Is iCloud's 'Epic Hack' a game changer?

Summary: Steve Wozniak has expressed concerns about the security of the cloud, predicting "a lot of horrible problems in the next five years" but Rob May, CEO of Backupify, respectfully disagrees. Who's right?

TOPICS: Apple, Cloud, Security
Did the iCloud breach change your opinion of the cloud? Jason O'Grady

Recent breaches at Dropbox, Amazon and iCloud have raised new concerns about the security of personal data stored on cloud services. But there are two sides to every story.

Apple co-founder Steve Wozniak expressed his concerns about the cloud to the Associated Press, fearing that consumers have signed away content they would otherwise own after buying, and warned of horrible problems that could result after migrating to the cloud:

“I really worry about everything going to the cloud,” he said. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”

He added: “With the cloud, you don’t own anything. You already signed it away” through the legalistic terms of service with a cloud provider that computer users must agree to.

“I want to feel that I own things,” Wozniak said. “A lot of people feel, ‘Oh, everything is really on my computer,’ but I say the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”

Backupify's CEO Rob May takes issue with Wozniak's analysis and respectfully disagrees:

Those that say you're giving up control when you use the cloud must realize that there are easy fixes to controlling your data when it resides on a cloud environment. One of the easiest and best fixes is having a cloud backup in place.

In the on-premise world, backup is about mitigating against the risk of data loss. In a cloud world, backup is that plus more. In a world where your data lives in the cloud, backup is about keeping control of your data. When you have a secure second copy, you can sleep better at night knowing that no matter what happens to your cloud provider, your data is still safe.

Do you really need a backup of your cloud backup? What happens if that "second copy" gets hacked? Is it another insurance policy on your cloud data or another potential vulnerability?

In light of tech journalist Mat Honan's Epic Hack, Apple has suspended Apple ID password resets over the telephone and Amazon has closed the "last four-digit" loophole that allowed hackers to gain access to an iCloud account.

But is it enough?

I still have faith in cloud services, provided that they're used with a fair deal of precaution, as I outlined in yesterday's post. I'm more dubious of online backup services because they tend to be slow (nothing beats a local HDD or SSD backup), they're not bootable, and because of the lack of control and the potential privacy issues (Dropbox, anyone?).

Honan's exposure of iCloud's porous password reset criteria sent shockwaves through the Mac community and I fear that another high-profile hack of a widely used service (like Google Drive) could do permanent and irrevocable harm to the cloud as a platform.

What's your cloud data storage strategy in light of recent events? Have you changed anything about it? Chime in the Talkback below.

Updated: Gytis Barzdukas, Senior Director of Product Management, Mozy added this statement:

"Steve Wozniak's issues with pushing everything into the cloud appear to revolve around two concerns: the location of the data, and the ownership of the primary version of data. In terms of location, Mozy believes that the best solution is to offer what might be termed a 'hybrid' solution. This is where data is stored both locally and in the cloud. In Mr. Wozniak’s scenario, an individual licenses content such as a book or music from an online service and the content owner revokes the license, blocks access, or remote-wipes a device -- such that the individual can’t access that data anymore. Because the individual is licensing information, the primary (or perhaps only) version of the data exists in the cloud and only a copy of the data is stored locally. Mozy inverts this model with the primary copy of the data being stored locally (i.e. on devices) and a copy of the data stored in the cloud. It's a clean relationship where the user owns the data and takes ownership of the data on their device(s). If the user has the data on their primary device, Mozy will have it in the cloud and the individual can access it from any other device or even sync it across multiple devices. Changes made to the primary data will be reflected in the cloud, with snapshots of previous iterations of the data held so that individuals can restore anything they lose or which becomes corrupted.

"In terms of Mr. Wozniak’s second concern, ‘signing away’ ownership, Mozy never asks its customers to enter into any such agreement. Our privacy commitment is very clear about this. As a customer, your information is yours and yours alone, not ours. We never sell your information to anyone, index it to enhance public search algorithms, or claim rights to use it for other purposes, nor do we sell information about you. We never share your information with anyone unless you explicitly tell us to. We never sift through your information in order to create a profile of you or target advertising. You can always retrieve your information, and once you leave our service—while we are sorry to see you go—we do not retain rights to your information.

"Finally, it should be noted that what happened in this case involved not only storage in the cloud, but also social engineering; particularly the use of social engineering to gather personally identifiable information and then build links between various accounts where data was solely stored in the cloud. Storing information in the cloud is not something uniquely insulated from social engineering attacks and we applaud the fact that Google and Amazon have changed their processes to limit these as vectors of attack for other customers.

"In short, Mr. Wozniak appears to be worried that the cloud puts data at risk. In a cloud model where the only version, or primary version, of your content is in the cloud there is indeed risk. But the beauty of the cloud is that there are multiple approaches in terms of how you can use the cloud to effectively manage your data across multiple devices. With the Mozy model, the approach differs from the scenario that concerns Mr. Wozniak. We use the cloud as a protection mechanism to provide a secondary copy of data owned by the individual which already exists elsewhere, and then use the cloud to enable that individual to access the content from the cloud. With Mozy, the customer owns their data, and no one and nothing can take it away."

(I also reached out to online backup provider Carbonite for comment and will update this post with their comments.)

  • Is iCloud's 'Epic Hack' a game changer?

    Look it is iCloud crapping cats and dogs
    • If it's from iCloud...

      wouldn't that be iCats and iDogs?
      Arm A. Geddon
  • Turns out it was Amazon who gave the "hacker" enough data ...

    ... to answer the iCloud security questions.

    But the hacker already knew a lot about the guy "being hacked".

    Anyway, this is also another example on how there is zero security on the cloud. And yes, Apple has blame ...
  • I kept on hearing the word convenience.

    No matter what tech site, posters didn't seem to mind pulling a Mat Honan. It's convenient. I don't have the time. Blah. Blah. Blah. Well that's why I don't have sympathy for people like Mat. Especially that he should know better. Btw, I'm still not convinced he's told the whole story.
    Arm A. Geddon
    • He admitted

      to sharing the blame. But Apple's security obviously has holes, that's the point.
  • PIE

    Pre-Internet Encryption is the key. If the data isn't encrypted with a local key, before it leaves the computer, then it shouldn't be going into the cloud; unless it is something you want to share with other people.

    To be honest, I have nearly 50GB of "free" cloud storage with the usual suspects, but I have probably used less than 1GB of storage in total and that is all files that are shared with other people.

    With Smartphones, the problem is a little more problematic, with the contact lists being stored in the cloud as well. For business, I would never use a cloud service for contacts or e-mails - mainly because it would be illegal.

    The biggest problem with Cloud Services at the moment is that most of them have an office in the USA and are therefore beholden to the Patriot Act. For people outside the USA, that is a major problem, for those in Europe it is a legal headache!

    In Europe personally identifiable information (names, addresses, e-mail addresses etc.) cannot be stored on servers outside the EU. Good luck trying to get GMail, Hotmail, iCloud etc. to guarantee that the information will only be stored on servers within the boundaries of the EU!

    The second part of the problem, even if you go on the premise that as an EU citizen, your data will only be stored on EU based servers, you still have to contend with the Patriot Act. Under EU Law, you cannot give any of the personal data away to a third party outside the EU without getting written permission from each person whose data you want to hand over.

    On the other side, the cloud provider has to hand over that information to the US Government upon request, regardless of what laws they are breaking in the process. The problem is, the user is the patsy, they are the ones that will be prosecuted, if it comes out that that personal information has been handed over to the US Government without them getting the appropriate written permission.

    As the cloud provider is not allowed to inform the user, that they have handed their data over, that means that they open their users up to prosecution without ever informing them of the fact!

    And the prosecution can lead to heavy fines and jail time!
  • First identify the game

    I don't think the high-profile hack destroys the cloud principle: it's like being burgled in the physical world. If a thief is intent on entering your premises he will find a way so to do. On the first occasion I was burgled the miscreants axed the door down and weren't in the least bit worried about disturbing the neighbours. (Would you tackle an axe-wielding thief?)
    Best to have insurance = good passwords + backup.
    It will become increasingly difficult to hack the cloud as the technology matures.

    Woz makes a completely different and far more pertinent point: if you surrender your operation to the cloud you lose control. There is a progressive creep from the PC era where one owned a reconfigurable PC, all the software and had all copies of the data ... to a situation where one has a fixed low-spec. tablet and everything else is in the cloud: hardware, software, price, privacy and security completely out of one's control.
    The problem is that the incumbents, already convicted of monopolistic tactics, will attempt the same level of control ... and that most media outlets (inc. ZDNET) and consumers just don't see it coming.
    Apple users are already hopelessly inured to an expensive, restrictive, closed ecosystem and have accepted a software and media tax as if it were the norm, when in fact it is a new model designed to part the consumer from his cash.
    Windows users are fighting to some extent against MSFT's attempt to copy the Apple model and will give Windows 8 METRO, ARM tablets, the app store et al a hard time. They too however may be seduced if the initial price is right (note the $40 upgrade price for W8).
    Bott sees secure boot, the schizo W8 user interface, the 20-30% tax and Do Not Track features as pure consumer benefits ... when their deeper motives are ecosystem lock-in and direct attacks on competitors' business models (Google's ads in this case).

    I have no objection to the cloud or subscription models per se, indeed might welcome them, BUT if they come without choice, privacy, security, control and do not consistently drop in price as technology advances ... then I will be campaigning against all the global IT corporations' offerings.
    • What if it comes to that?

      Are you willing to go somewhere else if you feel that Microsoft's ecosystem is too restrictive? Or are you simply going to buy Windows 8 with slightly reduced enthusiasm? I highly suspect the latter, as is the case with many people; they will complain and moan and groan about how Microsoft and Apple are trying to control all the things, but they never even so much as consider seeking out an alternative because it's too hard.

      It would be funny if Microsoft could find the IP addresses and personal information of the people who complain like this, and charge them extra when they eventually decide to buy Windows 8, because they know they have them by the grapes. Maybe itemize it as "wasting your time and ours".

      "I have no objection to the cloud or subscription models per se, indeed might welcome them, BUT if they come without choice, privacy, security, control and do not consistently drop in price as technology advances ... then I will be campaigning against all the global IT corporations' offerings."

      You say that now, but we all know that's not the case; we all know that you'll probably go right along with it, because it's all you know. So just shut your mouth, buy Windows 8 (probably at 40 quids; hell, make it 70), and stop wasting Microsoft's time. Bad enough the proles expect something for their money; now they actually complain about the quality of what they get!
      Third of Five
  • Passwords fall short of secure

    Don’t settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I'm hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection.