I don’t have anything against Dropbox – I think they have the smoothest cloud file system client around, better than all the others I’ve tried. But they’ve just admitted they were hacked, and they had another bad incident last year. So if you’re keeping something you don’t want others to see on Dropbox, don’t do it.
Here’s an open thread.
comrade scott's agenda of rage
Just another example of how “outsourcing” much of our information to “the cloud” has serious drawbacks.
Here in Club Fed, this administration is waaaay too enamored of “the cloud”. There’s a trade-off between minimizing day-to-day operation responsibilities against ensuring your data is reliable and secure. I can walk 6 feet to the file server and all the backups. Can’t do that with “the cloud”.
salvage
There is NO SUCH THING as online security. It does not exist so if you use these services assume it will be hacked and you won’t have any problems.
NotMax
U.S. embassy in Norway: Oopsie.
liberal
Count me as another who doesn’t get the “cloud” thing.
Yeah, yeah, economies of scale and division of labor, blah blah blah, but at the end of your day you’re trusting your data with other folks with fairly unproven track records.
Spike
@salvage: Amen to that. I use Dropbox regularly and will continue to do so, but I store nothing other than encrypted disk images there.
burnspbesq
I don’t trust Dropbox with anything privileged. I use Wuala.
And now for something completely different …
The U.S. District Court in Connecticut has held Section 3 of DOMA unconstitutional. It said that it didn’t have to reach the standard-of-review question, because DOMA loses even if the standard of review is rational basis.
http://www.scotusblog.com/2012/07/proposition-8-appeal-filed/#more-149896
kindness
Why would anyone trust ‘the cloud’ to be secure? Seriously!
redshirt
I’ve directed my company to “Insource” all 3rd party IT services for security reasons. They were using all kinds of external services, like Dropbox.
It’s been a lot of work, because of course I need to provide all those services internally, and then administer them. But it’s much safer.
The cloud is great for some things, but nothing secure.
NotMax
What do clouds do in real life?
Either dissipate (leaving nothing behind) or else release their contents indiscriminately.
Digital clouds may be very well named indeed.
Mark S.
Awesome:
FLORIDA: Obama 51 – Romney 45
OHIO: Obama 50 – Romney 44
PENNSYLVANIA: Obama 53 – Romney 42
danah gaz (fka gaz)
This applies to nearly any service on the Internet. I’ll except your online banking, but only because you can sue the pants off of them in the event of being hacked.
And to anyone that says I use X service instead, we have a two words that describe people like you: Easy Marks.
SquareSquid
The Google alternative to Dropbox is pretty neat (google drive), although I feel like Google is one step closer to knowing me well enough to replace me a la Stepford wives.
Another Halocene Human
@Mark S.: Hence the cut to early voting days in Fluhduh and the increase in provisional balloting. I did a mail-in ballot but I think I will in-person early vote in Nov and tell all the pollworkers I know to do the same. Things too f*cked up right now.
wonkie
This is a change of subject.
Remember that black and white cat that needs a home and is living outside near Sequim?
I found a home for it. I offered to pick the cat up in Sequim and drive the cat to Chehalis where the home is. Offered to pay the balance of the vet bill if other Juicers kicked in. I notified the person who found the cat of all this and emailed annielauire twice. I gave my email to the person who has the cat and my email and phone number to annielaure.
Since then I have heard nothing.
That black and white cat is not the only homeless cat. If I don’t hear some kind of response in a day or so then the offer of a home for that cat will be withdrawn so that I can work with other rescuers to place a different cat in that home.
danah gaz (fka gaz)
@salvage: You win. This is the only intelligent and on-topic comment on this thread.
mattH
I work retail, and I’ve actually had customers come up to me, ask my opinion on “The Cloud”, and when I tell them it’s much less secure, they react like I just told them their child looks like a baboon. It’s like some personal insult. Someone somewhere is telling them that it’s secure and moreso than their own home systems.
Djur
@redshirt: It’s people like you that are forcing me to use Exchange instead of Gmail. Bah.
Mark S.
@danah gaz (fka gaz):
This is an open thread.
Lee
@salvage:
That is the truth.
It took a while but I finally convinced my wife of this. It was a tough sell because I just got her convinced to do her banking online (she is not a tech person at all).
danah gaz (fka gaz)
@Mark S.: I probably should have been more clear. I know it’s an open thread. I was excepting people that weren’t commenting on the topic.
catclub
Think about financial histories of previous presidential candidates. Well, one in particular is Clinton and Whitewater.
Now imagine how many complicated business transactions are hidden in Mitt Romney’s past. How many are worse than the nothing burger that was Whitewater. Should we know about them before or after the election. Ask if Whitewater was important. Ask if knowing about Whitewater would make a difference to elections involving Bill Clinton. Now, tell me again why all of Mitt Romney’s financial past should remain secret.
300baud
It’s not clear to me that keeping things on one’s own server has a better track record.
Keeping things well secured is a hard job, and unlike any home server, companies like Dropbox have people on that full time. Plus, they’re basically immune to a whole variety of ways data gets in the wrong hands: physical theft, physical loss, physical compromise, wireless network attack, user-installed software.
I guess if you’re keeping private stuff on a physical drive that you secure in a safe except when you’re actively using it, then Dropbox is obviously worse. But if you’re talking about files you keep on your laptop and carry around with you, I’d bet that 1% or less of files in the wrong hands are due to providers like DropBox. It’s just that lost laptops, trojans, and naughty BestBuy techs rarely make the news.
Lee
@NotMax:
Interesting story. Not for the ‘ooopsie’ bomb scare but for the fact we are moving our embassy. I wonder if they are being asked to relocate because they don’t want their shit blown up being next to ours.
danah gaz (fka gaz)
@mattH: Thanks for misinforming people.
You DO realize that most larger websites nowadays are serviced by some cloud or another, don’t you? If nothing else, a CDN.
NotMax
Civil war in Syria ratchets up a whole lotta notches higher.
danah gaz (fka gaz)
@Lee: Banking offers more security. It has nothing to do with tech, however. It has everything to do with their EULA and the bank’s own fraud reimbursement policies.
Maude
@300baud:
If I need to save files, I use a CD. The info goes nowhere.
Of course, I don’t have a lot to save and so it is practical.
I don’t store anything on the cloud. It gives me the creeps.
redshirt
@300baud: That’s the catch of course. If you do it yourself, you sink or swim by your own hand. So it takes effort – something that will scare off quite a few.
I’ve essentially built my own “cloud” using remote sites to exchange backups, in case something were to physically happen to our main site.
danah gaz (fka gaz)
@redshirt: Interesting. When the company I used to code for needed a service like this we did the math and after factoring in labor and TCO we decided using a 3rd party service (such as AWS, but I’m under agreement not to give detail) would be cheaper.
Hill Dweller
Romney, the man who said Detroit should go bankrupt, has a new ad attacking Obama for the auto industry bailout. Not for making the bailout, but for closing some dude’s dealership in Ohio.
Willard is officially running a post-truth campaign.
redshirt
@danah gaz (fka gaz): Cheaper, maybe. More secure? Can’t be argued. The minute you place confidential materials in the hands of a 3rd party you’ve outsourced your security.
That might be all well and good of course – it’s in the 3rd party’s interest to provide a reliable, secure service.
But for what my company works on, that was not acceptable. So I brought it all back in house with great effort.
As for home use, unless someone is super paranoid or really has something to hide, 3rd parties are fine, especially for backups. Personally, I’d rather know my data (pictures especially) is backed up offsite than worry about someone I don’t know looking at it.
Jay in Oregon
@burnspbesq:
Ooh, Client-side encryption? I like. Turns out one of my co-workers used to work for LaCie and he likes it as well.
I may take everything that is personal/confidential out of Dropbox and use that specifically for public or shared files.
patrick II
I put a truecrypt file in my dropbox folder, as I would for any cloud backup. It is encrypted while on the cloud and only in the clear when I “mount” it on my local machine.
joes527
@SquareSquid: I’m assuming that google is reselling me as a D cell as in the matrix. But they make the experience so easy!
EDIT: Anyone who hacks my google drive will probably sue me for wasting their time with a bunch of useless crap.
burnspbesq
The most overlooked security threat in American business is that you let an outside service that you know nothing about into your offices every night to clean the bathrooms and empty the trash.
burnspbesq
@Jay in Oregon:
I also like that their servers are in jurisdictions that are serious about enforcing EU data-privacy rules.
ericblair
@Maude:
Is that CD encrypted, or physically locked up? It can still be lost or stolen if it isn’t.
For individuals, it’s really up to the person: I use gmail and put non-critical stuff in the cloud for portability, convenience, and backup. I keep my financial records off and encrypted. Whatever works.
For an organization, you’ve got to weigh the risks of compromise and downtime on a cloud versus the alternative, which is usually data scattered throughout the organization on various servers, backup media, and laptops that aren’t properly accounted for or carefully managed. I’d rather have sensitive records stored on a secured cloud than on someone’s unencrypted laptop drive, and that’s commonly the tradeoff you have to do.
Brachiator
Thanks for the heads up. This is why Technis, god of the InterTubes invented encryption.
Dropbox and other cloud services are essential. For anyone to say that they won’t use them because of hackers might as well say that they won’t use email, and should just back away from the Net.
In other tech news, the deities have answered the prayers of iPad owners.
While there has been a lot of buzz about tablets recently, video services make all these devices more magical. And Amazon consistently says that they are device agnostic; they want you to use their stuff everywhere. When they inevitably release an Android app for Instant Video, they will make the google Nexus tablet even more kick ass.
This even puts a little competitive pressure on Roku, Apple TV, Google TV and similar devices.
Now, if only NBC could get its act together with respect to Olympics coverage, the world would be a happier place.
The Snarxist Formerly Known as Kryptik
I am growing to hate trying to describe anything to people who immediately latch onto shallow surface impressions and refuse to unlatch from them no matter how hard or how sympathetic you try to explain to them.
I mean, global warming discussions are infuriating enough. Even trying to describe something as inconsequential as the Monty Hall Problem though feels like pulling teeth now because even despite authority from Mathematicians and people who actually understand the damn thing, feels like at least half just go ‘NUH UH, my first impressions are correct because they’re my first impressions, and you big headed stupid fucking eggheads are stupid and don’t understand!’
There seems to be just a scary thread of ‘scientists/mathematicians/academia are the stupidest people alive ever and can’t be trusted’ everywhere these days, and it’s starting to physically hurt. I mean it, I feel my head throb when I get drawn into this shit.
CarolDuhart2
@Maude: The guy who sells me my used computers feels the same way. He suggests CDs for backup instead of using my external hard drive. I go back and forth on the question of using a cloud service instead. Sometimes I think that if I stored my files on Microsoft Live or some other service, at least if my CDs break I can retrieve the info. Not to mention that I have had the experience of saving things on media where the machines are obsolete (5 1/2 inch floppy) and that are no longer retrievable. On the other hand, companies go out of business regularly in the tech world, leaving not even a phone number where they can be reached. And think about the folks on Megaupload who stored their own files they can no longer get at all. At least burned to CDs you can start over again.
Personal note: I’m thinking about taking the 2 off my user name and changing it. What do you think?
yopd1
If you have 5 minutes, consider calling the number on this website. They are looking for both people with Parkinson’s and those without and have developed a test that is so far 99% accurate in diagnosing. Currently, there is no actual test to diagnose Parkinson’s and many people (especially those with Young Onset) go years without a diagnosis or a wrong diagnosis.
The guy who developed the test is a TED Fellow from MIT and Oxford.
catclub
@Brachiator: I read:
“Amazon Instant Video Lands on iPad As Prime Members Weep With Joy ”
as: prime numbers weep, since it was an encryption thread.
Rafer Janders
@burnspbesq:
Bingo. And most of the people actually taking out the trash are doing so for minimum wage. Think they can’t be bought? I wouldn’t blame them if they were.
Yutsano
@CarolDuhart2: I remember the reason why you did so, but TBH it does give your nym a unique flair. :)
redshirt
@burnspbesq: Agreed. And any 3rd party vendor who has access to your site or network – think about consultants or for-hire web designers, for example.
We background check everyone, including the cleaners. Not foolproof of course.
danah gaz (fka gaz)
@redshirt: I’d say more secure CAN actually be argued. Others on the thread (like 300baud) have already made that point.
However, if what you want is 100% responsibility and control of your security, keeping it in-house is a good option (although if you use an IDC, particularly if you share a cage, there’s always that to consider).
In any case, good on you. Whatever works.
Brachiator
@catclub:
Ha! Very good.
@danah gaz (fka gaz):
For many, the cloud is the best thing since sliced bread. A Florida tax preparer had an electrical storm fry his home office equipment, computers and hard drives. He had to get new computers, but only had to download his data from the cloud and keep on going.
Then there’s a famous writer who had a fire burn down his house and the novel on his hard drive, and the backup hard drive.
And yeah, cloud servers can go down too. This is why redundant redundancy is redundantly important. But I repeat myself.
Ben Cisco
I’m another one not feeling the cloud AT ALL.
My Systems ENG won’t even let a discussion of cloud storage start, FSM bless him.
Ben Cisco
@mattH:
BWAHAAHAA!!
Villago Delenda Est
@salvage:
The only secure computer is in the original, unopened shipping container.
And even THEN it’s suspect.
CarolDuhart2
@Villago Delenda Est: I agree that there’s no perfect security. What we are really paying for in most cases is to keep out the internet equivalent of smash and grab artists and trespassers. Against inside threats or someone really determined, it’s not so easy. And nature itself can override protections (fried computer, flooded computer, what have you).
@Yutsano: I had to change it due to technical issues, but I’m wondering if I should use something more descriptive and with a little zest :))
Brachiator
Boxcryptor, like Truecrypt and other services, offers extra security for Dropbox, etc.
Also, use passwords intelligently. If you can easily remember all your passwords, you’re doing it wrong.
catclub
@Brachiator: there is an xkcd kind of on that.
sillyMultiwordpasswordwithnospecials beats any 15 digit password, no matter how many numbers or special characters.
Jay in Oregon
@Brachiator:
I disagree. I’d rather use a 32-character password that’s potentially easy to remember (like 4 randomly selected 7-letter lowercase words with spaces) because the space of possible combinations for brute force attacks is so much larger than a 12-character password that allows mixed-case letters, numerals, spaces, and (for the sake of argument) 10 non-letter characters.
(26 + 26 + 10 + 10 + 1)^12 = 2.29 * 10^22 possibilities
27^32 = 6.36 * 10^45 possibilities
And if you allow the character options of the second with the password/passphrase length of the first, you get 4.23 * 10^59 possibilities.
The only concern I have is that people may be more likely to use passphrases that are meaningful to them (their full name, their kids’ names, etc.) which could make them easier to guess, or at least drastically reduce the space an attacker needs to search.
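The arithmetic in the comment above, worked through in code as an added example that is not part of the thread. It also carries the commenter's own concern one step further: if the 32 characters are really four words drawn from a known word list, the attacker's search space is the list size to the fourth power, not 27^32. The alphabet sizes follow the comment; the 10,000-word list size is an assumed figure.

```python
"""Search-space arithmetic for the password-policy comparison in the thread.

Added worked example, not code from the page. The alphabet sizes are the
ones the comment uses; ASSUMED_SEVEN_LETTER_WORDS is a constructed figure.
"""
import math

# Alphabet sizes exactly as stated in the comment being illustrated.
MIXED_CASE_ALPHABET = 26 + 26 + 10 + 10 + 1   # lower, upper, digits, 10 specials, space = 73
LOWER_PLUS_SPACE = 26 + 1                     # lowercase letters plus space = 27

# Assumption (constructed, not from the page): roughly how many seven-letter
# words a common English word list offers for "4 randomly selected 7-letter words".
ASSUMED_SEVEN_LETTER_WORDS = 10_000


def charset_search_space(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def wordlist_search_space(wordlist_size: int, word_count: int) -> int:
    """Distinct passphrases when the attacker knows the generation method:
    `word_count` words chosen uniformly from a list of `wordlist_size`."""
    return wordlist_size ** word_count


def bits(search_space: int) -> float:
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(search_space)


def compare_policies() -> dict:
    """Bits of entropy for the three cases in the comment, plus the word-list
    view of the 32-character passphrase (4 words x 7 letters + 3 spaces)."""
    return {
        "12 chars, 73-symbol alphabet": bits(charset_search_space(MIXED_CASE_ALPHABET, 12)),
        "32 chars, 27-symbol alphabet": bits(charset_search_space(LOWER_PLUS_SPACE, 32)),
        "32 chars, 73-symbol alphabet": bits(charset_search_space(MIXED_CASE_ALPHABET, 32)),
        # The caveat: an attacker who knows the words come from a list of
        # ASSUMED_SEVEN_LETTER_WORDS entries searches list_size**4, not 27**32.
        "4 words from 10k-word list": bits(wordlist_search_space(ASSUMED_SEVEN_LETTER_WORDS, 4)),
    }


if __name__ == "__main__":
    for policy, entropy in compare_policies().items():
        print(f"{policy:32s} {entropy:7.1f} bits")
```

The word-list line is the one a defender should look at: four random dictionary words still beat the 12-character policy in practice only if the list is large and the words are chosen at random rather than picked for meaning.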
danah gaz (fka gaz)
@Brachiator: FTR, I’m a cloud fan. I’m also a realist when it comes to security.
I like clouds, and salvage nailed it on the security thing.
Besides, in a broad sense, we’ve been using a haphazard cloud for quite some time. Consider how many http requests to different sites are made every time you hit a page on most sites these days. Aside from the obvious content-delivery-networks that speed up last mile content, you have interplaying script, and analysis services running all across the web – spanned across multiple machines, over HTTP, and it’s been that way for years. While it’s not as intentionally integrated as a cloud, it’s cloud-like, and I don’t hear too many people complaining.
Brachiator
@Jay in Oregon:
As is seen time and again whenever hacking stories pop up, people tend to use short, simple, easy to guess passwords (e.g. “password” or “1234”). And they tend to use the same password everywhere. Hackers rarely have to use super sophisticated techniques to do their thing.
So, there are a lot of simple things that people can do before they get to 32 characters in elvish translated into Klingon.
But your basic point about passwords is spot on.
Also, too, hackers are also finding that big corporations are sometimes sloppy about their customers’ security. Life is good if you can get around individuals with good passwords by finding a big fat juicy database with IDs and passwords plainly displayed.
burnspbesq
I use two-factor verification on my gmail account. I don’t know whether it actually makes my account more secure, but it makes me feel better about it. I will do the same thing to my Dropbox account as soon as it becomes available.
liberal
@Brachiator:
Yeah, but if the stuff is encrypted in the cloud, then either you have to move everything back locally and decrypt it, or the keys are in memory at some points in time in the cloud already and can be stolen.
Plus, encryption doesn’t really play nice with relational databases.
danah gaz (fka gaz)
@liberal: While true, in the broad sense, it works fine to use one-way encryption to store passwords in a relational database and any DB dev that doesn’t take this precaution should be publicly flogged.
MattR
@Brachiator: I don’t think I am alone in saying that my biggest problem is that I have too many different accounts/passwords. Between work and personal I have at least 20 that I need to remember. That means I either need a photographic memory (which I don’t have) or I have to break at least one of the cardinal rules of security (either using simple, meaningful words as the root of the password, repeating passwords for different accounts or writing them down). If anyone has a good way to deal with that, I’m all ears.
Brachiator
@MattR:
I use a program called LastPass to keep track of my logins and passwords.
I have not yet used the feature to automatically generate passwords, because I want to know and have some control.
Because I am nutso about this, I often used a table of random numbers to come up with the numbers I use for most passwords.
I don’t have a separate password for every site, but I am more strict about some sites, especially sites that relate to purchases, my business, etc.
I have some throw away logins and passwords that I use for infrequently visited places.
Not a hugely formal system, but it has worked pretty well so far.
Also, too, there are some sites that ask for secret questions, etc, in case you ever need to retrieve a password. Some sites ask about parents, schools, etc. I NEVER use actual personal information, but have a set of canned responses that I use.
But even at its simplest a simple phrase that is easy to use may make a good password. It could be any two non related words. So, “Freeway Exit” would not be good, because this is a commonly used phrase. “Bypass Tinderbox” might be better. The phrase can be memorized and the two words don’t mean much together. Throw in some numbers and special characters and you’re ready to roll.
NotMax
@MattR
Store them in a deep-encrypted digital safe. The only password you need to remember without fail is the one that gets you into the safe. For example (and free, to boot):
http://www.schneier.com/passsafe.html