Prez Obama cyber-guru: Think your data is safe in an EU cloud? The NSA will raid your servers A former White House security advisor has suggested that you, dear reader, are naive if you think hosting data outside of the US will protect a business from the NSA. "NSA and any other world-class intelligence agency can hack into databases even if they not in the US," said former White House security advisor Richard Clarke …
Message from EU to US:
Still want Silicon Valley companies to sell in the EU?
Seriously, though, there is in principle no difference between protecting your IT from hackers and from the NSA, only that the latter plays more dirty. There are few more defensive strategies out there, and the NSA knows it, hence this war of psychology to make people just give up (similar to what the US has been doing with privacy).
Don't give up. If they want a fight, they can have it. You and your customers all have rights, defend them and get your politicians to grow a spine (or do fewer things they can be blackmailed with, of course).
On a less aggressive note: has anyone noticed what is happening to US passport holders abroad?r Nowadays, it's easier to get a bank account with Nigerian passport than a US one...
1) "You can't do anything against us, lube up"
2) "If you want to do anything against us, deep down it's just about filty lucre anyway, so don't"
That guy sure is a piece of work. A mix of narcisissm, american exceptionalism, belief in the omnipotent state and hypocrisy. And a desire to keep going on the useless talking heads roundabout.
But he's right. There *will* be lubing up. EU behaviour on subjects as diverse as FATCA and Ukraine says so.
they are going to force all the multinational companies which want to open a single office in US (almost all as US might be the ground for their branding) for giving access to their data even if that is offshore.
That's what a good privacy strategy is for. It starts with "if you have a US HQ, you're pretty much hosed, so let's move that first". Once you have decision power relocated outside the US, you leave a subsidiary in the US whose access to data from there is pretty much segmented away from the rest of the corporation. Then you go through the corporation country by country and clean up any residual leverage (a classic example is having a dependency on a US provider, or US investors which can be blackmailed with the promise of eternal IRS investigations).
The entertaining issue is that this idiocy is putting the whole of Silicon Valley at risk (an issue they are now trying to plaster over with all sorts of excuses). Companies there already have SERIOUS problems selling in Europe, and it's only going to get worse because the Safe Harbor fix has now also been exposed for the irrelevance it is..
Well, the message confirms the fundamental basis of the idea to move abroad.
We all know that if we becoma a target, the hit is likely to be successful. That has not changed since the days when intelligence services were opening letters sealed with a wax seal with a heated thin blade. Nothing new here.
That "targeted" approach however, requires a target selection and resource for _EACH_ and _EVERY_ target. That is finite resource. Even NSA cannot hack everyone abroad.
Compared to that - the ongoing attack on all local targets under jurisdiction is a constant resource. Different ball game altogether.
> That "targeted" approach however, requires a target selection and resource for _EACH_ and _EVERY_ target. That is finite resource. Even NSA cannot hack everyone abroad. Compared to that - the ongoing attack on all local targets under jurisdiction is a constant resource. Different ball game altogether.
Exactly. He's obfuscating the controversy by claiming that it's about the NSA. It isn't. It's about Congress and the White House.
I'm a strong supporter of spying agencies breaking the law -- I'd rather they break laws than that laws be changed to allow spying, as the latter leads to a ridiculous petty police state, with, for instance, local authorities legally spying on parents to check they're in the right cachement area for their kids' school. If what they're doing is illegal and they can get in trouble if caught, that's a very sensible and effective check on their behaviour: they only do stuff if it's worth that risk. What Congress and the White House did was remove that check -- in the Land of Checks & Balances, no less. Ha!
Also, if the spies are breaking the law, their targets are allowed to avoid them. Sure, the NSA can hack a server in Sweden, but the owners of that Swedish server are allowed to stop the hack if they detect it, they're allowed to upgrade their security whenever they want, they're allowed to install a new server without the same vulnerabilities, forcing the NSA to go to the effort of hacking all over again. Again, that effort is a check on their behaviour. I prefer that to the current US system, where the owners of the servers are legally obliged to give a direct feed of all their data to the NSA, no hacking required.
A lot of IT-illiterate members of the public aren't seeing these distinctions, which is fair enough, but I hardly think this bastard is one of them. He's just lying about what the controversy is.
It's the difference between your data being wholesale tapped "because we can" with no warrant versus a specific hack that, presumably, had a little more judicial rigor around it.
Given all these revelations, if you keep data in the US you can pretty much assume at least the metadata has been scanned and possibly stored. Anything outside the US is probably going to be at least a little, if not a lot, better than this poor standard.
@Flat Phillip
"It's the difference between your data being wholesale tapped "because we can" with no warrant versus a specific hack that, presumably, had a little more judicial rigor around it."
Actually, I think it's pretty much the other way around: spying on your own citizens, while easier from a technical perspective, seems to be more rigorous from a legal perspective*. So far as I know, I don't believe a US court would be likely to rule that collection of European data from a European server violates anyone's fourth amendment rights!
I don't doubt that there would be some processes around such 'hacking' but I doubt they would be 'judicial' in nature.
* - By relative measures, of course.
@Salts
Right on.
Moreover, as such actions do not, in any sense, fall under the jurisdiction of National Security Letters and suchlike, a hosting provider in Luxembourg (for example), is fully within its legal rights to communicate any such breaches to its customers and the world at large.
Data being moved from US-controlled servers changes the game from "grab what we want, under full protection of the law and with little chance of exposure" to "make a conscious decision to breach foreign owned and run servers, risking discovery and public condemnation".
Of course they are clearly doing this already so it's not something they are adverse to but there is a big difference between lawfully requesting/receiving data from a company compelled to secrecy and silence and clandestinely breaking into foreign-controlled servers.
That might be a better place to keep your cloud data even as (or especially as) a US citizen/company. Sure, the Chinese can definitely access it, but if you store encrypted data it is probably safe. I think they'd have much less chance of breaking the encryption than the NSA.
Thus, encrypted data is probably safer sitting on a Chinese server with the Chinese equivalent of the NSA trying to crack it as it would be on a US or EU server with the NSA/GCHQ trying to crack it. As a US citizen, this is a very sad state of affairs to admit.
If you are a US political group, environmental campaigner, 99%-er, pro-gun etc etc, then you are probably better keeping your data on a Chinese server than a US one.
The cold war was a bit of a waste of time and money wasn't it?
If you are a European aircraft/car/software/phone maker then you don't want your data on a US/UK server or a Chinese one. Does Nigeria do cloud hosting?
That's a great idea, but may I recommend one change? Don't fragment your data, store two complete copies, each XOR'ed with the same random data, so it can only be reconstructed on your end by XOR'ing the two together. Let the NSA and the Chinese each go crazy trying to decrypt something utterly impossible to decrypt!
Someone should write a Linux FUSE driver for that...
I left unspoken the obvious fact the data would be encrypted before being XORed with random data.
So someone wanting to get your stuff would need to successfully hack into a US and Chinese cloud provider, and crack the encryption.
I think that makes it impractical for a "let's capture everything" type of attack. If you attract their interest, they won't bother with any of that. The fastest way to break encryption is with a rubber hose, after all.
So someone wanting to get your stuff would need to successfully hack into a US and Chinese cloud provider, and crack the encryption.
You forget the very real possibility the NSA and its chinese counterpart routinely hack into EACH OTHER. Meaning it's passing fair one encounters the other's file, puts two and two together, and obtains a copy of the other's file, reducing the number of places you have to hack. Furthermore, merely finding something like this would likely draw an investigation into who did something this elaborate.
You're onto something here, what about an encryption method that splits the data up into a large chunk and a smaller chunk - like a keyfile for ssh? Is there any program that already does something like that?
You can stick the small chunk on usb and simply store the larger chunk in any cloud.
As I understand it, there are encrypted filesystem programs already in existence that can operate on a file image. A CLOUD file image could perhaps be done in a stretch. As for the other piece, that's just a keyfile, and you can make that just about anything of your choice. As for hardening the image file, many of them can use multiple algos for extra strength. It reduces the throughput, but with a cloud file the network is the bottleneck anyway.
>"If you think passing a law making data localization a requirement in the EU or Brazil [...] stops the NSA from getting into those databases, think again."
That is excellent. hosting in the EU or Brazil is not going to make the job of our beloved acronyms any different so they are offering no opinion about where we host. Got it!
"If you think passing a law making data localization a requirement in the EU or Brazil [...] stops the NSA from getting into those databases, think again."
If you think data localization in Europe won't cause your operational costs and the risks your operatives incur to increase tenfold , think again.
But you can make them think it's too much trouble and go after easier prey.
That works for me.
Actually it's about both the bottom line and privacy.
Because if you're a European business whose IP has military applications (and with the right PoV that's probably damm near everything) having your IP passed to some BFF corp of the NSA means you could be out of business.
I suggest that cheap cloud deal does not look quite so cheap now.
>But you can make them think it's too much trouble and go after easier prey
As the joke/adage/saying goes in at least one variant.
Don't try to outrun the lion/bear/[any Australian animal except some of the sheep]. Try to outrun the guy behind you.
"is probably marginally safer on a US based service. There are limits to NSA activities at home, but none on their activities abroad. And most of the rest of the worlds state backed eavesdroppers are more domestically focused."
Wrong.
A by definition if the billing address is abroad it's probably a furriner and if the servers are in the US THE PATRIOT Act dumps the 4th amendment
Or did you not realize that, Mr AC?
They don't have to trump it. They just IGNORE it: "Ink On A Page". It's not like you can vote in anyone else to replace them (no one even gets on the ballot unless they're in on the plot). And the average American is to apathetic (or busy trying to earn a living) to organize a massive uprising a la Kiev.
If you're putting data on a US based service from anywhere in the EU, GCHQ and the NSA have a full copy of your data. Did everyone miss the revelation that every single packet passing over a long distance fibre link in or out of the UK is being caputured? Did everyone miss that GCHQ and the NSA have systemically undermined encryption systems?
The point is that NSA (and pretty much any other agency) can simply send a secret FISA warrant and seize all the data by themselves. They don't need to hack stuff within their borders, they already have the omnipresent power there. That's why lavabit shut down.
Same thing applies to CBP, they can simply dump all your HDD's contents for later "research" if they want to at customs. This is why I had to delete sensitive client data before traveling to the US; I'd be involuntarily breaking NDAs just by entering the US. Extra points as the CBP power was given by a judge during a pedophile case, so it gets the added "for the children" mantra used instead of going after "terrists".
It'll take a few years, but if something doesn't change you'll slowly see an increased focus from European consumers on buying non-american stuff. It'll be like a weird form of continental commercial nationalism.
Hopefully stuff will change, but it seems unlikely anything will happen till money stops flowing.
It'll take a few years, but if something doesn't change you'll slowly see an increased focus from European consumers on buying non-american stuff. It'll be like a weird form of continental commercial nationalism.
That has already been happening for a few years, not in the least helped by the IRS hunting tax dollars abroad (which brings them less than they spend on investigating, but IMHO it appears it's the fear they're after, not the money). In IT, there is already extreme weariness using US kit (the simplest example is Huawei vs Cisco), in banking they don't even want to *touch* a US passport holder anymore because they cost more in compliance than they bring in revenue, and a US accent is no longer certain to produce a positive reaction - most try to hide it now.
It's interesting how a nation can turn its citizens into unwanted pariahs abroad.
For a country that basicly on the side of the good guys the septics make themselves very hard to like. Even there closest allies are starting to say what they have felt for a long time. Basically that they are a bunch of arrogant pricks who don't give a shit about anyone except a few thousand voters in a few swing states.
The guy seems to be setting himself up as a tea party candidate. His next argument will probably run "all data was created by god and right thinking godfearing american citizens should have access to it all"
To be honest, the US already had accumulated a lot of bitterness during the Cold War, so much that a good chunk of their current problems are caused by their past evils.
- Iran? They CAUSED it, along with the UK, with Operation AJAX. So much that said operation is no longer considered a good thing as it basically triggered a series of events that caused the Islamic Revolution and turned Iran into the US-hating, religious-zealot-run country it is today.
- Most of Latin America suffered bloody tyrants and South America in particular had at one time a CIA backed dictatorship in most of its countries. Ever wonder how Chavez got to be President in Venezuela? That's why. Having a US hating prez is the new cool in most of South America.
- The Iraq WMD lie basically killed whatever goodwill was left in the remaining part of the world that didn't have a grudge against the US. Dubya's Administration foreign policy brought hatred to the US and the whole NSA/PRISM thing was just the finishing touch to all that.
It is indeed sad to see this happen, given that the US at one point was the shining beacon of freedom during the 19th Century. Today? Not so much.
"- The Iraq WMD lie basically killed whatever goodwill was left in the remaining part of the world that didn't have a grudge against the US. Dubya's Administration foreign policy brought hatred to the US and the whole NSA/PRISM thing was just the finishing touch to all that."
You missed the estimated $13T (that's a 13 with 12 0x) that the US is estimated to have stolen from the Iraqi economy.
Starting with the cost plus sole supplier contract award by "Gin Rummy" Rumsfeld through a trusted stooge subordinate when he was SecDef.
Would I be p**sed off if I was an Iraqui growing up in post invasion liberation Irqaq?
F**k yeah.
Legalise hacking USA servers.
Interesting approach to reciprocal treatment - after all, the NSA's activities abroad were declared perfectly legal under US law (as far as I can follow it), so it's indeed a viable "reap what you sow" option.
We should also fingerprint anyone who leaves the US.
Dear GCHQ
Having forgotten my password for my lineone account, I dont suppose you could nip in and click the 'forward mail' option could you. Usual addy please, which no doubt you know. If you havent got that info could you ask NSA for me as I dont know who to contact there..
TVM,
UK minion
... North Korea.
I doubt they'll intentionally isolate themselves; rather, they'll just gradually piss their erstwhile allies off more and more until suddenly they realise that the world's moved on without them and they aren't so relevant any more.
Remember when the USSR collapsed in 1991? I wondered then who the Yanks would point their guns at next. This is the huge problem they have - two generations of military and security people who were brought up in the Cold War era and taught to regard the Soviet Union as The Enemy (TM). Now the USSR has collapsed and the threat of Mutually Assured Destruction has receded (not completely gone though), they're left in positions of power facing a world order they're quite incapable of dealing with.
So they're falling back on their Cold War training. Iraq is a classic example of that strategy. As they're struggling to deal with the today's challenges, all they can do is do more of what they already do, oblivious of the fact that they're turning the United States into a xenophobic bullying pariah in the process. They don't know, or possibly don't even care, that throughout the world, friendship is developing into suspicion, suspicion into dislike and dislike into full-blown loathing.
Well done, Vladimir. Looks like your side won, after all.
"There are very many SF stories going back decades based around the idea of America isolating itself from the rest of the world. They are all looking rather prophetic now."
"The Cold Peace" is the backdrop to Vol 1 of James Blish's "Cities in Flight" series.
A totalitarian theocracy in the US is a key feature of RA Heinlein's "Revolt in 2100," which given the SEL nature of some of these jokers is starting to look like a real piece of "future history."
"NSA and any other world-class intelligence agency can hack into databases even if they not in the US"
Didn't the US say that they would consider such actions by a nation state to be an act of war at some point last year? Or was that only building of viruses to target systems they were referring to?
If you have data that you want to keep confidential, don't store it on a server owned by somebody else. It really is that simple. As soon as the data leaves your own systems, you have no control over where it goes and no control over who can access it. You might be under the illusion that you do, but in reality you don't.
At that point you have to have complete trust in your cloud provider, and every telco that carries your packets, and every one of their employees and subcontractors, and the government agencies of every country where the cloud provider and telcos have datacentres.
If you are going to store sensitive data in the cloud, you might as well just post it on facebook.
"The United States government has to get out of the business – if it were ever in the business – has to get out of the business of fucking with encryption standards," Clarke said.
No, Mr. Clarke. The United States government would have to be seen and believed to have gotten out of that business. Regardless of your political stance on the whole matter, that is going to be a Herculean task in the current environment.
"Well, perhaps not a lady in this case, but a spy telling everyone not to bother to take any defensive actions, because they'll just bypass them anyway, does sound just a bit like someone trying to control with misinformation."
Yes. It's a variation on an old psychop speech I used to give.
My punchline was whenever someone tells you this why are they telling you this?
Just about everything we do is intended to give the US a commercial advantage. That's the natural order of things. But if you do it, that's an attack on our fundamental freedoms (Star Spangled Banner, much saluting, waving of Mission Accomplished placards, reading of US Constitution, laying of wreaths by the NRA at the Zimmerman Memorial).
Clarke is a funny guy.
NSA may hack into European based datacenters but it won't be as easy as forcing a US company to fork the data & mass surveillance will be largely out of questions without active European cooperation.
In addition let's not turn the table. European companies are not using NSA as a marketing tool. The NSA clowns and the Fisa biggots created and maintained this American disadvantage all by themselves.
Btw did fake President Obama offer the Queen of England an iPhone at the time based on NSA recommendations?
Yes, the data might not be safe from the NSA, however you have legal cover in the EU if the NSA hacks into your systems to use it against you. In fact, it should be legislated that if that data is obtained illegally, then you cannot be extradited to the US imho. If we really wanted to escalate, you could consider having an EU citizen's (intellectual/virtual) property attacked by a foreign government's agency an act of war.
1. Nobody does any sort of business with the USA or its colonies.
2. All copyrights, patents and licenses specifically exclude Gitmo Nation.
3. We make it clear that we are happy at being friends or allies but they do not have rights over us.
4. We regard their hacking us in the same way they would feel about it.
So we would loose some market - after all the USA has nearly 4.4% of humanity in it. They aren't are rich and powerful as they used to be. They have been heading down since at least the start of the century and their military is doing to them pretty much what the USSRs did to them...
By "localizing", the non U.S. countries are better able to monitor their own citizenry, and retain taxable services within their own economy. This also enables the NSA to have centralized data collection points to simplify the monitoring thereby reducing the NSA's co$t. Many governments will hand desired data without a hack; and as most data isn't needed the NSA's searchability is improved at a reduced co$t.
For me moving what tech I had from US to EU cloud providers wasn't ever about escaping illegal US military surveillance. It was about not rewarding US companies for aiding the military in their effort. To be blunt, it was about punishing those companies for betraying my trust by "voting with my feet". If some of the largest and most politically influential companies on the planet can't be bothered to bring that influence to bear in curbing abuse of their customers by the US military -- especially when it is clear that they would almost certainly suffer financially when their complicity became public -- then it seems to me that the only thing left for any of us to do is everything we can to make that worst case economic scenario a reality for them in the hopes that it will deter them from future bad behavior.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
