Archive for August, 2015

August 31, 2015

Google Chrome will block Flash from tomorrow…well, sort of


Adobe’s Flash will face a double setback tomorrow, 1 September 2015.

Amazon’s outright ban on Flash ads kicks in.

And Google’s Chrome browser will start blocking Flash, too.

Well, sort of.

Like Amazon, Google’s anti-Flash stance is neither altruistic nor security-focused.

Ironically, it’s aimed at making your ad experience better for advertisers, amongst other things, rather than making your browser more secure, though it will no doubt do both.

Google’s original end-of-Flash announcement was headlined Bringing Better Performance to Rich Media on Chrome, and by “performance,” Google was referring to shorter runtimes and lower power usage, rather than to reduced attack surface area:

Video and interactive media bring consumers rich, engaging experiences on the web - but they can also impact browser speed and battery life... As soon as September, this setting will be turned on by default so Chrome users can enjoy faster performance and view more content before charging their batteries.

It’s not so much to stop you getting owned as to keep you immersed in all those rich, engaging experiences – which, of course, includes seeing lots of lovely ads.

Indeed, Chrome won’t ban Flash altogether tomorrow, or even enable click-to-play by default for everything.

But click-to-play will kick in automatically from tomorrow, it seems, for what Google calls “content that’s peripheral to the main page.”

In other words, games and videos that rely on Flash ought still to work, but ads and suchlike probably won’t.

Given that the Google switchover is accompanied by a ban on Flash ads served via AdWords, it’s a pity that Google didn’t go all the way and simply turn on click-to-play altogether by default in Chrome, or even set Flash off by default.

→ There’s an important difference between Ask to Activate Flash and Never Activate, to borrow Mozilla’s terminology. With Ask to Activate, or click-to-play, websites are told that your browser supports Flash, so most servers then use it in preference to HTML5. This produces a click-to-play prompt that understandably convinces many users that Flash is still not only widespread but also necessary. Perhaps a “Reload this page without Flash” option would be a handy way of getting past that hurdle?

Nevertheless, with Google automatically converting AdWords ads to HTML5 where it can, and blocking Flash ads where it can’t, even Flashophiles may start to accept that there really is life beyond Flash.

So, perhaps Google’s change, along with Amazon’s, will help to get us to a point at which Adobe can realistically do what Facebook’s CSO rather peremptorily suggested, and announce an end-of-life date for Flash.

It can’t be much fun maintaining Flash any more.

While we’re about it, and taking into account the abovementioned anti-Flash rant from Facebook’s CSO, it would be great to see the social networking giant following the lead of Amazon and Google, and dropping Flash from Facebook altogether.

Even if the motivation is to get more ads in front of us, having one less plugin to patch would surely help.

August 28, 2015

A SmartFridge Just Got Hacked. Are Your Devices Next?


A Samsung SmartFridge Just Got Hacked. Are Your Devices Next?

Every day in every way, our gadgets and home appliances are getting smarter. But they’re still not smart enough to thwart cyber attacks.

Recently, security researchers gained access to the computer inside a Samsung Smart Fridge (Model RF28HMELBSR). That fridge features an 8-inch touchscreen in the door, which lets you view your Web calendar, play Pandora music stations, get weather reports, watch TV, make phone calls, and more.

The Samsung SmartFridge is wide open to you and to hackers (Photo: Samsung).

White-hat hackers at Pen-Test Partners were able to use fake security credentials to intercept communications between the fridge and Google Calendar. Cybercrooks could potentially use a similar technique to steal your Google login names and passwords. However, those thieves would first need to log onto your Wi-Fi network to access the fridge.

That particular Samsung refrigerator has been available in the US since June 2014; it does not run software created by SmartThings, the IoT company Samsung acquired in August 2014. Neither Samsung nor SmartThings had responded to requests for comment at publication time.


The Samsung SmartFridge connects via Wi-Fi to your smartphone and smart TV — and, hopefully, not a hacker’s laptop (Photo: Samsung).

It takes a village

The research was conducted as part of the Internet of Things (IoT) hacking village at the annual DEF CON hackers conference, held earlier this month in Las Vegas. It was far from the only IoT device that got pwned.

Besides the fridge, the hackers also found 25 vulnerabilities in 14 allegedly smart devices, including scales, coffee makers, wireless cameras, locks, home automation hubs, and fingerprint readers.

At press time, the names of all the devices that were hacked and the severity of the exploits were unavailable, pending notification to the vendors, says Ted Harrington, executive partner of Independent Security Evaluators, which ran the IoT Hacking Village.


The list of devices that researchers at DEF CON 23 set out to pwn. Just because the device is on this list, however, doesn’t mean it was successfully hacked (Sohopelesslybroken).

https://www.yahoo.com/tech/a-samsung-smartfridge-just-got-hacked-are-your-127575156174.html

August 28, 2015

Dark Web market Agora suspends operations due to Tor vulnerability



Agora, said to be the Dark Web’s largest dark market since Silk Road was shuttered, has been spooked by what it called “suspicious activity” and recent research into vulnerabilities in Tor that it fears could help to unmask its server locations.

The anonymous Agora admins posted a message on the market site, to Pastebin, and to the “darknetmarkets” Subreddit saying that the market was temporarily shutting down while they overhaul the software stack to mitigate the problems.

They don’t know how long it will take.

In the meantime, they’re not waiting for the law to knock on their door a la Silk Road and have moved their servers to prevent discovery:

We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again. However, this is only a temporary solution.

The message didn’t specify which Tor vulnerability research has Agora concerned, but it did say this:

Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources.

It’s possible they’re referencing the vulnerability published recently by MIT (Massachusetts Institute of Technology), which described how malicious Tor entry guards could strip away the Dark Web’s anonymity features, exposing users and the hidden websites they visit.

As noted by Roger Dingledine, Tor’s project leader and one of the project’s original developers, attackers would need a whole lot of luck to actually exploit the vulnerability – they’d need to “get lucky and end up operating the entry guard for the Tor user they’re trying to target”, he said.

The Agora admins said that they’ve recently been discovering suspicious activity around the market’s servers that has led them to believe that:

...some of the attacks described in the research could be going on ...

They’re not wrong: there very well could be investigations going on using the MIT technique, or other de-anonymising tricks we don’t know about yet.

As Naked Security’s Mark Stockley noted when writing up the MIT research, it would be a surprise if governments and law enforcement didn’t have a keen interest in cracking Tor, given the serious crimes that Tor masks, together with the intelligence value of entry guards.


As far back as eight years ago, researcher Dan Egerstad demonstrated how useful having your own Tor exit nodes can be if you want to spy on people – he set up five of his own and used them to harvest thousands of emails and messages from embassies in Australia, Japan, Iran, India and Russia, as well as the Iranian Foreign Ministry and the Indian Ministry of Defence.

He came away convinced that he couldn’t possibly be the only one to have figured this out, and that governments would surely be running or spying on Tor relays too:

I am absolutely positive that I am not the only one to figure this out ... I'm pretty sure there are governments doing the exact same thing. There's probably a reason why people are volunteering to set up a node.

And don’t forget that unmasking the client end of Tor communications – identifying who you really are – can be done without any trickery in the network itself.

An attacker who can implant zombie malware or a Remote Access Trojan (RAT) on your computer can pretty much keep track of everything you do, before your browser gets round to encrypting it, and before the Tor network sends it over an unpredictably mysterious route to a secret destination.


Remember that the Spy-versus-Spy ecosystem works both ways: cybercriminals want to strip away the anonymity and privacy of law-abiding users just as much as law enforcement wants to find out who those crooks really are.

August 28, 2015

Ethiopian Airlines Make More Profit Than All Other African Carriers Combined


https://youtu.be/boZwAgWyPY8

Ethiopian Airlines’ $175 million profit for the 2014/15 fiscal year it announced at the end of last week is more than what the rest of Africa’s airline industry posted over the same period.

Tewolde Gebremariam, Ethiopian Airlines chief executive, said the airline, which has been the most profitable in Africa for a couple of years now, exceeded its revenue and profit  targets for the fiscal year.

“We had planned for 43 billion birr by 2015, but in the last fiscal year closed at about 49.4 billion birr in revenue. The same with profitability,” Gebremariam told CCTV Africa.

The state-owned carrier said it plans to increase its fleet to 140 planes by 2025, when it expects to be generating over $10 billion in annual revenue. At the moment it has 76 planes and recently announced plans to increase this by 60 percent by buying 44 new aircraft.

While other major African airlines, including Kenya Airways and South African Airways, fall deeper into losses, Ethiopian Airlines has grown its revenue and expanded its routes to become the most networked carrier on the continent.

Collectively, other African airlines are expected to post a profit of barely $100 million, the lowest of all regions, according to the International Air Transport Industry Association (Iata). They are also expected to see the slowest growth among developing markets with capacity and demand expansion of 3.3 percent and 3.2 percent respectively this year.

– See more at: http://afkinsider.com/102462/ethiopian-airlines-make-more-profit-than-all-other-african-carriers-combined/#sthash.SZ9xDrCc.dpuf

August 26, 2015

“Father of Android,” will be at Code/Mobile conference in Oct. 7-8


I’m thrilled to announce that Andy Rubin, the “father of Android,” will be at this year’s Code/Mobile conference, Oct. 7-8 at The Ritz-Carlton, Half Moon Bay.

Rubin may be best known for creating and growing Android, the company he started that was acquired by Google in 2005, but his experience with mobile technology extends far beyond that. Before Android, Rubin developed the Sidekick, a pioneering device that was one of the first to combine the features that make a smartphone smart.

He also led Google’s robotics and automation division. And since leaving the company last year, in addition to becoming a venture partner at Redpoint Ventures, he has launched Playground Global to help hardware startups bring their products to market.

At Code/Mobile, we’ll talk with Rubin about where the technology he helped invent will end up next, such as in cars and robots. He’ll join Walt Mossberg onstage in our signature red chairs for what promises to be a fascinating conversation about computing’s future.

Learn more about the program, which also includes speakers from Facebook, Ericsson, Google, Twitter, AT&T and Fitbit, and sign up to join us.

Space is limited, so register now to be there in person.

Producer, Code/Mobile

August 26, 2015

Safaricom suspends new bank-to-third-party MPesa tariffs to December 1, 2015



In order to avoid the potential of a fallout with its banking partners, Safaricom has moved first to suspend its new rates for bank to third party MPesa accounts which took effect less than a month ago on August 1, 2015.

The revised tariffs for bank to third party MPesa transfers were communicated to banks by Safaricom’s GM for Enterprise Rita Okuthe in a letter dated July 9 this year.

The letter titled: “Change of B2C tariff for Bank to MPesa Service” stated that the “changes have risen partly in light of ongoing efforts to streamline the MPesa proposition and also partly in response to continuous efforts to ensure compliance with regulatory guidelines.”

The letter stated in part: “It has come to our attention that there has been an increase in the number of alleged incidents of erroneous and/or fraudulent transfers involving bank customers utilising the Bank to MPesa functionality offered by their various banking/financial service providers. The increase in the number of these incidents has been attributed to the fact that customers are enabled to make direct MPesa transfers to the MPesa accounts of third parties.”

As an incentive, Safaricom introduced discounted tariffs for bank to MPesa transfers to customer’s own MPesa accounts while increasing the tariffs for bank to MPesa accounts of third parties.

“In order to reduce incidents of this nature, it is our advice that you strongly consider only facilitating bank to MPesa transfers to a customer’s own MPesa account in order to discourage the occurrence of the aforementioned incidents. As an incentive, we have introduced a discounted tariff…In the event that you still prefer to facilitate third-party transfers as a service offering, then these transfers may still be pursued but subject to the revised tariff rates,” stated Ms Okuthe in the letter.

The new rates took effect on August 1, 2015.

Based on the revised rates, consumers were being charged a tariff of Kshs 55 to transfer between Kshs 2,501 to 3,500 from one’s bank account to one’s own or third-party MPesa account while transferring between Kshs 20,000 to 70,000 attracted a charge of Kshs 110. But as an incentive, moving between Kshs 50 to 1,000 from one’s own bank account to his/her MPesa account was billed at Kshs 15 with amounts ranging from Kshs 1,001 to 70,000 attracting a charge of Kshs 22.

However, seemingly due to the short period within which the tariff revision was made and communicated to partner banks with no sufficient time in between to relay the same information to clients, it is understood that Safaricom’s Rita Okuthe wrote another letter to the partner banks last Thursday August 20 informing them that the new changes had been suspended and would only be effective from December 1, 2015.

Ms Okuthe’s letter to the partner banks has been followed up by another statement issued today by Safaricom’s director of Corporate Affairs Stephen Chege.

“In line with technological advancements, a number of Banks and Financial Institutions are now using the existing M-PESA infrastructure to extend the transfer of funds from customers’ bank accounts to third party M-PESA wallets (Bank-to-Many),” states Mr Chege in the statement, adding: “This service, like any other service on our platform, will attract charges.  The charges that we will implement are similar to what applies for P2P M-PESA transactions (sending M-PESA from one customer to another).”

Chege adds that Safaricom has already received the requisite approvals from the Central Bank of Kenya, further noting that ‘this is a new service, and not a revision of any existing charges.’

“However, these charges will only come into effect on 1st December 2015. This will allow Banks and Financial Institutions ample time to communicate to their customers about the service,” he states.

Since the launch of M-PESA, Safaricom has partnered with over 30 banks and more than 160 other Financial Institutions to allow bank-to-MPesa account transfers.

According to the CA’s latest industry statistics for the period covering January-March 2015, the number of mobile money transfer subscriptions rose by 3.0 percent to reach 26.7 million up from 26.0 million subscriptions registered during the last quarter while the number of active agents grew by 3.9 percent to stand at 126,622 up from 121,924 agents recorded during the last quarter.

http://www.cio.co.ke

August 26, 2015

Businessman partner who hacked 900 phones as “revenge”


Imagine that you’re a network security company, and you’re in the middle of a demonstration to a prestigious customer in the insurance industry – a customer who is worth £80,000 a year in business.

Imagine that you want to show how quickly and efficiently you could remotely wipe a mobile device to render it useless to a crook, for example after it was reported lost or stolen.

And now imagine that an estranged former business partner managed to hack into your network, perhaps using legitimate-looking credentials set up when he was still an insider, to stage a sort of “demo-within-a-demo” of his own, right in the middle of your demo…

…so that not only the test device got wiped, but also a further 900 of your important customer’s mobile phones.

That’s not too far away from what happened in May 2014 to a company called Esselar, thanks to the vengeful attitude of one of the company’s original founders who had recently fallen out with his erstwhile partners and exited the business.

(The customer, insurance giant Aviva, apparently cancelled the contract as a result.)

According to a BBC report, the estranged business partner, Richard Neale, just picked up an 18-month jail term this week for this and other cybercrime offences against the UK’s Computer Misuse Act.

Neale apparently also took over his former company’s Twitter account and changed the logo to a “Heartbleed” by way of advertising the company’s insecurity, which is a particularly bad look for a network security consultancy.

He also used a fake account left behind inside the company to mess with his former colleagues by fraudulently rejecting their expense claims.

The BBC notes that Neale’s legal representative categorised these crimes as “foolish and childish” and as “causing mischief” based on festering resentment.

We’d say that deliberately wiping some 900 mobile devices belonging to a trusted and trusting customer goes well beyond “foolish and childish”, and we’d suggest that Neale can consider himself fortunate not to have earned a longer sentence.

What to do?

A little vigilance goes a long way:

  • Use a standard, formal process to remove or to disable the accounts of anyone who leaves, whether on good terms or bad.
  • Regularly review accounts that have remote access to prevent “sleeper accounts” being created for later misuse.
  • Consider requiring two-factor authentication for all remote access so you have two ways to lock out a departing user.
  • Regularly change passwords on social media accounts if you have been forced to share the same account and password with multiple staff.
  • Regularly review your remote access logs in case you notice unusual or unwanted access – you definitely won’t spot anomalies if you don’t look.
August 26, 2015

Android 6.0 Marshmallow: The 7 most-exciting features in the soon-to-be-released OS



Google is expected to soon roll out the latest version of its Android OS, Android Marshmallow (version 6.0). While the company will list out, in further detail, the new features of Android Marshmallow once it releases to the public, we give you an overview of the soon-to-be-released OS with its 7 most-interesting features.

1. Android 6.0 Marshmallow has a new Doze power-saving feature that has motion detection which optimises battery usage. When the dozing feature is enabled, the device still continues to send notifications about priority-based activities.

The next version of Android operating system, Marshmallow, will be compatible with fingerprint scanners so users can verify their identities by pressing a button instead of entering a passcode.

2. The fingerprint functionality in Google’s upcoming version of Android can be used either as a standalone feature to unlock Android devices or to authorise either Android Pay transactions, Google Play store purchases, or partner e-commerce app purchases.

3. With the Marshmallow upgrade, users will be able to summon Google Now to scan whatever content might be on a mobile device’s screen so it can present pertinent information about the topic of a text, a song, a video clip or an article. The new Android feature, called “Now on Tap,” will be activated by holding down the device’s home button or saying, “OK Google,” into the microphone. That action will prompt Now on Tap to scan the screen in an attempt to figure out how to be the most helpful. Or, if speaking, users can just say what they are seeking, such as “Who sings this?” Google is hoping to provide Android users with what they need at the precise moment they need it without forcing them to hopscotch from one app to another.

4. Android 6.0 will include an alternative to the mobile payment system. Google’s Android Pay, an answer to Samsung Pay and Apple Pay, will replace Google Wallet for making mobile purchases in stores and applications. Google Wallet, which came out in 2011, will still work for sending payments from one person to another. Like Apple’s system, Android Pay can be used to store major credit and debit cards in smartphones that can be used to pay merchants equipped with terminals that work with the technology. Android Pay will also work on devices running on the KitKat version of Android released last year.

5. Marshmallow also streamlines the “permissions” model for users to install and upgrade apps. Android 6.0 will make it easier for users to prevent mobile applications from grabbing their personal information. Permission will only need to be granted to each app if the access is needed for a specific action. That means Android users won’t be asked to share information about their contact lists, photo rolls or locations until an app won’t work without it.

6. Google has also announced support for the USB Type-C standard in Android Marshmallow, which will make your device charge faster than usual. Also, for the Type-C port, a USB cable will be reversible which means both of its ends will be the same and you will not be required to check if you are inserting the cable in the right way. This means that the new type of USB cable can be plugged into a device in any direction. The new USB support in Android Marshmallow will also let users use their phone to charge other devices.

7. The Direct Share feature will allow users to share content with targets, such as contacts, within other apps. For example, the direct share target might launch an activity in another social network app, which lets the user share content directly with a specific friend or community in that app.

The moniker for the 6.0 version of the dominant mobile computing system follows a tradition of using sugary treats for Android including Lollipop (5.0), KitKat (4.4), Jellybean (4.1) and Ice Cream Sandwich (4.0).

Android is used in nearly 80 per cent of smartphones worldwide, although many devices use older versions for which upgrades are not available. Android is also the leading platform for tablets, according to market surveys.

August 22, 2015

Amazon bans Flash ads – but not for the reason you may have hoped!



Websites with cool interactive content like games used to go for Java.

By embedding a special sort of Java program called an applet in your website, you could add a bit more pizazz than your competitors could manage with plain old HTML.

Then came Adobe Flash, using a programming language called ActionScript instead of Java, but with the same ultimate idea: multi-platform, cross-browser, web-based, real-time, on-line multimedia coolness.

There were downsides to Java and Flash from the start, of course, namely that:

  • They were “someone else’s” standards, rather than web ones.
  • They required you to install and manage additional plugins in your browser.
  • They inevitably opened up additional security holes.
  • Cybercrooks fell in love with Java and Flash security holes because they often worked in every browser, leading to true “cross-platform” attacks.

Eventually, browser makers and web standards-setters agreed on an alternative approach, called HTML5, that would (or at least could) make both Java and Flash redundant by giving web programmers a way to do cool multimedia stuff right inside the browser.

(To see how cool, try typing the word asteroids in the Naked Security search box!)

As a result, these days you can just use JavaScript in your interactive web pages, instead of using Java or ActionScript.

→ Java and JavaScript are completely different. As a recent Naked Security commentator pointed out, “Java” and “JavaScript” are no more strongly related than “Car” and “Carpet.” They simply start with the same letters.

Sure, HTML5 increases the so-called “attack surface area” of your browser because there are now more tricks you can pull off with JavaScript, and there is more code in the background to go wrong.

But every modern browser supports JavaScript and HTML5 anyway; HTML5 can do the job of Java and Flash; and many if not most websites support HTML5, even if they also support Java or Flash.

Simply put, almost all of us can live without Java or Flash in our browsers, almost all of the time.

Indeed, most of us do live without Java in our browsers these days, because Oracle, which owns Java, no longer enables the Java applet web browser plugin by default when you install the Java product.

Java is mainly used for applications, full-blown software programs that you install locally, so support for in-browser applets is rarely necessary these days.

But Flash has proved harder to eject from the world’s browsers, with lots of people keeping it installed and turned on, and often insisting that they need it, even when they don’t.

The fight against Flash

Apple was the first big brand name to take against Flash in a big way, by the simple expedient of banning it altogether on iPads and iPhones.

If you have an iDevice, you don’t have Flash, and that’s that: it’s all done with HTML5 instead.

Facebook jumped into the anti-Flash wars recently, too, with its newly-appointed CSO coming out swinging on Twitter.

Alex Stamos publicly demanded that Adobe should act to kill off Flash, and to set a date by which all browsers would refuse to support it.

Of course, that was just a Twitter rant.

Facebook doesn’t yet seem to share its CSO’s strident views, because the company didn’t back him up, and still makes use of Flash in your browser if you have it installed.

That’s annoying for those who want to convince the world that Flash is largely superfluous, and thus an unnecessary security risk.

Sites that use Flash “because they can”, instead of just moving to HTML5 for everything, tend to reinforce users who still think they need Flash, even when turning it off would make no visible difference.

So Flash naysayers will welcome Amazon’s recent announcement:

Beginning September 1, 2015, Amazon no longer accepts Flash ads on Amazon.com, AAP, and various IAB standard placements across owned and operated domains.

This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience across Amazon and its affiliates, and that ads displayed across the site function properly for optimal performance.

Interestingly, Amazon hasn’t gone all out by banning Flash because of its security risk – the “added attack surface area” it brings to your browser.

Amazon is blaming, if that’s the right word, three of the world’s Big Four browsers instead, because they no longer play Flash ads automatically by default.

Indeed, Amazon’s explicit reason for ditching Flash seems to be that it will improve the consistency of your ad-viewing experience, meaning that your browser’s “click-to-play” Flash option will no longer act as a sort-of implicit ad blocker.

Ironically, even though Amazon’s announcement means that some users will start seeing ads that didn’t appear before, it may actually help to distance Amazon from Adobe’s recent (and rather unpopular) suggestion that ad blockers are a Bad Thing and could cost our economy $22,000,000,000 this year.

Nevertheless, Amazon has banned Flash ads, and that’s that!

August 22, 2015

Google customers lose data after lightning strikes



Google has been hit by a data-destroying attack. Four lightning strikes hit the grid powering a data center in Belgium, triggering the data equivalent of coughing, sputtering and fainting.

For once, we know exactly who’s responsible – Mother Nature, flinging lightning bolts.

Google said on Tuesday that four lightning strikes hit the local power grid supplying its European data center last week, on Thursday, 13 August 2015.

Resulting power fluctuations near its Belgian data center – designated as the europe-west1-b zone – resulted in sporadic disk errors.

Those errors in turn led to permanent data loss.

The power fluctuations in fact set off a wave of errors that lasted up until Monday, 17 August 2015.

Google says that the data loss affected less than 0.000001% of Google Compute Engine Persistent Disk space in europe-west1-b.

The Google Compute Engine (GCE) is the Infrastructure as a Service (IaaS) component of the Google Cloud Platform, built on the global infrastructure that runs Google’s search engine, Gmail, YouTube and other services.

GCE enables users to launch virtual machines (VMs) – operating systems and application environments installed on software that imitate dedicated hardware – on demand.

Persistent disks, in turn, are used as the primary storage for VM instances.

Some 5% of the standard persistent disks in the zone experienced at least one read or write failure during the power fluctuations, Google said, with some management operations on the affected disks failing, including disk snapshot creation.

Google’s data centers use battery backup for storage systems, as well as auxiliary systems that automatically restored power quickly in this instance.

But Google says that some recently written data had been located on storage systems that were susceptible to power failure from extended or repeated battery drain.

In a few cases, this apparently led to permanent data loss.

Nobody can promise that data stored in the cloud won’t be zapped by lightning – sure gives the “cloud storage” metaphor yet another dark lining, doesn’t it?

Google is taking full responsibility, but reminded customers that GCE instances and Persistent Disks are all lumped together in one data center.

In other words, all it takes is one disaster to hit, and they’re all vulnerable to falling down.

Source: https://nakedsecurity.sophos.com/