security - Page 68

  • trust in online banks (US) depends much of the trust in their security (poll)

    “Banks are in a precarious reputational position with consumer confidence low, accountholder trust high and fraud attacks on the rise in the United States,” said Christiaan Brand, CTO at Entersekt. “In that volatile an environment, one breach, one major hack, one news story on fraud can shatter a bank’s reputation, leading to an exodus of customers.”

    According to the poll, 71 percent of Americans would be at least somewhat likely to switch banks if they became a victim of online banking fraud. On average, Americans bank online 10 times per month. Each login is an opportunity for hackers to steal personal information.

  • the last words of an Australian supercop about cybercrime

    NSW's longest-serving fraud investigator, Detective Superintendent Col Dyson, is retiring with a chilling warning.


    ''I don't think it's too much of a stretch to think that the homicide squad, at some stage, will be investigating a murder where someone has hacked into a pacemaker and turned it off,'' he said.


    ''Or someone has decided to interfere with the workings of a motor vehicle by hacking into a car while it's going down the M5 at 120km per hour.''


    After all, he said: ''Anything a person can log into, a hacker can log into.''

    I like the last sentence

    it is so true and so short  but incomplete because anything anything can log into a hacker or anything can log into because you have automated logins (webservices)

  • all cybercrime estimates are wrong - period

    Last year, Ross Anderson from Cambridge University led a study that resulted in 'Measuring the Cost of Cybercrime'. “It was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem,” says the report. In particular, it was responding to a study by Detica “which estimated cybercrime's annual cost to the UK to be £27bn (about 1.8% of GDP).” But that £27 billion figure pales in the face of a much earlier 2009 estimate from McAfee: that global cybercrime costs the world $1 trillion per year.


    This year McAfee has downgraded the threat – it now apparently ‘only’ costs in the region of $300 billion.

    there is no possibility to have exact numbers because

    * the numbers are inflated with boosted reputation and inflated ITconsultancy costs

    * most of the incidents are even not declared just to keep the reputation (lie) intact

    * some of the costs are not cybercrime costs but are costs because the right things were not done from the start and have nothing to do with the incident (if you have to resecure your network or install new security appliances this is not part of the costs of the incident but the result of your negligence)

    * and when we have numbers, they don't mean a thing because there is - except for the number of dollars stolen - no definition about what exactly happened (what is spam, malware, adware, virus, trojan, phishing and what are the differences between them ?)

    so if you want to promote your new itsecurity budget, forget all those articles nobody believes anymore - you will look desperate and non-convincing (even stupid)

    * tell them about the risks they have when they lose privacyrelated data and tell them that with that bundle of products (encryption and double authentification for starters) you have made it clear that you have done most of the things the law expects you to do

    * tell them about the chaos throughout the enterprise if they get breached, penetrated and hacked because of all the hours all kinds of technical and managerial people would have to spend (tell them that with a strict securitypolicy installed by application- and webcontrols the IT departments and the managers can continue to do only their functional job without running like chicken without heads to meetings without end trying to establish what has happened and how to resolve it - and who to blame or fire)

    * tell them about the problems they would have with online trust and reputation (tell them that their multimillion advertising campaign will be worthless online if they get hacked and that your budget is only a fraction of it and that more trust means more business dollars)

    * tell them that when a hacker steals their business secrets some-one in China will make their products cheaper

    if they aren't convinced by these arguments, than they don't care about their organisation or business and just want their paycheck at the end of the month because they don't care if their organisation or business will exist the next few years (and this is even more the case for small enterprises)

  • if you give free subdomains to your users, they can redirect your visitors to malware

    researchers have recently noticed two sites pushing that malware to users through sites that leverage Google’s App Engine. Both sites were started just over a week ago and make use of the address, a domain Google runs to help its users develop and deploy applications, according to Jason Ding, a research scientist at Barracuda Labs.


    In a post on the company’s research blog, Ding describes the two sites, java-update[.]appspot[.].com and [http]:// The first models itself after a free Java download site and as Ding notes, looks remarkably similar to Oracle’s official Java site. Links on that site will eventually trigger a download of “setup.exe,” which will try to install and drop Solimba adware onto the machine.



    According to Barracuda, both sites, which are still online, route users through a series of redirects, through several private websites –, and – that were registered with GoDaddy in June and July, before downloading the adware. Whoever set up those sites is passing them through Google’s App Engine to hide their suspicious-sounding URLs.

    the problem is that if there are many of them your main domain an sich will be blocked because there are too many subdomains that are pushing all kinds of malicious and illegal stuff

  • waarom belgische hackers beter niet hacken

    zo één van de voorbeelden want ze komen niet allemaal in de pers

    "Het Stedelijk Museum voor Actuele Kunsten (S.M.A.K.) in Gent vraagt een schadevergoeding van 4.000 euro van een hacker. De 26-jarige man hackte in 2011 de site van het museum en plaatste een naakte vrouw op de homepage.

    Het S.M.A.K. haalt imagoverlies aan voor de schadevergoeding. De dader zegt dat hij de site hackte omdat hij de site lelijk vond en omdat hij zich verveelde.

    Zijn advocaat stelt dat het eerder om kattekwaad ging dan om een informaticamisdrijf. De hacker zou liever de site verbeteren dan een straf te krijgen. "Ze hadden mij beter de site laten herstellen. Ik wil hun webstek zelfs gratis bouwen. Die zou beter en veiliger zijn", laat hij optekenen in Het Nieuwsblad."

    voor belgische websitebeheerders

    Het is belangrijk hieruit te onthouden dat als je belgische site op een belgische server staat het zeer simpel is voor de FCCU om te gaan onderzoeken wie wat wanneer heeft gedaan gebaseerd op de regelijk ruime wetgeving op de cybercriminaliteit en vooral omdat ze niet moeten wachten op buitenlandse samenwerking

    het is ook zeer eenvoudig om te weten welke wetgeving en welke rechtbank verantwoordelijk zal zijn, wat moeilijk is als je server elders staat

    voor jongeren die zich vervelen en beginnen te hacken

    ik denk dat je dan maar beter eens naar buiten gaat als je je zodanig begint te vervelen dat je zou begint hacken en als je denkt dat alle onveilige en slecht gemaakte websites in België best eens een lesje moeten geleerd worden omdat ze onveilig of slecht gemaakt zijn, dan denk ik niet dat je nog een seconde zult vervelen (tot het moment dat een paar dagen later de politie voor je deur staat en al je computers in beslag neemt en je mee neemt voor een urenlange ondervraging waarna je ouders of partner in paniek schieten als ze horen hoeveel duizenden euro's schadevergoeding je zou eventueel als schadevergoeding moeten betalen

    er zijn veel betere methoden om dit aan de kaak te stellen (bloggen is een vb) onderzoeken is een ander vb (maar hier geldt responsable disclosure) of zelf in de sector gaan werken en proberen de zaken te verbeteren

    ik begrijp de frustratie, de wanhoop en het wachten op godot gevoel, maar het is de enige manier waarop we vooruit komen, met hoe meer hoe beter, zelfs al verschillen we met duizenden van mening, dan nog kunnen we een zeer interessant en verrijkend debat hebben (wat een first zou zijn in België, een verrijkend debat over cybersecurity in België dat niet de reeds lang platgewandelde paden en clichés zou bewandelen)

  • if China is not officially responsable for its military hackers, will they arrest or stop them ?

    this is the question that pops up after these comments

    "Chang Wanquan expressed at the joint press conference that the cyberspace is a new field and cyberspace security threats have become a worldwide problem. China is one of the major victims of hacker attacks, suffering serious threats from network attacks.

    Chang Wanquan stressed that China always advocates peaceful utilization of cyberspace, opposes arms race in cyberspace, opposes hostile actions and threats by using the information-based technologies, opposes making use of superiorities in network resources and technologies to weaken other countries' cyberspace self-control and development rights and opposes double standards on network security.

    "The Chinese government always firmly opposes and fights against cybercrimes according to law. The Chinese military has never supported any hacker actions," said Chang Wanquan.

    Chang Wanquan pointed out that China and the U.S. should jointly explore ways to strengthen their cooperation in safeguarding network security instead of unwarranted suspicion and mutual recriminations. He said that the two sides exchanged views on network security issues during his meeting with Chuck Hagel and will work together to study and solve the issues in the future.

    During the fifth round of China-U.S. Strategic and Economic Dialogue more than a month ago, the China-U.S. network working group held its first meeting. The two sides agreed to take pragmatic actions, strengthen dialogues on cyberspace international rules and enhance coordination and cooperation between the Internet emergency-response centers of the two countries, according to the circular after the meeting.

    Both the Chinese and the U.S. sides agreed that the network working group is the main platform for the bilateral talks on the network issues. China and the U.S. will discuss more cooperation measures in future talks and carry out continuous dialogues on network issues. To this end, China and the U.S. agreed to hold another network working group meeting before the end of 2013.

    it is one or the other

    or they are not sponsoring or accepting these attacks as being done by their own forces under their control and they can arrest these people based upon the evidence that is already at hand - or warn them to stop (and I am sure that being arrested in China is something different from here - even if you don't get the popular death penalty)

    or you don't control what everyone in your army and intelligence services is doing and you are responsable for a lack of oversight and control of your offensive cyberoperations (and you have in fact 'rogue' operators) - which is possible in every big intelligence and military complex (but will have to be accounted for based on the evidence that is now on the table)

    or you can proof that the evidence on the table if misleading or incomplete and that the military offices that are supposed to do the hacking were hacked themselves (just to stir up trouble between China and the US) and you have taken the necessary steps to make this nearly impossible in the future)

    and you have made clear political and strategical documents to all layers of your military and intelligence apparatus of what is no longer acceptable in view of the discussions with the US about cybersecurity

    about one thing he is very right, the cyberinfrastructure of China is very hackable if you look at the number of defacements of the .cn domain by all kinds of hackers (which shows that in many cases even more profound penetrations can be done)

    so instead of trying desperately to keep dissent content off the web they should concentrate a bit more on securing their own networks and infrastructure before having bored cybersoldiers launch a few attacks on the US to see if the viruscode they have written still works or if those networks are still open

  • is bitmessage the secure emailalternative (needs a security audit)

    Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs. If Bitmessage is completely new to you, you may wish to start by reading the whitepaper.




    An open source client is available for free under the very liberal MIT license. For screenshots and a description of the client, see this CryptoJunky article: "Setting Up And Using Bitmessage".


    Source code


    You may view the Python source code on Github. Bitmessage requires PyQt and OpenSSL. Step-by-step instructions on how to run the source code on Linux, Windows, or OSX is available here.

    Bitmessage should run on any OS though it is only lightly tested on OSX. The start-on-boot and minimize-to-tray features are only implemented for Windows thus far.


    Security audit needed


    Bitmessage is in need of an independent audit to verify its security. If you are a researcher capable of reviewing the source code, please email the lead developer. You will be helping to create a great privacy option for people everywhere!

    it is still in beta and he doesn't know if there are no holes in the code which will not protect the content (encryption defends against interception not necessarily against penetration or passwordleakage)

  • some continue to have problems with the Microsoft patches and some advice

    On Tuesday, Microsoft rereleased the Exchange update, which had broken the content index used for searching for mail on the server, while the problems with the kernel and Active Directory remain. The company is still researching those issues, according to a Microsoft spokesperson.

    "In some cases the programs may not successfully start," Microsoft wrote in an update to the kernel issue. "We are also aware of limited reports that certain users may encounter difficulties restarting their computers after applying this security update.� Microsoft is researching this problem and will post more information in this article when the information becomes available."

    The common security advice for companies is to apply software patches as quickly as possible, yet to roll them out in stages so as to catch any show-stopping defects before they scuttle the entire business.

    you could also organize them in several categories

    example  internet explorer and other internetrelated software : always

                   infrastructure such as exchange, dns, active directory etc  after testing

    but always take the possible risk in consideration if there are attacks and exploits and compromises you won't have much time to test except if you change the way people work with the internet during this transition

  • why DDOS is sometimes a red flag for the securitybulls at a bank or network

    "In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Website(s) and/or Internet Banking URL," the report said. "The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer."

    you lose all perspective because you want to win against the DDOS attacker, show who has the more resilience, the more resources, has more knowledge and overview, can react quicker and so on

    it is the online streetfight you have been waiting for

    while the thiefs are riding away with your car

    smart-ass you have been duped

  • the second battle for Damascus and maybe some panick led to the gas attack

    * the secular and the jihadist opposition have not extended the local violent clashes between some local brigades, which means that at the front they are still fighting together

    * even if the US and the western powers didn't act on their promises, the Saoudi are said to have invested now lots of money in the secular armed opposition (which is normal if you look at the map of the Arabian region you will see that if Syria falls Saoudi Arabia and Kuwait will be the two important powerbrokers, especially if the situation in Egypt becomes more stable and the islamic government in Tunesia is forced to open itself for the secular parties)

    * lately they have overrun some important military installations in the North and have found very important heavy military weapons (of which hundreds of antitank missiles) which could change the balance of power in Aleppo

    * strategically everbody knows that the only real quick breakthrough has to happen in Damascus if the military opposition is to overthrow the regime or push it back to the Coastal region leaving the rest of the country in its hands (which is said to be also the plan B of the regime)

    which means that if the regime thinks that with the new money, weapons and the unity the armed opposition could force its way through the last lines of defense between the neighborhoods under 'control' of the armed opposition and the city center (which wouldn't appear so normal anymore on tv) it make take dramatic measures - even against its own interests - just to survive (hoping that china and russia still play their role of dictatorial crooks of the world)

    that is why the use of chemical weapons is not accidental

    they are sending a message

    we will kill everybody indiscriminate to keep the center of Damascus and in fact stay in power

    so long as the rest of the world lets itself be blackmailed by China and Russia into doing nothing and watching in horror how the most illegal and inhuman weapons are used against civileans

    maybe we shouldn't be sending humanitarian help - we should send bombers and kick them out of Damascus and Syria and bring them to trial for warcirmes so they can rot in a cell for the rest of their lives (or be hanged if yo believe in the death penalty)

  • NSA has no idea what exactly is in the 20.000 documents Snowden took

    More than two months after documents leaked by former contractor Edward Snowden first began appearing in the news media, the National Security Agency still doesn’t know the full extent of what he took, according to intelligence community sources, and is “overwhelmed” trying to assess the damage.

    Officials, including NSA Director Keith Alexander, have assured the public that the government knows the scope of the damage, but two separate sources briefed on the matter told NBC News that the NSA has been unable to determine how many documents he took and what they are.

    so they lied again, afraid to look even more ridiculous

    because even if they had a thin client technology for external access - because of the trust in the security of that system itself - they left the access to the data too open (probably because some-one thought that you wouldn't be able to download or steal something (at the time the system was set up))

    no they don't know

    and they are launching very stupid ideas like firing all the administrators at the NSA (between a 1000 and several thousands) and replacing them by computers. But this is so stupid because everybody who has been following the greatest debate in intelligence since computers became powerful was the debate between the signal intelligence and the human intelligence and between the datacollection and the interpretation of the data and this is where the human element comes in. Fire the people and you will become blind because you will have too much data for too little programmers and organizers and the more analytic people

  • zmap changes the whole security of the internet

    zmap is the new open source tool that makes it possible with a gigabit line and with a simple server to scan the whole of the internet in a few hours. The trick is in fact simple. Other scanning tools send out packets and wait for an answer, keeping one connection meanwhile open. Sometimes it can take very long before a website or server sends an answer and meanwhile the zmap server can't send a new request (nmap). Zmap sends the request for informationpacket but forgets about it and keeps so all his connections open for whatever answer wants to come in or new informationpacket that needs to go out.

    this means that you can scan the whole internet in a few hours and specific networks an hour or even a few minutes

    as a securityresearcher this is important because you can scan your outside network for vulnerabilities or other server- or networkinformation

    but an attacker can do this also and than he can import the vulnerable servers that were found into metasploit and try to attack them (and exploit them if possible)

    this means that the time necessary to attack the vulnerable hosts in a country or an international network can be done in a few hours and not in a few days

    this means that vulnerability and exploit information is much more critical and that the procedures to respond to them is becoming much more critical because also the possiblity that you will be attacked and eventually exploited becomes much greater (as more attackers can scan more networks in no time for vulnerable servers)

    this means that incidentresponse and monitoring become also much important

    zmap changes in fact the whole security of the insecure internet because time and hardware resources make today no difference anymore in the riskassessment (and money neither as it is free)

  • now every malware developers knows how to fool the Apple Store review process

    The app, dubbed Jekyll, was helped by Apple’s review process. The malware designers, a research team from Georgia Institute of Technology’s Information Security Center (GTISC), were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn’t anywhere near long enough to discover Jekyll’s deceitful nature.

    and than the possiblities are without limit - even if you believed apple's propaganda untill now

    “Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge,”

    a revision process that takes a few seconds is not a revision process

    a sandbox in which you can do all these malicious tasks is not a sandbox

    as they say in Belgium (ceci n'est pas une pipe) this is not security

  • what exchange operators should learn from the 3day outage

    Some users of, however, were unable to access email on mobile devices that relied on EAS -- a category that includes iPhones, whose iOS uses EAS for synchronization -- until around 4:30 a.m. ET Saturday.


    During the outage, Microsoft said, the cache service failure "caused these devices to receive an error and continuously try to connect to our service. This resulted in a flood of traffic that our services did not handle properly."


    Microsoft said it had already taken steps to prevent similar problems in the future. "[We] have made two key changes ... one that involved increasing network bandwidth in the affected part of the system, and one that involved changing the way error handling is done for devices using Exchange ActiveSync."

  • all important players in the bitcoineconomy are investigated by US financial inspection

    this is the list

    List of companies subpoenaed by the New York State Department of Financial Services


    • BitInstant
    • BitPay
    • Coinabul
    • Coinbase Inc.
    • CoinLab
    • Coinsetter
    • Dwolla
    • eCoin Cashier
    • Payward, Inc.
    • TrustCash Holdings Inc.
    • ZipZap
    • Butterfly Labs
    • Andreesen Horowitz
    • Bitcoin Opportunity Fund
    • Boost VC Bitcoin Fund
    • Founders Fund
    • Google Ventures
    • Lightspeed Venture Partners
    • Tribeca Venture Partners
    • Tropos Funds
    • Union Square Ventures
    • Winklevoss Capital Management

    I suppose that you will see the real investors now look for a way out - even if that will mean that a new kind or less anonymous bitcoin has to be made (because even if the exchange would tax the buyer based upon his geography (what about proxies and tor) some part of the anonimity is lost)

    they are in the first place businesses and business need business not theories and big ideological fights in the name of the Austrian libertarian (rightwing anarchism) against the state and its institutions

  • Holland wants to use domestic drones in Belgium we don't need it thanks to the privacycommission

    if we read this article

    Vast cameratoezicht is momenteel aan allerlei regels gebonden, waardoor er niet snel geschakeld kan worden. Bovendien hangt de apparatuur soms op plaatsen waar dat niet nodig is, of ontbreekt het waar wel wat gebeurt. Toezicht met flexibele camera's, waaronder drones, moet dat veranderen.

    ,,Het is niet mogelijk om in gebieden waar een verhoogde kans op verstoring van de openbare orde doorlopend aanwezig is, constant mankracht in de vorm van politieambtenaren of bijzondere opsporingsambtenaren (boa's) in te zetten'', vindt Opstelten. Hij wil boa's ook met handcamera's op pad sturen.

    it says that they want drones because it takes too long to get the installation of fixed or landbased camera"s through the administrative process (for example privacycommission)

    this may be the case in Holland, but the Belgian privacycommission clarified this week that their rules are in fact very flexible if you already have one or more camera's (which should be the case if you are that important as an organisation or company).

    the privacy and securityproblems (what if it gets hacked) of domestic drones in cities is something that enormous that you can't imagine the time that would be needed to have your debate and the appropriate administrative framework (it is usable when there is no real privacy issue like the flow of traffic where there are no traffic camera's, big fires and the like,.....)

    in dutch - the decision from the belgian privacycommission document included

  • this is what happens if there is no NSA (or any intelligenceservice) oversight

    The report further confirms that this program is considered "legal" by the administration thanks to a broad interpretation of the FISA Amendments Act, giving the NSA the power to snoop on people "reasonably believed" to be outside the US, rather than requiring "probable cause" that they were "an agent of a foreign power." Also, there's this:

    NSA has discretion on setting its filters, and the system relies significantly on self-policing. This can result in improper collection that continues for years.

    The report also claims that it was one of these "mistakes" that resulted in three years of illegal collections (much greater than the "few months" that were revealed in last week's Washington Post article).

    and so you arrive that 75% of all internettraffic can be monitored instead of less than one percent according to the official NSA rhetoric because of wrongly installed filters and even more important ..... no real oversight

    it is also a very important argument for the 4 eyes principle in which one of both has the NO role (looking at it from a totally different perspective before eventually agreeing to it)

  • secure development is just talk during the reception dine and walk

    In what Ponemon Group's report calls "a serious and potentially dangerous misalignment," some 75 percent of executives surveyed for the report believe their organizations have "defined, secure architecture standards" in their programming. But only 23 percent of technicians agree or strongly agree with that statement.

    it is only if you see it and have analyzed it that you can believe it to exist and afterwards you can see if their implementation is effective or if it is just a smokescreen of useless paper

  • maybe you should revoke and re-establish your access for applications to twitter NOW

    the leak of 15.000 twitter accounts is more serious than thought - even if it is badly or underreported in the media

    the leak is maybe based upon the fact that the procedure that is used to transmit and protect the credentials between twitter and other applications (do you give access to twitter to this application ?) has some leakage and the upgrade of the system last week by twitter of this protocol shows that there is a problem

    another proof that the problem may be more substantial is that the hacker who did only leak 15.000 mostly turkis twitter accounts says he can access and change any twitter account (which have to be seen and espcially tested against the double authentification with the mobile). But the fact that he has the impression that he could change or enter any twitter account gives the impession that there are more serious fundamental questions

    but not everyone is convinced because the leak is so specific it could have come from a phishing attack

    "The details, which appear to be genuine, do not include passwords," writes David Meyer on tech analysis blog GigaOM. "They do include OAuth tokens, though, so Twitter users should probably revoke and re-establish access to connected third-party apps."

    OAuth tokens that are used to connect Twitter accounts to third-party services without obliging users to hand over passwords. Issues with the technology are not uncommon. For example, security researcher Kelker Ryan warned Twitter's implementation of OAuth2 is vulnerable many weeks ago.

    and as twitter doesn't respond or communicate we are just guessing and as a securityguy you better be safe than sorry

    this protocol is also used by Facebook and it also shows that  the implementation is more important than the theoretical advantages of a protocol

  • Brasilian governments thinks about law making it legally impossible to host national important data elsewhere,,EMI340068-17770,00-GOVERNO+QUER+ARMAZENAMENTO+DOS+DADOS+EM+TERRITORIO+NACIONAL.html

    you don't need a law for that

    government and industry have only to take some administrative measures to say that - even not mentioning the spying - to make sure that that kind of important personal, national and commercial data always falls under the national law and will be treated by the national judicial procedures it must be hosted (attention now read slowly) on servers that are keeping ALL THE DATA AND THE COPIES on the NATIONAL TERRITORY

    the prism scandal is just another reason or reminder but even before it is much easier to have your data on national servers falling under national law (even in Europe) than somewhere else in which if there is an incident you are facing an impossible spaghetti of different national laws and procedures (take for example that the firm in Belgian and the data is on an Italian and a dutch server and you aren't sure which of the two versions has been compromised)

    but it shows that the whole cloudhype will come back to what the everythingcloud fanatics dismissed too quickly from the beginning will fall back to reality : cloudhosting is hybrid (and cloudhosting is a technique of organizing your infrastructure it is not something physical or abstract)

    * important data will stay inside the network (eventually with external access through VPN and double authentification)

    * not important but privacyrelated data will stay on servers in your jurisdiction (to make sure that you know exactly which laws you have to abide to)

    * not important general public data can be wherever it is the cheapiest if there are enough guarantees that the security will be sufficient so your ereputation or your security isn't compromised