Canary claws back cloud features from its IoT camera, starts charging $10/month

Originally published at: https://boingboing.net/2017/10/05/clouds-are-other-peoples-compu.html

…

How mad, though, and for how long? The world seems to operate more and more on an under-bid/over-charge model that has no consequences. Even if canary ends up with a social media slap on the wrist for this, I doubt it’ll kill the business model. The f-35 is still chugging along…

Just another timely reminder that the “cloud” doesn’t exist, it’s just a bunch of computers that belong to someone else and that you can’t really trust.

I am getting deeper and deeper on building stuff in the cloud. To a certain extent, there’s a valid perspective that the Cloud is just “Somebody Else’s Datacenter”. More on this in a bit.

Modern cloud platforms are actually quite a bit more, however. Cloud platforms have evolved into a software stack which allows a collection of servers to maintain distributed multi-tenant infrastructure using virtualization to enforce segmentation between tenants.

So far, we haven’t seen breaches where those lines between tenant’s data have been breached and Customer A’s data was exposed because Customer B got hacked. It doesn’t mean it isn’t possible (or even problematic), but it requires a much higher degree of sophistication, and deep knowledge of how the particular software stack works. At least if we’re talking about how the major cloud providers work (Google, Amazon, Microsoft).

Where we see the real security problems with breaches in the cloud is that people who put their stuff in the cloud maybe treat it a little too much like their own datacenter. Which is to say, they spin up a VM with a publicly addressable IP or hostname and dump a bunch of data on it, and then forget about it. If they were hosting it in their own datacenter, it wouldn’t be publicly addressable by default, and the exposure to every half-assed script kiddie on the planet would be greatly lessened by at least requiring an attacker to have made its way onto the intranet first. Cloud servers needn’t be publicly addressable by default, and companies who do any amount of due diligence realize this and take the necessary precautions.

But don’t let me rain on your parade of hating on The Cloud. Ho ho ho

ETA:

it’s just a bunch of computers that belong to someone else and that you can’t really trust.

Not really. It’s possible to securely deploy cloud VM’s to a corporate intranet. Fact. No external connectivity, due to a leased pipe directly to the cloud datacenters, and the routing and tenant segmentation comprise the isolation layer between those machines and other tenants. I’ve heard noises that people are uncomfortable with this multitenant model, but there’s options available for running the cloud stacks in your own data centers. I’ve yet to hear a sufficient penetration test of these stacks which suggest that the tenant segmentation is scarily inadequate.

I hope that this blows up in the face of Canary, but am afraid that may be too optimistic. I have a vested interest in seeing this type of change of terms be rejected by the marketplace. I have a couple of Arlo cameras for my business, and they offer a similar free platform with their security systems. Everything as a service, with “low, low”, monthly payments, is an insidious social scourge.

I have a feeling Canary is about to feel the back of invisible hand here.
All they are doing is screwing their existing customers for a short-term revenue boost. If they are now moving to a “service” model, returning customers are the demographic they want to serve and take care of. New customers will shop around, and pick a better deal. Extant customers will do the CBA to see if the staying cost is less than switching to a new provider.

Can’t a hacker who penetrates the data center’s intranet then easily hack into any of the VMs running on it? Surely cloud providers aren’t going to let clients run VMs on their hardware that the provider can’t penetrate. Sure they could, call it the safety deposit box model of cloud services, but I’d be surprised if any of the major providers actually do that. Don’t they require access to the VMs? And if they have access, then you’re relying on them to not get hacked or forced to surrender the password and or data by third parties (crooks and/or cops).

Even if they don’t have access to the VM you’re running on their servers, they can still shut off the server or the VM, so maybe they couldn’t get to your data, but you still have to trust them not to simply erase it by deleting “your” VM. By definition, VMs run at the pleasure of their host operating systems.

Running a cloud computing stack on you’re own private data center fixes all that, but that’s just data warehousing by any other name, and not what anyone other than people like you who build the software mean by the cloud.

This system sucks - it couldn’t even tell me when Canary was trying to rip me off.

Well, in theory. That’s why there’s no direct access to the host machines from the internet–only access to the API that orchestrates it. Cloud computing 101: You’re banking on the provider having their security shit more together than your own folks.

Having known what security pros deal with at even fairly huge, well-trusted companies, the single biggest advantage that this model has is that there’s no idiots with admin rights on the host machines who like to click on stuff in dodgy emails.

but that’s just data warehousing by any other name

Sort of, but you’re right in running a “private cloud” doesn’t offer the advantage of someone else doing the backup and DR work for you. What you’re missing is a big part of the value proposition today (that wasn’t there 10 or more years ago) is that cloud platforms offer a lot of automation to allow you to automate deployment and orchestration of resources. That automation can help you save a lot of time (and thus money) in managing infrastructure. In my industry, there’s regulatory concerns which based on the country (or even state), certain data cannot leave certain physical locations, and so it may well pay to have “private cloud” server clusters so that the automation used on the public cloud can be used in your own data centers with very few (if any) changes to it. Develop once, deploy everywhere is the theory, because developer time is expensive.

Oblig. James Mickens talk on cloud computing:

That seems like the crux of the issue. Amazon or Google or Apple almost certainly have better adherence to best practices than the users of their cloud services, so the cloud isn’t the weak point and the data is probably more secure in the cloud than on the vast majority of end users’ computers.

But what about a company like Canary? Don’t a lot of these companies - and I don’t know if Canary is one of the exceptions and run their own data center - just buy virtualization on a major data center? Even if the data center they’re using remains secure, what’s to stop a hacker from penetrating Canary’s services on those VMs when a Canary employee or developer makes a critical mistake? I guess the root of my question is, if Canary or another dubious company has access to your data, then doesn’t your data’s security rely on their security, irrespective of whether they’re buying server time from Amazon et al? Canary seems like the weak link ripe for a breach. I would imagine that most of these large data breaches don’t happen because of mistakes or vulnerabilities at big cloud providers, but because the companies using them to provide services had to have access and didn’t have the same good security.

I see what you mean though about how that wouldn’t readily facilitate hacking the host provider from within the compromised VM and thus penetrating other companies’ VMs. I agree it’s not as simple as all cloud providers are a major risk of being hacked. That said, the reason I want to know if the providers have access to the VMs running on their data centers is because that will still matter when state actors demand access, be it a warrant in a democracy or a court order in an autocracy.

It all comes down to who you trust to do what. I trust Amazon to have better security than most companies, but I don’t necessarily trust them not to roll over for governments. I don’t really trust some struggling start-up offering to house my data on a VM they developed, even if all they did was modify a VM developed by Amazon to run on their cloud. And I definitely don’t trust insecure IoT devices, even ones made by Amazon, because even if the data is safe in their cloud, the device itself is probably riddled with vulnerabilities they may never fix and will surely never tell the end user about, so that the only way someone discovers it is when some burglar or perv hacks the devices to case your place or spy on you getting dressed.

Will watch the video later. Thanks for the link.

Correct.

My complaint is that there’s a conflation of several discrete things into a single big scary distopian thing: Shitty software vendors, Someone else’s datacenter, and software stacks which allow greater automation and orchestration. There is no single “cloud” just like there’s no single computer network called “The Internet”. This stuff exists for a good reason, there’s real benefits to it, and it gets a bit of a bad rap because of the fools who make it seem like when “The Cloud” is involved that you no longer own your own data, and of course the folks who do dumb things like dump a ton of data on a publicly available server or file share.

That seems like a fair complaint. But again, do cloud providers have access to client VMs such that they could turn over your data to corrupt state actors? If not, then do you agree that trust in those providers to house sensitive data should be limited?

But that’s not really the point he was making. It’s not about how secure your data is, it’s about how much control you have over it. If this stuff is hosted on someone else’s computer then you can’t stop them charging for something they provided that was free, but if it’s ion your computer you can.

His usage of “cloud” is used to mean, “data not here, just somewhere else”. Which is what people say who know nothing about “Cloud Computing”.

You are doing it too! =)

Yes, but that somewhere is an actual computer, owned by someone else.

My gripe is that “Cloud” has a specific meaning in the industry, and the shorthand for how it’s used here does not match. This criticism could have been levied just as easily in the 90’s; there’s nothing necessarily “cloudy” about this practice of storing data on a vendor’s servers.

What’s the specific industry meaning?

Scroll up and read about it.

There’s solutions provided for this. Not all cloud providers make a guarantee that they can’t get at your data, and I’m not sure if they offer that assurance how you could double check it definitively.

Here’s Microsoft’s docs on this:

For their basic best practices (which doesn’t completely answer your question): https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms

For the storage service, they don’t yet allow using your own encryption keys, which would prevent outside entities from accessing it with the blessing of the vendor:

But they allow it for some stuff with Key Vault: