Posts Tagged security
Mac OS X security exploits are like vampires
There are currently few exploits for OS X in the wild (oh yes, there are a few, so let’s not be complacent). There are several reasons for this; primarily, the market share of OS X in the operating system market is small enough that it is less likely to be attacked (why go for 5% of a market when you can aim at 90%); second, although OS X has vulnerabilities its core architecture is less prone to attack than certain other OSes out there; third, OS X users are less likely to go in search of hacked software (one of the major malware gateways); finally, OS X users are smarter and better looking than users of other OSes. Okay, I made that last one up.
So, there are fewer exploits for OS X, what’s all this vampire stuff? (more…)
Add comment February 6, 2010
Putting out in the cloud
There is an old poker adage that runs along the line ‘once you place your bet into the pot, it’s no longer your money’. It is wise to take the same attitude to data you place ‘in the cloud’ (a horrible marketing term that translates, more-or-less, into the more mundane ‘any data you place on-line’).
Whenever you post to a blog, Facebook, MySpace, or any other forum your data is no longer yours. When you store your backup on .MAC, or any other backup service, when you use DropBox or any of he myriad storage facilities, your data is no longer yours.
At this point I hear cries of, ‘but they say it’s secured’ or ‘but only I have the password’ or ‘I only allow friends to see my profile’. Ah, but here’s the rub. None of these services is truly secure. Not only that, a glance at the license agreements we so blithely click though reveals that we absolve the companies who provide these services of any substantial responsibility to secure out data. Sure, they have a basic duty of care but this is nothing but a fig leaf. Besides, once your data is compromised it’s too late for any restitution.
One interesting issue of placing information in these services is a knotty legal nicety. Suppose you are a married man storing all of you information on Google’s services. All you financial dealing, a spreadsheet recording your income/out-goings for example. Now suppose you were to be divorced. If the information were held on a local PC (rather than on Google) then your spouse would have great difficulty getting access to the information. With it all on Google they can subpoena the information direct from Google, you would not even necessarily know they had that information. And this principle applies to more than messy divorce cases.
Hopefully these services will start to offer proper encryption services. Unfortunately at the moment there are technical issues that make proper encryption tricky if the services are to maintain their ubiquity. No doubt, if demand for proper encryption (that is encryption that makes information practically unavailable to anyone other than the owner) these issues will the resolved.
I am not saying we should not use these facilities. I do. A lot. I am simply saying that people should assume that as soon as they put data onto these facilities it will become public knowledge. This is simply the precautionary principle. It is true that for most of people putting data on-line will never be a problem, but by applying the precautionary principle you ensure that it is never a problem.
Add comment January 7, 2010
Cloud computing. Good or bad?
Flavour of the moment in computing architecture is the notion of cloud computing. Whenever I see these new terms (well, newish in the case of cloud computing) being bandied about, particularly by the mainstream media, I immediately start to suspect that it’s largely hyperbole and marketing fluff. Cloud computing does not disappoint in this respect.
The idea that data is stored in a disparate infrastructure and processing power provided by commodity servers is hardly new, but to read the cloud computing lobby’s position you could be forgiven for thinking we were about to see something totally revolutionary.
What we are seeing of course, is the commercialisation of ideas which, until the last few years, have been maintained internally. Take any large organisation’s infrastructure in the last ten years and you have, to a large extent, the progenitor of cloud computing. Large, distributed storage facilities, large distributed server centres, and smaller local storage and processing facilities in the shape of desktop machines. Users hold most of their data on remote facilities, neither knowing nor caring about where or how they are physically stored.
There have been many attempts in the past to move from local PC computing to large commodity server processing. The irony being that early computing was based on dumb terminals and large central computing power. The cloud is slightly different, but only in that the provision of storage and service is not concentrated on one physical computer but rather spread about the internet, provided by potentially dozens of providers.
The shift to more browser based applications is no different to the shift from locally implemented drivers to operating systems. As Google are demonstrating, the shift to browser centric computing is an attempt to shift away from operating system dependence. The issue for consumers will be to protect the idea of open standards on browsers. Noticeably, even the mighty Microsoft are beginning to comply with standards in the latest incarnation of IE in order to position themselves in this emerging market.
Who benefits?
So, where does the market advantage come from for cloud computing? On the face of it the consumer will be the winner. With a crowded and competitive market of suppliers all using standards compliant protocols and browsers to deliver commodity services (no one should discount the bespoke market just yet) we can expect to get more bang for our buck in the next few years. The downside is trust.
Cloud computing in its purest form demands significant trust from users. Your data resides, not on your local machine, but ‘in the cloud’, which translates into ‘on someone else’s disks’. Google, Amazon, Microsoft, take your pick. Who do you trust with your information?
From the point of view of organisations supplying the cloud services the model turns you from a one time purchaser (when you buy your computer or software) into a revenue stream. Instead of buying software you buy access to it. Instead of buying a larger disk drive, you buy access to more on-line storage. The insidious thing about this model, from a consumer point of view, is that, like a hire purchase, seeing a few dollars each month leaving your account does not seem as painful as a large lump when you buy the computer and software but over the time you use the application you will almost certainly pay more.
It is inevitable that cloud services will be bundled in combinations that, like cable or satellite TV packages, will seem like value but in fact mean you pay for services you do not use.
Open Cloud?
Open source software is possible because many developers provide free time to developing it. You buy the hardware and they provide the software. With the cloud model open source benefits only the cloud suppliers. No longer can the consumer leverage free software into the cloud. Even if you find a cloud supplier willing to let you run an open source application on their infrastructure you will still have to pay for the run-time. It’s tough to see how open source will survive in the cloud.
Reliability
With current computing architectures there is a sense of ownership and problems with servers or storage (or your own PC) are directly under your control. If something happens then, assuming you have another PC and reliable backups, getting up an running is simple enough. Most business deal with these sort of failures every now and then, and most do so with minimal disruption to the business. With the cloud computing model there is an added risk that your supplier goes AWOL.
I have several external suppliers involved in delivering services for my business, one ISP provides my broadband connection, another provides support for my website, another supplier provides video streaming facilities, and another backup facilities. These all have high reliability promises, and they all fail periodically. When they fail I lose my on-line presence in part or as a whole. This is no major problem at the moment but as more of my business moves on-line I become increasingly aware of just how reliable a service needs to be to come close to one I own myself. The probability of system failure is the product of the probability of failure for each link in the supply chain.
Typical uptime promises offered by ISPs are 99.98%. This may seem very good until you realise that this means your ISP can meet this standard but still be completely unavailable for 1.75 hours every year. For a private individual this may not be a major problem, for a business it could be a big problem if that 1.75 hours is during a peak sale period. If there are four suppliers involved in the supply chain, each offering 99.98% reliability the worst case (assuming they meet this promise) means four lots of 1.75 hours downtime, or seven hours lost business.
There are strategies on the cloud that allow organisations and individuals to protect against failure, but at a cost.
Securing data
People do seem to be increasingly comfortable handing much of their information over to third parties. Occasionally someone will point out the inequities in a site’s terms of service, but more often than not people simply click through these without realising just what rights they are surrendering in doing so.
Certainly most information is not worth protecting too much. Does it really matter if your family holiday photo’s get out on the internet? Probably not. But what about those saucy photo’s you took with your boyfriend? These you probably would not want floating around. How about your banking details? Or some business plan you’re working on? What about that great invention that’s going to make you rich (providing someone does not beat you to the punch)? Or the blockbuster novel you’re writing? When you’re data is in the cloud it is no longer entirely under your control.
The internet is awash with horror stories of people sending e-mails without thinking of the consequences, and people losing their jobs because over perfectly innocent blog postings that their employer took exception to. The problems do not stop there once your data is in the cloud.
Consider the situation when a couple divorce. With all the data in your own local control it is fairly difficult for your ‘other half’ to get disclosure and almost impossible for them to dig around in your personal data without your knowledge. If this same information is in the cloud a simple subpoena opens the door to all that information and you are not necessarily notified that they have it.
I suspect there will be a growing market in tools to encrypt data as it goes to cloud storage, although we will all be increasingly reliant on third-party processing power if the cloud computing lobby have their way. When this happens we will be completely reliant on the storage solutions providing sufficient protection to our data as we will have no way to mediate any encryption.
As I said above, for a great deal of information it does not matter a great deal that we entrust it to the cloud (although I do take exception to sites that want some sort of ownership over, for example, my photographs just because I upload them to their disks). It is reasonable to assume that the big service suppliers have a vested interest in maintaining a good reputation for securing information. After all, clients will quickly move to another supplier if they believe their data is at risk. I for one will be very cautious about uploading anything remotely sensitive beyond the borders of my own local network without some serious encryption to which only I have the key!
Add comment July 14, 2009
