standards in terms of what kind of data is encrypted in place; or is the connection between your site and whatever you are storing in the cloud encrypted. What level of encryption is going to be employed? You might be able to find out some of the technical details, but sometimes vendors even charge for those... worse is what happens when a vendor goes belly-up. How long will you be able to run your site while you are desperately downloading stuff back to good old home base again, in a place where you really didn’t plan to put it?
We’ve had any number of these sites go dead and we have more of them popping up all the time. Yes, there are some decidedly huge companies that are not going to go out of business, and some of them have some details about what happens with your assets should you die or if your company goes bankrupt or if you’re subject to litigation and suddenly subpoenas start flying around. But sometimes we also have the desire to just be left alone. They Europeans usually have a better handle on what data privacy life is supposed to be like, and assets that people glean about you both [on purpose] by your desire, but also because 'Oh, you didn’t know that you’re storing the stuff.' How long do those details live?
People make incorrect correlations based upon data that they discovered. We have many different questions, but unfortunately we have neither legislation nor best practices, nor guidelines except in a few jurisdictions – one of them usually not the United States, which I personally believe is costing U.S. cloud providers a lot of revenue because people have gone away from U.S. cloud not knowing whether or not the NSA is looking at their data. Number two, in a multitenant environment -- which is what many clouds are like – people next door to you might be kind of breaking in your windows and snooping around.
What we have is a dilemma. That dilemma of course surrounds trust, and trust with a specific vendor, and it gets down into the storage service and also whether or not we believe that the vendors that we’re hiring to do this job are going to follow their terms of service. And if they shouldn’t, do we have any recourse because they didn’t follow those terms of service or do we just get a credit on our bill because 'Oh, sorry, about that.'
So in this era of industrial espionage; of good guesses, bad guesses and bad data correlation, we really don’t have any standards for what happens with our data as it goes outside our own computers. Now, does this mean that I don’t have my cloud storage? In fact, I do. All of it really constitutes pictures that I wouldn’t mind my dear sainted grandmothers to take a look at.
Now I know some organizations really don’t have a choice and they need very fast, rapid storage expansion. Why they have archived material that they feel is correctly encrypted and protected in place before they even decide to send it. So, my consumer case is not necessarily a case of corporate governance; it’s not the case of the organizations who already have taken best practices and steps to ensure that their stuff is at least moderately safe. Of course, moderately safe until we come across something like the FREAK crack where you could downgrade encryption to the point where if you capture a conversation, it only takes 7 hours and 20 bucks on AWS to go and crack your account. And these sorts of exploits continue to occur. And encryption nowadays has continued to be a problem. So, if privacy of those assets is something that’s extremely important to you, then you’re going to have to cover all the assets yourself before you decide to leave them up in the cloud, where man in the middle attacks are becoming more frequent.
Robin Miller: Yeah.
Tom Henderson: With people, unavoidably using XFINITY Comcast, Bright House, Time Warner, Charter and other Wi-Fi equipment right in their homes without even realizing it, they jeopardize their home office workers and those who work diligently – after hours, of course, which doesn't happen in Germany but we won’t go into that. Was it data they might upload? Their work products then becomes potentially violated. Worse, we don’t have any knowledge that some of these access points that I just mentioned are susceptible to the kind of home router exploits that have infected lots of Cisco and Netgear and other Wi-Fi home products. Unless you want to believe that they are okay, how do we know? How do we know that the NSA hasn’t cracked all of RSS and Motorola stuff? We don’t.
Robin Miller: Well, wait, stop. I interviewed a security – actually a general computer business consultant – in West Palm Beach about security for small businesses and he said the biggest problem he sees, when he goes to a new client, is that a huge percentage of them still have the default non-password set that is so, what it is – which one has user and password and another one is 123456. These are just your basic little home routers... And so you know, this is not a secured conversation because I’m on Verizon FiOS. It’s hardwired, but still.
Tom Henderson: Well, yes, admin as a password. (Sigh) You can’t fix stupid.
Re: (Score:2)
Nowadays there's nothing it can't mean, but I originally understood it to mean "Virtual machine hosted on lots of identical nodes with no guarantee of uptime for any one node" -- as opposed to a mainframe, or time-shared machine.
Then it sort of became "Use the Internet to store things normally kept on your computer, have your content on all your devices." Well, ok, but that's what the Web is.
Then it was existing, long-established companies just rebranding their service without any change. "Cloud email!" Um,
Re: (Score:2)
I don't like it. I don't like that the safety of our data, from the perspective of security and
Re: (Score:1)
Since the advent of Windows Server 10 which promotes use of cloud storage through integration there is some benefit to it in terms of redundancy, however there is a pretty nasty down side, the 'cloud' serves as an example of a high valued target for Tommy 10 year old script kiddy hidden behind likely only one layer of admin security. In essence the cloud violates the first rule of security, don't put all your eggs in one basket. Then there is the government that is walking the edge of going bankrupt since
Re: (Score:2)
The upside is that my problems are now someone else's problems.
I no longer need to manage my long-term backups for my team's projects. They go off to a cloud provider, and if we really need something, we can get it back, and I don't have to worry about keeping tapes or disks around, and I don't have to be the one going through the library to find some old media. Data is encrypted prior to archival, so privacy isn't really a big deal.
I no longer have to worry about constant availability. If my local servers
Re: (Score:2)
The paranoia's adorable, but here in the real world, everything I do is a balance between risk and reward.
Sure, our data could be sold off, but that's what contract lawyers are for, just like any other business deal. Sure, I risk a malevolent company holding my data hostage, but even at increased prices, it's still cheaper than handling the data myself. Sure, I could be using the same rack a terrorist uses, but he could also be renting office space in the same building we use.
My company could, of course, bu
Another worthless video article (Score:5, Insightful)
a) everyone on Slashdot knows that "cloud" and "your privacy" are contradictory
b) hint, people not on Slashdot won't see the article, so posting it is irrelevant
c) video articles suck balls, nobody wants to hear some dork talk when they could read the piece in 1/4 of the time
Re: (Score:2)
a) everyone on Slashdot knows that "cloud" and "your privacy" are contradictory
Unless they know about encryption.
Re: (Score:2)
They've always been show/hide on videos, which are the only type of content that needs them. :)
So you know: Like many other Slashdot denizens, I read many times faster than people talk, so I often prefer transcripts to videos myself.
No way! The cloud lets you can do THIS! (Score:2)
http://arstechnica.com/informa... [arstechnica.com] /sarcasm
Problem is... (Score:1)
... it's already become entrenched. Facebook, Steam, MMO's, F2P, etc. The only way to put this back in the box would be to take over these companies and I simply don't see that happening. Technology has advanced to the point that corporations will share everything as long as it makes them a buck and they've gotten too used to having exact information about everything. The market is totally transparent to companies. Who you are, where you live, etc. Because you have to provide them with things like yo
Today's Headline (Score:5, Funny)
Old man yells at cloud
Re: (Score:3)
clod yells at cloud
My own private cloud (Score:1)
Re: (Score:2)
ownCloud 8 on my Raspberry Pi is working just fine for me.
If only. It is lacking most of the features of Gmail/Google Docs/Google Play/Google Music.
I'd really love to have open-source alternatives to the cloud. The problem is that the best anybody seems to come up with are X11 apps plus some kind of dropbox synchronizer or something. If it doesn't work entirely from a browser, then it is a non-starter.
Re: (Score:2)
Neat. I don't think it has a word-processor though.
Re: (Score:2)
Try Cozy [cozy.io] then.
Thanks. It looks a bit better than some of the options out there, but it is still missing email and documents (word processing, spreadsheets, presentations). So, it is hardly a google apps replacement, but certainly it is going in the right direction.
The Google Plus logo (Score:5, Funny)
Re: (Score:2)
Believe me, both Tom (a friend *and* a /. reader) and I are 100% aware of the irony.
Tell us something new (Score:2)
Been hearing this argument for years. It's still valid, but comes down to how much you care. I store my music with Amazon, but that's mostly because I want to have access to it everywhere. My CDs were ripped years ago and exist on my home server and Amazon and Google. I use Amazon and Google, but if something happens to either of those, I still have my originals. It's more likely that my home RAID array will eat itself before Amazon or Google get corrupted.
Re: (Score:2)
They're *your* assets, CDs, pics, but also the personal bits about your identity. What's your identity worth?
Oblig. Simpsons (Score:1)
Old man yells at cloud.
Thank you, Tom Henderson (Score:5, Funny)
Your facial features, voice and speech patterns have now been included in the cloud databases. Thank you for your cooperation.
Proper usage (Score:2)
More people should self host (Score:4, Interesting)
I have a raspberry pi that I use to host a personal website. It is just for me and a couple friends and it associates a free subdomain with my home dynamic IP.
I have access to my home movie and music library anywhere, can remote into my home systems whenever I want from my phone, and can host any file I want on line without having to give it to a third party.
That's the trick. Remove the third party.
Is it more expensive to self host? Not really. I want these things stored locally anyway. So I just link my local drives to the pi. So self hosting cost me about 25 dollars... total and done.
The only thing I use the cloud for is offsite backups and only of a few critical things.
Beyond that, why involve a third party?
Re: (Score:2)
I have access to my home movie and music library anywhere, can remote into my home systems whenever I want from my phone, and can host any file I want on line without having to give it to a third party.
There is a lot more to the cloud than a page full of links behind .htaccess or whatever.
I'd love to self-host, but I don't see any FOSS options that are equivalent to the likes of Gmail or Google Docs or Google Music. There are some web-based email applications, but they're pretty weak. I've yet to find one that lets me archive/delete/spam an email with a single keystroke.
Re: (Score:2)
Name a feature you want and it exists. I grant the listings are often poorly organized but what do you expect from FOSS? They're almost always poorly organized.
You get good at searching through that stuff. You learn the terms. And it all comes into focus.
What you want to do is archive, delete, or send to spam on a single keystroke?
That's more a matter of the email client itself than the server. I suppose you're looking for a good webmail client?
Not a fan of them personally. Email clients simply do a better
Re: (Score:2)
Personal web traffic is typically so low that no one will notice.
If you have high enough traffic that you need that much bandwidth then I don't see how you're going to get free cloud service that covers that volume.
Yes, if you're doing youtube videos or something then fine... but really what else is going to matter?
I self host everything that is private. Anything that isn't self hosted doesn't matter to me. They can sniff those panties all day.
Re: (Score:2)
Nah, more like "Google announces policy that only effects lazy and or ignorant people"
Don't care.
Re: (Score:2)
Name a feature you want and it exists...What you want to do is archive, delete, or send to spam on a single keystroke?...I suppose you're looking for a good webmail client?...But I'm sure you could find a good webmail client that is FOSS if you wanted.
So, obviously you've never looked for them. I have. The best options right now are Roundcube and Squirrelmail, or the less-FOSS Zimbra. None of them let you archive/delete/spam email with a single keystroke, and I don't think any of them support tag-based email either. That function in Gmail lets me blast through an inbox in about a minute or two, has an offline cached client for Android, and works in a browser.
A proper email client donkey stomps gmails webclient and always has.
And it won't work on a Chromebook or a mobile device with only a browser.
The vast majority of mail that arrives at my email accounts is automatically sorted. I can receive hundreds of mails in a day and know what I got that matters in about 5 seconds...And that is entirely independent of the server.
If you're doing it o
Re: (Score:2)
I'm familiar with them, I just don't use them because email clients are superior.
As to not working on a chromebox... why would I use such a thing. They're trash. I can get a laptop for the same money that can run real software. The only value of the chrome box is that it is arbitarily limited in its ability. And I can get the same effect by installing a Kiosk GUI ontop of windows or linux. So there's no point to the chromeboxes. I've looked at them a few times and that anyone buys them can only be attribute
Re: (Score:2)
I've looked at them a few times and that anyone buys them can only be attributed to ignorance.
I already own one and am thinking about buying another. Given a standard laptop I could build my own, but it would be a royal PITA and missing most of the features I care about (secure boot, transparent encryption, trivial re-provisioning, automated updates, etc). I'll probably run a distro in a chroot on the side as well, though I try not to use them too much since those are a pain to re-provision and the whole point of something like a chromebook is to not need to be running backups/etc.
It is a bit arro
Re: (Score:2)
The intent is not to offend but to be honest.
As to getting those features on a laptop... if you have very specific requirements you could set it up once and then ghost the image. There after, the only thing you'd have to do is manage some drivers if you installed it on a new machine.
Explain to me the utility of Secure Boot? When you say transparent encryption, what do you mean? What reprovisioning are you doing on a chrome book? Most OS's have automated updates.
Re: (Score:2)
Explain to me the utility of Secure Boot?
Secure boot ensures that only the software I want on the device is actually present on the device, precluding the ability of a rootkit/etc to be intruding on it (unless that rootkit is housed in the firmware, which I'll grant is a problem). I would prefer if Chromebooks allowed the use of secure boot with a different set of keys - I believe you're stuck with it either on with Google's keys or off.
When you say transparent encryption, what do you mean?
I mean that the user data on the drive is encrypted using a strong key (ie not just a hash of a simple-to-remem
Re: (Score:2)
In regards to rootkits, I think the real issue with them is when they get in the firmware and then lock the firmware.
I believe apple products were shown to have a vulnerability where a rootkit could get into the firmware and then write lock the firmware.
My only real worry with nonsense like this is that it can't be fixed. I'm not so worried about rootkits unless I can't get rid of them. So long as the firmware can't be writelocked BY the firmware... I'm happy. Ideally some sort of hardware button override d
Re: (Score:2)
So anything that won't work on a Chromebook is out? Well, then you are already a Google fanboy and should keep using your beloved cloud. The whole point is to stay AWAY from the cloud and being tracked. You can't do that if you elect to use a fucking tracking device anyway.
There is no reason that a Chromebook needs Google to run. If there were an FOSS alternative to the services google provides (including authentications/etc) you could just as easily build chromiumos to use those, and self-host those services. I'd certainly being doing that if it were available.
It isn't like I profit from Google having my personal data. They just provide a better level of service than the alternatives. That is more an indictment of the state of FOSS than anything else - the level of servi
Re: (Score:2)
I'm sure you have a fine and awesome solution but most people only ever used webmail. Can check e-mail from any place, without having to (at worst) ask for the root or admin password so you can install and configure your beloved mail client.
Re: (Score:2)
Don't be silly, every smartphone comes with a built in mail client.
This is a stupid conversation. You're not being honest and I have no patience for incompetent deceit.
Re: (Score:2)
Smartphone, what's that?
A computer without a keyboard, without security updates, without battery life, with a high recurring fee to access the network and that wants you to sign up to a google account. I'll pass, it's too immature for me.
Re: (Score:2)
This discussion is tedious. I've led a mule to water and you are far too stubborn to drink it.
So I'm done. Whatever dude.
Re: (Score:2)
"Remove the third party"
You ran point-to-point network links to everyone who want to get to your website? Impressive!
Re: (Score:2)
Don't be obtuse
Re: (Score:2)
Yeah, because ignorance and incompetence is sexy, right?
Its people like you that herald the idiocracy.
Re: (Score:2)
How did you get the subdomain to point to a home dynamic IP? Mine changes every day or so, do you ping the pi or have the pi ping a webserver and update it or something?
Re: (Score:2)
Look up a category of products called "Dynamic DNS".. the concept is that your router or your home server pings a third party every ten minutes. That associates a subdomain on their system with your current IP. You can this service for free. It doesn't really cost them anything.
Re: (Score:2)
Be more specific.
Re: (Score:2)
You didn't notice the change in /. videos to HTML5? Really?
Re: (Score:2)
And how do you know the binary code running on the server was generated using exactly the same open source code you have been provided with? IOW, the code could be modified without the customer knowing about privacy breaches. Don't be so naive when it comes to security.
Volume control? (Score:1)