NNSquad - Network Neutrality Squad


[ NNSquad ] China, Google, and Trusting the Cloud



                   China, Google, and Trusting the Cloud

                http://lauren.vortex.com/archive/000668.html


Greetings.  Some of the initial dust is starting to settle just a bit
in the wake of Google's announced change in China-related operational
policies, and it's fascinating to observe the range of reactions.

One almost immediate result of my posting 
( http://lauren.vortex.com/archive/000667.html ) that strongly supported
Google's decision has been a number of people asking if I still stand
by my previous statements of support for the concept of cloud
computing ( http://lauren.vortex.com/archive/000657.html ).  Don't the
Chinese attacks on Google and other companies, that triggered Google's
policy changes, demonstrate a weakness in cloud services?

I still am enthusiastic about cloud computing, and I still feel that
there are some important areas of cloud services where more work
needs to be done.  But more on that in a moment.

While I believe it's fair to say that most reactions to Google's
announced China-related changes have been extremely positive, there
have been some negative voices.

China of course officially is far from thrilled.  My favorite official
statements from Chinese officials on the matter so far include:
"Properly guiding internet opinion is a major measure for
protecting internet information security" -- and a warning that
Internet businesses must adhere to "propaganda discipline."

Propaganda Discipline.  Now that's a nifty turn of phrase if ever I've
heard one.

Well, it's pretty clear where official China stands on this, anyway.

An accusation has been floating around suggesting that Google's only
real motivation for the China changes was to give Google cover to
extract itself from its "underdog" search status vis-a-vis Baidu.

Fiduciary responsibility alone would suggest that Google considered
the financial ramifications of actions with the potential of drastic
effects on their China-based operations.  But there's no rational
reason why Google would want or need to "cover" a straightforward
business decision in the manner some folks are suggesting -- that's
nonsensical.  And to argue that Google would purposely create an
"international incident" of this sort on such a basis is assuming a
degree of functional sociopathy around the level of Norman Bates 
( http://bit.ly/4xHwQS ).  Sorry, I just don't buy the paranoid
argument.

Another concern being bandied about relates to the (unconfirmed at
this point) rumor that part of the attack on Google involved access to
a couple of Gmail accounts via a Google "law enforcement compliance"
system.

Some observers have expressed outrage that such a system would even
exist -- but frankly I'd be surprised if something at least
functionally equivalent was not in place.  Given that Google must
respond to legal demands for information from law enforcement, a
system dedicated in some way to that end would seem at least logical.
And the header-type data obtained by certain of the (apparently)
Chinese attacks (as opposed to message contents that were reportedly
not accessed in this context) are the sort of "pen register" type of
data that is commonly associated with certain common types of law
enforcement information demands.

Whether or not such a compliance system was in play in these attacks,
we know that certain aspects of security at Google and elsewhere were
compromised.  And this brings us back to the question of cloud
computing safety.

But to answer that question, we have to consider the security
implications of non-cloud systems as well.

Both from security and privacy standpoints in a perfect world
(including pretty much unlimited free Internet bandwidth and lots of
otherwise free time on your hands as well), it could be argued that
keeping all personal data, e-mail, etc. on your own local computers
would be a nifty setup.

However, we of course don't live in a perfect world.  Maintaining your
own mail servers -- and the security of those systems -- in today's
Internet environment can be tough work.  I know -- I build and operate
my own servers, and even on a relatively small scale it can be
challenging to keep attacks and other problems at bay.  And let's face
it, most computer users have not one iota of interest in spending
their days (and sometimes nights) maintaining such systems.

If you want to provide remote access to your own services or
collaborative environments -- via ssh or other tools -- even more work
is involved and additional security considerations come into play.
And then there's the issue of system backups.  Sad to say, vast
numbers of computer users have no usable backups of their data of any
kind!

One reason why Google applications like Gmail have become so popular
is that they offload so many of these issues onto Google's shoulders
(in fact, Gmail has now switched over to using https: by default -- a
major and extremely worthwhile boost for what I call "opportunistic
encryption.")

But yes, a cloud service can be an attractive target, by offering the
potential attacker at least the theoretical possibility of breaching
large numbers of accounts in one fell swoop.

So as with so many other aspects of technology, we see that there's
little black or white to these situations, but lotsa shades of gray.
To judge any given cloud computing or cloud data storage environment
involves not only the capabilities of those services, but also by
contrast your own capabilities and desires in terms of operating your
own systems and associated infrastructure to perform those same
services.

For many individuals, companies, organizations, and even cities or
larger entities, moving some or all information technology
functionality to the cloud may make good economic and security sense,
especially compared with what they could do in these areas on their
own locally.

This calculus should be conducted in each case with the understanding
that no systems -- locally operated or in the cloud -- will have
perfect security, and that security breaches of some sort can
eventually occur.  One advantage of the cloud is that in most cases it
is usually much faster to effectively roll out security updates across
the entire population of cloud users than when dealing with non-cloud,
locally-operated computing environments.

We can certainly assume that Google and the other organizations
impacted by these recent attacks will be taking due steps to further
secure their systems based on what has been learned.  Computer
security improvements tend to be more evolutionary than revolutionary,
but like in so much else of life we tend to learn the fastest when
challenged the hardest, and ultimate perfection is a pipe dream, not a
practicality.

The decision to use -- or not use -- cloud services is an individual
one.  But my stand on the topic hasn't changed at all as a result of
these recent attacks.  Cloud computing shows enormous promise and is
extremely valuable for all sorts of applications today.  But we're in
the infancy of this technology, and there's a great deal of important
and exciting work yet to be done as this area advances.  That work
will undoubtedly include security and privacy enhancements as key
aspects, and much of what we learn from intrusions will often
significantly impact these development efforts in positive and useful
ways.

Perhaps we should be publicly thanking the Chinese attackers for their
"contributions" to the evolution of our cloud computing projects?

Uh, no!

--Lauren--
Lauren Weinstein
lauren@vortex.com
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
   - Network Neutrality Squad - http://www.nnsquad.org
Founder, GCTIP - Global Coalition 
   for Transparent Internet Performance - http://www.gctip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein