The Hated One

Episode 270 - Why self-hosting is not enough and why it matters

Self-hosting is important and if you can do it, do it. But we have much bigger problems now when privacy is becoming criminalized.

Comments

I've been hearing a lot about/from India. I also interviewed Ente's CEO (encrypted photos app) and it's really disheartening to see. That's really how they move the goalposts. First they build the tools for national security, then slowly expand to other crimes and uses. UK law even allows the Food Standards Agency to hack your phone. It's beyond ridiculous. Anime-level dystopian writing right there.

The Hated One

Another wise man once said: "there is no cloud, only other people's computers".

The Hated One

After further analysis, I realised that the reason Apple is vulnerable is vertical integration. If the devices weren't coupled to Apple's own iCloud, it wouldn't be a problem. If Apple divests the hosting to a completely different company, then the current laws would lose effectiveness. Apple already has experience with using blind signatures, so they would reuse this pattern to allow the hosting company to validate Apple users. They should also open-source the client side of the blind signature mechanism. This way they can't compromise the security without disclosure, which is prohibited by the Snooper's Charter. The hosting company couldn't do anything either because they would have no control over the client side.

Peter Šurda
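The blind-signature split the comment above proposes, as an added example (not the video's, the commenter's, or Apple's actual protocol): the issuer signs a value it cannot read, the client unblinds it, and a separate hosting company verifies the result with only the public key, so the issuer's view cannot be linked to the token later presented. It is textbook RSA blinding with a toy hash-to-integer encoding and small fixed primes; party roles, function names and the sample token are constructed for illustration.

```python
import hashlib
import math
import secrets

# Toy RSA key built from two Mersenne primes so the example needs no key
# generation code. ~216-bit modulus: illustration only, far too small for real use.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer only

def encode(msg: bytes) -> int:
    """Map a token to an integer below N (toy encoding, not RSASSA-PSS)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(msg: bytes) -> tuple:
    """Client: multiply the encoded token by r^E so the issuer cannot read it."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:            # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    return (encode(msg) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Issuer (Apple, in the commenter's scenario): signs a value it cannot link
    to any token; the result equals r * encode(msg)^D mod N."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Client: remove r to obtain an ordinary RSA signature on the token."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(msg: bytes, sig: int) -> bool:
    """Hosting company: checks the token with only the public key (N, E)."""
    return pow(sig, E, N) == encode(msg)

def issue_and_verify(token: bytes) -> dict:
    """Run the full exchange and record what each party saw."""
    blinded, r = blind(token)              # client -> issuer
    blinded_sig = sign_blinded(blinded)    # issuer -> client
    sig = unblind(blinded_sig, r)          # client -> hosting company
    return {
        "issuer_saw": blinded,             # unrelated to the final signature
        "signature": sig,
        "accepted": verify(token, sig),
    }
```

Calling `issue_and_verify(b"constructed-account-token-001")` returns an accepted signature whose `issuer_saw` value matches neither the signature nor the encoded token, which is the unlinkability the comment relies on.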

I agree with the main argument, but I still believe there were some inaccuracies and misperceptions.

The first one is regarding the scope of effects of self-hosting. It isn't merely about protecting the individual, it's also about protecting the group. With a middleman like Apple, an attacker has a single target to compromise and can conduct mass surveillance. But if enough people self-host, you can't mass-surveil them; you need to target them individually, which is more expensive and labour-intensive and can create more resistance.

Second, you seem to be conflating self-hosting with homelabbing. These are two different things; possibly you could say a homelab is a subset of self-hosting. There are several options for self-hosting in a data center, ranging from your own server (colocation) to renting a server or a VPS, or various "cloud services" (which are technically commoditised VPSes but are provisioned and managed using different interfaces).

You mentioned physical security at your home. Well, just install cameras, they are cheap nowadays. The attacker could shut down the power, but then at least you'd know that the power was off. And you can also have a cheap phone set up as a camera, and that's resistant to short power cuts. You can also use full disk encryption on your hardware, both at home as well as in a data center. You can protect the keys with a TPM, and even a Raspberry Pi has a secure boot capability. Big cloud providers also provide options to encrypt the services with your own keys. We can discuss whether these facilities have a backdoor, but I think if they did, there would be a much bigger problem, as all the companies using these cloud services with security features would get angry.

You mentioned that Nextcloud could get backdoored if legally required. This however presents logistical problems. Nextcloud is open source and written in PHP (i.e. it is distributed in source code format). It uses a CI/CD pipeline with GitHub Actions. It has multiple distribution channels, for example GitHub, Docker Hub and the Ubuntu Snap Store. You'd somehow have to compromise all of these. Furthermore, once deployed, you can still detect, patch and/or firewall the backdoor.

In addition to that, although I may be mistaken, I think the Snooper's Charter only applies to those who provide some kind of infrastructure that transports or stores the data, like ISPs or hosting companies. The reason why they can target Apple appears to be not that they are the authors of the software that runs on the phone, but that they host the iCloud services. For Nextcloud, the scope doesn't seem to apply to any of the above components. It doesn't look like they can be ordered to backdoor something they don't host. GCHQ would literally have to hack them in order to get what they want.

Peter Šurda

Thank you I love this so effing much!!! When this video becomes public I’ll share the bejeezus out of it.

eiko

If you think the UK is draconian, the Indian govt recently passed a law that allows income tax officials complete access to emails and social media accounts... yes, income tax officers... not intelligence. The good part is it's likely to be struck down by the top court thanks to a previous 2017 ruling that privacy is a fundamental right. https://www.msn.com/en-in/technology/tech-companies/explained-new-income-tax-rules-that-may-allow-it-officials-to-access-your-email-facebook-instagram-and-other-social-media-accounts/ar-AA1Aj4lj

Ajay

A wise man once said, "Clouds are for rain".

Shazbot
