Admiral Ack, er, Stallman says IT'S A TRAP


Chad Cottle

Jun 11, 2013, 7:58:45 AM
to coll...@googlegroups.com

Andrew Wyllie

Jun 11, 2013, 9:40:30 AM
to coll...@googlegroups.com


I've always felt this way about 'the cloud' and I have my own in house servers for email, calendars, photos and any documents I have - I don't really use dropbox or google drive or anything like that unless it's stuff I don't care about - like pictures of cats, basically stuff that I would make publicly available.  Some of this cloud stuff can be useful though - like Amazon's Web Service stuff although I'm not sure if that's technically cloud or something else, I guess it depends on what you are putting on it.  Unfortunately, it can be hard not to use the cloud like convincing my iPhone to use my own servers instead of apple's for some things can be a bit of a pain.  Using google chrome cloud services to sync up all of my computers is pretty convenient too - there used to be a way to do this in house but it's not trivial.


Andrew

 
On Jun 11, 2013, at 7:58 AM, Chad Cottle <opend...@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Collexion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to collexion+...@googlegroups.com.
To post to this group, send email to coll...@googlegroups.com.
Visit this group at http://groups.google.com/group/collexion?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Todd Willey

Jun 11, 2013, 10:12:20 AM
to coll...@googlegroups.com
Timely and relevant news from 2008. Though now that we know Prism is
real, it bears talking about again.

You can encrypt data at rest on s3, which should be good enough to
keep only casually interested spy agencies from accessing your family
photos. There are a few tutorials on using encrypted rootfs on ec2
servers, which keeps you safe from Amazon deciding to snapshot your
instance and look through the image on disk, but I'm not sure how safe
you are with the running instance. You'd also still need to make sure
your data is encrypted in transit (a la VPN or TLS everywhere).

For real though, why isn't there a dd-wrt / openwrt distro that does
all the things you'd usually ship to the cloud? We have the capability
to install software packages on the router and attach drives for
storage (or offer up NFS mounts). I mean, I'd really like to use my
router as an API endpoint for a dropbox clone, and either have it
encrypt and forward the encrypted data to the cloud, or store it
locally.

-todd[1]

nx

Jun 11, 2013, 10:12:48 AM
to coll...@googlegroups.com
You pay for convenience. If you don't need that convenience, then you can choose to set up an open source solution to your problem or build your own.

If the cost of a hosted solution is outside the budget, then you choose from alternatives. If I didn't want to pay $50 per year for gmail for all of my users, then I would set up qmail or postfix to host my email.

Hosted stuff is fine as long as it's in your budget and matches your privacy and security needs. And the current pattern is that there are always open source alternatives to choose from if the hosted stuff doesn't work out.

If I was doing IT administration for the NSA, I wouldn't use Gmail.

Anyway, Stallman made the GPL, so he would say that.


On Tue, Jun 11, 2013 at 9:40 AM, Andrew Wyllie <wyl...@dilex.net> wrote:

nx

Jun 11, 2013, 10:15:50 AM
to coll...@googlegroups.com
Yeah, we could totally build our own clouds. It would be cool if local colocation providers made it super simple for the average computer user to set up their own personal cloud servers.

Andrew Wyllie

Jun 11, 2013, 10:59:56 AM
to coll...@googlegroups.com

I kind of jumped on this topic a bit because I've been thinking about
this cloud stuff lately as well as Big Data which is an entirely
different animal but is very appealing to me as a software engineer with
a degree in economics.

I guess the "free" services (not really free as you usually have to wade
through ads or sign a waiver that says the service can snoop your data)
tend to make me nervous as you are not sure what they are doing with
your data. That said, it also seems to me that the cloud is growing up
and that there are some really good applications out there - even for
sensitive data. For example Workday which does cloud based human
resources (and it's not cheap), can take the requirement to have IT
specialists and a secure data centre away for mid to large sized
companies. While it might seem dangerous to put all of your HR in the
cloud (including stuff like payroll) you have to keep in mind that
because they specialize in the stuff, they are probably a lot better at
it than an in-house solution and their servers are probably a lot more
secure than an in-house solution as well.

I have an Asus firewall at home and it does a lot of the free cloud type
stuff like password protected file sharing and an iTunes music server.
You can hook any size hard drive to it via USB and you can VPN to the
thing if you want to. I've always thought that this might be the next
wave of the future. Instead of putting all your personal data and
pictures on Facebook or whatever, you could put them on your own
firewall which connects to some kind of clearing house and has its own
permissions scheme, etc. So you could update your status on your
firewall - it pings the clearinghouse and anyone that has permission to
see it can now grab it. Maybe not the most network friendly application
but it really depends on how many people have permission to view your
stuff. You also, to some extent, eliminate a lot of the advertising.
Anyway, just a thought.


Andrew

Dave

Jun 11, 2013, 11:14:26 AM
to coll...@googlegroups.com
--- On Tue, 6/11/13, Todd Willey <to...@rubidine.com> wrote:

> From: Todd Willey <to...@rubidine.com>
> Subject: Re: Admiral Ack, er, Stallman says IT'S A TRAP
> To: coll...@googlegroups.com
> Date: Tuesday, June 11, 2013, 10:12 AM
>
> Timely and relevant news from 2008. Though now that we know Prism is
> real, it bears talking about again.
>
> You can encrypt data at rest on s3, which should be good enough to
> keep only casually interested spy agencies from accessing your family
> photos. There are a few tutorials on using encrypted rootfs on ec2
> servers, which keeps you safe from Amazon deciding to snapshot your
> instance and look through the image on disk, but I'm not sure how safe
> you are with the running instance. You'd also still need to make sure
> your data is encrypted in transit (a la VPN or TLS everywhere).
>
> For real though, why isn't there a dd-wrt / openwrt distro that does
> all the things you'd usually ship to the cloud? We have the capability
> to install software packages on the router and attach drives for
> storage (or offer up NFS mounts). I mean, I'd really like to use my
> router as an API endpoint for a dropbox clone, and either have it
> encrypt and forward the encrypted data to the cloud, or store it
> locally.

Would this help?

http://en.wikipedia.org/wiki/Truecrypt

> -todd[1]

Dave

Patrick "Kai" Baker

Jun 11, 2013, 11:23:00 AM
to coll...@googlegroups.com

That's an awesome business model.

Kai

Thomas D'Andrea Jr.

Jun 11, 2013, 12:58:05 PM
to coll...@googlegroups.com
I always use TrueCrypt with a damn long and strong password to create lots of containers, then upload those containers to DropBox or Amazon if it's anything that I wouldn't care to even slightly have out in public domain. Stuff like web links, open source data, ebooks, imgur pics, etc that I couldn't care less if they became public I don't mind dropping in the cloud, but I don't like to keep copies of anything secure even encrypted in the cloud. Though I have to say, if I did upload my truly secure docs and the government wants to spend all their power hacking my tax documents that I send to them anyway, I guess they can and I won't fight them...

Tommy

Chad Cottle

Jun 11, 2013, 1:06:18 PM
to coll...@googlegroups.com
Wow, the fact that the article date was 2008 was totally lost on me.  It came as a suggested reading link off a CIO list.  WTF? 

Well, it's still an interesting topic.

I agree with encrypting data at rest...it's a must do.

Warren Myers

Jun 11, 2013, 1:30:59 PM
to coll...@googlegroups.com
I know lots of places that "allow" you to build your own clouds - rent a rack, half a rack, etc and drop whatever "cloud" hosting option you want (ESXi, Xen, KVM | CloudStack, OpenStack, CSA...)

There's no reason you couldn't cloudify an offering on a single dedicated system in each of several locations by dropping mirroring/etc apps on hosts around the globe.

Warren Myers

Jun 11, 2013, 1:34:44 PM
to coll...@googlegroups.com
It's 5 years out of date, and was as incendiary then as now (given Stallman's general history - no surprise).

I do "cloud" setups for companies all over the place - it's one of the core offerings of my employer (and the reason we are being bought).

"Cloud" computing is no different than any other form of computing - whether it's private, public, or hybrid: it's computing/storage/etc when you need it, and only for as long as you need it, and then tearing it down when you're done. It's on hardware (somewhere) that you may or may not own, managed by yourself, your team, or others.

It's not conceptually any different than hiring Iron Mountain to do your document shredding - you could do it yourself, but owning, operating, and maintaining the shredders, incinerators, etc is likely not going to be your forte.

timk

Jun 11, 2013, 2:07:42 PM
to Collexion
When cloud == bad for privacy, is the concern that your data is on a
machine outside your control or that your hosted service company
(gmail) is reading/analyzing/forwarding your data? Either way, it
seems like this is only addressed by moving the machine inside your
network. Even if you stand up your own email server, if it's not on
your hardware, somebody else can touch it. The hosting company has
physical access to your (virtual) server.

In the case of email, self-hosting just shuts down the one-stop-shop
for your email history. It can still be gathered from all those other
(gmail) users with whom you're chatting. You can sign up for a monthly
transparency report from Google that shows the aggregation of
interactions they've recorded about you. Even Google accounts that use
non-gmail addresses show a ton of recorded email activity on those
reports because of all the messages sent to/from gmail users.

https://www.google.com/settings/activity/signup

-Tim

Thomas D'Andrea Jr.

Jun 11, 2013, 2:14:50 PM
to coll...@googlegroups.com
My opinion is that I just don't want some outside organization 1. having my private data easily, 2. having the ease of processing to analyze and forward my data, but very importantly 3: having the ability to cut me off from my data that I may need.

That being said, having a copy of some very important documents, encrypted with a great password and encryption technology, and available on a reliable cloud solution can do wonders in case of emergency (like a tornado flattening your house and your bank where your safety deposit box is located), but again in that case I would want to have it available in at least 2 places. There's a need and use for cloud services, I just think that right now the ease of use is taking precedence over how people handle their data.

Tommy


Dave

Jun 11, 2013, 2:17:25 PM
to coll...@googlegroups.com
--- On Tue, 6/11/13, timk <theat...@yahoo.com> wrote:

> From: timk <theat...@yahoo.com>
> Subject: Re: Admiral Ack, er, Stallman says IT'S A TRAP
> To: "Collexion" <coll...@googlegroups.com>
> Date: Tuesday, June 11, 2013, 2:07 PM
>
> When cloud == bad for privacy, is the concern that your data is on a
> machine outside your control or that your hosted service company
> (gmail) is reading/analyzing/forwarding your data? Either way, it
> seems like this is only addressed by moving the machine inside your
> network. Even if you stand up your own email server, if it's not on
> your hardware, somebody else can touch it. The hosting company has
> physical access to your (virtual) server.

The trick is that you need to encrypt your e-mail before transmission and after
reception. For example, Thunderbird offers a plug-in that does such encryption:

http://en.wikipedia.org/wiki/Enigmail

That way, any messages are encrypted both on the server and as they go
through the network (Don't forget that it's theoretically possible for a sufficiently
advanced packet sniffer, attached to an intermediate node, to sniff the packets
flowing past and reassemble your messages.).

Of course, such encryption requires a POP type protocol, they won't work with
web-mail interfaces. And, they require that both parties use the same encryption
routines. And, of course, if the person you're corresponding with is a mole,
well, all hope is lost anyway.

> In the case of email, self-hosting just shuts down the one-stop-shop
> for your email history.

Would the NSA issue a FISA warrant against your e-mail server?

> It can still be gathered from all those other (gmail) users with whom you're
> chatting. You can sign up for a monthly transparency report from Google that
> shows the aggregation of interactions they've recorded about you.

And, do you really trust Google to accurately report on what it's done?

> Even Google accounts that use non-gmail addresses show a ton of recorded
> email activity on those reports because of all the messages sent to/from gmail
> users.

Ok, so you periodically do a spam run, and dump enough spam from your address
that any meta-data collected about who you're e-mailing is meaningless. ;-)

> https://www.google.com/settings/activity/signup
>
> -Tim

Dave

Thomas D'Andrea Jr.

Jun 11, 2013, 2:20:20 PM
to coll...@googlegroups.com
> Ok, so you periodically do a spam run, and dump enough spam from your address
> that any meta-data collected about who you're e-mailing is meaningless.  ;-)

Sounds like a nice service that could be sold for small cash money and made into a security process. When you starting?

Tommy

Warren Myers

Jun 11, 2013, 2:33:53 PM
to coll...@googlegroups.com
The problem with encrypting email is that no one else does it.

I'm all for SSL everywhere (or equivalents).

But until *everyone* (or, most everyone) wants the same thing, it'll continue to be plain-text.

One thing most people don't realize is that every server that touches a given email is allowed to keep a copy (and, I'm sure, many do). It's intelligent at least for attempted redelivery if the recipient is full/offline. And it's good for analyzing bad emails.




Warren Myers

Jun 11, 2013, 2:34:55 PM
to coll...@googlegroups.com
It's also something likely to get you banned from mailing lists, put on blacklists, etc.



timk

Jun 11, 2013, 2:39:33 PM
to Collexion
On Jun 11, 2:17 pm, Dave <wa4...@yahoo.com> wrote:
> The trick is that you need to encrypt your e-mail before transmission and after
> reception.

This is where the next major email innovation will be. If someone can
pull it off, it will be huge. Google embedding it transparently into
Chrome and gmail would be huge. It would require sacrificing their
email ad revenue, which they're probably unwilling to do.

> Would the NSA issue a FISA warrant against your e-mail server?

That's an interesting question. AFAIK, the FISA approvals have been
for wiretapping actions (or similar). My gut tells me your email
server would be considered your property, so they'd need a search
warrant to steer clear of Fourth Amendment violations.

> And, do you really trust Google to accurately report on what it's done?

Yes, I trust that they've done what they said in the report. I don't
trust that they haven't done what they didn't report.

-Tim