Tag Archives: cloud

CERN CentOS Dojo 2017, Event report (0 of 4)

For the last few days I’ve been in Geneva for the CentOS dojo at CERN.

What’s CERN? – http://cern.ch/

What’s a dojo? – https://wiki.centos.org/Events/Dojo/

What’s CentOS? – http://centos.org/

A lot has happened that I want to write about, so I’ll be breaking this into several posts:

(As usual, if you’re attempting to follow along on Facebook, you’ll be missing all of the photos and videos, so you’ll really want to go directly to my blog, at http://drbacchus.com/)

 

Privacy, security, and data integrity in "The Cloud"

The following are thoughts I wrote up in anticipation of Thursday’s Ask Slashdot, where I was discussing “The Cloud” with the Slashdot community.

The Question:

“With so much personal data being kept on the cloud, including government and health records, do you have any concerns about it falling into the wrong hands? Do you think the cloud’s benefits are outweighed by continuing security issues?”

I used to be a security “expert” (at least according to my business card), but that was long enough ago, and things have changed sufficiently since then, that I no longer make that claim. However, back then, most of our customers happened to be in healthcare in some form or another, and I was appalled, on a daily basis, at how insecure their data was. Any high school kid with some tools could completely own their network servers with very little effort. We hired one of those high school kids, and he frequently did.

Furthermore, with a little sweet talking, or looking under keyboards, we got access to all the stuff that he didn’t. Granted, this was in the days immediately before HIPAA, and in the first days after HIPAA (health care related data privacy/security legislation in the USA, circa 1996 and following, more stringently enforced after about 2002 or so) when people were trying to figure out how to implement the requirements. I naively hope that HIPAA has corrected some of the most glaring of these problems.

It’s hard to imagine that putting data “in the cloud”, whatever that happens to mean in the particular case under discussion, could be any less secure than where they’re already storing your data.

Every time I go to a doctor’s office and have to fill out all the same data, yet again, or when I have to fill out yet another government form with all the same information that they already have, often two or three times on the same set of forms, I think, why, in 2011, do I have to fill out these forms at all, when they already have so much information on me that should be readily accessible? A retinal scan, or even an ID number, should be sufficient to avoid this. Why haven’t we solved this problem yet? (Yes, that’s a very naive position, largely inspired by the frustration of filling out the 8th form while other people’s kids run around screaming and sneezing on me.)

One obvious requirement that should be placed on any “in the cloud” service where my medical information is stored is that the software securing it must be Open Source. This should be a requirement that we all demand. If you say that my data is secure, prove it to me by letting me inspect your code, do a security audit, and patch holes that I find.

I’ve long thought that government software should be software of the people, by the people, for the people. If I pay for the development of software that used to run, say, the TSA, then I should have access to that code. And if the IRS is using software to store my data, I should have access to that code so that I can verify that it’s secure, and is calculating my tax refund correctly.

I’m not sure, as a non-lawyer who has never worked as a government contractor, whether such demands are at all realistic or probable, but I still think it’s worth making the demands. While I’m confident that *my* congress critter didn’t understand the letter I sent him on the subject (at least, based on his content-free response), I would encourage you to contact yours, and maybe there’s one out there that would understand.

Now, having said all of that, it’s worth noting that the phrase “in the cloud” is, for the most part, rubbish. Servers “in the cloud” are installed, secured, and maintained, by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren’t. “The cloud” is not intrinsically secure or insecure, because “the cloud” is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that’s based in reality.

Every time we read an article about “the cloud”, it’s useful to take a moment to consider what it actually means in that particular scenario.

Although “the cloud” means “I don’t care where my servers are”, there are in fact actual servers somewhere, and there’s an actual person or team of persons responsible for maintaining that server or servers, and they are either good at their job, or they aren’t. Talking about “the cloud” as though it’s one homogeneous mush of data is nonsense, and leads to all sorts of false conclusions.

SugarSync

For some reason, I was sure that S3 was an end-user file storage service. It’s not. It’s for web developers who need somewhere to store a large amount of data for back-ending their website. So, say, someone like Flickr might use S3 for the actual photo storage. (I don’t know if they do. Just an example.)

So, thanks to a suggestion from CGNaughton, I am now using SugarSync, which was remarkably easy to set up, and seems to work pretty well, although it took three days for the initial sync of my data.

I’m also planning to put the 24G of photos, which I have on an aging Linux box at home, up on SugarSync, which will likely take all weekend. Once that’s done, I will finally shut down Buglet, which I have operated out of my house for more than ten years now, and I will then have a total of *zero* servers in my home, for the first time in probably fifteen years.

Having my servers managed, and, in particular, backed up, by someone else, has an awful lot of appeal. It’s no longer fun to keep servers updated, patched, backed up, free of dust, and restarted every time there’s a power dip.

On a related note, if you’re in the Lexington area, and you need a half-dozen aging server machines, come and get them. We’re only too delighted to offload them. Most of them were great machines in their time, but I no longer have need of them. Monitors too.