Prez Obama cyber-guru: Think your data is safe in an EU cloud? The NSA will raid your servers

A former White House security advisor has suggested that you, dear reader, are naive if you think hosting data outside of the US will protect a business from the NSA. "NSA and any other world-class intelligence agency can hack into databases even if they not in the US," said former White House security advisor Richard Clarke …

COMMENTS

This topic is closed for new posts.


  1. Gray

    Message from US to EU:

    "You can run ... but you cannot hide!"

    1. Anonymous Coward

      Re: Message from US to EU:

      Message from EU to US:

      Still want Silicon Valley companies to sell in the EU?

      Seriously, though, there is in principle no difference between protecting your IT from hackers and from the NSA, only that the latter plays more dirty. There are few more defensive strategies out there, and the NSA knows it, hence this war of psychology to make people just give up (similar to what the US has been doing with privacy).

      Don't give up. If they want a fight, they can have it. You and your customers all have rights, defend them and get your politicians to grow a spine (or do fewer things they can be blackmailed with, of course).

      On a less aggressive note: has anyone noticed what is happening to US passport holders abroad? Nowadays, it's easier to get a bank account with a Nigerian passport than a US one...

    2. Destroy All Monsters Silver badge

      Re: Message from US to EU:

      1) "You can't do anything against us, lube up"

      2) "If you want to do anything against us, deep down it's just about filthy lucre anyway, so don't"

      That guy sure is a piece of work. A mix of narcissism, American exceptionalism, belief in the omnipotent state and hypocrisy. And a desire to keep going on the useless talking heads roundabout.

      But he's right. There *will* be lubing up. EU behaviour on subjects as diverse as FATCA and Ukraine says so.

      1. solo

        Re: Message from US to EU:

        Sad but true: next they are going to force all the multinational companies which want to open a single office in the US (almost all, as the US might be the ground for their branding) to give access to their data even if that is offshore.

        1. Anonymous Coward

          Re: Message from US to EU:

          they are going to force all the multinational companies which want to open a single office in the US (almost all, as the US might be the ground for their branding) to give access to their data even if that is offshore.

          That's what a good privacy strategy is for. It starts with "if you have a US HQ, you're pretty much hosed, so let's move that first". Once you have decision power relocated outside the US, you leave a subsidiary in the US whose access to data from there is pretty much segmented away from the rest of the corporation. Then you go through the corporation country by country and clean up any residual leverage (a classic example is having a dependency on a US provider, or US investors which can be blackmailed with the promise of eternal IRS investigations).

          The entertaining issue is that this idiocy is putting the whole of Silicon Valley at risk (an issue they are now trying to plaster over with all sorts of excuses). Companies there already have SERIOUS problems selling in Europe, and it's only going to get worse because the Safe Harbor fix has now also been exposed for the irrelevance it is.

      2. Yet Another Anonymous coward Silver badge

        Re: Message from US to EU:

        He is, however, one of the few people in government being honest and truthful about any of this.

        1. Anonymous Dutch Coward

          @ Yet Another Anonymous coward: Honest government employee!??

          That's why it says "former" in the article ;)

    3. Anonymous Coward

      Re: Message from US to EU:

      Well, the message confirms the fundamental basis of the idea to move abroad.

      We all know that if we become a target, the hit is likely to be successful. That has not changed since the days when intelligence services were opening letters sealed with a wax seal with a heated thin blade. Nothing new here.

      That "targeted" approach, however, requires a target selection and resource for _EACH_ and _EVERY_ target. That is a finite resource. Even the NSA cannot hack everyone abroad.

      Compared to that - the ongoing attack on all local targets under jurisdiction is a constant resource. Different ball game altogether.

      1. Squander Two

        "That targeted approach"

        > That "targeted" approach, however, requires a target selection and resource for _EACH_ and _EVERY_ target. That is a finite resource. Even the NSA cannot hack everyone abroad. Compared to that - the ongoing attack on all local targets under jurisdiction is a constant resource. Different ball game altogether.

        Exactly. He's obfuscating the controversy by claiming that it's about the NSA. It isn't. It's about Congress and the White House.

        I'm a strong supporter of spying agencies breaking the law -- I'd rather they break laws than that laws be changed to allow spying, as the latter leads to a ridiculous petty police state, with, for instance, local authorities legally spying on parents to check they're in the right catchment area for their kids' school. If what they're doing is illegal and they can get in trouble if caught, that's a very sensible and effective check on their behaviour: they only do stuff if it's worth that risk. What Congress and the White House did was remove that check -- in the Land of Checks & Balances, no less. Ha!

        Also, if the spies are breaking the law, their targets are allowed to avoid them. Sure, the NSA can hack a server in Sweden, but the owners of that Swedish server are allowed to stop the hack if they detect it, they're allowed to upgrade their security whenever they want, they're allowed to install a new server without the same vulnerabilities, forcing the NSA to go to the effort of hacking all over again. Again, that effort is a check on their behaviour. I prefer that to the current US system, where the owners of the servers are legally obliged to give a direct feed of all their data to the NSA, no hacking required.

        A lot of IT-illiterate members of the public aren't seeing these distinctions, which is fair enough, but I hardly think this bastard is one of them. He's just lying about what the controversy is.

        1. Thomas 4

          "We're going balls deep into your data...

          ...and there's fuck all you can do about it."

        2. Intractable Potsherd

          Re: "That targeted approach" @ Squander Two

          That is one of the most insightful comments I've seen for a while! Thanks for those thoughts that I'll probably recycle somewhere else.

          1. Squander Two

            Re: "That targeted approach" @ Squander Two

            Too kind, sir.

  2. Sanctimonious Prick

    Follows Night

    Follows Day.

  3. Salts

    Yes we know you...

    can hack into overseas databases, what's your point? The point of having data in the country of origin is that you will have to hack into it, not have it handed to you on a plate.

    1. Zippy's Sausage Factory

      Re: Yes we know you...

      So many times I read these forums and someone just said exactly what I was about to say...

    2. Flat Phillip

      Re: Yes we know you...

      It's the difference between your data being wholesale tapped "because we can" with no warrant versus a specific hack that, presumably, had a little more judicial rigor around it.

      Given all these revelations, if you keep data in the US you can pretty much assume at least the metadata has been scanned and possibly stored. Anything outside the US is probably going to be at least a little, if not a lot, better than this poor standard.

      1. dan1980

        Re: Yes we know you...

        @Flat Phillip

        "It's the difference between your data being wholesale tapped "because we can" with no warrant versus a specific hack that, presumably, had a little more judicial rigor around it."

        Actually, I think it's pretty much the other way around: spying on your own citizens, while easier from a technical perspective, seems to be more rigorous from a legal perspective*. So far as I know, I don't believe a US court would be likely to rule that collection of European data from a European server violates anyone's fourth amendment rights!

        I don't doubt that there would be some processes around such 'hacking' but I doubt they would be 'judicial' in nature.

        * - By relative measures, of course.

    3. Anonymous Coward

      Re: Yes we know you...

      In addition to this, by depriving big US corporations of income by hosting outside the US, they will put more pressure on the US govt to change, as it is costing them $$$.

    4. dan1980

      Re: Yes we know you...

      @Salts

      Right on.

      Moreover, as such actions do not, in any sense, fall under the jurisdiction of National Security Letters and suchlike, a hosting provider in Luxembourg (for example), is fully within its legal rights to communicate any such breaches to its customers and the world at large.

      Data being moved from US-controlled servers changes the game from "grab what we want, under full protection of the law and with little chance of exposure" to "make a conscious decision to breach foreign owned and run servers, risking discovery and public condemnation".

      Of course they are clearly doing this already, so it's not something they are averse to, but there is a big difference between lawfully requesting/receiving data from a company compelled to secrecy and silence and clandestinely breaking into foreign-controlled servers.

    5. Eddy Ito

      Re: Yes we know you...

      Perfectly said. If I may sum up: "Dear NSA: Work for it, bitch!"

      1. JonP

        Re: Yes we know you...

        >Perfectly said. If I may sum up: "Dear NSA: Work for it, bitch!"

        Or more likely - Ask your buddies in GCHQ etc.

        1. Androgynous Cupboard Silver badge

          Re: Yes we know you...

          Given our recent behaviour, I'd be surprised if the UK was invited to join any pan-european data warehouse...

  4. Anonymous Coward

    I'll bet they'd have a harder time hacking into one in China

    That might be a better place to keep your cloud data even as (or especially as) a US citizen/company. Sure, the Chinese can definitely access it, but if you store encrypted data it is probably safe. I think they'd have much less chance of breaking the encryption than the NSA.

    Thus, encrypted data is probably safer sitting on a Chinese server with the Chinese equivalent of the NSA trying to crack it than it would be on a US or EU server with the NSA/GCHQ trying to crack it. As a US citizen, this is a very sad state of affairs to admit.

    1. Yet Another Anonymous coward Silver badge

      Re: I'll bet they'd have a harder time hacking into one in China

      If you are a US political group, environmental campaigner, 99%-er, pro-gun etc etc, then you are probably better keeping your data on a Chinese server than a US one.

      The cold war was a bit of a waste of time and money wasn't it?

      If you are a European aircraft/car/software/phone maker then you don't want your data on a US/UK server or a Chinese one. Does Nigeria do cloud hosting?

      1. Eguro

        Re: I'll bet they'd have a harder time hacking into one in China

        Fragment your data and store one useless and encrypted half (in tiny bits) on various US servers and one useless and encrypted half (in tiny bits) on various Chinese servers. Total security.

        1. Anonymous Coward

          @Eguro

          That's a great idea, but may I recommend one change? Don't fragment your data, store two complete copies, each XOR'ed with the same random data, so it can only be reconstructed on your end by XOR'ing the two together. Let the NSA and the Chinese each go crazy trying to decrypt something utterly impossible to decrypt!

          Someone should write a Linux FUSE driver for that...

          1. Charles 9

            Re: @Eguro

            Not impossible. Once one realizes you need the other copy, they'll just hack into EACH OTHER. Which they've already been doing.

            1. Anonymous Coward

              @Charles 9

              I left unspoken the obvious fact the data would be encrypted before being XORed with random data.

              So someone wanting to get your stuff would need to successfully hack into a US and Chinese cloud provider, and crack the encryption.

              I think that makes it impractical for a "let's capture everything" type of attack. If you attract their interest, they won't bother with any of that. The fastest way to break encryption is with a rubber hose, after all.

              1. Charles 9

                Re: @Charles 9

                So someone wanting to get your stuff would need to successfully hack into a US and Chinese cloud provider, and crack the encryption.

                You forget the very real possibility the NSA and its Chinese counterpart routinely hack into EACH OTHER. Meaning it's passing fair one encounters the other's file, puts two and two together, and obtains a copy of the other's file, reducing the number of places you have to hack. Furthermore, merely finding something like this would likely draw an investigation into who did something this elaborate.
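The two-share XOR split discussed in this sub-thread, as an added example that is not any commenter's code: the working form keeps a fresh random pad on one provider and the encrypted blob XORed with that pad on the other, so each provider holds a share that is independent of the data; the last function shows why XORing both copies with the same pad, as worded above, hands back nothing. The input bytes are a constructed stand-in for the output of a real cipher, which the block assumes has already run and does not implement.

```python
import secrets

# Constructed stand-in for a blob that has ALREADY been encrypted with a real
# cipher; this block splits ciphertext, it does not implement the cipher.
CONSTRUCTED_CIPHERTEXT = bytes.fromhex(
    "9f3b1c77a0d2e45581c6f0b3de7a22c4015f8e9ab47cd3e6f21a0b5c6d7e8f90"
)


def xor_bytes(a, b):
    """Bytewise XOR; refuses unequal lengths so a truncated share is caught."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_shares(blob):
    """Two-share XOR split: share_a is a fresh random pad, share_b is blob ^ pad.

    Each share alone is uniformly random and independent of blob; only the
    XOR of both recovers it.  This is the working form of the thread's idea.
    """
    pad = secrets.token_bytes(len(blob))
    return pad, xor_bytes(blob, pad)


def combine_shares(share_a, share_b):
    """Reconstruct the blob from both shares (done on the owner's machine)."""
    return xor_bytes(share_a, share_b)


def pad_explaining_share_as(share, candidate):
    """Return the pad that would make a single share decode to `candidate`.

    Such a pad exists for every candidate of the right length, so one share on
    its own rules nothing out: the provider holding it learns nothing.
    """
    return xor_bytes(share, candidate)


def same_pad_pitfall(blob):
    """Pitfall: XOR both copies with the SAME pad, as worded in the thread.

    XORing the two stored copies together cancels the pad and the blob alike,
    so the owner gets all-zero bytes back; and each stored copy is then just
    the blob under one pad, not a share.
    """
    pad = secrets.token_bytes(len(blob))
    copy_us = xor_bytes(blob, pad)
    copy_cn = xor_bytes(blob, pad)
    return xor_bytes(copy_us, copy_cn)  # all zero bytes


def store_and_recover(blob):
    """Simulate two independent hosting providers each holding one share."""
    providers = {}
    providers["provider-in-us"], providers["provider-in-cn"] = split_into_shares(blob)
    # Neither share is useful without the other; the owner fetches both.
    return combine_shares(providers["provider-in-us"], providers["provider-in-cn"])
```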

          2. Keep Refrigerated

            Re: @Eguro

            You're onto something here, what about an encryption method that splits the data up into a large chunk and a smaller chunk - like a keyfile for ssh? Is there any program that already does something like that?

            You can stick the small chunk on usb and simply store the larger chunk in any cloud.

            1. Eguro

              Re: @Eguro

              That's an even better idea, if feasible.

              Could also work for businesses I imagine - depending on how big the small file would need to be. One local server, the rest in a cloud.

              I second the question: Is there any program that already does something like that?

              1. Charles 9

                Re: @Eguro

                As I understand it, there are encrypted filesystem programs already in existence that can operate on a file image. A CLOUD file image could perhaps be done in a stretch. As for the other piece, that's just a keyfile, and you can make that just about anything of your choice. As for hardening the image file, many of them can use multiple algos for extra strength. It reduces the throughput, but with a cloud file the network is the bottleneck anyway.

              2. Adam 1

                Re: @Eguro

                Truecrypt already does this.

                http://www.truecrkeyfiles/docs/keyfiles

                1. Eguro

                  Re: @Eguro

                  @Adam 1 If you make the url something I can make work, I promise I'll also upvote your new comment

                  1. Adam 1

                    Re: @Eguro

                    Cool. Bonus vote

                    http://www.truecrypt.org/docs/keyfiles

      2. Anonymous Coward

        Re: I'll bet they'd have a harder time hacking into one in China

        > Does Nigeria do cloud hosting?

        For heteros, yes.

  5. Adam 1

    >"If you think passing a law making data localization a requirement in the EU or Brazil [...] stops the NSA from getting into those databases, think again."

    That is excellent. Hosting in the EU or Brazil is not going to make the job of our beloved acronyms any different, so they are offering no opinion about where we host. Got it!

  6. Christoph

    MRDA

  7. Mephistro

    Dear Mr. Clarke:

    "If you think passing a law making data localization a requirement in the EU or Brazil [...] stops the NSA from getting into those databases, think again."

    If you think data localization in Europe won't cause your operational costs and the risks your operatives incur to increase tenfold, think again.

    1. Intractable Potsherd

      Re: Dear Mr. Clarke:

      But, according to one line of thought, increased budget and more staff are the way to make a certain type of management slime very, very happy!

  8. John Smith 19 Gold badge

    Like most crime you can't stop a *really* determined criminal.

    But you can make them think it's too much trouble and go after easier prey.

    That works for me.

    Actually it's about both the bottom line and privacy.

    Because if you're a European business whose IP has military applications (and with the right PoV that's probably damn near everything), having your IP passed to some BFF corp of the NSA means you could be out of business.

    I suggest that cheap cloud deal does not look quite so cheap now.

    1. solo

      Re: Like most crime you can't stop a *really* determined criminal.

      "..if you're a European business whose IP has military applications.."

      Friend, may I suggest a more subtle phrase: "If you're a European Prime Minister whose talks have nationwide applications.."

      1. Ben Bonsall

        Re: Like most crime you can't stop a *really* determined criminal.

        "If you're a European Citizen who was telling their mother about what they had for dinner and sending a picture of the cat..." :)

    2. Anonymous Coward

      Re: Like most crime you can't stop a *really* determined criminal.

      Because if you're a European business whose IP has military applications

      One would hope you airgap your information inside your company premises, so hacks are only possible from on premises. Then vet and audit your staff.

      1. Charles 9

        Re: Like most crime you can't stop a *really* determined criminal.

        As if that's stopped the NSA before. Remember Stuxnet? It penetrated an airgap...

        1. Anonymous Coward

          Re: Like most crime you can't stop a *really* determined criminal.

          As if that's stopped the NSA before. Remember Stuxnet? It penetrated an airgap...

          I never said it would stop the NSA, it would however stop an awful lot of people, and make it harder for those who wanted to try, like the NSA.

    3. Anonymous Coward

      Re: Like most crime you can't stop a *really* determined criminal.

      "Because if you're a European business whose IP has military applications"

      How about rephrasing that:

      "Because if you're a European business whose IP could be serious competition for a US company"?

    4. Adam 1

      Re: Like most crime you can't stop a *really* determined criminal.

      >But you can make them think it's too much trouble and go after easier prey

      As the joke/adage/saying goes in at least one variant.

      Don't try to outrun the lion/bear/[any Australian animal except some of the sheep]. Try to outrun the guy behind you.

  9. Anonymous Coward

    Your data

    is probably marginally safer on a US based service. There are limits to NSA activities at home, but none on their activities abroad. And most of the rest of the world's state backed eavesdroppers are more domestically focused.

    1. John Smith 19 Gold badge

      Re: Your data

      "is probably marginally safer on a US based service. There are limits to NSA activities at home, but none on their activities abroad. And most of the rest of the world's state backed eavesdroppers are more domestically focused."

      Wrong.

      And by definition, if the billing address is abroad it's probably a furriner, and if the servers are in the US the PATRIOT Act dumps the 4th amendment.

      Or did you not realize that, Mr AC?
