Yottabytes: Storage and Disaster Recovery


February 29, 2016  4:47 PM

Amazon Web Services Jumps on the Zombie Bandwagon for Attention

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
cloud

A cloud company has finally figured out a way to get people to read its terms of service: Put a zombie reference in there.

“It’s hard to imagine the kind of person who would read all the way through Amazon Web Services’ massive terms of service agreement,” writes Jacob Brogan in Slate. “At more than 26,000 words, the document is denser and more digressive than Tristram Shandy, a veritable post-apocalyptic wasteland of legalese that dictates how users can and cannot employ products from the e-retailer’s massively profitable cloud computing division. Formidable as it is, however, someone managed to make it through.”

So where do the zombies come in? The service now includes a new Lumberyard gaming engine, which is free, open-source software intended to help developers write games. Normally, users are barred from integrating it “with life-critical or safety-critical systems,” including medical or military equipment,” Brogan writes. “Basically, that means you can’t use the software to program robot doctors or control weaponized drones,” which he says is pretty darn unlikely anyway. But just in case, all bets are off in the event of a zombie apocalypse, Amazon writes:

“However, this restriction will not apply in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.”

In the process, the zombie reference also helped promote Amazon’s new gaming engine. That’s likely to help the company’s cloud service, because the gaming engine must be hosted on either Amazon’s Web servers or the developers’ own, notes Elizabeth Weise in USA Today. In other words, no cloud service competitors, writes Chris Morris in Fortune. “And there’s no zombie apocalypse exemption there, so if the worst does happen, and Amazon’s servers go offline too, you’ll be out of luck,” notes Samuel Gibbs in The Guardian.

It’s not the first time that zombies have come up in the context of data protection and disaster recovery. In 2011, the CDC issued its own emergency preparedness and response circular about zombies.

“You may laugh now, but when it happens you’ll be happy you read this,” the circular warned. It went on to describe the zombie threat, and what people could do to be prepared in the event of a zombie apocalypse.

No, it wasn’t issued on April Fool’s Day, and no, it wasn’t a joke. Well, sort of. Did the CDC really expect a zombie apocalypse anytime soon? No, probably not. But it got attention, it made people laugh, and if it got people to read the circular, the information in it worked just as well protecting them against hurricanes and floods as it did against zombies.

As it turns out, the CDC may have been inspired by the Defense Department, which in 2011 released its own plan for “Counter-Zombie Dominance.” “Planners … realized that training examples for plans must accommodate the political fallout that occurs if the general public mistakenly believes that a fictional training scenario is actually a real plan,” quotes Foreign Policy in 2014. “Rather than risk such an outcome by teaching our augmentees using the fictional ‘Tunisia’ or ‘Nigeria’ scenarios used at [Joint Combined Warfighting School], we elected to use a completely-impossible scenario that could never be mistaken for a real plan.”

Cornell University also used zombies to help study the spread of disease, and in the process, figured out the safest places to be in the event of a zombie apocalypse. Similarly, last December, the British Medical Journal published a peer-reviewed study on the upcoming zombie apocalypse, to call attention to preparing for infectious diseases.

“Using zombies in lieu of real diseases gives researchers, public health professionals, policy makers, and laypeople the ability to discuss these heavy issues without getting bogged down in one specific outbreak or pathogen, because many of the problems we’d face during the zombie apocalypse are similar to those that come up in any serious epidemic: coordination. Funding. Communication. Training. Access to treatment or prevention,” writes Tara Smith, the author of the paper. “In short, it’s way more fun for the average person to shoot the shit about zombies than to have a more serious discussion about influenza, or Ebola, or whatever the infectious disease du jour may be–and maybe even learn a bit of science and policy along the way.”

In fact, the CDC zombie circular worked so well that the agency expanded the program into a variety of other content, including a graphic novel. The Amazon reference to the CDC may have been a nod to the program.

Considering that people have actually given up their first-born children through not reading terms of service carefully, vendors can’t be blamed for putting all sorts of weird things into them, just to get people to pay attention.

Newsweek, for example, pointed out that Tumblr’s community guidelines state: “While you’re free to ridicule, parody, or marvel at the alien beauty of Benedict Cumberbatch, you can’t pretend to actually be Benedict Cumberbatch.” And Tumblr also tells children younger than 13 in its terms of service to “ask your parents for a Playstation 4, or try books” instead of using Tumblr, writes David Goldman in CNN.

In that context, the amount of attention paid to the zombie reference in the Amazon terms of service worked pretty well – according to Google, it resulted in about 400 articles.

Well, 401.

February 25, 2016  3:03 PM

Verizon Reportedly Shutting Down Public Cloud Services

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
cloud, Verizon

Users of some of Verizon’s cloud services were left with two months to move their virtual servers to another, more expensive, cloud platform after the company told them it was shutting the services down.

Verizon Public Cloud and Reserved Public Cloud services will be shut down on April 12. The company told Bloomberg it intends to sell those businesses, which it bought through an acquisition of Terremark for $1.3 billion in 2011, and a later acquisition of Cloudswitch. Reuters had reported in November that the company had retained the services of Citigroup to help it sell the assets.

However, Verizon says it will keep its on-site Verizon Private Cloud (VPC) and Verizon Cloud Storage services active, writes Leo Sun for The Motley Fool.

Sun blamed two factors for Verizon’s decision. First, the company was having trouble competing on size with larger public cloud vendors such as Amazon and Microsoft. Second, it was having trouble competing on price with those vendors, as well as Google, which have been dropping costs for a couple of years now. “That move flushed many second-tier players out of the market,” he writes.

“It has become almost impossible to compete with AWS, Azure, and to a lesser extent with Google Cloud Platform in the market for renting virtual compute power over the internet and charging by the hour,” concurs Yevgeniy Sverdlik in Data Center Knowledge. “In competing with each other, these giants have made the cost of using cloud [virtual machines] so low and built out global infrastructure so big, no one can really manage to keep up.”

Because Verizon said it remains committed to supporting enterprise and government customers, Sun speculates that the company intends to provide more-lucrative private cloud services that don’t require it to support its own infrastructure.

Verizon government customers use a different cloud service platform, according to Frank Konkel in Nextgov. Verizon Enterprise Cloud Federal Edition is a public, private and hybrid cloud platform that has met the Federal Risk and Authorization Management Program’s standards, which are the government’s standardized cloud security requirements, he writes.

This isn’t the first time that a cloud provider has shut down with little notice, leaving its customers scrambling to find other options – as well as the logistical challenge of getting the data from one cloud provider to another. Cloud-based disaster recovery provider Nirvanix gave its users just two weeks when it shut down. Vendors such as HP have also announced that they are shutting down public cloud services.

In this particular case, Verizon is at least giving its users options, reports Barb Darrow in Fortune. “Customers on Verizon Public Cloud Reserved Performance and Marketplace can move their work to the company’s Virtual Private Cloud (VPC), which—according to Verizon, offers ‘the cost effectiveness of a multi-tenant public cloud but includes added levels of configuration, control, and support capabilities …’.”

On the other hand, these options are typically more costly. “These are dedicated, physically isolated cloud environments,” Sverdlik writes. “They are usually a lot more expensive than public cloud services, where many customer VMs run on shared physical servers.”

And in any event, moving virtual machines (VMs) takes a lot of work, Darrow quotes one user as saying. “It’s ‘a total pain’ that can take minutes to hours per VM because of a dearth of good migration tools,” she writes. Moreover, the hardware and application programming interfaces (or APIs) of the two kinds of cloud service are different, she adds.

Coincidentally, Terremark hit the news again this week, this time in connection with a post-mortem report on the botched Obamacare launch, for which it was a contractor. Five days before the launch, the company was ordered to double capacity within three days, but it proved not to be enough.


February 19, 2016  3:03 PM

FBI Finds ‘Perfect Test Case’ to Force Apple iPhone Encryption Issue

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Apple, Encryption, FBI, iPhone, privacy, Security, smartphone

Okay, it’s another government vs. encrypted smartphone situation. But this one is different.

Syed Rizwan Farook and his wife Tashfeen Malik, who last December killed 14 people and injured 22 others in San Bernadino, had an Apple iPhone 5c. The Federal Bureau of Investigation (FBI) wants to see what’s inside the phone, and it’s asking Apple for help.

So far, this sounds like your standard encryption case – Apple says it doesn’t have the password, and can’t decrypt the phone, so the FBI is out of luck.

What’s different in this case is that that’s not what the FBI is asking for. Instead, the FBI is asking Apple to write a new version of the phone’s operating system that will make it easier for the FBI to break into the phone.

The iPhone in question has several security features to help protect it against attacks, such as wiping the phone after 10 incorrect password attempts in a row, forcing passwords to be entered via the phone screen, and implementing a pause in-between password attempts. The FBI wants Apple to write software for that phone – and, it claims, only that particular phone – to eliminate those restrictions, so the FBI can more easily implement a brute-force attack against the device.

(Now, if the shooters had used a fingerprint rather than a passcode to encrypt the phone, the FBI would be in the clear. In fact, they could have even used the fingerprint from the dead shooter to open his phone.)

For the policy wonks, the FBI is using an ancient law called the All Writs Act of 1789, which is intended to compel a third party to help with a criminal investigation. Let’s say you stole something and put it in my safe. All Writs can be used by law enforcement to make me open up my safe to retrieve the stolen property.

Apple, though, is refusing, claiming that were it to write such an operating system hack, it could get out into the wild and be applied against any iPhone. (Including, Apple now says, against more modern iPhones that have even more security features built in.) “World War II, especially in the Pacific, turned on this sort of silent cryptographic failure,” writes Ben Thompson in Stratechery. “And, given the sheer number of law enforcement officials that would want their hands on this key, it landing in the wrong hands would be a matter of when, not if.”

Moreover, Apple is concerned about the implication of using the All Writs law in this fashion. “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data,” writes Apple CEO Tim Cook in an open letter. “The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

Also, having once let the genie out of the bottle, what’s to keep the FBI from coming back and requesting this software hack again, in a different case? Or even, writes Farhad Manjoo in the New York Times, prophylactically? “Once armed with a method for gaining access to iPhones, the government could ask to use it proactively, before a suspected terrorist attack — leaving Apple in a bind as to whether to comply or risk an attack and suffer a public-relations nightmare,” he writes.

Apple could also be subjected to the same pressure from other governments, Columbia University computer science professor Steven M. Bellovin (who has just been appointed the first technology scholar for the NSA’s Privacy and Civil Liberties Oversight Board) told CNN.

Naturally, the FBI is using one of the more heinous recent cases of record to force the issue. Terrorism is right up there with child pornography in terms of being one of those crimes that of course you don’t want to be seen supporting. “For the administration, it was perhaps the perfect test case, one that put Apple on the side of keeping secrets for a terrorist,” writes Matt Apuzzo in the New York Times.

One could even speculate that the FBI doesn’t actually need the information on the iPhone, but is simply using this case to establish the precedent.

But having once established the precedent, the software could be used again. Already, notes the New York Times in an editorial supporting Apple, another federal magistrate judge in New York is considering a similar request to unlock an iPhone, this time in a narcotics case. The editorial also pointed out that Apple had already given the FBI data from the phone’s iCloud backup, and that the All Writs Act has a provision against unreasonable burdens. (Manjoo also notes that future versions of the iPhone could potentially close any such loophole.)

At this point, the usual suspects are all lining up on one side or the other on the situation, with some agreeing with Apple and others saying that the company is overreacting. For example, Apple is calling the FBI’s request a “back door,” but is it really? It depends on the definition you use, Thompson writes. “Cook is taking a broader one which says that any explicitly created means to circumvent security is a backdoor,” he writes. But to some, a back door is a way to bypass encryption specifically, which is not what the FBI is asking for, he explains.

Some observers believe that, thus far, Google is equivocating in its support for Apple. What makes it interesting is that Google, along with Apple, was the other company that announced in 2014 that it was turning encryption on in phones by default. Does that mean, if criminals used a Google phone, Google might be more likely to cooperate in breaking the phone’s encryption?

Apple may also feel freer to take a stand on the issue because, unlike Facebook, Google, and Twitter, its business model isn’t as strongly predicated on gathering data from users, write Nick Wingfield and Mike Isaac in the New York Times. In addition, Apple has fewer government contracts that could be at risk than do some of its competitors, they added.

Apple has received an extension from the original February 23 deadline and now has until February 26 to agree to comply.

Or not.


February 9, 2016  8:53 PM

Can Your Heirs Get to Your Data When You’re Dead?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security, Storage

Normally, this blog talks about the value of protecting your data, whether it’s preserving it, locking it up, encrypting it, and so on. But today we’re going to talk about when you probably don’t want to do that.

Namely, when you’re dead.

Passed on.  No more. Ceased to be. Expired and gone to meet your maker. Stiff. Bereft of life. Pushing up the daisies. Metabolic processes are now history. Off the twig. Kicked the bucket. Shuffled off this mortal coil. Run down the curtain and joined the bleeding choir invisible. Ex-geek.

You get the picture.

“In establishing our online presence: a) we use a computer, camera, or mobile device; b) we register with online services: email, banking, online purchases, photo sharing, website hosting; and c) we store files on a hosting server, network, or cloud service,” writes Crystal Sharp in Online Searcher. “Most of us have several online accounts with different types of services: bank accounts and investments in more than one institution, medical records in a personal health record, website domain ownership information, and photos, music, video, and blogs on various social networking sites. On a regular basis, we may pay bills, collect royalties, make investment decisions, update information, renew subscriptions, or close accounts. Access to each account is by password and users are advised, for security, to have different passwords for each account.”

But all of that becomes terribly complex, Sharp warns. “In an emergency, no one may know what accounts we subscribe to, how to access information for each account, or how to deal with the content within each account unless we record details of the accounts we have, show how to gain access to each account, and provide instructions in a readable and easily available format on what needs to be done.”

Something to keep in mind is that these digital assets may have real value. A 2013 McAfee estimate found that the average person has digital assets worth $35,000. Whether it’s Bitcoin, airline miles, domain names you own, or purchased media, digital assets can add up.

There are certain terms of art associated with the post-death disposition of your digital identity, whether it’s data stored on your own servers, or data stored on somebody else’s servers. Moreover, a lot of this stuff is changing all the time, as these services figure out that, hey, clients die, their heirs want access to it, and they’d better figure out how to handle it.

So the terms you’re looking for are typically “digital assets” for the stuff, “digital legacy” for the stuff after you’re dead, “digital estate plan” for what to do with the stuff after you’re dead, and “digital executor” for the person who handles the stuff after you’re dead. This is all complicated by the fact that not all states recognize digital estate plans or digital executors, but it’s a good idea to write it all down anyway, recommends digital estate service vendor Everplans.

There have been a number of well-publicized incidents of heirs who struggled to retrieve the digital assets of people who died. In one case, a son gave up as much as $2000 in a PayPal account because the father hadn’t left a will granting him possession—even though bank accounts had no problem paying out.

Then there’s Michael Hamelin, a hacker who died in an accident in which his wife was also injured. He secured the family’s systems so well that even with the help of other hacker friends, she hasn’t been able to gain access to some of their files, including the only copies of digital photographs they owned, writes Patrick Howell O’Neill in the Daily Dot.

There have also been legal cases as companies wrestle with the issue of privacy vs. legal access. In one example, Peggy Bush, a 72-year-old Canadian widow, was told by Apple that she’d have to get a court order for the company to reveal the password to an iPad card game she and her husband liked to play. “I thought it was ridiculous,” she told Rosa Marchitelli in CBC News. “I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password. It’s nonsense.”

Moreover, laws may vary from state to state. While the Uniform Fiduciary Access to Digital Assets Act (UFADAA) has been passed to help address this issue, not all states have supported it, and there has been pushback from vendors. Nearly half of U.S. states have introduced legislation in 2015 to enact UFADAA, according to ARMA International. “However, most of those efforts have stalled due to opposition from Internet and telecommunications companies concerned that the act raises privacy questions, conflicts with federal law, and undermines contract rights.”

(Something else to keep in mind is that when faced with grieving widows, companies have been known to bend the rules regarding access to digital assets, leading some to speculate that this will prove to be a fruitful avenue for social engineering, until companies catch on. “I’ve been involved in social engineering,” Andrew Kalat, a friend of the Hamelins who helped the widow deal with the aftermath, told O’Neill. “When I saw how willing companies with little or no planning for death were to bend the rules, I thought, ‘Wow, this is a powerful technique.’”)

The Internet abhors a vacuum, so startups have been springing up to deal with the issue. The Digital Beyond, for example, considers itself, “the go-to source for archival, cultural, legal and technical insights to help you predict and plan for the future of your online content.” While not a service itself, it does maintain a list of more than 50 services intended to help manage and control online content after the death of the owner. Other sites on the topic include Digital Passing, Everplans, and Planned Departure.

Kalat recommends setting up a “legacy drawer” with signon and account information, and actually swapping roles between spouses for a month every year so that everyone becomes familiar with everything.

That said, there may be …things… you don’t want your heirs to find. If you don’t want your kids screaming, “My eyes! My eyes!”, there are provisions for that, too. Some services offer “account incineration,” writes Rob Walker in the New York Times. “If you don’t want your heirs figuring out that you had a secret Tumblog clogged with pictures of Natalie Portman, maybe you should just arrange for it to be ‘incinerated,’” he suggests.

Some services are setting up procedures to deal with a person’s online accounts. Google, for example, offers Inactive Account Manager, a one-stop shop for all Google services that can alert people, pass on information, or wipe your account should you not log in after a certain (configurable) period. Facebook lets you set up a “legacy contact” to control your Facebook account after you die.

One way or another, the Internet will need to deal with the issue, because demographics are not in its favor. “By 2050 more than half of the Internet’s users will be dead,” writes Cory Doctorow in Locus. “That is, of all the accounts ever created by Internet users, more than half will have been created by people who have since died.”


January 31, 2016  8:38 PM

EMC-Dell Merger Hits Turbulence

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Dell, EMC, Storage

Okay, nobody thought that a merger the size of October’s marriage between EMC and Dell would be done this soon. But there’ve been a number of bumps in the road that are making some analysts – and, possibly, customers – concerned.

This past week, EMC held its quarterly earnings call, and the rumblings about the merger were such that CEO Joe Tucci made a point of saying, yes, the merger was still happening and still on track to close by October — if only because the deal included “significant penalties” should either side fall down on the job. (EMC would pay $2.5 billion to terminate the deal; Dell would be out $4 billion, according to the Wall Street Journal.)

EMC has made a number of changes to the merger in response to criticism, writes Barb Darrow in Fortune. “They reversed their stated plan to move VMware’s vCloud Air product into EMC’s Virtustream enterprise cloud unit because VMware shareholders didn’t like the idea,” she writes. “And, on New Year’s Eve, EMC said it was taking a $250 million charge related to its previously announced plan to cut $850 million in costs, including layoffs.”

The opinions of VMware shareholders are relevant because VMware is a big part of this merger. EMC owns about 80 percent of VMware, and VMware also provided about three-quarters of EMC’s value. Also, part of the way the deal is being funded is through VMware being considered a “tracking stock” that is intended to sweeten the deal to shareholders by as much as $9 per share – but some analysts are valuing that part of the transaction as essentially worthless at this point, writes John Shinai for USA Today.

That’s why another action also made watchers of this merger nervous: VMware said last week that it is laying off about 800-900 people, or about 5 percent of the company. In addition, VMware’s CFO is resigning and is being replaced by EMC’s CFO. VMware stockholders are reportedly concerned that the company will end up getting sold to help finance the Dell-EMC merger and they’ll lose money, writes Scott Ard in the Silicon Valley Business Journal.

EMC’s earnings were slightly less than expected. “EMC logged a profit of $771 million (39 cents a share), off from $1.15 billion, (56 cents a share) from a year ago,” Darrow writes. “Excluding merger-related costs and other items, earnings per share fell to 65 cents from 69 cents. Revenue fell 0.05% to $7.01 billion. Analysts had expected 65 cents profit on $7.12 billion in revenue.”

Analysts didn’t blame the merger for the slowdown, just the same sorts of things that have been hurting EMC in recent quarters all along — the adoption of cloud storage, software-defined data centers, and price declines of flash-based storage solutions, writes Morningstar. On the other hand, Tucci reportedly blamed “angst” about the merger as part of the reason for the slowdown, writes Curt Woodward in the Boston Globe. The value of the dollar is also a factor.

In case you forgot, EMC had lower earnings last quarter, too, just a couple of weeks after the merger was announced.

Moreover, since the announcement, both EMC and VMware stock have dropped in value. EMC stock was around $33 a share in October, and now is well under $30 a share, Shinai writes. This is a problem because the deal is predicated on EMC stock being valued at $24.05. If the stock price falls below that level (which it did during at least one point during the week), it’s going to be tough to complete the acquisition, he writes. VMware stock has dropped 40 percent in that same period, he adds.

The result is that the value of the deal has dropped by $9 billion, to only $58 billion, according to the Wall Street Journal.

There’s also concern that Dell might have trouble raising the $40 to $50 billion in debt required to close the deal, writes Billy Utt in AustinInno.

Further down the pike, there’s some concern that EMC may have trouble retaining its employees if they’re concerned about the company’s future, writes Scott Kirsner in BetaBoston.

“We’re confident. We know what we’re doing,” Woodward quoted Tucci as saying on the call.

We shall see.


January 26, 2016  12:04 PM

User Finds Amazon Glacier an Expensive Roach Motel for Data

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Amazon, cloud, Storage

People used to joke about the notion of “write-only memory,” where data could be written to it but not retrieved again. To at least one user, that’s what’s happening with Amazon’s Glacier service.

As you may recall, Glacier was announced in August, 2012, as low-cost storage for long-term archiving in return for customers being willing to wait several hours to retrieve their data. That resulted in a cost of $10 per terabyte of data.

But a fellow who used the service found out that retrieving his data wasn’t nearly as easy as putting it in there. Marko Karppinen writes in Medium that he used the service to back up some 150 CDs, or 63 giagabytes, soon after the service became available. Recently, he decided to migrate the data.

“The culprit was the same neat freak tendency that had me toss all those CDs in 2012,” Karppinen writes. “I simply no longer wanted to have that 51¢ AWS bill appear, each and every month, in my email inbox and on my AmEx statement. Here in present-day 2016 I’m paying for a one-terabyte Dropbox account and, as a part of my Office 365 subscription, a 1TB OneDrive. Why would I keep a convoluted 51¢-a-month archival setup when I already have all the cloud storage I could need, on two diverse–yet–incredibly–convenient providers?”

But Karppinen found out it wasn’t as easy – or as cheap – as he might have thought. First of all, it was technically complicated to do, with limited tools to support it. Moreover, it is – as advertised – glacial, he writes. “Before you try it, it’s hard to appreciate how difficult it is to work with an API that typically takes four hours to complete a task.”

(Kind of like working with punch cards in the old days, grasshopper.)

Karppinen writes that he ended up spending most of the weekend trying various tactics – with a requisite four-hour wait after each new attempt.

Second, it was expensive. “Here I was, working on a full retrieval of the archive, something that Glacier was explicitly not designed for,” Karppinen writes. “Glacier’s disdain for full retrievals is clearly reflected in its pricing. The service allows you to restore just 5% of your files for free each month. If you want to restore more, you have to pay a data retrieval fee.”

When Karppinen had originally researched the fee, he noted that the description said it “started at” $0.011 per gigabyte, and assumed that that was what he would be charged, for a total of 86 cents. But as it turns out, it ended up costing him more than $150.

Glacier data retrievals are priced based on the peak hourly retrieval capacity used within a calendar month,” Karppinen explains.You implicitly and retroactively ’provision’ this capacity for the entire month by submitting retrieval requests. My single 60GB restore determined my data retrieval capacity, and hence price, for the month of January, with the following logic:

  • 8GB retrieved over 4 hours = a peak retrieval rate of 15.2GB per hour
  • 2GB/hour at $0.011/GB over the 744 hours in January = $124.40
  • Add 24% VAT for the total of $154.25.
  • Actual data transfer bandwith is extra.

Had I initiated the retrieval of a 3TB backup this way, the bill would have been $6,138.00 plus tax and AWS data transfer fees.” [All emphasis his.]

Remember, to add insult to injury, Karppinen still hadn’t gotten his music back – but he did eventually figure out how to do that. And he includes all the gnarly details.

Interestingly, when we wrote about Glacier in 2012, we noted two points:

  • “The service is intended not for the typical consumer, but for people who are already using Amazon’s Web Services (AWS) cloud service. Amazon describes typical use cases as offsite enterprise information archiving for regulatory purposes, archiving large volumes of data such as media or scientific data, digital preservation, or replacement of tape libraries. ‘If you’re not an Iron Mountain customer, this product probably isn’t for you,’ notes one online commenter who claimed to have worked on the product. ‘It wasn’t built to back up your family photos and music collection.'” [Emphasis mine.]
  • “There is also some concern about the cost to retrieve data, particularly because the formula for calculating it is somewhat complicated.”

Not to say “I told you so” or anything, of course. And Karppinen sounds like he’s figured that out already – and has a lesson for all of us as well. “More and more, we expect cloud infrastructure to behave like an utility,” he writes. “And like with utilities, even though we might not always know how the prices are determined, we expect to understand the billing model we are charged under. Armed with that understanding, we can make informed decisions about the level of due diligence appropriate in a specific situation. The danger is when we think we understand a model, but in reality don’t.”


January 22, 2016  3:02 PM

California, New York Put Forth Useless Phone Encryption Bills

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Apple, Encryption, Google, phone, Security, smartphone

California and New York are each attempting to pass bills that they claim will help protect people against crime, but in reality would likely simply eliminate a source of sales tax revenue from the state: Each is putting forth a bill that would forbid smartphones with unbreakable encryption to be sold within their respective states, levying a fine of $2,500 on each infraction.

As you may recall, this all started in the fall of 2014, when Google and Apple each released smartphones with encryption that even the respective vendors couldn’t break. Much handwringing on the part of law enforcement ensued, warning us of dire consequences such as pedophilia, terrorism, and so on. After the furor died down a bit, it has come up again in light of recent terrorist attacks and the concern (likely incorrect, as it turned out) that terrorists were using encrypted smartphones.

Now, one of the handwringers, Manhattan District Attorney Cyrus Vance Jr., has encouraged 62 New York district attorneys to ask the New York Assembly to address the issue, because the federal government has failed to do so, writes Seung Lee in Newsweek.

Democratic Assemblyman Matthew Titone, of Staten Island, put forth such a bill last June, but because the Assembly didn’t address it then, he has re-introduced A8093 during this legislative session. The goal of the legislation is to encourage the federal government to act on the issue, a spokesman for the Assemblyman told Lee.

Interestingly, according to some reports, it’s retroactive to January 1 of this year, meaning that Apple and Google could theoretically be on the hook for fines for smartphones they’ve sold legally.

At the same time, California Assemblymember Jim Cooper (D-Elk Grove) put forth a similar bill, Assembly Bill 1681. It is specifically intended to help law enforcement investigate and prosecute suspected criminals and criminal organizations that are found to be involved in human trafficking and other serious crimes, writes Hannah Albarazi for CBS. (One difference – the California bill doesn’t take effect until January 1 of 2017.)

Keep in mind what these bills actually purport to do. They don’t keep people from using encrypted smartphones in New York and California. They simply specify that vendors can’t sell (or lease) those phones in New York and California. The implication is that we could soon expect encrypted smartphone stores, like fireworks stands, to pop up around the borders of whatever states enact such regulations.

“I never thought I’d see an Apple Store in Newark (or Hoboken), but legislation to ban sales of secure smartphones will do exactly that,” noted one Twitter commenter.

Also recall that case law on whether people can be forced to surrender their phone’s encryption key is not yet settled. It all depends on whether an encryption code is something that is the expression of one’s mind, like the combination to a safe, which is protected under your Fifth Amendment rights not to incriminate yourself, or a physical key, something you possess, which is something you can be forced to produce. Courts have been going back and forth on the issue.

Meanwhile, members of the technology community ranging from Apple CEO Tim Cook to security expert Bruce Schneier have pointed out that encryption back doors don’t just open for the government or law enforcement, and would weaken security for everyone. “You can’t build a backdoor that only the good guys can walk through,” Schneier wrote when Apple first announced its policy. “Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.”

“There have been people who suggest we should have a backdoor,” Cook reportedly told 60 Minutes. “But the reality is, if you put a back door in, that back door is for everybody, for good guys and bad guys.”

Ironically, while all this is going on, National Security Agency (NSA) Director Adm. Michael Rogers was telling the Atlantic Council, an international affairs think tank, that encryption was here to stay and that attempts to legislate it, as in California and New York, were misguided. “Spending time arguing about ‘Hey, encryption is bad and we ought to do away with it,’ that’s a waste of time to me,” Rogers said, writes Cory Bennett in The Hill.

Of course, to the paranoid, that simply is confirmation that the NSA already knows how to read our encrypted smartphones.


January 14, 2016  5:38 PM

Are the Malheur Occupiers ‘Using’ Government Computers? Depends

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security

Whether it’s arguing about the definition of “is” or just what constitutes a “clean” room,  kids and politicians love to debate about definitions.  Now the people taking over a federal research station in Oregon are doing the same thing.

When the group – –  and it’s up to you whether to call them “militia” or “terrorists” or something in-between – –  first took over the Mather National Wildlife Refuge near Burns,  Oregon on January 2,  concern was expressed about the government computers and data on them located at the site.  

Not to worry,  the group said; they weren’t using the computers.  Honest, Mom. Even though Oregon Public Broadcasting staff saw them doing so,  as well as having access to other personally identifiable information in the station.  

“After [member of the occupying group’s security team LaVoy]  Finicum realized he shouldn’t have allowed OPB to access the room,  he quickly picked up lists of names and Social Security numbers by the computers,  and hid government employee ID cards that were previously in plain sight, “ John Sepulvado of OPB writes.  “We haven’t touched any of the computers,  we haven’t tried to log on – –  we haven’t done anything, “ group leader Ryan Bundy told him.

As it turns out,  their not using the computers is only sort of true,  depending on your definition of “using” – –  and the technique involved is something we should all be aware of should we also find ourselves hosting uninvited guests around our hardware.

According to another article by Sepulvado and Amanda Peacher, the group is indeed using the computers,  via thumb drives with Linux on them.  This is through occupier David Fry, who said he drove in from Ohio to help the group and that he knows “a little bit” about computers. But what he was doing was okay because he wasn’t actually using the computers or the data on them,  he told OPB.

“I am using any computer I can use, “ Fry told OPB.  “Their data is perfectly preserved… you can’t access any of that,  it’s got encryption on it. “

Thank goodness for small favors.

What are the occupiers using – –  for whatever definition of “using” you prefer – –  the computers for?  Making a website for the occupation,  OPB writes,  which Fry identifies in one of his videos as defendyourbase.net.  In fact,  he’s even posted videos of himself “using” the computers and explaining the use of the thumb drives.  

Reuters reporters also observed the occupiers using office printers.  And whether the data came from paper files or the computers,  employees who live in the area report that they have been harassed in the vicinity of their homes by people they didn’t recognize,  which they attribute to the occupiers releasing their personal information.  (Perhaps the next job the office might take on is digitizing their paper files and putting them,  as well,  under encryption.) 

But remember,  the occupiers aren’t really “using” the computers.

It remains to be seen if the law will agree.   Continued »


December 31, 2015  11:08 AM

E-Discovery 2015: Calm Before the Storm

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
ediscovery, legal

The last couple of years have been pretty quiet ones in the world of e-discovery. No multimillion-dollar sanctions for people not following the rules, a few small acquisitions (we’re still dealing with the HP-Autonomy one), a couple of changes in the market but nothing radical. Zzz.

Next year, though, is likely to be different, because of something that actually happened last year. So you can think of 2015 as the calm before the storm.

In case you’ve forgotten, new regulations about the federal rules of civil procedure, which govern e-discovery, were passed in September, 2014, and were slated to take effect on December 1.

“Twitter is abuzz with messages about today’s effective date for the changes to the Federal Rules of Civil Procedure that read more like birth announcements (‘It’s finally here!’),” writes Karin Jenson in Discovery Advocate. “But figuring out what to do once you get that baby home is another matter – despite having a long time to prepare. Moreover, while there is as much commentary about the rules changes as there are parenting books, it’s hard to really figure out what to do until you are doing it.”

So the legal industry is very, very excited about this and is talking a lot about What It All Means, though exactly What It All Means won’t be clear until the rules have been in effect for a while.

“When the 2006 FRCP amendments came out that initially addressed e-discovery, Windows Vista was only a few weeks old, and Apple released its MacBook Pro with a 17-inch screen, 2 gb of RAM, and a 160gb hard drive for $2,799,” notes Jeff Bennion at Above the Law. “Facebook was a few weeks old, and the idea of storing thousands of photos online was still years away. And that was when lawmakers were concerned that electronic data was exploding. It makes it scary to think about how much more data will be created between now and the next update.”

In particular, the new FRCP rules are expected to address many of the ediscovery issues that came up the most in court in 2015, notes Kroll Ontrack’s report, Year in Review: Top Ediscovery Cases in 2015. “As courts grapple with the impact of the new rules, 2016 has the potential to be momentous,” Michele Lange, Kroll’s director of thought leadership, told Amanda Ciccatelli of Inside Counsel. “Will courts hold parties accountable when they only hold ‘drive-by’ meet and confers without raising real, substantive discovery issues at the scheduling conference?  To what extent will the new emphasis on proportionality limit the scope of discovery above and beyond current practices?  How will courts define reasonableness and good faith when determining if sanctions are appropriate?” Ciccatelli writes. “These are meaty issues – with real impacts for requesting and producing parties – that will need to be worked out in judicial opinions in the coming months and years,” Lange told her.

Other e-discovery issues that are likely to crop up? One of them, as always, will be new sources of data – in this case, sensors used in the Internet of Things, writes Edward Sohn for the Association of Corporate Counsel. We’ve already seen some of that with attorneys subpoenaing people’s FitBits and so on; imagine having to provide all the data from all the sensors in a manufacturing plant?

Another continuing issue from 2015 is the matter of data sovereignty and what control various governments have over companies that operate in their regions, even if they aren’t located there. Microsoft has continued fighting efforts by the U.S. government to force it to turn over data located in Ireland, for example, and with the European Union trying to control data exchanges with the U.S., the potential for it affecting other legal cases is high.


December 29, 2015  6:04 PM

Governments, Old Tech, Acquisitions: 2015 Storage Trends

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Encryption, privacy, Security, Storage

The interesting thing about looking over an entire year’s worth of stories at once is that things that seemed like a single event at the time turn out to be part of a larger arc.

Yes, the storage industry is like a Game of Thrones season. Who knew.

If you’ve been around reporters at all, you’ll know that they have a rule of thumb: Anything that happens three times is a Trend. By that measure, here’s a number of trends in the storage industry from 2015, and where they might go in 2016.

Storage meets public policy. The whole concept of storage has really gone beyond the basic functionality of keeping track of bits and bytes. It now extends into public policy and business operations as well. What data can companies store? How can they exchange it? In particular, what kind of data can governments store or access? And, most important of all, how can that data be protected from hackers?

We saw many examples of governments directly or indirectly building databases, ranging from faces to spit. What will happen once the government has a database of what everyone looks like so they can use it to scan faces at a demonstration or compare DNA collected from a protest against a database of genetic material? Especially if the police have their own database of everyone who simply knows criminals, under the theory that friends of criminals must be criminals too? Not to mention Republican Presidential candidate Donald Trump’s potential database of Muslims.

At the same time, governments are gaining access to other organizations’ databases through the courts, whether it’s Facebook’s collection of data, data stored offshore by a cloud vendor, or Dropcam video files. Courts are being used against individuals, too, such as by accusing people of hiding data simply by clearing their browser or using encryption – assuming, of course, that governments don’t succeed in their quests to require back doors and allow surveillance.

Courts are also still trying to decide whether people are required to submit their electronics for search within 100 miles of the border, give up their encryption keys, or let law enforcement search their phones. Moreover, governments themselves are increasingly making it harder for citizens to look at government data, such as by setting up private email servers, “losing” data, or protecting police body camera footage.

What it means for 2016: It seems likely that law enforcement organizations, courts, and governments are going to continue using every opportunity they can to collect data, and yet at the same time not do a great job protecting it nor giving individuals the tools they need to protect it themselves. Expect invocations of Paris and 9/11 to be used to justify ever more government access to our data.

Everything old is new again. Whether it’s Zip drives, cassettes, or Betamax, old storage technology is still out there, even if it isn’t officially supported anymore.

What it means for 2016: It’s never a bad time to migrate data on old media into a more up-to-date storage system. And while you’re at it, make sure that the data is readable by modern software as well. Migrating all the old spreadsheets to a new hard disk isn’t going to help if they’re still all in VisiCalc format.

But thumb drives are still bad. Now they can set your computer on fire. But look on the bright side! They can liberate a totalitarian country!

What it means for 2016: They’re still bad. Stop picking up thumb drives and sticking them into your computer. You don’t know where they’ve been.

Finally, there’s acquisitions. Obviously, the biggest one of these is Dell buying EMC (assuming the deal actually gets finalized), but we also had Western Digital buying SanDisk in the ongoing trend of storage company consolidation. And HP-Autonomy is still hanging in there – in court, at least, even if HP did write down most of the acquisition.

What it means for 2016: You can always count on companies buying and selling each other in the industry. In particular, it will be interesting to see how the Dell-EMC acquisition shakes out, especially if Dell ends up having to divest itself of some pieces to be able to keep the other pieces.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: