undefined | Better HN

0 pointsdredmorbius10y ago0 comments

Implication is that OP has audited source and found it wanting.

Threat models and risks vary. SAAS offers aggregated data and appealing targets, though they may be well hardened. Much as I criticise Google, I find their claims of protecting data reasonably credible (not enough to be comfortable with it).

A distributed system with many known and unknown vulnerabilities and a readily determined network signature (nmap or similar) remains a bulk source. A determined adversary could scan all possible network space quite quickly and access data. With known targets -- monitoring your network traffic, knowing URLs or MXs -- they could target you directly.

NB: I haven't audited OwnClowd, nor am I particularly qualified to do so.

0 comments

2 comments · 1 top-level

davexunit10y ago· 1 in thread

But you can't audit Google Drive. If it's not free software, then it cannot be trusted.

dredmorbiusOP10y ago

Fair point, though not strictly true. It's possible to conduct both audits and black-box testing of proprietary systems, and some of these provide source fairly liberally.

Microsoft provides examples of both. Samba's Andrew Tridgell has commented that the team knows many ways to crash or compromise Windows systems. Microsoft's academic code licensing provided pretty liberal access to OS source code. Similarly corporate partner licensing for contractors.

Though security didn't exactly thrive under that regime... PGP is another company that provided core crypto code for public review, though it wasn't Free Software.

j / k navigate · click thread line to collapse