Not really sure if circumventing paywalls is that unlawful across the world, but basically copying and pasting an entire web page is just clear and simple copyright violation.
As a government you should not be putting your stuff in an environment under control of some other nation, period. That is a completely different issue and does not really relate to making backups.
Sure. Using a cloud can make that more convenient. But obviously not so if you then keep all your data in the same region, or even “availability-zone” (which seems to be the case for the all “lost to lightening strikes” data here).
If your threat model is this high that you assume encryption breaking to be into your threat model, then maybe you do need a level of comeptency in the process as well.
They have 2 Trillion $ economy. I am sure that competency shouldn't be the thing that they should be worrying at that scale but at the same time I know those 2 trillion $ don't really make them more competent but I just want to share that it was very possible for them to teach/learn the competency
Maybe this incident teaches us atleast something.
Definitely something to learn here though. I am interested in how the parent comment suggests sharing one time pad or rather a practical way for them to do so I suppose since I am genuinely curious as most others refer to using the cloud like aws etc. and I am not sure how much they can share something like one time pad and at the scale of petabytes and more, I can maybe understand it but I would love if the GP can tell me a practical way of doing so to atleast have more safety I suppose than encryption methods I suppose..
I think it doesn't need to be the encryption breaking per se.
It could be a gov laptop with the encryption keys left at a bar. Or the wrong keys saved on the system and the backups can't actually be decrypted. Or the keys being reused at large scale and leaked/guessed from lower security area. etc.
Relying on encryption requires operation knowledge and discipline. At some point, a base level of competency is required anyway, I'm not just sure encryption would have saved them as much as we'd wish it would.
To your point, I'd assume high profile incidents like this one will put more pressure to do radical changes, and in particular to treat digital data as a more critical asset that you can't hand down to the crookest corrupt entity willy nilly just for the kickback.
South Korea doesn't lack competent people, but hiring them and letting them at the helm sounds like a tough task.
First of all, you cannot do much if you keep all the data encrypted on the cloud (basically just backing things up, and hope you don't have to fetch it given the egress cost). Also, availability is exactly the kind of issue that a fire cause…
What part of the incident did you miss: the problem here was that they didn't backup in the first place.
You don't need the Cloud for backups, and there's no reason to believe that they would have backuped their data while using the cloud more than what they did with their self-hosting…
By default, Amazon S3 stores data across at least separate datacenters that are in the same region, but are physically separate from each other:
Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage. S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive redundantly store objects on multiple devices across a minimum of three Availability Zones in an AWS Region. An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. Availability Zones are physically separated by a meaningful distance, many kilometers, from any other Availability Zone, although all are within 100 km (60 miles) of each other.
You can save a little money by giving up that redundancy and having your data i a single AZ:
The S3 One Zone-IA storage class stores data redundantly across multiple devices within a single Availability Zone
For further redundancy you can set up replication to another region, but if I needed that level of redundancy, I'd probably store another copy of data with a different cloud provider so an AWS global failure (or more likely, a billing issue) doesn't leave my data trapped in one vendor).
I believe Google and Azure have similar levels of redundancy levels in their cloud storage.
Except for the backup strategy said consumers apply to their data themselves, right?
If I use a service called “it is stored in a datacenter in Virginia” then I will not be surprised when the meteor that hits Virginia destroys my data. For that reason I might also store copies of important things using the “it is stored in a datacenter in Oregon” service or something.
> GCE instances and Persistent Disks within a zone exist in a single Google datacenter and are therefore unavoidably vulnerable to datacenter-scale disasters.
Of course, it's perfectly possible to have proper distributed storage without using a cloud provider. It happens to be hard to implement correctly, so apparently, the SK government team in question just decided... not to?
Lovely that their blog with privacy propaganda has a cookie banner that is not compliant with any privacy law in any way. Says everything about their efforts, I guess.
It was a trap. Clickbait to get every privacy-minded tech enthusiast on their site. Now, simply because they interacted with the page, facebook, in their opinion, gets a blank cheque to track you wherever they wish, on and off-site.
Having actually worked for Meta in both security and privacy capacities, I guarantee you that it's really not that conspiratorial.
No one wrote this article with the intention of "trapping privacy-minded tech enthusiasts."
I mean no offense, but this sort of thinking (that an engineering blog is attempting to attack you) is unhinged. There is not some grand conspiracy. Companies like this are not the shadowy, highly-competent and absolutely evil entities you think they are. They are barely functional to begin with.
One really just has to think through the situation rationally, even assuming the most greediest of intentions:
> Clickbait to get every privacy-minded tech enthusiast on their site
Turns out the market of privacy-minded tech enthusiast is tiny and they hate clicking on ads. Trying to cajole this group into giving you money is pulling teeth.
Understood.
Let's deploy the same set of company resources and effort on the 99.99% other people in the market place, increase some efficiency by like 0.1% and make waaaayyyy more money.
The ratio of "people who have opinions about what google/meta/etc might be doing" vs "people who have actually worked privacy/security in google/meta/etc" is abysmally low.
Most of what's said by people who actually known what they're talking about is drowned out by low-effort, conspiratorial, semi-intellectual laziness.
Yeah, this is the main reason I stopped using Reddit when I entered the industry.
Taking it a step further - I frankly don't think normal people are positioned to make any decisions or hold any opinions strongly about tech. They are so mislead by journalism it's not even funny.
My doctor friends feel similarly about medicine and how it's reported on (and the populace's common opinions on medicine.) The average person/voter is immensely mislead in basically every field they themselves are not an expert in.
A tech company using a blog to get whatever imaginary consent from random anonymous privacy-aware individuals is so many levels of unhinged that it makes absolutely no sense whatsoever.
The company wouldn't. Someone retroactively realizes they have the data, and then it does.
I'm certainly not saying it happened, or will happen, here. I'm saying it definitely happens.
This is why in regulated industries, there's an emphasis on "data minimization". Much like the principle of least privilege, but applied to whether you're letting your people or systems be exposed to it in the first place.
It's easy to follow a least privilege policy if there's an actual technical control not just agreement, and even easier if the control is "I never had it, didn't derive it, and made sure I couldn't if I wanted to".
If you aren't collecting it for any use, even inadvertently, you can't retcon it into availability for alternative uses.
> Someone retroactively realizes they have the data, and then it does.
This simply isn't within the realm of reason.
Engineers at Meta have far more impactful problems to solve than attempting to reverse engineer the browsing habits of the 12 privacy-sensitive tech enthusiasts reading their engineering blog.
From a ROI/time perspective, it is far in the negative for a single junior Meta engineer to spend even 10-20 minutes investigating this. It literally is not worth anyone's time.
An “accept” only cookie notice isn’t generally permissible in the EU.
They may be serving more compliant versions based on geolocation, though.
> To help personalize content, tailor and measure ads and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies.
- They are not asking for consent, there is just an ok button.
- They assume consent when you navigate further on the site, this is not valid consent.
- Consent needs to be for specific, well defined purposes. “help personalize content, tailor and measure ads and provide a safer experience” are three purposes in one and none of them are well defined.
- They are probably already setting the cookies in your first request, when you have not seen any information yet (did not check)
> Imagine 2007 and the following years already with the EU act in full effect. AppStore would be dead on arrival.
No, it wouldn't have been, as the DMA only applies to 'gatekeepers' and if you're new, you're simply not a gatekeeper. You need at least 45 million monthly active users and 7,5 billion of revenue for three years.
> So EU should change Apple’s and Google’s status from producer to provider of essential service like electricity for example.
That's the whole point of the DMA: designate these parties as 'gatekeepers', providing essential services ('core platform services' in terms of the DMA). Once you are, you have certain obligations that should allow proper interoperability with other/smaller parties.
> You need at least 45 million monthly active users and 7,5 billion of revenue for three years
Minor nitpick that does not really changes the point but might provide context: these are the criteria to automatically be classified as gatekeeper. You can be a gatekeeper even if you do not meet them, but the EU needs to prove that you meet some other more detailed criteria.
> Hotels are concerned that direct booking clicks are down as much as 30% since our compliance changes were implemented. These businesses now have to connect with customers via a handful of intermediaries that typically charge large commissions, while traffic from Google was free.
That's because your search engine results are a joke, not because of the DMA.
If I search for 'hotel <city>', I get an ad from Booking.com, then some hotel ad, then an ad from Trivago, then some Google map with hotels (make sense, but all results there are sponsored by intermediaries), then Booking.com, then Booking.com again, then Expedia, then Tripadvisor, then Trivago.
If you only present me sponsored results from intermediaries, then don't be surprised that people only click on sponsored results of intermediaries.
I use flights all the time. I think mostly because I've not found any of the intermediaries all that good. Google flights provides links to multiple places to buy. Usually I click the link directly to the airline.
I've looked at hotels but rarely use it. Hotel websites, unless they're a major chain, are often pretty crap so booking.com is what I generally use.
Google flights is the only tool (I've seen) that offers so many helpful filter options. It's so easy to find the perfect itinerary. And the overall UX far surpasses anything else.
This is such a weird complaint, Google searches hasn't taken you to the websites of various hotels for a decade or more, maybe a few pages in they did, but the first page of search results have been booking sites and ads for booking sites for a long time.
If the booking sites are such a huge issue for the hotels, which I can honestly believe, then don't use them, or do collective negotiations with them and demand better rates.
The complaint about the maps button not being on the search page is rather funny, because I haven't used that in ages. I've been using search engines which has a ! operator, so !gm or !maps for 10+ years every time I needed a map, so I just didn't notice. While I haven't read the DMA rules, it does seem strange that they can't just link to Google maps.
As far as I understand it, the DMA forbids them from exploiting their dominance in the search engine space to promote Maps. This is similar to the mobile space where users must be presented with a choice of their preferred browser and search engine.
I believe they would be legally okay if they presented users with a choice of their preferred Maps provider (e.g. Google Maps, OSM, Bing, or Apple Maps), but they've decided to implement it in the most obnoxious way possible.
You're talking about the Digital Markets Act (DMA) which will come into effect in the EU in about two weeks. It does exactly what you say, although Apple is still actively trying to sabotage it with a sloppy implementation.
As a small developer, you wouldn't fall under the DMA.