Schneier on Security
A blog covering security and security technology.
July 30, 2009
Risks of Cloud Computing
Excellent essay by Jonathan Zittrain on the risks of cloud computing:
The cloud, however, comes with real dangers.
Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)
Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.
Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.
Here's me on cloud computing.
Posted on July 30, 2009 at 7:06 AM
Private corporations fooling with your data can do you much harm...
...but government can do much worse.
And governments have the habit of collecting everything that is within their reach.
So for private data the simple solution is: keep it out of reach.
Once data leaves your computer (via wires or storage media) you have to assume it's fair game for everyone to read/copy/use/redistribute/crack it.
The Doctor makes a good point. One that I was discussing the other day; essentially it boils down to one question:
If a government wants to read your email, is it easier for them to take it from your computer (Outlook) or take it from Google (Gmail)?
I'm interested to see what people think - if that's OK with you Bruce...
At least in Germany/the EU, online is easier.
The problem is that forms of access that would create an outcry all over the country if done physically are mandatory/easier when applied to data.
See data retention: the paper mail equivalent would be to scan all addresses on every letter and store them for half a year.
2nd problem: Mass access.
Searching 10 thousand houses for computers with Outlook is next to impossible.
Searching through 1 billion Gmail accounts is a piece of cake.
@ thedoctor - we don't know if that is already done: the letter-sorting machines could be patched to store the scans and make them available to govt/law agents
It is not just data, it is metadata and processing methodologies as well.
Data is in reality bits and bytes that have some limited structure which may or may not be apparent to an observer.
The metadata is not just the structure of the data, but also it presents some limited meaning to the data values. These meanings may or may not have their own metadata (dogs have fleas upon their backs...)
The data may in and of itself require processing in some form to become meaningful (think zip files and chain encryption).
If you do not have full access to these then your data is as good as in the big bit bucket /dev/null.
As we have seen, applications have their own "proprietary formats" even within open formats.
Also processing methodologies can be hidden in run time code well beyond any specification.
We know that many software producers regard the application code and the processing methodologies as commercial secrets that you can use but have no understanding of.
In Europe and Russia you have a limited right of "reverse engineering" to prevent significant "data loss". However this can only happen if you actually have access to the source, which with "online apps" you don't.
All of the above needs to be considered. Having all the rights to your data via contract or legislation is of little use if you do not have access to other parts.
You have to know and understand this in great depth before you consider any other of the very many other security issues.
Having seen numerous cases of major projects with 1000+ page contracts go bad and the data becoming a hostage due to some clause or oversight in a contract I would certainly make,
If it's in the cloud it is lost to you forever get over it.
As Cloud Rule No1, in the same way as it is for a bust hard disk without a backup.
Oh and the second rule as,
"It will go wrong period"
Therefore plan to move to another supplier at instant notice as a basic operating requirement.
Which, if you cover both of these rules properly, means you really should have a very good answer to,
"Why can this not be done in house"
And the answer had better not be one of resources otherwise you are in trouble before you start.
Yes, I know.
Easy as hell, and dead on illegal...
...but if such a thing would leak (and it would !), even the most conservative grandpa/grandma would rip that government to shreds...
...so up to now our godsend leaders are fearful to do such a thing.
I see this come up a lot, and I think the first comment on any of these articles is that there is at least a partial solution: Use AGPL software.
It's open source, and it is a guarantee that your data will belong to you at the end of the day. There is an excellent wiki coverage of available software over here http://autonomo.us/wiki/Wish_list
There is also the diso project, working to bring down the walled garden model of network services. Once it is on your server, you have a whole host of extra privileges, without having to give up the network effects.
"Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader"
Good essay? How about: poorly-researched essay. There was no change of heart by the publisher. A publisher was selling pirated copies of the book through Amazon. When Amazon discovered it sold the books illegally, it overreacted. But there was no "change-of-heart" by any publisher.
It's not yet a problem, but does anyone remember "Fahrenheit 451", where gov't used the fact that everything was on computers to manipulate the information? It is less likely for anyone to manipulate the information on millions of personal computers, but given sufficient computational power and access it doesn't seem impossible (automation). I wonder if NSA is creating any botnets for experience in mass computer security breaking.
@nick The copies were not pirated, they were from a country whose gov't is less controlled by Disney and Hollywood, and where Orwell's works had recently entered the public domain.
@billswift: They were pirated. They were being intentionally sold in America where such a sale is a violation of the Copyright Act. You can't legally ignore one country's copyright law by importing from a country with a different law.
"Good essay? How about: poorly-researched essay. There was no change of heart by the publisher."
Op eds tend to have longer lead times than news, and Zittrain notes on his blog that "the Kindle/Orwell incident broke about ten minutes before the piece closed:"
So he was probably going on early reports that didn't give the full story. Obviously, in retrospect, it's wrong -- and I'm a little surprised the Times didn't fix it -- but it's two sentences tacked on to an op ed that was already complete without them.
@ Nick, billswift,
"They were pirated. They were being intentionally sold in America where such a sale is a violation of the Copyright Act. You can't legally ignore one country's copyright law by importing from a country with a different law."
Nick: first off they were not pirated, they were legally produced in country X. The fact that they were imported (questionably) into country Y does not make them "pirated". It might possibly make them illegally imported, but a court would have to decide on that depending on who the primary rights holders are and which jurisdiction they are in.
The arbitrary increase by the US of "copyright" time is a legal nightmare.
For instance you have a work made in country A and the primary rights holder is also in country A. However you have a secondary rights (distribution etc) holder in country B. Provided both countries expire the copyright at the same time there is no issue. However if country B extends the time after the secondary rights were signed over you have a real legal problem.
Because you have a contract between the primary rights holder and a secondary rights holder which is in effect breached because it should have expired on the loss of copyright by the primary rights holder. However the secondary rights holder because of the extension by country B to copyright time assumes (probably incorrectly) that they still have the secondary rights.
However a contract can only exist if something is exchanged in both directions (goods for consideration etc). Now you have the primary rights holder not able to supply their side of the contract, and if the secondary rights holder was to make payment as the contract requires then it would be an illegal payment.
And obviously the converse applies in the opposite direction.
How this sort of issue is to be resolved is a nightmare. The simple solution is that the contract becomes void because one or other of the parties cannot legally, in their jurisdiction, fulfil their contractual obligation.
For an organisation to maintain that the contract is still in place in their jurisdiction is a nonsense, because they cannot fulfil their contractual obligation without effectively breaking the law in the other jurisdiction.
And having a contract that gives a jurisdiction primacy is likewise ludicrous.
How this will pan out should it ever get to court is going to upset a lot of people one way or the other; the peg is obviously not round and the hole is, so it's got no chance of being a good fit without damage to either the peg or the hole or both.
And yes this is a major concern for cloud computing, because in which jurisdiction does the law apply over the "data", and is the data an original or derived work etc, and if derived, in which jurisdiction was it derived...
The joy of "action at a distance" when it crosses a jurisdictional boundary is going to cause all sorts of headaches; likewise, is a backup a copy or a derived work?
"Obviously, in retrospect, it's wrong -- and I'm a little surprised the Times didn't fix it -- but it's two sentences tacked on to an op ed that was already complete without them."
Welcome to another thorny legal debate that is only just getting started.
In the "printed world" you issue a retraction or corrective update as it is in practice impossible to either recall or modify the issued printed copies.
However in the "electronic world" things are in many cases mutable. So it is possible to modify "to be correct" but what happens with "fair use" copies.
Some US news outlets have taken to modifying, others to adding.
My personal choice for many reasons is even though you can change you should not as you destroy the historical record on which derived works are based.
Unfortunately, as seen in the UK, some judges have decided to enforce modification rather than the addition of a retraction or correction. I think they are being very shortsighted, as they are ordering a change in the historic record. And the law very much depends on the immutability of the historic record...
So I think the Times is correct to let the work "stand as is" but wrong not to add a correction.
"A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password."
I don't get it. Someone used the same (bad?) password for personal and work accounts, so after an attacker gained access to the (presumably less protected) private password, they could log into the work account. Isn't the problem that you shouldn't use the same password everywhere, and especially not for both high-value and low-value accounts? Wouldn't that have worked for any work account that is internet accessible? What's the cloud got to do with it?
First, cloud is just another word for an IT service provider. Note that Zittrain skips right over a definition. Is it just a fancy word for server? He doesn't say.
He does say:
"Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password."
This is totally misleading.
Before what? Before networks? If I set up mail servers and file servers and provide web access to users... then all you need is a password.
Difference? This could be a cloud, or not a cloud, depending on your marketing preference.
Clouds are not inherently more risky because they use passwords to provide network access to sensitive files. That risk was established well before.
There are certainly risks unique to the cloud. This just isn't one of them.
He is correct when it comes to privacy but again this is not a cloud issue. This has always been a service provider issue. When you give your stuff to someone else to hold, do you have any guarantees they will not turn it over to the government on request? Not a problem unique to clouds.
>the letter-sorting machines could be
>patched to store the scans and make
>them available to govt/law agents
I would be completely floored if that WASN'T already in place.
The sorting machines are pretty sophisticated. It would be trivial to add storage to technologies like this http://www.cedar.buffalo.edu/hwai/... to keep a log.
Now add a bar code to the bin they collect mail from a drop box or that the carrier picks up on his route and you can at least track a letter back to the drop box or carrier route of origin.
On the main topic, agree with Davi & Daniel.
The problem isn't cloud computing.
The problem is remote access without two factor authentication, which allowed a password guess to work.
Same vulnerability exists with a corporate mail server web interface or VPN that doesn't use two factors.
I read the password issue differently. The twitter employee may have used different passwords on his personal email and google, but using google's "reset password" feature and collecting the new password via the personal email would be an "escalation of rights" attack.
From there, the attacker simply looked at what was available in google docs, and lucked out that work documents were stored in "the cloud". At no point was the employee's work password ever involved, but that's the point. With the cloud, the attacker never even had to touch a twitter computer, physically or electronically.
The same point with "before"... Of course since networks you have been able to remotely access a vast smorgasbord of company computers. The aggregation of the cloud means you don't even have to do that any more, you just need to find one (of presumably many) hole to wiggle your way in.
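The two readings above (a guessed or reused password, and a reset token collected from a compromised recovery mailbox) both boil down to the "remote access without two factor authentication" point made a few comments earlier. As an added example, not code from Schneier, Zittrain or any commenter, the script below models that escalation chain and shows how requiring a TOTP second factor (RFC 6238, built on HOTP from RFC 4226) at the reset step stops an attacker who only controls the recovery mailbox. The account names, mailbox simulation and `RecoveryService` class are constructed for the demonstration and do not describe any real provider's flow.

```python
"""Password reset gated by a TOTP second factor (added example).

Models the chain discussed in the thread: an attacker who already
controls a user's recovery mailbox requests a reset on a second
account and reads the reset token out of that mailbox. Without a
second factor the mailbox alone is enough; with TOTP enrolled the
same attacker is stopped. Account names and the in-memory mailbox
are constructed stand-ins, not any real service.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced mod 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter set to the time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, now // step + delta), code):
            return True
    return False


class Account:
    def __init__(self, name, password, recovery_email, totp_secret=None):
        self.name = name
        self.password = password
        self.recovery_email = recovery_email
        self.totp_secret = totp_secret   # None means no second factor enrolled
        self.pending_token = None


class RecoveryService:
    """Issues reset tokens to the recovery mailbox and completes resets."""

    def __init__(self):
        self.mailboxes = {}   # constructed stand-in for e-mail delivery

    def request_reset(self, acct: Account) -> None:
        acct.pending_token = secrets.token_urlsafe(24)
        self.mailboxes.setdefault(acct.recovery_email, []).append(acct.pending_token)

    def complete_reset(self, acct: Account, token: str, new_password: str,
                       totp_code=None, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if acct.pending_token is None or not hmac.compare_digest(acct.pending_token, token):
            return False
        # Weak flow: possession of the mailbox alone proves ownership.
        # Hardened flow: an enrolled second factor is required as well.
        if acct.totp_secret is not None:
            if totp_code is None or not verify_totp(acct.totp_secret, totp_code, now):
                return False
        acct.password = new_password
        acct.pending_token = None
        return True


def attacker_with_mailbox_only(acct: Account, now: int) -> bool:
    """The chain from the thread: the attacker owns the recovery mailbox,
    so they read the reset token, but they hold no TOTP device."""
    svc = RecoveryService()
    svc.request_reset(acct)
    stolen_token = svc.mailboxes[acct.recovery_email][-1]
    return svc.complete_reset(acct, stolen_token, "attacker-chosen", totp_code=None, now=now)


def legitimate_user(acct: Account, now: int) -> bool:
    """The real owner completes the same flow, supplying a TOTP code if enrolled."""
    svc = RecoveryService()
    svc.request_reset(acct)
    token = svc.mailboxes[acct.recovery_email][-1]
    code = totp(acct.totp_secret, now) if acct.totp_secret else None
    return svc.complete_reset(acct, token, "new-user-password", totp_code=code, now=now)
```

The `hotp`/`totp` functions reproduce the RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 1 gives `287082`), so the same code can be dropped in front of any reset or login step. The point of the two driver functions is that the reset path, not the login path, is where recovery-mailbox compromise turns into account takeover, so the second factor has to be enforced there too.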
@Clive "Some US news outlets have taken to modifing, others with additions."
The Washington Post (at least their Kindle edition) does post an article with changes.
I noticed this in the world of databases too. What is real, authoritative? How real is real? A hard copy can be interrogated as to where it was, who wrote on it, who approved it, who changed it. With a field in a database modifiable by anyone with access, all you have to interrogate is the phosphor dots on a screen. Not very informative.
I think the problem is not what is a document but what is the difference between "a record" and "a communication".
A record (my info at the phone company) needs change controls a change process including notification and authorization. I move. I submit a change of address notice, they authenticate my identity (they don't but say they did), and a clerk with access and need to know updates the record. That update makes another record in the audit logs.
DHS's IT security manuals were notorious for policy adjustments on a quarterly basis. The only way to see what had changed was by their record of changes. Trace down to the page and chapter and note "Oh, we have to redesign the mainframe to make this happen. Again."
The developers I've worked with regard information as any old bits and bytes. (network engineers are worser they just want to move packets from a to b).
There isn't the notion that some information needs to be authoritative. And authority needs decision making, not some Navy deckhand working a computer terminal. Your analysis on who made the decision to remove the letters from the US/Canada border station speaks to that. A lot of decision making I've seen in Gov't is people making best guesses. I suppose this is a reason we're constantly confusing computer security with information security.
Clive, I meant they could have corrected it before it ran, since the details of the Kindle incident were well known by the time they actually published the op ed. Retroactively editing a newspaper to correct a sentence involving George Orwell would certainly peg the irony meter -- but this is getting rather far afield.
Because the legal issues in the sale are novel (electronic "importation", difficulty in defining what and where "copying" took place) I don't think anyone knows if the books Amazon deleted were "pirated" or illegal or not. But even if they were, Amazon's reaction was unreasonable, as even they now admit.
The problem is that so long as this ability exists, it will occasionally be used in a way that later appears to be completely wrong with varying levels of disastrous consequences. Often it will be done with a lack of appreciation for the collateral damage. (Such as the disconnection of annotations from the sections they annotate in this particular case.)
This is a very real danger in trusting your data to someone else. More work needs to be done on systems where other people do the work for you, but no (or much less) trust needs to be extended.
Considering the high risks right now, imagine what will happen in a few years when this is more mainstream. This article really scared me: http://cloudtechsite.com/news/...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.