Sadly, the folks at Nextcloud don’t understand that owning your data and owning your infrastructure are not the same thing. I love the software and have done for a long time. But they consistently contend (needlessly) that you don’t own your data unless you own the hardware storing it. That’s patently absurd and silly.


@paco I would say that they're right, in regards to the hardware that's running NextCloud. Encrypted blobs of data should be able to go anywhere, even a NAS in your friend's basement.

But if an attacker can run his code on your NextCloud instance, it's not your instance anymore.

@r000t I don't disagree. But the legal title to my server hardware (e.g., my friend's box, my own box, a VPS, AWS EC2, etc.) has nothing to do with that. NextCloud/Linux/Whatever is as secure as it is, regardless of whose hardware it runs on. Hardware ownership and software security are orthogonal. You can do one really well and screw up the other and vice versa.

@paco Looking at their toot, owning one's data is being mentioned in the context of advertising and data mining.

The security of the webapp doesn't enter into it if someone else is responsible for the machine it runs on.

EC2 or at home, if you deployed it, you know it's not getting mined or sold.

@paco Decentralized on anywhere you can get a VPS is still way better than centralized on Dropbox or Google Drive.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.