Feeds

back to article Prez Obama cyber-guru: Think your data is safe in an EU cloud? The NSA will raid your servers

A former White House security advisor has suggested that you, dear reader, are naive if you think hosting data outside of the US will protect a business from the NSA. "NSA and any other world-class intelligence agency can hack into databases even if they not in the US," said former White House security advisor Richard Clarke in …

COMMENTS

This topic is closed for new posts.

Page:

Bronze badge
Big Brother

Message from US to EU:

"You can run ... but you cannot hide!"

3
0
Anonymous Coward

Re: Message from US to EU:

Message from EU to US:

Still want Silicon Valley companies to sell in the EU?

Seriously, though, there is in principle no difference between protecting your IT from hackers and from the NSA, only that the latter plays more dirty. There are few more defensive strategies out there, and the NSA knows it, hence this war of psychology to make people just give up (similar to what the US has been doing with privacy).

Don't give up. If they want a fight, they can have it. You and your customers all have rights, defend them and get your politicians to grow a spine (or do fewer things they can be blackmailed with, of course).

On a less aggressive note: has anyone noticed what is happening to US passport holders abroad?r Nowadays, it's easier to get a bank account with Nigerian passport than a US one...

38
0
Silver badge

Re: Message from US to EU:

1) "You can't do anything against us, lube up"

2) "If you want to do anything against us, deep down it's just about filty lucre anyway, so don't"

That guy sure is a piece of work. A mix of narcisissm, american exceptionalism, belief in the omnipotent state and hypocrisy. And a desire to keep going on the useless talking heads roundabout.

But he's right. There *will* be lubing up. EU behaviour on subjects as diverse as FATCA and Ukraine says so.

15
0
Bronze badge

Re: Message from US to EU:

Sad but true: next they are going to force all the multinational companies which want to open a single office in US (almost all as US might be the ground for their branding) for giving access to their data even if that is offshore.

3
0
Silver badge

Re: Message from US to EU:

He is , however, one of the few people in government being honest and truthful about any of this

7
0
Anonymous Coward

Re: Message from US to EU:

Well, the message confirms the fundamental basis of the idea to move abroad.

We all know that if we becoma a target, the hit is likely to be successful. That has not changed since the days when intelligence services were opening letters sealed with a wax seal with a heated thin blade. Nothing new here.

That "targeted" approach however, requires a target selection and resource for _EACH_ and _EVERY_ target. That is finite resource. Even NSA cannot hack everyone abroad.

Compared to that - the ongoing attack on all local targets under jurisdiction is a constant resource. Different ball game altogether.

12
0
Anonymous Coward

Re: Message from US to EU:

they are going to force all the multinational companies which want to open a single office in US (almost all as US might be the ground for their branding) for giving access to their data even if that is offshore.

That's what a good privacy strategy is for. It starts with "if you have a US HQ, you're pretty much hosed, so let's move that first". Once you have decision power relocated outside the US, you leave a subsidiary in the US whose access to data from there is pretty much segmented away from the rest of the corporation. Then you go through the corporation country by country and clean up any residual leverage (a classic example is having a dependency on a US provider, or US investors which can be blackmailed with the promise of eternal IRS investigations).

The entertaining issue is that this idiocy is putting the whole of Silicon Valley at risk (an issue they are now trying to plaster over with all sorts of excuses). Companies there already have SERIOUS problems selling in Europe, and it's only going to get worse because the Safe Harbor fix has now also been exposed for the irrelevance it is..

6
0
Bronze badge
Coat

@ Yet Another Anonymous coward: Honest government employee!??

That's why it says "former" in the article ;)

1
0
Silver badge

"That targeted approach"

> That "targeted" approach however, requires a target selection and resource for _EACH_ and _EVERY_ target. That is finite resource. Even NSA cannot hack everyone abroad. Compared to that - the ongoing attack on all local targets under jurisdiction is a constant resource. Different ball game altogether.

Exactly. He's obfuscating the controversy by claiming that it's about the NSA. It isn't. It's about Congress and the White House.

I'm a strong supporter of spying agencies breaking the law -- I'd rather they break laws than that laws be changed to allow spying, as the latter leads to a ridiculous petty police state, with, for instance, local authorities legally spying on parents to check they're in the right cachement area for their kids' school. If what they're doing is illegal and they can get in trouble if caught, that's a very sensible and effective check on their behaviour: they only do stuff if it's worth that risk. What Congress and the White House did was remove that check -- in the Land of Checks & Balances, no less. Ha!

Also, if the spies are breaking the law, their targets are allowed to avoid them. Sure, the NSA can hack a server in Sweden, but the owners of that Swedish server are allowed to stop the hack if they detect it, they're allowed to upgrade their security whenever they want, they're allowed to install a new server without the same vulnerabilities, forcing the NSA to go to the effort of hacking all over again. Again, that effort is a check on their behaviour. I prefer that to the current US system, where the owners of the servers are legally obliged to give a direct feed of all their data to the NSA, no hacking required.

A lot of IT-illiterate members of the public aren't seeing these distinctions, which is fair enough, but I hardly think this bastard is one of them. He's just lying about what the controversy is.

12
0

"We're going balls deep into your data...

...and there's fuck all you can do about it."

1
0
Silver badge

Re: "That targeted approach"@ Squander Two

That is one of the most insightful comments I've seen for while! Thanks for those thoughts that I'll probably recycle somewhere else.

1
0
Silver badge

Re: "That targeted approach"@ Squander Two

Too kind, sir.

1
0
Bronze badge

Follows Night

Follows Day.

0
0
Bronze badge

Yes we know you...

can hack into overseas databases, what's your point? The point of having data in the country of origin is that, you will have to hack into it, not have it handed to you on a plate.

67
0
Thumb Up

Re: Yes we know you...

So many times I read these forums and someone just said exactly what I was about to say...

16
0

Re: Yes we know you...

It's the difference between your data being wholesale tapped "because we can" with no warrant versus a specific hack that, presumably, had a little more judicial rigor around it.

Given all these revelations, if you keep data in the US you can pretty much assume at least the metadata has been scanned and possibly stored. Anything outside the US is probably going to be at least a little, if not a lot, better than this poor standard.

15
0
Anonymous Coward

Re: Yes we know you...

In addition to this, by depriving big US corporations of income by hosting outside the US, they will put more pressure on the US govt to change as it is costing them $$$

19
0
Silver badge

Re: Yes we know you...

@Salts

Right on.

Moreover, as such actions do not, in any sense, fall under the jurisdiction of National Security Letters and suchlike, a hosting provider in Luxembourg (for example), is fully within its legal rights to communicate any such breaches to its customers and the world at large.

Data being moved from US-controlled servers changes the game from "grab what we want, under full protection of the law and with little chance of exposure" to "make a conscious decision to breach foreign owned and run servers, risking discovery and public condemnation".

Of course they are clearly doing this already so it's not something they are adverse to but there is a big difference between lawfully requesting/receiving data from a company compelled to secrecy and silence and clandestinely breaking into foreign-controlled servers.

24
0
Silver badge

Re: Yes we know you...

@Flat Phillip

"It's the difference between your data being wholesale tapped "because we can" with no warrant versus a specific hack that, presumably, had a little more judicial rigor around it."

Actually, I think it's pretty much the other way around: spying on your own citizens, while easier from a technical perspective, seems to be more rigorous from a legal perspective*. So far as I know, I don't believe a US court would be likely to rule that collection of European data from a European server violates anyone's fourth amendment rights!

I don't doubt that there would be some processes around such 'hacking' but I doubt they would be 'judicial' in nature.

* - By relative measures, of course.

1
1
Silver badge

Re: Yes we know you...

Perfectly said. If I may sum up: "Dear NSA: Work for it, bitch!"

10
0

Re: Yes we know you...

>Perfectly said. If I may sum up: "Dear NSA: Work for it, bitch!"

Or more likely - Ask your buddies in GCHQ etc.

3
0

Re: Yes we know you...

Given our recent behaviour, I'd be surprised if the UK was invited to join any pan-european data warehouse...

6
0
Silver badge

I'll bet they'd have a harder time hacking into one in China

That might be a better place to keep your cloud data even as (or especially as) a US citizen/company. Sure, the Chinese can definitely access it, but if you store encrypted data it is probably safe. I think they'd have much less chance of breaking the encryption than the NSA.

Thus, encrypted data is probably safer sitting on a Chinese server with the Chinese equivalent of the NSA trying to crack it as it would be on a US or EU server with the NSA/GCHQ trying to crack it. As a US citizen, this is a very sad state of affairs to admit.

8
0
Silver badge

Re: I'll bet they'd have a harder time hacking into one in China

If you are a US political group, environmental campaigner, 99%-er, pro-gun etc etc, then you are probably better keeping your data on a Chinese server than a US one.

The cold war was a bit of a waste of time and money wasn't it?

If you are a European aircraft/car/software/phone maker then you don't want your data on a US/UK server or a Chinese one. Does Nigeria do cloud hosting?

10
0
Bronze badge

Re: I'll bet they'd have a harder time hacking into one in China

Fragment your data and store one useless and encrypted half (in tiny bits) on various US servers and one useless and encrypted half (in tiny bits) on various Chinese servers. Total security.

2
0
Silver badge

@Eguro

That's a great idea, but may I recommend one change? Don't fragment your data, store two complete copies, each XOR'ed with the same random data, so it can only be reconstructed on your end by XOR'ing the two together. Let the NSA and the Chinese each go crazy trying to decrypt something utterly impossible to decrypt!

Someone should write a Linux FUSE driver for that...

6
0
Silver badge

Re: @Eguro

Not impossible. Once one realizes you need the other copy, they'll just hack into EACH OTHER. Which they've already been doing.

0
0

Re: @Eguro

You're onto something here, what about an encryption method that splits the data up into a large chunk and a smaller chunk - like a keyfile for ssh? Is there any program that already does something like that?

You can stick the small chunk on usb and simply store the larger chunk in any cloud.

2
0
Bronze badge

Re: @Eguro

That's an even better idea, if feasible.

Could also word for businesses I imagine - depending on how big the small file would need to be. One local server, the rest in a cloud.

I second the question: Is there any program that already does something like that?

1
0
Anonymous Coward

Re: I'll bet they'd have a harder time hacking into one in China

> Does Nigeria do cloud hosting?

For heteros, yes.

0
0
Silver badge

Re: @Eguro

As I understand it, there are encrypted filesystem programs already in existence that can operate on a file image. A CLOUD file image could perhaps be done in a stretch. As for the other piece, that's just a keyfile, and you can make that just about anything of your choice. As for hardening the image file, many of them can use multiple algos for extra strength. It reduces the throughput, but with a cloud file the network is the bottleneck anyway.

0
0
Silver badge

@Charles 9

I left unspoken the obvious fact the data would be encrypted before being XORed with random data.

So someone wanting to get your stuff would need to successfully hack into a US and Chinese cloud provider, and crack the encryption.

I think that makes it impractical for a "let's capture everything" type of attack. If you attract their interest, they won't bother with any of that. The fastest way to break encryption is with a rubber hose, after all.

0
0
Bronze badge

Re: @Eguro

Truecrypt already does this.

http://www.truecrkeyfiles/docs/keyfiles

1
0
Bronze badge

Re: @Eguro

@Adam 1 If you make the url something I can make work, I promise I'll also upvote your new comment

0
0
Silver badge

Re: @Charles 9

So someone wanting to get your stuff would need to successfully hack into a US and Chinese cloud provider, and crack the encryption.

You forget the very real possibility the NSA and its chinese counterpart routinely hack into EACH OTHER. Meaning it's passing fair one encounters the other's file, puts two and two together, and obtains a copy of the other's file, reducing the number of places you have to hack. Furthermore, merely finding something like this would likely draw an investigation into who did something this elaborate.

1
0
Bronze badge

Re: @Eguro

Cool. Bonus vote

http://www.truecrypt.org/docs/keyfiles

1
0
Bronze badge

>"If you think passing a law making data localization a requirement in the EU or Brazil [...] stops the NSA from getting into those databases, think again."

That is excellent. hosting in the EU or Brazil is not going to make the job of our beloved acronyms any different so they are offering no opinion about where we host. Got it!

5
0
Silver badge

MRDA

2
0
Silver badge
Devil

Dear Mr. Clarke:

"If you think passing a law making data localization a requirement in the EU or Brazil [...] stops the NSA from getting into those databases, think again."

If you think data localization in Europe won't cause your operational costs and the risks your operatives incur to increase tenfold , think again.

15
1
Silver badge

Re: Dear Mr. Clarke:

But, according to one line of thought, increased budget and more staff are the way to make a certain type of management slime very, very happy!

2
0
Gold badge
Unhappy

Like most crime you can't stop a *really* determined criminal.

But you can make them think it's too much trouble and go after easier prey.

That works for me.

Actually it's about both the bottom line and privacy.

Because if you're a European business whose IP has military applications (and with the right PoV that's probably damm near everything) having your IP passed to some BFF corp of the NSA means you could be out of business.

I suggest that cheap cloud deal does not look quite so cheap now.

10
0
Bronze badge

Re: Like most crime you can't stop a *really* determined criminal.

"..if you're a European business whose IP has military applications.."

Friend, may I suggest a more subtle phrase: "If you're a European Prime Minister whose talks have nationwide applications.."

2
0

Re: Like most crime you can't stop a *really* determined criminal.

"If you're a European Citizen who was telling their mother about what they had for dinner and sending a picture of the cat..." :)

0
1
Anonymous Coward

Re: Like most crime you can't stop a *really* determined criminal.

Because if you're a European business whose IP has military applications

One would hope you airgap your information inside your company premises, so hacks are only possible from on premises. Then vet and audit your staff.

2
2
Silver badge

Re: Like most crime you can't stop a *really* determined criminal.

As if that's stopped the NSA before. Remember Stuxnet? It penetrated an airgap...

0
0
Anonymous Coward

Re: Like most crime you can't stop a *really* determined criminal.

"Because if you're a European business whose IP has military applications"

How about rephrasing that:

"Because if you're a European business whose IP could be serious competition for a US company"?

0
0
Bronze badge

Re: Like most crime you can't stop a *really* determined criminal.

>But you can make them think it's too much trouble and go after easier prey

As the joke/adage/saying goes in at least one variant.

Don't try to outrun the lion/bear/[any Australian animal except some of the sheep]. Try to outrun the guy behind you.

0
0
Anonymous Coward

Re: Like most crime you can't stop a *really* determined criminal.

As if that's stopped the NSA before. Remember Stuxnet? It penetrated an airgap...

I never said it would stop the NSA, it would however stop an awful lot of people, and make it harder for those who wanted to try, like the NSA.

0
0
Anonymous Coward

Your data

is probably marginally safer on a US based service. There are limits to NSA activities at home, but none on their activities abroad. And most of the rest of the worlds state backed eavesdroppers are more domestically focused.

1
13
Gold badge
Unhappy

Re: Your data

"is probably marginally safer on a US based service. There are limits to NSA activities at home, but none on their activities abroad. And most of the rest of the worlds state backed eavesdroppers are more domestically focused."

Wrong.

A by definition if the billing address is abroad it's probably a furriner and if the servers are in the US THE PATRIOT Act dumps the 4th amendment

Or did you not realize that, Mr AC?

8
0

Page:

This topic is closed for new posts.