NSA, GCHQ spies have hurt us more than they know – cloud group

The PRISM revelations – that governments monitor their own citizens as well as those in other countries – have undermined business confidence in moving to the cloud. This is according to the UK-based Cloud Industry Forum, which conducted an annual survey of 250 private and public sector organisations and noted a reverse in …

  1. John Smith 19

    There's a reason for that.

    Because they do.

    You hand over your data (and possibly the applications that depend on it) to a server farm you don't even know the location of?

    Note. This is not about the data as I doubt most PHBs could give a s**t about that.

    It's what their customers should be worried about.

    And if you are a customer you should be worried.

  2. John Smith 19

    There's a reason for that

    Because they do.

  3. Anonymous Coward

    Faux-naïveté misses the point.

    PRISM revelations – a real shocker for anyone that didn't already realise governments monitor their own and other countries' citizens

    That is not what the complaint is about. Nobody thought that spies didn't spy; we had, however, hoped that they did it legally, constitutionally, proportionately, purposefully, and under warrant and effective oversight. We did not merely hope that this was the case; we had the right to expect that this was the case, and the fact that it has turned out not to be is an offence against liberty, justice and democracy. Your oversimplification appears deeply ignorant of the actual issues at stake.

    1. Anonymous Coward

      To the point.

      Thank you very much.

  4. Mephistro

    the "FUD factor" increased, but given the actual number of breaches, "there is a massive gap between perception and reality".

    This gentleman is naively assuming that the people that answered the survey:

    a) Were aware of all the security breaches

    b) Were interested in disclosing said breaches

    What is next? Bigfoot and Elvis Presley living in a condo in Albuquerque?

    1. Anonymous Coward

      Also missing on security breach question

      So only two breaches...

      A) I'm assuming these are just cloud service-related breaches

      B) Did their cloud providers notify them of all breaches?

      C) How aware are the cloud providers of breaches, especially if it's an issue of data being grabbed by SigInt agencies while it is in transit through fiber-optic cables? Let's not forget that until the proper Snowden docs came out, Google was blissfully unaware that the NSA was grabbing traffic between Google datacenters.

      D) Would their cloud service providers be able to notify customers if data was revealed to SigInt agencies through a mechanism like a U.S. National Security letter? Probably not.

    2. streaky

      FUD

      There's no FUD factor; it's now well known that both the NSA and GCHQ (and others) are hoovering up every single bit of data that they can lay their hands on. Odds that they're hoovering up data from inside the network of the company that has a side business in selling everything in the world? Fairly high I'd reckon given the CIA ostensibly like what they're doing (for the CIA to like your kit you'd have to assume they have fairly decent insight into your kit and operations for sensible reasons).

      Not for nothing, but if you're the aforementioned seller-of-everything, or Microsoft, or Google, you're not going to be *allowed* to tell people that your customers have been breached by those agencies - even if you know it - so relying on public disclosure is a nonsense.

  5. John Savard

    Security from Whom?

    In the case of European companies, their potential legal liability, given European laws about personal information, may make even NSA and GCHQ snooping a concern.

    For most companies in the United States, though, that sort of thing is the last of their security concerns, if it even comes up on the radar screen at all; they don't expect the NSA to pass on confidential information to their competitors, or, indeed, to risk disclosing its surveillance by using anything it sees - except for use related to their legitimate mission of defending America from war, espionage, and terrorism.

    But data in the cloud is still more obviously potentially vulnerable to attack by hackers, and the computer industry's security record has been poor. So not everything is Snowden's or the NSA's fault.

    1. Diogenes

      Re: Security from Whom?

      they don't expect the NSA to pass on confidential information to their competitors,

      I don't know. Given the way the current administration has been using the IRS to target the conservative side of politics, I could see the NSA spaffing data to, say, the Koch brothers' rivals.

  6. Don Jefe

    Security Concerns

    If a State Actor rooting through your data is what's holding you back from giving a 3rd party all your data, it's going to be very hard to convince me as an investor, or customer, that you're really committed to data security.

    1. Steven Roper

      Re: Security Concerns

      What?!?

      What's holding me back from giving a 3rd party all my data is the possibility of anyone rooting through it, state actor or no. That's why I would insist on all my data not being given to a 3rd party, and instead stored in-house on a computer under my control, where I can monitor and regulate any and all access to it. And that would make you think I'm not committed to data security?

      1. Anonymous Coward
        Anonymous Coward

        Re: Security Concerns

        > What's holding me back from giving a 3rd party all my data is the possibility of anyone rooting through it

        I think that was actually his (sarcastic) point.

        GCHQ breaking in should be a minor issue compared to the risk inherent in uploading your data to a random server farm run by some company you actually know very little about.

        1. Don Jefe

          Re: Security Concerns

          Yes. That was my point. Analyzing and weighting individual threats is, at best, an exercise in masochism after you've abrogated internal data oversight and controls.

          Ignoring technical risks and legislative tricks, you're a passenger on someone else's policy train the moment you entrust your data to anyone else. You not only have zero input in their policies, threat assessments and risk management techniques, you don't even have the right to know anything about those elements. The moment you pay that first invoice you have given your approval of whatever it is they choose to do internally. Retroactive responses via the courts are your only remaining option and retroactive responses and security can't coexist.

  7. amanfromMars 1

    The Great Game Revisited and ReVersioned and Given a Cyber Make Over with Ab Fab Fabless Leverage

    Burton, said the "FUD factor" increased, but given the actual number of breaches, "there is a massive gap between perception and reality".

    There be those who Work, Rest and Play in the Sensitive IntelAgent Sector, with and within Live Operational Virtual Environments, where perception and reality are a singularity and easily cloneable, and both one and the same as each other and in Command and Control of AI UniVersatile Power with Viable Imaginative Applications. .... VIA ProgramMING for Mined Information Networking Games Play, although a reality and perception shift in IT there, has some leading key players assuming and presuming and launching NEUKlearer HyperRadioProActive AIMissions and Real Virtual Projects and Novel Pogroms with Astute Active Adept Adaptable Apps for ......... well, nothing less than Infiltrating Minds for Networking Games Play.

  8. Anonymous Coward

    Tor

    The NSA marks and considers potential "extremists" all users of the internet anonymizer service Tor, German media reports. Among those are hundreds of thousands of privacy concerned people like journalists, lawyers and rights activists.

    Searching for encryption software like the Linux-based operating system Tails also places you on the NSA grid, says a report by German broadcasters NDR and WDR. The report is based on analysis of the source code of the software used by NSA’s electronic surveillance program XKeyscore.

    But merely visiting Tor project’s website puts you on the NSA’s red list, the report says. But more importantly it monitors connections to so-called Directory Authorities, the eight servers, which act as gateways for the entire system.

    http://rt.com/news/170208-nsa-spies-tor-users/

    1. Don Jefe

      Re: Tor

      Yeah, who'd have thunk that people looking into technologies birthed by US military research labs would catch the attention of State intelligence agencies.

      Now, don't get me wrong, I think all this global scale surveillance is stupid, counter productive and dangerously distracting. If you're looking everywhere for a threat you never see the actual threat until it is too late. Plus it's just embarrassing when I travel.

      But, you've got to admit that if your boss told you to look for potential threats a good place to start is going to be the place where people go to access tools to help them operate under the radar. I'm not approving it, in any way, shape, form or fashion, or even recognizing the necessity of the snooping. I'm just saying that Tor and encryption tools are a really logical place to do some snooping.

    2. DrBobMatthews

      Re: Tor

      I have probably been on the NSA, MI5, GCHQ and everyone else's red list for some time because I dare to criticize openly UK/US global interference in the pursuit of US government foreign policy agendas. Personally I don't particularly care whose damn list I am on; if they wish to waste their time, bring it on. I am more worried about the brainwashed sheep who think that governments have any interest other than their own corrupt self-interest and that of their even more corrupt financial backers.

      Anyone who thinks we have democracy is living on a different planet, to most governments the individual is nothing more than an economic unit to be exploited. 1984 is a reality and has been for some time. "Security" is bandied about as an excuse for devious control by the state of its people. When the government no longer trusts its people it is the time for the people to remove the government.

      By the people, of the people, for the people. They are our servants; they conveniently forget that in their lust for power, wealth and influence.

      1. Don Jefe

        Re: Tor

        I suspect, that were we able to plot the introduction of the various strategies for sideways usurpation of power by government, that exchanging liberties and freedoms for the promise of safety would appear immediately following the kidnapping and harming of loved ones. The entire premise is pure shit any way you look at it.

        On one hand you've got leaders who are openly admitting they are incapable of doing their jobs. Results are not part of the job description. Results within the confines established as the foundations of the nation are the job. Any random chucklefuck off the street can lead if they don't have rules to follow. If they can't succeed where others have they simply aren't fit for purpose. Period.

        Alternatively, we can view the 'safety for Liberty' exchange as extortion. Implying, or directly threatening, that people will suffer some sort of harm or hardship unless they do as directed is extortion. It's illegal as shit. I'm fairly certain Western governments are familiar with extortion. They should be well aware of how it works seeing as how they've spent the last two decades prosecuting everyone from actual mobsters to counterfeit BeanieBaby importers and P2P 'pirates' under organized crime laws where extortion is a pretty big fucking component.

        Voters and politicians, both current and hopeful, need to decide how they are going to categorize those advocating for security in exchange for Liberty. Are they woefully ill equipped to lead in the modern world or are they criminals threatening your family and friends? Those are the only two choices. Advocating security in exchange for Liberty can only be failure or a crime.

    3. Hargrove

      Re: Tor--further thoughts

      The following quote from Daniel Webster articulates a fundamental truth.

      “Good intentions will always be pleaded for every assumption of authority. . . . . There are men in all ages who mean to govern well, but they mean to govern. They promise to be good masters, but they mean to be masters.”

      With slight modification the elided reference to the US constitution can be generalized to fit the present discussion. It is hardly too strong to say that the primary purpose of any legitimate government is to guard the people against the dangers of good intentions.

      Any system of government is a theoretical construct. Those who actually govern are flawed human beings, subject to all of the frailties and vices of humankind. The primary purpose of a system of government in a free society is to constrain their actions. In the case of clandestine surveillance, governments have arguably failed fairly miserably.

      The assumption of power to conduct clandestine surveillance of the private thoughts and actions by those who govern poses an unprecedented threat to individual rights and freedoms. Those individual rights and freedoms, in turn, are essential to the creativity, prosperity, and happiness of societies.

      The threat of wholesale surveillance would be horrific enough, if those doing it could get it right. But the ugly secret of clandestine surveillance is that they can’t when it matters—not even theoretically. Those who govern have simply been seduced by the commercial success of Google and social networking to believe that they can.

      The purpose of surveillance is to detect patterns that allow the entity doing the surveillance to classify the results in useful ways. One of the fundamental measures of the “goodness” of a classification algorithm is the ratio of true “positive” to false “positive” classifications.

      What is useful in the commercial world is very different from what is required as actionable intelligence in the realm of national security. For example, some months ago, someone’s data-mining algorithm erroneously classified me as a cigar smoking female athlete in the market for Cohibas and sports bras. The fact that I am a male non-smoker is a non-issue for the spammers. They just need to hit enough of their target market to turn a profit. The number of false positives is essentially irrelevant.

      Actionable intelligence—involving the launch of things more substantive and potentially deadly than an e-mail—is another matter entirely. And this is where the wheels come off the wagon. Any data classification algorithm that is of practical interest follows a “relative operating characteristic” or ROC curve. The behavior of classifiers has been described in very clear and readable terms by a gentleman named Tom Fawcett. A Google search of his name and ROC will get anyone interested to his papers.

      The short version? There is no such thing as a free lunch. It is a matter of probabilities and statistics. I can design an algorithm that will maximize the hits on your target pattern, if you can tolerate having a majority of the “hits” be false alarms. I can minimize the false alarms (a desirable feature if I’m launching missiles rather than e-mails). But the probability of getting the true target will be commensurately low.

      Or I can just tinker with the algorithm until I get the answer I’m looking for. Therein lies the threat.

      Even if we ascribe pure intent to those who govern, they cannot be counted on to discern whether or not their data mining algorithms get it right. We are all spring-loaded to accept answers that conform to our preconceived expectations.

      As an avocation I have been studying trends in how those who govern govern. I foresee a day, not many years hence, when citizens in my country may be subject to criminal charges and detention in the name of Homeland Security, based on evidence gathered by automated data-mining. Seeds for this have already been planted in our laws. When that happens, as one of the other commenters on this article observed, those who govern will assert security to deny those accused information about what data was mined or the criteria whereby the actions were classified as criminal.

      There will be no accuser for the accused to face. They will not have the information, access, or technical means to determine whether the search excluded data and criteria that might have exonerated them. They will never know whether other individuals who matched the same pattern were exonerated based on consideration that was not given to them. (And human nature being what it is, there is not a single government on the planet where this kind of favoritism and preferential treatment is not accorded to some privileged set of individuals.)

      When that day comes, those who govern will be able to selectively prosecute whom they choose with impunity.

      Those who govern are human, and history offers compelling evidence that humans are capable of acting with malicious intent. However, the threat to individuals and societies posed by government surveillance does not demand bad intentions. Good intentions will do the job splendidly.
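The hit-rate versus false-alarm trade-off that Hargrove's post describes, worked through in code. This is an added example, not part of the thread or of Fawcett's papers: the scored population is constructed for the demonstration, and `rates_at`, `roc_curve`, `auc` and `precision_at_prevalence` are names chosen here. It goes one step beyond the post by also applying the base rate, which is what turns a respectable-looking classifier into a flood of false alarms when real targets are rare in the population being surveilled.

```python
"""ROC trade-off demonstration on constructed data (added example, not from the thread)."""
from fractions import Fraction

# Constructed classifier outputs for a small population: (score, is_true_target).
# These values are invented for the demonstration; 6 true targets, 14 non-targets.
SAMPLES = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.75, False),
    (0.70, True), (0.65, False), (0.60, False), (0.55, True), (0.50, False),
    (0.45, False), (0.40, False), (0.35, True), (0.30, False), (0.25, False),
    (0.20, False), (0.15, False), (0.10, False), (0.05, False), (0.02, False),
]


def counts_at(threshold, samples=SAMPLES):
    """Flag every item scoring at or above `threshold`; return (tp, fp, fn, tn)."""
    tp = fp = fn = tn = 0
    for score, is_target in samples:
        flagged = score >= threshold
        if flagged and is_target:
            tp += 1
        elif flagged:
            fp += 1
        elif is_target:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def rates_at(threshold, samples=SAMPLES):
    """True-positive rate (hit rate) and false-positive rate (false-alarm rate)
    at one threshold, as exact fractions."""
    tp, fp, fn, tn = counts_at(threshold, samples)
    return Fraction(tp, tp + fn), Fraction(fp, fp + tn)


def roc_curve(samples=SAMPLES):
    """ROC points (fpr, tpr), from the strictest threshold (flag nothing)
    down to the loosest (flag everything). Each point is one operating choice:
    lowering the threshold buys hits only by also admitting false alarms."""
    thresholds = sorted({score for score, _ in samples}, reverse=True)
    points = [(Fraction(0), Fraction(0))]
    for t in thresholds:
        tpr, fpr = rates_at(t, samples)
        points.append((fpr, tpr))
    return points


def auc(samples=SAMPLES):
    """Area under the ROC curve, computed as the probability that a random target
    outscores a random non-target (ties count one half). 1 is perfect, 1/2 is coin-flip."""
    pos = [s for s, t in samples if t]
    neg = [s for s, t in samples if not t]
    wins = Fraction(0)
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1
            elif p == n:
                wins += Fraction(1, 2)
    return wins / (len(pos) * len(neg))


def precision_at_prevalence(tpr, fpr, prevalence):
    """Share of flagged items that are real targets when targets make up `prevalence`
    of the population (Bayes' rule). The same tpr/fpr pair gives very different
    answers depending on how rare the targets are."""
    hits = prevalence * tpr
    false_alarms = (1 - prevalence) * fpr
    return hits / (hits + false_alarms)


if __name__ == "__main__":
    print(f"AUC on the constructed sample: {auc()}")
    for t in (0.9, 0.5, 0.3):
        tpr, fpr = rates_at(t)
        print(f"threshold {t:.2f}: hit rate {tpr}, false-alarm rate {fpr}")
        for prevalence in (Fraction(1, 2), Fraction(1, 10000)):
            p = precision_at_prevalence(tpr, fpr, prevalence)
            print(f"  targets at {prevalence} of population -> {float(p):.2%} of flags are real")
```

Run it and the last column is the point of the post: at the 0.5 threshold the classifier catches 5 of 6 targets with a 5/14 false-alarm rate, which is 70% precision when half the population are targets, but well under 0.1% precision when targets are one in ten thousand. No threshold on the curve fixes that; only a lower false-alarm rate or a less rare target does.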
