"Frank Slootweg" <th...@ddress.is.invalid> wrote
| > There are some things that can't be made entirely safe. One
| > is JavaScript in browsers. Another is setting up your system
| > for remote access. There are reasons to risk both. There's
| > no sensible reason to risk it in order to have a "private cloud".
| > Thus, idiotic.
|
| I think you don't quite know what a "personal cloud" is and is not.
|
| You seem to say that "There are reasons to risk" "setting up your
| system for remote access". If so, guess what? The "personal cloud" is
| also a system which you set up for remote access. It's just not - at
| least not mainly - a *computational* system, big deal. The "personal
| cloud" is just a way to access one's files from the Internet, just like
| "setting up your system for remote access" is, no more, no less.

Yes. That's the point. If you set it up to be accessible from online
then you've set it up to be hacked from online. That's why so many
attacks in the past have exploited remote desktop, RPC, etc. Once
you're able to reach your own computer remotely, or allow others to
by allowing your tech support to work on your desktop, for example,
then you've made the mistake of applying intranet security protocols
to the Internet and you're a sitting duck.

That's also why there are so
many problems with hacked security cameras, thermostats, door
locks, etc. We're creating the IoT without having learned this basic
lesson in security -- that if you want a door opening to the Internet
you need to keep it locked. Why do these problems keep happening?
Because security is a hassle. You want to be able to get your files
in the easiest possible way. So we pretend the real problem was a bug
that needed a fix. Or bad config. But there's no end of such problems.
That's why credit card and corporate database hacks are constant.
That's why the Russians can turn off the US electric grid. The real
problem is that you're allowing people from outside to come in the
front door. The real problem is that these systems shouldn't be online
in the first place.

I knew you'd be back to argue this. :) But you're shooting the
messenger. There are reasons to allow remote access, as I said,
but there are also risks. You don't do yourself any favors by blaming
my imagined paranoia for those risks.

This lesson was demonstrated in the early days of XP. People
started getting scam popups on their systems. Why? The Messenger
service was running by default. Messenger is something that allows
a corporate network admin to post messages on employee systems,
like, "Don't forget to turn off your computer before leaving on Friday.
There will be building maintenance this weekend."

So why was that a problem? Because MS designs Windows to be
a corporate workstation on an intranet where the network is trusted.
With default config it was easy for outsiders online to use Messenger
service. Much of the history of bugs follows a general trend of creating
such holes and then patching them. Automatic updates, COM+, DCOM,
RPC, Messenger, NetMeeting, Remote Registry, JavaScript in browsers,
ActiveX, Flash, Silverlight, Java... and on and on. They're all clever
tools for use locally or on intranets that make Windows computers
unsafe online.

| but it's just a
| case of misconfigured system gets compromised.

Yes. That's always the culprit. The problem is not that
you left your front door unlocked. The problem is just that you don't
have a backup TV to replace the one that was just stolen. Or the
problem is that you didn't lock down the TV. Yes, that's
all true, to a point. But the fact that these problems are possible
is due to the fact you didn't lock the front door. For convenience.

When your "smart" thermostat is hacked to freeze your pipes
(not to mention the extensive spying Google does on their
thermostats) you can blame it on a software bug, or a missed
update, or faulty configuration, or whatever. But the real
risk was simply having it in the first place. If you want to be
able to call your house from work to turn the heat on then you're
creating possible vulnerabilities. If that's really important to you
then that's up to you. But you might also ask yourself: Do I
really need to talk to my thermostat over my phone? What kind
of nut have I turned into? (Whether you ask the 2nd question
is up to you. :)