CLOUD “Email, Social Media, Hosting, and Applications” all have a drawback…

Just because it's free does not mean it is good for you. I remember the saying, “You get what you pay for.”

What is the Cloud?

Cloud is the term that describes a server somewhere out on the internet that you do not own. Examples include Microsoft OneDrive, Google Drop Box, Facebook, and YouTube. Mediacom offers email and apps in their client packages with their internet, VOIP, and Cable TV. AOL provides a bunch of services to their customers and they are not limited to only email. Ubiquiti hosts security camera streaming services using their cloud. Apple and Google have put your phone services in their cloud. Most website and email providers are cloud providers. Even text and SMS messaging is stored in a type of cloud at the service provider. Did you know SMS and text messages are unencrypted and not secure?

A Hybrid Cloud is similar except some of that cloud is self-hosted. The self-hosted portion is your PRIVATE CLOUD. Consider Microsoft Exchange. It is the mail service application from Microsoft that installs on Microsoft server platforms. Office 365 is the office productivity package and Active Directory is the Directory Controller which houses everyone’s account identity. It is common to host these services on servers located at the business. Microsoft also provides a solution to synchronize everything to their CLOUD. They do charge a small fee per user, which is rent for infrastructure, or Infrastructure as a Service.

There are many cloud services out there that have no fee. Each cloud service carries its own End User License Agreement (EULA), and in most of these they lay claim to any and all information that you post to that cloud service. The EULAs for cloud services are actually release of liability documents (for the provider) combined with an agreement you accept to freely give ownership over your information to that corporation. If you disagree, you just will not be using the service.

Is the CLOUD secure?

Cloud services are controlled by the owner of the platform, and in many cases this is a corporate entity and not an individual. Before answering the question or even considering it, we should define what security is.

What is PII?

PII is an acronym for the term, Personally Identifiable Information. According to DHS, PII is defined as

“any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department”.

What is Sensitive PII?

Sensitive PII is defined by DHS as:

“Social Security Numbers, driver’s license numbers, Alien Registration numbers, financial or medical records, bio-metrics, or peoples criminal history. This data requires stricter handling guidelines because of the increased risk to an individual if the data is compromised.”

How do we measure security?

Security can be measured 7 different ways.

1. Confidentiality. Is the data stored securely? Is the information safe from prying eyes? No one should be given your information without consent; it must be kept confidential.

2. Authentication. At log in this establishes proof of identity before there is any access to data. In addition to a username and password, there is now a second form of authorization called two-factor authentication, which secures this even further. It ties a third credential to your authentication process. It might be Authy on your cell phone, or a math question, or a secret code you set up in advance.

3. Integrity. Is the data stored safely and is it kept intact? Are there protections in place for viruses? Are there backups?

4. Non Repudiation. Is it possible for someone to deny they logged in? Non repudiation prevents a person from denying they logged in. This is commonly done using log files. It can also be used to prove the user's actions while on the system.

5. Access Control. Who has permission to access your account and data? Is the data physically secure?

6. Availability. Is your data always available and accessible? How often does it go down for maintenance? Does that prevent your work process if it goes down?

7. Ethical and Legal Security. Ethical Responsibility and Legal Governance are the focus for this. There are multiple levels of governing bodies that govern service providers: INTERNATIONAL, FEDERAL, STATE, LOCAL and Organizational. Another example is HIPAA, which governs the treatment of patient information in the medical world.

Is the cloud secure?

That is a very hard question. How many cloud providers do you deal with? The question has to be answered for each of them, individually. I have only touched on a few. Also, it is a matter of perspective. You may be the client, the cloud provider, an employee of the client, or an employee of the cloud provider. Each perspective changes the answer to each point of security we mentioned above.

For the purpose of this security discussion let us establish that we are the end user and that our cloud provider is YouTube.

YouTube is free and they require you accept a EULA that no one looks at for long. Have you read it? It links out to other policies and the way it is worded seems very harmless. Also consider that you registered your phone with Google and/or Apple when you used it for the first time. Do you understand that it tracks your location data and performs backups of your files, texts, and applications to the cloud? What did that EULA say?

Now when you sign up for YouTube, in addition to all of this, you will also accept a EULA regarding the content you are going to post and your rights. Once you have accepted the EULA they have you on record giving your consent to them to use your data and you are releasing them from all liability. You hold YouTube blameless.


Dr. John Campbell is a fellow that has tracked the COVID virus, the vaccines, and the effects each had on the populations around the world. I placed a portion of his video below. It is from September 18th 2022. Dr. John Campbell looks at the numbers of excess deaths that are published by the World Health Organization and other global agencies. In this video he also mentions that YouTube warned him with a strike that his content was in opposition to their “Community Standards”. He establishes that it really was not because he used their “published” positions on various topics.

For our security discussion this has more to do with the security of John's content he is posting at his cloud provider, YouTube. It also touches a bit on his freedom of speech.

Again, the EULA allows YOUTUBE to govern your content and claim ownership over it. By signing and accepting you are rendered powerless to speak truth if it does not conform with Community Standards.

Here is John's video. This example of the “EULA phenomena” gives John very little control over his data. The provider can just delete it at will if they choose. Keep in mind that John only uses data provided by the Authoritative Organizations and maintains speech that is harmless.

https://www.youtube.com/watch?v=WjG3VoX3Ldk

Let's move forward now and look at YouTube from our perspective as an end user, using the 7 points to measure security from this perspective.

  1. FAIL for Confidentiality. Is the data stored securely? Is the information safe from prying eyes? No one should be given our information if it is kept confidential.

    This is Google. They have all of your information already if you're an Android user. Every individual is different. Google does allow you to register under another email domain. Just in the short review of the EULA above I saw this.

    “Your Information

    Our Privacy Policy explains how we treat your personal data and protect your privacy when you use the Service. The YouTube Kids Privacy Notice provides additional information about our privacy practices that are specific to YouTube Kids.”

    If you continue on to the Privacy Policy we see

    “We want you to understand the types of information we collect as you use our services”

    It is not just a picture or a video. It is your demographics, information about your device, the activity information about how you use your device and what you look at on YouTube, and also the content you post. They help direct appropriate products your way using the data. They are positioned as an advertiser / hosting provider.

    What do they do with that information?

    They use your information to:

    provide services
    maintain and improve services
    develop new services
    provide personalized services, including content and ads

    Well. Look at that. Google is using your information to do business. Is that privacy? No. It is not. But the EULA you accepted gives them that right.

    I recommend you remove Google from your phone if you value your privacy.

    It is YouTube. They say “When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.”

    A disarming comment. However, they put themselves in control when you accept the EULA. Your only choice is whether or not to use their cloud services.

    What exactly are the services they provide and who pays for them? We did not spend anything. Who does? How is it free? I believe that nothing is free. You pay for it one way or another. In this situation you are the commodity. Advertisers pay for your information. I wonder if any Governmental Contractors pay Google for your data? Is Google a Governmental Contractor?

    Confidentiality is your choice and responsibility. If you post yourself with a wild nose hair hanging out you cannot hold YouTube accountable.

    Phone Permissions

    Most people use the YouTube app directly from their cell phone. Go into your apps right now and look at the permissions for YouTube. Why do they need access to your location? Is it important for someone at Google to have the GPS coordinates that are attached to your phone, pictures and videos? Why is that important? Why does the application need your Microphone and Camera? So you can post your videos of course. No big deal? YouTube has access to the local storage on your phone. Of course, how else will it upload the video you took? Why does YouTube also have the phone permission? Is it important for YouTube to look at your call history or your contacts?

    Before we get into authentication it is important to discuss Biological Identification. At the very start of the article we looked at DHS who defined Sensitive PII. Biological Data is considered to be Sensitive PII. Most phones today, both Android and Apple, have taken the liberty to integrate facial recognition, fingerprints, and other methods to use your Biometric Data as a form of identity. There was a EULA you agreed to when enabling this feature also. You freely gave access to your Sensitive PII to use as they will and to hold them blameless.
  2. PASS for Authentication. At log in this establishes proof of identity before there is any access to data. In addition to a username and password, there is now a second form of authorization called two-factor authentication, which secures this even further. Google has very nice authentication controls that establish your identity – every time.
  3. FAIL for Integrity. Is the data stored safely and is it kept intact? Are there protections in place for viruses? Are there backups?

    Is the video you posted earlier intact? Did it get deleted because it opposed “Community Standards”? The fact that the cloud provider can govern your content fails. By removing or deleting your content they failed integrity.
  4. PASS for Non Repudiation. Is it possible for someone to deny they logged in? Non repudiation prevents a person from denying they logged in through log files. It can also be used to prove the user's actions while on the system.

    From the standpoint of the end user there are very fine controls to log and report activity. Through this logging Google has identified and reported, to me at least, that a login occurred from a device at a specific time and location. The notification comes in and most of the time it is just me. But it proves that I logged in. They kept the activity and have that data. They even used it to question if that was me logging in.

    To an end user who had their content taken down, Google admits openly that they removed content they say did not conform with their community standards.

    There is even a record kept when you flag the content you have found on another YouTube channel. You admit and record you reported that channel.
  5. FAIL for Access Control. Who has permission to access data? Is the data physically secure? Should the average visitor of my site be able to change any of the content in this blog post? Can someone walk up and carry the server away or is it locked up?

    Let’s be honest. Do you want the administrator of YouTube to destroy your content? Did you give them Access and Control over your video? Through the EULA. You published your video. You “own” the content and yet YouTube deleted it? Did they have your authorization to delete it? No. That was not in your plan.

    Physically Google has secure data centers. Yes? Where are they? Who maintains them? How do you find out?
  6. FAIL for Availability. Is your data always available and accessible?

    The same problem exists for us as an end user. Just for our posted content that was flagged and removed because of “Community Standards”.

    I have seen YouTube end a live stream and remove the video using the “Community Standards” reasoning.

    If the content an end user has posted is no longer available and that end user did not intend for their content to become unavailable then this security point is a definite fail.
  7. FAIL for Ethical and Legal Security. This speaks of Ethical Responsibility and Governance. There are multiple levels of governing bodies that govern service providers: INTERNATIONAL, FEDERAL, STATE, LOCAL and Organizational. The question becomes who establishes the measure for ethical behavior?

    I believe YouTube has an issue with Governance. They dance around the law with EULAs, claiming that gives them the right to do what they will. A big loophole to go around law.

    Who can blame YouTube for taking advantage of our willingness to accept their EULA? This is their position. They are held blameless by the end user that accepted their EULA.

By this review from the perspective of the YouTube user – I would say No. YouTube does not meet many security standards.

Are CLOUD Services Secure?

I feel that YouTube is not very secure.

There is little control over the information that is stored on this platform. It can be deleted and it may be shared and used to create new services. YouTube is an advertiser and they are paid not by you but by the advertisers. This makes you their commodity.

YouTube controls its content and if it does not agree with their “Community Standards” it is deleted. Therefore, your freedom of speech has been taken by them through the EULA. They are now feeding you only the information they approve of. They control your perspective by telling you what to believe, and what to think, by only providing what they want you to see.

The YouTube service is a Technocracy to all that use it. YouTube behaves through its own Governance as a COMMUNIST form of Government.


Take control over your data

Determine what services you depend on and how to move away from a Cloud Provider that does not honor Security to one that does. If you are not sure, give us a call for a free consult.


YouTube Truth

As Americans, it is simple to look towards Washington DC and understand who your president is. May I discuss this situation? The White House Visitors Center has a big board with every president that was elected and how long they served.

Here is a link to their website:

https://www.nps.gov/whho/planyourvisit/white-house-visitor-center.htm

1450 Pennsylvania Ave., NW
Washington, DC 20230

Penguin 6 is a YouTube content provider who has been providing live situation reports in Washington DC for several years. On August 26th 2022 at around 11 AM he visited and filmed the White House Visitors Center and confirmed the last president listed on the Presidential Wall is President Trump.

Penguin 6 – 8/26/22 – White House Visitors Center – Presidential Wall

Security+ Certified

I design, build, and administer websites, email, identity, and cloud storage solutions. I started this work in 2003. I have certified this knowledge through CompTIA so this is confirmed by a verifiable third party.

Security Service Offering

  1. Have Midnight Tech conduct a security assessment for you to identify where you may have security risks.
  2. Have Midnight Tech develop a security plan to help you reduce your exposure to attacks.
  3. Have Midnight Tech maintain your technology and its security.
  4. Have Midnight Tech establish and train a security team to quickly identify and respond to security events.
  5. Get Security Training to better understand and secure your digital life.

Please send your comments and questions to sales@midnighttech.com.