Comment by shadowgovt
3 years ago
It's going to be an "if," not a "when." The percentage of users who want to manage their own cloud is vanishingly small. If people are sensitive to the risk of handing over their data to a trusted (well, trusted enough) corporation with a reputation to lose and money on the line, how safe should they feel putting their data on a cloud they manage, essentially stacking themselves up against every Joe Random Hacker on the Internet without the benefit of a Google, Microsoft, or Amazon SRE team to keep the shields up and the lights on 24/7?
The risk surface for self-hosting is higher, on multiple axes, than cloud-hosting. Hosting your own cloud is the "I don't trust auto mechanics so I'm going to become an auto mechanic" approach and most people have neither the time nor the talent.
I think this is missing the forest for the trees. There are plenty of products that make self-hosting seamless and transparent. Take the Ubiquiti Protect series of home video cameras as just one example of self-hosted plug-and-play.
It is a 'when' not 'if' since it is becoming easier and easier to self-host, and more people are realizing the benefits. I did it this year and convinced many others to do the same or use mine.
Hackers go after value targets which are companies or organizations holding a lot of valuable data. My little home server with social media, XMPP, Home Assistant and Nextcloud for pictures and such is not something they can do anything with. Good enough security is built into most self-hosting platforms.
Hackers go after two kinds of targets: centralized high-value targets and distributed targets with common failure modes, via scripting. There's definitely risk in centralization, but there's risk in distribution as well: known exploits take forever to patch out of the distributed ecosystem. There's a reason Microsoft became so aggressive about patching Windows: without the aggression, people didn't put the effort in and internet-connected desktops became weaponized.
I predict a correlation between small self-hosting projects and more entries on shodan.io. Your small home server is probably secure enough... Probably. But you're the sort of person that posts on a site called "hacker news..." How much should we trust the average soul to do the bare minimum to not get owned? Do we imagine they're checking in regularly on https://www.cvedetails.com/vulnerability-list/vendor_id-1723... ?
Keeping things patched to latest was difficult in the past, but it is much easier these days. Unattended upgrades run every day on my server, and I get an email from my server that tells me any issues and if packages or applications have updates available. I open the web UI on my phone and make a couple clicks to update them all. The community at Yunohost is one of a few maintainers who have really simplified things.
>handing over their data to a trusted (well, trusted enough) corporation with a reputation to lose and money on the line
Not sure how anyone who understands how the Internet works could claim Google is in any way trusted, or trustworthy. Or has any reputation it could lose by a mere data leak.
The last major data breach Google suffered was in 2009, via a targeted Chinese espionage program involving personnel intrusion.
Contrast that with, well, gestures widely to most of the Internet. While Google's security model is "We secure your data," so the trust interface between the end-user and Google is significant, Google for their part does an excellent job holding tightly to that data. If anything, the biggest risk working with Google is losing access to your own data because they stop believing you are you, not some third party getting your data out of Google's clutches.
The last major data breach Google "suffered" is continuing as we speak, as mandated by US national security laws. "Most of the internet" looks better in that regard.
Self-hosted VPN for at least a narrower risk surface, in theory?