
> Everything can look really nice "on paper" but you don't know what goes on behind the scenes. I have worked with a lot of different people and I have seen too much crazy shit to fully trust anyone with my important data. A cloud provider may have the best of intentions, but sometimes all it takes is a single grumpy employee or even a minor mistake to do a lot of damage.

OneDrive and Google Drive are both pretty cheap. Is there anything wrong with keeping a backup of your important data in one of them? At a certain point you have to live your life and take a chance. "Sure, I never made it to Italy, but I had a 100% safe backup system for my files" said no one ever.

> Free Git hosting such as GitHub, GitLab and others can also be utilized for data that you don't mind storing in public. GitLab and other providers do provide free private repositories, just don't rely fully on that.

At this point, it's clear the author is looking for arguments to make. Of course you're not going to dump all your stuff into a GitLab repo in the cloud. You're going to clone it on multiple machines! My important work stuff is under version control and cloned on multiple machines in multiple locations. If that's not good enough, I'll live with the consequences.




From time to time I read about people who have their account randomly banned/locked by Google. I had 1.5TB of my precious memories of my daughter, all the way back to when she was born,

But I keep a local backup on my old Mac, basically a bunch of external hard drives, but it's a pain in the ass to manage these.


The odds of you losing the master data at the same time as being locked out of your account are astronomically low, and if they don't coincide, then you're not in any trouble (e.g. if you get locked out of your account, then you immediately make another backup e.g. on a USB, and if your main copy has something happen to it, you immediately restore).

I definitely agree that getting locked out of your Google account is a massive risk in general (as well as morally bankrupt on their part), but I don't think it's a problem for the specific case of backups.


1.5TB on "a bunch" of drives? You can get a 5TB drive for $100 on Amazon.


Alternatively, "sure all my sensitive data was stolen and leaked, but at least I made it to Italy" said no one ever.


I trust major cloud providers like Google or Microsoft to protect my data far more than I'd ever trust a bunch of retail hardware I plugged together and configured myself.

They have entire gigantic teams of employees dedicated to security and privacy and protection from threats. I couldn't replicate that even if I wanted to.

If someone wants to steal and leak your sensitive data, they'll have a much easier time getting into your home hardware (whether over a network or physically or both) than they will getting it out of Google Drive, provided you have 2FA and good passwords you keep memorized.


There are different risks.

Yes, at-home storage is more at risk for a targeted attack. However, cloud storage is more at risk for a general attack.

It's dead simple for a waiter to steal your CC#. Yet that's likely not going to happen as they'd lose their job and run major risks of getting caught by the police.

On the flip side, a big company like Target, even though they have a wealth of experts hired to prevent it, has lost millions of CC#s. That's because they are a nice juicy target.

It really just comes down to which risks are more or less likely for you the individual.

I trust my cluster of retail hardware because the effort for a hacker to pull data from it is a lot higher than the actual value of the data stored there.


I'd say home storage is more at risk even for a general attack if you're using retail hardware with default configurations, like a NAS -- it's easy to scan the entire internet for vulnerabilities. Plus it tends to be vulnerable even to non-traditional attacks like Bitcoin ransoms. Whereas cloud storage is custom and patched and up-to-date and monitored... your consumer hardware mostly isn't any of those.

And there's a huge distinction between retail corporations leaking CC#'s, vs cloud storage providers. Securing credit card numbers is not Target's core competency. While securing personal and corporate data is a core competency for major established cloud providers.


Nah, those general attacks require 2 steps. Getting past the router and finding the NAS.

Sure, you could pull off both exploits, but it's not really likely.

The most vulnerable to those attacks likely aren't operating NAS's in the first place. Very few people are (which decreases the likelihood of attack). I'd imagine most of us on HN are regularly patching all of our home hardware. That makes us far less likely to be susceptible to those sorts of general attacks.

If an attacker is looking for something juicy and general, they are far more likely to try and pull off a general attack against someone's laptop or phone. That's where the pool of users is much more broad.


They don't give a shit about your data though. There are lots of horror stories of people losing all of their photos of the past decade(s) because Google decided to block their account with no place to get in touch with them and no way to restore anything.

Tech companies aren't your friend, they are faceless corporations with nice services. When they fail you though, they fail you big time, unless you have solid back-ups.


Wow, the spelling of this message is a mess, sorry about that.


> They have entire gigantic teams of employees dedicated to security and privacy and protection from threats. I couldn't replicate that even if I wanted to.

That may be so, but they won't accept any liability for losing your data either. In the end, we're left to fend for ourselves.


How common an occurrence is that? How often is an unimportant, middle class person's data at risk, really? Enough that you'd want to spin up your ZFS storage?

Hypothetically, let's say I had my entire life on Google. I have a unique password for it, backed up by 2FA, without the SMS/Authenticator fallback. What's the long term consequence? Google knows everything about me? They already do anyway. Someone can steal my printout of the backup codes?

I don't ask this to stir shit. I genuinely have these sorts of discussions with friends and family when I try to tell them that privacy is important, and I fail absolutely at convincing them of it.


Everyone has their own opinions on this and their own threat vectors for their own personal situation. The following is my opinion based on my own situation which I believe to apply to the average person:

I think it is safe to assume that Google does some sort of data mining on the data you upload. If that bothers you, self hosting everything isn't your only option -- you can also encrypt everything before uploading to your Drive. Duplicity is one such example that I use.

Despite this, I still don't rely on Google Drive, not for privacy reasons but because of Google's history of disabling people's access. If your Google account is banned at no fault of your own, there is a possibility you could lose all access to those files. Even if you did nothing wrong, you will never in a million years get a human to review your case.

https://www.businessinsider.com/google-users-locked-out-afte...

I have had this happen to me, but thankfully it didn't affect anything other than Google Pay. I used it twice for a family member to reimburse me grocery money and Google decided that they were ceasing to do business with me anymore, they would mail me a check, and they told me to not contact them again.

So, everything I have on Google Drive is synchronized to another paid storage service (mostly photos since I don't believe Google Photos has a very good open source self hosted alternative).


To add to that, a similar thing happened with the Terraria dev [1]. If things like this can happen to him, I don't know where I stand.

[1] https://twitter.com/demilogic/status/1358661840402845696?lan...


Google can simply decide to revoke your account and delete your data. I've seen a number of first-person accounts online of people who rubbed some tech giant the wrong way (or were just suspected of doing so, or were characterized as such by some ML model) and only afterward realized how much they stood to lose.


> How common an occurrence is that? How often is an unimportant, middle class person's data at risk, really?

My online accounts have been compromised 16 times in the past 5 years, according to https://haveibeenpwned.com/ including sites like Android Forums and Linux Mint Forums. There are plenty of other better known platforms on there, too, so it's safe to assume that most of the data on said sites would have also been accessible to the attackers.

In contrast, my current self-hosted software accounts have been compromised 0 times in the past 4 years. Maybe 1 time, if you count a throwaway node's Docker socket being exposed to the network accidentally and a crypto miner getting launched on it.

Why is that? Because although many of the online platforms have dedicated security specialists (hopefully) and manage to fight off thousands (or more) attacks daily, all it takes is one good attack to compromise thousands (or more) users and their data in one large batch. Furthermore, those are far more of an interesting target to attackers, possibly due to financial incentives.

Unless easily automatable (like the aforementioned Docker crypto attack), attacking self-hosted software is far less lucrative. It would probably be far easier to hack John Doe's Nextcloud or ownCloud instance, yet the financial gain from that would likely be far lower than stealing a bunch of different users' data on a lesser known and less secure cloud platform of some sort, and selling it or doing something else.

To that end, I see two strategies for protecting one's data:

  A) make your defenses good enough to be able to stand up to targeted attacks, which is truly feasible in large orgs and cloud platforms
  B) make yourself a less lucrative target, by self-hosting some software and making hacking you sufficiently hard, so that most automated attacks will fail (use key pairs for SSH, use fail2ban, SSL/TLS with something like Let's Encrypt, use Docker Networks if you need Docker so that nothing apart from 80/443 of your ingress is actually exposed to the outside / or just use your firewall for the services that are not containerized, though then you also need to think more about user permissions etc.)

Oh, and use 2FA where possible (especially in regards to the online services) and use something like https://keepass.info/ for managing passwords - to have them be sufficiently long and different for every site or platform that you use.

As for your Google question, I cannot say. They have a pretty decent security track record, however there have been plenty of breaches in large orgs: https://informationisbeautiful.net/visualizations/worlds-big...


> My online accounts have been compromised 16 times in the past 5 years, according to https://haveibeenpwned.com/ including sites like Android Forums and Linux Mint Forums.

That's not the same as OneDrive - the entire budget of those organizations is probably a rounding error compared with Microsoft or Google's security spending. It was once reported that Microsoft spends over $1 billion a year on security.[1]

[1] https://www.techrepublic.com/article/why-microsoft-spends-ov...

> In contrast, my current self-hosted software accounts have been compromised 0 times in the past 4 years.

How would you know?


> That's not the same as OneDrive...

I somewhat agree. However, you could have said the same about Facebook, Equifax, Twitter, Yahoo, VK and others. And yet, they all got hacked.

Even Microsoft itself isn't immune: https://www.forbes.com/sites/daveywinder/2020/01/22/microsof...

> How would you know?

If my servers start mining crypto, I've been pwned by script kiddies. If my data becomes available online and is thus available on the previously mentioned site, I've been pwned by more sophisticated attackers. Whereas if we're thinking more along the lines of NSA or Mossad, they are already in my systems and I just have to hope they're in a good mood.

On that note, none of my self hosted mail server related accounts seem to have been leaked so far, or at least haven't been made publicly available.

Apart from that, one can also set up alerts for every SSH login, should fail2ban fail for some reason. On app level it becomes harder, to the point where it's often not worth the effort to introduce alerting. Maybe just blanket ban IP ranges that you don't expect to use at ingress level.
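
The SSH login alerting mentioned in the comment above, sketched as an added example that is not part of the thread: it scans sshd log lines for successful logins and flags password-based ones and sources outside the networks you expect. The expected networks, host name, users and log lines are constructed assumptions.

```python
import ipaddress
import re

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <n>" log line.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Assumption: networks you expect to log in from (documentation ranges here).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]

# Constructed sample lines in the usual syslog/auth.log layout.
SAMPLE_LOG = """\
Feb  3 09:14:02 nas sshd[2211]: Accepted publickey for alice from 192.0.2.15 port 50022 ssh2: ED25519 SHA256:EXAMPLEONLY
Feb  3 11:40:37 nas sshd[2307]: Failed password for root from 203.0.113.9 port 41812 ssh2
Feb  3 11:41:10 nas sshd[2310]: Accepted password for backup from 203.0.113.9 port 41850 ssh2
Feb  4 02:05:55 nas sshd[2950]: Accepted publickey for alice from 198.51.100.77 port 60100 ssh2: ED25519 SHA256:EXAMPLEONLY
"""

def login_alerts(log_text):
    """Return one alert dict per successful SSH login, with reasons to look closer."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts are fail2ban's job; only successes matter here
        reasons = []
        try:
            ip = ipaddress.ip_address(m["ip"])
            if not any(ip in net for net in EXPECTED_NETS):
                reasons.append("unexpected source network")
        except ValueError:
            reasons.append("unparseable source address")
        if m["method"] != "publickey":
            reasons.append("non-key authentication (%s)" % m["method"])
        alerts.append({"user": m["user"], "ip": m["ip"],
                       "method": m["method"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in login_alerts(SAMPLE_LOG):
        level = "WARN" if a["reasons"] else "info"
        print(level, a["user"], a["ip"], a["method"], "; ".join(a["reasons"]))
```
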


I'm thoroughly f**ed if I have to figure out how to do security better than Microsoft + a long password generated by my password manager + 2FA.


Data stored in Google Drive etc should be encrypted and split into 50 MB chunks or something like that to hide metadata and mitigate the risk of leaks. Better backup tools have been offering this for a long time.


How does encryption not completely thwart this attack vector?



