Why Microsoft’s Rumored Plan For a Cloud-based OS is a Bad Idea

Photo from iStock

While Apple is busily trying to solar power the cloud and getting into the hybrid smart phones/tablets (“phablets”) market now dominated by Samsung, Microsoft has come up with an “innovative” scheme to make the upcoming Windows 9 more popular than Windows 8 by making it cloud-based.

Don’t know what the cloud is? Here’s a quick primer:

“The cloud” is an Internet-connected virtualized infrastructure that exists outside of computer hard drives. It hosts not only the data used by companies, including customer data but, increasingly, applications. The cloud (also known as computing on demand) is used in a variety of ways (there are public, community, private and hybrid clouds) and can offer a variety of resources: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and network as a service (NaaS), making the cloud less a monolithic whole than a nebulous amalgam of services. Because it reduces cost, especially with regard to expensive data centers, increases productivity and improves customer accessibility, cloud computing has become a core technology.

So back to Microsoft. Solar power never hurt anyone. And the phablet might be a bust but that is something the market itself will decide. You’ll be out a few bucks but at the worst, you’ll end up with a phone that doesn’t actually replace your tablet. But as ideas go, a cloud-based OS is a lemon.

The reason? Sure, as CNN Money tells us, a cloud-based OS “could translate into more free space on your hard drive, fewer Windows updates and potentially cheaper computers,” but the cloud isn’t safe.

Using the cloud is like jumping into a public swimming pool: you open yourself up to everything all the other swimmers bring into the pool with them. CBS News reported last year that the CDC found public swimming pools “rife with fecal contamination.” And the nasty stuff doesn’t end with fecal matter.

Don’t stop at athlete’s foot; think Legionnaires’ disease, or why not go right to influenza, or even the Cryptosporidiosis parasite, which the CDC says “is one of the most frequent causes of waterborne disease among humans in the United States.” Cryptosporidiosis, if you have a compromised immune system, can kill you.

Think about these potentially deadly nasties for a minute because it will put your mind where it needs to be when considering a visit to cloud-anything. There are things on the cloud as deadly to your computer as Ebola, and far more contagious. Computers are expensive. Your documents are valuable. Your computer can become junk if you are not careful, and your documents as extinct as the Carrier Pigeon.

Yes, malicious hackers were quick to realize what fertile ground the cloud represented, and they were quick to act. Quicker than cloud providers were with cybersecurity, at any rate. As a report by research firm Solutionary put it late last year, “The cloud has become a preferred mode for malicious actors who are using cloud computing for many of the same reasons that legitimate customers are.”

Just getting on the cloud now? Malicious hackers have been there for more than five years already.

The results are about what you would expect in an industry that makes cybersecurity an afterthought.

It is indicative of the business world’s mindset that an article on ZDNet asking if the cloud really stacks up doesn’t so much as mention security. You’ve got licensing, infrastructure, support and maintenance, and training, but nothing about cybersecurity.

And it’s not like there is no need for security. Oh boy is there a need for security.

Do you use Dropbox? Millions do. Twitter was all a-buzz recently with folks excited about increased storage on Dropbox. Some said they’d put every file they own on the cloud. Yet on June 26 of this year, NetworkWorld told us that “Trend Micro reported today through a blog post that it has observed the first instance of hackers using DropBox to host the command and control instructions for malware and botnets that have made it past corporate firewalls.”

Good times…. Yeah, not so much. Industry giant Amazon could not protect its own cloud in 2011.

The cloud is so not safe that in December 2010, the Office of Management and Budget (OMB) issued a “Cloud First” policy requiring cloud use by federal agencies whenever possible (U.S. GAO, 2012). But the federal government has also recognized the cloud’s vulnerabilities, the National Institute of Standards and Technology (NIST) observing in 2011 that the very features that draw people to the cloud “can also be at odds with traditional security models and controls” (Jansen and Grance, 2011).

These threats and vulnerabilities have prompted the National Security Telecommunications Advisory Committee (NSTAC) to form a subcommittee to study the intersection of national security and emergency preparedness (NS/EP) and cloud computing (NSTAC, 2011).

Want to be really scared? The cloud is so unsafe that there are actually botnets on the cloud, called botclouds. A botnet is something you might already be part of, because botnets are composed of infected computers controlled by malicious hackers. A botcloud is easy to set up and difficult to detect, and can be made up of hundreds or thousands of virtual computers.

It has been suggested that the attack on the Sony PlayStation Network was a botcloud attack.

No, the cloud isn’t safe. It never was.

Yet people treat it like some vast and friendly fantasy playground. The simple fact is that you have a far better chance of protecting the integrity of your computer than you do the cloud.

And now Microsoft wants to put your operating system – or at least part of it – on the cloud, a place you have no protection at all.

Think Microsoft can keep you safe? Think again. Much of the talk about Windows 9 is being driven by revelations from Russian pirate group/individual WZOR.

Think about it this way: the cloud is used to attack people. Just yesterday a warning was issued by “Cloud-based business software company Salesforce” that Dyre malware, a Trojan used to steal data, might be used against its customers (former high-profile victims include Bank of America, NatWest, Citibank, RBS, and Ulster Bank).

And you want your operating system coming from there?

It’s not that Apple is necessarily more secure than Microsoft. As CNN reported the other day in regards to the nude celebrity photo brouhaha, “Apple confirmed to CNN Monday that it is looking into reports that its popular iCloud online data backup service may have been compromised by the hackers.”

But Microsoft ought to know better, or at least learn from Apple’s misfortune. If Microsoft is seriously considering a cloud-based OS, then maybe where innovation is concerned, Microsoft ought to just stick to copying everything Apple does.

References:

Jansen, W., Grance, T. (2011). Guidelines on Security and Privacy in Public Cloud Computing. (NIST Special Publication 800-144). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

10 Replies to “Why Microsoft’s Rumored Plan For a Cloud-based OS is a Bad Idea”

  1. WFT Since it is based on internet speed it will work for those with fast connections and not for others. They will also shut out a large part of the world that does not have the speed to use it.

  2. Every time the page comes up for downloading the cloud software I close it. That’s just too much of my info out there that I have no control over. I fear that people will get so used to computers supplementing our lives that we will be in deep trouble when and if there occurs something that will make all the equipment useless. That is why I have analog or pre-digital equipment for nearly everything I own, including a car that is non-computerized.

  3. I am glad I only use dropbox for photos!

    I wouldn’t trust the cloud for anything. This is nothing more than a major freeway for the CIA and other bands of marauding peekers. I use dropbox because when I take a picture, it is on my desktop in seconds no matter where I am. But putting anything of value there? No way. That’s as dumb as using Gmail.

  4. The majority of this article is scare-mongering… “the cloud isn’t safe”.

    It’s incorrect to believe there is ONE cloud. There are many; each one having its own security protocols. More than incorrect, this article is also mean-spirited. It’s mean to confuse and scare people.

    Yes, there have been serious breaches of security for some Cloud services – particularly in the area of Software as a Service (SaaS). And, yes, security standards for Cloud are evolving, with specializations for each of the services (IaaS, PaaS & SaaS). But it’s incorrect and mean-spirited to mislead people who are unfamiliar with the concept of a Trusted Computing Base (kernel). Hell, just look at the comments posted here!

    In the 1980s, the introduction of personal computers (hardware) and access to the world-wide web revolutionized computing. We learned about risks and we still work to mitigate ’em.

    Cloud is equally revolutionary. Get educated or get left behind.

  5. Cloud computing is much, much more than Dropbox (online storage).

    If you use smart phone apps, you’re using Cloud computing.

    The companies you do business with… they’re probably using private Clouds that you’re unaware of (virtual servers and virtual networks).

    Being cautious is good. Being informed is better. It’s better because then we can be cautious in ways that make a difference. Wikipedia has a good article about Platform as a Service (PaaS). I recommend it.

  6. The cloud is nuts. Today memory is cheap. Why do we need the cloud to begin with? It is going to make things easier to be hacked. Keep it home and your computer well protected. I have 2 1/5 terabytes of memory. The problem is people don’t keep their computers cleaned out. They leave them open to every piece of junk on the internet. I say NO to the CLOUD!

  7. Mean-spirited? Seriously? Incorrect to cite facts?

    It is not only NOT scare mongering, it is a public service.

    A full list of my sources for this post:

    Agapi, A., Birman, K., Broberg, R.M., Cotton, C., Kielmann, T., Millnert, M., Payne, R., Surton, R., & Renesse, R. (2011). Routers for the cloud: Can the internet achieve 5-Nines availability? IEEE Internet Computing 15(5), 72-77. doi:10.1109/MIC.2011.122

    Anthes, G. (2010). Security in the Cloud. Communications Of The ACM, 53(11), 16-18. doi:10.1145/1839676.1839683

    Aron, J. (2011). Beware of the botcloud. New Scientist, 210(2817), 24.

    Babcock, C. (2012). The Cloud’s Points Of Failure Are Showing. Informationweek, (1346), 14-16.

    Brown, R., Dalton, C.I., & Gebhardt, C. (2008). Hypervisors: Preventing hypervisor-based rootkits with trusted execution technology. Network Security, 20087-12. doi:10.1016/S1353-4858(08)70128-4

    Clarke, R. (2012). How reliable is cloudsourcing? A review of articles in the technical media 2005-11. Computer Law & Security Review, 28(1), 90-95. doi:10.1016/j.clsr.2011.11.010

    Cobb, C., Cobb, S., Kabay, M.E. (2009). Penetrating computer systems and networks. In Bosworth, et al., (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

    Constantin, L. (2012). Study warns cloud be used as giant botnets. Cio, 26(6), 30.

    Crawford, D. (2013). Emerging cyber threats ring in the new yea. Communications of the ACM, 56(1), 20.

    Drew, J. (2012). Managing cybersecurity risks. Journal of Accountancy, 214(2), 44-48.

    Dubie, D. (2008). Security concerns cloud virtualization deployments. Networkworld Asia, 4(1), 23-24.

    Gold, J. (2012). Protection in the Cloud: Risk Management And Insurance for Cloud Computing. Journal Of Internet Law, 15(12), 1-28.

    Helland, P. (2013). Condos and clouds. Communications of the ACM, 56(1), 50-59. doi:10.1145/2398356.2398374

    Jansen, W., Grance, T. (2011). Guidelines on Security and Privacy in Public Cloud Computing. (NIST Special Publication 800-144). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

    Junseok, O., Young Bae, Y., Jong Ryeol, S., & Bong Gyou, L. (2012). The Difference of Awareness between Public Institutions and Private Enterprises for Cloud Computing Security. International Journal Of Security & Its Applications, 6(3), 1-9.

    Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), 5-8. doi:10.1016/S1353-4858(12)70111-3

    NSTAC votes to establish cloud computing subcommittee. (2011). Telecommunications Reports, 77(12), 31.

    Orloff, J. (2012, January 13). Avoid vulnerabilities and threats in the cloud. IBM. Retrieved from http://www.ibm.com/developerworks/cloud/library/cl-cloudthreats/index.html

    Price, M. M. (2008). The paradox of security in virtual environments. Computer, 41(11), 22-28. doi:10.1109/MC.2008.472

    Robertson, B. (2009). Top five cloud-computing adoption inhibitors. Computerworld Hong Kong, 26(5), 10.

    Summary of the Amazon EC2 and Amazon RDS service disruption in the US East Region. (2011, April 29). Amazon Web Services. Retrieved from http://aws.amazon.com/message/65648/

    Tadokoro, H., Kourai, K., & Chiba, S. (2012). Preventing information leakage from virtual machines’ memory in IaaS Clouds. IPSJ Online Transactions, 5(0), 156-166. doi:10.2197/ipsjtrans.5.156

    U.S. Government Accountability Office. (2012, July). Progress made but future cloud computing efforts should be better planned. (Publication No. GAO-12-756). Retrieved from http://www.gao.gov/products/GAO-12-756

    Vaas, L. VM security risks: Phantom or Menace? (2007, October 25). eWeek. Retrieved from http://www.eweek.com/

    VivinSandar, S., & Sudhir, S. (2012). Economic denial of sustainability (EDoS) in Cloud services using HTTP and XML based DDoS attacks. International Journal of Computer Applications, (20), 11.

    Prince, B. VUPEN exploit enables virtual machine escape 107884. (2012, September 6). eWeek. Retrieved from http://www.eweek.com/

  8. There is another problem with cloud computing.

    Data hijacking. You put all your information out there on the cloud, it leaves the safety of your hard drive

    (For Christsakes use a memory stick)

    A bunch of pirates hijack your data and ransom it. This, too, has been happening.

    No, this isn’t scaremongering. This is really bad stuff. You have surely by now heard that the data breaches have been getting larger and larger. The Target data breach, the Home Depot data breach.

    This also goes hand in hand with outsourcing banking information to third party, third world countries.

    Just recently there was an RBC account where $97K of a man’s retirement money was stolen. The thieves had obtained the man’s signature, which meant it was an inside job and they traced the theft to Malaysia.

    RBC had also fired a bunch of Canadians to replace them with temporary foreign workers. People who are seeking a paycheck but who have no investment in the country.

    Race to the bottom.

  9. Responding with an excerpt from one of the resources you posted…

    “Orloff, J. (2012, January 13). Avoid vulnerabilities and threats in the cloud”

    Like any IT service, there are security vulnerabilities that attackers look for in the cloud. Yet as more IT professionals become aware of these vulnerabilities and how to address them, the cloud becomes a safer place. In fact, venturing into the cloud has improved security according to 57% of the participants of a Mimecast survey. The reason the majority of that group feel that cloud computing is safe is because they understand the threats and have learned how to mitigate them.

    30 years ago, pundits warned about risks involved with using the WWW. Those risks still exist, but usage of the WWW continues growing.

    My message is unchanged. Education about Cloud and Cloud security is BETTER than scare-mongering.
