
<< Data was stolen from an Amazon Web Services-based storage bucket, which included more than 140,000 Social Security numbers >>

How about all of these 'data breach!!! data was taken OUT OF THE CLOUD!!!!' articles instead start with

"Data was PUT INTO Amazon Web Services, which is a sketchy private company with an extremely bad reputation owned by the world's richest man who is currently being blackmailed and who many Amazon users hope, against all the evidence, isn't a literal Bond Villain.."

If you put your company's secret data in the cloud, YOU ALREADY LOST CONTROL OF YOUR DATA

Cos it's in the Cloud.

That's what the Cloud is.

It's giving someone else control of your secret data.

That someone being someone who wants to rule the world.

You can kid yourself for a very long time that nobody who runs the Cloud is going to look at your secret data.

But it's a cutthroat business world, data is money, and you will never know if they did look.

They probably aren't looking! You hope.

@natecull If only there were mathematical systems in existence to ensure that your data were only accessible by authorized parties!

@digicana There..... aren't, though, that's the thing.

That's what I'm trying to get people to understand.

If you use purely cloud *storage*? Yes. You can encrypt data on your physical machine and then send it through the Internet and store it in the Cloud.

If you use a cloud *compute* server? Hahaha lol no.

Your cloud server's RAM will have your decryption keys in it, because how else will it be able to compute?

Good luck. Maybe Secure Enclaves will save you. Maybe!
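An added illustration of the storage-versus-compute distinction in the post above (editor's example, not code from any poster). It uses only the Go standard library's AES-GCM; `CloudStore` is a hypothetical in-memory stand-in for someone else's bucket, and the payroll line is constructed sample data. The client seals the object locally, the store only ever holds nonce plus ciphertext, a bit flipped by the provider makes decryption fail instead of returning garbage, and the one function that does work on the data server-side has to be handed the key to do it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Blob is all the storage provider ever receives: a random nonce plus
// AES-GCM ciphertext and tag. No key material is part of it.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// CloudStore stands in for someone else's bucket (hypothetical name). It is a
// plain map, so it can read, copy or alter anything it holds, which is the point.
type CloudStore struct{ objects map[string]Blob }

func NewCloudStore() *CloudStore              { return &CloudStore{objects: map[string]Blob{}} }
func (s *CloudStore) Put(name string, b Blob) { s.objects[name] = b }
func (s *CloudStore) Get(name string) (Blob, bool) {
	b, ok := s.objects[name]
	return b, ok
}

// NewKey generates a 256-bit AES key on the client. It is never uploaded.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts locally. The object name is bound in as associated data, so a
// ciphertext the provider copies under a different name will not open.
func Seal(key []byte, name string, plaintext []byte) (Blob, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Open decrypts and authenticates a blob fetched back from storage; any
// modification by the provider makes it fail rather than return garbage.
func Open(key []byte, name string, b Blob) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(name))
}

// CountWordOnServer is the cloud *compute* case: the provider's machine is
// asked to do work on the data. The only way it can is to be handed the key,
// so the key (and the plaintext) now sit in RAM the provider controls.
func CountWordOnServer(store *CloudStore, keyHandedToServer []byte, name, word string) (int, error) {
	b, ok := store.Get(name)
	if !ok {
		return 0, errors.New("no such object")
	}
	plaintext, err := Open(keyHandedToServer, name, b)
	if err != nil {
		return 0, err
	}
	return strings.Count(string(plaintext), word), nil
}

func main() {
	key, _ := NewKey()
	store := NewCloudStore()
	b, _ := Seal(key, "payroll.csv", []byte("constructed sample: SSN 000-00-0000"))
	store.Put("payroll.csv", b)
	fmt.Printf("provider holds %d bytes of ciphertext and no key\n", len(b.Ciphertext))
	b.Ciphertext[0] ^= 1 // provider, or anyone with access to the bucket, flips a bit
	store.Put("payroll.csv", b)
	_, err := Open(key, "payroll.csv", b)
	fmt.Println("tampered download:", err)
}
```

The asymmetry is the whole argument of the thread in code: `Seal`/`Open` never run on the provider's side, but `CountWordOnServer` cannot do its job without `keyHandedToServer`, and a wrong or missing key there is an error, not a degraded result.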

@digicana

But see, the thing, is:

Cloud compute means we now have this MASSIVE concentration of all the world's data and compute in maybe three or four companies. All of whom want to have and keep VERY close relationships with US military and intelligence.

This is a very, very target rich environment for those agencies, should they want to... go fishing for, whatever.

It's like the perfect data crime. Who will know if you're scanning hypervisor RAM for keys? And the payoff? Near infinite.

@digicana If I were a US spy and I *wasn't* quietly talking to US cloud companies (through their national security channels, extremely classified, Top Men only) about how to massively sift all compute node RAM for keys, I'd be doing something very wrong.

Use case #1: 'What if ISIS is running secure chat over an AWS node? Omg we need to be able to listen to them! We need to get all their keys!'

Use case #2: 'What if we scale that up to more Bad People than ISIS?'

Use case #3: 'I don't like X'.

@digicana

Now there are no doubt all sorts of internal rules, procedures, military honour, etc, preventing the NSA, CIA et al from just turning on the surveillance on everyone

And Jeff Bezos isn't currently on Team Trump. Apart from the blackmail and the eye-wateringly expensive divorce in process.

but on the other hand,

Trump happened.

I think it's fair to say a whole lot of safeties have failed in the US political and intelligence system, and we don't know who is running who right now.

@natecull Regardless of world events, AES remains politically neutral.

@digicana And once again, I ask:

How are you going to securely encrypt and decrypt AES, on a cloud compute server running a hypervisor whose code is classified, with the keys held in RAM connected to you don't know what?

@digicana Because AWS hypervisor code *is* classified, I believe. 'For security'. For someone's security, yes. Is it yours? Maybe!

@niconiconi @digicana

sure, but if your adversary *literally owns the physical computer*, their job of reading your RAM is a LOT easier.

It's just that for some reason nobody's threat model yet includes 'what if your tech infrastructure provider WAS your adversary?'

They certainly do if that provider is Huawei! But if it's American (and they're American, or even English-speaking non-US), they think it's fine.

Even if they also think the US President is literally owned by the Russian Mafia.

@natecull This is why there's interest in the 'Secure Enclaves' from Intel and AMD (though I worry they'll get used for DRM more than anything.)

And Fully Homomorphic Encryption is an active area of development to allow systems to carry out computations on encrypted data and yield encrypted results without being able to ever see the plaintext of either. (So long as inputs and outputs are both of the same length.) Sadly, it's slooooooooow and memory hungry and inefficient as heck at present.


@niconiconi @digicana

@azure @niconiconi @digicana

Yeah, I really wonder what the use case of homomorphic is. Some esoteric intelligence thing, where they have a lot of computations that they don't mind being known, and that don't include comparisons?

Secure Enclaves might maybe work... at least then you just have to trust the chip and not the hypervisor.. but you still gotta set up a secure channel to the enclave, send your key to the enclave, let the enclave decrypt data and then... not ever use that plaintext?

@natecull @azure @digicana In a picture of the future, full homomorphic encryption is dreamed to create the ability of running full applications on completely untrusted providers' hardware, i.e. create a trustless cloud. The current implementation even has troubles running a few logic gates, but if it really does scale, it may create a somewhat crucial shift of power in a world of centralized cloud.

@azure @niconiconi @digicana

I can see enclaves MAYBE working IF they:

* applied to an entire chip right from the start, all DRAM and motherboard I/O is encrypted

* there's some kind of secure key transfer from an out-of-cloud key server and the key stays after power off

* the key transfer can't be MiTMed

* the system is simple enough to be verified to not have bugs

* the system also can't be meddled with on the chip

* but the chips can be verified

* an enclave-only OS is written for it

@natecull @azure @digicana chip verification, it seems to be an unsolvable issue even if you have 10 billion dollars, with far-reaching consequences.

@natecull @azure @digicana While verification is nearly impossible, there's no shortage of bug-hunting. Existing evidence has shown it's not uncommon for manufacturers to leave backdoors (non-malicious debug interfaces for R&D, but effectively backdoors), even in chips with high expectations of security.

My favorite paper is: link.springer.com/content/pdf/

Researchers creatively used differential power analysis, a common HW technique to attack ciphers, and identified hidden features in a top-of-the-line FPGA.

@natecull @niconiconi @digicana I could imagine perhaps something like MapReduce implemented to use it could be done for SOMETHING though at present I think it's more a nifty thing to play with.

I think for Enclaves people want to do things like hide the public key in the enclave but be able to get signatures out of it, so the Empire of Mist and Vapor can never see your signing key. Or use an encrypted authentication database that can give a Yea or Nay without risk of the database ever being exposed for theft.

@azure @niconiconi @digicana

Yeah, about the only thing I can see Enclaves or hardware HSMs used for is literally *signing*. Ie, granting approval for something. Something that doesn't use much storage.

I can't see them being used to decrypt data cos then you have that plaintext data in an untrusted system.

Unless they're whole-system-sized.

For THEIR security, the US.gov can rely on their buying power over Amazon et al and can request clean hardware, their own people checking it, etc.
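An added illustration of the narrow interface the last two posts describe, where the secret stays inside and only a signature or a yes/no crosses out (editor's example, not code from any poster). `Enclave` is a hypothetical in-process stand-in for an HSM or hardware enclave; its salted SHA-256 is a standard-library-only placeholder for a real memory-hard password KDF, and the users and messages are constructed. The point is the shape of the API: the program can ask for approvals and login decisions, but there is no method that returns the signing key or the credential table.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Enclave stands in for an HSM or hardware enclave (hypothetical name for this
// example). All state is unexported: the rest of the program can only call the
// narrow methods below and never receives the signing key or the credential table.
type Enclave struct {
	signingKey ed25519.PrivateKey
	salts      map[string][]byte
	hashes     map[string][32]byte
}

func NewEnclave() (*Enclave, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Enclave{
		signingKey: priv,
		salts:      map[string][]byte{},
		hashes:     map[string][32]byte{},
	}, nil
}

// PublicKey is the only key material that ever crosses the boundary.
func (e *Enclave) PublicKey() ed25519.PublicKey {
	return e.signingKey.Public().(ed25519.PublicKey)
}

// Sign is the "grant approval" operation: callers get a signature over the
// message they present, never the private key itself.
func (e *Enclave) Sign(msg []byte) []byte {
	return ed25519.Sign(e.signingKey, msg)
}

// hashPassword is deliberately simple (salted SHA-256) to keep this example on
// the standard library; a production enclave would use a memory-hard KDF.
func hashPassword(salt []byte, password string) [32]byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Enroll stores only a salt and a hash; the password itself is not retained.
func (e *Enclave) Enroll(user, password string) error {
	if _, exists := e.salts[user]; exists {
		return errors.New("user already enrolled")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	e.salts[user] = salt
	e.hashes[user] = hashPassword(salt, password)
	return nil
}

// CheckPassword answers only yes or no. An unknown user still costs one hash
// and one constant-time compare, so timing does not reveal which names exist.
func (e *Enclave) CheckPassword(user, password string) bool {
	salt, ok := e.salts[user]
	want := e.hashes[user] // zero array when the user is unknown
	if !ok {
		salt = make([]byte, 16)
	}
	got := hashPassword(salt, password)
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1 && ok
}

func main() {
	e, err := NewEnclave()
	if err != nil {
		panic(err)
	}
	msg := []byte("approve deploy build-1234") // constructed approval request
	sig := e.Sign(msg)
	fmt.Println("signature verifies:", ed25519.Verify(e.PublicKey(), msg, sig))
	_ = e.Enroll("alice", "correct horse battery staple")
	fmt.Println("alice, right password:", e.CheckPassword("alice", "correct horse battery staple"))
	fmt.Println("alice, wrong password:", e.CheckPassword("alice", "hunter2"))
}
```

The compile-time guarantee here is only that nothing outside the package can reach `signingKey` or `hashes`; on a real enclave or HSM that boundary is enforced by hardware rather than by Go's visibility rules, which is exactly why the posts above consider it the one use that plausibly works.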

@natecull @digicana I meant it's possible that you can use these vulns for your own advantage. From this perspective the proliferation of scary side-channel attacks is not 100% bad. If everything runs on the cloud, users have nothing to lose; these vulns are actually giving some people a remote (but non-zero) chance to subvert the massive concentration of three or four companies, and possibly even US military and intelligence. Here comes a new #cyberpunk plot.
:blobspy:

@niconiconi @natecull I’m actually kinda curious how the big boys are handling all the speculative execution processor vulns. I mean no doubt they have mitigations, but I suspect it’s the nation states not the little guys who have effective tools to leverage these into workable exploits.

@natecull this has been my entire last couple of weeks at work. Provisioning a new server at work to store our accounting data (the easy part) then chasing back down the path to the end users' machines and disabling every fucking "helpful" cloud service that wants to subvert every control we put in place if you save a file in the wrong place or open it with the wrong program.

@natecull that's true, but it's low-grade information. You could lie and trick them. Even trick them into thinking that you believe something that you don't.

@Rich_Graham @natecull i mean, except we’ve already established via this data leak that it includes over 140,000 social security numbers so

Maybe the stuff /you/ are doing with AWS is low-grade data, in which case that's fine! But clearly other people are /not/, and the only reason they thought putting 140,000 SSNs into the cloud was okay was because we've managed to divorce "the cloud" from "the actual real company you're handing all your stuff to".

@Satsuma @Rich_Graham

What worries me the most about Cloud hype is that there's this whole cult of the Expertise Of Giant Companies that goes along with it. The value proposition being actively sold is 'it's actually more secure to give all your data to the biggest company possible than to hold it yourself!'

Which would be maybe fine IF being the biggest company meant being the most ethical? But we know that isn't how the market works.

@natecull @Rich_Graham yeah any company making money off of selling data should be considered like, inherently unsafe when it comes to data security and it’s absolutely wild that they aren’t

@natecull @Satsuma @Rich_Graham I have heard Eric Schmidt (I think?) of Google explicitly making that claim.

I of course don't buy it.

@natecull @Satsuma @Rich_Graham

The people most responsible for writing shitty non-secure software tell us that we are not capable of protecting the privacy they've already failed to protect.

And they are incentivized to fail at this.

And we keep falling for it.

And this behavior enables systemic persistence of this state via legislation like SOX, HIPAA, HITRUST, etc.

We can do better.

@natecull

> If you put your company's secret data in the cloud, YOU ALREADY LOST CONTROL OF YOUR DATA. Cos it's in the Cloud. That's what the Cloud is. It's giving someone else control of your secret data.

Something I struggle with is what to think about personal backups. On the one hand, everything you said.

On the other, it's just encrypted data (no compute) and there aren't many options for off-site backups.

I currently don't have a good solution, or off site backups

@codesections Yeah, if it's encrypted (and encrypted locally) I think it's pretty safe.

It's mostly cloud compute and Software as a Service and Big Data Deep Learning as a Feature that I worry about, which are the big ones the corporate world are pursuing.

@codesections like literally, the hot new thing in antivirus is 'the antivirus server is in Microsoft's cloud, so all the metadata about every file on your system gets just sent to Microsoft and then they run <unspecified algorithms> on all of that and you'll be So Much Safer!'

and I'm like WHAT HOW DID WE GET HERE but, it's the new corporate thing

@codesections @natecull Personally, I don't see any problems with using other people's computers to store encrypted backups. If done right they can't actually do anything with it except loose it, which leaves you no worse off then you'd otherwise be.

@alcinnz @codesections @natecull On a practical level, I can recommend Tarsnap. Recovery is very slow, but I have a good deal of faith in the security of the service.

@natecull Boggles me that this is done by the same grade of companies as those who just a few years ago wouldn't trust their backups to less than Iron Mountain. Amazon is not Iron Mountain. This should be obvious. And yet... Despite that a live database is much more potentially devastating than a tape archive. Grr.
