This Cloud Doesn’t Have Your Back
Finally, it seems like regular people are coming around to the realization you cannot trust your data in the hands of a service provided by cloud companies. In fact, I think its pretty obvious you can’t trust your information on the internet. The celebrity hack on mostly iCloud users shows a complete failure on many fronts how the cloud is totally vulnerable, yet misunderstood by many.
It really began with Dropbox. The ability to sync files from one device to another and keeping it easy enough that anyone from outside the Tech industry could understand its value and incorporate it into their daily lives. In fact, its become too ubiquitous. Files are set to auto back-up on so many devices and very few people even know this is happening.
Security Lip Service
What is completely obvious in the celebrity attack and photo leak is the lack of security measures put in place by cloud providers. Although Apple is insisting this is not a by-product of an iCloud weakness, I believe they take much more fault in this situation than the uneducated public. First and foremost is the password policy from Apple.
As an iPhone owner and user I see this frustration every day. In the Apple universe you have one password. One password buys apps in the App Store. It also buys movies, music, and TV shows in the iTunes store. It also gives you access to all of your iCloud data and wipe your phone remotely. There are so many opportunities for someone to take advantage of this system.
About every third app I download the App Store requests my password before it will continue. We all know what good password hygiene is now. I have been a huge advocate for password managers and I am careful to use different passwords for all of my services and websites I visit. But, without a doubt, my Apple password is the easiest to hack. I have kept it simple because I’ve had to enter it so many times. I know I could save a strong password in LastPass then paste it into the box when required. But, simplicity always wins over security.
Apple has rolled out 2-factor authentication for accounts. But, this is limited to just purchases. The 2-factor authentication does not apply to iCloud. My credit card may be safe, but my files and pictures are not. Back in May of 2013 Ars Technica reported on this scenario:
To be clear, iCloud data is still secure so long as the password locking it down is strong and remains secret. But in the event that your account credentials are compromised — which is precisely the eventuality Apple’s two-factor verification is intended to protect against — there’s nothing stopping an adversary from accessing data stored in your iCloud account.
Dan Goodin, Ars Technica — May 30, 2013
Fast forward and the 2-factor authentication still has the same issues. If the celebrities in the attack would have had 2FA turned on, it would not have helped them. Apple still does not force a login to use 2FA to access iCloud data.
This really shows a total disregard for a users privacy for files stored on Apple’s severs.
Even if you were a celebrity who had enabled two-factor authentication, it wouldn’t have helped in this case because Apple doesn’t enforce two-factor authentication for iCloud logons even if you have it turned on, as was reported by Ars Technica all the way back in May of 2013. Apple primarily uses two-factor to prevent credit card purchases, not to protect the privacy of your data.
David Auerbach, Slate — Sept. 2, 2014 — Blame Apple
Cloud is Full of Peeping-Toms
In reality, regardless of security measures, we shouldn’t be trusting any of our information to cloud providers. To think that your information is private on a cloud server has become very obvious that its just a pipe dream. In the guise of safety, most cloud providers are scanning all of your stuff anyway.
Just this year Dropbox was in the middle of a firestorm when users noticed files were taken down with a DMCA notice. Dropbox later clarified that they are not removing the violating file, just blocking it from being shared. Many sites note the scanning tech behind this process and Dropbox has assured that they cannot see what the files are, but that their algorithm finds similar hashes to copyrighted material and blocks it.
In the same breath, Dropbox referred to a program that finds items that are the same on another users Dropbox account and instead of storing two copies of the same file, just gives each person access to the same file. Once again, this is done all algorithmically. This issue I debate with myself is; do I trust them? Is what they are saying to the public what they are actually doing inside Dropbox? In a post-Snowden world with plenty of evidence suggesting numerous companies have been coerced to having back-door access to files, do you trust a company that removes files and only stores single copies when they say they aren’t looking at your personal info too? My answer is an unequivocal NO.
Where Do We Go From Here
The easy answer is to have 2FA forced onto all cloud services and as Darren Kitchen at Hak5 would say “encrypt all the things”. But, requiring users to do either is a momentous task. 2FA is not easy and requires plenty of discipline to keep it on. Some systems are slow to send out codes or you just might be somewhere where codes can’t reach you. I think people want to be secure, but we haven’t made it easy or intuitive.
A real opportunity exists for encryption of everything. But, this has been true for decades. SSL and PGP have been around for a long time and neither has grabbed a foothold. Most sites don’t even deploy SSL and that requires no interaction from the user.
In reality, the best option for just about everyone is to never use the cloud as a backup solution unless they feel comfortable using encryption tools. There should also be serious repercussions for companies selling snake oil. For now, all we can do is vote with our wallet. But, as we grow up in the internet we have virtually lost all privacy already. At this point I think its safe to assume your bits are on the web.