Sunday, October 18, 2009

I told you so. I told you so.

Loathe as I am to do it, today's post is a solid "I told you so". Not once, but twice.

First... in my last post ("You're a pirate, and you don't wash your hands") I suggested that you should turn off automatic updates, and examine security patches before applying them. Friday, ZDNet posted a story exemplifying what will happen to you if you don't heed this advice ("Microsoft exposes Firefox users to drive-by malware downloads").

Some time ago, Microsoft critically abused their Windows Update facility to sneak in a Firefox extension that was not requested, validated, or approved by the Firefox user. This was their ".NET Framework Assistant" add-on, which frankly, is not necessary for the operation of Firefox and "fixes" no Firefox deficiency or bug. Quite simply, Microsoft decided on their own to change the way a competitor's product works, and they abused your trust to do it without your knowledge. This isn't opinion, by the way, it's a statement of fact.

This same software, installed without permission, was left in place even after the abuse of trust was made public. Microsoft Security Bulletin MS09-054 warned of a critical remote code execution flaw which affected "Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8". What they fail to state is that, due to their abuse of trust and ineptitude, it also affects any Firefox browser that received the .NET Framework Assistant add-on.

This isn't the first time Microsoft has abused the Windows Update system to stuff in some unasked-for piece of code that changes the way your computer works...
Just so we're clear... I am not describing some tin-foil-hat scenario, or paranoid fear of what might occur. I am describing more than a tangible risk. It is a solid certainty that if you didn't heed my advice before, Microsoft has compromised the security of your PC without your permission. If you'll examine the links above, you'll see that Microsoft promised two years ago that they wouldn't do that sort of thing ever again. You'll also notice that two years ago the same brand of ineptitude also compromised security on XP machines.

Although Microsoft quite demonstrably has not learned from their mistakes, you can.
TURN OFF automatic updates, apply bug fixes AFTER EXAMINING what they are, and then ONLY if it's clear what the fix is for.

Second... I'm pretty vocal in my dislike for "cloud" computing. Here are links to a couple of my most recent thoughts on the subject:
My contention is basically this: you should never, ever, ever entrust your critical data solely to a third party. As described by Robert Vamosi at ("Press delete: the risk of outsourcing your data"), the reason is clear. You stand a very good chance of losing said data, with no recourse, and no chance of recovery. It's a very, very stupid thing to do.

Recently, users of T-Mobile's Sidekick service discovered that when thousands of them lost all of their contact data. All of it. (I'm not intending to prod, but Microsoft was behind that one, too.) For their part, T-Mobile offered their users a month of free service and $100 credit on stuff you buy from them in the future. Not $100 credit, but $100 off on the additional money you send to them in the future.

Yeahh.... about that future thing....

The big question here isn't really "what caused the outage?" or "who's to blame?"... it's "why is this stuff dependent on a cloud server anyway?" Maybe in the future I'd re-think the way I store and sync that data.

And it's not just T-Mobile... the same link describes a Bitbucket outage. Google Docs have had everal outages in recent months. The advice here isn't to not use online services... often they're a convenient way to share information. BUT, for the life of your company, DO NOT depend solely on these services for storing your data safely.

Certainly, your own computers and hard drives can experience failures. The difference is this: You own your machine and your data. You can make backups and be assured that they are available to you. Most "cloud" services are not beholden to you for the integrity of the data at all. AT ALL. Don't believe me? Then as an example, the Google Terms of Service, applicable to all Google services include Google Docs and Gmail. Pay particular attention to "15. Limitation of Liability", esp. 15.1(B)(iii), in which you learn that Google is not liable to you for...
In other words, they don't guarantee squat. They don't really have to do anything at all. You are completely and totally on your own with regards to liability. This isn't just common... it's universal. No online service guarantees its service. Go ahead and look for yourself.
Or just look at the terms of service of your preferred provider. If it's not clear enough from real-world examples, common sense, and the tacit admission of the innumerable vendors who absolutely refuse to warrant their services, Cloud computing is inherently risky. DO NOT depend on it. When you do, use it for convenience, but keep your data on your hardware. All cloud vendors place the risk of using their services entirely with you. But all the responsibility in the world means exactly nothing without the empowerment to act to mitigate risks. So with regard to online services, your one iron-clad inescapable inflexible rule should be to never use a service that does not provide a simple means for synchronizing your data to a local datastore.


Anonymous Anonymous said...

Very interesting and helpful. I like the way you write. thnx for spending time writing this. I don't share your views on cloud computing though. Used in a VM environment you just request a machine with such-and-such properties, press a button and *poof* somewhere a machine is born and you get an email with the root password. In an INTRAnet implementation.

February 18, 2010 1:54 PM  

Post a Comment

<< Home