This is a huge deal. I live in Australia and I have been running businesses on the cloud for the last 3 years or so. I have rarely heard the issue of the PATRIOT Act raised and in spite of there being laws banning the transfer of personal data outside Australia, most people are quite lax about the issue and take the view that the risks are too small to be counted.
Those days are most certainly over. This stuff will affect companies like AWS and Rackspace the most, given that they are competing for contracts with companies who are seriously concerned about who can get at their data. I imagine nobody will flaunt the laws in Australia regarding international data transfers in future, and that countries where no such laws exist will enact some very quickly.
Any cloud based software company in the US which holds large amounts of data that could in any way be deemed to be sensitive is going to have a much harder time pitching to clients overseas who will increasingly opt for a decent local alternative over a foreign one should the option exist. The only thing that American companies can hope for otherwise is that there is no foreign alternative.
The world is not going to come to an end but for a lot of people, their jobs are about to get much harder and the government should be worried about this.
My latest startup is Efficito (a Limited Company, registered in the UK). The web site is http://www.efficito.com and our servers are all in Europe. We have built the service up with a very careful eye for security (why we are going hosted cloud first, and multi-tenant is still in the works).
You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously. We are still looking into whole disk encryption for virtual instances, but key management is a non-trivial problem there to get right. For those who want it I can be pretty sure we'd be happy to work with you to find a way of making the system meet your needs. (Of course given a few customers, we could work with a server in Australia too.)
But I also think it goes beyond shipping the data overseas. Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over. So you can't only look at where the business's servers are but also at which legal authorities they are obviously subject to.
>You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously.
You certainly won't be the first with that idea. I've now lost count of how many blog posts, tweets, forum posts and so on I've seen in the past week that essentially say, "Is the next big selling point for European service companies that we're not subject to US laws?"
The UK is not exactly an ideal location to make a fuss about this from, given that the Regulation of Investigatory Powers Act (2000) gives extensive rights to the government to demand covert surveillance, which includes requirements of confidentiality over interception warrants to the extent that they in some circumstances cannot even be revealed in court.
On top of that Part III of RIPA makes it an offense to fail to disclose your encryption keys to the government in certain circumstances, and the court does not need to actually prove that you have the keys in order to sentence you for failure to produce them.
The laws are built on different principles, making them somewhat different. However, one of the things that we pay a lot of attention to is security resilience. The question is, "what has to be compromised before your data is compromised? and is there a way to detect it?" The storage is still something we are working on but you can believe it is a design goal.
The EU has very different approaches again to privacy law. I don't know that you can compare them. They tend to be more lax with collection and stronger with use.
However, we can also help you install the software (open source, reviewed by developers all over the world) on your premises if you would prefer. So our best shot is only for those who really want to cloud host.
If you're outside of the US, then yes you are not subject to NSA orders. But your data will still be accessed by the NSA, as the NSA won't require an order to read what you've got.
They cannot get a US court to compel you to hand it over.
How likely do you think it is that any of the UK agencies that have powers to request interception under RIPA will refuse a "please scratch your back, and we'll scratch your back later" request from the NSA if the NSA actually cares about your data enough to try to get someone to compel you to hand it over?
And RIPA does provide basis for compelling you to hand over keys or face prison.
Being in the UK may protect us against NSA just taking whatever they feel like whenever they feel like it for no reason at all, but I very much doubt it does much good for anyone that actually ends up in the NSA's crosshairs.
But the return on investment is likely to be far less. If it is harder, more resources have to be spent, then they will be more selective if just because it would be prohibitive to bug every system across the world, at least at present.
>But the return on investment is likely to be far less.
I am not so sure about that. The internet... well, many of the wide-open holes have been closed... BGP hijacking isn't as trivial as it was in '08[1], mostly because filtering has been implemented in some places, but it's still something that could be done by someone of, say, my resources. It's trivial to anyone with real resources.
And there are all sorts of other possible attacks. Hell, even ignoring the (probably easy, for one of the three letter agencies) possibility of putting a backdoor in the firmware shipping on popular routers, well, most ISPs end up using ancient router firmware revisions on their routers[2]
Yeah; read over that BGP hijacking attack; it sounds way easier than setting up a collector at every ISP. (You'd still need local collectors to not add too much latency, but a single (/very/ well connected) collector could cover a reasonable region)
[2] Cisco charges an arm and a leg for firmware upgrades... they give you some of the really old stuff? but usually the choice is used $BIGNAME hardware without firmware updates, or you roll your own quagga. (at the 10G/sec traffic level my upstreams can push, quagga/vyatta work just fine... that's what I use.)
Metadata cannot be protected as well as the actual content can. One of the keys of good security is to ask what has to be compromised for your data to be compromised, though. If you have SSL-protected connections, BGP hijacking alone isn't going to reveal your communications, but BGP hijacking along with a fake certificate issued by a trusted CA (under court order or merely voluntarily) would allow a MITM attack.
The thing is, if you have your own CA, and expect certs from both sides from the same CA, then it is very hard for an MITM attack of this sort to be orchestrated because you can say, "Something isn't right here." So that leaves attacks against the cyphers involved or against the endpoints.
One service we offer is an ability to use an SSL cert issued by the customer, as well as appropriate VPN options to connect to the system at all. Between these, in general I would expect that MITM approaches can be protected against in high security configurations. But that still leaves cyphers and endpoints.
So the first thing we need is a better PKI which can more robustly handle fraudulent certificates. This is something I have written about a bit. (see my blog, http://ledgersmbdev.blogspot.com for more.) But we also need a lot more.
BTW, we build everything on the basis of compartmentalized security with the idea that compromising customer data will require working through quite a bit of depth, particularly in relatively high security configurations. It wouldn't protect against a court order, but it should protect against a lot of other things.
Could the NSA hack us? I am sure they could. Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.
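To make the "expect certs from both sides from the same CA" idea above concrete, here is an added example (not the commenter's or Efficito's code) of a Python client that trusts only an operator's private CA, presents its own certificate for mutual TLS, and re-checks the peer certificate's issuer after the handshake. The CA and certificate paths, the issuer name and the certificate dicts are constructed for illustration.

```python
import socket
import ssl
from typing import Mapping, Sequence, Tuple

# Issuer we expect on every peer certificate: our own private CA.
# Constructed values for this example, not a real organisation.
EXPECTED_ISSUER = {"organizationName": "Example Ltd",
                   "commonName": "Example Private CA"}


def name_to_dict(name: Sequence[Sequence[Tuple[str, str]]]) -> dict:
    """Flatten the nested RDN tuples that ssl.SSLSocket.getpeercert()
    returns, e.g. ((('countryName', 'GB'),), (('commonName', 'x'),)),
    into a flat {attribute: value} dict."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def issued_by_private_ca(peer_cert: Mapping,
                         expected_issuer: Mapping[str, str]) -> bool:
    """Defence-in-depth check after the handshake: every pinned issuer
    attribute must match exactly. A certificate from any other CA, including
    a fraudulently issued public one, fails here even if it passed chain
    validation for some reason."""
    issuer = name_to_dict(peer_cert.get("issuer", ()))
    return all(issuer.get(k) == v for k, v in expected_issuer.items())


def private_ca_client_context(ca_file: str, cert_file: str,
                              key_file: str) -> ssl.SSLContext:
    """Client context that trusts ONLY our private CA (the system CA bundle
    is deliberately never loaded) and presents our own certificate so the
    server can demand the same CA from us. Paths are placeholders."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def connect_checked(ctx: ssl.SSLContext, host: str, port: int = 443) -> dict:
    """Connect, then refuse the session unless the issuer is our private CA."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            if not issued_by_private_ca(cert, EXPECTED_ISSUER):
                raise ssl.SSLError("peer cert not issued by our private CA")
            return cert


# Constructed peer certificates in getpeercert() dict form, for demonstration.
GOOD_CERT = {"subject": ((("commonName", "app.example.invalid"),),),
             "issuer": ((("countryName", "GB"),),
                        (("organizationName", "Example Ltd"),),
                        (("commonName", "Example Private CA"),))}
MITM_CERT = {"subject": ((("commonName", "app.example.invalid"),),),
             "issuer": ((("countryName", "US"),),
                        (("organizationName", "Some Public CA Inc"),),
                        (("commonName", "Some Public CA"),))}
```

The fake certificate in MITM_CERT carries the right subject name but a public-CA issuer, so the issuer check rejects it even though a browser trusting that CA would accept it.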
>Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.
Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.
> Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.
As we went through our initial design, and started talking to others, it became quite clear that being industry standard when it came to security is not something that either I or my business partner were comfortable with. We opted to start looking at everything very carefully and review each other's work regarding security, suggesting improvements, etc.
It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.
>It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.
So by 'hosted cloud' you mean 'every user gets their own VM?' I mean, you could mean that you use on-demand dedicated servers, but most people mean virtual instances when they say "cloud" (I hate that word "cloud" - it's so vague)
(personally, i still think of multiple VMs on one physical box as multi-tenant. But managing a VPS per user? thousands of times easier than managing a user-account per user and just having a bunch of users on the same box. In my opinion, more secure, too.)
How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.
One thing I've noticed about my customers is that they almost all prefer to use my image than to do a net-install. (I give my xen users a paravirtualized boot loader, so they can load the distro install kernel and go from there.) The interesting thing is that my dedicated customers are far more likely to do their own install (I provide only... a very rudimentary PXE menu.)
Or, maybe that's just my perception because I only notice what OS they are running when they ask for help... whereas on the dedicated servers, I've recently had to move a bunch of them, which required me to look at consoles. So I guess there could be a bunch of arch users or something like that who just don't ask for help.
It does seem like having your own physical hardware would make... a big difference, security-wise.
We can do either but our default is VMs, just because for smaller businesses that is a lot more practical. Customers typically do not have root access to their VMs unless they supply their own keys/x509 certs so we can take ours off. If we are managing the box we have, for example, stored root passwords (rarely needed and only two people have access) encrypted in PostgreSQL (which means we do not log when we are not debugging and we do not allow history to be stored since manual keys must be entered when retrieving this info).
> How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.
It's not the only thing you have to watch out for. If someone can compromise the host they should be able to compromise all VMs given a little time. We do have some automated ways of checking for changes though. In general the physical hosts are much less exposed but cannot guarantee that more generally. We are always discussing ways to tighten security (I am considering setting up a ridiculously tight selinux policy on the physical hosts).
> It does seem like having your own physical hardware would make... a big difference, security-wise.
The big difference is actually where the hardware is located. The big difference is really having your own physical hardware on your own premises on your own intranet vs using someone else's physical hardware in their datacenter, with their intranet. In general though if you have someone else's hardware on your intranet you can better control it than if you have your hardware somewhere else.
Again, I don't understand why you think that it's harder for the NSA to hack / bribe / trick their way into data than it is to have to obtain court orders and convince everyone to work with them.
"Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over"
There's a way out. Those servers offshore must be handled by a subsidiary. Then the parent company in the US does not have the data and it cannot command the subsidiary to hand it over either.
That means the best option is not to use wholly owned subsidiaries and instead have a partnership with the parent owning a large plurality but non-controlling interest (say 10 partners from various countries, with the parent owning 49.9% of the subsidiary). You can set the agenda, more or less run things how you want, but anything you try to do as shareholder can be vetoed by the other 9 acting in unison.
Australia isn't exactly a safe haven. There are only a handful of pipes in and out of the country, each of them probably well within the deep packet inspection capability of serious spy gear. I'd be amazed if one of the AFP, ACC, ASIS, ASIO or DSD didn't have their own rooms in selected Telstra and Optus facilities.
And not to mention that Conroy wants to do something like what the NSA are supposedly doing; he's just going to outsource it to the ISPs.
I've seen an AFP server in a certain government datacentre. Its security was a square of black and yellow tape and the assurance that I would be detained without charge under anti-terrorism legislation if I crossed the tape to take a closer look.
But as an Australian citizen we have our courts and public opinion to try and fight for us. Not to mention the people doing the snooping have far less incentive to pass commercial information along to a competitor.
Americans are, theoretically, in a much stronger position vs NSA snooping. US law is meant to make it illegal for their spy agencies to look inwards and the US Constitution has its famous "search and seizure" clause which can, if you find the right judge, have some formidable teeth.
As Australian citizens we have no such protections and we have no standing in US courts to get any restitution. We're fair game.
Further, as Australians, while we enjoy some protection from our own outward-looking agency (ASIS), the inward-looking agency (ASIO) can and does investigate Australian citizens with a broad range of powers, including powers to intercept telecommunications. Their powers of investigation compound with the Australian Federal Police's powers of arrest, sometimes without cause or notice.
In theory, ASIO requires the Attorney-General to grant warrants to exercise most of its powers. Statistics on the warrants haven't been published, so we have no idea if they're granted begrudgingly or rubberstamped. My guess is going to be the latter -- which Minister wants to be the one who was "soft on communism/terrorism"?
As I noted elsewhere in the thread, Echelon taught us that the agencies can circumvent these protections by agreeing to spy on each other's citizens and then forward the intelligence.
The idea that you would be just as subject to surveillance using Australian hosted servers is pure speculation and not supported by the so far leaked information on PRISM.
I think the issue for foreign governments is closer to countries not wanting other countries to have easy reach into their data. For them it's not a civil liberties issue, it's a security issue.
NB: It's a real struggle to not make this sound paranoid.
Just at an individual level, I'm questioning whether it's wise to store my data in a US service that won't afford me the same protection as US citizens.
I've already started reducing my reliance on Google, and I barely use facebook, but things like Amazon and Linode are much harder for me to quickly divorce myself from.
Australian here. Government departments are slowly starting to catch on to this sort of thing.
One application I work on stores data from DEEWR and FaHCSIA and this year they've "cracked down" on that data going overseas.
The application's data (and the bits we get back from the government) has always been stored in Australia on our hardware. My understanding is that some of our competitors using AWS and Rackspace had to work hard to quickly get their stuff hosted locally (or are in the process of bringing it back here).
> in spite of there being laws banning the transfer of personal data outside Australia, most people are quite lax about the issue and take the view that the risks are too small to be counted.
I can tell you from working in the finance industry in Australia and APEA, larger companies/banks take this very seriously due to compliance obligations with regulators (APRA, MAS, HKMA, etc).
There are technological solutions to address this for US firms. Encryption on the client side, before data is sent to the cloud, would work. I would suspect (hope) that browser makers will quickly introduce features that make sending and receiving end-to-end encrypted communications (email etc.) a thoughtless process - since that is the only way to get people to use it.
Even better, perhaps someone will write software that sits on top of the network stack and automatically negotiates secure communications regardless of the origin client software. Maybe some sort of public key registry might come into play.