 
SlowBloke
Aug 14, 2017

Ynglaur posted:

This has come up a few times in this thread. So I have to ask: has any European government ever prosecuted a company for a GDPR infraction because data was stored on Azure?

I mean, the Patriot Act basically says "gently caress your sovereignty, world", so a strict interpretation of GDPR basically amounts to, "You can't tell an American anything, ever." Which I suppose might be technically correct, but is it practically a prohibition?

The Italian government and all of its departments have zero issues using Workspace and 365 as long as the data is contained in EU zones (which is an issue if you are an edu tenant, as Microsoft in its infinite wisdom will set up Yammer in the US by default). Hisec data will be managed in a dedicated set of datacenters provided by Leonardo, TIM and Sogei. No government entity gives any fucks about Gaia-X beyond FSF nerds.


Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

CLAM DOWN posted:

No. That's the whole point of what I'm saying.

Who's the CSP?

CLAM DOWN
Feb 13, 2007




Rust Martialis posted:

Who's the CSP?

What do you mean? CSP normally is "cloud service provider" in my field. Do you mean the building owner? Telco? Operator?

SlowBloke
Aug 14, 2017

Rust Martialis posted:

Who's the CSP?

3288212 Nova Scotia Limited and Microsoft Canada Development Centre Co.

For 365 EU sites refer to France and Germany CSP.

edit: @ClamDown https://servicetrust.microsoft.com/DocumentPage/ede6342e-d641-4a9b-9162-7d66025003b0

SlowBloke fucked around with this message at 17:42 on Sep 23, 2022

BonHair
Apr 28, 2007

CLAM DOWN posted:

That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe.

Yeah, the legal owner is Microsoft Canada, but who's the legal owner of Microsoft Canada? I highly doubt it's a completely independent company, especially if you go into stock ownership, which I'm pretty sure USA laws allow. As long as someone in the USA (corporations are people too) is technically able to make demands through their ownership of chains of companies, my understanding is that the Patriot Act allows the USA to force them to make the data available to the US government.

The whole thing is basically untested except by Schrems I and II, which both made it more clear that basically any involvement from the USA is in conflict with GDPR. But the whole thing is still largely untested, and because American cloud is so dominant, everyone is betting on a compromise making it legal. It just isn't happening without either changes to American or European law.

CLAM DOWN
Feb 13, 2007




BonHair posted:

Yeah, the legal owner is Microsoft Canada, but who's the legal owner of Microsoft Canada? I highly doubt it's a completely independent company, especially if you go into stock ownership, which I'm pretty sure USA laws allow. As long as someone in the USA (corporations are people too) is technically able to make demands through their ownership of chains of companies, my understanding is that the Patriot Act allows the USA to force them to make the data available to the US government.

The whole thing is basically untested except by Schrems I and II, which both made it more clear that basically any involvement from the USA is in conflict with GDPR. But the whole thing is still largely untested, and because American cloud is so dominant, everyone is betting on a compromise making it legal. It just isn't happening without either changes to American or European law.

Microsoft Canada is a wholly owned subsidiary of Microsoft. I don't know how many other ways I can say this: we are not bound by the Patriot Act here. I've worked at a number of places where this has been tested. There's literally no other way I can type this.

SlowBloke
Aug 14, 2017
Yelling Schrems at the top of your lungs doesn't make your European-hosted data safe from yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high-risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.

BonHair
Apr 28, 2007

So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt the USA, please provide us with any and all users in Company X and their IP addresses", that you would believe that no part of American law could be violated by Microsoft HQ saying "no"? My understanding is that this point is at best unclear.

The Fool
Oct 16, 2003


SlowBloke posted:

If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided.

ah, the mossad vs not mossad threat model

The Fool
Oct 16, 2003


BonHair posted:

So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt the USA, please provide us with any and all users in Company X and their IP addresses", that you would believe that no part of American law could be violated by Microsoft HQ saying "no"? My understanding is that this point is at best unclear.

their point is that scenario is less relevant than you think it is

SlowBloke
Aug 14, 2017

The Fool posted:

ah, the mossad vs not mossad threat model

Being made up as a joke doesn't make it less real :)

Nukelear v.2
Jun 25, 2004
My optional title text

SlowBloke posted:

Yelling Schrems at the top of your lungs doesn't make your European-hosted data safe from yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high-risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.

Honestly they don't even have to do that. The western intelligence orgs are all allied and share information, so the CIA calls the RCMP who calls MS Canada instead of the CIA calling them directly.

BonHair
Apr 28, 2007

SlowBloke posted:

Yelling Schrems at the top of your lungs doesn't make your European-hosted data safe from yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high-risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.

This is a whole other point, namely that any information in Europe that the US government wants, they will get, either through cooperation, espionage or whatever shady poo poo they need. But that is beside the point of GDPR compliance, since the majority of that activity is illegal in the first place and thus kept under wraps (until someone leaks that Merkel's phone was tapped or whatever).

I'm also betting that we will see high profile cases about American cloud providers within 5 years. But because of various politics, and because it's just some guys going up against basically all of tech, it's gonna take time. The data protection agencies are laughably underfunded to take on this kind of case, or even just do regular smaller scale stuff.

If we're talking real risk then yeah, Azure AD is probably largely safe from a privacy perspective. But that's not really the issue, it's the principle of the thing.

Also lmao at any European government having actually safe data storage facilities in any meaningful capacity. Maybe for some intelligence stuff, but I'm betting on a lot of paper and few computers being involved.

CLAM DOWN
Feb 13, 2007




On a completely unrelated topic because this is not the most fun circular discussion and this new topic I find very fun:

https://blog.cloudflare.com/randomness-101-lavarand-in-production/

I had no idea this was a thing! This is so loving neat. Lava lamps!

The Fool
Oct 16, 2003


Cloudflare is bad, and LavaRand was originally developed by SGI in 1997.

The Fool
Oct 16, 2003


also, if you actually have a need for a random number service, https://www.random.org/ does it with atmospheric noise.

spankmeister
Jun 15, 2008






SlowBloke posted:

If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided.

Why do people keep saying stuff like this? Has there ever been an example of this actually happening? The US government blackbagging and kneecapping some admin? Come on.

BonHair
Apr 28, 2007

The Fool posted:

their point is that scenario is less relevant than you think it is

Just to be clear, it's completely improbable, and not a real risk. But GDPR compliance (in some interpretations) requires data not to be accessible from countries with this kind of law, known as "unsafe third countries".

Ironically, Ukraine was a "safe" country until this year, which is funny both because it was invaded and had been partially occupied for 8 years, and because while the laws were good, they probably weren't followed too rigidly, especially when factoring in corruption. But that's how the legality works: as long as the legal framework is right, actual practice is less relevant.

CLAM DOWN
Feb 13, 2007




The Fool posted:

also, if you actually have a need for a random number service, https://www.random.org/ does it with atmospheric noise.

I WANT TO USE LAVA LAMPS

The Fool
Oct 16, 2003



spankmeister posted:

Why do people keep saying stuff like this? Has there ever been an example of this actually happening? The US government blackbagging and kneecapping some admin? Come on.

While I haven't heard of a specific example of a sysadmin, given this it's a pretty reasonable jump.

SlowBloke
Aug 14, 2017

BonHair posted:

Also lmao at any European government having actually safe data storage facilities in any meaningful capacity. Maybe for some intelligence stuff, but I'm betting on a lot of paper and few computers being involved.

I have no idea about the current four (or so) sites in Italy since I'm not that high in the food chain, but the next one will be called PSN, with a cost of 3 billion euros and an expected operational time of 10-13 years. The bid went final a few weeks ago. I'm expecting France to have a similar initiative (likely based on Gaia-X) in the near future.

MustardFacial
Jun 20, 2011

Fucker in charge of you fucking fucks



CLAM DOWN posted:

That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe.

If you're referring to FIPPA or PIPEDA, it should also be noted that both regulations originally covered data in transit and data at rest for data residency; however, they had to be amended to cover only data at rest since no service provider or ISP could guarantee data in transit not being routed through the US (it would cost the big 3 some amount of money to expand and make their network more resilient, so they outright refused).

So yes, while Canadian data does reside inside Canadian data centres (one in Toronto, and one in Quebec City), it is almost guaranteed to be routed through the US to get to you. And let's not pretend that the US gov't isn't willing to do shady things to collect data.

It's not a great solution, but blame our lovely telecommunications cartel.

MustardFacial fucked around with this message at 19:06 on Sep 23, 2022

BonHair
Apr 28, 2007

SlowBloke posted:

I have no idea about the current four (or so) sites in Italy since I'm not that high in the food chain, but the next one will be called PSN, with a cost of 3 billion euros and an expected operational time of 10-13 years. The bid went final a few weeks ago. I'm expecting France to have a similar initiative (likely based on Gaia-X) in the near future.

Yeah, but if you're being honest, do you trust it to be actually safe, knowing large organisations, government projects, IT in general and Mossad/FSB/NSA?

It's probably good enough for 99% of cases though.

spankmeister
Jun 15, 2008






The Fool posted:

While I haven't heard of a specific example of a sysadmin, given this it's a pretty reasonable jump.

No, it's not.

CLAM DOWN
Feb 13, 2007




MustardFacial posted:

If you're referring to FIPPA or PIPEDA, it should also be noted that both regulations originally covered data in transit and data at rest for data residency; however, they had to be amended to cover only data at rest since no service provider or ISP could guarantee data in transit not being routed through the US (it would cost the big 3 some amount of money to expand and make their network more resilient, so they outright refused).

So yes, while Canadian data does reside inside Canadian data centres (one in Toronto, and one in Quebec City), it is almost guaranteed to be routed through the US to get to you. And let's not pretend that the US gov't isn't willing to do shady things to collect data.

It's not a great solution, but blame our lovely telecommunications cartel.

FIPPA was amended but our public sector organizational policy did not accept that amendment, which as you can guess severely limits our options for a lot of products/vendors. Azure/MS has worked with us on that and is still compliant with FIPPA prior to the amendment.

MustardFacial
Jun 20, 2011

Fucker in charge of you fucking fucks



CLAM DOWN posted:

which as you can guess severely limits our options for a lot of products/vendors.

I have to yell at people every day to stop using Trello and Slack because they're not compliant, so I feel your pain.

CLAM DOWN
Feb 13, 2007




MustardFacial posted:

I have to yell at people every day to stop using Trello and Slack because they're not compliant, so I feel your pain.

We recently discovered a team using WhatsApp and I was just like, wtf

SlowBloke
Aug 14, 2017

BonHair posted:

Yeah, but if you're being honest, do you trust it to be actually safe, knowing large organisations, government projects, IT in general and Mossad/FSB/NSA?

It's probably good enough for 99% of cases though.

Every data movement to the US is likely going to be done at the behest of the Italian government. The three core suppliers are the following: Sogei is a government-controlled entity (which provides most of the core tax digital services), TIM is a telco with heavy government-controlled shareholding, and Leonardo is the Italian MIC. Any of those three doing stuff on their own is pretty impossible without immense fallout, and the Italian intelligence services have historically been more than willing to compromise for favors.

Edit: if we want to talk digital service pain for government ops, how about making purchasing servers and data center equipment illegal? The precursor to PSN was to find a handful of best-of-class datacenters on the peninsula and move everything there, so no expenses were allowed unless you were in the top class. As of today, we are still waiting for the list of those datacenters to offload stuff to. We have offloaded everything Microsoft to the cloud; thankfully 365 provides a shitload of storage, so we have managed to survive only with maintenance fees for hardware and onsite software.

SlowBloke fucked around with this message at 19:24 on Sep 23, 2022

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
I'm not trying to be dramatic or anything, it's just pretty settled that anything you put in Azure or AWS can be read by the USG without your cloud provider telling you.

Achmed Jones
Oct 16, 2004



CLAM DOWN posted:

There's literally no other way I can type this.

not with that attitude. i don't even see any fun fonts or colors or anything. slacker

MustardFacial
Jun 20, 2011

Fucker in charge of you fucking fucks



CLAM DOWN posted:

We recently discovered a team using WhatsApp and I was just like, wtf

Someone told me yesterday that Slack shouldn't be on the ban list because they're a Canadian company.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

MustardFacial posted:

Someone told me yesterday that Slack shouldn't be on the ban list because they're a Canadian company.

But their owner isn't. :smuggo:

Sickening
Jul 16, 2007

Black summer was the best summer.
The effort and cost involved to make slack HIPAA compliant is an incredible journey.

Honey Im Homme
Sep 3, 2009

https://twitter.com/MatthewKeysLive/status/1573298480520404992

Well that didn't take long.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Cup Runneth Over posted:

I hope his jail time is minimal when he's inevitably caught and he gets a nice cybersecurity gig on the outside.

Malloc Voidstar
May 7, 2007

Fuck the cowboys. Unf. Fuck em hard.

quote:

Police zeroed in on A.K. as a suspect after finding similarities between the Rockstar and Uber attacks and several other cyber intrusions that occurred between last year and early this year, including the compromise of data from tech companies Microsoft, Okta and Nvidia. A.K. was charged earlier this year with both attacks and had been living in his mother’s house while the case was pending in court, according to information obtained by The Desk.
I suspect he will not be getting a job

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Why not? Plenty of teenage hackers living in their mothers' houses growing up into respectable cybersec experts.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Heck, plenty of respectable cybersec experts living in their mothers' houses these days, economy and all that

Diva Cupcake
Aug 15, 2005

I mean Sabu and Topiary from LulzSec both have director level positions doing pentest consultancy now with side speaking engagements. This kid will probably be just fine.


Defenestrategy
Oct 24, 2010

I don't know if this is the right place to ask, but I was curious since I never worked in the consumer space.

Do places do active audits on their credit/debit infrastructure? Because I'm paranoid if I have to end up chipping on places like drug stores, gas stations, or whatever I examine the end point for credit skimmers by seeing if someone did the low hanging install over the end point one. I haven't found one yet, but I've been nailed by one at a pump before that had to have been installed inside the machine itself.

I'm gonna say "generally not", because lol security, but was curious.
