Joanna Rutkowska
Verified account
@rootkovska

Strategy & security at @golemproject. Previously: founder of @QubesOS and Invisible Things Lab. Distrusts computers.

Warsaw
blog.invisiblethings.org
Joined July 2014

  • © 2018 Twitter
    Joanna Rutkowska Verified account @rootkovska Oct 14

    I think the 3 fundamental problems with the Cloud are: 1. We don't control the CODE (service provider-owned apps might be sharing our data), 2. We don't control the INFRASTRUCTURE (admins have access to our data), 3. We don't control the AVAILABILITY (we might get cut off).

    1:39 AM - 14 Oct 2018
    77 replies 462 retweets 1,046 likes
      1. Joanna Rutkowska Verified account @rootkovska Oct 14

        Ad 1. If we could ensure specific code of the cloud/apps services, we could audit them and make sure they e.g. don't let service providers access our data.

        11 replies 8 retweets 66 likes
      1. New conversation
      2. Victoria McIntosh @vmcntosh Oct 14
        Replying to @rootkovska

        On point! However, there is one huge advantage: large providers (ex. Microsoft) can provide security safeguards & testing on levels smaller firms can not.

        1 reply 2 retweets 18 likes
      3. ☃️ Jerry ❄️Bell 🎄 @Maliciouslink Oct 14
        Replying to @vmcntosh @rootkovska

        I would argue that most firms, regardless of size, can’t provide security to the extent a major cloud provider does

        2 replies 1 retweet 33 likes
      4. Taz Wake @tazwake Oct 14
        Replying to @Maliciouslink @vmcntosh @rootkovska

        I'd clarify that, though. The cloud provider is securing their bit. If you spin up an instance it's entirely down to you to secure it.

        2 replies 0 retweets 18 likes
      5. ☃️ Jerry ❄️Bell 🎄 @Maliciouslink Oct 14
        Replying to @tazwake @vmcntosh @rootkovska

        Certainly so. They are only securing what they are responsible for. Everything else is the customer’s responsibility. Many people get that wrong, as we have seen

        1 reply 0 retweets 8 likes
      6. Victoria McIntosh @vmcntosh Oct 14
        Replying to @Maliciouslink @tazwake @rootkovska

        Definitely and same. I’ve worked with clients to remind that while the cloud offers more physical and technical security, admin controls and following secure data practices are on them.

        1 reply 3 retweets 15 likes
      7. 1 more reply
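The shared-responsibility point made in the replies above (the provider secures the platform; whatever the customer opens up on an instance is the customer's problem) as an added example that is not code from this thread or from any cloud provider. It audits a constructed set of inbound firewall rules of the kind a customer attaches to an instance (a security group or equivalent) for administrative ports reachable from any source address, and rewrites those rules to a management range. The rule shape, the `ADMIN_PORTS` list, the sample rules and the `203.0.113.0/24` management range are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Ports that should never be reachable from the whole internet on a customer
# instance. The list is an assumption for this example, not a provider's policy.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


@dataclass(frozen=True)
class IngressRule:
    """One inbound firewall rule of the kind every cloud provider lets the
    customer attach to an instance (security group, firewall rule, NSG)."""
    proto: str        # "tcp" or "udp"
    from_port: int    # inclusive port range
    to_port: int
    cidr: str         # source address range allowed in


# Constructed sample: a web instance whose owner also opened SSH and Postgres
# to the world, plus a correctly scoped SSH rule for the office range.
SAMPLE_RULES = [
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("tcp", 22, 22, "0.0.0.0/0"),
    IngressRule("tcp", 5432, 5432, "0.0.0.0/0"),
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_admin_ports(rule: IngressRule) -> list:
    """Admin ports that this one rule exposes to any source address."""
    if rule.proto != "tcp" or not is_world_open(rule.cidr):
        return []
    return [p for p in sorted(ADMIN_PORTS) if rule.from_port <= p <= rule.to_port]


def find_exposed_admin_ports(rules) -> list:
    """Audit: (port, service, source cidr) for every world-open admin port."""
    findings = []
    for rule in rules:
        for port in world_open_admin_ports(rule):
            findings.append((port, ADMIN_PORTS[port], rule.cidr))
    return sorted(findings)


def harden(rules, admin_cidr: str) -> list:
    """Rewrite world-open admin rules so their source is admin_cidr instead.

    A rule covering a wide port range (e.g. 0-65535 from 0.0.0.0/0) is scoped
    as a whole, which also restricts the non-admin ports it carried; that is
    the conservative choice for an automated fix. Duplicates produced by the
    rewrite are dropped.
    """
    ipaddress.ip_network(admin_cidr, strict=False)  # fail fast on a bad range
    hardened, seen = [], set()
    for rule in rules:
        new = replace(rule, cidr=admin_cidr) if world_open_admin_ports(rule) else rule
        if new not in seen:
            seen.add(new)
            hardened.append(new)
    return hardened


if __name__ == "__main__":
    for port, name, cidr in find_exposed_admin_ports(SAMPLE_RULES):
        print(f"EXPOSED {name}/{port} from {cidr}")
    for rule in harden(SAMPLE_RULES, "203.0.113.0/24"):
        print(rule)
```

Run against the sample, the audit flags SSH and Postgres open to the world and `harden` leaves three rules: the public HTTPS rule untouched and both admin ports reachable only from the management range (the pre-existing office SSH rule collapses into the rewritten one). Feeding the output of a real provider's rule listing into `IngressRule` is the only adaptation needed; the provider does not make this check for you.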
      1. New conversation
      2. Topper Bowers @tobowers Oct 14
        Replying to @rootkovska

        But if you are in a colo, much of this still applies.

        1 reply 0 retweets 7 likes
      3. Joanna Rutkowska Verified account @rootkovska Oct 14
        Replying to @tobowers

        Yes, the #2 and #3. I'm not pushing for "let's go back to colo our own servers", btw ;)

        3 replies 0 retweets 15 likes
      4. Rich Felker @RichFelker Oct 14
        Replying to @rootkovska @tobowers

        Why colo? Modern business or even residential fiber has more bw than the vast majority of servers need to host on-site without being affected by #1 & #2.

        1 reply 0 retweets 7 likes
      5. Rich Felker @RichFelker Oct 14
        Replying to @RichFelker @rootkovska @tobowers

        What keeps ppl from doing this is the lack of well-known trusted software to set it up and maintain it without trusting a third party (or additional employee(s)) with access.

        1 reply 0 retweets 4 likes
      6. Brian @Crashbox Oct 14
        Replying to @RichFelker @rootkovska @tobowers

        I can't speak for others but what's stopped me from doing this at my org is that building a proper data center - security, power, climate, fire suppression, etc. - and doing it right, is an expensive proposition

        3 replies 0 retweets 21 likes
      7. Rich Felker @RichFelker Oct 14
        Replying to @Crashbox @rootkovska @tobowers

        A normal org can run all its infrastructure on one modest physical box. No special power or climate needs.

        5 replies 0 retweets 13 likes
      8. Brian @Crashbox Oct 14
        Replying to @RichFelker @rootkovska @tobowers

        While you're correct about the small amount of hardware needed, I disagree about the power requirements. Unless you're comfortable w/ downtime, independent, redundant power systems are a necessity. So at the very least mains backed up by a diesel generator w/ auto switching

        1 reply 0 retweets 2 likes
      9. Rich Felker @RichFelker Oct 14
        Replying to @Crashbox @rootkovska @tobowers

        Or just a standard UPS with 10 car batteries wired up in parallel in place of the low-capacity SLAs it came with.

        2 replies 0 retweets 0 likes
      10. 4 more replies
      1. New conversation
      2. م. محمد الدوب @Voulnet Oct 14
        Replying to @rootkovska

        Also legal jurisdiction problems

        1 reply 0 retweets 8 likes
      3. Javi Lavandeira #JoSócCDR #noPasarán @javilm Oct 14
        Replying to @Voulnet @rootkovska

        Exactly. Some professions (medical, financial and legal, for example) that deal with very sensitive private customer information have strong regulations that don’t allow this kind of data to be stored at third-party locations or offshore.

        1 reply 0 retweets 5 likes
      4. ☃️ Jerry ❄️Bell 🎄 @Maliciouslink Oct 14
        Replying to @javilm @Voulnet @rootkovska

        There are plenty of data sovereignty laws around the world, but I’m not aware of any that preclude the use of third party providers. Do you know of any?

        3 replies 0 retweets 1 like
      5. Simon Dann 🥑 @carbontwelve Oct 14
        Replying to @Maliciouslink @javilm and

        I used to work in a billion$ org that allowed us to use aws so long as they were EU locations. You can’t move personal data to a legal jurisdiction that provides less protection than where it came from, so EU user data had to stay in the EU.

        1 reply 0 retweets 5 likes
      6. ☃️ Jerry ❄️Bell 🎄 @Maliciouslink Oct 14
        Replying to @carbontwelve @javilm and

        That is a pretty common misconception. The entity in the other jurisdiction needs to agree to properly handle such data via model clause agreement or binding corporate rules, and under GDPR must be disclosed to customers. It’s a hassle, but not prohibited.

        2 replies 1 retweet 3 likes
      7. Javi Lavandeira #JoSócCDR #noPasarán @javilm Oct 14
        Replying to @Maliciouslink @carbontwelve and

        And this is why I enjoy talking to people who know more than I do: I often learn useful stuff from other people’s experiences. Thanks to both of you.

        1 reply 1 retweet 3 likes
      8. ☃️ Jerry ❄️Bell 🎄 @Maliciouslink Oct 14
        Replying to @javilm @carbontwelve and

        Twitter is a great place to learn. I have learned things and met people and made friends that I would have never otherwise had the opportunity to.

        0 replies 0 retweets 5 likes
      9. End of conversation
