back to article Security guru: You can't blame EDWARD SNOWDEN for making US clouds LOOK leaky

Accusations that the revelations from rogue National Security Agency sysadmin whistleblower Edward Snowden have damaged the US technology industry are misplaced, according to influential security guru Mikko Hypponen. Hypponen, chief research officer at security firm F-Secure, said that the disclosure that US tech was either " …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I beg to disagree, it a number of mutli million pound tech deal i've been in there is a specific set of question around exposure to the Patriot act. these were refered to as deal breakers.

    1. Anonymous Coward
      Anonymous Coward

      deal breakers

      Yes, the phrase in the article "it appears that the outcry in Europe and further afield over privacy has not had much effect." is not only currently wrong - the Snowden 'top secret' leaks will have manifest effects for at least the next decade. Cleaning up after the overcollecting agencies might not make headlines, but it has led to major effects in pan-european ICT projects that I'm unable to go into!

    2. vagabondo

      Diligent organisations would be leery of exposing their or their clients data to US hosting or "the cloud". But I doubt that has as much to do with the Snowden reports apart from a general awareness of the leakiness of "big data". Of course Snowden and Manning demonstrate the leakiness of data that has mass access.

      Uncontrolled access to large amalgamated personal datasets by NHS, Police, Local Government, Parking company, etc. staff represent a more difficult problem for the populus to worry about.

    3. Lars Silver badge
      Happy

      Read "has not had much effect" as has not had enough effect. Or fucking little effect. Finns dislike superlatives.

  2. Anonymous Coward
    Anonymous Coward

    I had flagged US clouds as a risk

    in 2010, when one of our HR bods found an online portal for recruitment based in the US.

    I waved a copy of the PATRIOT act to their safe harbour, and we kept well clear.

    1. Anonymous Coward
      Anonymous Coward

      Ferris Bueller, you're my hero!

      Good for you, well done, you're a jolly good chap. Thanks for telling us all about your stellar work.

    2. big_D Silver badge

      Re: I had flagged US clouds as a risk

      Exactly. US cloud companies were a major risk long before Snowden came along. I had always said, until the Patriot Act was repealed, that the cloud wasn't a real solution for European companies, when the provider also did business in the USA.

      The Federal,Judge in the Microsoft case this week hasn't made the situation an better.

  3. Daniel B.
    Black Helicopters

    Of course Snowden didn't hurt

    Anybody who could've had issues with the Snowden leak was already wary of US-based services thanks to the PATRIOT Act. And then there are the warantless SWIFT data grabs by the US, while SWIFT did side with the US on that issue, they subsequently moved all EU banking data and processing outside the US.

    By the time Snowden leaked the NSA/PRISM thing, the possible clients had already been scared away.

  4. I am a machine (says Turing test)

    Apparently storing data outside the US doesn't help either

    http://www.bbc.co.uk/news/technology-27191500

    If you deal with an American company it doesn't matter where the data is, a US warrant will be enough. For the American government other countries' laws do not exist or are just meaningless.

    (More details also under dictionary entry: "drone")

    1. vagabondo

      Re: Apparently storing data outside the US doesn't help either

      El Reg reported this story earlier and with better comments:

      http://www.theregister.co.uk/2014/04/28/us_judge_digital_search_warrants_apply_everywhere/

  5. Salts

    A Bit Confused...

    "The whole timeline of the leaks bothers me."

    Why? selfless hero or not, if your going to do it at least do it when it has the greatest impact.

    1. Charles Manning

      Re: A Bit Confused...

      "at least do it when it has the greatest impact"

      No, rather do it when it will prevent the most damage. Please tell me my parachute was incorrectly packed before I jump. Non-events are better than events.

      At the start of the Snowden leaks it looked like yet another disgruntled employee/contractor going off the rails vying for media attention alongside Bradley/Chelsea Manning, Assange, and Kim Dotcom. It was only through persistence that Snowden's comments got elevated above the chatter.

      Although the PATRIOT act is well over the top, it was very hard for anyone to accept that any part of .gov would actually go as far as NSA has.

      While PATRIOT legitimises some of what the NSA appears to have done, the chances are they would have done it anyway. They were limited by their technology, not what the law makers said. Give them higher power toys and they immediately do more intrusion on more people.

      That this happened during Obama's watch does not mean he caused it. It only happened now because back in Bush's day they didn't have the computing power they have now. Where Obama failed in his oversight was missing the fact that with increased power, the NSA would grow beyond guidelines set out for them.

      In essence, the only law that NSA understands is Moore's Law.

    2. Anonymous Coward
      Anonymous Coward

      Re: A Bit Confused...

      Well, he has to do it sometime, and the US always has multiple sensitive meetings coming up or ongoing issues at any one time. Exactly when would there have been a "quiet" period in the past half century where someone couldn't potentially be bothered by the timing of the leak.

      In addition, the longer he waited the greater the chance he'd be caught and nothing could be leaked. Once he had all the files, the clock was ticking, he couldn't wait forever.

      Though maybe Snowden didn't like the hypocrisy of the US constantly badgering China over this when he knew the US was just as bad.

  6. monkeyfish

    Well said that man.

    The European tech industry has failed to produce viable alternatives, he claimed. Even in cases where a tech firm makes it big - such as Skype - these firms get bought by Microsoft or other US tech giants, Hypponen concluded.

    Where are the EU alternatives for email, cloud storage, and social networking? None of the ones I've found a rival for Google, MS, and Facebook. Maybe Nokia with all their billions could invest in it? They already have maps after all, and they used to make phones, so they're not unfamiliar with consumer interfaces...

    1. RTNavy

      Re: Well said that man.

      Nokia is owned by Microsoft, so that doesn't help!

      The story also mentioned how many of these "rivals" end up under one of the US Firms anyway.

      1. Davidoff
        FAIL

        Re: Nokia is owned by Microsoft, so that doesn't help!

        No, Nokia is *NOT* owned by Microsoft. Nokia has only sold their cell phone division to them. Nokia is still alive and does other things (i.e. network equipment, HERE maps).

      2. Charles Manning

        Re: Well said that man.

        Only Nokia phone division was bought by MS.

        Perhaps The Company Formerly Known as Nokia (TCFKAN) could make a bundle in cloud services?

        1. monkeyfish

          Re: Well said that man.

          In reply:

          1) As previously pointed out, Nokia are still their own company, albeit with several billion in the bank from selling their phone division to MS. There are still 3 other divisions of Nokia (a company that has been around for ~130 years), that are still quite profitable.

          2) I would prefer a European alternative to these services not only for privacy, but because I find European products generally better than American ones.

          3) Who said anything about the company crown jewels? I was talking about personal services, your company should probably pay for it (of which there are several EU companies to choose from).

          4) To take on Google/MS/Facebook in the consumer space you would need a well known brand that people generally trust. I think there is still a lot of fondness for Nokia in Europe, so they would have a fighting chance.

          In the end it comes down to trust, do you trust Google/MS/Facebook? I'd be more inclined to trust an EU company, especially a Finnish one.

    2. Smoking Man

      Re: Well said that man.

      There's even no operating system available which wouldn't be controlled by an American company.

      So if the Europeans started to create alternatives for search, social media and such, guess what those alternatives would run on.

      Who's your daddy.

      1. Davidoff
        Holmes

        Re: no operating system available which wouldn't be controlled by an American company

        Not true. For a start, Linux isn't controlled by an American company.

        And then there is this: http://www.soos-project.eu/

      2. Nigel 11
        Linux

        Re: Well said that man.

        There's even no operating system available which wouldn't be controlled by an American company.

        Boggle. Ever heard of Linux?

        Not only is it not controlled by an American company, it is not controlled by any company or other organisation at all. It's Free Open Source Software.

        It's possible that there are backdoors in Linux or related software that were engineered by the NSA and which are sufficiently obscure that all the folks who have since looked at the source code have missed the problem. Witness Heartbleed (which was probably an accident, but similarly was not noticed for quite some time). But that's not the same as controlled.

        1. keithpeter Silver badge
          Windows

          Re: Well said that man.

          "Boggle. Ever heard of Linux?"

          Or the *BSDs...

          OpenBSD is supported by a Canadian not-for-profit corporation. I suspect De Raadt isn't going to be doing anything funny.

        2. channel extended
          Joke

          Re: Well said that man.

          Wait, Linux is owned by Microsoft? What happened to Windows?

    3. Nigel 11

      Re: Well said that man.

      Where are the EU alternatives for email, cloud storage, and social networking?

      Email - if you care, use encryption. The e-mail protocols are absolutely as open as a postcard in the mail unless you encrypt. PGP also allows your correspondent to verify that it was you who sent the e-mail, not someone impersonating you. Alternatively just don't say anything in e-mail that you wouldn't write on a postcard.

      Cloud Storage: again, if you care, keep your live data locally and encrypt your backup data before it enters the cloud. Or decide that the risk of putting your corporate crown jewels outside the physical boundaries of the corporation is not worth the cost savings from using cloud services instead of locally-hosted ones.

      Social networking: oh really? I find the best way of not having spooks, burglars, con-men, salesmen, salesdroids, bosses, promotion rivals, exes, and random nutters knowing more about me than I know about myself, is not to use social networks at all. Call me paranoid if you want, but surely the USA gubmint comes very far down on the list of people that most social network users should concern themselves with?

      If you are of dircet interest to the NSA none of the above will help. Your best bet would be to refuse to use any electronic device manufactured since 1990, but they'll probably still have you bugged and monitored 24x7. There are people out there who choose to live without any technology not available several centuries ago. I should think that a modern spook's biggest challenge would be spying on someone living an Amish lifestyle!

      1. tom dial Silver badge

        Re: Well said that man.

        @Nigel11:I wish I could upvote this a few dozen times. Nothing in it goes beyond what any reasonably intelligent person could reason out, yet these facts almost never are mentioned, and hardly anyone pays attention when they are.

      2. Mark 65

        Re: Well said that man.

        The problem with encrypted email is that email encryption is not pervasive. I can't encrypt my email if the recipients don't use encryption and half the time it can be a pain in the arse to setup. Now if firefox (for webmail), iOS Mail or thunderbird etc came with email encryption ready to go with wizard to prompt for setup at the start then maybe we could get this ball rolling. But if it is left as a download, install, setup, integrate task for the end user it just won't take off.

    4. Daniel B.
      Linux

      Re: Well said that man.

      Nokia the non-MS-Borged company might simply resume work on Harmattan and have that as an EU OS for mobile platforms. Or reacquire Symbian from Accenture. That would give the EU a non-US OS. And the rest of their operations? Simply base 'em off Linux.

  7. 2StrokeRider

    Right, so, putting all the cloudy bits in EU will keep the NSA out? Sure they'll use the law for a Warrant where they can, but if it's a non-US company in another part of the world they'll just take it anyway, or does anyone think they and other Intelligence Services didn't have heartbleed exploit for quite some time. I'm sure they have quite a few nice tools they're using to collect data worldwide.

    1. Mephistro

      @ 2StrokeRider

      Two points:

      - The costs for the spooks will skyrocket, perhaps even making mass surveillance economically unfeasible.

      - The risk of discovery and prison for the spooks and their collaborators will go from about zero to quite high indeed, giving the Yanks a strong incentive to abandon mass surveillance in the area, and resorting to dirty tricks only when they're going after the really big fish.

      So yes, having the data in Europe and protected by European laws can be extremely beneficial.

  8. Don Jefe

    Fiduciary Responsibility

    It could be a career ending deal for staff and management if they came to me and suggested changing vendors just because of the Snowden material. They could roll it into their pitch as a 'value added' bonus sort of thing, but not as a primary justification for change. Apparently most other people feel the same way.

    It's not that I'm OK with what the NSA is doing. I think it's 717 different ways of fucked up, but what are you going to do? Two wildly unpopular US companies have been in Brasilia for months getting the details sorted out for building and managing the new data centers that meet that are compliant with their post-Snowden legislative adjustments. The IBM deals in China that some sites made lots of noise about were never cancelled, they were sent back for renegotiation. That's all sorted and the press you're going to hear about new secure systems of checks and balances in the deals are checks going to IBM and increasing their balances.

    The Canadians never gave a shit. They figure we spy on them anyway (they're certainly correct). Some people in various parts of the UK seemed somewhat disturbed by it all, but not enough to do anything about it and the Germans are always angry.

    The time for action has come and gone. Not a god damn thing happened and it ain't going to happen tomorrow either. So where am I going to put my data so that it's secure from State Intelligence Agencies? North Korea? Iran? Tonga?

    I don't like any of this one bit. It's 100% bullshit and that will be reflected in my voting and my campaign contributions, but what else is there to do? The same people screaming about how their counties and businesses would stop doing business with US and build their own solutions sure did get quiet when they got discounts or friendlier terms on invoices. If 30 days more interest free time to pay your bill is all it takes to make everything better then meaningful rebellion was never going to happen. That sort of thing is expensive.

    Nor are people going to spring up with viable new alternatives. They had a chance, but nobody came. I checked today and of the ~70 proposals our VC group actually looked at last year exactly zero made securing data from the US a priority. None. So that ship has sailed. There's not an investment group on Earth that would get involved now. All the people who were genuinely upset have been mollified for cheap.

    It sucks. But that's people for you.

    1. Mephistro

      Re: Fiduciary Responsibility

      "It could be a career ending deal for staff and management if they came to me and suggested changing vendors just because of the Snowden material"

      That's because you're American. You can't opt out from surveillance, no matter where you cloud service is located. If you were a European customer, and if your company was creating original IP, or making big sales to business or government, you'd probably think differently.

      1. Don Jefe

        Re: Fiduciary Responsibility

        You can opt out? There's a little box you check on your censored Internet that says 'I don't want to be spied on by State actors'? No, there isn't, and you know it. You might not want to admit it, but you know it's true. There's no option.

        Who kept you safe from surveillance prior to the Snowden material? The answer is nobody, the same people who are doing it now. Except it is costing taxpayers in other countries a little bit less for the equipment and a lot more for the consult and associated services. So you're paying even more for nobody to do anything. That sucks.

        The IP issue is precisely why we don't do anything in the cloud. Besides the technology we create and license, we've got internally developed technology that gives us a competitive advantage over would be competitors, losing control of those trade secrets would be disastrous.

        Back to the point, what non US companies stepped up to provide cloud services 'safe' from US surveillance? Nobody. Not a single non US company established itself and offered anything remotely comparable to what US companies provide. They didn't do it because they don't have the resources, they didn't do it because it's financially irresponsible. You can't build the necessary infrastructure and offer access at anything resembling a competitive price.

        Any hopes of competitive alternatives died the moment Amazon, Microsoft, Rackspace and Google decided to make price a primary selling point. It's just going to get cheaper for them as they continue to pull in more, and larger, clients. Like I said in my earlier post, there's absolutely no chance of outside investors buying into a cloud startup targeted at generic commercial entities. None. Zero possibility.

        There was a big window for those alternatives to get funding, but nobody came. It's all fine and dandy for you to talk about how 'company this and company that' but company didn't do shit. People tend to stop blabbing once they get a real sense of what competing would cost, and there's simply nobody who wants to get outside investment to create something they absolutely cannot sell and nobody who is going to provide the money for them to do so. Ship has sailed.

        So before you go completely missing the point and making this anti US issue, why don't you see if there's a pro-business alternative. Go look at why nobody in Europe 'opted out' and built their own offering. It's a shame nobody did, but they didn't. Now they can't.

        1. Mephistro

          Re: Fiduciary Responsibility (@ Don Jefe)

          "what non US companies stepped up to provide cloud services 'safe' from US surveillance? Nobody"

          The Snowden revelations are not a year old yet, so you should wait a bit longer before saying this. And there already are companies that have started to offer secure mail.

          Any hopes of competitive alternatives died the moment Amazon, Microsoft, Rackspace and Google decided to make price a primary selling point

          Until European lawmakers get the hint and begin considering the implications of American cloud services in the context of European privacy laws. And in the context of industrial espionage also.

          So before you go completely missing the point and making this anti US issue

          No. The point in my comment was that in your circumstances your approach may be considered wise. But in slightly different circumstances -i.e. Being European and working in Europe- you'd seriously consider never using American cloud providers. Or Chinese ones, for that matter.

          The IP issue is precisely why we don't do anything in the cloud

          Totally agreed.

          1. Don Jefe

            Re: Fiduciary Responsibility (@ Don Jefe)

            Not quite a year old is quite a bit too late. An advantage of being on the Board of a VC group is that you get a really good idea of where things are headed. I use The Register as my gauge of European sentiment about IT 'stuff'. Anytime there is a big technology shift, sweeping new government regulations or change in political climate it just takes a few weeks, or less, for serious investment proposals to start coming in.

            Most are insane and never get past somebody looking at the executive summary. Some are mildly interesting so you flip to the back to see how bad they suck at finance. A few are grounded and pragmatic so you call them up for a chat and if they've got any sales competency on the call you bring them in for a face to face and see what happens. We get proposals from around the globe from all branches of engineering, science and technology and portfolio companies in seven countries (eight in Europe) and it seems fairly random.

            But it isn't random at all. The deeper you look the more that seemingly unrelated things are just different takes on a very small number of new developments. That's what business is about, finding a way to capitalize on change. We've received proposals for scads of cloud related things (provider migration, resource forecasting, collaboration tools, identity assurance, etc...), but no service providers. Zero. For 2013 we received 14 proposals from startups in space exploration. But none from cloud service providers. Zero.

            We had a guy from Dunedin New Zealand come to Virginia and fly his proposal for a secure email service over our fences with a scratch built drone because he was afraid to email or upload it and he couldn't get past security (I did send him back home first class and gave put him in contact with people down there. There's a tiny little company working on a better flux for use in large scale electronics manufacturing not too far from the El Reg London offices that we funded last year. There's another company just outside of London that's doing some bleeding edge work in data compression, but no cloud service providers. None. Zero.

            There was a chance for something new. But nobody took it. I'm going to be in San Jose Saturday where lots of really big VC's are and it'll be the same for them. We all talk you know. We're all in this for money and there isn't any to be had in a cloud service provider this late in the game. Maybe a huge technology shift, or another NSA scandal that will provide new opportunities, but that's not the case now. There's just no money in it to justify building from scratch.

        2. elDog

          Re: Fiduciary Responsibility

          It would be foolhardy for any outfit to offer a certifiable, non-penetrable, cloud solution - now that the actors have implanted their hooks into every bit of equipment and supposedly open-source software. Of course even that word "certifiable" is stupid since who is really certifying those certifiers? Let's see, do I trust Trustee or Verisign or anyone else?

          I agree that corporate, IP, personal, medical, national, etc. information should be kept outside of the clouds, whether directly NSA controlled or well-hacked by other agents. Based on recent revelations of in-house miscreants, I don't think I'd trust any information that wasn't stored and retrievable by at least a three-factor algorithm.

      2. Vociferous

        Re: Fiduciary Responsibility

        > If you were a European customer, and if your company was creating original IP, or making big sales to business or government, you'd probably think differently.

        Absolutely. The US isn't even shy about admitting that it uses Echelon/PRISM/whatevs to spy on non-US companies for the benefit of US companies. If you're a non-US company in the defense or energy sector you are a primary target for US snooping even if you're in an allied country and selling to NATO or the US army.

  9. phil dude
    Boffin

    logically...

    ID theft would seem to be the way to go...the more the better.

    This, of course, is the big problem with the big "haystack" collection method.

    Identity != Intent. In fact, d(Intent)/dt = rand(x), where x is the starting seed....

    P.

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    Blaming Snowden for perception of leaks

    is like blaming the kid who cries out "the emperor is naked!".

    Of course nowadays, the kid would have been shushed by his parents, who would then lose custody while their child was properly "reeducated" through cartoons financed by the Emperor, and anyone daring to mention the child's outburst would find the IRS and HHS closely looking over every single aspect of their records for "problems".

    Blow that whistle, Ed! If even a few people learn to rely on themselves for security, instead of "clouds" for convenience, then you've done a great service.

  12. Nigel 11

    If you really want to scare yourself about the future ....

    Read some good SF. I found the back-stories in Vernor Vinge's "A Deepness in the Sky" particularly haunting. Societies that were driven back to the stone age or extinct by inflicting omnipresent surveillance on themselves. Others which avoided that trap, and fell into the more subtle trap of over-optimizing their civilisations, thus finding themselves powerless to avert a complete collapse when entropy finally gained the upper hand.

    The front story is also pretty darned good, though (IMO) a bit less frighteningly plausible.

    Do we have the wisdom to avoid in real life, that which will haunt your dreams when you read it as fiction? I very much fear not.

    1. ecofeco Silver badge

      Re: If you really want to scare yourself about the future ....

      History says no we don't.

      Repeatedly.

    2. Vociferous

      Re: If you really want to scare yourself about the future ....

      > Do we have the wisdom to avoid in real life, that which will haunt your dreams when you read it as fiction?

      Only if avoidance is the short-term profitable solution.

  13. ecofeco Silver badge

    Clouds not safe?

    ...as I was saying.

  14. Sporkinum

    Supposedly Snowden's revelations are a major reason why Brazil went with Saab on their jet $4.5b contract, and not Boeing.

    1. Vociferous

      > Snowden's revelations are a major reason why Brazil went with Saab on their jet $4.5b contract, and not Boeing

      Nah. The only thing which matter in big arms deals is bribes. Saab either out-bribed Boeing, or Boeing got scared that they were about to be exposed and dropped their bribes completely.

      1. Vociferous

        Two thumbs down? Yeah, I'm sure famously corrupt Brazil spent $4.5 billion on the slower, unproven, aircraft with the underpowered and failure-prone engine and the limited weapons mounts because they were upset about Snowden, not because Saab plied anyone with thicker envelopes and prettier whores than Boeing.

  15. Vociferous

    Snowden was/is a chinese spy.

    Whether that really changes anything is a different matter. He really did expose abuse.

    1. Nigel 11

      Re: Snowden was/is a chinese spy.

      Chinese??!

      So why is he stuck in Russia?

      1. a53

        Re: Snowden was/is a chinese spy.

        It seems there are some idiots posting here. He's stuck in Russia because his passport was withdrawn.

      2. Vociferous

        Re: Snowden was/is a chinese spy.

        >So why is he stuck in Russia?

        Because he overestimated the gratitude of his masters. China isn't big on helping people out of the goodness of its heart, especially not when doing so may cause problems with a big market, and sold/traded him to the Russians. When the Russians are done milking him for all the PR he's worth, perhaps they'll sell him to Iran or exchange him for some spy in US prison.

  16. Oh Homer
    Facepalm

    Blaming Snowden was even an option?

    Ignorance is bliss, is it?

This topic is closed for new posts.

Other stories you might like