Security and Data Privacy

Just noticed that often log files are provided, screenshots or other data that one could consider sensitive from a security perspective. Since all users of the forum can access those files and data as well, I would suggest some enhancement of the forum functions or other means to allow dropping confidential files, screenshots etc. to a secure storage accessible only by the one who is supporting the case but linked to the issue record posted.

While that approach is probably missing out on opportunities of other community members responding if they cannot see that data I still consider such a solution more secure and professional.

However, there might be reasons I am not aware of that demand the current solution.
On a similar topic, secured data exchange among nodes and servers would be nice too.

I vehemently disagree with the OP.
What “sensitive” information is in the log files?
RS already obfuscates the location. What more security is required?

The present system has worked well for more than 5 years. Please RS people don’t listen to this Johnny-come-lately.

Hi TideMan

I understand change can be challenging, in particular if someone has done something for many years and it was serving his needs. But there is really no reason to be afraid, become personal or rude (“to this Jonny-come-late”) just because one states a perfectly reasonable suggestion.

I don’t know exactly the specific issues you would be facing in case of a more stringent view on security and data privacy, but I am certainly open to having a conversation among adults about it. I think that is what “forums or communities” are all about, right?

Perhaps it helps if I add some specifics why this thought came up during setting a device:

  • I consider adding a network device which you do not fully control an inherited risk for data exposure and intrusion.

  • I understand that what is considered “sensitive” is a question of opinion. For me it is all data that is exposed.

  • Whether it is an Internet router, a WIFI speaker or a smart device, I prefer sharing as little information as possible about my network structure, configuration and network devices with the outside world as a security precaution, and any measures that help me achieve this, I consider beneficial. It is slightly different if I attach a device to a dedicated isolated lab network where no sensitive devices are attached or services run, but for a home or company network I am more interested in keeping it under control.

  • With the above in mind and regardless of the payload content:

Transferring data in a more secure fashion is not uncommon and I would consider it a best practice approach just because it reveals less to undesired parties.

Sharing log files that entail specifics about the device, your network and devices within the network is risky. It should remain an exception and when it is required it should be exchanged in a secure fashion not accessible to just anyone within the community.

A problem determination process that fully depends on log data and cannot offer a secure way of sharing is far from ideal because of the exposure mentioned.

Sure, having access to log files can be beneficial in aspects of speeding up problem determination and fixing issues. However, it is not impossible to develop something like a support file or an automated diagnostics process supplying relevant data restricted in a more confidential fashion.

It is not such a substantial challenge encrypting traffic among devices, infrastructure and management portals either without jeopardizing purpose and function.

Hope this sheds some light on why I suggested this topic, and I would be interested in understanding your specific concerns beyond avoiding change or adjustment.

Thx.

hello quakybit,

thanks for the suggestions, and you can rest assured that we take security very seriously when it comes to the shake. we even have a dedicated page in the manual describing the procedures and best practices to keep your Shake (in general, any IoT) secure from bad actors. this can be found here.

while it is true that adopting new tech to be installed on a local network will always contain some level of risk, there really is no difference when connecting any type of device that you connect to your local network, whether it be a phone, a laptop, router, camera, seismometer, or any other number of computers that have a network interface available.

as regards the log files, the devil’s in the details: the log files uploaded to the server do not contain any of the following:

  • personal information beyond the station name
  • public IP address the unit can be found on
  • login credentials of any kind

in other words, there is nothing contained in the log files which could be used to hack the unit or to reveal anything personal about the user.

if security remains a critical issue for you, whenever you need to provide your log files, but would rather not do so here on the forum, let us know and we can see about what alternate arrangements can be made.

cheers,
richard

Thank you Ivor for clarification. Sorry for the late response.

I must admit I need to dig into this a little deeper once I have spare time. In a first view I thought I did see more data in my logs which would allow me to reconstruct data and information about users and devices but I might be mistaken. I’ll come back once I have reviewed it in more detail. Thx for now.
