Amidst the revelations of widespread Government spying on domestic and global internet communications have come the expected opportunistic claims of this being an immense boon for cloud providers outside of the US. Every man and his dog (and a huge number of European-based cloud vendors) have been jumping up and down suggesting that PRISM shows that only hosting outside of the US (and, usually, specifically with said provider) gives users any sort of protection from surveillance.
Just the other day I got an email from a group of students out of a university in Germany that has launched a nonprofit – BlockPrism.org. According to the email, the goal of BlockPrism is to encrypt messages in social networks. Said the founders:
The NSA scandal has shown that there is a great demand for secure communication on the Internet. While the cryptographic technology to make this possible has existed for some time, encryption has not been widely adopted because it can be too complicated. We want to solve this problem by creating programming tools that allow seamless integration across social media, without the user having to go through any trouble to encrypt his or her messages.
Obviously not concerned by Federal inspection of their funding data, the students have launched a campaign on crowdsourcing site Indiegogo to fund the further development of the project. Sigh…
While it might burst a few non-US companies’ bubble, it’s naïve to think that by simply moving the site of your data center away from the US you’ll miraculously be protected from all of this stuff. Neither will simply choosing a vendor that isn’t a US corporation. Here’s why…
Your Government is in on it too
For those customer who smugly tell you that they’re on the (insert a non-US jurisdiction) cloud and accordingly they’re safe, tell ’em to wise up. Recent revelations in my own country, New Zealand, have shown just how much other Governments are in cahoots with the US. While the NZ Government is part of a generally known surveillance operations, again it’s a fair bet that other, less identified Governments are also. And even if your Government swears black and blue they don’t help the US spy, it’s highly likely they’ve got their own surveillance programs running – national security and all that. The notion of data on the internet only being accessible by the sender and the recipient is, in my view, largely a fallacy.
They can sniff ALL the pipes
Call me a conspiracy theorist you may, but does anyone really believe that the only way the NSA can access data is through vendor agreement? These shadowy organizations (and you can bet there are far more shadowy ones that the public hasn’t even heard of yet) likely have access to all the international pipes – unless you or your vendor can offer a dedicated pipe (and I’m talking dedicated physical here, not some dedicated capacity within a generic fiber), chances are the authorities have access to all those bits you’re sending down the pipe. Ah, you say, that’s fine, ‘cos our stuff is encrypted. Not so fast…
Encryption? Phooey!
Encryption was invented for these guys, it’s a safe bet they can decrypt several generations ahead of where encryption technology stands today. My compatriot, the late, great Barnaby Jack famously showed how he could access an ATM and make it spit out money. Before his untimely death he was going to showcase his new found abilities to hack medical devices. If a hacker, and a lowly Antipodean hacker for that matter, can bypass the best security medical device makers have, just imagine what these shadowy agents can do – well funded and with the smartest startups, best engineering and latest research that exists.
Summary – The data is out there, and it’s being observed
I’m pretty adamant that the spooks, wherever they may be, have access to the pipes on which your data is transported. They likely have the ability to decrypt even the most complex encryption techniques and they have some of the best big-data analytics that money can (or can’t) buy and hence have the ability to make sense of this mass of information. Do I care then that federal agents can likely know my bank account, the private online rants I have about some people or the sweet nothings my wife and I transmit electronically? Actually not really. While there is indeed a conceptual case to be made for a breach of human rights to privacy, that is an argument that, while excellent as an intellectual debate, is largely moot. The cat is out of the bag, the emperor has no clothes, the horse has already bolted from the stable and the new normal is that some precocious girl genius was plucked out of a college somewhere to go work for an organization you and I have never heard. Said girl genius is right now perusing my data and knows almost as much about me as I do myself. Frankly, I don’t really care…
And then there’s the ‘good’ uses…. sometimes the ends justify the means….
http://gigaom.com/2013/08/05/a-chunk-of-the-deep-web-went-down-over-the-weekend-and-tor-users-should-be-wary/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+OmMalik+%28GigaOM%3A+Tech%29
I guess the PRISM debacle has had one good thing, and that at least a part of the population is wondering about they way they spray stuff around. PRISM by all accounts was about metadata sniffing, so if they look at my data, they know what sites I have been too, but if SSL was involved they don’t know my traffic content details. There is a lot of conjecture even among security circles of the capabilities of the NSA. Many doubt they have the capacity to do a lot of what you suggest above and I doubt it as well. They might be well funded, by government standards and they might have some smart big data scientists working their, but they allowed someone to copy data to external storage and leave. I doubt they have anywhere the capabilities they like to espouse, remember the FBI a few years ago wasted an inordinate amount of money on a case management tool that never flew.
All I can say is Ben your information is probably a lot safer from the NSA than you think.
Encryption technologies are designed to be, unbreakable, but it depends entirely upon the length of the encryption key – too short and your average laptop can crack it, given time. Make your key long enough and even the latest 40 Teraflop supercomputer is going to take a bit of time (years) to read one message. Expand that to the billions of messages sent per day and you have a problem that’s so big all the computers on earth cannot solve it. Bring on Deep Thought.
There are no back doors to SSL – open source and thousands of eyes ensure that, but the same probably cannot be said of any proprietary encryption algorithm.
BTW surgical appliance manufacturers probably NEVER considered security before keeping people alive – just how long is that battery going to last if its running 256bit triple DES. A world of Internet connected things might be here, but secure it isn’t.
I agree with Ben, but to a point. You should assume that the government (your gov, the US, China, whoever) can see everything you do on the internet – regardless of encryption. From a business perspective, thats fine to me – I can’t think of any information a legitimate business would have that it would need to hide from the government. My information as a private citizen is another matter…
In reply to Mr VVG – SSL and TLS v1.0 have recently been demonstrated to be much more vulnerable than previously hoped.
http://www.informationweek.com/security/vulnerabilities/https-vulnerable-to-crypto-attack/231601759
I disagree with Ben that all encryption is crackable. The NSA doesn’t have a monopoly on crypto geniuses – quite a few exist in the wild and help keep a vigilant eye out for the rest of us on open source crypto – so I doubt all crypto compromised. That said, there have been significant advances in decryption techniques that reduce the time required to brute-force decrypt common crypto by orders of magnitude. I think its safe to say that the NSA has eroded that even further by now.
http://threatpost.com/cracking-crypto-just-got-a-little-easier
But, in reality, are your tax documents and copies of your passport worth their time decrypting? Probably not.