So China was right in not relying on US big tech
Never had been.
You just now figured this out?
There’s always been a risk, but now that risk is actually playing out. It’s a bit smug to pretend that nothing has changed.
Not to mention that Bert Hubert has been beating this drum for a long time. However, he also sees that there is more momentum now to actually affect change, which involves latching onto changing circumstances.
Pretending that things are the same as ever only leads to a defeatist attitude, where people conclude that apparently it’s worked so far, might as well continue doing it.
Which idiot is responsible for the “no longer”?
Biden literally was working on legislation to provide protections to EU companies (not to his own citizens) because they had been leaving silicon valley providers in droves for EU ones since GDPR
Protections and laws don’t stop anything. The NSA, CIA, FBI and whatever other three letter agency will still have their fingers deep into any cloud, any software and any hardware from the US.
Nah, see Church Committee
Well clearly people thought it was previously.
America and Europe have been supposedly allied since WW2. That’s “no longer” the case, now more obvious than ever before.
AWS and Azure kind of kneecapped all the other cloud providers
What the hell is a government doing using someone else’s cloud? I have a small business and I bought a Synology NAS years ago. How is it possible that a government does not have its own servers?
What the hell is a government doing using someone else’s cloud?
Fucking up everything. Thar’s what governments do for a living,
Yeah, that just doesn’t scale. Don’t get me wrong, what you do works and is good, but you (probably) don’t have an off site backup or 100TB of customer data, that is needed in 17 countries accessed by over 15.000 employees.
I’m not saying, that you need a public cloud provider for that, there are other companies, that do these kinds of things, but it is more comfortable and as with SAP no manager has ever been fired for proposing using Microsoft.
It’s not like we don’t have datacenters and server providers in the eu. We have hetzner, OVH and Aruba (ew)
Yes, but there are even more smaller companies doing that and in the past a lot of companies did that themselves (if big enough) but “the cloud”
isseems just so convenient, that they don’t want that anymore.
Buying service level agreements on rented hardware is easier and cheaper (you don’t have to pay your own IT). Security and data protection, pfft nobody needs or wants that.
you don’t have to post your own IT
Now you’re paying for devops…
“Yes, but that’s another departments cost. Or some lobbyists told me this is cheaper. Anyway, we’re locked into the whole thing by now, doesn’t matter anymore.”
As a cloud professional in the US he is 100% right. They should be worried.
Care to elaborate?
Without too much detail, all heads of US cloud providers sat behind trump at the inauguration.
See National Security Letter. Eg Lavabit and calyx
The cloud is a tool of oppression in the wrong hands, and it is in the wrong hands.
Let the sun shine in.
Tried to explain that to the higher ups in my org for months.
They introduced some proxy/VPN that pipes all of our traffic through a service that is not only breaking SSL, but also owned by a US corporation.
That’s enough red flags to make Mao blush, but nobody saw any problem in it…
Care to elaborate for someone that is not in tech? Does twingate fall in that category?
Let’s say you open Youtube (or any other site) in your browser. Normally, that connection is encrypted end2end, so only Youtube and you see what data is being sent. An outside observer (your employer, your ISP, etc) might deduce from the network traffic that you’re accessing YT, and how long/how much data, but nothing else.
This encryption is based on SSL/TLS, in a small nutshell, that works by having a chain of cryptographically signed certificates, that proof to you, that YT is really YT, and not someone else (your employer, for example). Attacks like this are called Man in the Middle (MITM). The certificate chain however, needs an anchor. Somewhere to start. These are called Root CA (certifying authorities). Typically these are dedicated companies or large ISPs. Their certificates (the public parts) are stored on your device from the factory (more or less). And thus your device can verify the entire chain of trust from the certificate YT send you down to the RootCA…
Now, if someone would install a new RootCA certificate on your device, than that entity could become a Man in the Middle, it acts as a relay for all of the traffic going out of your device, can read everything send over the wire - and your device wouldn’t even know it. If that entity would be part of a US company, they would be legally forced to hand over all their data to NSA, FBI, etc. even if the actual data transfer woud happen completely within Europe.
This is exactly what Twingate seems to do. Crowdstrike and ZScaler are similar products.
The underlying problem here is that IT security in large organizations doesn’t mean “How can we be secure?”, but “How can we make a legal argument that we did nothing wrong?”. So security clusterfucks like this can be implementend, since the CTO can claim not to have been negligent.
PS: The description above is obviously very simplified, the Wiki articles for SSL/TLS are much better.
Wow, thanks a lot for the detailed explanation. More than enough for me for the moment, but it seems I’ll have more changes to make than I thought, and a lot more research.
