The cloud is not secure

We’re getting closer and closer to an age where our data is separate from the machines that we use to manipulate and interact with it. A stepping stone to that future is the “cloud” – a remote, server-based repository of your information that can be accessed by a variety of applications and interfaces. In some ways the cloud has been around since the beginning of computing (dumb terminals plugging into mainframes) but the new, shiny, consumer cloud is both similar and indifferent. And there are many incarnations.

Apple’s iCloud is a complex, powerful solution for remotely storing your data and making it accessible to your apps whether on any of your devices. A simpler solution is Dropbox which syncs your files between devices (and offers a decent web interface). In recent weeks Dropbox has become quite controversial. Dropbox had a serious security breach that allowed people to log into any account using any password. It was a very serious flaw and a serious oversight on Dropbox’s part. They’re currently being sued over the matter. More recently they made an important addition to their terms of service which gives them broad-reaching rights over your data. However they have made efforts to make it clear that they have no interests in rights greater than what they need to run the service.

While services like Dropbox are great and convenient (and probably have the user’s best interest at heart) one thing needs to be made very clear: The cloud is not secure. Having a strong password is no guarantee of security. Putting copyright licenses on your work is no guarantee of security if the TOS give the hosting company rights to it. It is safest to assume that at some point in the near future any data you keep on a cloud storage service can and will be compromised. Under “compromise” I include perfectly legal government seizures as well.

The only data that I put in Dropbox is stuff that I will be making public anyways – copies of school projects, essays or reports that I intend for people to see and distribute. I would never put anything I consider even remotely private in the hands of a service like Dropbox. You should only put private, personal data in the cloud if you first encrypt it locally with a proven encryption algorithm and the encryption algorithm is implemented by an open source, trusted piece of software. The open source is important otherwise there is no way to know that there isn’t a backdoor of some sort. To access the data you should download the encrypted version and then decrypt locally. Anything unencrypted that goes over the wire (or the air) is probably wide open to the world to see. For most people this already includes their email and Facebook data.

I keep my online backups in an encrypted Amazon S3 bucket. I also keep some code on a remote server and make sure to connect over SSH. However, I also don’t keep things like passwords, PINs and account numbers in any written form. The only really secure data is data that doesn’t exist. That being said, modern encryption techniques are still a pretty good defense in most cases. In this age of the cloud you should keep in mind that any data you put unencrypted on someone else’s servers (whether they be files in Dropbox or photos on Facebook) is essentially public.

The Web is for Documents: Part I

I’ve always had something of a love-hate relationship when it comes to webapps. I use a lot of them and by and large I like them. But there was always something about them that seemed just a tad bit … unnatural. I could never quite put my finger on it and over the years as I started to using them more and more I put my uneasiness down to just the newness of the whole thing. By and large, I managed to put it out of my mind or learn to just live with it.

It only came back to me a few weeks ago as I was making plans for an independent study. See, one of the larger gaps in my knowledge of computer technology is networking in general and the Web in particular. I wanted to change that to some extent before I left college and since I had just one semester left I decided to spend my last semester building a webapp of some sort. But when I did that the uneasiness I had felt all along came flooding back. Though I knew that very powerful applications were being built using the current set of Web technologies (mainly HTML, CSS and JavaScript) as I read more and more about web programming something felt wrong. People were writing these huge frameworks and JavaScript libraries in order to build these great programs that ran essentially the same no matter where in the world you were as long as you were running a modern browser. Though it was a great idea and I’m sure lots of hard work had gone into it all, something felt out of place. After exploring the world of JavaScript frameworks and CSS generation tools, I think I’ve stumbled upon the answer.

The thing is, the Web was never built to be a host for dynamic applications. The World Wide Web was (and is) a platform for sharing and displaying documents and it’s only recently that we’ve been trying to hack that document-based framework to enable everything we’re seeing now. Even as the web evolves, the basic standards are still very much true to the Web’s document-based roots. The newest HTML5 specification actually adds a number of semantic elements such as headers, footers, asides and section tags that will help us create better, more meaningful documents. HyperText is ultimately a semantic markup language, no matter how much we try to hack it to be a GUI layout language. JavaScript ultimately manipulates a Document Object Model (the DOM). The inherent document nature of the Web and everything built on it isn’t something that can be ignored and it’s certainly not something that is going away any time soon.

So does this mean that webapps are bad or doomed to failure? Not at all. But it does mean that there are some things that we need to keep in mind as we build and use them. JavaScript does provide a very powerful (and increasingly fast) tool for manipulating our documents in real time and CSS is a good approach for styling and changing presentation (though the language itself could use some work). In order to build webapps that are both useful and feel natural in the context of the web, we should always have the web’s document basis in mind. Webapps that acknowledge and embrace this will have a better time than those that want to only recreate desktop-interfaces on top of HTML5 technologies.

Even today, the most elegant webapps are the ones that have embraced the document idea: Gmail and Simplenote make no pretense to be or mimic desktop apps. The reason that Gmail quickly became more popular than almost any other webmail client out there is that they took a different approach from everyone else: Gmail didn’t try to look or feel like a full desktop app, but it wasn’t just a webpage with links to your messages either. There was a very delicate balance of dynamism and static presentation that makes Gmail so great for the web (as well as no annoying banner ads).

I think the rise of the mobile web and the app store model for mobile devices is helping this new model of webapp become more popular. We’re seeing the rise of cloudtop services — services where the web interface is just one of a group of ways of interacting with the service. Take for example Simplenote and Dropbox. Both have a decent web interface, but also have mobile and desktop apps for the popular platforms and an API allowing others to build inventive applications on top of their services. This means that the webapp doesn’t have to be the be-all and end-all of the user interface. There are many interfaces, each playing to the strengths of their respective platforms.

Of course not all services are going this route. 37signals makes some great web software (or so I’ve heard, I’m not a customer myselft). They’re going all out Web, at least for their Basecamp product. Will it work? Maybe. They claim it’s because they don’t want to have specialized apps for each platform. But the web itself is a platform and the fact that they say that you need a WebKit mobile browser makes it sound like they’re just choosing the web platform instead of native mobile platforms. I personally don’t agree with their direction (and their stated reasons for it), but it will be interesting to see what happens.

I think we’re living in a very exciting time with our technology going in numerous interesting directions. As the idea of cloudtop services becomes more popular, we’re going to see a plethora of native applications that play to the strengths of their native platforms. The ones that are successful on the web will embrace it’s document nature instead of trying to ape desktop apps. And it’s not just apps that we should be looking at, the meaning and scope of documents themselves will change and become better as the Web evolves and its technologies evolves. Stay tuned for part II where I look at some novel types of documents that the web is enabling.

Aiming for the Cloudtop

In my day-to-day work I end up using a number of physical machines and all three major operating systems. I do most of my work on Linux, but I use Windows machines for all my electrical engineering work (mostly MATLAB and a few design programs). I use my Mac Mini for my music and videos and if I need to use a computer at the library I prefer using their iMacs. I often find myself needing to transfer files between machines (especially if I need to print something). Even the school gives students a gigabyte of space on a network drive, I never got it to work on Linux. In the past I’d use a combination of email and USB drives to moce stuff around, but a few weeks ago I started using Dropbox and I’m quite happy with it.

I haven’t been able to quite pin down what makes Dropbox successful when other similar applications haven’t done so well. I think a large part of the reason is that Dropbox seamlessly melds the cloud and the desktop. They have desktop apps for Windows, OS X and Linux that all actually work. The way I use it Dropbox acts as simple folders on my local machines and are immediately synced with the corresponding folders on all the other machines. And whenever I’m at a computer where I can’t install Dropbox, I can just use their web interface (which is well done and very frictionless). It also helps that Dropbox gives me 2GB completely for free. I have friends who are pushing that limit already, but since I just put stuff like homework I need to print off, that should last me a while.

Part of the reason for why Dropbox feels so easy to use (and I becoming very popular) is that it seamlessly fits in to the way you work. Dropbox doesn’t sell itself as a backup or some kind of complex, high powered auto-syncing solution. It does one thing well — keeps a folder exactly the same on all your machines. You don’t have to manually upload files to a webservice or specify which folders you want to sync and what not to. You just put everything in one place (your Dropbox) and rest assured that it will be the same on whatever computer you’re on.

As Anil Dash says, the key to apps like Dropbox and Evernote (which I don’t use myself) is that they inhabit a sort of “in-between” space that exists across both the web and the desktop. They don’t try to deny to deny the presence of the desktop by offering an all-powerful web UI. Instead they embrace the idea that you’ll be using multiple heterogeneous platforms. The web is just yet another interface. They also offer an API meaning that developers can’t extend it for purposes that the original service provider doesn’t support. Another aspect of these apps that I find refreshing (as compared to Delicious for example) while they allow for sharing and a certain social environment, it isn’t central to the service’s operation.

I’m hoping that these sort of “cloudtop” services get more traction as time progresses. In particular, I’d love to see things like user preferences be synced as well as folders and data. On a parallel note, I’d like to export services already present in applications get streamlined as well. As an example, iPhoto allows for export plugins so that you can directly upload your photos to places like Flickr, Picasa or Facebook. Unfortunately the upload process generally blocks the whole app instead of happening seamlessly in the background. I think we’re getting closer to a future where all our data is available seamlessly everywhere. I hope there isn’t too much fragmentation in the area as it would a pain to have to use half-a-dozen different apps to keep my data in sync (especially if they’re all using a different way to do it). This market is still in its infancy but apps like Dropbox are leading the charge and they promise to make computing much easier all involved.