Nov 04 2013
I spend far too much time reading about governmental spying on citizens, both in the US and abroad. It’s a job hazard, since it impacts my role at work, but it’s also what I would be researching and reading about even if it didn’t. The natural paranoia that makes me a good security professional also feeds the desire to know as much as possible about the people who really are spying on us. You could almost say it’s a healthy paranoia, since even things I never would have guessed have come to pass.
But every time I hear about someone who’s come up with a ‘solution’ that protects businesses and consumers from spying, I have to take it with a grain of salt. A really big grain of salt. The latest scheme is by Swisscom, a telecommunications company in Switzerland that wants to build a datacenter in that country to offer up cloud services in an environment that would be safe from the US and other countries’ spying. The theory is that Swiss law offers many more protections than other countries in the EU and the rest of the world and that these legal protections would be enough to stop the data at rest (i.e., while stored on a hard drive in the cloud) from being captured by spies. The only problem is that even the Swisscom representatives admit that it’s only the data at rest that would be protected, not the data in transit. In other words, the data would be safe while sitting still, but when it enters or leaves Swiss space, it would be open to interception.
It was recently revealed that the NSA doesn’t need to get to the data at rest, since they simply tap into the major fiber optic cables and capture the information as it traverses the Internet. Their counterparts here in the UK do the same thing and the two organizations are constantly sharing information in order to ‘protect us from terrorists’. Both spy organizations have been very careful to state that they don’t get information from cloud providers without court orders, but they haven’t addressed the issue of data in motion.
So while the idea of a Swiss datacenter built to protect your data is a bit appealing, the reality is that it wouldn’t do much to help anyone keep their data safe, unless you’re willing to move to Switzerland. And even then, this solution wouldn’t help much; this is the Internet and you never know exactly where your data is going to route through to get to your target. If it left Swiss ‘airspace’ for even one hop, that might be enough for spy agencies to grab it. And history has proven that at least GCHQ is willing to compromise the data centers of their allies if it’ll help them get the data they believe they need.