Second Life Is Plagued by Security Flaws, Ex-Employee Says

A former infosec director at Linden Lab alleges the company mishandled user data and turned a blind eye to simulated sex acts involving children.

A man plays second life as a hand comes out of the computer and steals money from his pocket
Elena Lacey; Getty Images

A lawsuit filed by the former information security director of Linden Lab—the company behind the online virtual world Second Life, which, yes, is still a thing—claims the company mishandled sensitive user data and turned a blind eye to simulated acts of child molestation and the potential for money laundering.

Paris Martineau covers platforms, online influence, and social media manipulation for WIRED.

In a lawsuit filed in San Francisco County Superior Court on July 30 and served to Linden Lab on Tuesday, Kavyanjali Pearlman, a security researcher who joined Linden Lab from Facebook in 2017, says that she raised these issues during her tenure, and was met with hostility. The suit alleges company executives retaliated against her for flagging cybersecurity risks and potential violations of anti-money-laundering laws, child exploitation, and data misuse.

Pearlman claims the company discriminated against her as a woman, an Indian immigrant, and a Muslim. “After making her concerns known, [she] was treated worse than similarly situated employees who were not immigrant women of color, who were not religiously Muslim and wore a hijab,” says the suit. “Instead of looking into Pearlman’s complaints, Linden Lab’s senior officers led a campaign of retaliation against her, painting her as an inept employee who has issues with communication, and ultimately terminating her employment in March of 2019.”

“While we will fight her alleged claims in court, we deny any allegations that the company has engaged in any illegal activity,” said Linden Lab spokesperson Brett Atwood. “Ms. Pearlman left the company on March 15 only after she was given the opportunity to improve her work performance. We look forward to all the facts coming out in a court of law,” he said, declining additional comment because of the lawsuit.

Linden Lab is best known for Second Life, the massively multiplayer virtual world launched in 2003, which boasted around a million regular users at its peak, and an estimated 800,000 active monthly users as of 2017. Those numbers are paltry compared with today’s social media giants, but it’s still a sizable chunk of people.

A decade ago, Second Life was populated mostly by futurists, brands, and, for some reason, embassies; today, the virtual world occupies a more niche space online. Much of Second Life revolves around the Linden Dollar, a virtual currency with real cash value that is used to buy and sell in-game items, virtual land, and operate or play at virtual “skill gaming” casinos. In 2018, approximately $65 million was paid out to Second Life users for a variety of virtual goods and services. Gaming—including both free-to-play games and “skill” games that offer payouts—was the most popular activity among users, according to Linden Lab.

Last October, Pearlman says she raised concerns with Linden Lab executives that the company was not complying with anti-money-laundering rules, including by not collecting required information about the operators of skill games, according to the lawsuit. She says her concerns were dismissed, and that the issues had yet to be addressed by Linden Lab when she left the company in March.

Atwood, of Linden Lab, declined to comment when asked about the accuracy of Pearlman’s description of events. “All Second Life skill gaming operators must provide and verify their identification as part of a rigorous application process,” Atwood told WIRED over email. “We are in compliance with all legal regulations and all skill gaming operators agree to our Terms & Conditions as part of the review and approval process for our Skill Gaming program.”

In the suit, Pearlman claims that the user payment information collected by Linden Lab and “Second Life customer data” wasn’t secure, and that her attempts to correct even the most glaring security issues were met with hostility. In September 2018, Pearlman says she alerted multiple members of the IT team and executive board that payment information was accessible by employees from other parts of the company, and that outside contractors were gaining access to support tools that gave them unfettered access to private user data, according to the lawsuit.

Pearlman says even more serious issues received similar treatment. Sexual roleplay is a popular activity among Second Life users; the virtual world features many so-called adult regions where users’ avatars can be nude, have sex, and engage in more niche sexual activities. Last fall, the suit alleges, Pearlman urged Linden Lab to review its age verification and consent review process, as she was worried the company could be erroneously collecting data on minors and enabling children to use the platform without the consent of a parent or guardian, which would violate the Children’s Online Privacy Protection Act and Europe’s GDPR.

Pearlman says that her concerns were only amplified by violations of Second Life’s “ageplay” rules, which prohibit users from engaging in virtual sex acts with users that present themselves as children. The lawsuit says that violations of Second Life’s ageplay policies “could be called simulated child molestation” as users’ avatars can resemble children; in an email to the chief operating officer in the fall of 2018, the suit says, Pearlman raised concerns that the company’s age-verification policies posed the “risk of underage kids being involved,” but was dismissed in favor of prioritizing the launch of a subsidiary company.

According to the lawsuit, in 2018 the manager of Linden Lab’s fraud team “presented information to Linden board members in quarterly fraud reports that acknowledged a high number of such Ageplay [sic] violations were actually occurring on a regular basis each quarter.” The suit says Pearlman “was concerned that Linden Lab was apparently allowing the users to violate ageplay rules, by not implementing appropriate procedures to prevent violations from repeating at the same levels each quarter.”

The lawsuit claims that Scott Butler, Linden Lab’s former chief compliance officer, wrote a memo to other executives in June 2018 “urging compliance with cybersecurity laws consistent with Pearlman’s repeated concerns” and recommending that she be appointed the company’s Chief Information Security Officer. A former high-level Linden Lab employee confirmed the contents of the memo. The former employee said the memo “indicated that there should be more scrutiny on the ‘skill gaming program,’” and recommended Linden Lab adopt a suggestion from Pearlman to determine why it “had not been able to prevent the seedy population of ‘age-players’ from returning to Second Life, time and again.”

When asked whether Pearlman’s description of events regarding ageplay violations is accurate, Atwood, the Linden Lab spokesperson, declined to comment.

“In accordance with Second Life’s Community Standards and Content Guidelines, real-life images, avatar portrayals, and other depictions of sexual or lewd acts involving or appearing to involve children or minors are not allowed within Second Life,” said Atwood. “If any such activity is detected, individuals or groups promoting or providing such content and activities will be subject to enforcement actions, which may include immediate termination of accounts (including all detectable alternate accounts), closure of related groups, removal of content, blacklisting of payment information and loss of land or access to virtual land.”


This article was posted on 8/16/2019 and is public knowledge. We at Zoha Islands in no way share the beliefs or support the alleged accusations; we are just a messenger to our readers. Have a great week from all of us at ZI

Try This, For Faster and Safer Internet

On occasion, I have recommended using alternative DNS as a means to a faster and more reliable Web browsing experience. But faster Web surfing isn’t the only benefit of switching your DNS servers. I know it sounds geeky, but I’ll explain it all in plain English and show you how to make Internet usage both faster and safer, for both adults and curious kids. I have also found this to be helpful when needing a faster, more reliable connection in Second Life and on other gaming servers. Read on…

Speed and Safety

Let’s start by de-geekifying the DNS acronym. DNS stands for “Domain Name System,” and it’s a service normally provided by your Internet Service Provider (ISP). Here’s why it’s necessary… Humans refer to websites by their common “dot com” names, but the computers that run things on the Internet know them only by numbers known as IP (internet protocol) addresses. When you tell your browser you want to visit a certain website, it must ask a DNS server to translate that website name into an IP address before it can connect.

Normally, that DNS server is operated by your ISP, but there’s no technical reason why that must be so. Alternate DNS services can be used to speed up web surfing, provide an additional layer of security, correct typos, or assign shortcuts to commonly-typed website names. Here are some free alternative DNS services you can try.

OpenDNS Home is one such service, used by over 30 million people at Fortune 50 companies, small businesses, schools, and homes. The free service doesn’t require you to sign up for anything, or install any software. By changing a few numbers in your router’s setup screens, you can speed up web surfing, and you can also filter out malware, phishing sites, and botnet command-and-control domains. If you also want to filter out adult content, use the OpenDNS Family Shield instead. It works exactly the same as the OpenDNS Home service, but is preconfigured to block sites that may not be appropriate for younger users.

OpenDNS

OpenDNS includes one of the leading anti-phishing projects on the Internet. PhishTank.com is a collaborative effort to identify and block phishing Web sites one bogus URL at a time. Any registered user can submit a suspected phish to PhishTank via email or the site’s “Add A Phish” uploading feature.

Each suspect URL is evaluated by a worldwide community of security consultants, academics, and registered users. When at least two users agree it’s a phish, the bogus URL is added to PhishTank’s database of verified phishing links. The number of votes needed to verify a phish varies depending on the reputations of the voters. Reputation is established by being right more often than you are wrong. Users who submit lots of false positives – URLs that turn out not to be phishing sites – and who, more often than not, incorrectly label others submissions as phish or not-phish, will have lower reputation ratings.

False positives – URLs incorrectly labeled “phish” by the community – can also be reported. PhishTank’s staff will review the classification and revise it if warranted. OpenDNS draws upon many resources such as PhishTank to decide which URLs and IP addresses to block for its users who have phishing protection enabled. It’s possible that a URL labeled “phish” by the PhishTank community will not be blocked by OpenDNS.

Separately, OpenDNS Domain Tagging offers users the option to label websites with tags such as “adult,” “violence,” “social network,” “gambling,” and so on. Registered users can tag a domain, but it takes a consensus of the community to make that tag “stick.” OpenDNS users can use the tagging system to block selected categories of content, if desired.

But Does It Work?

You have options when it comes to selecting an alternate to your ISP’s DNS servers. Google Public DNS is similar to OpenDNS, promising increased security and better performance. Which is best? My answer is try them both! You can compare the speed of OpenDNS, Google and other DNS servers with the DNS Benchmark tool.
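
The name-to-address step described earlier, and the kind of timing comparison a DNS benchmark tool performs, as an added example that is not code from this post, from OpenDNS, or from Google: a Python script that builds an A query in the RFC 1035 wire format, parses the reply (checking the transaction ID and response code), and times lookups against several public resolvers. The resolver addresses are the well-known public ones for OpenDNS and Google; make_response() builds a constructed reply so the parser can be exercised without a network, while resolve() and compare_resolvers() need network access.

```python
"""RFC 1035 A-record query/response on the wire, plus a tiny resolver timing
comparison.  Added example for this post, not code from the article, OpenDNS
or Google.  resolve() and compare_resolvers() use the network; make_response()
builds a constructed reply so the parser can be exercised offline."""
import random
import socket
import struct
import time

RESOLVERS = {"OpenDNS": "208.67.222.222", "Google": "8.8.8.8"}  # public addresses


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Header (ID, flags=recursion desired, QDCOUNT=1) + one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer to earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(msg: bytes, expected_id: int) -> list[str]:
    """IPv4 answers from a reply; rejects wrong IDs, non-responses and error RCODEs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                                 # skip echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen                                 # skip CNAME/AAAA/etc. rdata
    return addrs


def make_response(qid: int, name: str, addrs: list[str], ttl: int = 300) -> bytes:
    """Constructed reply: flags 0x8180 (response, RA, NOERROR); answer names are a
    compression pointer (0xC00C) to the question name at offset 12, as real servers send."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + question + answers


def resolve(name: str, server: str, timeout: float = 2.0):
    """One UDP round trip to `server`; returns (addresses, milliseconds)."""
    qid = random.randrange(0, 1 << 16)                  # random ID: minimal reply-spoofing check
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
        elapsed = (time.perf_counter() - start) * 1000
    return parse_a_records(data, qid), elapsed


def compare_resolvers(names, resolvers=RESOLVERS):
    """Median lookup latency per resolver, the idea behind a DNS benchmark tool."""
    medians = {}
    for label, server in resolvers.items():
        timings = []
        for n in names:
            try:
                timings.append(resolve(n, server)[1])
            except (OSError, ValueError):
                timings.append(float("inf"))            # timeout/garbage counts against it
        timings.sort()
        medians[label] = timings[len(timings) // 2]
    return medians


if __name__ == "__main__":                              # needs network access
    print(compare_resolvers(["example.com", "wikipedia.org", "mozilla.org"]))
```

Run it from a few locations and at a few times of day before deciding which resolver is "fastest"; a single median over three names says more about the route to the server than about the server. The ID and QR checks are the minimum a client should do before trusting an answer that arrived over plain UDP.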

There is little downside to switching your DNS nameservers from the ones provided by your Internet Service Provider to the OpenDNS ones; the main trade-off is that the resolver operator, rather than your ISP, now sees every domain you look up. Most users will see slightly improved page loading time, less “lag” when first contacting a website or gaming server, and fewer errors with unreachable websites.

I am skeptical about the “wisdom of the crowd” method used by PhishTank and OpenDNS. Phishing sites come and go rapidly, and I can’t believe that a “committee” of tens of thousands can keep up with the bad guys on every front. But if it blocks the most common phishing attacks, there’s value in that. Just don’t assume it will protect you from EVERY known phishing threat, and continue to use caution about clicking links you see in emails.

The “parental controls” offered by OpenDNS are probably more effective; p**n, piracy and social media sites don’t change domain names nearly as often as phishing sites do. But like every parental-control program ever created, OpenDNS blocks some sites that arguably are not harmful to children. Also, its blocking applies to one’s entire network, so Mom and Dad have to give themselves permission to view “adult” sites like La Leche League, or shop at Victoria’s Secret.

If you configure your Internet router with the OpenDNS name servers, it’s important to remember that it can protect only the computers, laptops and other devices that are connected to your router, via a wired or wireless connection. When outside of WiFi range, OpenDNS can’t protect mobile devices such as laptops, smartphones or tablets. However, you also have the option to modify the DNS settings on individual devices, rather than (or in addition to) your router. This OpenDNS setup guide will walk you through the steps to make it happen. Just remember to record your current nameserver settings somewhere as a backup, in case you want or need to switch back.

Do you use an alternative DNS offering to boost your speed or security online?

Have a Great Week From all of us at ZI

Linden Lab Hit By Wrongful Termination Lawsuit

This post was made public a few days ago and with strong consideration we felt we should share the post as it was released. We at Zoha Islands have no intent to comment or have any opinion in this matter and suggest that our readers refrain as well. Read on.

Linden Lab Hit By Wrongful Termination Lawsuit Alleging Discrimination & Retaliation for Raising Concerns About Its New Payment Service, Tilia


Kavya Pearlman, an award-winning cybersecurity expert, just went public about a wrongful termination lawsuit she filed yesterday against Linden Lab, where she worked last year. A Muslim-American woman of color, Ms. Pearlman alleges the company discriminated against her, and retaliated against her after she raised security concerns related to Tilia, the company’s new payment service which all Second Life users are required to register with by tomorrow.

Ms. Pearlman shared the full text of her legal complaint with me, and it contains a number of highly serious allegations. For instance this passage, summarizing the red flags related to Tilia that she claims she brought up with senior staff:

In the last year of her employment with Linden Lab serving as the Director of Information Security, Kavya Pearlman raised concerns on multiple occasions to her supervisors, top company executives regarding security risks and possible violations of important laws she observed in Linden’s Second Life and Tilia currency program which prohibit money laundering, child pornography, pedophilia, compromise financial and data security, and other related laws.

She goes on to allege that the company did not respond to these issues, but went ahead with Tilia’s launch as scheduled:


Instead of looking into Pearlman’s complaints, Linden Lab’s senior officers led a campaign of retaliation against her, painting her as an inept employee who has issues with communication, and ultimately terminating her employment in March of 2019. Linden Lab proceeded with the timely launch of Tilia’s online token currency, and its expansion of the Second Life virtual reality platforms without taking seriously the risks identified in the realm of compliance and security that Pearlman had identified.

I have of course reached out to Linden Lab about this lawsuit, and will update this post if they make a public reply. In any case, Ms. Pearlman has posted a summary of her perspective on Twitter, including a key passage which directly connects her allegations to current events. Link to the start of her tweet thread below:

Obviously this is a highly explosive lawsuit, so I’m going to refrain from making any hasty judgements about it — and highly recommend to readers that they do the same.

Have a great week from all of us at ZI

Firefox Reality browser plus Oculus Quest

Grandma, is it true people in 2019 had to browse the web in 2-D? Mozilla has this time raised web browsing to another level with its virtual reality web browser, Firefox Reality, released for Oculus Quest headsets. Immersion will really grow on users spending time on games and video. Angela Moscaritolo, PCMag, wrote Thursday: “Not thrilled with the Oculus Quest’s built-in web browser? Now there’s an alternative: Mozilla’s Firefox Reality.”

The goal is access to VR experiences such that “Firefox Reality brings the best and freshest content from the web that you know and love to Virtual Reality headsets. Experience a seamless transition from 2-D to 3-D immersive modes.”

Stephen Shankland, CNET, commented on that transition: “VR browsers use VR-adapted web technology so developers can create 3-D virtual realms that span multiple VR devices.”

Jeremy Horwitz in VentureBeat traced how Firefox Reality developed: it first appeared as an April 2018 preview, went on to official releases on several platforms, and became HTC’s browser of choice for Vive devices.

And now it is on Oculus Quest.

Catherine Ellis in TechRadar made a similar note of the timeline: the VR browser was already available for some headsets, and became the default option for HTC Vive in January.

Shankland talked about Mozilla’s history in exploring VR technologies in its earlier days. He noted it was Mozilla that helped pioneer VR browser technology in work on the initial WebVR standard for creating VR content, “with its WebXR that embraces augmented reality too, and with its A-Frame programming framework that takes care of a lot of the heavy lifting for VR content creators.”

TechRadar: “Despite the growing popularity of consumer VR, proper VR web browsers are still few and far between, and Firefox Reality is one of very few specifically designed for use without a keyboard, mouse and touchscreen.”

Writing in the Mixed Reality Blog, Mozilla’s Janice Von Itter on Thursday said “We are excited to announce that Firefox Reality is now available for the Oculus Quest!” She said Firefox Reality was taking advantage of Oculus Quest’s “boost in performance” and capabilities.

Horwitz commented that Firefox Reality was thereby “taking advantage of the standalone headset’s 6DoF hardware for a more compelling browsing experience.”

Firefox Reality ships with the Enhanced Tracking Protection feature enabled by default, so that sites are blocked from tracking you and ad networks and tech companies are stopped from collecting your personal data.

Mozilla’s mindset here is that privacy should not be an optional setting; it should be by default. An added bonus is these protections work in the background and increase browser speed.

Also, according to Variety, the browser blocks auto-playing videos by default.

The first Quest release is available now from the Oculus Store. “Firefox Reality brings the best and freshest content from the web that you know and love to Virtual Reality headsets. Our browser provides an open, accessible and secure way for everyone to explore the web. Experience sharp text, high quality videos, and a seamless transition from 2-D to 3-D immersive modes.”

Mozilla, meanwhile, has even more plans, saying to stay tuned in the coming months as they roll out support for the nearly VR-ready WebXR specification, multi-window browsing, bookmarks sync, additional language support and other new features.

The video tells viewers about 360 video support, voice search (“what would you like to search on the Web?” You can also use your voice to search the web instead of typing), additional languages (Firefox Reality is available in 10 different languages), movie mode, privacy mode, resize mode, bookmarks.

Have a great week from all of us at ZI

Virtual world Second Life to enforce anti-money laundering regs

Players will need to provide government identification.

Linden Lab, the company behind virtual world and online game Second Life, will from now on ask its users to identify themselves in order to comply with tightened United States regulations, set up to combat fraud, laundering and terrorism financing.

The company said that “as part of our risk management process, we must obtain, verify and record information about our customers for whom we offer financial related services.”

Second Life has been active since 2003 and still has just under a million users, and its own virtual currency, Linden Dollars that can be credited against US dollar accounts.

These can be used to trade virtual goods in the Second Life marketplace, and one A$ currently buys just under 202 L$.

Linden Lab had over the past years tried to avoid getting the L$ classified as a virtual currency, stating in its monetary policy that they constitute “a limited license permission to use features of Second Life”.

The US Financial Crimes Enforcement Network (FinCEN) disagreed, however, and in 2013 said that Linden Dollars are a virtual currency.

Starting today, tightened AML/CFT regulations will mean Second Life players using financial services in the virtual world have to provide personal information to Linden Lab subsidiary Tilia.

This includes full name and address, date of birth, and US social security number and photo identification.

Proof of address and name will be required, and Tilia will only be open to those over the age of 18.

Non-American Second Life participants will be asked to supply government-issued credentials such as passports and photo ID cards.

Tightened anti-money laundering regulations around the world have caught out finance providers struggling to remain compliant with the new rules.

Last month, the Australian Transaction Reports and Analysis Centre (AUSTRAC), the country’s main financial intelligence agency, appointed an external auditor for layby finance giant Afterpay.

The auditor will probe Afterpay after AUSTRAC raised reasonable concerns that the finance company has contravened provisions of Australia’s Anti-Money Laundering and Counter-Terrorism Financing Act of 2006.

Prior to the audit of Afterpay, AUSTRAC’s compliance dragnet had caught systemic breaches at major banks.

One such breach, involving Commonwealth Bank of Australia’s intelligent ATMs failing to automatically ping suspect activity to AUSTRAC, cost the institution $700 million in fines and ultimately chief executive Ian Narev his job.

Virtual Money Laundering: How it works

Note: Second Life.com being the largest and most popular virtual world was used as the template for review.

Users, called “Residents,” move about and intermingle with other residents via a cartoon/human-like character called an “Avatar.” Currently there are approximately 9 million residents in Second Life. The area that your Avatar moves (or flies to or transports to) is called the Metaverse (3D virtual reality world). Your Avatar could find himself at an island beach resort, shopping mall, nightclub, or casino just to name a few. The possibilities are limitless. The residents are able to move about, interact with and/or chat privately with other residents, participate in activities and trade or buy virtual items and/or services from other residents. Additionally, virtual real estate may be purchased, sold and rented and virtual casinos are plentiful.

To purchase goods in the Metaverse, Second Life has created its own currency called Linden dollars (Linden is the name of the game developer) which can be exchanged for US dollars. Currently, on Second Life the exchange rate is approximately 270 virtual dollars for $1.00 US. This is the root of a very complex issue. Once a value is placed on an object (no matter what that object is, real or virtual) criminals will find a way to abuse it either by fraud and/or money laundering. Of course, in the money laundering world, anything of value can be laundered. A player/resident may use his actual credit or debit card to purchase online money and then redeem those credits for actual money with another player in another country and in that country’s unit of currency. Additionally, another question that will ultimately arise will be the issue of taxation or the lack thereof.

To create an account is just a matter of providing a name and email address. There is no verification of this information. To make the purchase of the Linden dollars a credit card may be used or a PayPal account. This is where there may be some form of investigative tracking, however, if fictitious information was used to establish those accounts a dead end will quickly be encountered.

Money laundering scenarios

A launderer opens up numerous separate virtual accounts, all using fictitious id. The accounts are all funded with the proceeds of an organized crime sports betting operation. The launderer can make purchases in the virtual world to and from himself by using those accounts as if he were purchasing assets from other residents. Subsequently, he may direct all his proceeds to an account that he maintains. He can then withdraw those funds either from the bank or using an ATM. It would be nearly impossible to trace the source of those funds.
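
The scenario above turned into detection logic, as an added example that is not part of the original article and is not anything Linden Lab runs: a Python rule over a constructed ledger (the ts,kind,src,dst,amount record format, the account names and the thresholds are all assumptions) that looks for many externally funded accounts forwarding nearly everything they bought to one account, which then redeems most of it for real money. A genuine merchant fails the rule because its buyers are mostly not pass-through accounts, and accounts that earned their L$ in-world never count as feeders.

```python
"""Consolidation-ring detector over constructed Linden-Dollar-style ledger lines.

Added example for this post, not code from the article or from Linden Lab.  The
record format (ts,kind,src,dst,amount), the account names and the thresholds
are all assumptions chosen to show the layering scenario the text describes:
many freshly funded accounts pass what they bought straight to one account,
which then cashes out."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed ledger.  kind is one of:
#   fund     outside money (card/PayPal) -> in-world account
#   transfer in-world account -> in-world account (a "sale")
#   cashout  in-world account -> bank/ATM
SAMPLE_LEDGER = """\
1000,fund,card-1,mule1,500
1010,fund,card-2,mule2,500
1020,fund,card-3,mule3,500
1030,fund,card-4,mule4,500
2000,transfer,mule1,sink,490
2010,transfer,mule2,sink,490
2020,transfer,mule3,sink,490
2030,transfer,mule4,sink,490
3000,cashout,sink,bank-9,1900
1500,fund,card-7,shopper,100
1600,fund,card-8,buyer2,50
1700,fund,card-9,buyer3,200
2500,transfer,shopper,merchant,30
2510,transfer,buyer2,merchant,50
2520,transfer,buyer3,merchant,20
2530,transfer,earner,merchant,15
3100,cashout,merchant,bank-5,80
"""


@dataclass(frozen=True)
class Tx:
    ts: int
    kind: str
    src: str
    dst: str
    amount: float


def parse_ledger(text: str) -> list[Tx]:
    """Parse the constructed CSV-style lines into Tx records, oldest first."""
    txs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, src, dst, amount = line.split(",")
        if kind not in ("fund", "transfer", "cashout"):
            raise ValueError(f"unknown record kind {kind!r}")
        txs.append(Tx(int(ts), kind, src, dst, float(amount)))
    return sorted(txs, key=lambda t: t.ts)


def summarize(txs):
    """Per-account totals the rule needs."""
    funded = defaultdict(float)                         # account -> L$ bought with outside money
    inflow = defaultdict(lambda: defaultdict(float))    # sink -> feeder -> L$ received
    cashed = defaultdict(float)                         # account -> L$ redeemed for real money
    for t in txs:
        if t.kind == "fund":
            funded[t.dst] += t.amount
        elif t.kind == "transfer":
            inflow[t.dst][t.src] += t.amount
        else:
            cashed[t.src] += t.amount
    return funded, inflow, cashed


def find_consolidation_rings(txs, min_feeders=3, pass_through=0.9, cashout_ratio=0.8):
    """Flag accounts that receive from >= min_feeders externally funded accounts,
    each forwarding >= pass_through of what it bought, and that then redeem
    >= cashout_ratio of the total for real money.  Thresholds are assumptions."""
    funded, inflow, cashed = summarize(txs)
    alerts = []
    for sink, feeders in inflow.items():
        mules = sorted(f for f, amt in feeders.items()
                       if funded[f] > 0 and amt / funded[f] >= pass_through)
        total_in = sum(feeders.values())
        if len(mules) < min_feeders or cashed[sink] / total_in < cashout_ratio:
            continue
        alerts.append({"sink": sink, "feeders": mules,
                       "inflow": total_in, "cashed_out": cashed[sink]})
    return alerts


if __name__ == "__main__":
    for alert in find_consolidation_rings(parse_ledger(SAMPLE_LEDGER)):
        print(f"{alert['sink']}: {len(alert['feeders'])} pass-through feeders, "
              f"L${alert['inflow']:.0f} in, L${alert['cashed_out']:.0f} cashed out")
```

On the sample ledger only the account named sink is flagged; merchant has four buyers but just one of them forwards nearly all of what it bought. A production rule would add a time window (feeders funded and emptied within hours), shared funding instruments or device fingerprints across the feeders, and account age, all of which the constructed ledger leaves out.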

Areas of Concern:

  • Can virtual money be counterfeited?
  • Is there any trail to follow the money?
  • Who has access to the computer systems used to fund the system?
    • Using the ruse of “improving functions,” hackers have already been able to install keystroke loggers and malicious codes onto the computers of those playing the game. Players already have had their accounts hijacked and their in game assets and values sold off.
  • Can criminals use the system to perpetuate their crimes?
    • Money laundering
    • Fraud
    • Gambling/Betting payoffs
    • Extortion
    • Ransom Demands
    • Private internal message capabilities
  • How does law enforcement investigate?
  • Loading cash from pre-paid cards to purchase online cash, thereby increasing the layering aspect of money laundering.

Some good news is that as of August 2007, Second Life has required identification verification for residents to access the “restricted” regions within Second Life. This is aimed at protecting children from adult areas of the site and from pedophiles. Further regulations will have to be adopted to protect financial integrity. If money is being exchanged then this may need to be classified as a financial institution. Hence, various rules and regulations would come into play.

Other Uses of Virtual Worlds

Many large corporations are currently researching the concept of virtual seminars and conferences. The idea being this is the next step in the communications chain; teleconferences, web conferences and perhaps virtual conferences. Major universities have also begun using the concept of virtual classrooms for their on-line study programs. Numerous large companies, including Nike, IBM, Dell, Reebok, Sears, Coldwell Banker, Calvin Klein and Mercedes have created a presence for their products in Second Life with a vision towards capturing the attention of customers in the real world.

An actual upcoming virtual conference will be presented by The World Bank and the IFC. They will embark on a trip inside the online virtual world at Second Life as they launch their “Doing Business 2008” report to the millions strong digital community. During this three-hour event, a spokesperson for the Doing Business report will appear in Second Life’s virtual world to present the report and take questions from participants.

Virtual Gambling

Gambling on Second Life was one of the more popular areas of the metaverse. One could easily find a game of blackjack, poker, roulette or slot machines. Of course, gambling was done with Linden dollars, however, just like other forms of virtual commerce there was a link back to a form of legitimate currency. Suffice to say that any form of gambling is attractive to the money launderer.

Several issues arose concerning Second Life and gambling. First, as of October 2006 all forms of online gambling became illegal in the U.S. Some of the residents of Second Life who lived outside of the US claimed that they were not violating any US laws. Nevertheless Second Life’s servers are located in California and it is a US corporation thereby making it illegal.

Another issue that arose was the question as to whether or not virtual gambling is the same as real gambling as you are not using real currency to place your bets. In effect you are simulating gambling.

A third issue was that of the actual accuracy of the gambling devices. There are no regulators nor any gambling commissions as there are in the real world to oversee the gambling activities. Hence there is absolutely no form of quality control whatsoever.

As of August of 2007, Second Life has decided to ban any and all forms of gambling on their website.

As individuals sign on to Second Life to do just that, create a second fantasy life, small entrepreneurs and major corporations are brainstorming ways to use this technology to increase revenue and profit. However, as with any venture into profit comes risk and uncertainty. While Second Life and other virtual MMOGs have built a virtual global village complete with entertainment, commerce and education, they have neglected to incorporate a virtual global police department. Ironically, the very reason these worlds were built, to let people depart from reality for a short time, produces the lack of structure that will make more rules, regulations and laws necessary. Even in the virtual world, escaping reality becomes problematic.

Have a great week from all of us at ZI

Is Cloud Storage Secure and Private?

Are you using cloud services like file storage, online backup, webmail and document sharing? Most people don’t know much about the safety and security of cloud computing. The parade of high-profile data breaches in the past year has some people worried about the security of cloud services. Are your files and sensitive data safe and secure in the cloud, or are they vulnerable to hackers, snoopers and other threats? Here’s the scoop on cloud storage security…

Is Your Head in The Clouds?

Cloud computing – storing data and using application software “out there” in the cloud of Internet servers – is becoming more and more common.  But are they safe? Can you trust some company on the other side of the wire with your business or personal data? Can you depend on software that isn’t on your computer to be available when you need it? What are the risks of cloud computing, and how can you mitigate them?

The first risk you run is being cut off from your computing resources by some breakdown in communication between you and them. But that’s rather unlikely, really. The Internet was designed to route data around broken communication lines, crashed routers, and other obstacles. Unless you live in a country with a totalitarian form of government, the Internet tends to be self-healing, unlike your desktop computer. So before fuming at your cloud storage provider for going down a whole five minutes, estimate how long it would take you to obtain and install a new hard drive, then restore everything from your local backup. Half a day, at least?

Risks of Cloud Storage

Data theft is a second and more serious risk of cloud computing. It’s not that cloud-computing providers are sloppy about security. They’re more conscientious about it than many large enterprises and most small users. But the bigger the castle, the more barbarians there are at the gates. As more companies deposit their top-secret data in cloud-computing providers’ castles, more hackers turn their efforts to breaching those high walls. It’s a never-ending battle, but fundamentally no different from you versus a lone hacker, and most home users are no match for a skilled hacker. The difference is that the provider has full-time defenders watching the gates; you don’t.

To those who say “I would NEVER put my files out there on some cloud server… they’re much safer on my hard drive,” I say the following: Does your home have gated perimeter access, 24×7 on-site security guards, and security cameras? Do you have a fire detection and suppression system, backup power generators, and a disaster recovery plan in the event of hurricane, flood or earthquake? Do you have sophisticated network monitoring and intrusion detection software? You can bet your cloud storage provider has all that and more in place to safeguard your data.

Google’s Cloud Security FAQ, for example, goes into detail about how your data is protected: “Our data centers are built with custom-designed servers, running our own operating system for security and performance. Google’s 700+ security engineers, including some of the world’s foremost experts, work around the clock to spot threats early and respond quickly. We get better as we learn from each incident, and even incentivize the security research community, with which we actively engage, to expose our systems’ vulnerabilities… we undergo several independent third-party audits on a regular basis. For each one, an independent auditor examines our data centers, infrastructure, and operations.”

Government monitoring and seizure of data is a third issue with cloud computing. The European Union has strict, high standards of privacy protecting citizens against government intrusion into their personal business. Not so in the United States, where the law gives government agents enormous latitude to spy upon and seize personal data, if they can get their hands on it. Did you know that the Electronic Communications Privacy Act, passed in 1986, allows law enforcement to obtain emails that have sat on a provider’s servers for more than 180 days with a subpoena rather than a search warrant? The practical defense is the same as against a data thief: if only you hold the decryption key, a seized copy is just ciphertext.

Another important consideration is death. What happens to your information stored online in the event that you’re no longer around? Everyone should have a plan to pass along important login/password credentials in the event they die. In addition to cloud storage, make sure you think about your webmail, online banking and social media accounts.

And it’s always possible that your cloud-computing provider will go out of business. A popular, reputable cloud storage provider that was planning to shut down its service would give ample notice and opportunity for customers to retrieve their data. But in the unlikely event that a cloud provider suddenly goes dark, what happens to your data? My advice is to keep local backups, or use a second cloud-computing provider for redundancy, and in either case to test now and then that you can actually restore from them.

What About Encryption?

Popular cloud storage services like Microsoft OneDrive and Google Drive encrypt files in transit (over TLS) as they travel between your computer and the cloud servers. So you don’t have to worry about some hacker or wifi sniffer peeking inside your spreadsheet as it zips along the information highway. Once stored, your files are protected by strong physical security, and the major services now encrypt them on disk as well, but with keys that Microsoft or Google hold, not you. There are good reasons for that: if the provider could not read the files, you couldn’t easily view them over a web interface, share them with other users or do collaborative online editing. The consequence is that provider-held encryption protects you against a stolen disk, not against the provider itself, a legal demand served on it, or anyone who gets into your account. (Boxcryptor is a third-party add-on that works with Google Drive, Microsoft OneDrive, and other cloud providers to provide “at-rest” encryption under keys you hold.)

Dropbox encrypts user files with SSL/TLS in transit and with AES-256 at rest, once they’ve been stashed on the cloud server. That gives you some assurance that if Evil Hackers were able to walk off with the stored data, they wouldn’t be able to read your scrambled files. But the caveat is that Dropbox itself holds the decryption keys, so an attacker who compromises Dropbox’s key management, or Dropbox acting under legal compulsion, can still unscramble them. This quote from the Dropbox security FAQ explains why:

“We do have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access. In addition, we employ a number of physical, technical, and heuristic security measures to protect user information from unauthorized access.”

If you’re uncomfortable about the provider-held keys in OneDrive or Google Drive’s cloud storage, or you just don’t trust the server-side encryption that services like Dropbox offer, you do have another option. With client-side encryption, you encrypt the files BEFORE they leave your hard drive, and you control the decryption keys. Most cloud backup services such as Mozy, Carbonite and IDrive offer the option of a personal encryption key, so that your files are encrypted before being sent to the offsite cloud backup, and only you can decrypt them. The flip side is that the provider cannot reset or recover that key: lose it and your backups are unreadable, so keep a copy somewhere safe and offline. VeraCrypt is a free, open-source, cross-platform encryption tool; you can keep files in a VeraCrypt container and sync the container file to any cloud service. Versions are available for Windows, Linux, and macOS.
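To make the client-side option concrete, here is an added example (written for this article, not code from any of the services named above) of what “encrypt before upload, only you hold the key” looks like in practice. The provider only ever receives the output of Encrypt; the key file stays on your machine. AES-256-GCM is used because it authenticates as well as encrypts, so a blob that was modified, renamed or swapped on the server is rejected on download instead of silently decrypting to garbage. The sample document, file name and the “provider” that just holds bytes are constructed for the demo.

```go
// Added example (not from the article): client-side encryption of a file
// before it is uploaded, so the cloud provider only ever sees ciphertext.
// The key lives in a local file the provider never receives; AES-256-GCM
// also authenticates the data, so a modified blob is rejected on download.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// NewKey generates a random 256-bit "personal key". Store it locally (and
// back it up offline): if it is lost, the uploaded files cannot be recovered
// by you or by the provider, which is exactly the property we want.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt returns nonce || ciphertext || tag. The file name is bound in as
// associated data, so a blob renamed or swapped on the server side fails
// authentication when it comes back under a different name.
func Encrypt(key, plaintext []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per file
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Decrypt reverses Encrypt and fails on a wrong key, a wrong name, or any
// modification of the stored blob (GCM's tag check catches it).
func Decrypt(key, blob []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to be a valid ciphertext")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 budget,1200\nPayroll,4000\n") // constructed sample spreadsheet

	blob, err := Encrypt(key, doc, "budget.csv") // what gets uploaded
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes, starting %x...\n", len(blob), blob[:8])

	back, err := Decrypt(key, blob, "budget.csv") // download with the local key
	fmt.Printf("restored intact: %v\n", err == nil && string(back) == string(doc))

	tampered := append([]byte(nil), blob...) // someone edits the stored copy
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, "budget.csv")
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	otherKey, _ := NewKey() // the provider, or a thief, without your key
	_, err = Decrypt(otherKey, blob, "budget.csv")
	fmt.Printf("wrong key rejected: %v\n", err != nil)
}
```

A real sync tool would also encrypt file names and derive the key from a passphrase with a memory-hard KDF such as scrypt or Argon2 (available in golang.org/x/crypto, not the standard library); the essential point is unchanged: everything the provider holds is useless without the key that never left your machine.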

Cloud computing is definitely here to stay, and its benefits are compelling. You shouldn’t avoid cloud storage services because of imagined or falsely inflated fears, but you should be ready to deal with the real risks.

Are you storing files in the cloud?

Have a great week from all of us on the ZI Staff