Slashdot Mirror
The Cloud: Convenient Until a Stranger Nukes Your Files
jfruh writes "Thanks to a plethora of cloud storage accounts, Dan Tynan thought his days of carrying a thumb drive around with him and worrying about email stripping out his attachments were over. But that was before he discovered that his Box.com account and all the files in it had vanished without a trace. With tech support coming up empty, Tynan had to put on his journalist hat to track down the bizarre sequence of events that ended with his account handed over to another user, who didn't ask for it and didn't even know who Tynan was."
"most transparent administration ever"
Just got to love that whole 'transparency' thing.
http://www.inforum.com/event/article/id/416090/
"FARGO – The Obama administration asked North Dakota’s largest health insurer not to publicize how many people have signed up for health insurance through a new online exchange, a company official says."
Of course this is all Boooshes fault, we all know this.
And the media just keeps blowing Obama whenever he asks. No one throws shoes at him or even asks him any questions.
And most of the stupid drones on this super-smart-geek website support this tyranny.
Fucking fools.
Run it at home, commit/checkout works flawlessly.
Cloud services take all of your IT problems, and give them to someone else, period. A cloud is not inherently going to fix your problems, or make them worse, but just delegate them to someone who may or may not be able to handle them better.
You do not have a moral or legal right to do absolutely anything you want.
FTFA:
* Financial records. I scan all my paychecks and store them (on SkyDrive, not Box.com - fortunately). Our tax form PDFs are all on some cloud storage service, either SkyDrive or Dropbox, as are all our receipts. These would have been in the hands of a total stranger - perfect fodder for identity theft. And if the IRS suddenly decided to audit us? We'd be at their mercy.
* Health records. We scan all our doctors bills and insurance insurance statements and store them in the cloud. So now we're talking about medical identity theft for us and our kids - a situation that's much harder to resolve than standard financial ID theft.
What an idiot.
...I informed you thusly.
Unsure why people are moved to throw their data into the hands of someone (company) that would never treat their data sacred. I don't care what argument you put forth, no one is going to care (security wise) about your data as vigilant as you would (and should). Math wise, the cloud makes no sense to me, even on the free model.
1) wait for you to download your data over the Interwebs (mobile you say... tick tock)
2) There is NO GUARANTEE someone in the company isn't looking at your data or selling it. You're simply trusting they won't
Storage is dirt cheap. 2TB drives are like what 100-200 US per pop give or take. They're compact enough to throw in a messenger bag along with a laptop. Data availability is much faster than downloading it over the wire. Throw on crypto (say Truecrypt) and you have a decent amount of security. Only concern, is your HD goes bad. In either event, another backup 2TB is 100-200. Cloud pay for play? @ 10.00 per month, its STILL the cost if not more than buying your own device.
From TFA :
'So the loss of my Box.com folders was not a personal tragedy. (Had I lost my Dropbox account, though, I would have been screwed.)'
Everyone who stores their only copy of important personal/work data, without backups in the cloud deserves everything that happens to him!
I can't remember where I first heard this, but the quote is along the lines of:
Whenever you hear a reference to "the cloud", replace it with "someone else's computer" and see how much sense it makes
Once you start doing that it shows you how little control you have over such services and how dependent you are on other parties, especially if you consider them as a panacea to not having to keep your own backups (as the OP seems to have done)
I am Slashdot. Are you Slashdot as well?
Valve's shitty application stopped working, and now I can't install or run any of the games I bought (read: rented) from them. Their techsupport is somewhere between non-existent and not-giving-a-shit. I am even locked out of the non-drm games (most of the ones I have bought), because I cannot download them without the stupid Steam application.
Lots of money flushed down the drain to a company that simply does not care. Never again.
I'm a good cook. I'm a fantastic eater. - Steven Brust
He keeps his work files, financial records, health records in the cloud.
Dear sirs and madams, i refrain from even commenting on that for fear of being downmodded hard, and rightly so.
Cloud storage can not be trusted both in terms of privacy and reliability. So follow these steps and you'll be fine:
1) Thou shalt not store unencrypted files in the cloud
2) Thou shalt have backups of files in the cloud
Does that reduce the convenience of the cloud? Yes. Because that is all that online cloud storage can offer - unreliable privacy invading storage.
proof that nobody should commit large amounts of personal data to cloud storage, unless it is encrypted and used as a backup. No system is inherently foolproof, but storing data in a way that you keep in your physical possession is clearly safer.
For the "someone nuked all my files", this is why you should backup your files (or use a Cloud service with integrated backup/history or better use both).
Remember, a proper Backup uses MULTIPLE Backups and not all from the same service provider.
PS: for the "someone saw all by financial records", you should use an encrypted Cloud service where YOU own the encryption key and where the service provider can NOT help you should you ever lose that key.
Sig (appended to the end of comments you post, 120 chars)
This is rather unfortunate for him, of course, particularly if he didn't have a backup anywhere else (duh!), but I'm sure we'll get a lot of slashdotters saying "See, this is why I'll never use the cloud!", and that's silly. Now, there are other valid reasons to avoid cloud storage (e.g. privacy and security, assuming you're not encrypting the data), but reliability really isn't one of them. Thumb drives die, get lost or get damaged, hard drives fail... there is no perfectly-reliable storage medium, but I'll posit that a good cloud storage provider has a much lower failure rate than anything you can manage yourself.
The solution, as always, is backups. Any one storage medium may fail, but the odds of several of them failing simultaneously is very low. Personally, my most important files live on a RAID-6 array with a hot spare on my home file server, and on my laptop's SSD, on my workstation's HD, and on Google Drive. There is a fair amount of low-priority stuff which lives only on Google Drive. It gets automatically synced to multiple machines, but that wouldn't help if someone else got access to my account and deleted my files (of course, I use two-factor auth). It's still better than what I'd do without a cloud service, which is that I'd have those files only on my laptop.
Hmm... It occurs to me that it'd be trivial to write a small script that uses rdiff-backup to copy the contents of my Drive folder to another folder, then run that in a cron job. Then I'd have automatic, persistent synchronization to multiple devices. I think I'll do that right now :-)
Bottom line: This is a sad story, but not a reason to avoid cloud storage. It is a reason to recommend backups. Especially completely automated, effortless backups.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Setting aside the issue of cloud storage, I'd like to point out that any file you don't back up is one you may lose. Leaving the only version on Box is as bad as leaving the only version on your hard drive.
No kidding!!! What do you say at this point?
Does Box.net not store a complete local mirror? Don't they have backups?
But I keep a personal mirror of my dropbox archive on a desktop at home, but only enable syncing on it once a week to make sure I always have an offline copy. Dropbox also has some revision history...but I don't know how that applies if the file is deleted.
And yea, EncryptFS is your friend with these services. The idea that so many companies are storing sensitive data in the cloud is a bit worrying...
The moral of the story is simple - do not store work related files _only_ on other people's storage medium, whatever it is.
Being a total moron and having receipts/work-in-progress files/legal documents that you _depend_on only on Cloud-based storage, well.. Murphy's law will apply.
This apart from any privacy issues that I won't go into here..
Bottom line: don't be a moron, store /your/ important files on /your/ devices.
The cloud is your fired administrator handling your and thousands of other clients information, while not giving a fuck if a percent you of gets annihilated or not.
Also, i'm not sure if anyone else picked up on this, but he was giving out his box.com account credentials to clients so they could upload straight to the folder.
Hrrmm? that's odd. Why would you even think because you sent someone a link to your cloud shared folder that the cloud company would magically given them the account...unless you didn't send them some link....
Ahh, now this language seems a bit too obtuse. "Invited an employee to upload an image". At first glance, you'd think you send this PR employee a link and they uploaded to your box.com folder. But you can't do that with box.com.... Only way to let someone upload to your folder is via an E-mail ( which won't work for large files ) or the 'upload widget' which you have to host on a website and it's up to you to lock it down ( he didn't use this either ). Failing that, YOU HAVE TO GIVE YOUR ACCOUNT USERNAME/PW TO THE PERSON TO UPLOAD TO YOU.
They probably pulled all the accounts used from an IP range known to be the PR firm, and assumed that's "PR Firms" employees. Since this employee had the username/pw, what else were they to assume.
Not a brilliant move on Box.com's part, but also, a stupid move on this writers part.
Most of these large cloud storage apps make it difficult for someone else to 'contribute' (upload) files. Otherwise they get abused for warez or porn.
Long story short, this guy violated their terms of agreement and gave away his username and password and was amazed when his files disappeared.
If he wasn't a tech writer, they would have written him off and rightly so. If anything, this is "Treat me different, I'm the press" mentality.
-Malakai
A Dragon Lives in my Garage
As the old saying goes: there are two kinds of people. Those who keep backups, and those who have never lost data. I think this blogger has now moved from the second to the first category.
Since when has even convenience ever been one of the attributes of "the cloud?" Maybe it's convenient if you have fast upload speeds. For those of us with ADSL, it will never be convenient, because it would take forever to get my data up there. And even downloading is many orders of magnitude slower than my "slow" WD Green drives.
The cloud is "convenient" for turtles with 1980s-tech computers, maybe. For those of us who use modern hardware but early-21st-century American networks (i.e. not gigabit) it's a fucking joke in terms of convenience.
1) You are sharing a work account with your wife who has her own work universe. So when she is working on an article about the "ultimate cloud deletion tool" you will get dragged into her experience without knowing it.
2) you seem to (in theory) have no problem separating your work files from your professional files.
3) you let strangers (yes they are people you are working with but) access accounts that have files that you need for more than the moment. box.com should be no more than a ftp server for transferring files and you should see that the files are deleted after the other party gets them.
4) you don't seem to have any home backup system even though your livelihood seems to be dependent on the availability of that data, not to mention your personal data. dropbox should be the backup of the backup.
In short you trusted your files to a third party and they failed that trust. the lesson is....
p.s. please post a preview of your next article " my cloud provider sold my data to advertisers without my knowledge"
Sanity is the trademark of a weak mind. -- Mark Harrold
In the age of terabyte drives why turn your valuable data over to others?
My experience is that no matter how you try to secure your data, something will go wrong. I've seen software errors (a lot), media failures, my own screwups (a lot). lack of support for old media by new systems. It's always something.
You should have Truecrypted. Doesn't keep people from hijacking your account but your files are of no use to them.
Pro Tip: Use a different password other than your login password for the encryption.
Join the Slashcott! Feb 10 thru Feb 17!
What is the most disturbing part of this story is it seems that box.com doesn't have any major infrastructure for backup of users data. I would have thought that it would be as simple as pressing a button "undelete" for the box.com support people to restore last available data before deletion.
Two adages apply here.
1. Security is inversely proportional to convenience.
2. If you want something done right, you've got to do it yourself.
So, lesson learned: Be your own cloud.
sig: sauer
Cloud services are the spiritual succesor to the BOFH. All the power, none of the responsibility.
I have a malicious and friend delete proof dropbox. I simply have my linux server copy and sync the files. if they all disappear, they all reappear as the server puts them all back. The only way to delete them is to rename then with a special prefix, then the server will actually delete them.
IF you trust the cloud for security or reliability, then you are a fool. Always set up your own systems to automatically back up and manage on top of the cloud service.
Do not look at laser with remaining good eye.
People commenting without reading the article.
I run BitTorrent Sync among several machines and keep backups with SpiderOak. Their zero-knowledge policy lets me sleep well at night.
Trolling is a art,
Yet another relevant xkcd: Reverse Identity Theft
Never had any of the problems you've described. 1 anecdote for, 1 anecdote against, guess it's a wash folks ;)
One could work around these problems by encrypting the files on the local machine before storage to a remote machine. But what new blocking problems does this create?
I own a Synology NAS. It's great and includes plenty of useful features, including a dropbox/box-like application where one can sync files easily to any of their devices. No storage limit (other than the NAS and the storage of whatever devices I'm syncing to) and there's far more other things you can do besides the dropbox-like feature. Why should I pay a monthly fee to let someone else have all my important files, when I can easily host my own? It works great and I never have to worry about some provider getting hacked or changing their TOS.
Of course, one should back up their NAS (and there's plenty of easy ways to do so on the Synology), but the point is if people are concerned about their data, they should take responsibility for it.
Just because it is in the cloud doesn't mean you don't still need backups.
The simplest way to remember how to back up your images safely is to use the 3-2-1 rule.
3 copies of any important file (a primary and two backups)
2 different media types (such as hard drive and optical media), to protect against different types of hazards.
1 copy should be stored offsite (or at least offline).
A cloud service can count as a different media type and offsite, but it doesn't fit the bill for everything.
Learning HOW to think is more important than learning WHAT to think.
Cue the Nelson "Ha-Ha" picture here...
As a CISSP with 25+ years in the IT industry, I can wholeheartedly advise that anyone who stores their mission-critical data in anyone's "cloud" without local backup copies that are positively under your control, and a "Plan B" ready to access that backup data... then that person is a complete retard (and you should pronounce that as "REE-tard" for the proper level of dramatic emphasis).
Oh, and BTW... if you think your confidential data is secure from anyone else's eye while "encrypted in the cloud", you're doubly retarded.
We told you so!
I don't use the cloud to store anything more than photos, but, that being said, your backup solution I don't think should be a 1 stop shop. I have thousand upon thousands of photos I've taken over the years. I store those in the cloud, PLUS, I keep a copy on my primary computer, DVD's & a pair of backup HDD's. I don't want to lose the memories captured over the years. Everyone should always keep a couple of copies, be it a backup, or a couple ghost images somewhere.
In the age of terabyte drives why turn your valuable data over to others?
Because you need someone to hold onto your terabyte drives in case of physical disaster. And because popular home ISPs tend to frown on using a home PC with a terabyte drive as a server.
So the loss of my Box.com folders was not a personal tragedy. (Had I lost my Dropbox account, though, I would have been screwed.)
How is it that a supposed expert on using IT, a person who writes a blog for a renown IT website and who gets paid to pontificate on the cloud, can even admit to this error? One would think that he of all people would religiously back up his data so that there could never be a situation where he "would have been screwed." I figure it's a twist on the old adage in which those who can, do, and those who cannot, blog about it.
As a backup. This guy was apparently using it as primary storage, and not backing up.
Best Slashdot Co
Hey now! You're being very unfair to encased geological samples!
Best Slashdot Co
Backup and replication (a form of DR == Disaster Recovery)
Good luck !
So maybe it is 3 :-)
New things are always on the horizon
What has always struck me about "The Cloud"; is that it is mostly wonderful marketing; "The Cloud". Now if you called it remote servers folk would have been a bit tentative, and maybe a bit more mindful of the potential problems. Convenient sure, but sh** happens, and for me, I tend to like to have only myself to blame when something goes wrong with my sh**. Do I use some remote server services (I get a bit creaped-out by sticking stuff in "The Cloud"); sure. But only there, seems to me I'm playing Russian Roulette with my info.
Offsite storage to ensure no data loss? Good idea. A bad idea is using online storage as it will be a matter of when (not if) they have a major failure, get hacked, go temporarily brain-dead, declare bankruptcy, or just suffer the boring disgruntled employee scenario. A better idea is rotating media to a meat space security deposit box in a bank. No you won't have the convenience of having your files at your fingertips, but neither will anyone else, ffs.
The _local_ phone, gas, electric, company, my landlord, &c. are pretty much guaranteed to have a lawyer who is local and has standing w/ the local Bar, and have to take seriously, legal action at a local level.
National / multi-national companies w/o a physical presence in a community, don't have to care about being sued in some tiny little town they've never heard of and don't care about.
Sphinx of black quartz, judge my vow.
"10 guys managing 1000 customers"
You more likely meant "10 guys managing 10,000 customers"
Or 100,000 customers with those 10 guys running a lot of scripts to
monitor for anomalies.
"10 guys managing 1000 customers" LOL
Where is the profit in that?
Let's see. So that is one user's lost files? and it worked perfectly for the other 100 million users that used the cloud? That system has major flaws!!!
Actually I suspect nothing is really deleted, just marked inaccessible to the owner but still available to the cloud company and any subpoena or court order.
Please encrypt your stuff yourself (not the cloud's encryption) before uploading.
I love the concept of being able to access one's files anywhere.
We love the concept of being able to access everyone's files anywhere ;-)
Sincerely,
The NSA.
That sounds like a law you just made up.
Let's try it out:
Brad, if you have any employees, please fire one of them.
Am I going to jail for saying that?
Dropbox
GDrive
Amazon
SkyDrive
Pitty they are all in USA, any that are NON usa based?
Liberty freedom are no1, not dicks in suits.
Uploads all his/family's medical to the cloud? causing his own HIPAA violations for being an idiot.
NEWS JUST IN!
Dan Tynan stores ALL his sensitive info on SkyDrive & Dropbox and is a fucking moron!
If you want to own something, don't give it away. Big surprise. Meanwhile, the author proposes one solution, and labels it absurd: carry a usb thumb drive. Never mentions running their own cloud.
Roll you own. It's not difficult.
Pitty they are all in USA, any that are NON usa based?
Tarsnap, by Colin Percival (author of the scrypt algorithm).
It's based in Canada and, although the slices of data are stored on Amazon S3 (USA), the actual data-encryption and key handling is done on the opensource source client (which is audited a lot, thanks to a bug bounty by the author).
Specially, the kind of mismanagement that happened to TFA's Author is impossible with tarsnap.
Access and the various key which control who has access to what are controlled by the client. The admin (in this case: Colin Percival himself) can't do much without the keys which aren't available to him (they are stored client-side). The only thing which goes from/to the server are encrypted packets of data.
Tarsnap is a bit less userfriendly for quick-sharing of files (what TFA's Author uses specifically the box.com account).
But on the other hand, tarsnap is perfect for periodical backups/snapshots (with deduplication) of the critical folders with critical information (authors gives dropbox and skydrive as exemples of share where critical informations is backed-up: work documents, financial data, medical records, etc.). Those would have been much more problematic if control was given to the wrong person, as the author mentions (for example: financial data ending in wrong hands would be a treasure trove of data for identity stealing. And if this data get erased by mistake, the author would be on trouble in case of IRS audit).
But that's impossible with scheme where the control is done using crypto keys, instead of a status in a database somewhere.
(Tarsnap data can't be made accessible to someone else. In fact, it can't even be made again accessible to you if you lost the keys. No keys, no anything).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
It depends on the service.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.