Cloud Security for Home and SMB

I see increasing evidence that the cloud is drifting into the home and small to midsize business (SMB) market. This is a great thing for security, but it should also raise concern.

Take for example inexpensive network attached storage (NAS) devices. Only a few hundred dollars will get a self-contained box with RAID and network services. Several terabytes in a redundant array on the network is a great thing for a home or SMB that wants to safely back up data. The next step in data availability is to start to rotate backups to an off-site location.

Enter the cloud.

Service providers like Dropbox or CTERA offer to replicate the data from a NAS. Here is some typical marketing information I found on the CTERA site:

Before data is sent from the Cloud Attached Storage appliance to its online backup destination, it is encrypted using 256-bit AES (Advanced Encryption Standard). This is a highly secure encryption algorithm, approved as safe enough for protecting U.S. government classified material, and widely used by banks.

Highly secure? Very convincing. Oh, wait, do they mean widely used by the government agencies and banks that still get breached? I do not find this kind of vague industry reference very reassuring, but maybe I know too much. They also offer SSL for confidentiality in transmission and SHA-1 for data integrity. Nice to see standards.

Moving on, I noted their explanation of key management. After all, this is what really matters in the world of encryption when it comes to getting a secure service.

Passwords are required to access online backup versions of your data. You may choose between two options of passphrase protection:
* An automatically-generated key: This offers the ability to reset the key if it is forgotten.
* A personal passphrase: In this case, you choose a passphrase known only to you. While this offers an additional level of privacy, it also means that if the passphrase is forgotten, the protected data will not be retrievable at all.

The first option is not explained clearly. Many consumers probably will not realize that the ease of resetting a key is inversely related to the safety of their data in the cloud. How is the reset handled? I see the “additional level of privacy” in option two as really the baseline, not something extra. I would warn customers that using a reset option is below a baseline of privacy, like leaving their front door key under the mat.

A big question for the cloud provider is whether there is more risk in someone attacking the reset mechanism and compromising encrypted storage or more risk in customers losing their keys. Helpdesk and support costs might typically be considered higher for more secure options. However, it seems to me that since they offer a backup service and not primary data access, they should still encourage customers to lean away from any convenient reset options. Alternatively, they could add support for change/access logging and alerting for data in the cloud.

Ubuntu urgent PAM vulnerability

The latest versions of Ubuntu have an urgent security issue that must be patched immediately.

Other Linux distributions are not affected.

The problem is that Ubuntu developers gave pam_motd excessive access rights so that it could access the file motd.legal-notice in a user’s local cache directory. This file exists only to create a user’s file stamp, but root-level rights were given to the module. Big oops.

A local attacker only needs to create a symlink from a user cache to the password file to gain root access.

Patches can be found here.
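
The defensive pattern for this class of bug, as an added example (it is not the Ubuntu patch or pam_motd's own code): privileged code that touches a file in a user-controlled directory switches to the user's identity first and refuses symlinks with O_NOFOLLOW. The function name `create_stamp`, its parameters and the `CACHE_DIR` argument are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Touch `name` in `dir` for `owner`, never following a symlink. 0, or -1 with errno. */
int create_stamp(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int rc = -1, dfd = -1, fd = -1, saved;
    uid_t orig = geteuid();
    /* Use the user's rights, not root's, inside their directory. (Assumed
     * simplification: real code also switches gid and supplementary groups.) */
    if (orig != owner && seteuid(owner) != 0)
        return -1;
    /* O_NOFOLLOW: refuse a directory path whose last component is a symlink. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0 || fstat(dfd, &st) != 0)
        goto out;
    if (st.st_uid != owner) { errno = EPERM; goto out; }
    /* Resolve `name` relative to the checked directory; if it is a symlink,
     * openat() fails with ELOOP instead of opening the link's target. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0 || fstat(fd, &st) != 0)
        goto out;
    /* Check the object that was opened, not the path that named it. */
    if (S_ISREG(st.st_mode) && st.st_uid == owner)
        rc = 0;
    else
        errno = EPERM;
out:
    saved = errno;
    if (fd >= 0) close(fd);
    if (dfd >= 0) close(dfd);
    if (orig != owner && seteuid(orig) != 0) { rc = -1; saved = EPERM; }
    errno = saved;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2 || create_stamp(argv[1], "motd.legal-notice", geteuid()) != 0) {
        fprintf(stderr, "usage: %s CACHE_DIR (bad args or stamp refused)\n", argv[0]);
        return 1;
    }
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so earlier components of the directory path are still resolved normally; that is why the switch to the user's rights comes before any file access.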

Timber Supply Chain Security

The BBC says the European Parliament bans illegal timber:

The new law will force companies operating in the EU to produce “chain of supply” documentation so that, in principle, each piece of timber can be traced right back to its source.

This extends a rapidly growing field in security. The first thing that comes to my mind is that this ban will increase pressure to devise ways to prevent illegal goods from being injected into and masked by legal shipments. Already there is huge demand for skills and technology to securely identify and transport military, food and pharmaceutical goods.

The Forestry Department offers a document called “Best practices for improving law compliance in the forest sector” that indicates log tracking is still very primitive.

Oregon State University issued a press release a few years ago with examples of how well security technology works and could be improved.

“At the moment, we have ways of tracking logs that are only partially effective,” Murphy said. “Bar coding is awkward and leaves plastic tags or metal staples that can cause problems in mills. Radio frequency identification tags are very expensive; with some pulp logs they might cost more than the product you are selling. So we need improved technologies.”

Aroma tagging, Murphy said, is already being used in the marketplace – some manufacturers have used it to help prevent brand piracy. The food industry uses electronic nose systems to measure freshness, the medical profession to detect disease, natural gas companies to detect leaks and in law enforcement to identify drugs or explosives.

Interesting problems to solve. It also brings to mind political issues related to Chinese industry regulation and the relationship with Africa.

China’s failure to take meaningful action against illegal logging and timber imports, failure to meet existing commitments or even to adopt meaningful policies is alarming. China’s continuing spectacular increase in imports of logs and timber, much of it illegal in origin, to either manufacture for re-export to the United States and other countries or for its domestic use and the large scale Olympics building program underway is, in effect, fuelling a crisis that the United States and other G8 nations have given increasing priority, including in the Gleneagles Summit in the UK last month when commitments were made to end imports of illegally logged products.

China’s role in Africa’s illegal logging crisis is predatory in nature and poses a threat to forests, the communities that rely on them and weak governments susceptible to corruption.