The Washington Post this week released a leaked set of PowerPoint slides that appear to show the existence of a spy programme called PRISM, which allows the United States National Security Agency to peer into some of the world’s largest Cloud providers. There is already a raft of misinformed articles circulating that question, again, the security of Cloud.
So what happened?
The Washington Post released a set of slides that show something called PRISM, a capture engine that rakes data from a slew of Cloud providers: Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL, and Apple.
The data that PRISM claims to be able to scrape includes: email, chat, videos, photos, stored data, VoIP, file transfers, video conferencing, target notification (logins), social networking details, and a rather ubiquitous “special requests.”
Further, it appears that PRISM can ONLY capture information that is in, or passes through, the United States.
This information has got the tinfoil-wearing brigade well and truly hot and bothered, with a lot of traditional ICT supporters and dying hardware sales companies getting into the “your data is not safe in the Cloud” line. It’s just too easy: the “Patriot Act” worry squad now have “proof” that Cloud is not safe and the US is stealing “ALL” our stuff.
Not true. At all. Let’s look at the facts.
Is this the real life? Or is it just fantasy?
There is a strong discussion around whether PRISM is real, or simply a fake. A lot of commentators are pointing to the fact that the PowerPoint slides look like they have been put together by a child. As time progresses on the story, embellishments are also starting to appear.
The reality has to be: who knows? Obama has indirectly spoken about the need for surveillance and the eroding freedoms argument (which is getting a bit tired), but hasn’t actually confirmed PRISM exists.
We do know that all countries spy on each other. This has been a fact since time immemorial. We also know that the old traffic patterns of thirty years ago are done. Echelon listened to ALL phone calls across a number of countries and still has a massive base in New Zealand at the Waihopai Spy Base.
Echelon was upgraded with Carnivore, an automated listening system that was required as call traffic grew.
With the advent of the Internet, dozens of private companies have taken up the spying game along with most governments (the great firewall of China, Australia, New Zealand, insert most country names here).
Why should this surprise us?
This is affecting consumer (personal) Cloud not enterprise Cloud
None of the enterprise-grade Cloud service providers (Amazon, RackSpace, Azure, and so on) are listed in this presentation. Also, when you look at the type of traffic that PRISM claims it collects, it’s of a personal nature.
Nothing comes for free: if you don’t buy a personal service that encrypts your data, then don’t expect it to be secure. Seriously. All of these large providers already run active scanning to look for “objectionable images”. Policing units send them the “hashes” (signatures) of files they know to be objectionable. The provider looks for those hashes and, where it finds them, notifies the agencies of the user details.
The point is, your data is open to be read by others.
The second point is, these services are not typically used by companies for Cloud. I’m making an assumption that, based on the data PRISM claims to collect, it is targeting personal Microsoft services, NOT Azure.
Cloud is still more secure nine times out of ten
Moving your stuff to Amazon, buying the appropriate security services, and spreading your data across multiple sites is going to be more secure than your old firewall that hasn’t been patched in a while, has a few ports that were opened for convenience, and has a log file you haven’t checked since your enthusiasm waned after the day of install.
If you look at what you do today, and what a Cloud provider can offer, you’ll find that nearly all the time the Cloud provider is more secure.
In fact, foreign governments wanting to get at your data are far more likely to attack your own firewall for a variety of reasons. They know there is most likely an exploit, they know you probably aren’t monitoring it, and they know that is where ALL your data is (as opposed to it being spread across Cloud services).
People have been warned all through the Internet revolution that sending an email is tantamount to sending a postcard. This is still true today unless you choose to put some encryption around your email.
So what if the US government has access to it? We post all sorts of personal information via email, Social Media, and other sites. In fact, we automate it. How many of us automatically upload photos the instant they are taken to our Social Media account? Or to a backup service like Apple?
It’s easy to get all outraged about something like PRISM, but most people don’t take any responsibility for their own data; they expect someone else to.
Well, at the risk of annoying the under-twenty-five-year-olds: you really need to take responsibility for your own shit.
I’d be far more worried about a piece of spyware being installed on my computer, tablet, or phone, that is scraping my financial details than I would be about some NSA system that is looking at my Facebook photos.
This isn’t going away: spying or Cloud
Neither spying on each other nor the uptake of Cloud will slow. Until companies and individuals take responsibility for data, this will always be an issue.
The ISPs in New Zealand already collect reams of data on you, with more laws on the way to bolster that capability. Thankfully for us, though, those laws are trying to fix a problem from six years ago as opposed to today.
We see a “leaked” document that talks about a new system, which is just one more in a whole slew of systems, that seems to target personal data, which we have chosen to give to some “Cloud” providers.
If we take responsibility for our stuff, then we can protect it.