Welcome!

@CloudExpo Authors: Matt Brickey, Elizabeth White, Christoph Schell, Yeshim Deniz, Liz McMillan

Related Topics: @CloudExpo

@CloudExpo: Blog Feed Post

Chris Soghoian on Privacy in the Cloud

Privacy, Encryption, and Government Back Doors in the Web 2.0 Era

Chris Soghoian is giving a Berkman lunchtime talk called: “Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era,” based on paper he’s just written. In the interest of time, he’s not going to talk about the “miscreants in government” today.

Pew says that “over 69% of Americans use webmail services, store data online, or other use software programs such as word processing applications whose functionality is in the cloud.” Chris’ question: Why have cloud providers failed to provide adequate security for the customers. (”Cloud computing” = users’ data is stored on a company server and the app is delivered through a browser.)

NOTE: Live-blogging. Getting things wrong. Missing points. Omitting key information. Introducing artificial choppiness. Over-emphasizing small matters. Paraphrasing badly. Not running a spellpchecker. Mangling other people’s ideas and words. You are warned, people.

He says that providers are moving to the cloud because they don’t have to worry about privacy. Plus they can lock out troublesome users or countries. It lets them protect patented algorithms. They can do targeted advertising. And they can provide instant updates. Users get cheap/free software, auto revision control, easy collaboration, and worldwide accessibility. Chris refers to “Cloud creep”: the increasing use of cloud computing, its installation on new PCs, etc. Vivek Kundra switched 38,000 DC employees over to Google Docs becore he became Federal CIO. “It’s clear he’s Google-crazy.” Many people may not even know they’ve shifted to the cloud. Many cloud apps now provide offline access as well. HTML 5 (Firefox 3.5) provide offline access without even requiring synchronizers such as Google Gears. 

Chris says that using a single browser to access every sort of site — from safe to dangerous — is bad practice. Single-site browsers avoid that. E.g., Mozilla Prism keeps its site in its own space. With Prism, you have an icon on your desktop for, e.g., Google Docs. It opens in a browser that can’t go anywhere else; it doesn’t look like a cloud app. “It’s a really cool technology.” Chris uses it for online banking, etc.

Conclusion of Part 1 of Chris’ talk: Cloud services are being used increasingly, and users don’t always know it.

Part 2

We use encryption routinely. SSl/TLS is used by banks, e-commerce, etc. But the cloud providers don’t use SSL for much other than the login screen. Your documents, your spreadsheets, etc., can easily be packet-sniffed. Your authentication cookies can be intercepted. That lets someone login, modify, delete, or pretend to be you. “This is a big deal.” (The “Cookie Monster” tool lets you hijack authentication cookies. AIMJECT lets you intercept IM sessions; you can even interject your own messages.)

This problem has been wn since August 2007, and all the main cloud providers were notified. It took Google a year to release a fix, and even so it hasn’t been turned on by default. Facebook, Yahoo mail, Microsoft, etc. don’t even offer SSL. Google says it doesn’t turn it on by default because it can slow down your computer, because it has to decrypt your data. But Google does require you to use it for Google Health, because the law requires it. To get SSL for gmail, you have to go 5 levels down to set it.

So, why doesn’t Google provide SSL bu default? Because it takes “vastly more processing power,” and thus is very expensive for Google. SSL isn’t a big deal when done on your computer (the client computer), but for cloud computing, it would all fall on Google’s shoulders. “If 100% of Google’s customers opt to use SSL, it sees no new profits, but higher costs.” “And Google is one of the better ones.” The only better one, in Chris’ view, is Adobe, which turns it on by default for its online image editing service. [Here's a page that tells you how to turn on SSL for a Google Accounts account.]

Chris thinks that cloud computing security may be a type of “shrouded attribute,” i.e. am attribute that isn’t considered when making a buying decision. But, Chris says, defaults matter. E.g., if employees opt employees into a 401K, no one opts out, but if you leave it to employees to opt in, fewer than half do. Facebook, for example, seems to blame the user for not turning privacy features off. “Users should be given safe services by default.”

Part 3: Fixing it

Chris draws analogies to seatbelts and tobacco legislation. He recommends that we go down the cigarette pathway first: Raise publice awareness so that they demand mandatory warnings for insecure apps. E.g., “WARNING: Email messagew that you write can be read, intercepted or stolen. Click here to turn on protection…” [Chris' version was better. Couldn't type fast enough.]

Or, if necessary, we could pass regulations mandating SSL. T he FTC could rule that companies that claim their services are safe are lying.

Q: [me] How much crime does this enable?

A: The tools are out there. But there's no data because intercepting packets leaves no traces.

Q: How about OpenID?
A: The issue of authentication cookies is the same.

Q: Should we have a star rating system?
A: Maybe.

Q: The lack of data about the crime is a problem for getting people to act. Maybe you should look at the effect on children: Web sites aimed for children, under 18 year olds using Facebook…
A: Good idea! Although Google’s terms of service don’t allow people under 18 to use any of their services.

Q: People also feel there’s safety in numbers.

Q: How much more processing power would SSL require from Google?
A: Google custom builds its servers. Adding in a new feature would require crypto-co-processor cards. I don’t think they have those. They’d have to deploy them.

Q: There are GreaseMonkey scripts that require FB to use SSL. Worthwhile?
A: FB won’t accept SSL connections.

Q: Google Chrome’s incognito mode? Does it help with anything?
A: It helps with porn. That cleans up your history, but it doesn’t encrypt traffic.

Q: The vast majority of people where I live don’t lock their house doors. And [says someone else] people don’t lock their mailboxes even though they contain confidential docs.
A: Do you walk around with your ATM PIN number on your forehead? Your bank uses SSL because it’s legally responsible for electronic break-ins, whereas Google isn’t.
A: The risk is small if you’re using a wired ethernet connection or a protected wifi connection.

Q: With seatbelts and smoking, your life’s at risk. For Gmail, the risk seems different. There aren’t data, screaming victims, etc. It makes the demand for regulation harder to stimulate.
A: The analogy doesn’t work 100%. But I think the disanalogy works in my favor: It’s hard to have a cigarette that doesn’t harm you, but it’s easy to have a secure SSL connection.

Q: Shouldn’t business care about this?
A: Yes, CIO’s can make that decision and turn on encryption for the entire org. Consumers have to be their own CIOs.

[from the IRC] Maybe the govrnment wants Google to be insecure to enable snooping.
A: Allow me to put on my tin foil hat. Last year the head of DNI said that the gov’t collects vast amounts of traffic. We don’t know how they’re doing it, which networks they’re collecting data from. If Google and AT&T, etc., turned on SSL be default, the gov’t’s job would be much harder. Google has other reasons to keep SSL off, but it works out to the gov’t’s benefit.

Does Adobe’s online wordprocessor, Buzzword, offer SSL for its docs?
A: Don’t know. [It does] [Tags: ]

Read the original blog entry...

More Stories By David Weinberger

David is the author of JOHO the blog (www.hyperorg.com/blogger). He is an independent marketing consultant and a frequent speaker at various conferences. "All I can promise is that I will be honest with you and never write something I don't believe in because someone is paying me as part of a relationship you don't know about. Put differently: All I'll hide are the irrelevancies."

@CloudExpo Stories
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...
"DX encompasses the continuing technology revolution, and is addressing society's most important issues throughout the entire $78 trillion 21st-century global economy," said Roger Strukhoff, Conference Chair. "DX World Expo has organized these issues along 10 tracks with more than 150 of the world's top speakers coming to Istanbul to help change the world."
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
While the focus and objectives of IoT initiatives are many and diverse, they all share a few common attributes, and one of those is the network. Commonly, that network includes the Internet, over which there isn't any real control for performance and availability. Or is there? The current state of the art for Big Data analytics, as applied to network telemetry, offers new opportunities for improving and assuring operational integrity. In his session at @ThingsExpo, Jim Frey, Vice President of S...
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
"We are focused on SAP running in the clouds, to make this super easy because we believe in the tremendous value of those powerful worlds - SAP and the cloud," explained Frank Stienhans, CTO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained , Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are still a relatively small software house and we are focusing on certain industries like FinTech, med tech, energy and utilities. We help our customers with their digital transformation," noted Piotr Stawinski, Founder and CEO of EARP Integration, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I will be talking about ChatOps and ChatOps as a way to solve some problems in the DevOps space," explained Himanshu Chhetri, CTO of Addteq, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
The financial services market is one of the most data-driven industries in the world, yet it’s bogged down by legacy CPU technologies that simply can’t keep up with the task of querying and visualizing billions of records. In his session at 20th Cloud Expo, Karthik Lalithraj, a Principal Solutions Architect at Kinetica, discussed how the advent of advanced in-database analytics on the GPU makes it possible to run sophisticated data science workloads on the same database that is housing the rich...
"We are an IT services solution provider and we sell software to support those solutions. Our focus and key areas are around security, enterprise monitoring, and continuous delivery optimization," noted John Balsavage, President of A&I Solutions, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.