kingnothing's comments (Hacker News)

You need to have compliance certifications or no one will use this. Think along the lines of SOC2, HIPAA, willingness to sign BAAs, etc. The hardest part of this company is going to be sales. You're not selling to small businesses who will pop in a credit card number -- this is an offering for enterprises with annual agreements and longer sales cycles.

Also, consider supporting CCPA for California businesses.


Actually, we’re mostly targeting small companies (10–50 people) that need guidance to avoid big fines but can’t afford the bigger, full-featured compliance tools. Do you think there’s really no room for something like this in the market without having all the compliance certifications first?

There might be. You need to talk to your market and find out. I work at larger companies, so I can’t speak to startup culture right now. There’s no way I would personally sign off on giving access to all of our company data to a small company with no certifications, especially in an AI world where you might leak all of our data into public training models if it’s done wrong.

Nanit is horrible spyware. Do not buy their products.

If you have a router that lets you inspect data flowing out, you'll be astonished at what your little Nanit cam exfiltrates from your home network. Even if you don't pay for their subscription service, they still attempt to exfil all of the video footage caught on your camera to their servers. You can block it and it will still work, but you shouldn't have to do that in the first place if you don't pay for their cloud service.

Stay away if you value your privacy.


This page cannot be scrolled in Safari or Firefox.

Devs -- stop hijacking native scrolling functionality. Why? You had one shot to sell me on this product. I can't see the page, so I can't consider it for purchase. That's a lost sale.


I've used Ruby off and on since the hype train started with DHH's early videos showing how easily you can make a blog in Rails. Oof, that was published 20 years ago! I wouldn't use it for anything beyond simple shell scripts these days. You're better off with Go for back-end work.


Police officers in SF make $103k per year.

Making less than $105k per year in SF is considered low income.


The pay is quite a bit higher especially when you count overtime. https://careers.sf.gov/classifications/?classCode=Q002

And they get a kickass pension which is worth a lot.


Why not? You can easily encrypt your data before sending it for storage on S3, for example.


You and I can encrypt our data before saving it into the cloud, because we have nothing of value or interest to someone with the resources of a state.

Sometimes sensitive data at the government level has a pretty long shelf life; you may want it to remain secret in 30, 50, 70 years.


I don't see how this is any different than countries putting significant portions of their gold & currency reserves in the NY Federal Reserve Bank. If for some reason the U.S. just decided to declare "Your monies are all mine now" the effects would be equally if not more devastating than a data breach.


The difference is that there are sometimes options to recover the money, and at least other countries will see and know that this happened, and may take some action.

A data breach, however, is completely secret - both from you and from others. Another country (not even necessarily the one that is physically hosting your data) may have access to your data, and neither you nor anyone else would necessarily know.


Exactly that happened to Russia, Iran, Venezuela.


Not North Korea though; they just have hundreds of thousands of dollars of unpaid parking tickets invested in the USA, which is a negative.

https://www.nbcnewyork.com/news/local/north-korea-parking-ti... [2017]


Is encryption, almost any form, really reliable protection for a country's entire government data? I mean, this is _the_ ultimate playground for "state level actors" -- if someday there's a hole and it turns out it takes only 20 years to decrypt the data with a country-sized supercomputer, you can bet _this_ is what multiple alien countries will try to decrypt first.


You're assuming that this needs to protect...

> ... a country's entire government data?

But the bulk of the data is "boring": important to individuals, but not state security ("sorry Jiyeong, the computer doesn't know if you are a government employee. Apologies if you have rent to make this month!")

There likely exists data where the risk calculation ends up differently, so that you wouldn't store it in this system. For example, for nuke launch codes, they might rather lose than loose them. Better to risk having to reset and re-arm them than to have them hijacked.

> Is encryption, [in?] any form, really reliable protection

There's always residual risk. E.g.: can you guarantee that every set of guards that you have watching national datacenters is immune from being bribed?

Copying data around on your own territory thus also carries risks, but you cannot get around it if you want backups for (parts of) the data.

People in this thread are discussing specific cryptographic primitives that they think are trustworthy, which I think goes a bit deeper than makes sense here. Readily evident is that there are ciphers trusted by different governments around the world for their communication and storage, and that you can layer them such that all need to be broken before arriving at the plain, original data. There is also evidence in the Snowden archives that (iirc) e.g. PGP could not be broken by the NSA at the time. Several ciphers held up for the last 25+ years and are not expected to be broken by quantum computers either. All of these sources can be drawn upon to arrive at a solid choice for an encryption scheme.


A foreign gov getting all your security researchers and staff's personal info with their family and tax and medical records doesn't sound great.

That's just from the top of my head. Exploiting such a trove of data doesn't sound complicated.


Yeah, that ignores about two thirds of my point, including that it would never get to the "Exploiting such a trove of data doesn't sound complicated" stage with a higher probability than storing it within one's own territory.


I'm in agreement with your second point, I think moving data in the country isn't trivial either and requires a pretty strong system. I just don't have much to say on that side, so didn't comment on it.


You can encrypt them at rest, but data that lies encrypted and is never touched, is useless data. You need to decrypt them as well. Also, plenty of incompetent devops around, and writing a decryption toolchain can be difficult.


Am I missing something? If you ever need to use this data, obviously you transfer it back to your premises and then decrypt it. Whether it's stored at Amazon or North Korean Government Cloud makes no difference whatsoever if you encrypt before and decrypt after transfer.


They can take the data hostage; the foreign nation would have no recourse.


Have it in multiple countries with multiple providers if money isn't a concern.

And are we forgetting that they can literally have a multi-cloud backup setup in their own country as well, or incentivize companies to build their datacenters there in partnership with them, with a multi-cloud setup as I said earlier?


Encryption only protects data for an unknown period of time, not indefinitely.


If your threat model includes the TLA types, then backup to a physical server you control in a location geographically isolated from your main location. Or to a local set of drives that you physically rotate to remote locations.


Decryption is not usually an issue if you encrypt locally.

Tools like Kopia, Borg and Restic handle this and also include deduplication and other advanced features.

Really no excuse for large orgs or even small businesses and the somewhat tech-literate public.


Why write one when there are tools like “restic”?


You won't even need to own the car. Just pay $800 / mo indefinitely.


Or, and here's a wild idea, we could use Medicare for that.


You can say you're training an AI model and do whatever you want with it.


The "Zuckerberg defence".

It's OK to pirate a massive amount of books if you're not reading or sharing, but rather just training an AI.


I don't know where I stand on the issue, but it's interesting that Facebook has been known to block PB links while Google seemed to refuse requests to do the same.


What are peanut butter links?


I'm guessing Pirate Bay


Oh, I don't recall seeing anyone sharing Pirate Bay links; why not share just the magnet uri?

Or is it about sharing the domains of mirrors?


Facebook used to(?) block links to Pirate Bay even in private messages; Google refused to take them down in search.

Very fitting of https://news.ycombinator.com/item?id=1692122


Yes

And by the way, I prefer Google's approach in this particular case.

Zuckerberg strikes me as far too adaptive, too fair weather.


Amazon's 2024 net income (profit) was $59B on $638B revenue.

The median US household income is $80k and has a savings rate (profit) of 3.6%, or $2880.

This $2.5B fine is equivalent to the average US household being fined $115 or, basically, a traffic ticket.

