Ynglaur posted:This has come up a few times in this thread. So I have to ask: has any European government ever prosecuted a company for a GDPR infraction because data was stored on Azure? The Italian government and all of its departments have zero issues using Workspace and 365 as long as the data is contained in EU zones (which is an issue if you are an edu tenant, as Microsoft in its infinite wisdom will set up Yammer in the US by default). Hisec data will be managed in a dedicated set of datacenters provided by Leonardo, TIM and Sogei. No government entity gives any fucks about Gaia-X beyond FSF nerds.
# ? Sep 23, 2022 17:21

CLAM DOWN posted:No. That's the whole point of what I'm saying. Who's the CSP?
# ? Sep 23, 2022 17:27

Rust Martialis posted:Who's the CSP? What do you mean? CSP normally is "cloud service provider" in my field. Do you mean the building owner? Telco? Operator?
# ? Sep 23, 2022 17:33

Rust Martialis posted:Who's the CSP? 3288212 Nova Scotia Limited and Microsoft Canada Development Centre Co. For 365 EU sites refer to the France and Germany CSP. edit: @ClamDown https://servicetrust.microsoft.com/DocumentPage/ede6342e-d641-4a9b-9162-7d66025003b0
SlowBloke fucked around with this message at 17:42 on Sep 23, 2022

# ? Sep 23, 2022 17:35

CLAM DOWN posted:That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe. Yeah, the legal owner is Microsoft Canada, but who's the legal owner of Microsoft Canada? I highly doubt it's a completely independent company, especially if you go into stock ownership, which I'm pretty sure USA laws allow. As long as someone in the USA (corporations are people too) is technically able to make demands through their ownership of chains of companies, my understanding is that the Patriot Act allows the USA to force them to make the data available to the US government. The whole thing is basically untested except by Schrems I and II, which both made it more clear that basically any involvement from the USA is in conflict with GDPR. But the whole thing is still largely untested, and because American cloud is so dominant, everyone is betting on a compromise making it legal. It just isn't happening without either changes to American or European law.
# ? Sep 23, 2022 18:03

BonHair posted:Yeah, the legal owner is Microsoft Canada, but who's the legal owner of Microsoft Canada? I highly doubt it's a completely independent company, especially if you go into stock ownership, which I'm pretty sure USA laws allow. As long as someone in the USA (corporations are people too) is technically able to make demands through their ownership of chains of companies, my understanding is that the Patriot Act allows the USA to force them to make the data available to the US government. Microsoft Canada is a wholly owned subsidiary of Microsoft. I don't know how many other ways I can say this, we are not bound by the Patriot Act here. I've worked at a number of places where this has been tested. There's literally no other way I can type this.
# ? Sep 23, 2022 18:05

Yelling Schrems at the top of your lungs doesn't make your European hosted data safe from yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.
# ? Sep 23, 2022 18:24

So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt the USA, please provide us with any and all users in Company X and their IP addresses", that you would believe that no part of American law could be violated by Microsoft HQ saying "no"? My understanding is that this point is at best unclear.
# ? Sep 23, 2022 18:26

SlowBloke posted:If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until password and mfa to fetch what they want are provided. ah, the mossad vs not mossad threat model
# ? Sep 23, 2022 18:26

BonHair posted:So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt the USA, please provide us with any and all users in Company X and their IP addresses", that you would believe that no part of American law could be violated by Microsoft HQ saying "no"? My understanding is that this point is at best unclear. their point is that scenario is less relevant than you think it is
# ? Sep 23, 2022 18:27

The Fool posted:ah, the mossad vs not mossad threat model Being made up as a joke doesn't make it less real
# ? Sep 23, 2022 18:29

SlowBloke posted:Yelling Schrems at the top of your lungs doesn't make your European hosted data safe from yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense. Honestly they don't even have to do that. The western intelligence orgs are all allied and share information, so the CIA calls the RCMP, who calls MS Canada, instead of the CIA calling them directly.
# ? Sep 23, 2022 18:30

SlowBloke posted:Yelling Schrems at the top of your lungs doesn't make your European hosted data safe from yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense. This is a whole other point, namely that any information in Europe that the US government wants, they will get, either through cooperation, espionage or whatever shady poo poo they need. But that is beside the point of GDPR compliance, since the majority of that activity is illegal in the first place and thus kept under wraps (until someone leaks that Merkel's phone was tapped or whatever). I'm also betting that we will see high profile cases about American cloud providers within 5 years. But because of various politics, and because it's just some guys going up against basically all of tech, it's gonna take time. The data protection agencies are laughably underfunded to take on this kind of case, or even just do regular smaller scale stuff. If we're talking real risk then yeah, Azure AD is probably largely safe from a privacy perspective. But that's not really the issue, it's the principle of the thing. Also lmao at any European government having actually safe data storage facilities in any meaningful capacity. Maybe for some intelligence stuff, but I'm betting on a lot of paper and few computers being involved.
# ? Sep 23, 2022 18:39

On a completely unrelated topic because this is not the most fun circular discussion and this new topic I find very fun: https://blog.cloudflare.com/randomness-101-lavarand-in-production/ I had no idea this was a thing! This is so loving neat. Lava lamps!
# ? Sep 23, 2022 18:39

cloudflare is bad and lavarand was originally developed by SGI in 1997
# ? Sep 23, 2022 18:41

also, if you actually have a need for a random number service, https://www.random.org/ does it with atmospheric noise.
# ? Sep 23, 2022 18:43

SlowBloke posted:If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until password and mfa to fetch what they want are provided. Why do people keep saying stuff like this? Has there ever been an example of this actually happening? The US government blackbagging and kneecapping some admin? Come on.
# ? Sep 23, 2022 18:44

The Fool posted:their point is that scenario is less relevant than you think it is Just to be clear, it's completely improbable, and not a real risk. But GDPR compliance (in some interpretations) requires data not to be accessible from countries with this kind of law, known as "unsafe third countries". Ironically, Ukraine was a "safe" country until this year, which is funny both because it was invaded and had been partially occupied for 8 years, and because while the laws were good, they probably weren't followed too rigidly, especially when factoring in corruption. But that's how the legality works: as long as the legal framework is right, actual practice is less relevant.
# ? Sep 23, 2022 18:45

The Fool posted:also, if you actually have a need for a random number service, https://www.random.org/ does it with atmospheric noise. I WANT TO USE LAVA LAMPS
# ? Sep 23, 2022 18:46

spankmeister posted:Why do people keep saying stuff like this? Has there ever been an example of this actually happening? The US government blackbagging and kneecapping some admin? Come on. While I haven't heard of a specific example of a sysadmin, given this it's a pretty reasonable jump
# ? Sep 23, 2022 18:46

BonHair posted:Also lmao at any European government having actually safe data storage facilities in any meaningful capacity. Maybe for some intelligence stuff, but I'm betting on a lot of paper and few computers being involved. I have no idea about the current four (or so) sites in Italy since I'm not that high in the food chain, but the next one will be called PSN, with a cost of 3 billion euros and an expected operational time of 10-13 years. The bid went final a few weeks ago. I'm expecting France to have a similar initiative (likely based on Gaia-X) in the near future.
# ? Sep 23, 2022 18:50

CLAM DOWN posted:That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe. If you're referring to FIPPA or PIPEDA, it should also be noted that both regulations originally covered data in transit and data at rest for data residency; however, they had to be amended to cover only data at rest, since no service provider or ISP could guarantee data in transit not being routed through the US (it would cost the big 3 some amount of money to expand and make their network more resilient, so they outright refused). So yes, while Canadian data does reside inside Canadian data centres (one in Toronto, and one in Quebec City), it is almost guaranteed to be routed through the US to get to you. And let's not pretend that the US gov't isn't willing to do shady things to collect data. It's not a great solution, but blame our lovely telecommunications cartel.
MustardFacial fucked around with this message at 19:06 on Sep 23, 2022

# ? Sep 23, 2022 19:03

SlowBloke posted:I have no idea about the current four(or so sites) in italy since i'm not that high in the food chain but the next one will be called PSN, with a cost of 3 billion euros with an expected operational time of 10-13 years. Bid went final a few weeks ago. I'm expecting France to have similar initiative(likely based on gaia-x) in the near future. Yeah, but if you're being honest, do you trust it to be actually safe, knowing large organisations, government projects, IT in general and Mossad/FSB/NSA? It's probably good enough for 99% of cases though.
# ? Sep 23, 2022 19:03

The Fool posted:While I haven't heard of a specific example of a sysadmin. given this its a pretty reasonable jump No, it's not.
# ? Sep 23, 2022 19:06

MustardFacial posted:If you're referring to FIPPA or PIPEDA, it should also be noted that both regulations originally covered data in transit and data at rest for data residency, however had to be amended to cover only data at rest since no service provider or ISP could guarantee data in transit not being routed through the US (It would cost the big 3 some amount of money to expand and make their network more resilient so they outright refused). FIPPA was amended but our public sector organizational policy did not accept that amendment, which as you can guess severely limits our options for a lot of products/vendors. Azure/MS has worked with us on that and is still compliant with FIPPA prior to the amendment.
# ? Sep 23, 2022 19:08

CLAM DOWN posted:which as you can guess severely limits our options for a lot of products/vendors. I have to yell at people every day to stop using Trello and Slack because they're not compliant, so I feel your pain.
# ? Sep 23, 2022 19:17

MustardFacial posted:I have to yell at people everyday to stop using trello and slack because they're not compliant so I feel your pain. We recently discovered a team using WhatsApp and I was just like, wtf
# ? Sep 23, 2022 19:19

BonHair posted:Yeah, but if you're being honest, do you trust it to be actually safe, knowing large organisations, government projects, IT in general and Mossad/FSB/NSA? Every data movement to the US is likely going to be done at the behest of the Italian government. The three core suppliers are the following: Sogei is a government controlled entity (which provides most of the core tax digital services), TIM is a telco with heavy government control shares, and Leonardo is the Italian MIC. Any of those three doing stuff on their own is pretty impossible without immense fallout, and the Italian intelligence services have historically been more than willing to compromise for favors. Edit: if we want to talk digital service pain for government ops, how about making purchasing servers and data center equipment illegal? The precursor to PSN was to find a handful of best-of-class datacenters on the peninsula and move everything there, so no expenses allowed unless you were in top class. As of today, we are still waiting for the list of those datacenters to offload stuff to. We have offloaded everything Microsoft to cloud; thankfully 365 provides a shitload of storage, so we have managed to survive only with maintenance fees for hardware and onsite software.
SlowBloke fucked around with this message at 19:24 on Sep 23, 2022

# ? Sep 23, 2022 19:19

I'm not trying to be dramatic or anything, it's just pretty settled that anything you put in Azure or AWS can be read by the USG without your cloud provider telling you.
# ? Sep 23, 2022 19:31

CLAM DOWN posted:There's literally no other way I can type this. not with that attitude. i don't even see any fun fonts or colors or anything. slacker
# ? Sep 23, 2022 19:37

CLAM DOWN posted:We recently discovered a team using WhatsApp and I was just like, wtf Someone told me yesterday that Slack shouldn't be on the ban list because they're a Canadian company.
# ? Sep 23, 2022 21:08

MustardFacial posted:Someone told me yesterday that Slack shouldn't be on the ban list because they're a Canadian company. But their owner isn't.
# ? Sep 23, 2022 21:52

The effort and cost involved to make slack HIPAA compliant is an incredible journey.
# ? Sep 23, 2022 21:55

https://twitter.com/MatthewKeysLive/status/1573298480520404992 Well that didn't take long.
# ? Sep 24, 2022 00:26

Cup Runneth Over posted:I hope his jail time is minimal when he's inevitably caught and he gets a nice cybersecurity gig on the outside.
# ? Sep 24, 2022 18:46

quote:Police zeroed in on A.K. as a suspect after finding similarities between the Rockstar and Uber attacks and several other cyber intrusions that occurred between last year and early this year, including the compromise of data from tech companies Microsoft, Okta and Nvidia. A.K. was charged earlier this year with both attacks and had been living in his mother’s house while the case was pending in court, according to information obtained by The Desk.
# ? Sep 25, 2022 00:52

Why not? Plenty of teenage hackers living in their mothers' houses growing up into respectable cybersec experts.
# ? Sep 25, 2022 02:06

Heck, plenty of respectable cybersec experts living in their mothers' houses these days, economy and all that
# ? Sep 25, 2022 02:06

I mean Sabu and Topiary from LulzSec both have director level positions doing pentest consultancy now with side speaking engagements. This kid will probably be just fine.
# ? Sep 25, 2022 02:23

I don't know if this is the right place to ask, but I was curious since I never worked in the consumer space. Do places do active audits on their credit/debit infrastructure? Because I'm paranoid if I have to end up chipping on places like drug stores, gas stations, or whatever I examine the end point for credit skimmers by seeing if someone did the low hanging install over the end point one. I haven't found one yet, but I've been nailed by one at a pump before that had to have been installed inside the machine itself. I'm gonna say "generally not", because lol security, but was curious.
# ? Sep 25, 2022 16:07