ALL BLOG POSTS AND COMMENTS COPYRIGHT (C) 2003-2018 VOX DAY. ALL RIGHTS RESERVED. REPRODUCTION WITHOUT WRITTEN PERMISSION IS EXPRESSLY PROHIBITED.

Tuesday, October 03, 2017

The death of the cloud

This sort of thing is why we don't use the cloud. Frankly, I don't understand why anyone does.
Yahoo said a major security breach in 2013 compromised all three billion accounts the company maintained, a three-fold increase over the estimate it disclosed previously.

The revelation, contained in an updated page about the 2013 hack, is the result of new information and the forensic analysis of an unnamed security consultant. Previously, Yahoo officials said about one billion accounts were compromised. With Yahoo maintaining roughly three billion accounts at the time, the 2013 hack would be among the biggest ever reported.

"We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected," Yahoo officials wrote in the update. "Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected."

The information taken in the heist may have included users' names, e-mail addresses, telephone numbers, dates of birth, passwords scrambled using the weak MD5 cryptographic hashing algorithm, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo said investigators don't believe the stolen information included passwords in clear text, payment card data, or bank account information. Yahoo also provided updated figures in a press release and in a filing with the Securities and Exchange Commission.
As if there is any chance - any chance at all - that they didn't know that all of the information had been taken. Who trusts anything these Big Tech companies say anymore anyhow?

Sure, I use Blogger and Gmail, but always in the full knowledge that everything on this blog and in my email could go public one day. There is no such thing as "security" in social media.


50 Comments:

Blogger Matamoros October 03, 2017 7:16 PM  

The cloud has always given me pause. It's out there with all your stuff. Soon your stuff will become their (or someone else's) stuff.

Keep it on the hard drive.

Anonymous Auntie Analogue October 03, 2017 7:19 PM  

Seems there's as much security in the Global Village as there was in the primeval village. Plus ça change, plus c'est la même chose.

Anonymous Anonymous October 03, 2017 7:21 PM  

"There is no such thing as "security" in social media."

This is exactly the way to look at it. I am not even sure that any computer hooked up to the internet can be totally secured.

I would advise everyone to be very careful with any data that they want to keep "private".

Anonymous A Deplorable Paradigm Is More Than Twenty Cents October 03, 2017 7:23 PM  

Gosh, did anything change in Yahoo leadership in 2013?
Attitudes roll from the top down.

"Cloud" - techspeak for "someone else's computer".

Blogger Nate October 03, 2017 7:24 PM  

never have used cloud storage for anything. ever. i've always thought it was retarded.

that said for something like Alexa... the cloud is fantastic.

Anonymous FP October 03, 2017 7:32 PM  

What has amazed me is seeing many older players in the tech game who bought into the cloud idea so much after years of yammering on about security. Money above all I suppose.

Blogger Nate October 03, 2017 7:33 PM  

"What has amazed me is seeing many older players in the tech game who bought into the cloud idea so much after years of yammering on about security"

what was hilarious was they used "security" as a selling point... and the morons fell for it

Blogger Lazarus October 03, 2017 7:36 PM  

Spooner don't care, he got big meat.

Anonymous Crew October 03, 2017 7:39 PM  

Is this the future of gaming?

https://www.reuters.com/article/us-rovio-ipo-shares/flying-high-after-ipo-angry-birds-maker-looks-to-swoop-on-rivals-idUSKCN1C410J

Anonymous Ominous Cowherd October 03, 2017 7:40 PM  

markstoval wrote:

I would advise everyone to be very careful with any data that they want to keep "private".

Digital can't be private. Private can't be digital. Your options are meat space and private or digital and public knowledge.

This is all just another way of saying that security is inconvenient, or it's not secure.

Anonymous Crew October 03, 2017 7:41 PM  

@5: never have used cloud storage for anything. ever. i've always thought it was retarded.

Not only that, you have to change your whole paradigm and all that software that you wrote that works fine? It's obsolete now.

Blogger LonestarWhacko October 03, 2017 7:44 PM  

Iirc, Benjamin Franklin said a secret can be kept between two people....if one of them is dead. Data has value. Therefore....ANY electronic storage can't be trusted. And as for electronic media that's supposed to be isolated from the net.....best look at that again....

Everything is wide-open nowadays. Personally, I always felt that the net was a real convenient way to gather information. I can remember Belmont Club explaining how data mining and statistical analysis was used to determine who to kill in Iraq. That's been some years back.

Cloud storage is going to ruin most people, imo.

Anonymous Marvin Boggs October 03, 2017 7:47 PM  

If you must use the cloud, encrypt your data BEFORE they leave your computer (and use a password that the cloud provider DOES NOT KNOW).

DO NOT assume that the cloud will always be there; it could evaporate at the drop of a hat.

Blogger Johnny October 03, 2017 7:56 PM  

However much it is they know, it is as much as they admit to and more. I am spared the trauma because my internet hookup is second rate, so on my hard disk most of it remains.

Blogger DonReynolds October 03, 2017 7:57 PM  

Privacy is a bit like effective birth control. If you are actually worried and believe it is important, behave accordingly. Assume there is no such thing.

Never write or type or say anything you would not want broadcast from coast to coast and around the world, with your life history attached, complete with photos, with hard copies sent to your parents and your kids.

Vox is absolutely correct. There is no privacy unless you change the definition of privacy to "state of being ignored, for the time being". Everything you ever did in your lifetime is subject to discovery and question and challenge and review and analysis. There is no privacy.

Blogger Lovekraft October 03, 2017 8:01 PM  

Was there ever a time when we had complete security and anonymity?

Perhaps this is a new level of vulnerability of the person. But eventually, when one realizes that there's no point in trying to hide, he is released from the burden of double-checking his opinions and just lets go.

Liberating, in a way. We know we are answerable to God, and man, with his wicked intent, serves as a pestering annoyance in terms of being a critic.

Blogger Ingot9455 October 03, 2017 8:10 PM  

Just look at what's happening to Paddock. Everything he ever wrote, every picture he's ever been in, and so on. That is what happens to you if the Eye of Leviathan alights.

Blogger James Dixon October 03, 2017 8:18 PM  

> I am not even sure that any computer hooked up to the internet can be totally secured.

Well, if you ran DOS with the Crynwr packet drivers, you'd probably be safe. Almost none of the current Internet would be usable though.

OpenVMS is, as far as I know, secure, but again, usability would be an issue.

OpenBSD also seems to be as secure as it's possible to get for a general purpose operating system, and is probably your best bet if you want something that will work on modern hardware.

Linux, though far more secure than Windows, is now popular enough to be attracting a lot of attention from the hackers, with a resultant increase in exploits. The majority of those exploits are local (not remote) and application exploits, but that makes no difference to users. Windows itself? Don't make me laugh.

> "Cloud" - techspeak for "someone else's computer".

Exactly. You're simply farming out the risk.

> Is this the future of gaming?

No. It's the current fad.

> There is no privacy.

You can get reasonable security on your local machine if you don't run Windows. But anything that goes out unencrypted on the net you have to assume the NSA has. They have anything encrypted too, but with good encryption it will take them 20 years or so to get to the point where they can easily decrypt it. And if it's encrypted, they will keep it for that 20 years, just in case.

Anonymous Post Alley Crackpot October 03, 2017 8:19 PM  

"... passwords scrambled using the weak MD5 cryptographic hashing algorithm ..."

This is still a problem for voice-over-IP (VoIP) protocols such as SIP.

The only workaround for now is to pick a password of sufficient length that the cryptographic strength vastly exceeds 128 bits. This prevents MD5 password hashing attack collisions that resolve to a single password.

As for what 128 bits minimum cryptographic strength in passwords means:
A-Z, a-z, numbers, SQL-safe punctuation = 6.1 bits/character: >= 21 characters
A-Z, a-z, numbers = 5.9 bits/character: >= 22 characters
a-z, numbers = 5.1 bits/character: >= 26 characters
a-z = 4.7 bits/character: >= 28 characters

Naturally, a reasonable working minimum adds at least 10 to all of the numbers above.

Our VoIP systems accept passwords of up to 64 characters, so we use passwords that are about that long. This gives us roughly 300 bits of cryptographic strength in our passwords, which makes MD5 password hashing attack collisions extremely unlikely.

As for the cloud, we prefer to implement our own private cloud services, but then again that's fairly much like saying that rain is wet and that cats like to sleep on window sills.

This basic training course in cryptographic security is brought to you by the letters [redacted] and [redacted] and the number [redacted]. :-)

Blogger Scott October 03, 2017 8:19 PM  

4chan strikes again. https://i.redd.it/z7ma82sfxopz.png

Anonymous Carnivore October 03, 2017 8:28 PM  

Friend is employed by a tech corporation that went that route. He says they used to have their own email servers in a secure data center along with their in-house data-sharing library. Of course that's much too expensive. Company dumped the data center hardware and IT staff and went with Google Mail and Drive. He said the company continues to require its engineers to complete yearly 'protect our proprietary information' classes even though all that 'proprietary information' is stored in the Google cloud.

Anonymous basementhomebrewer October 03, 2017 8:44 PM  

FP wrote:What has amazed me is seeing many older players in the tech game who bought into the cloud idea so much after years of yammering on about security. Money above all I suppose.

The crazy part is major corporations are putting their ERP systems in the cloud. Great idea guys! Let's trust running our whole company to a 3rd party. Most companies that deal in physical products cannot run at all or at only a fraction of normal operations when their ERP system is down. That's not mentioning confidential financial information that you are trusting to a 3rd party.

I will forever maintain that 90% of business decisions at the executive level are wholly based on advice given in business and industry magazines. This advice tends to be doled out by people who do not actually, nor have they ever actually, worked in a normal business environment. They have worked in a combination of academia, consulting and in the magazine industry. The cloud trend is the same as the "open office concept" trend. It's based on a lot of untested theories that do not work once they hit the reality of the working environment.

"The cloud is more secure because we are experts" Turns into one big target for millions of hackers.

"Open office concept encourages collaboration" Meanwhile workers are afraid to talk to each other because their manager can see them talking instead of working.

Blogger Brad Matthews October 03, 2017 9:12 PM  

Oddly enough, it was your Gab situation that prompted me to drop the username. Taking away their ability to Dox keeps you accountable and consistent. At any time, a social justice hire can "slip" your identity public. If you have posted information you don't want associated with your real identity, you probably shouldn't be posting it in the first place. This way, I can boldly say "Yep, I wrote that. What about it?"

I fully understand that not everyone can or is willing to do this. Plus, user names can be pretty original. i.e. Charlottesvillain and a Deplorable Paradigm (Deploradigm?) is More than 20 Cents.

Anonymous User October 03, 2017 9:20 PM  

There's no such thing as security for any networked computer system and anyone who tells you otherwise is selling something or taken in by one who is.

The only reasonable assumption is that every ASIC is pwned from the microcode on up. There is no logical or epistemological basis for trusting trust.

Anonymous Exit the Goolag October 03, 2017 9:57 PM  

@VD What do you use for secure communication?

Anonymous Anonymous October 03, 2017 10:10 PM  

software is so open to exploitation at all levels that it's literally impossible for the most prominent targets to secure themselves against attack.

The bigger and more centralized they are the more likely they are to be breached.

This doesn't even get into the asset forfeiture laws which can be used to take down any public cloud without warning, wiping out whatever you have stored there.

The fact is none of this would get off the ground if home internet were symmetric: people could host off their home connections at this point if their upload were equal to down.

Anonymous Armand October 03, 2017 10:17 PM  

@20 Scott: If that is true then it's possible the muslims did not target the concert specifically but simply saw the opportunity after they killed Paddock and decided to kill some infidels for fun. The real question is who shot the security guard and what did he see?

This theory actually fits with the timeline as I understand it. The gunmen fired for 20 minutes but had stopped shooting by the time cops showed up and did not once shoot for the 50 minutes while the cops waited outside the room. By the time the cops arrived the real gunmen had fled and Paddock's corpse was rotting inside while the cops waited for SWAT to arrive.

Blogger dlstacy October 03, 2017 10:30 PM  

@22 - they're better off moving it. The same major companies have outsourced so much of their own IT skills, they don't know how to do anything including maintaining the security of their own infrastructure stacks.

Blogger Mocheirge October 03, 2017 10:41 PM  

Exit the Goolag wrote:@VD What do you use for secure communication?

I use pen/paper + decoder ring. Sometimes, for extra tough encryption, I run my messages through the ring twice.

Blogger TM Lutas October 03, 2017 10:42 PM  

@26 A simple truth in advertising law that mandates the advertisement of Internet connectivity on the speed of the slower leg would take care of that. It's simple, elegant, and nobody in engineering has to change a thing.

The product itself is just revealed for what it is.

However. There is another problem. Residential service is specifically not for business use and is almost universally port blocked on all the useful ports. Want a true internet connection? Shell out for business class.

Anonymous Icicle October 03, 2017 11:02 PM  

4chan strikes again. https://i.redd.it/z7ma82sfxopz.png

I remember the Leland thing. What the actual f*ck?

Anonymous Brick Hardslab October 03, 2017 11:28 PM  

Isn't this how all those actresses got their pics on the internet? Why in the world ( if you're a legitimate actress) would you let some guy film you?

I'm old so maybe I just don't see the appeal. All I can see is the shame to herself and family.

Blogger Student in Blue October 03, 2017 11:46 PM  

Why in the world ( if you're a legitimate actress) would you let some guy film you?

Solipsism.

Anonymous John VI October 03, 2017 11:51 PM  

The thing is. In order to access your data on a "cloud" the pass through code has to have your password. The technology REQUIRES the cloud service provider to know and use your password in order to access your data and files. From there it's just a trust/integrity issue. And they just keep demonstrating their trust and integrity every day.

Don't they?

Blogger dvdivx October 03, 2017 11:56 PM  

I've known several businesses that rolled email and exchange services over to Google or Amazon cloud services. In many cases email goes missing in some cases for weeks. It makes a good backup but putting all your eggs in one basket will just end up costing you in the end. Most of them moved back to a local email server.

Anonymous ~A October 04, 2017 12:51 AM  

Not really.

If you upload a binary file to Google Drive etc, it's a binary file stored there that you can get, and they don't know or care if that is actually an encrypted image of your wife. Similarly, if you write an email where you write everything with some sort of cypher encryption (say, a=p, b=h... so that 'defend the east wall of the castle' becomes 'giuifg cei iprc tpnn du cei qprcni'), the recipient will receive that encrypted text and that is all that the cloud provider will have.

The need to provide decryption keys to cloud services arises only if you want to use their services directly with the encrypted data (I.e., if you want to see a thumbnail of that image in your Google drive). As someone mentioned earlier, convenience over security.

Blogger Snidely Whiplash October 04, 2017 2:37 AM  

This won't kill public clouds because the cloud providers can reasonably claim it's not an indictment of cloud security.
What will kill public clouds is the first sustained outage and/or publicly known serious data breach. Modern megacorps are entirely dependent on their data. Losing access, or having PCI data compromised are about the only things that will change their thinking.

Anonymous Panzer Man October 04, 2017 2:41 AM  

@Icicle

Is this just 4chan weirdness, or is there something tangible behind this? If it's at all true -- holy moley.

Blogger Akulkis October 04, 2017 2:59 AM  

Cyber security isn't basic training...it's a module in AIT.

Blogger Akulkis October 04, 2017 3:28 AM  

It would explain why the audio sounds like AK-47 fire, not M-4/M-16 fire, while the cops say (and presented photos of) the room having a bunch of AR-15/M-16/M-4's.

Indeed, the gun running and being intercepted/blown by Muslim buyers makes a lot of sense. And that would make the girlfriend relevant and explain the $100,000 wire transfer.

Anonymous Anonymous October 04, 2017 4:19 AM  

User wrote:There's no such thing as security for any networked computer system and anyone who tells you otherwise is selling something or taken in by one who is.
There are degrees of security. You can make it difficult to get at your data, or you can make it very easy to get. In most cases, the "slowest zebra" principle applies: you don't have to be the fastest zebra in the herd to avoid being eaten by lions--you just have to avoid being among the slowest. Ask yourself how much damage your data could do in other people's hands, then calculate the security/usability ratio.

As for the "cloud" thing, I never understood why people fall for that. The very terminology is deliberately misleading: surely clouds are neutral, harmless things. Why, a cloud would never hurt your data. Data is safe when it gambols happily among the fluffy clouds.

It goes without saying that Google et al. mine the hell out of anything you store amongst their water vapor. What if someone else takes the data, though? Are they even under any obligation to tell you it happened? I don't think so. I'm not going to hurt myself by reading their ToS, but I really don't think so. Clouds have no contractual obligations.

Anonymous 8859 ways to be fun. October 04, 2017 5:14 AM  

My first day of working for a Fortune 100 company, they told me NEVER, EVER type or say ANYTHING (email, note, memo, internal report, etc...) that I wouldn't be comfortable seeing on the front page of the New York Times with my name and picture attached.

Blogger Stilicho October 04, 2017 5:14 AM  

Clouds are zebra watering holes. Where else would you expect the lions to be hunting?

Anonymous OrangeHat October 04, 2017 9:36 AM  

I used to work for a Gartner-ranked cybersecurity company. I dealt with many end-user customers and managed service providers.

True security requires the right tools, a comprehensive process, and trained people. You have to watch for content as well as intent. You have to watch the entire network, not just the firewall location. You need comprehensive threat intelligence. And all of that costs money.

And the money required to achieve "reasonable" security is viewed as a waste by the management of those companies.

I would watch the sales team do discovery and the panicked reaction of the customer as they realized how vulnerable they were. And the relief on their face when the sales team described how we could secure them. And then the sour look we got when we explained how much it would cost.

And then the customer would buy some piece of hardware and stick their head back into the sand.

They know full well that they aren't secure. But they won't sacrifice their profit margin or raise their prices.

FWIW, achieving good security would require both an IDS/IPS system and a SIEM solution that are managed by human experts (on top of the usual email filtering and firewall, and AV on endpoints)

Blogger Lance E October 04, 2017 1:37 PM  

1. There's no such thing as a "private cloud", that's just a gimmicky phrase for dedicated or virtual private servers.

2. It does not matter if you have 300 bits or 3 million bits of password entropy, the likelihood of an MD5 collision doesn't change because its output space is only 128 bits. "Use longer passwords" is complete nonsense as a mitigation strategy for weak hashing.

You're welcome. Hopefully after reading this, whatever company you work for will change its shoddy practices and stop using MD5.
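
The two comments above (Post Alley Crackpot's bits-per-character table and Lance E's point that MD5's output space is fixed at 128 bits) worked through as an added example; this is not code from the blog or from any commenter. It computes entropy per character and the minimum length for a 128-bit target, shows that an MD5 digest is 128 bits whatever the input length, and shows a salted, iterated PBKDF2 hash from the standard library as the replacement for unsalted MD5. The exact punctuation set used for the first alphabet is an assumption.

```python
"""Password entropy versus MD5 output space (added example, not from the blog)."""
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Alphabets from the comment. The "SQL-safe punctuation" set is an assumption
# made here; the comment does not list the characters it counted.
ALPHABETS = {
    "upper+lower+digits+punct": string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}.,:?",
    "upper+lower+digits": string.ascii_letters + string.digits,
    "lower+digits": string.ascii_lowercase + string.digits,
    "lower": string.ascii_lowercase,
}


def bits_per_char(alphabet: str) -> float:
    """Entropy per character when each character is drawn uniformly at random."""
    return math.log2(len(alphabet))


def min_length(alphabet: str, target_bits: float = 128.0) -> int:
    """Smallest length whose uniform-random password reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def password_entropy(length: int, alphabet: str) -> float:
    """Total entropy in bits for a uniform-random password of this length."""
    return length * bits_per_char(alphabet)


def md5_output_bits(password: str) -> int:
    """Size of the MD5 digest in bits; it does not depend on the input length."""
    return len(hashlib.md5(password.encode()).digest()) * 8


def effective_strength(length: int, alphabet: str) -> float:
    """Upper bound on an attacker's work: the smaller of the password entropy and
    the hash's output space. A 300-bit password hashed with MD5 is still bounded
    by the 128-bit digest, which is Lance E's point."""
    return min(password_entropy(length, alphabet), float(md5_output_bits("")))


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted, iterated password hash. The per-user salt defeats precomputed
    tables; the iteration count makes every guess expensive for the attacker."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def pbkdf2_verify(password: str, salt: bytes, expected: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    _, dk = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        print(f"{name:26s} {bits_per_char(alphabet):.2f} bits/char, "
              f">= {min_length(alphabet)} chars for 128 bits")
    print("64-char alnum password:", password_entropy(64, ALPHABETS["upper+lower+digits"]),
          "bits of entropy, but MD5 caps the bound at", md5_output_bits("x" * 64), "bits")
    salt, digest = pbkdf2_hash("correct horse battery staple")
    print("PBKDF2 verify:", pbkdf2_verify("correct horse battery staple", salt, digest))
```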

Anonymous Ominous Cowherd October 04, 2017 1:42 PM  

DonReynolds wrote:Everything you ever did in your lifetime is subject to discovery and question and challenge and review and analysis.

Everything that has been digitized is public.
Everything that has not been digitized is probably private.

Mocheirge wrote:I use pen/paper + decoder ring. Sometimes, for extra tough encryption, I run my messages through the ring twice.

Double rot-13 ftw.

8859 ways to be fun. wrote:My first day of working for a Fortune 100 company, they told me NEVER, EVER type or say ANYTHING (email, note, memo, internal report, etc...) that I wouldn't be comfortable seeing on the front page of the New York Times with my name and picture attached.

Phone calls provide a reasonable level of plausible deniability. Conversations in the hall even more so.

Blogger James Dixon October 04, 2017 4:25 PM  

> You have to watch the entire network, not just the firewall location.

And the "network" may be bigger than you think, since it probably now includes employee phones and tablets. Add in VPN from home, etc. The BlueBorne vulnerability (https://www.armis.com/blueborne/) is just one example of the potential problems.

And that leaves out physical security. If I can gain access to your equipment, I can probably have a copy of an entire drive in hours or less, and of the important data on it in minutes.

Blogger CM October 04, 2017 4:40 PM  

--Seems there's as much security in the Global Village as there was in the primeval village. Plus ça change, plus c'est la même chose--

At least in the primeval village, you can bury your shit in the yard and toss some asps on top of it.

Hacking comes w real risk of physical harm.

Anonymous Bob October 04, 2017 8:32 PM  

I've said it before, and I'll say it again: "The Cloud is just someone else's computer."

I don't even trust my own machines to be 100% secure (if I had to estimate, I'd put it at 75% secure). I keep everything of value on flash drives in a lock box for just that reason. Frankly, a good amount of my sense of security comes from not being that worth hacking, since I'm only one fellow with all his useful information stored offline.

Storing anything you want to keep private and secure on someone else's computer, which has security you haven't vetted and is home to thousands of people who might be worth compromising to some enterprising criminal, strikes me as madness.

Blogger The Aardvark October 05, 2017 7:15 PM  

I don't feel like an utter dinosaur, now.
