Old wolves wrapped in new fleece

from @crosscloudme

Old exploits never go away; they just get repackaged and come back to haunt you in the future.

While setting up an installation of antiX on the oldest surviving netbook I discovered my one gotta-have-it software (Nextcloud) is not available in the Debian Stretch Stable repositories. And, in the process of looking for a workaround, I discovered another start-up being supported by the Nextcloud team – CrossCloud.Me.

Conceptually it works like this: CrossCloud has a client which will make it extremely easy for you to work with a wide range of cloud-style storage solutions, and will make everything brilliantly secure with single clicks and so on. They started a couple of years ago, and things were developing well, but they figured out what many tech innovators learn: you can make money at retail, but the big bucks are in corporate towers.

And the corporate towers have different goals than private users.

Now I have no actual clue as to how their software worked before, or now, but the gist of things seems to be to add a central service. Basically the client lets you manage your data on all your various remote storage systems by creating a central repository of data about the many services you use. This allows corporate HQ to monitor, secure, and control the use of these tools by employees for business communications – a very laudable goal.

It also creates a “one ring to rule them all” situation for both corporate and private users.

Whether it is their intention or not, monitoring communications to CrossCloud.Me will reveal the cloud storage activity of their clients. No doubt, with such an expressed privacy and security focus, the contents of that communication are well-secured, but the activity itself is advertised, and likely also reveals the location of the user.

And, assuming I am right that the central service retains all the metadata about your various cloud services, including the passcodes, cryptographic certificates/keys, and whatnot needed to make all that security transparent to the user, this is like storing the keys to all your secrets with some company somewhere. You just gotta believe.

Mallory is the man-in-the-middle. Image from Commons.Wikimedia.Org

You gotta believe they will not build a back door. You gotta believe they will resist a secret government order to build a back door. You gotta believe they know enough to avoid getting hacked – by a state or non-state actor. You gotta believe they are secure enough that if a government seizes their physical servers that government will be unable to forensically access the data stored there. You gotta believe they will not be ordered closed by a court, leaving your data secure but beyond your reach.

Because any service which requires you to have an account to use their software is a man-in-the-middle.