I’ve been thinking about that for a few days now; it began when the Chrome notebook was first announced, and everyone was pushing the idea that the cloud, an idea only vaguely defined for most people, was going to be the answer to privacy worries for all.
I’m sorry, but you cannot have it both ways – you cannot scare the public with stories of lost or leaked information and passwords, and then in the next column over tell them how the cloud is the answer to all of their worries.
In at least 4 places I frequent there are stories about the problems that come with using the same password in more than one place, but in those same places are stories of how Microsoft is heading for the cloud, how Google is counting on everyone soon working the way the Chrome notebook forces users to behave, and still others assuring the public that the cloud will be a part of their lineup soon – whether or not the cloud should be included.
We look at the problems of the U.S. government, and their not being able to keep things safe, and wonder how any individual has any chance of doing so. After all, when people talk about the cloud, what they are talking about is a place where computers are sitting in buildings connected to the Earth, where people have access to the computers for various reasons, and internet access is there for many, not simply a select few.
There is nothing magical about the cloud. Anyone that tells you so has fertilizer where brain cells should reside, or is being paid as a professional liar.
Moreover, we have word today that the Hamburglar is at it again, and instead of hamburger thievery the problem is loss of security, with users of the wi-fi at McDonald’s having their information compromised. It really is no different than if McDonald’s had said the information was in the cloud, because it is not on-site at a McDonald’s; it resides at a place called Arc Worldwide.
Still others are using the distributed computing power that is part of the cloud for nefarious purposes, and if you think it will lessen instead of grow worse, you’re delusional. About 3 weeks ago there was a story in InformationWeek telling how a hacker used the power of the cloud to crack passwords for a mere $2.10. After doing this, proving to many it could be done easily, the people in control of the resources were not really concerned.
German security researcher Thomas Roth may have discovered the ultimate in DIY dictionary attacks: using on-demand computing power courtesy of the Amazon Elastic Compute Cloud (EC2) to crack the SHA1 secure hashing algorithm for just $2.10.
On Monday, Roth detailed his experiment in a blog post, spurred by Amazon’s introduction of cluster GPU instances. “GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?” he said.
His answer, using a list of 14 hashes: “I was able to crack all hashes from this file with a password length from 1-6 in only 49 minutes.” According to Roth, “this just shows one more time that SHA1 for password hashing is deprecated — you really don’t want to use it anymore.”
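The defensive side of Roth's conclusion, as an added example that is not from the article or from Roth's post: it verifies legacy unsalted SHA1 password records and replaces each one with a salted PBKDF2-HMAC-SHA256 record at the next successful login. The function names, the record format and the 600,000 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget

def legacy_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA1 pass (same password, same hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2 record: scheme$iterations$salt$key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if "$" not in stored:  # legacy record: bare SHA1 hex digest
        return hmac.compare_digest(legacy_sha1(password), stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(key, bytes.fromhex(parts[3]))

def login(db: dict, user: str, password: str) -> bool:
    """Verify a login and upgrade a legacy SHA1 record on success."""
    stored = db.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if "$" not in stored:
        db[user] = hash_password(password)  # replace the weak record
    return True

if __name__ == "__main__":
    # Constructed sample data, not taken from the article.
    db = {"alice": legacy_sha1("s3cret"), "bob": legacy_sha1("s3cret")}
    print("unsalted records identical:", db["alice"] == db["bob"])
    print("login ok:", login(db, "alice", "s3cret"))
    print("record now:", db["alice"].split("$")[0])
```

Records that never see another login stay in the weak format, so a migration like this is usually paired with a forced reset for dormant accounts.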
Should you trust your information to the cloud? That depends on how important it is to you and what might be done with it. For most of us, the answer should be a resounding, “Hell no!”
Update – 14Dec 0730PST – This morning there is an excellent article on the Guardian, from Richard Stallman, who warns that “the cloud” can lead to an era of careless computing and is “worse than stupidity”. As the head of the Free Software Foundation, it is not as if he has anything to gain from the stance, so perhaps a perusal of his ideas on the subject might be appropriate.