Is The Cloud Safe in the Wake of Meltdown and Spectre?

The Lack of Transparency Will Hurt More Than Just Performance In the Long Term

Attila Orosz
"There is no cloud, just someone else's computer," goes the well-abused cliché. Despite the many attempts at trying to debunk this "myth", the fact remains: The hardware on which your favourite cloud services run is owned by other people. So technically when storing your files in the cloud, you are giving them to others to keep them safe for you. But what if not being able to control your data (and its security) just doesn't cut it?

Even though zero-knowledge cloud theoretically solves most privacy issues (only theoretically, as it still heavily relies on your trust in the provider, and whatever anyone says or promises, you can never be really sure unless you do something yourself), there is more to cloud security than meets the eye. Besides the numerous issues with cloud computing (which proponents like to over-simplify or downplay as much as critics love to repeat the aforementioned cliché), the Cloud is a lot more vulnerable than people care to acknowledge.

Amidst the recent news of the Meltdown and Spectre vulnerabilities, not long after the quite recent scare of the rowhammer exploit, which alone should have been enough to shake the blind trust in consumer cloud solutions, it is difficult to imagine what makes people want to upload and store their most intimate information in third-party providers' data centers. Examined closer, though, it might just boil down to two simple reasons: convenience, and a false sense of security.

Underrated transparency

While the convenience angle can be easily explained by pre-conditioned consumerist laziness, the illusion of security is a lot more worrying. Even now, in the wake of Meltdown and Spectre, as we are constantly being told how our own devices could be hacked (like anyone was interested in your laptop), most cloud providers seem to either downplay the same issues or simply imply that they have it under control. Still, the world has yet to see a single explanation as to how most of them managed to do this. Not that they are not more than capable of patching, but even the patches available for them might not deliver what they promise (more on that below). This lack of transparency is surely not helping with any pre-existing trust issues, hurting providers' credibility as much as their users' security.

The lack of transparency usually means not knowing how Amazon (AWS), Google (Google Cloud), or Microsoft (MS Azure), just to mention the most significant players, handle security issues like this. All of these giants run closed source, proprietary software, so when they say that something has been fixed, all we really have is their word for it. There is no peer review, no open security audits, nobody to independently verify anything. All we have is, literally, their word, which might or might not be worth much.

As of early 2018 this point had already been proven, as evidenced both by Linus Torvalds' rightful outrage, and Microsoft's decision to release an emergency patch, reverting Intel's buggy microcode changes.

Sadly, the issue of transparency, in this case, neither starts nor ends at the cloud provider level. Intel itself had been spinning like a weathercock when it came to admitting either the security or performance impact, trying to shift the blame to include its competitors, and acting like it wasn't all basically down to flawed hardware design. Meanwhile, Microsoft surprised us all by being among the first to admit that there might be performance penalties on certain systems.

Obviously, it would hurt their businesses in the short-term to admit much more (as it has already badly damaged Intel), but what seems more dangerous is most cloud providers' (and also most cloud-based businesses') PR currently playing on a sentiment that already defies all logic, yet seems more persistent than ever: The aforementioned false sense of security such services provide.

Users might feel that they have done everything they could, by using a "secure" cloud provider, because hey, there is "encryption and stuff", and "patches have been applied", etc. And so they can just forget about taking appropriate measures themselves, as it all seems to have been taken care of by the provider. After all, the often too-technical lingo used to explain these issues does not usually register with the average user, and even if it does, the effect on cloud services is usually downplayed. Besides the long-term implications and collateral destruction this kind of thinking can cause, it should be immediately obvious that handling any sensitive (meaning: personal) information in such fashion might just be the worst sort of mistake to make.

Think about it. Just because we (the public) have only learned of these security flaws now does not mean they are new: they have been present for years, and even decades. Microsoft, Google and the others, on the other hand, have known about them since at least June; that much we can know now, since the Chromium bug report with the 90 day disclosure deadline is "declassified". They simply failed to inform the public until the recent media-storm swept away their secrecy. In other words, even though everyone seems to be really fast to respond now, and issue patches like mad, nobody really knows what anyone has been doing about it for over six months! Six bloody months. I'll let that sink in...

It's not just about performance

Another worrying trend is the media-buzz about the performance issues the patches dealing with Meltdown and Spectre might or might not cause. Besides all affected parties being in denial, there is a much greater problem of security that is once again downplayed, if discussed at all. Nothing definitive can be known about how this really affects server hardware, not only because nobody really discloses anything, but also because most media outlets don't even ask the right questions to start with.

There are, of course, patches apparently being made available every day, even though these patches might not be properly audited, so nobody can reliably tell whether they are as good as promised [Edit: As of early 2018 it's becoming increasingly obvious that they are not]. Thus, once again, the lack of transparency creeps back into the narrative. Spectre had been known to be difficult to defend against, yet CPU manufacturers now claim they issued microcode updates that do just that, followed closely by various OS kernel patches (even in the Linux world) that claim just the same. In the meantime, The Register's analysis found this to be a pile of steaming bull-excrement.

They quote Daniel Genkin, co-author of the Spectre research paper, who told them in an email:

"We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign."

Yes, repeat that, and keep repeating until it sinks in: When it comes to Spectre, software patches, be they kernel or microcode updates, just don't cut it. These might provide some protection, but are not definite mitigating factors. They might work well enough on your home or office PC, but servers will need more than that. Yes, we are being told that "servers have been patched" and "protected", etc. In other words, we are being misled into believing that everything is fine now. Companies, from manufacturers to providers, are trying to save face, save business and minimise the (already significant) impact. At our expense.

And even though agencies like the NSA deny any prior knowledge of said vulnerabilities, there is no way of knowing which rogue actors (state-side or otherwise) have known about these security issues and been secretly exploiting them for as long as they liked. To make things worse, the cloud and shared services/servers etc., are the most vulnerable to the newly discovered attacks.

Unfortunately, people will likely forget this, and whatever other security holes exist that the world is yet to be informed and scared about (along with those that have been reported, but whose news the Meltdown/Spectre hysteria drowned out), a few weeks or probably months later, and go back to using cloud services as if nothing ever happened. Because hey, there's patches, and stuff, so it must be all right. And if we don't know about something, it might just be as good as non-existent, right? Wrong.

Better safe than sorry

(For the love of a good cliché)

As Paul Kocher (one of the people who discovered Spectre) said about his discovery:

"If you asked me whether intelligence agencies found this years ago, I would guess certainly yes. They have some of the world’s best efforts at these sorts of things. It would be quite likely they would have noticed. And if they found something like this, as long it's yielding [sic] good intelligence, they don’t tell anyone."

And he's right. There is no reason to believe these (or any other, probably even officially "undiscovered") vulnerabilities have not long been used to spy on you, whether "officially" or unofficially. So what can you do about it? Reduce the attack surface. See, it's a lot less likely that your own computer gets hacked than, e.g., a massive cloud storage service would be. You would have to be targeted specifically, and for that, you'd first need to draw attention. On the other hand, when agencies/hackers/other rogue actors pull data from a cloud provider, your own personal information might just be part of the collateral. Or if hackers do that, your personal information might just end up as digital "commodities" sold for any kind of purpose.

The bottom line is: However scary the recently discovered exploits seem in terms of your home or office environment's security (along with some previous ones the media failed to hype just as much), the real security risk lurks, as it has always lurked, in The Cloud.

But fortunately, you can do something about this. While small (and even larger) businesses might be too deeply invested in their cloud-based solutions, you as a home user, still have a choice.

First protect yourself

Naturally, and this should go without saying, apply any patches, software updates, system updates, microcode updates, anything that is released, and do it as soon as they become available. They might not provide 100% protection, but it's still better to have them than not. There might be a performance penalty to consider, but you will have to decide whether performance or security seems to be more important. And that is about all you can do to protect the devices you own.
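
On a GNU/Linux machine you do not have to take anyone's word for what the updates changed: kernels from 4.15 onwards report their own view of each vulnerability under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the original article; the function names are illustrative and the sample status strings are constructed for when that directory is absent.

```python
# Summarise the kernel's own report of Meltdown/Spectre mitigation status.
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample shaped like the kernel's status strings (not real output).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status):
    """Map one status line to 'ok', 'mitigated', 'vulnerable' or 'unknown'."""
    text = status.strip()
    if text == "Not affected":
        return "ok"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, unreadable, or a string this script does not know


def read_sysfs(directory=SYSFS_DIR):
    """Return {name: status}; an empty dict if the kernel lacks the interface."""
    if not directory.is_dir():
        return {}
    report = {}
    for entry in sorted(directory.iterdir()):
        try:
            report[entry.name] = entry.read_text().strip()
        except OSError:
            report[entry.name] = ""  # treated as 'unknown' by classify()
    return report


def needs_attention(report):
    """Names whose status is neither 'ok' nor 'mitigated'."""
    return sorted(name for name, status in report.items()
                  if classify(status) not in ("ok", "mitigated"))


if __name__ == "__main__":
    report = read_sysfs() or SAMPLE  # fall back to the constructed sample
    for name, status in sorted(report.items()):
        print(f"{classify(status):10} {name}: {status}")
    print("needs attention:", ", ".join(needs_attention(report)) or "none")
```

A "mitigated" result only means the kernel reports a mitigation as enabled on your own machine; it tells you nothing about the hosts your cloud provider runs.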

As far as your consumer-cloud services go, however, you can do a number of other things...

Encrypt your data yourself, before uploading

Instead of relying on security offered by third parties, cloud users could take responsibility for their data security and begin encrypting stuff before uploading. Once a tedious task, this can now be automated and made almost totally transparent.

The article Clouded Security: Auto-Encrypt Anything Before Uploading, With Cryptomator explains how to do this easily and conveniently, so you have no more excuses for not protecting yourself, even when your better judgement remains clouded. (Yes, I know, it's a bad pun.)

The better way: Stop being high

(As in "up in The Cloud" high)

Just in case you've grown tired of the previous pun, here's an even worse one for a heading. Good news is, you don't need to quit your smoking habit, although you might want to consider that too. But to be even more sure your data is safe, the best you can do is keep stuff off the cloud.

That way, if you are a security-conscious user with an appropriately secured installation of an open source operating system that takes your privacy and security seriously, such as GNU/Linux or BSDs (sorry Windoze and Mac users), you can be somewhat more certain your data is not being tampered with, stolen, or sold to third parties, by government agencies or other, less malicious entities.

When it comes to the likes of NSA, CIA et al, "less malicious" really is both a relative term and a sweeping generalisation. In such context, the term can include anyone, from drug cartels, through raging psychopaths, to bloodthirsty warlords, etc...

Of course, there is no absolute sense of certainty here either, but the often touted "if you have nothing to hide, you have nothing to fear" paradigm might make more sense this way, as nobody would be personally targeting you or your devices. Or at least it is a lot less likely that they would.

The article Cloudlessly Connected: Stay in Sync With Resilio will show you how to set up cloudless file syncing, with step-by-step instructions and plenty of screenshots to guide the less experienced.

The best way: Combine the two

This might go without saying. Even though your data stays off the cloud, you might want to keep it locked away from prying eyes that can still try to extract information, be it spyware, malware, or your non-elected non-representatives that somehow still make it into the government. Apply full disk encryption or any kind of offline vault solution you have available for your platform, even when keeping your stuff away from servers.

Extra: Choose no-backend, no-cloud solutions whenever possible

Do this whenever you can. Yes, a browser-based office suite might be convenient, but can it compete with a proper desktop solution? Better yet, when taking notes, or managing files, the last thing you want to do is expose them to the internet and third parties. Choosing "traditional" software over the hyped "online", "browser-based", or just "cloud" solutions can often have the added benefit of greater security.

In conclusion

While you can never be one-hundred percent sure about being secure, there are ways to ensure your private information remains private. Your own security and privacy is your own responsibility. It is naive to trust anyone, as evidenced by one of the biggest hardware manufacturers' blame-game and flat-out lying, and while this seems obvious about governments and corporations that deal in data peddling, cloud providers can easily be added to the no-trust list, even though this time they might just as well be victims of sloppy hardware design themselves.

[This article was updated on 30-01-2018 to reflect some recent developments]
