How 'The Cloud' Eats Away at Your Online Privacy

Tom Henderson, Principal Researcher at ExtremeLabs Inc., is not a cloud fan. He is a staunch privacy advocate, and this is the root of his distrust of companies that store your data in their memories instead of yours. You can get an idea of his (dis)like of vague cloud privacy protections and foggy vendor service agreements from the fact that his Network World columnn is called Thumping the Clouds. We called Tom specifically to ask him about a column entry titled The downside to mass data storage in the cloud.

Today's video covers only part of what Tom had to say about cloud privacy and information security, but it's still an earful and a half. His last few lines are priceless. Watch and listen, or at least read the transcript, and you'll see what we mean.

Another worthless video article

a) everyone on Slashdot knows that "cloud" and "your privacy" are contradictory
b) hint, people not on Slashdot won't see the article, so posting it is irrelevant
c) video articles suck balls, nobody wants to hear some dork talk when they could read the piece in 1/4 of the time

Re:Another worthless video article

[ShanghaiBill]

a) everyone on Slashdot knows that "cloud" and "your privacy" are contradictory

Unless they know about encryption.

Re:Another worthless video article

[Roblimo]

They've always been show/hide on videos, which are the only type of content that needs them. :)

So you know: Like many other Slashdot denizens, I read many times faster than people talk, so I often prefer transcripts to videos myself.

No way! The cloud lets you can do THIS!

[Morpeth]

http://arstechnica.com/informa... /sarcasm

Problem is...

... it's already become entrenched. Facebook, Steam, MMO's, F2P, etc. The only way to put this back in the box would be to take over these companies and I simply don't see that happening. Technology has advanced to the point that corporations will share everything as long as it makes them a buck and they've gotten too used to having exact information about everything. The market is totally transparent to companies. Who you are, where you live, etc. Because you have to provide them with things like your credit card information.

Re:The downside?

[duck_rifted]

Somebody could melt my PC and my code would be safe. Startups can serve their sites and application data from the cloud without having to invest in expensive server farms. When the robots that manage social media websites get confused by a stalker's reports and consequently won't even let you post pictures of yourself or your own family, the cloud is the only option you have left to protect digital memories.

I don't like it. I don't like that the safety of our data, from the perspective of security and persistence, are entrusted to faceless businesses. But we were already subject to that massive vulnerability before cloud computing. Imagine how devastating it would be if your email service suddenly shut down and you didn't have enough time to update people and move data. These businesses hold our entire lives in the palms of their hands, and there's nothing to do about it except to disconnect permanently.

But to say that the cloud is useless is simply wrong. Most dangerous things are useful. Technology is always a healing staff on one end and a blade on the other. Did you ever finish Deus Ex: Human Revolution? Did you pay attention to the ending? Most of the part of humanity that influences our progress has already chosen to side with Sarif.

Today's Headline

Old man yells at cloud

Re:Today's Headline

[Enry]

clod yells at cloud

My own private cloud

[BobSwi]

ownCloud 8 on my Raspberry Pi is working just fine for me.

Re:My own private cloud

[Rich0]

ownCloud 8 on my Raspberry Pi is working just fine for me.

If only. It is lacking most of the features of Gmail/Google Docs/Google Play/Google Music.

I'd really love to have open-source alternatives to the cloud. The problem is that the best anybody seems to come up with are X11 apps plus some kind of dropbox synchronizer or something. If it doesn't work entirely from a browser, then it is a non-starter.

Re:My own private cloud

[Wootery]

Neat. I don't think it has a word-processor though.

Re:My own private cloud

[Rich0]

Try Cozy then.

Thanks. It looks a bit better than some of the options out there, but it is still missing email and documents (word processing, spreadsheets, presentations). So, it is hardly a google apps replacement, but certainly it is going in the right direction.

The Google Plus logo

[Roman+Mamedov]

The Google Plus logo in the corner gives this video a special kind of hilarity.

Re:The Google Plus logo

[Roblimo]

Believe me, both Tom (a friend *and* a /. reader) and I are 100% aware of the irony.

Tell us something new

[Enry]

Been hearing this argument for years. It's still valid, but comes down to how much you care. I store my music with Amazon, but that's mostly because I want to have access to it everywhere. My CDs were ripped years ago and exist on my home server and Amazon and Google. I use Amazon and Google, but if something happens to either of those, I still have my originals. It's more likely that my home RAID array will eat itself before Amazon or Google get corrupted.

Re:Tell us something new

[postbigbang]

They're *your* assets, CDs, pics, but also the personal bits about your identity. What's your identity worth?

Oblig. Simpsons

Old man yells at cloud.

Re:The downside?

[Sarten-X]

The upside is that my problems are now someone else's problems.

I no longer need to manage my long-term backups for my team's projects. They go off to a cloud provider, and if we really need something, we can get it back, and I don't have to worry about keeping tapes or disks around, and I don't have to be the one going through the library to find some old media. Data is encrypted prior to archival, so privacy isn't really a big deal.

I no longer have to worry about constant availability. If my local servers go down for a few minutes, maybe a user will notice. If they're down for an hour, I'll probably get an annoyed email, but I will get that email because our constant-availability services are hosted elsewhere.

Now, I do still have local servers to manage. I do still keep a decent number of nines, and I do still make my nightly backups, but I don't need to be managing every aspect of every problem. I can push that responsibility elsewhere, and make my workload more manageable without bringing on significantly more risk.

Thank you, Tom Henderson

[itzly]

Your facial features, voice and speech patterns have now been included in the cloud databases. Thank you for your cooperation.

Proper usage

[Earthquake+Retrofit]

If private data is defined as what you don't want others to see and public data is defined as what you want others to see, which is appropriate for the cloud? Seems easy to me: if you need to keep secrets, keep it off the internet. And you might think about how easy security is if you only use your powers for good not evil.

More people should self host

[Karmashock]

I have a raspberry pi that I use to host a personal website. It is just for me and a couple friends and it associates a free subdomain with my home dynamic IP.

I have access to my home movie and music library anywhere, can remote into my home systems whenever I want from my phone, and can host any file I want on line without having to give it to a third party.

That's the trick. Remove the third party.

Is it more expensive to self host? Not really. I want these things stored locally anyway. So I just link my local drives to the pi. So self hosting cost me about 25 dollars... total and done.

The only thing I use the cloud for is offsite backups and only of a few critical things.

Beyond that, why involve a third party?

Re:More people should self host

[Rich0]

I have access to my home movie and music library anywhere, can remote into my home systems whenever I want from my phone, and can host any file I want on line without having to give it to a third party.

There is a lot more to the cloud than a page full of links behind .htaccess or whatever.

I'd love to self-host, but I don't see any FOSS options that are equivalent to the likes of Gmail or Google Docs or Google Music. There are some web-based email applications, but they're pretty weak. I've yet to find one that lets me archive/delete/spam an email with a single keystroke.

Re:More people should self host

[Karmashock]

Name a feature you want and it exists. I grant the listings are often poorly organized but what do you expect from FOSS? They're almost always poorly organized.

You get good at searching through that stuff. You learn the terms. And it all comes into focus.

What you want to do is archive, delete, or send to spam on a single keystroke?

That's more a matter of the email client itself than the server. I suppose you're looking for a good webmail client?

Not a fan of them personally. Email clients simply do a better job than the crap that approximates one in a website.

But I'm sure you could find a good webmail client that is FOSS if you wanted. It isn't a big deal.

Still.. I wouldn't bother. The email clients that don't bother going through websites are always faster. Even than gmail. A proper email client donkey stomps gmails webclient and always has.

A feature I think is really important for example is auto sorting of email as well as "triggers" that do certain things automatically when some emails come in.

For example, I get a text message on my phone when some of my automated systems send an email to my address with certain trigger phrases in it. The home client checks the box every few minutes. When it gets that message, it puts the message in a special folder and then triggers a script that also sends a text message to my phone.

The vast majority of mail that arrives at my email accounts is automatically sorted. I can receive hundreds of mails in a day and know what I got that matters in about 5 seconds.

And that is entirely independent of the server.

Re:More people should self host

[Karmashock]

Nah, more like "Google announces policy that only effects lazy and or ignorant people"

Don't care.

Re:More people should self host

[Karmashock]

Personal web traffic is typically so low that no one will notice.

If you have high enough traffic that you need that much bandwidth then I don't see how you're going to get free cloud service that covers that volume.

Yes, if you're doing youtube videos or something then fine... but really what else is going to matter?

I self host everything that is private. Anything that isn't self hosted doesn't matter to me. They can sniff those panties all day.

Re:More people should self host

[Rich0]

Name a feature you want and it exists...What you want to do is archive, delete, or send to spam on a single keystroke?...I suppose you're looking for a good webmail client?...But I'm sure you could find a good webmail client that is FOSS if you wanted.

So, obviously you've never looked for them. I have. The best options right now are Roundcube and Squirrelmail, or the less-FOSS Zimbra. None of them let you archive/delete/spam email with a single keystroke, and I don't think any of them support tag-based email either. That function in Gmail lets me blast through an inbox in about a minute or two, has an offline cached client for Android, and works in a browser.

A proper email client donkey stomps gmails webclient and always has.

And it won't work on a Chromebook or a mobile device with only a browser.

The vast majority of mail that arrives at my email accounts is automatically sorted. I can receive hundreds of mails in a day and know what I got that matters in about 5 seconds...And that is entirely independent of the server.

If you're doing it on a client, then it is useless when you're not using that particular client. That's the whole point of the cloud - you're not tied to one client. MAYBE I could get by with a curses-based email client over a terminal, but giving up a GUI seems like a poor move anytime after around 1990.

My email is all sorted as well, typically in more than one way since I'm using tags. Stuff I follow goes in the inbox, stuff I browse more by group doesn't go into the inbox.

Re:More people should self host

[radarskiy]

"Remove the third party"

You ran point-to-point network links to everyone who want to get to your website? Impressive!

Re:More people should self host

[Karmashock]

I'm familiar with them, I just don't use them because email clients are superior.

As to not working on a chromebox... why would I use such a thing. They're trash. I can get a laptop for the same money that can run real software. The only value of the chrome box is that it is arbitarily limited in its ability. And I can get the same effect by installing a Kiosk GUI ontop of windows or linux. So there's no point to the chromeboxes. I've looked at them a few times and that anyone buys them can only be attributed to ignorance.

As to smartphones that don't have email clients... there is no such thing. Any smartphone either android or iOS or blackberry has email clients.

As to doing it on a client not being useful elsewhere, wrong. I use IMAP boxes which means the desktop client sorts the email on the email server which any other system passively profits from.

I know what I'm doing, thanks.

Re:More people should self host

[Karmashock]

Don't be obtuse

Re:More people should self host

[Rich0]

I've looked at them a few times and that anyone buys them can only be attributed to ignorance.

I already own one and am thinking about buying another. Given a standard laptop I could build my own, but it would be a royal PITA and missing most of the features I care about (secure boot, transparent encryption, trivial re-provisioning, automated updates, etc). I'll probably run a distro in a chroot on the side as well, though I try not to use them too much since those are a pain to re-provision and the whole point of something like a chromebook is to not need to be running backups/etc.

It is a bit arrogant to say that anybody who buys one must be ignorant. They simply have different values than you do.

I know what I'm doing, thanks.

I never claimed that you didn't. You've found something that apparently meets your own requirements. Unfortunately, it doesn't meet mine. Most of your post has basically suggested that I must be an idiot for having the requirements that I do. You're entitled to your opinion, but you'd be amazed about how little I care about what it is in this case. :)

Re:More people should self host

[Rich0]

So anything that won't work on a Chromebook is out? Well, then you are already a Google fanboy and should keep using your beloved cloud. The whole point is to stay AWAY from the cloud and being tracked. You can't do that if you elect to use a fucking tracking device anyway.

There is no reason that a Chromebook needs Google to run. If there were an FOSS alternative to the services google provides (including authentications/etc) you could just as easily build chromiumos to use those, and self-host those services. I'd certainly being doing that if it were available.

It isn't like I profit from Google having my personal data. They just provide a better level of service than the alternatives. That is more an indictment of the state of FOSS than anything else - the level of service Google provides is not actually all that high. If somebody managed to hack into my Google account I'd be stuck re-creating everything from backups/etc which are a pain to maintain, because it is almost impossible to get customer service from Google.

Oh, and as far as being tracked goes - they'll be doing that whether you use the cloud or not. :)

Re:More people should self host

[Intrepid+imaginaut]

How did you get the subdomain to point to a home dynamic IP? Mine changes every day or so, do you ping the pi or have the pi ping a webserver and update it or something?

Re:More people should self host

[Karmashock]

Look up a category of products called "Dynamic DNS".. the concept is that your router or your home server pings a third party every ten minutes. That associates a subdomain on their system with your current IP. You can this service for free. It doesn't really cost them anything.

Re:More people should self host

[Karmashock]

Be more specific.

Re:More people should self host

[Karmashock]

Yeah, because ignorance and incompetence is sexy, right?

Its people like you that herald the idiocracy.

Re:More people should self host

[Karmashock]

The intent is not to offend but to be honest.

As to getting those features on a laptop... if you have very specific requirements you could set it up once and then ghost the image. There after, the only thing you'd have to do is manage some drivers if you installed it on a new machine.

Explain to me the utility of Secure Boot? When you say transparent encryption, what do you mean? What reprovisioning are you doing on a chrome book? Most OS's have automated updates.

Re:More people should self host

[Rich0]

Explain to me the utility of Secure Boot?

Secure boot ensures that only the software I want on the device is actually present on the device, precluding the ability of a rootkit/etc to be intruding on it (unless that rootkit is housed in the firmware, which I'll grant is a problem). I would prefer if Chromebooks allowed the use of secure boot with a different set of keys - I believe you're stuck with it either on with Google's keys or off.

When you say transparent encryption, what do you mean?

I mean that the user data on the drive is encrypted using a strong key (ie not just a hash of a simple-to-remember password). Having the password to log in is necessary to decrypt the data, but not sufficient. If you were to obtain an encrypted image of the drive and the owner's password, you would not be able to decrypt the image without physical possession of the actual computer. If the computer were re-provisioned since you obtained the image and password, then you wouldn't be able to decrypt the backup at all, since the TPM would be re-initialized.

All of this works without any user intervention or configuration.

What reprovisioning are you doing on a chrome book? Most OS's have automated updates.

If I mess something up (such as playing around with stuff in chroots or whatever) I can just wipe the thing back to factory condition in about 15min, log in, and all by settings are restored despite not having made any effort to maintain my own backups. The whole point of using the cloud is that you don't store anything of value on the local machine - just cached state for offline use/etc.

Re:More people should self host

[Karmashock]

In regards to rootkits, I think the real issue with them is when they get in the firmware and then lock the firmware.

I believe apple products were shown to have a vulnerability where a rootkit could get into the firmware and then write lock the firmware.

My only real worry with nonsense like this is that it can't be fixed. I'm not so worried about rootkits unless I can't get rid of them. So long as the firmware can't be writelocked BY the firmware... I'm happy. Ideally some sort of hardware button override during boot to get access to the firmware in the event that we do want a write locking feature if only to prevent rootkits from intruding.

As to secureboot, from what I can see, windows 10 has it. So there you go.

As to transparent encryption, I can think of a few products that do this actually. I mean... you have to install and configure them but then they just do what you want. I'm not a fan of full drive encryption because I've seen that go horribly wrong especially on the system drive. But encrypting partitions with your data is reasonable. My email, documents, finance information, firefox profile, etc is all on an encrypted partition.

I suppose it isn't transparent in my case because I do prompt to mount and unmount that partition but I actually like that. My machine loads without a password when it is turned on. I don't want a thief to reformat my drive. I want it to be super easy for him to use my machine so that the tracking apps I installed can be accessed by ME. Using those apps, I MIGHT be able to track the person that stole my machine and possibly recover it. But if I can't... they won't get my data.

As to backing up on the cloud. I don't really trust the cloud with my backups. I push all my data at a home file server.

Once every six months, my system drive is ghosted to the file server. And my critical files are updated every day. I don't just overwrite the old download. I use a GFS backup script that maintains versions of my files going back a month. Grandfather backs up once a month. Father backs up every 7 days. Son backs up every day and three copies are permitted in that case. If I don't catch a corruption that is over three days old, then the Father has to catch it from 7 days back. And if that isn't sufficient then the grandfather from a month ago gets it.

I do some other tricky things with my back ups. The files on the file server are duplicated to two external drives and there are error codes up the whazoo if there is a problem such as drive having problems or being unplugged. And those errors are sent to my phone as a text message and to my email.

I haven't had to tweak the system for years really. It just works. But if I need to make a change... the whole thing is just a script so I can really change anything about it.

I like having control.

Re:More people should self host

[Blaskowicz]

I'm sure you have a fine and awesome solution but most people only ever used webmail. Can check e-mail from any place, without having to (at worst) ask for the root or admin password so you can install and configure your beloved mail client.

Re:More people should self host

[Karmashock]

Don't be silly, every smartphone comes with a built in mail client.

This is a stupid conversation. You're not being honest and I have no patience for incompetent deceit.

Re:More people should self host

[Blaskowicz]

Smartphone, what's that?
A computer without a keyboard, without security updates, without battery life, with a high recurring fee to access the network and that wants you to sign up to a google account. I'll pass, it's too immature for me.

Re:More people should self host

[Karmashock]

This discussion is tedious. I've led a mule to water and you are far too stubborn to drink it.

So I'm done. Whatever dude.

Re:Does Slashdot use the cloud?

[diamondmagic]

Nowadays there's nothing it can't mean, but I originally understood it to mean "Virtual machine hosted on lots of identical nodes with no guarantee of uptime for any one node" -- as opposed to a mainframe, or time-shared machine.

Then it sort of became "Use the Internet to store things normally kept on your computer, have your content on all your devices." Well, ok, but that's what the Web is.

Then it was existing, long-established companies just rebranding their service without any change. "Cloud email!" Um, wat.

Re:The downside?

[MobSwatter]

Since the advent of Windows Server 10 which promotes use of cloud storage through integration there is some benefit to it in terms of redundancy, however there is a pretty nasty down side, the 'cloud' serves as an example of a high valued target for Tommy 10 year old script kiddy hidden behind likely only one layer of admin security. In essence the cloud violates the first rule of security, don't put all your eggs in one basket. Then there is the government that is walking the edge of going bankrupt since 1971 and floating on credit ever since that is always looking for ways to make money with hungry corporations looking for marketing data, then there is the aspect of corruption within government doing the same only with a bit more visibility than your average Joe to find targets and way more stingy about it.

I never did like the idea of the cloud simply over rule number one, and there is no way in hell I'd point any type of authentication towards the cloud in hopes of maintaining security of the checkpoint.

Re:The problem isn't cloud technology itself.

[gnupun]

And how do you know the binary code running on the server was generated using exactly the same open source code you have been provided with? IOW, the code could be modified without the customer knowing about privacy breaches. Don't be so naive when it comes to security.

Re:mp4 please

[Roblimo]

You didn't notice the change in /. videos to HTML5? Really?

Re:The downside?

[Sarten-X]

The paranoia's adorable, but here in the real world, everything I do is a balance between risk and reward.

Sure, our data could be sold off, but that's what contract lawyers are for, just like any other business deal. Sure, I risk a malevolent company holding my data hostage, but even at increased prices, it's still cheaper than handling the data myself. Sure, I could be using the same rack a terrorist uses, but he could also be renting office space in the same building we use.

My company could, of course, buy its own building, own its own servers, manage all of its own data, and run all of its own processing... and then promptly go bankrupt, because the cost to do that is too high for the extremely limited benefit.

Volume control?

[PhillipNolan]

why do these videos start at 11 and have no visible volume control? My ears work fine thank you. I don't need max volume.