Rich Kulawiec on 8 Jan 2017 04:02:47 -0800


Re: [PLUG] XKCD: Team Chat

On Sat, Jan 07, 2017 at 10:19:08AM -0500, Christopher Barry wrote:
> Well, to be fair, employees of a company that manages its own data can
> do that as well, but yeah, CloudCo folks have less loyalty,
> presumably...

Probably correct.  Also, please consider these two points:

1. The attacker budget for compromising one company is a lot less than
the attacker budget for compromising 492.  (To continue using the number
I chose for an example.)  Employees of that one company may decline to
accept a $10K payoff.  But will a CloudCo employee when offered $100K?

Why should they?  It's not THEIR company.  It's not THEIR data.
The chances of being detected are tiny.  (Defending against insider
attack is a very low priority almost everywhere, if it's even on the list.)
Blame can always be assigned to $COUNTRY or Anonymous or random hackers.
It's tax-free income.  There will probably be more at a later date.
And of course judicious use of the data by its purchaser may well prevent
the breach from ever being discovered.

This is all just simple economics: is there a demand for the data?
Then there will be a market.  If there is a market, there will be
buyers.  If there are buyers, there will be sellers.  If there are
sellers, then it's only a question of the price.

2. If I were running the intelligence service of a medium-sized nation
or larger, I would have anticipated this 15 years ago when the hype about
cloud computing and social networks began.  I would have long since placed
my own people -- who would be quite loyal, out of ideology or politics
or bribes or blackmail or whatever -- inside every major cloud computing
vendor and every so-called social network on this planet.  They'd be
in operations, security, accounting, management, everywhere.  Why not?
It's a cheap, safe investment that will give me some degree of access to
enormous amounts of data at low risk and without the tedium of getting
through firewalls and breaking application-level security and all that.
And it's a great deal for them: they get paid twice, once above the
table, once under.

Of course an even better alternative would be to start my own.  Then I
could have businesses paying me for the privilege of handing over their
crown jewels, or individuals falling all over themselves to populate
my databases with as many petabytes of personal data as my disk arrays
could hold.  This may be speculation or it may be history.

It is of course everyone's choice, but in my view, outsourcing your
privacy and security is a catastrophic blunder.  It's difficult
enough to manage these adequately even when they're under your direct
control; if you deliberately hand them over to third parties, then
you've abdicated your professional responsibilities and resigned
yourself to failure.  It's not a question of if, only of when.

Philadelphia Linux Users Group