Edward Snowden endorses OpenStack and warns of closed-shop public cloud risks

Whistleblower Edward Snowden today endorsed the open-source infrastructure platform OpenStack, warning of the "silent vulnerabilities" that investing in for-profit public cloud infrastructure brings.

Whistleblower Edward Snowden today endorsed the open-source infrastructure platform OpenStack, speaking via video link during a keynote on the second morning of the OpenStack Summit in Boston.

Snowden, who enlisted the help of journalists to expose the NSA and GCHQ’s worldwide surveillance dragnet, offered his thoughts on cloud computing and what the implications are for open source versus closed shop development.

“How does the ordinary user think about cloud, what does cloud mean to them? To them cloud means Google Apps, Gmail, things like that, they’ve got things on somebody else’s computer,” he said, responding to a question from the OpenStack Foundation’s Mark Collier. “On the other hand we’ve got what you guys do, the infrastructure as a service layer, which is increasingly becoming the bones of the internet, the thing it’s built upon.

“One of the things that you guys do best is help the people who are placed to actually make the decision about how to build it make these in a considered way,” he said. “For most people the internet is kind of magic, it just happens, they look at it on their smartphone, their Facebook app is the internet.

“But that’s not enough and we can’t let people go to this stuff mindlessly when they’re in the acts of building rather than consuming.”

And that means questioning the for-profit public clouds offered by the big players like Microsoft, Amazon and Google.

“You could use EC2, you could use Google’s Compute Engine, or whatever, these are fine, they work, but the problem is they are fundamentally disempowering,” Snowden said. “You give them money and in exchange you’re supposed to be provided with a service, and that exists. But you’re actually providing them with more than money, you’re providing them with data, and you’re giving up control and giving up influence - you can’t reshape their infrastructure, and they’re not going to change things and tailor it for your needs.

“You end up reaching a certain point where, OK, these are portable to a certain extent, you can containerise things and then ship them around, but you are sinking costs into an infrastructure that is not yours, fundamentally.”

He said that OpenStack rids its users of that “inherent silent vulnerability” that comes with investing into platforms that users do not influence, do not own, do not control, and “do not even shape” - public cloud, essentially.

“Whereas with OpenStack, you build it layer by layer, it’s a little bit more of a technical understanding, but as it’s becoming more sophisticated and continues to comply with the free and open values that the open source community drives all over the place, but particularly, here, we can start to envision a world where cloud infrastructures are not private in the sense of private corporations, but private in the sense of personal, whether you are a small business, whether you are a large business, whether you are a community of technologists.

“You can control it, you can shape it, you can build, you can lay the foundation upon which everybody builds, and I think that’s probably one of the most powerful ideas that shapes the history of the internet, and hopefully will allow us to direct the future of the internet in a more free, rather than closed, way.”

Snowden went on to detail his work as the president of the Freedom of Press Foundation, including working on the organisation’s in-house open source development, such as SecureDrop. The Foundation is now working on an open hardware effort called an ‘introspection engine’ that will allow people to check that their smartphones are behaving in the way they’re told they are.

“This gets into that central issue we talked about with infrastructure,” Snowden said. “You’re running things on Google’s stack, you’re running things on Amazon’s stack, how do you know when it starts spying on you? How do you know when your image has been passed to some adversarial group?

“Whether it’s taken by an employee, sold to a competitor, whether it’s taking a copy for the FBI, legally or illegally, you really don't have any awareness of this because it’s happening at a layer that’s hidden from you - it doesn’t matter if it’s a rootkit, it doesn’t matter if it’s a hypervisor, or a process stack.

“The same thing happens with our phones - when we turn on airplane mode, when we turn off location services, how do we know the GPS is actually turned off? How do we know the baseband antenna is actually powered down?”

Users are trusting that the software on their devices will tell them the truth but that might not be the case.

“So we are developing a hardware that’s free and open and everybody will be able to replicate this, where you will be able to look at the electron flow over the circuit paths to confirm that for yourself,” Snowden said.

But what should the people actually building the technology take into consideration - and what are their ethical obligations?

“We don’t work for governments, we don’t work for states, we don’t work for corporations, we should be working for the spirit of technology itself, moving people closer to a more empowered future,” he explained. “I try to think of this in terms of values - all systems should be largely designed to obey the user. Secondly, they should not be designed to hide things from the user, they should not deceive the user, they should not lie to the user.

“This is one of the largest problems we have with closed source - it’s not so much that somebody doesn’t want to share the source code, although that matters in the abstract sense, it’s what that actually means when they don’t. This leads to the world we have today when we have vulnerabilities in every Intel chip that has AMT enabled - because Intel’s management engine has these blobs on it, we can’t inspect that, we can’t see that, we can’t change that and we can’t patch it ourselves.

“When you're thinking about your ethical obligations, the main thing is: how do I empower the user? And if this creates a large-scale disruption in the traditional power structures, if this can be used for an application of powers by aggressive actors, whether they’re corporate, government entities or anything else, how can people be sheltered against this?”
