Archive for the 'Privacy' Category

May 10 2015

Spying pressure mounting worldwide

It’s been an interesting ride ever since Edward Snowden came out with the revelations about NSA spying efforts two years ago.  There was a huge public outcry at first, both from the side who believes spying on your own citizens is necessary and from the side who believes spying on your own citizens is a vital tool in protecting them.  Both sides of the argument have been trying to sway public opinion, with varying degrees of success, but it’s been the spy organizations that have been getting their way as judges and lawmakers side with them for the most part.  But that’s slowly changing and there’s additional pressure mounting on both sides of the argument.  It’s only a matter of time before the pressure seeks an outlet and it may be explosive when it does.

The first problem with spying by intelligence agencies in the US was that it was so secret that most courts couldn’t even get enough information about the practices to determine who had a right to sue for relief from the situation.  You can’t sue the US government unless you can prove you have standing in a case, that you are affected by the action, but you couldn’t prove you were one of the people who were spied upon if the information is too secret to be released even to the court.  So for nearly two years, that venue of combating governmental spying has been stymied.  As of last week though, that’s started to change as the US 2nd Court of Appeals in Manhattan declared that Clause 215 of the Patriot Act did not give authorization for massive collection of phone data.  The ruling also gave the ACLU standing in the case, enabling further legal action, but stopped short of declaring the spying efforts unconstitutional.  In a move that probably didn’t surprise anyone, multiple Senators and Presidential wannabe’s called for new laws to give the NSA and other agencies the power the court just denied them.

Abroad, there’s also a lot of push back against not only American spying, but against the national organizations who are cooperating with American organizations.  Germany’s Federal Intelligence Service (BND) had been cooperating with the NSA for years, feeding the American organization information directly from their telecoms and ISP’s, enabling the NSA to track German citizens in ways the BND might not be able to.  This got mostly overlooked when it was revealed that the US was listening in on Angela Merkel’s phone calls, but recent activity and the NSA’s refusal to give justification for the information they’re asking for has caused the BND to stop cooperating with the NSA and is creating quite an uproar in Germany.  Merkel’s political party has been under a lot of pressure because of the information the BND has been providing and there have even been calls for the resignation of the German Interior Minister.

That’s the recent wins on the anti-spying front.  On the other side, advocates of spying continue to push in all sorts of ways, from asking for golden keys in encryption technologies to calls for more power from legislators and less oversight by the judiciary.  Last week’s elections in the UK have emboldened Home Secretary Theresa May to call for the re-introduction of the so-called “Snooper’s Charter” in the country.  GCHQ already has significant powers within the UK and abroad, but the Draft Communications Charter Bill would extend these powers considerably and lessen any oversight on law enforcement agencies.  The good news is that even members of her own party are critical of the bill and might not be willing to back her call for further power.

Proponents of spying powers have nearly religious respect for the governments need for these powers and the government’s restraint of their use.  Theresa May seems to believe that any judicial oversight is too much and that the government can’t be restrained or the terrorists will win.  In the US, Supreme Court Justice Antonin Scalia has long held similar beliefs and has been very vocal about it.  Last year he presented to a Fordham University class on law, strongly stating that such powers are needed and cannot be limited.  This year when he went to present, the professor had given his class a new assignment: using only publicly available information, create a dossier on Justice Scalia.  The 15 page document was presented to the Supreme Court Justice and included extensive information about his financial information and family.  Rather than take this as an example of what the NSA or any other organization has at their fingertips and a warning as to why this might be dangerous, Justice Scalia blasted the teacher and his students, questioning their ethics and judgment.  It seems that it’s okay when an impersonal national agency does it, but not when a small group of students research the Justice.

And adding to the pressure cooker of the spying argument, China and Russia have signed an agreement not to hack each other.  It’s probably more accurate to say they’ve agreed not to get caught at it, but this means that their considerable resources will be at least partially turned away from each other and to different projects.  There’s probably not many people who won’t identify the US as the primary target of the freed up hackers, but there are plenty of other places they can put their efforts.  In a lot of ways, it’s like to gangs agreeing not to horn in on each other’s territory while they deal with a third gang.  Add in Russia’s upcoming data localization laws and things get very interesting, very quickly.

“May you live in interesting times.” certainly applies.  There’s pressure from all sides, some wanting to increase spying, some wanting to curb the capability of Western law enforcement agencies.  Both sides have valid points, but it’s a trade-off between the security that such spying might provide versus the damages to civil liberties and personal freedom that it causes.  There’s been almost no proof that spying by international agencies makes us safer, but by the same token it’s hard to express clearly how spying damages the lives of average citizens.  In many ways this is going to be one of the defining issues of the early 21st century and will determine the future of our civilization.  Do we defend our liberties or do we give governments the power to protect us from ourselves?  Only time will tell.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

May 05 2015

RSA 2015 Interview: Jason Straight, UnitedLex

Published by under Podcast,Privacy

I got a chance to sit down with Jason Straight, SVP and Chief Privacy Officer.  Jason works on the legal side of security, meaning as a lawyer, not law enforcement.  The conversation covers international legal concerns, privacy and communicating with your own legal counsel, just to mention a few of the topics.

The interview was recorded in a busy tea house and I’ve done my best to remove as much of the noise as possible.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Oct 05 2014

Understanding Apple’s new encryption model

I understand enough about encryption to get myself in trouble, but not much more.  I can talk about it intelligently in most cases, but when we get down to the nitty gritty, bit by bit discussion of how encryption works, I want to have someone who’s really an expert explain it to me.  Which is why I’m glad that Matthew Green sat down to explain Apple’s claims of new encryption that they can’t open for law enforcement in great detail.

The Too Long; Didn’t Read (I often forget what tl;dr means) version of it is that there is a unique ID that’s hidden deep in the hardware encryption chips on your phone that software doesn’t have access to.  This UID is made part of your encryption key through complex algorithms and can’t be pulled out locally or remotely and makes for a strong encryption key that protects your encrypted data.  Do keep in mind that not all of the interesting data on your phone is encrypted, there are still nooks and crannies that can be looked at by someone with physical access to the phone.  And that some of the most interesting stuff on your phone isn’t what’s on it in many cases; it’s the list of who you’ve called, where you’ve been and the like that they can get from the carrier.  That metadata is often at least as important as what’s on your phone, and much easier to get without ever having to even see your phone.

I’m personally very glad that Apple (and Android as well) have begun encrypting phones by default.   Yes, police need to the ability to get into phones and see what people have been doing on them, but the last two years have shown that this ability has been abused for quite some time.  Various governmental officials in the US have decried the move saying they need the ability to catch pedophiles and terrorists.  Yet so far the count of cases where the information needed to catch anyone from either of those categories couldn’t be gotten by other means is still in the single digits.  At the same time the number of  lawsuits against police in the US abusing their ability to get into phones numbers in the hundreds.  Do the math and figure out for yourself if it’s worth law enforcement having easy access.

We’ll be seeing more organizations of all types moving encryption, partially to protect users and partially to defend themselves from the negative publicity being open to the police brings.  There will be a number of missteps, of poor encryption methodology and cases where people realize they can’t just get their backup from the cloud because they used serious encryption and lost the key.  There will be growing pains and there will be examples of guilty people escaping because law enforcement doesn’t have easy access to phone data.  But we need to have strong encryption to protect the privacy of average citizens who’ve done nothing more than catch the attention of the wrong person at the wrong time as well.  Our privacy is much more delicate and deserving of protection than many in power believe it is.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Aug 20 2014

Heartbleed vs. Juniper

Published by under Firewall,Hacking,Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability.  The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated.  Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from an vulnerable server.  The portion of memory is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN.  From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months?  Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around.  And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.  

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

2 responses so far

Jul 30 2014

Russia says “Hand over your code.”

Published by under Cloud,Privacy

Well, this should be interesting.  The Russian Communications Minister suggested, rather strongly, that Apple and SAP share their source code with the Russian government so that it could be reviewed to make sure it wasn’t being used to spy on Russian citizens.  Yes, Russia is playing the privacy card to sneak a peek at the crown jewels of two of the biggest high tech companies in the world.  Who says Russian politicians don’t have a sense of humor?

On the surface, the request for source code review in order to protect the privacy of Russian citizens from US spying has some merit.  Since the Snowden revelations last year, I think anyone not familiar with Apple and SAP would be willing to entertain the idea that either or both companies might have backdoors in their software.  But anyone who knows these companies understands they’re big enough that they can and would strongly resist any effort to introduce spy technologies into their software, probably vocally.  Beneath the surface of the request, what Russia is more likely looking for is a way to compromise this software themselves and get access to company secrets in order to share them with their own corporations.  Historically speaking, there’s a fair amount of evidence to support this theory.  Or maybe I’m simply too cynical.

Irony aside, between recent laws requiring traffic to be logged inside Russia and additional laws requiring all Russian data to be stored in Russia, this shouldn’t be a surprising move.  In fact, I won’t be at all startled if the next move is a law requiring any software that’s being installed on hardware within Russia to require testing by the Russian government before deployment. The two current laws are already going to make any cloud deployment that relies on global distribution (meaning all of them) nearly impossible, but adding a code audit to those requirements will make doing business in that location unviable, to say the least.

Apple and SAP could make their source code available for ministry code review, but I find that idea extremely unlikely.  The difficulties of doing such code review in environment that is acceptable to both of these companies and the Communications Ministry is going to be next to impossible to create.  Apple is well known for how jealously they guard both their source code and their developing hardware and SAP isn’t all that far off the mark, philosophically speaking.  It’s unlikely either company would be willing to allow their software to be shared for review off of the company premises, or even reviewed in an environment that would allow for the reviewer to copy the code in some way.  And it’s unlikely that any Russian officials are willing to settle on the compromises that will be mandated by the companies before a review is allowed.

The Reuters article suggests that the code review that is being requested by the Russian Communications Minister is politically motivated and being done in response to the sanctions that are being put in place by the European Union and the US in response to the situation in the Ukraine.  While there might be an element of this in the timing, I believe that this request is part of a larger movement within Russia to tighten their control over all data within their borders instead.  So far, the disclosure of source code is merely a request, without force of law behind it.  But don’t be surprised if that request changes to a legal requirement within the next year and it encompasses any software being sold into Russia.  

This situation has layers of complexity that I’m not comfortable covering in a blog post, and in fact I don’t believe I have the background to understand many of the political implications involved.  Russia has made many moves recently that seem to be inherently opposed to the openness of the Internet and to any sort of Cloud deployment.  Both of these seem like self-limiting actions by the Russian government that will keep the country from prospering in the future.  How many companies will decide the market in Russia is simply not big enough to take the risks of sharing source code or storing information inside of the country?  And how long will the companies that do share code be able to keep it secret without it being shared with Russian companies?  

I strongly suspect both Apple and SAP are currently telling the Russian Communications Minister to go pound sand in very nicely worded, politically correct ways.  And that the Minister is calmly telling them both that his request will soon carry the force of law behind them, so they’d better play nice or there will be sanctions involved in the future.  I would not want to be an employee of either of these companies who works in Russia right now, that much I’m sure of.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jul 21 2014

Can I use Dropbox?

Published by under Encryption,Family,Privacy,Risk

I know security is coming to the public awareness when I start getting contacted by relatives and friends about the security of products beyond anti-virus.  I think it’s doubly telling when the questions are not about how to secure their home systems but about the security of a product for their business.  Which is exactly what happened this week; I was contacted by a family member who wanted to know if it was safe to use Dropbox for business.  Is it safe, is it secure and will my business files be okay if I use Dropbox to share them between team members?

Let’s be honest that the biggest variable in the ‘is it secure?’ equation is what are you sharing using this type of service.  I’d argue that anything that has the capability of substantially impacting your business on a financial or reputational basis shouldn’t be shared using any third-party service provider (aka The Cloud).  If it’s something that’s valuable enough to your business that you’d be panicking if you left it on a USB memory stick in your local coffee shop, you shouldn’t be sharing it via a cloud provider in the first place. In many cases the security concerns of leaving your data with a service provider are similar to the dropped USB stick, since many of these providers have experienced security breaches at one point or another.

What raised this concern to a level where the general public?  It turns out it was a story in the Guardian about an interview with Edward Snowden where he suggests that Dropbox is insecure and that users should switch to Spideroak instead.  Why?  The basic reason is that Spideroak is a ‘zero-knowledge’ product, where as Dropbox maintains the keys to all the files that users place on it’s systems and could use those keys in order to decrypt any files.  This fundamental difference means that Dropbox could be compelled by law to provide access to an end user’s file, while Spideroak couldn’t because they don’t have that capability.  From Snowden’s perspective, this difference is the single most important feature difference between the two platforms, and who can blame him for suggesting users move.

Snowden has several excellent points in his interview, at least from the viewpoint of a security and privacy expert, but there’s one I don’t think quite holds up.  He states that Condoleezza Rice has been appointed to the board of directors for Dropbox and that she’s a huge enemy of privacy.  This argument seems to be more emotional than factual to me, since I don’t have much historical evidence on which to base Rice’s opinions on privacy.  It feels a little odd for me to be arguing that a Bush era official might not be an enemy of privacy, but I’d rather give her the benefit of the doubt than cast aspersions on Dropbox for using her experience and connections.  Besides, I’m not sure how much influence a single member of the board of directors actually has on the direction of the product and the efficacy of its privacy controls.

On the technical front, I believe Snowden is right to be concerned.  We know as a fact that Dropbox has access to the keys to decrypt user’s files; they use the keys as part of a process that helps reduce the number of identical files stored on their system, a process called deduplication.  The fact that Dropbox has access to these keys means a few things; they also have access to decrypt the data if they’re served with a lawful order, a Dropbox employee could possibly access the key to get to the data and Dropbox could potentially be feeding into PRISM or one of the many other governmental programs that wants to suck up everyone’s data.  It also means that Dropbox could make a mistake to accidentally expose the data to the outside world, which has happened before.  Of course, vulnerabilities and misconfigurations that results in a lapse of security is a risk that you face when using any cloud service and is not unique to Dropbox.

I’ve never seen how Dropbox handles and secures the keys that are used to encrypt data and they haven’t done a lot to publicize their processes.  It could be that there are considerable safeguards in place to protect the keys from internal employees and federal agencies.  I simply don’t know.  But they do have the keys.  Spideroak doesn’t, so they don’t have access to the data end users are storing on their systems, it’s that simple.  The keys which unlock the data are stored with the user, not the company, so neither employees nor governmental organizations can access the data through Spideroak. Which is Snowden’s whole point, that we should be exploring service providers who couldn’t share our data if they wanted.  From an end-user perspective, a zero-knowledge is vastly preferable, at least if privacy is one of your primary concerns.

But is privacy a primary concern for a business?  I’d say no, at least in 90% of the businesses I’ve dealt with.  It’s an afterthought in some cases and in many cases it’s not even thought of until there’s been a breach of that privacy.  What’s important to most businesses is functionality and just getting their job done.  If that’s the case, it’s likely that Dropbox is good enough for them.  Most businesses have bigger concerns when dealing with the government than whether their files can be read or not: taxes, regulations, taxes, oversight, taxes, audits, taxes… the list goes on.  They’re probably going to be more concerned with the question of if a hacker or rival business can get to their data than if the government can.  To which the answer is probably not.

I personally use Dropbox all the time.  But I’m using it to sync pictures between my phone and my computer, to share podcast files with co-conspirators (also known as ‘co-hosts’) and to make it so I have access to non-sensitive documents where ever I am.  If it’s sensitive, I don’t place it in Dropbox, it’s that simple.  Businesses need to be making the same risk evaluation about what they put in Dropbox or any other cloud provider: if having the file exposed would have a significant impact to your business, it probably doesn’t belong in the cloud encrypted with someone else’s keys.

If it absolutely, positively has to be shared with someone elsewhere, there’s always the option of encrypting the file yourself before putting it on Dropbox.  While the tools still need to be made simpler and easier, it is possible to use tools like TrueCrypt (or it’s successor) to encrypt sensitive files separate from Dropbox’s encryption.  Would you still be as worried about a lost USB key if the data on it had been encrypted?


[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Jul 09 2014

Civil disobedience against surveillance

Published by under Government,Privacy,Video

Last year I moved to the UK and spend a considerable amount of time in London.  Therefore I’m often on 10, 12, 16 or more cameras at any one time.  I dislike it intensely, but it was something I knew I’d have to be dealing with when I moved.  There’s no evidence that cameras prevent any serious crimes or even less serious ones, and there’s little evidence they’re very useful in catching perpetrators after the fact.  They do, however, cause a lot of innocent people to modify their behaviors slightly since they know they’re on camera.  It’s a subtle societal shift that most people will never even notice.

But one group has noticed and they’re very actively doing something about it.  It’s an anti-surveillance group called Camover that started in Germany and is working its way onto the global scene.  I’d never heard of them before yesterday, when Salon wrote a story highlighting their growth into the US.  I’m of mixed feelings about this group and their growth; part of me wants to work to change society through lawful means, while another part wants to join in on pulling down the cameras and destroying them where ever they intrude on my ever disappearing privacy.  No, I’m not of an anarchist bent at all, am I?

The part that bothers me is that while the members of this group probably see much of what they’re doing as a bit of relatively harmless vandalism, law enforcement probably paints them as felons and terrorists.  Yes, terrorists.  They’ll be painted as destroying the cameras that protect our freedoms and help catch terrorist.  And when they’re caught, they’ll be treated as if they are terrorists, with all the extra-legal, non-judicial treatment that surrounds that designation.  It won’t be a fun adventure for them, that much is sure.

I see a need for anarchists like this to rise up and show us that surveillance can be fought.  I think we need more people to be aware of exactly how our society is being rapidly turned into a state where our every move is watched and judged.  But I don’t think it’s worth risking disappearing into a detention center somewhere, with all of your rights suspended because an agent somewhere decided to label you as a terrorist.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jul 07 2014

Intrusive Healthcare

Published by under Big Data,Privacy

Soon your doctor may be giving you a call to discuss your buying habits and what they mean to your health.  Carolinas HealthCare is starting a program that looks at your buying habits based on public records, store loyalty programs and credit card purchases.  Most of which was stuff we thought was supposed to be private and protected by law, but turns out to be accessible by anyone with enough money and the big data computing power to comb through it all.

On the surface, this effort is laudable.  Your doctor and your health care provider have a vested interest in helping you develop good habits such as exercise and taking your prescriptions regularly.  The better your health, the happier your life tends to be and the less money they have to spend on you overall.  It makes sense when you look at it as a long term trend to combat a nation that’s growing wider all the time and it’s an extension of trying to push for more proactive health care overall.  But the potential for abuse is simply staggering!

One of the examples used in the Business Week article suggests a asthmatic who’s in the emergency room, so the doctor checks to see if he’s been buying cigarettes, the pollen count where he lives, etc.  Why would giving a hospital and the doctor this level of access into a patient’s life ever be thought of as a good idea?  The number of things that could go wrong with this boggle the mind.  Yes, most doctors are ethical and wouldn’t take advantage of the data.  But it doesn’t take much for the temptation offered by this level of access into a patient’s life to blossom into a form of cyber-voyeurism. It wouldn’t take much self-justification to turn the best of intentions into intrusiveness that’s inappropriate at the best of times.  I don’t want to get a call from my doctor when I pick up an extra tub of Ben & Jerry’s Chocolate Fudge Brownie at the store.  (It was for the Spawn, honest!)

The potential for abuse by doctors is just one of the first direct problems I have with my data being shared to health care.  If doctors have access to my non-healthcare data who else is going to have access to it?  I’m sure the billing department would love to have a direct line to the information as well, so they could hunt me down if I was late making a payment or so they could vet me before authorizing an expensive procedure.  There’s also all the administrators of the systems and everyone who has access to those systems when they’re left unlocked around the hospital.  

The biggest worry I have though is actually the third parties who’d want the data.  Hospitals are already a tempting target for evil doers of all kind because of the data they have.  If we add credit card & loyalty card data to that mix, it becomes the ultimate treasure trove for identity theft and financial data.  While hospitals try to keep their networks secure, when it comes down to it, the ability of a doctor to access data in order to save a life trumps security by an order of magnitude, so security comes in a distant second.  So why would we think it’s a good idea to pool even more of our data in these facilities?

Final thought:  why are the credit card companies and store loyalty programs even allowed to sell access to this data in the first place?  Inquiring minds would like to know.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jul 06 2014

The dominoes of Internet Balkanization are falling

Published by under Cloud,Government,Hacking,Privacy,Risk

We knew it was coming; it was inevitable.  The events put in motion last June played right into the hands of the people who wanted to cement their control, giving them every excuse to seize the power and claim they were doing it in defense of their people and their nation.  Some might even say it was always destined to happen, it was just a matter of how soon and how completely.  What am I talking about?  The Balkanization of the Internet.  It’s happening now and with Russia entering the competition to see who can control the largest chunk most completely, it’s only a matter of time before others follow the lead and make the same changes within their own country.

Let’s make no mistakes here, there have been countries and governments that have wanted to circumscribe their boundaries in the virtual domain and create an area where they control the content, they control what the people can and can’t see and they have the ability to see everything everyone is looking at as long as the Internet has been in existence.  But prior to the last year, very few countries had either the political impulse or the technical means to filter what came into and out of their countries except China and a few countries in the Middle East.  China had this power because they’d recognized early on the threat the Internet posed to them and the countries in the Middle East have comparatively limited Internet access to begin with, so filtering and controlling their access is a relatively easy exercise.  In both cases though, the efforts have been coarse with plentiful ways to circumvent them, including the use of Tor.  Though it now looks like Tor was itself has long been subverted by the US government to spy as well.

But then Edward Snowden came forth with a huge cache of documents from inside the NSA.  And it turned out all the things that the US had long been shaking its finger at other governments about, things that the US considered to be immoral and foreign to individual freedoms, were the exact things that the NSA had been doing all along.  Sure, it was only foreigners.  Oh, and only ‘people of interest’.  And people with connections to people of interest.  Four or five degrees of connection that is.  And foreign leaders.  And … the list goes on.  Basically, the logical justification was that anyone could be a terrorist, so rather than taking a chance that someone might slip through the cracks, everyone had become a suspect and their traffic on the Internet was to be collected, categorized and collated for future reference, just in case.  Any illusion of moral superiority, or personal freedom from monitoring was blown to shreds. American politicians carefully constructed arguments to assume high ground and tell other countries what they should and should not do torn down and America suddenly became the bad guys of the Internet.  Not that everyone who knew anything about the Internet hadn’t already suspected this had always been going on and the that the US is far from the only country performing this sort of monitoring of the world.  Every government is monitoring their people to one degree or another, the USA and the NSA were simply the ones who got their hands caught in the cookie jar.

The cries to stop data from being sent to the USA have been rising and falling since June and Mr. Snowden’s revelations.  At first they were strident, chaotic and impassioned.  And unreasonable.  But as time went by, people started giving it more thought and many realized that stopping data on the Internet from being exfiltrated to the USA in the Internet’s current form was near unto impossible.  One of the most basic routing protocols of the Web make it nearly impossible to determine ahead of time where a packet is going to go to get to it’s destination; traffic sometimes circumnavigates the globe in order to get to a destination a couple hundred miles away.  That didn’t stop Brazil from demanding that all traffic in their country stay on servers in their country, though they quickly realized that this was an impossible demand.  Governments and corporations across the European Union have been searching for way to ensure that data in Europe stays in Europe, though the European Data Protective Directives have been hard pressed to keep up with the changing situation.

And now Russia has passed a law through both houses of their Parliament that would require companies serving traffic within Russia to stay in Russia and be logged for at least six months by September of 2016.   They’re also putting pressure on Twitter and others to limit and block content concerning actions in the Ukraine, attempting to stop any voice of dissent from being heard inside Russia.  For most companies doing business, this won’t be an easy law to comply with, either from a technical viewpoint or from an ethical one.  The infrastructure needed to retain six months of data in country is no small endeavor; Yandex, a popular search engine in Russia says that it will take more than two years to build the data centers required to fulfill the mandates of the law.  Then there’s the ethical part of the equation: who and how will these logs be accessed by the Russian government?  Will a court order be necessary or will the FSB be able to simply knock at a company’s door and ask for everything.  Given the cost of building an infrastructure within Russian borders (and the people to support it, an additional vulnerability) and the ethical questions of the law, how does this change the equation of doing business in Russia for companies on the Internet?  Is it possible to still do business in Russia, is the business potential too great to pull out now or do companies serve their traffic from outside Russia and hope they don’t get blocked by the Great Firewall of Russia, which is the next obvious step in this evolution?

Where Brazil had to bow to the pressure of international politics and didn’t have the business potential to force Internet companies to allocate servers within it’s borders, Russia does.  The ruling affluent population of Russia has money to burn; many of them make the US ‘1%’ look poor.  There are enough start ups and hungry corporations in Russia who are more than willing to take a chunk of what’s now being served by Twitter, Google, Facebook and all the other American mega-corporations of the Internet.  And if international pressure concerning what’s happening in the Ukraine doesn’t even make Russia blink, there’s nothing that the international community can do about Internet Balkanization.

Once Russia has proven that the Balkanization of the Internet is a possibility and even a logical future for the Internet, it won’t take long for other countries to follow.  Smaller countries will follow quickly, the EU will create laws requiring many of the same features that Russia’s laws do and eventually even the US will require companies within it’s borders to retain information, where they will have easy access it.   The price to companies ‘in the Cloud’ will sky rocket as the Cloud itself has to be instantiated within individual regions and the economy of scale it currently enjoys is brought down by the required fracturing.  And eventually much of the innovation and money created by the great social experiment of the Internet will grind to a halt as only the largest companies have the resources needed to be available on a global scale.


[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Mar 09 2014

Mt. Gox Doxed

I’ve never owned a bitcoin, I’ve never mined a bitcoin, in fact I’ve never really talked to anyone who’s used them extensively.  I have kept half an eye on the larger bitcoin stories though, and the recent disclosures that bitcoin exchange Mt. Gox was victim of hackers who stole the entire of the content in their vault, worth hundreds of millions of dollars (or pounds) have kept my interest.  I know I’m not the only one who’s smelled something more than a little off about the whole story and I’m sure I’m not the only one.  Apparently a hacker, or hackers, who also felt something wasn’t right on the mountain decided to do something about it: they doxed* Mt. Gox and it’s CEO, Mark Karpeles.

We don’t know yet if the files that hackers exposed to the internet were actually legitimate files from Mt. Gox and Mr. Karpeles yet, but this isn’t the only disclosure the company is potentially facing.  Another hacker has claimed to have about 20Gigs of information about the company, their users and plenty of interesting documents.  Between the two, if even a little of the data is valid, it’ll spell out a lot of trouble for Mt. Gox and it’s users.  If I were a prosecutor who had any remote possiblity of being involved in this case, I’d be collecting every piece of information and disclosed file I could, with big plans for using them in court at a later date.  

In any case, I occasionally read articles that say the Mt. Gox experience shows that bitcoins are an unusable and ultimately doomed form of currency because they’re a digital only medium and that they’ll always be open to fraud and theft because of it.  I laugh at those people.  Have they looked at our modern banking system and realized that 99% of the money in the world now only exists in digital format somewhere, sometimes with hard copy, but generally not?  Yes, we’ve had more time to figure out how to secure the banking systems, but they’re still mostly digital.  And eventually someone will do the same to a bank as was done to Mt. Gox.

*Doxed:  to have your personal information discovered or stolen and published on the Internet.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

Next »