I am not Microsoft’s greatest fan. It is a dinosaur stuck on the beach while the fleeter of foot are soaring through the clouds. The reality is that it has no, and has never had, any visionaries. Even its domination of the desktop was more down to luck and sharp practices than genuine vision.
It was lucky that Gary Kildall rejected IBM’s overtures, else there would never have been an MS-DOS; and it was sharp practices that killed off Digital Research — its one serious and technically superior competitor. It was lucky that Apple demonstrated the value of Xerox Parc research and paved the way for Windows. It was lucky Jobs was so far ahead of his time he thought he could have a walled garden in the ’80s; and almost destroyed Apple in the process.
But it was sheer arrogant blindness that made Gates think he could ignore the internet. For the last two decades Microsoft has been forced into playing catch up; but catch up never works if you don’t have the vision to get ahead of the competition.
Now, in just one area, Microsoft is showing visionary signs that could differentiate it from all of its competitors. Microsoft has started listening to its customers rather than imposing its will on its customers.
While Facebook is telling everyone that they don’t want privacy, Microsoft is listening and saying, OK, we will give you privacy. While Google is fighting the European Union over privacy and cloud storage, Microsoft is listening to the EU and saying, OK, we can accommodate and store European data in European data centres.
Now, it’s not as simple as that. The US government can still demand customer data from Microsoft’s European data centres simply because Microsoft is a US company. But it’s making that data much more defensible, and telling the EU that it is willing to cooperate rather than fight.
Similar over privacy. When it became clear last week that Microsoft had, quite legally, searched the emails of one of its customers concerning the theft of Microsoft IP, it knew there would be privacy issues. It immediately said two things: firstly that it would in future get a pseudo warrant from an independent lawyer who had previously been a judge, and secondly that it would include its own searches in future ‘transparency reports’ (the ones that publish the number of law enforcement searches).
It wasn’t enough for the privacy advocates who pointed to the hypocrisy of criticising NSA warrantless surveillance and then doing its own.
To Microsoft’s great credit, within a week, it has listened, heard and understood. Brad Smith announced yesterday,
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
We’re listening: Additional steps to protect your privacy
Is this a new Microsoft — the genuinely ‘listening’ company? It no longer dominates the world’s operating systems, and is losing ground on desktop office software. But it seems to be doing one thing that none of its competitors are doing. It is listening to its customers, and giving them what they want. That alone, over the next few years, could catapult Microsoft back into a leading position.
As the dust from Edward Snowden’s Prism revelations begins to settle, it’s time to think again about whether it is safe to use Dropbox. In Part I (June 2011) we said:
You don’t need to stop using Dropbox, or any of its competitors, or Google Docs – just never, ever put anything confidential or legally dubious anywhere in the cloud. Just don’t.
Is it safe to carry on using Dropbox? Yes and No
In Part II (August 2012) we said:
Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).
Is it safe to carry on using Dropbox? Yes and No: Part II
What we’ve now learnt from Snowden is that not only can the US authorities (in the form of the NSA and the FBI) demand details of you and your account, they do as a matter of course have access to your actual files. We also know that if you encrypt those files, it will be taken as a red flag and they will pay particular attention to the files, and by implication to you as well.
So if we ask the basic question once again — but expand it from Dropbox to ‘any US cloud-based service’ — we actually come to a similar conclusion but with more riders.
The first part of the question is, is it safe? Absolutely, categorically and emphatically, No. It is not safe to use any US cloud service.
Ladar Levison ran a ‘secure’ email service, Lavabit. Last week he suddenly shut it down after ten years. If you read his statement, you see a man of principle:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.
(For the Americans, and especially in this instance, ‘the American people’ is a metaphor for ‘everyone in the world’ — it’s just that it has never legally been a crime for the NSA to spy on non-Americans.) It is clear that he is now subject to a court order from the secretive US FISA court — the one that the NSA and FBI use to justify their surveillance practices — complete with a gag order: that is, you must hand over your customers’ data but you may not tell anyone about it. However, it is Levison’s last comment that is specifically relevant here:
I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Kim Dotcom ran the Megaupload website, long since seized — quite possibly illegally — by the US authorities. While fighting extradition from New Zealand to the US he has set up a new and far more secure service, simply called Mega. He has first-hand experience of the reach and practices of the US authorities. His take is this:
Remember, move your Internet business to small nations that are free of conflict and therefore don’t have a massive spy agenda. Look for countries that have robust privacy and human rights laws. Stay out of the US. Don’t even host a single server there.
It looks as if he is preparing to move Mega to Iceland. New Zealand is, after all, one of the Five Eyes global surveillance countries with very close ties to the other four: the US, the UK, Canada and Australia.
But what of the other part of our question: can we carry on using Dropbox (and other US cloud services)? Clearly, we shouldn’t; but can we? As with everything else, it’s a risk-based decision: we have to weigh the risks against the advantages.
Snowden has shown us that the risks are far greater than we thought. The danger, however, is that we will conclude, ‘I’m not doing anything wrong so why should I worry: for me there is no risk.’ Think again. Adam Curtis has shown that the intelligence authorities see a plot behind every shadow: MI5 founded on a lie, maintained on a lie, and still lying today – allegedly. There is no reason to suspect that the NSA and FBI are any different; because if they don’t find the plots they will lose their budget and shrink.
Just because you do no wrong does not mean that they will see no wrong.
So the answer to our question today has to be, technically and possibly, perhaps yes; but realistically, no, no, no. Do not use Dropbox. Do not use Drive. Do not use any US cloud service. And if you are already doing so, get ready to move as early as possible to a non-US service. Don’t trust Europe — it is too closely allied to the US. As Dotcom suggests, Iceland currently looks attractive (at least until it joins the EU and gets caught up in EU subterfuges and becomes just another US and US-business puppet). As things currently stand, quite frankly the only secure solution is do not use cloud.
See also: Is it safe to carry on using Dropbox (client vulnerability)? Yes and No: Part IV, which discusses the latest ‘vulnerability’ in the Dropbox client (31/08/2013)
Back on 7 August I suggested that Microsoft’s plan for its own tablet was a big mistake (A Microsoft-made tablet? Big mistake). I may have been wrong – but only if it is part of a completely new and wider strategy.
Let’s look at the Big 4: Apple, Google, Microsoft and The User.
Microsoft’s strategy is built on the predominance and continued dominance of the PC. Without the PC there is only a small Microsoft – and the PC is in decline, and possibly a terminal decline. Microsoft’s strategy is in decline.
Apple’s strategy is built around owning everything, both hardware and software – and charging an obscene price for that monopoly. So far it has worked very successfully; but if you listen to the undercurrents from The User there is growing User dismay over both the price of that monopoly, and the frequency with which loyal subjects are asked to dump existing product and buy new product. Apple’s strategy is at the apex, and the only way is down (with a slight delay when it dumps OS/X in favour of desktop iOS).
Google’s strategy is to base everything in the cloud, and to own the cloud. This makes distribution very, very cheap, and upgrades cheap, seamless and invisible to the User. Google is proving very, very successful in this strategy.
But what about The User? The User’s strategy is to demand everything now, preferably free (but at least very cheap), anywhere and anytime. Microsoft provides none of this. Apple provides some, but not much, of this. Google provides it all.
So on current strategies, Microsoft is doomed, Apple will decline while Google will grow and thrive. (Incidentally, Amazon seems to have seen the writing, and I rather suspect that all three will have to watch out for Amazon in a few years time.)
But what if Microsoft has also finally come to its senses? What if the Microsoft tablet is not just a one-off foray into hardware, but part of a completely new strategy aimed at combining Apple’s hardware/software monopoly approach with Google’s cloud efficiency?
There are growing rumours that Microsoft is about to switch from, say, 3-yearly Windows releases to yearly releases. This makes no sense whatsoever under the current strategy. Expecting users to buy a new operating system every year won’t wash. Unless…
Let’s say that the MS plan is not new operating systems delivered in box or on disk, but new downloads delivered from the cloud just as its current patches are delivered every second Tuesday of the month. This model would require something like an annual license for the OS rather than a fixed price for the box. If that license were around £25 per year (preferably less), few users could say that use of Windows for just £2 per month is excessive. Let’s now take that to the logical conclusion: Windows and Office both migrate to the cloud and are both upgraded or patched on a continuous basis, as and when required, and paid for on a low-cost rolling license.
So Microsoft’s new strategy could be to own both hardware and software – starting with its own tablet but moving into phones (perhaps by buying Nokia?) and desktops (perhaps by buying Dell or Acer, or even building new from scratch?) – in mimicry of Apple; and then maintaining its software in and distributing from the cloud in mimicry of Google. Such a strategy would combine the best of all possible worlds; and while it is by no means certain that Microsoft could do it, if successful it could reverse the decline of Microsoft.
If fully applied, the ruling could effectively shut down deployments of Google Apps by European governments, schools and enterprises, at least until Google makes the changes the EU regulators are seeking.
This raises a number of other questions – for example, is the European Commission’s love affair with the cloud heading for an impasse with its own regulators? Back in September the EC issued a ‘communication’, Unleashing the Potential of Cloud Computing in Europe. It concluded with a call
upon Member States to embrace the potential of cloud computing. Member States should develop public sector cloud use based on common approaches that raise performance and trust, while driving down costs. Active participation in the European Cloud Partnership and deployment of its results will be crucial.
Last week, ENISA published an excellent overview of the Privacy considerations of online behavioural tracking, which I thoroughly recommend. It tries to draw a distinction between behavioural tracking and behavioural advertising; but the reality is that this is probably a technical rather than practical separation. This is likely to become the crux of Europe’s problem: it wants to maximise the cloud, accepts that it must allow commercialisation, but politically needs to ensure privacy – and the two things might simply be incompatible. As Peter Hustinx, the European Data Protection Supervisor said in his Opinion on Friday,
the use of cloud computing services cannot justify a lowering of data protection standards as compared to those applicable to conventional data processing operations.
In other words, as of right now, the EC’s desire to unleash the potential of cloud computing is incompatible with the need to maintain existing data protection standards. But we needn’t worry too much: it will all, as King John might have said, come out in the wash. Big business will give a little, the regulators will give a little, and the EC will twist and squirm a lot – and we’ll all be able to use the cloud happily.
The question is, will it be with Google? That’s the second issue coming from the Article 29 working party: has Europe got it in for Google? In October, Ars Technica commented:
The French seem to have an appetite for regulating the Internet, and for going after Google in particular. A new proposed law would force Google to make payments when French media show up in news searches; but Google has responded, in a letter to French ministers, that it “cannot accept” such a solution and would simply remove French media sites from its searches.
Two weeks later, Le Canard Enchaîné reported that France had made a €1 billion tax claim against Google and was using this as a bargaining chip in the newspaper content dispute. France, of course, with its current socialist government, likes to tax everything that moves – but as one of the key movers and shakers within the EU, you have to wonder if it is merely spearheading a wider European antipathy; and if so, where does this come from?
Well, again back in October, Henrik Alexandersson [a ‘Swedish libertarian, working for the Pirate Party in the European Parliament’] attended a luncheon seminar organized by ICOMP, the Initiative for a Competitive Online Marketplace (funded, it would seem, by Microsoft).
However, already when we received the seminar documents at the entrance – we realized that this really was something else: A Microsoft-funded Google Bashing lunch.
Google Bashing is a very popular sport in the EU, these days.
Alexandersson was so annoyed by the initial talk by “one of Microsoft’s lawyers, Pamela Jones Harbour… speaking about everything that Google does wrong,” that he and his party got up and left. But privacy, he says,
is not what Google Bashing in Brussels is about. Here it is rather a question of a number of Google’s competitors trying to whip up political criticism, for business reasons. They simply don’t like that Google more or less own the search market.
So here’s a thought. Is that anti-Google sentiment in Europe ‘political exploited by business’, or ‘business exploited by politics’? It’s a moot point. Either way, Google should be in no doubt that it has powerful adversaries in Europe.
Ever since the news of a potential breach at Dropbox emerged, my old post “Is it safe to carry on using Dropbox?” has been getting an elevated number of hits. It is time perhaps to update.
Firstly, what’s this about a breach? Well, Dropbox wasn’t breached in the traditional sense of the word. The likelihood is that a number of Dropbox users had the same log-in credentials (email address and password) that they used on a different web account that was breached. The criminals were able to reuse the credentials stolen from elsewhere, and gain access to a number of Dropbox accounts.
Unfortunately, one of these accounts belonged to a Dropbox employee. The criminals gained access to his account and found a file containing an unknown number of users’ email addresses. It was probably these users that were subsequently spammed, leading to the suggestion that Dropbox had been hacked.
This leaves us two questions: is Dropbox safe to use; and what lessons should we learn?
Dropbox is no more nor less safe than it was before; that is, it is not safe. This for two reasons: firstly, it is in the cloud; and secondly, Dropbox is a US company. You don’t know what is happening in a cloud that is not your own; so it is not safe. Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).
But why worry if the data you store is neither of these? You can increase the level of security by locally encrypting the files (with something like TrueCrypt) and storing only encrypted files. The basic rule is simple: if it is important that nobody else ever sees the data, don’t use Dropbox; if it doesn’t matter if other people see your files, you can use Dropbox. If you’re somewhere in-between, encrypt.
What should we learn from this? Well, it is good that Dropbox has or will be initiating additional security – including two-factor authentication. This will make your data more safe from hackers, but it has no effect on law enforcement intrusion. And judging from Google’s 2FA, few people will bother using it.
I also very much like the new security page (partial screenshot below). It’s available at your Dropbox settings location, and shows who has recently accessed your account and who is currently accessing your account. This is certainly worth checking regularly. Note also that this is where you change your Dropbox password.
But despite this good response from Dropbox, the fact remains that these are reactive and not proactive steps. Security is still an afterthought, added on to systems rather than designed into them. That’s one lesson we don’t seem able to learn. Secondly, it is sad that a Dropbox employee should be guilty of fundamental security no-nos: he stored a file with user emails in plaintext; and he was reusing the same password on at least two different accounts.
These are the main lessons that we all need to learn: do not trust other people or systems to do security for you. It is your, not their, responsibility (or at least, even if it is their responsibility, you cannot assume they will do it).
And finally, and fundamentally, and beyond all others: when will we ever learn to stop re-using the same password on multiple accounts? Tens of millions of passwords have been stolen from tens of major providers this year alone – and that’s just the ones we know about. Are you sure that your own password is not included? If it is, and you re-use it on multiple accounts, then you simply don’t know who has access to your accounts. And if that includes your email account or bank account, not to put too fine a point on it, you’re screwed.
So, is Dropbox safe? Probably not; but that doesn’t mean we shouldn’t use it under certain circumstances. I shall certainly carry on using it. But are we safe? Absolutely not until we start using unique, strong passwords for every different account. Hint. Use a good password manager.
Update: the revelations from Edward Snowden concerning US government access to cloud services, which will include Dropbox, adds new urgency to considering the use of Dropbox. See our latest commentary following Edward Snowden’s Prism revelations: Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III
See also: Is it safe to carry on using Dropbox following the DMCA takedown revelations? (03/31/2014)
My recent news stories…
You don’t need to be hacked if you give away your credentials
GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?
22 May 2012
A new solution for authenticating BYOD
New start-up SaaSID today launches a product at CloudForce London that seeks to solve a pressing and growing problem: the authentication of personal devices to the cloud.
22 May 2012
New HMRC refund phishing scam detected
Every year our tax details are evaluated by HMRC. Every year, a lucky few get tax refunds; and every year, at that time, the scammers come out to take advantage.
22 May 2012
UK government is likely to miss its own cloud targets
G-Cloud is the government strategy to reduce IT expenditure by increasing use of the cloud. It calls for 50% of new spending to be used on cloud services by 2015 – but a new report from VMWare suggests such targets will likely be missed by the public sector.
21 May 2012
New Absinthe 2.0 Apple jailbreak expected this week
The tethered jailbreak for iOS 5.1, Redsn0w, still works on iOS 5.1.1. This week, probably on 25 May, a new untethered jailbreak is likely to be announced at the Hack-in-the-Box conference.
21 May 2012
TeliaSonera sells black boxes to dictators
While the UK awaits details on how the proposed Communications Bill will force service providers to monitor internet and phone metadata, Sweden’s TeliaSonera shows how it could be done by selling black boxes to authoritarian states.
21 May 2012
Understanding the legal problems with DPA
We have known for many years that the EU is not happy with the UK’s implementation of the Data Protection Directive – what we haven’t known is why. This may now change thanks to the persistence of Amberhawk Training Ltd.
18 May 2012
Who attacked WikiLeaks and The Pirate Bay?
This week both the The Pirate Bay and WikiLeaks have been ‘taken down’ by sustained DDoS attacks: TPB for over 24 hours, and Wikileaks for 72. What isn’t known is who is behind the attacks.
18 May 2012
BYOD threatens job security at HP
BYOD isn’t simply a security issue – it’s a job issue. Sales of multi-function smartphones and tablets are reducing demand for traditional PCs; and this is hitting Hewlett Packard.
18 May 2012
25 civil servants reprimanded weekly for data breach
Government databases are full of highly prized and highly sensitive personal information. The upcoming Communications Bill will generate one of the very largest databases. The government says it will not include personal information.
17 May 2012
Vulnerability found in Mobile Spy spyware app
Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.
17 May 2012
Governments make a grab for the internet
Although the internet is officially governed by a bottom-up multi-stakeholder non-governmental model, many governments around the world believe it leaves the US with too much control; and they want things to change.
17 May 2012
My news stories for yesterday and today…
Canada’s interception bill C-30 dead in the water?
For all intents and purposes, the bill is dead; it appears that Public Safety Minister Vic Toews’ plans to ease police tracking of those who use the web for criminal purposes has been shelved.
16 May 2012
New iOS jailbreak expected next week
This year’s Hack-in-the-Box Netherlands security conference takes place next week at the Okura Hotel in Amsterdam, and will be the first ever week-long HITB event. A new iOS jailbreak is expected.
16 May 2012
UK companies are cyber self-confident
A new study by BAE Systems Detica shows that British business is pessimistic about security in general, but strangely confident about its own.
16 May 2012
The danger in service operators’ censorship filters
Yesterday we reported that the German Pirate Party had been ‘accidentally’ blocked by an automatic content filtering system used by many German schools. And yesterday the Open Rights Group and the LSE Media Policy Unit published a new report: Mobile Internet censorship: What’s happening and what we can do about it.
15 May 2012
Security is driving cloud adoption
In its 2012 Disaster Preparedness survey, Symantec finds a link between the three great movers of contemporary computing: virtualization, cloud computing and mobility. That link, surprisingly, is security – or more specifically, it is the need for adequate disaster recovery capabilities.
15 May 2012
How safe is your iCloud data?
Last month, Ars Technica asked the question, ‘Can Apple give police a key to your encrypted iPhone data?’ It concluded that it probably could not for the data on the device; but probably could for data stored in iCloud. Now the question has less relevance, with the latest version of ElcomSoft’s EPPB and the increasing use of iCloud.
15 May 2012