
Comments
To Combat Government Snooping, Encrypt Data Before Putting It In Cloud, Says Interop Speaker
mroberts1161
User Rank: Strategist
10/26/2014 | 8:03:05 PM
Re: Government snooping
Gov would still need to get the key.

 
ctchism
User Rank: Apprentice
10/15/2014 | 10:14:59 AM
Government snooping
Who amongst us thinks that the government does not have the unencryption algorithm for all of the "allowed" encryption methods allowed in the U.S. now?
Sara Peters
User Rank: Author
10/7/2014 | 12:51:47 PM
Re: it's that simple...
@Marilyn  "That could take some time to wind through the courts." I don't care how long it takes, as long as they come out with the right answer.   :)   If the government goes ahead and says that MS has to turn over data located in another country, they're going to make international business a nightmare.
Marilyn Cohodas
User Rank: Strategist
10/7/2014 | 7:46:15 AM
Re: it's that simple...
The US cloud companies doing business in Europe are definitely handicapped by US government policy, that's for sure. The outcome of the Microsoft appeal will be telling... though I'm not holding my breath. That could take some time to wind through the courts.
Sara Peters
User Rank: Author
10/6/2014 | 1:32:26 PM
Re: it's that simple...
@Pablo  Sigh. It's exhausting. If I were a company outside the US, I wouldn't want to use any US-based cloud services either. I don't know if that's ever going to change. Or if it will change too late.
Pablo Valerio
User Rank: Strategist
10/6/2014 | 1:27:39 PM
Re: it's that simple...
@Sara, this is the usual problem with dual-use technology. Once the surveillance and spying programs are in place the temptation to use them for obtaining other intelligence is too big to resist.

One thing is clear to me: no European corporation trusts the US government to refrain from spying on them. And full encryption programs, plus zero-knowledge services are booming.

The AirWatch CEO was telling us that they are now serving their international customers from Canada and the UK, but they can't stop the US from requesting access; they'll fight it, but that is as far as they can go.
Sara Peters
User Rank: Author
10/6/2014 | 12:33:05 PM
Re: it's that simple...
@Pablo  Well that's an interesting viewpoint:  "He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure."  What do you think, Pablo? Is he right or wrong? Does he have inside information? 

I can see his point, and it might be totally right when the US is trying to explain why they want data located in another country. But looking for industrial secrets might not be the reason for their domestic snooping.
Pablo Valerio
User Rank: Strategist
10/6/2014 | 5:12:06 AM
Re: it's that simple...
More than a year ago, before the Ed Snowden NSA scandal, the UN published the Report of the Special Rapporteur (Google "UN A/HRC/23/40") on the right to freedom of opinion and expression. One of the conclusions was that: 

"Individuals should be free to use whatever technology they choose to secure their communications. States should not interfere with the use of encryption technologies, nor compel the provision of encryption keys."

I believe Apple and Google are going in that direction with their decision to encrypt smartphones by default, and not store encryption keys in their servers.

A few days ago I attended the AirWatch Connect conference in London. I had an interesting discussion with the CIO of a major European pharmaceutical company. He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure.
Thomas Claburn
User Rank: Ninja
10/3/2014 | 4:32:34 PM
Re: it's that simple...
>But the key trick here is that all encryption keys should be kept on-site by the customer.  

Preferably not on a Post-It stuck to one's monitor.
Stratustician
User Rank: Moderator
10/3/2014 | 1:50:25 PM
it's that simple...
It seems like perfect sense that all data should be encrypted before it hits cloud servers or storage, but sadly I don't think it's too common a practice.  As the article clearly points out, the side benefit of encryption, aside from enhanced security on the data itself, is that indeed, if there is a government request for your data and the provider complies, the data they pass on will be of no value.  But the key trick here is that all encryption keys should be kept on-site by the customer.  This not only limits the exposure that could come from the provider having access to the raw, unencrypted data, but ensures that the data remains in the control of the customer.

