I wonder how many years it will take before the next penny drops:
That the contents of your server RAM, on a cloud computing environment, are much like your personal details on Facebook.
Interesting & exploitable.
<<For too long consumers have thought about privacy on Facebook in terms of whether their ex-boyfriends or bosses could see their photos. However, as we fiddle around with our profile privacy settings, the real intrusions have been taking place elsewhere.>>
Just like social media users up to 2018 have assumed that the only threat model they need to be concerned with is a few fringe stalkers / personal enemies...
... server administrators have also assumed that the only threat model they need to be concerned with is a few fringe hackers.
In both cases, users should be thinking VERY seriously about the people at the very top of the organizations hosting their data.
Who they report to; what they could do with such data *at scale*.
If you think 'well, Jeff Bezos doesn't report to anyone except the US Government',
then you have two threat actors. And you might ask: "what would Jeff Bezos like to do with all his power? What has he used it for so far? How has he acted? Who restrains him?"
If you think "nobody seriously would scrape my AD credentials / my SSL private keys / my Bitcoin wallet",
just remember so many people thought that about "viruses" too.
But algorithms, like viruses, don't have to be targeted to do damage.
There's a Software-as-a-Service cloud accounting company in NZ called Xero.
It now has access to a LOT of New Zealand company financial data.
Peter Thiel was an initial investor and joined Xero's advisory board in 2010 (he then reduced his shares below 5% in 2017).
The founder of Xero said in 2017 he 'absolutely' backs Thiel having NZ citizenship (which he gained under very strange circumstances).
https://www.xero.com/blog/2010/10/peter-thiel-to-invest-in-xero/
http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11833032
The psychological truth, IMO, is that our threat modeling is going to evolve fundamentally.
We're shifting from a period where threats were primarily physical (our industrial shift came with more dangerous jobs, food problems, and security holes, versus the agrarian shift sounds familiar to me) to one with abstract, conceptual, long-term threats (like the agrarian shift, where finding out if your crops would grow took a long time, compared to finding out if you could hunt tigers).