This past week I found more security headlines appearing that bothered me than I have most other weeks. I think I still have a little hangover from the Heartbleed bug that was reported last month. The only good thing is that researchers are using the bug to look for the bad guys. A reminder that trying to exploit this for fun is probably not a good idea.
Security certainly has changed, and rapidly, and it seems as though we are going backwards. In addition to criminals and hackers using bugs to attack us, we potentially have law enforcement, or even border guards, that may look through our devices. I certainly hope this is struck down, though even if it isn't legal, that might not help you when you cross a border or are stopped in front of an office. It makes me think we more and more need a way to wipe our devices quickly and easily, but then reload them from backups. I'd love to see someone provide a way to do this that might not allow immediate restores in sticky situations. Maybe the iTunes "connect to a computer" isn't such a bad idea.
Cloud computing security also had a bit of a setback when a judge ordered Microsoft to comply with a subpoena. A US judge is asking a US company to comply with US law about data stored overseas. This is disconcerting, though to be clear, this is a potential discovery action from US plaintiffs and defendants. It is disconcerting, however, for companies that are looking to some sort of cloud service. I'm glad to see Microsoft isn't just letting this go and is looking to appeal this and seek higher courts that can make rulings about digital information and having any handling of this data be consistent with analog data.
This is even more disconcerting as a survey about encryption use in the cloud found many people expecting the cloud provider to manage encryption. No, no, no, no, this isn't what we want. Companies need to manage and secure their own data, including their own encryption keys.
Perhaps it doesn't matter if you're in the cloud or not. After all, most employees think their employers do a poor job of securing their own systems. Could the cloud be that much worse?