undefined | Better HN

0 pointsvictorhooi10y ago0 comments

I appreciate you taking the time to enumerate those examples.

Several of them are certainly plausible. However, after reading through them, the majority seem to be from the perspective of an external attacker.

That is - the issue here isn't if say, Dropbox knows how you use their app, or Twitter knows how you use their own app - but rather if an external party broke in, and used that data maliciously.

I agree that is an issue - but then it becomes more of an InfoSec issue, than one of a company collecting data from its own apps.

Then it boils down to - do you trust that company/services security staff, to keep the data they collect secure?

I think for most people - if you weigh up the chance of a wide-scale break-in at say, Twitter, or Instagram versus their own data-security hygiene, chances are, it's much easier to hack a user, as opposed to break into a large-scale webapp and steal all of their data.

Not impossible - but when was the last time you heard of somebody breaking into say, Github or Instagram, and stealing data?

Even something like 2FA isn't that easy to implement securely - and when a company like Google or Github does it for you, I think that's a net-win for security.

0 comments

3 comments · 2 top-level

vertex-four10y ago· 1 in thread

> That is - the issue here isn't if say, Dropbox knows how you use their app, or Twitter knows how you use their own app - but rather if an external party broke in, and used that data maliciously.

One huge issue is that, over a period of time, these companies will tend to share increasingly more data with unnamed "partners". And if you've already given them data, and they decide they're allowed to share that data at a later point in time, there's very little you can do about it aside from getting all your data off their services ASAP (if they'll allow you to) and switching, which is expensive in terms of time and productivity when it's even possible.

There's another thread on this post that explains how your entire credit card purchase history is shared with third parties - and that's probably one of most people's most sensitive pieces of data, and there's very few people who realise that it's even happening. The alternative to using banks which do this is, essentially, stashing cash under your mattress, or bitcoin.

The alternative to using GMail, Github or Facebook is, luckily, a bit easier - setting similar services up yourself and maintaining them. Though best of luck if you're not a techie type, or don't have a couple of hours a night to figure out why GMail has suddenly started marking all your email as spam for the fifth time. We don't yet have reasonable infrastructure for small, locally-run services for consumers - try and find cheap email hosting owned by someone where you can actually go knock on their office door and have a chat. One of my long-term projects is to have hackspaces and similar organisations take over this role.

victorhooiOP10y ago

Yes, sharing with "partners" is certainly an issue - but I would posit that falls into once again, do you trust those companies.

There are companies I flat out to do not trust - Sony, Lenovo etc. They will need to work hard to re-gain that trust.

There are companies I have my misgivings about - e.g. LinkedIn (they are quite spammy), and I am very careful with what I share with them.

Then there are those companies that I use day-to-day, that I do trust - they provide a useful service, they haven't breached their trust, they have a good security track-record, and for me, the cost/benefits mean it's simply not worth the additional mental bandwidth of scrutinising everything single packet that leaves their app.

Examples - Github - I trust Github. Or say the HN forums etc. =).

I believe another poster here mentioned their IndieGoGo project - https://cloudfleet.io/#/ - basically 450 EUR for an appliance that provides email, calendar and file-sync - or the code is open-source.

With regards to the bank, I don't have a good answer for that - I live in Australia though, so the story may be a bit different there. I have had people (who indicated they were associated with my credit card company) try to sell me things - but I think that was just another division of my bank, as opposed to partners.

Finally - I agree with you, setting up your own Gmail-equivalent is certainly not trivial. The spam issue you mentioned is certainly one thing - for most people, they just want email that is reliably delivered - and also for incoming spam to be correctly marked as spam. Both of those are significant engineering efforts, in two vastly divergent fields (e.g. keeping up with all the standards like DKIM, SPIF etc. among other operational/administrative things, and machine-learning and large-scale data analysis). I would posit most people here are hardly experts in one, let along both (among all the other things they'd need to be experts in). That, and most people wouldn't have a large enough corpus to train the spam filter on anyhow.

Or say Github - yes, you could certainly setup your own Git repository - but say you hosted a project the PRC didn't like, and they wanted to DoS it - do you really think you could stand up to them, like Github has? There is once again, significant engineering effort involved here, infrastructure, backend, operational etc. in order to mitigate these things:

Eg. https://github.com/blog/1981-large-scale-ddos-attack-on-gith...

Most people simply don't have the know-how or time to execute those well (I wouldn't even try) - yes, if there was an open-source project that had the same backing as Github, the same number of engineers constantly working on it, and the same number of SREs/ops people making sure it ran well (or we had our own personal army of SRE/ops people...haha), I'm sure many of us would use it - but there isn't, and I suspect there won't be. Large scale turn-key web-apps aren't really where open-source shines.

greggman10y ago

I thought the point was Amazon is collecting this data. They are external to all the various individual app companies.

j / k navigate · click thread line to collapse