CLOUD “Email, Social Media, Hosting, and Applications” all have a drawback…

Just because it’s free does not mean it is good for you. I remember the saying, “You get what you pay for.”

What is the Cloud?

Cloud is the term that describes a server somewhere out on the internet that you do not own that hosts something of yours. Examples: Microsoft OneDrive, Google Drop Box, Facebook, and YouTube. Mediacom, AOL, Ubiquity, Apple, and cellular service companies host your SMS and text messages. Did you know SMS and text messages are unencrypted and not secure unless you establish an encryption (such as GPG) between you and your recipient?

What is a Hybrid Cloud?

A Hybrid Cloud is similar except some of that cloud is self-hosted. The self-hosted portion is your private cloud. A well-established business may host its email in a Microsoft Exchange Server on the property. For a private individual, think about the Western Digital “redundant” hard drive. They have more than one drive so if one fails you do not lose your data. These also have a cloud option where you can access your home storage device from abroad. Your private cloud.

The BIG difference between Private and Public Cloud?

The difference between them is who has control of your data and if it is actually secure.

EULA: End User License Agreement or terms of service

There are many cloud services out there that have no fee. Each cloud service carries its own End User License Agreement (EULA) and in most of these they lay claim to any and all information that you post to that cloud service. We will look in more detail at this phenomenon using YouTube as an example. The EULAs for cloud services are now most commonly presented to perform as release of liability documents for the provider. They are one-sided, not in your favor, and when you agree to freely give ownership over your information to that corporation they hold all the power over your data and security.

What is Information Security?

There are 7 main areas to evaluate information security.

  1. Confidentiality
  2. Authentication
  3. Integrity
  4. Non Repudiation
  5. Access Control
  6. Availability
  7. Ethical and Legal Security

All of these points apply to any of the following roles:

  1. Data Owner
  2. Hosting Vendor
  3. 3rd Party Investor

What role do you fit in?

What is PII?

PII is an acronym for the term, Personally Identifiable Information. According to DHS, PII is defined as

“any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department”.

What is Sensitive PII?

Sensitive PII is defined by DHS as:

“Social Security Numbers, driver’s license numbers, Alien Registration numbers, financial or medical records, bio-metrics, or peoples criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data is compromised.”

How do we measure security?

1. Confidentiality: Is the information stored in such a way that the Data Owner’s information is kept confidential? This is not just their contact information. It includes every byte of data they place in data storage.

2. Authentication. Data owners authorize whoever they wish. The authorization is commonly given through credentials and a 2nd form of authentication. It further proves the identity of the party who is being authorized. Example: When you log into Google on the computer you enter your Gmail account address and password. Then if you go to the Google Play store and choose software to install on your phone, Google is going to send a security code to the phone to verify that you have the phone and are who you say you are. You must enter that code on the computer to prove you possess the phone. A secondary form of authentication. Try that.

3. Integrity. Example: Your computer has a documents folder and you stored files in there. You installed Google Drop Box and it copies the files up to Google whenever something changes. You step away to answer the phone and when you come back there is a problem. A crypto / ransomware virus has taken over your computer and encrypted all of your documents. In this situation the integrity of your files was not secure. Hopefully, the copy of data on Google Drop Box was not also affected. Commonly, that happens too. Perhaps next time you will use a great antivirus product such as Webroot. Also, I feel it is better to have a managed version installed that you do not control. It can’t be removed and its settings can’t be modified. Even if you’re the administrator. So the security cannot be “turned off” by you or anyone, or anything pretending to be you.

4. Non Repudiation. Example: If someone were to log in to your computer and delete all your files, this form of security provides proof regarding who did this. It makes it impossible for them to deny their actions.

5. Access Control. Example: You logged in to your work computer. Then you decided you were going to go look at a coworker’s email. Too bad! You are not that person. Therefore, only they have access to their email. You have only been given access to the things you need.

6. Availability. Is your data always available and accessible? In an earlier example I mentioned the integrity of your data. That example had your computer being compromised by a crypto / ransomware virus. If that happened your documents may not be available either. The security of your documents’ availability is also compromised.

7. Ethical and Legal Security. There are multiple levels of governing bodies that are concerned with information security. INTERNATIONAL, FEDERAL, STATE, LOCAL and Organizational. For example: you went on vacation to Paris. While there a street vendor sold you a nice shirt. When you got back to your hotel you ordered food but the card was denied. You found out that your shirt was a ploy to steal your credit card data. The PCI compliance laws and regulations which are international were broken by that street vendor. Second example: you decided to get gas at a small roadside gas station. It had 2 bays. Very simple and kind of old. There was a credit card reader. You were in a hurry. You filled up and left. While using your card you did not see the security seal was broken on the pump. Later, you go to get dinner and your card is denied. The PCI compliance regulations were broken by the gas station who by law cannot sell gas unless the security seal is valid and intact. They actually have to pay their pump provider a fee to inspect, test, and seal their pump. Next time you get gas look for that seal.

Now you have a very good idea of what security is and who it involves. Back to the question.

Is the cloud secure?

Knowing what I have shown you, that is a very hard question. To answer it you have to ask which cloud? Because you must evaluate each one separately. How many cloud providers do you deal with? So let’s do an exercise. A hypothetical situation. Let us establish that we are the end user and that our cloud provider is YouTube. OOOH boy. Will my site get taken down?? !!#!. NO. I have a private cloud and self host. GOOGLE, enjoy the TRUTH. I am unhappy with your ways! You need to be disbanded.

YouTube is free and they require you accept a EULA that no one looks at for long. Have you read it? It links out to other policies and the way it is worded seems very harmless. Also consider that you registered your phone with Google and/or Apple when you used it for the first time. Everyone told you that’s just what you do. Right? And because it’s new just for you, and so convenient. Don’t worry about anything. It will be perfect! Right?? NO. Not really. Is this a red pill moment for you? You can turn back now if you like. I promise to be fair and kind.

Do you understand that any application on a cell phone may have the ability to track your location, your data (texts, call history, contacts, web browsing history, pictures, videos) and it might even look at you and listen to you without your knowledge? Have you ever heard of Edward Snowden? He spoke about this very thing. It is true.

As far as YouTube is concerned what did their EULA say?

Have you read it?


Dr. John Campbell is a fellow that has tracked the COVID virus, the vaccines, and the effects each had on the populations around the world. I placed a portion of his video below. It is from September 18th 2022. Dr. John Campbell looks at the numbers of excess death that are published by the World Health Organization and other global agencies. In this video he also mentions that YouTube warned him with a strike that his content was in opposition to their “Community Standards”. He establishes that cannot be true because he has used only the WHO’s and other National Agencies’ “published” positions on various topics.

For our security discussion this has more to do with the security of John’s content he is posting at his cloud provider, YouTube. It also touches a bit on his freedom of speech.

Again, the EULA allows YouTube to govern his content and claim ownership over it. By signing and accepting it he has been rendered powerless to speak truth if it does not conform with “Community Standards”, which is debatable because he used whatever was published by WHO and nothing of his own opinion. Just the numbers they put out.

Here is John’s video. It is an example of the “EULA phenomenon”, which gives John very little control over his data. The provider can just delete it at will if they choose. Keep in mind that John only uses data provided by the Authoritative Organizations and maintains speech that is harmless. Just so you really understand, he has agreed along with all YouTube users to have no security for the integrity of their data. The ethical guidelines and governance are made of no effect by the EULA also.

https://www.youtube.com/watch?v=WjG3VoX3Ldk

Let’s move forward now and look at YouTube from our perspective as an end user using the 7 points to measure security from this perspective.

  1. FAIL for Confidentiality. Is the data stored securely? Is the information safe from prying eyes? No one should be given our information if it is kept confidential.

    This is Google. They have all of your information already if you’re an Android user. Every individual is different. Google does allow you to register under another email domain. Just in the short review of the EULA above I saw this.

    “Your Information

    Our Privacy Policy explains how we treat your personal data and protect your privacy when you use the Service. The YouTube Kids Privacy Notice provides additional information about our privacy practices that are specific to YouTube Kids.”

    If you continue on to the Privacy Policy we see

    “We want you to understand the types of information we collect as you use our services”

    It is not just a picture or a video. It is your demographics, information about your device, the activity information about how you use your device and what you look at on YouTube. Also the content you post. They help direct appropriate products your way using the data. They are positioned as an advertiser / hosting provider.

    What do they do with that information?

    They use your information to:

    provide services
    maintain and improve services
    develop new services
    provide personalized services, including content and ads

    Well. Look at that. Google is using your information to do business. Is that privacy? No. It is not. But the EULA you accepted gives them that right.

    I recommend you remove Google from your phone if you value your privacy.

    It is YouTube. They say “When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.”

    A disarming comment. However, they put themselves in control when you accept the EULA. Your only choice is whether or not to use their cloud services.

    What exactly are the services they provide and who pays for them? We did not spend anything. Who does? How is it free? I believe that nothing is free. You pay for it one way or another. In this situation you are the commodity. Advertisers pay for your information. I wonder if any Governmental Contractors pay Google for your data? Is Google a Governmental Contractor?

    Confidentiality is your choice and responsibility. If you post yourself with a wild nose hair hanging out you cannot hold YouTube accountable.

    Phone Permissions

    Most people use the YouTube app directly from their cell phone. Go into your apps right now and look at the permissions for YouTube. Why do they need access to your location? Is it important for someone at Google to have the GPS coordinates that are attached to your phone, pictures and videos? Why is that important? Why does the application need your Microphone and Camera? So you can post your videos of course. No big deal? YouTube has access to the local storage on your phone. Of course, how else will it upload the video you took? Why does YouTube also have the phone permission? Is it important for YouTube to look at your call history or your contacts?

    Before we get into authentication it is important to discuss Biological Identification. At the very start of the article we looked at DHS who defined Sensitive PII. Biological Data is considered to be Sensitive PII. Most phones today, both Android and Apple, have taken the liberty to integrate facial recognition, fingerprints, and other methods to use your Biometric Data as a form of identity. There was a EULA you agreed to when enabling this feature also. You freely gave access to your Sensitive PII to use as they will and to hold them blameless.
  2. PASS for Authentication. At log in this establishes proof of identity before there is any access to data. Now, in addition to a username and password, there is a second form of authorization, called two-factor authentication, which secures this even further. Google has very nice authentication controls that establish your identity – every time.
  3. FAIL for Integrity. Is the data stored safely and is it kept intact? Are there protections in place for viruses? Are there backups?

    Is the video you posted earlier intact? Did it get deleted because it opposed “Community Standards”? The fact that the cloud provider can govern your content fails. By removing or deleting your content they failed integrity.
  4. PASS for Non Repudiation. Is it possible for someone to deny they logged in? Non repudiation uses log files to prevent a person from denying they logged in. It can also be used to prove the user’s actions while on the system.

    From the standpoint of the end user there are very fine controls to log and report activity. Through this logging Google has identified and reported, to me at least, that a login occurred from a device at a specific time and location. The notification comes in and most of the time it is just me. But it proves that I logged in. They kept the activity and have that data. They even used it to question if that was me logging in.

    To an end user who had their content taken down, Google admits openly that they removed content they say did not conform with their community standards.

    There is even a record kept when you flag the content you have found on another YouTube channel. You admit and record you reported that channel.
  5. FAIL for Access Control. Who has permission to access data? Is the data Physically Secure? Should the average visitor of my site be able to change any of the content in this blog post? Can someone walk up and carry the server away or is it locked up?

    Let’s be honest. Do you want the administrator of YouTube to destroy your content? Did you give them Access and Control over your video? Through the EULA. You published your video. You “own” the content and yet YouTube deleted it? Did they have your authorization to delete it? No. That was not in your plan.

    Physically, Google has secure data centers. Yes? Where are they? Who maintains them? How do you find out?
  6. FAIL for Availability. Is your data always available and accessible?

    The same problem exists for us as an end user. Just for our posted content that was flagged and removed because of “Community Standards”.

    I have seen YouTube end a live stream and remove the video using the “Community Standards” reasoning.

    If the content an end user has posted is no longer available and that end user did not intend for their content to become unavailable then this security point is a definite fail.
  7. FAIL for Ethical and Legal Security. This speaks of Ethical Responsibility and Governance. There are multiple levels of governing bodies that govern service providers. INTERNATIONAL, FEDERAL, STATE, LOCAL and Organizational. The question becomes who establishes the measure for ethical behavior?

    I believe YouTube has an issue with Governance. They dance around the law with EULAs claiming that gives them the right to do what they will. A big loophole to go around the law.

    Who can blame YouTube for taking advantage of our willingness to accept their EULA? This is their position. They are held blameless by the end user that accepted their EULA.

By this review from the perspective of the YouTube user – I would say No. YouTube does not meet many security standards.

Are CLOUD Services Secure?

I feel that YouTube is not very secure.

There is little control over the information that is stored on this platform. It can be deleted and it may be shared and used to create new services. YouTube is an advertiser and they are paid not by you but by the advertisers. This makes you a commodity that they sell to advertisers.

YouTube controls its content and if it does not agree with their “Community Standards” it is deleted. Therefore, your freedom of speech has been taken by them through the EULA. They are now feeding you only the information they approve of. They control your perspective by telling you what to believe, and what to think, by only providing what they want you to see.

The YouTube service is a Technocracy to all that use it. YouTube behaves through its own Governance as a COMMUNIST form of Government.


Take control over your data

Determine what services you depend on and how to move away from a Cloud Provider that does not honor Security to one that does. If you are not sure, give us a call for a free consult.


YouTube Truth

As Americans, it is simple to look towards Washington DC and understand who your president is. May I discuss this situation? The White House Visitors Center has a big board with every president that was elected and how long they served.

Here is a link to their website:

https://www.nps.gov/whho/planyourvisit/white-house-visitor-center.htm

1450 Pennsylvania Ave., NW
Washington, DC 20230

Penguin 6 is a YouTube content provider who has been providing live situation reports in Washington DC for several years. On August 26th 2022 at around 11 AM he visited and filmed the White House Visitors Center and confirmed the last president listed on the Presidential Wall is President Trump.

Penguin 6 – 8/26/22 – White House Visitors Center – Presidential Wall

Security+ Certified

I design, build, and administer websites, email, identity, and cloud storage solutions. I started this work in 2003. I have certified this knowledge through CompTIA so this is confirmed by a verifiable third party.

Security Service Offering

  1. Midnight Tech conducts security assessments to identify security risks.
  2. Midnight Tech develops security plans.
  3. Midnight Tech maintains technology and its security.
  4. Midnight Tech establishes security teams to quickly identify and respond to security events.
  5. Midnight Tech recommends Security Training.

Please send your comments and questions to sales@midnighttech.com.