SlowBloke
Aug 14, 2017


Ynglaur posted:

This has come up a few times in this thread. So I have to ask: has any European government ever prosecuted a company for a GDPR infraction because data was stored on Azure?

I mean, the Patriot Act basically says "gently caress your sovereignty, world", so a strict interpretation of GDPR basically amounts to, "You can't tell an American anything, ever." Which I suppose might be technically correct, but is it practically a prohibition?

The Italian government and all of its departments have zero issues using Workspace and 365 as long as the data is contained in EU zones (which is an issue if you are an edu tenant, as Microsoft in its infinite wisdom will set up Yammer in the US by default). Hisec data will be managed in a dedicated set of datacenters provided by Leonardo, TIM and Sogei. No government entity gives any fucks about Gaia-X beyond FSF nerds.

Rust Martialis
May 8, 2007

Sarcastic Bastard

Pillbug

CLAM DOWN posted:

No. That's the whole point of what I'm saying.

Who's the CSP?

CLAM DOWN
Feb 13, 2007


RICK:tutbutt:ARUS

It's Moot baby!
:peanut::peanut::peanut::peanut::peanut:

Rust Martialis posted:

Who's the CSP?

What do you mean? CSP normally is "cloud service provider" in my field. Do you mean the building owner? Telco? Operator?

SlowBloke
Aug 14, 2017


Rust Martialis posted:

Who's the CSP?

3288212 Nova Scotia Limited and Microsoft Canada Development Centre Co.

For 365 EU sites refer to France and Germany CSP.

edit: @ClamDown https://servicetrust.microsoft.com/DocumentPage/ede6342e-d641-4a9b-9162-7d66025003b0

SlowBloke fucked around with this message at 16:42 on Sep 23, 2022

BonHair
Apr 28, 2007

easily buttfrustrated


CLAM DOWN posted:

That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe.

Yeah, the legal owner is Microsoft Canada, but who's the legal owner of Microsoft Canada? I highly doubt it's a completely independent company, especially if you go into stock ownership, which I'm pretty sure USA laws allow. As long as someone in the USA (corporations are people too) is technically able to make demands through their ownership of chains of companies, my understanding is that the Patriot Act allows the USA to force them to make the data available to the US government.

The whole thing is basically untested except by Schrems I and II, which both made it more clear that basically any involvement from the USA is in conflict with GDPR. But the whole thing is still largely untested, and because American cloud is so dominant, everyone is betting on a compromise making it legal. It just isn't happening without either changes to American or European law.

CLAM DOWN
Feb 13, 2007


BonHair posted:

Yeah, the legal owner is Microsoft Canada, but who's the legal owner of Microsoft Canada? I highly doubt it's a completely independent company, especially if you go into stock ownership, which I'm pretty sure USA laws allow. As long as someone in the USA (corporations are people too) is technically able to make demands through their ownership of chains of companies, my understanding is that the Patriot Act allows the USA to force them to make the data available to the US government.

The whole thing is basically untested except by Schrems I and II, which both made it more clear that basically any involvement from the USA is in conflict with GDPR. But the whole thing is still largely untested, and because American cloud is so dominant, everyone is betting on a compromise making it legal. It just isn't happening without either changes to American or European law.

Microsoft Canada is a wholly owned subsidiary of Microsoft. I don't know how many other ways I can say this, we are not bound by the Patriot Act here. I've worked at a number of places where this has been tested. There's literally no other way I can type this.

SlowBloke
Aug 14, 2017


Yelling Schrems at the top of your lungs doesn't make your European-hosted data safe from Yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high-risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.

BonHair
Apr 28, 2007

So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt the USA, please provide us with any and all users in Company X and their IP addresses", that you would believe that no part of American law could be violated by Microsoft HQ saying "no"? My understanding is that this point is at best unclear.

The Fool
Oct 16, 2003



SlowBloke posted:

If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided.

ah, the mossad vs not mossad threat model

The Fool
Oct 16, 2003



BonHair posted:

So you're telling me that if the NSA told Microsoft HQ "hey, we think maybe there are terrorists doing stuff in Canada to hurt the USA, please provide us with any and all users in Company X and their IP addresses", that you would believe that no part of American law could be violated by Microsoft HQ saying "no"? My understanding is that this point is at best unclear.

their point is that scenario is less relevant than you think it is

SlowBloke
Aug 14, 2017


The Fool posted:

ah, the mossad vs not mossad threat model

Being made up as a joke doesn't make it less real :)

Nukelear v.2
Jun 25, 2004
My optional title text

SlowBloke posted:

Yelling Schrems at the top of your lungs doesn't make your European-hosted data safe from Yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high-risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.

Honestly they don't even have to do that. The western intelligence orgs are all allied and share information, so the CIA calls the RCMP who calls MS Canada instead of the CIA calling them directly.

BonHair
Apr 28, 2007

SlowBloke posted:

Yelling Schrems at the top of your lungs doesn't make your European-hosted data safe from Yanks. If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided. Going all "putting data in Azure makes it possible to be exfiltrated by a random passerby" as if Hetzner or OVH are bastions of security is false hope. If you have hardcore high-risk data, your government has safe facilities for that; average shitposting doesn't require those, and using the same baselines for standard LoB is nonsense. There has been no government entity in Europe fined for using Microsoft 365, so your point doesn't make much sense.

This is a whole other point, namely that any information in Europe that the US government wants, they will get, either through cooperation, espionage or whatever shady poo poo they need. But that is beside the point of GDPR compliance, since the majority of that activity is illegal in the first place and thus kept under wraps (until someone leaks that Merkel's phone was tapped or whatever).

I'm also betting that we will see high profile cases about American cloud providers within 5 years. But because of various politics, and because it's just some guys going up against basically all of tech, it's gonna take time. The data protection agencies are laughably underfunded to take on this kind of case, or even just do regular smaller scale stuff.

If we're talking real risk then yeah, Azure AD is probably largely safe from a privacy perspective. But that's not really the issue, it's the principle of the thing.

Also lmao at any European government having actually safe data storage facilities in any meaningful capacity. Maybe for some intelligence stuff, but I'm betting on a lot of paper and few computers being involved.

CLAM DOWN
Feb 13, 2007


On a completely unrelated topic because this is not the most fun circular discussion and this new topic I find very fun:

https://blog.cloudflare.com/randomness-101-lavarand-in-production/

I had no idea this was a thing! This is so loving neat. Lava lamps!

The Fool
Oct 16, 2003



cloudflare is bad and lavarand was originally developed by sgi in 1997

The Fool
Oct 16, 2003



also, if you actually have a need for a random number service, https://www.random.org/ does it with atmospheric noise.

spankmeister
Jun 15, 2008

SlowBloke posted:

If they want your data, they will happily blackbag you or whichever admin is easier to grab and turn kneecaps into fine powder until the password and MFA to fetch what they want are provided.

Why do people keep saying stuff like this? Has there ever been an example of this actually happening? The US government blackbagging and kneecapping some admin? Come on.

BonHair
Apr 28, 2007

The Fool posted:

their point is that scenario is less relevant than you think it is

Just to be clear, it's completely improbable, and not a real risk. But GDPR compliance (in some interpretations) requires data not to be accessible from countries with this kind of law, known as "unsafe third countries".

Ironically, Ukraine was a "safe" country until this year, which is funny both because it was invaded and had been partially occupied for 8 years, and because while the laws were good, they probably weren't followed too rigidly, especially when factoring in corruption. But that's how the legality works: as long as the legal framework is right, actual practice is less relevant.

CLAM DOWN
Feb 13, 2007


The Fool posted:

also, if you actually have a need for a random number service, https://www.random.org/ does it with atmospheric noise.

I WANT TO USE LAVA LAMPS

The Fool
Oct 16, 2003




spankmeister posted:

Why do people keep saying stuff like this? Has there ever been an example of this actually happening? The US government blackbagging and kneecapping some admin? Come on.

While I haven't heard of a specific example of a sysadmin, given this it's a pretty reasonable jump.

SlowBloke
Aug 14, 2017


BonHair posted:

Also lmao at any European government having actually safe data storage facilities in any meaningful capacity. Maybe for some intelligence stuff, but I'm betting on a lot of paper and few computers being involved.

I have no idea about the current four (or so) sites in Italy since I'm not that high in the food chain, but the next one will be called PSN, with a cost of 3 billion euros and an expected operational time of 10-13 years. The bid went final a few weeks ago. I'm expecting France to have a similar initiative (likely based on Gaia-X) in the near future.

MustardFacial
Jun 19, 2011

Fucker in charge of you fucking fucks

CLAM DOWN posted:

That's not true. We've dealt with similar issues for our provincial privacy requirements in BC. The legal owner of Azure here is Microsoft Canada, not Microsoft USA. We do not fall under the Patriot Act for exactly that reason. It's safe to assume there's a similar setup in Europe.

If you're referring to FIPPA or PIPEDA, it should also be noted that both regulations originally covered data in transit and data at rest for data residency, however had to be amended to cover only data at rest since no service provider or ISP could guarantee data in transit not being routed through the US (It would cost the big 3 some amount of money to expand and make their network more resilient so they outright refused).

So yes, while Canadian data does reside inside Canadian data centres (one in Toronto, and one in Quebec City), it is almost guaranteed to be routed through the US to get to you. And let's not pretend that the US gov't isn't willing to do shady things to collect data.

It's not a great solution, but blame our lovely telecommunications cartel.

MustardFacial fucked around with this message at 18:06 on Sep 23, 2022

BonHair
Apr 28, 2007

SlowBloke posted:

I have no idea about the current four (or so) sites in Italy since I'm not that high in the food chain, but the next one will be called PSN, with a cost of 3 billion euros and an expected operational time of 10-13 years. The bid went final a few weeks ago. I'm expecting France to have a similar initiative (likely based on Gaia-X) in the near future.

Yeah, but if you're being honest, do you trust it to be actually safe, knowing large organisations, government projects, IT in general and Mossad/FSB/NSA?

It's probably good enough for 99% of cases though.

spankmeister
Jun 15, 2008

The Fool posted:

While I haven't heard of a specific example of a sysadmin, given this it's a pretty reasonable jump.

No, it's not.

CLAM DOWN
Feb 13, 2007


MustardFacial posted:

If you're referring to FIPPA or PIPEDA, it should also be noted that both regulations originally covered data in transit and data at rest for data residency, however had to be amended to cover only data at rest since no service provider or ISP could guarantee data in transit not being routed through the US (It would cost the big 3 some amount of money to expand and make their network more resilient so they outright refused).

So yes, while Canadian data does reside inside Canadian data centres (one in Toronto, and one in Quebec City), it is almost guaranteed to be routed through the US to get to you. And let's not pretend that the US gov't isn't willing to do shady things to collect data.

It's not a great solution, but blame our lovely telecommunications cartel.

FIPPA was amended but our public sector organizational policy did not accept that amendment, which as you can guess severely limits our options for a lot of products/vendors. Azure/MS has worked with us on that and is still compliant with FIPPA prior to the amendment.

MustardFacial
Jun 19, 2011

CLAM DOWN posted:

which as you can guess severely limits our options for a lot of products/vendors.

I have to yell at people everyday to stop using trello and slack because they're not compliant so I feel your pain.

CLAM DOWN
Feb 13, 2007


MustardFacial posted:

I have to yell at people everyday to stop using trello and slack because they're not compliant so I feel your pain.

We recently discovered a team using WhatsApp and I was just like, wtf

SlowBloke
Aug 14, 2017


BonHair posted:

Yeah, but if you're being honest, do you trust it to be actually safe, knowing large organisations, government projects, IT in general and Mossad/FSB/NSA?

It's probably good enough for 99% of cases though.

Every data movement to the US is likely going to be done at the behest of the Italian government. The three core suppliers are the following: Sogei is a government-controlled entity (which provides most of the core tax digital services), TIM is a telco with heavy government-controlled shares, and Leonardo is the Italian MIC. Any of those three doing stuff on their own is pretty much impossible without immense fallout, and the Italian intelligence services have historically been more than willing to compromise for favors.

Edit: if we want to talk digital service pain for government ops, how about making purchasing servers and data center equipment illegal? The precursor to PSN was to find a handful of best-of-class datacenters on the peninsula and move everything there, so no expenses allowed unless you were in top class. As of today, we are still waiting for the list of those datacenters to offload stuff to. We have offloaded everything Microsoft to cloud; thankfully 365 provides a shitload of storage, so we have managed to survive only with maintenance fees for hardware and onsite software.

SlowBloke fucked around with this message at 18:24 on Sep 23, 2022

Rust Martialis
May 8, 2007


I'm not trying to be dramatic or anything, it's just pretty settled that anything you put in Azure or AWS can be read by the USG without your cloud provider telling you.

Achmed Jones
Oct 16, 2004

CLAM DOWN posted:

There's literally no other way I can type this.

not with that attitude. i dont even see any fun fonts or colors or anything. slacker

MustardFacial
Jun 19, 2011


CLAM DOWN posted:

We recently discovered a team using WhatsApp and I was just like, wtf

Someone told me yesterday that Slack shouldn't be on the ban list because they're a Canadian company.

Ynglaur
Oct 9, 2013

MustardFacial posted:

Someone told me yesterday that Slack shouldn't be on the ban list because they're a Canadian company.

But their owner isn't. :smuggo:

Sickening
Jul 15, 2007

Black summer was the best summer.

The effort and cost involved to make slack HIPAA compliant is an incredible journey.

Honey Im Homme
Sep 3, 2009



https://twitter.com/MatthewKeysLive/status/1573298480520404992

Well that didn't take long.

Cup Runneth Over
Aug 8, 2009

Life's too short to worry
Life's too long to wait
Life's too short not
To love everybody
Life is too long to hate


Cup Runneth Over posted:

I hope his jail time is minimal when he's inevitably caught and he gets a nice cybersecurity gig on the outside.

Malloc Voidstar
May 7, 2007

Fuck the cowboys. Unf. Fuck em hard.

quote:

Police zeroed in on A.K. as a suspect after finding similarities between the Rockstar and Uber attacks and several other cyber intrusions that occurred between last year and early this year, including the compromise of data from tech companies Microsoft, Okta and Nvidia. A.K. was charged earlier this year with both attacks and had been living in his mother's house while the case was pending in court, according to information obtained by The Desk.

I suspect he will not be getting a job

Cup Runneth Over
Aug 8, 2009

Why not? Plenty of teenage hackers living in their mothers' houses growing up into respectable cybersec experts.

Cup Runneth Over
Aug 8, 2009

Heck, plenty of respectable cybersec experts living in their mothers' houses these days, economy and all that

Diva Cupcake
Aug 15, 2005

I mean Sabu and Topiary from LulzSec both have director level positions doing pentest consultancy now with side speaking engagements. This kid will probably be just fine.
