* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

American SaaS Companies - Trust Issue?

With the now open-knowledge that anything going through American servers is literally split via fiber-optic prism and shared with government officials, is this a trust issue for European companies?

Things such as the UK's Data Protection Act make it an offense to be sloppy with confidential data. Yes, the UK government seems to have its hands just as dirty but for Europe in general, has there been any backlash?

Do you anticipate any in the near future?



AC
Reluctantlyregistered
Sunday, July 07, 2013
 
 
It is probably a wake-up call for many naive people. Truly smart (or paranoid) ones were understanding the risk of hosting on foreign sites long ago.

[15 years ago I was doing a project for a large national company. Technology-wise the right way was to host it in the US. They, though, decided to set up their own servers, citing concerns that the data could be obtained either by US competitors or the US government. At that time I was puzzled and saw it as an exaggeration. Now I know better.]

IT folks close to government in Russia suggest moving in the direction of something they call "digital sovereignty", where (ideally) no information about citizens is stored on or passed through foreign servers. That means, in my opinion, among other things, banning Facebook and Google, somewhat like China does.

And China's Great Firewall in hindsight turns out to be a much deeper move than just a ban on a handful of dissidents.

Just like the land borders once were established firmly, the same may come over the internet borders.

I can only hope that the Internet remains not fragmented.
Vladimir Dyuzhev
Sunday, July 07, 2013
 
 
Good point. I was thinking more of companies shying away, rather than governments putting up barriers or "internalnets".

It certainly hasn't done the SaaS world any favors.

(I believe the American expression is "Thanks Obama!", though of course he's continuing a process already in place)



AC
Reluctantlyregistered
Sunday, July 07, 2013
 
 
We migrated from using Github and Dropbox to an in-office solution.

Now if running an email server wasn't such a pain in the ass ...
Jeremy Morassi
Sunday, July 07, 2013
 
 
I agree with Vladimir, "It is probably a wake-up call for many naive people."  If you read any thriller novels or watched any action movies in the last twenty years, you already assume that governments can parse all of your communications.  Of course, in real life government is nowhere near as good at picking out good intelligence from the Niagara Falls of data as it is in unreal life, but none of this should be a surprise.

"I was thinking more of companies shying away"
Just like the NSA and Pentagon, you can't conduct business without sharing vital information with customers, vendors and subcontractors.  Security is a foreign concept to anyone under the age of 35.  Between sloppiness (loud conversations in public places, paperwork left in the open, promiscuous email replies, wide-open access to servers, etc.) and an utter lack of discretion (deliberately spreading around confidential information to impress the world with how smart you are), the only secret in the business world is how to make money by selling free software (if absolutely no one knows the answer, it has to be a secret, right?)

China is the most obvious example of governments supporting their economies with corporate espionage, but China is hardly alone.  Anywhere the state supports business, trade secrets required to gain entry for your products into that country are made available to local industry.  France and Germany are world-class in this regard.

Then there is the issue of global corporations who make money from your data.  The hook is that if you want non-public information for your market research, you have to provide your own non-public information in exchange.  Privacy policy means absolving third parties of liability for selling other people's secrets.

My employer has global headquarters in the U.S. and offices or agents in more than 100 foreign jurisdictions.  Sheer incompetence eliminates American agencies as direct threats, but that same incompetence makes the U.S. fertile ground for anyone else  to conduct corporate espionage.  It's not paranoia if everyone is truly against you.

The primary solution for defending your secrets is a strong offense; sending lawyers around the world to demand payment from anyone who could possibly be framed/proven in a court of law to have used your secrets for their gain.  The Achilles heel of this strategy is that the ROI of legal action drops sharply once you are beyond American territorial waters.  Happy fishing!
Howard Ness
Sunday, July 07, 2013
 
 
I think the average MicroISV has many types of sensitive information: contacts of its own customers, passwords for different accounts (hosting, domain names, corporate facebook/linkedin), contacts of partners, todo lists, customers' data, etc.

So I believe it could be wise to make this sensitive information hidden from all kinds of PRISMs.

Maybe we really should stop using some US based SAAS?

For example:
- don't use "Google Apps for domain"/emails  for business purpose
-  don't upload unencrypted sensitive information to Dropbox or Amazon S3
- do not upload ideas, development plans, financial data to Office 365/Google Docs...

Probably instead of these SAAS  MicroISVs should find a better place for web/email/doc hosting.  Maybe in a smaller country that is not a "surveillance state" and probably on other continent.
MatrixFailure
Monday, July 08, 2013
 
 
Matrix, I'm all for dropping Google*, Dropbox, Office365, etc., but don't bother switching your hosting to an anonymous-friendly state.  If it's on the Internet, your data is going through hubs in locations with well-developed surveillance infrastructure, regardless of the source or the destination.

You are far more likely to suffer business losses from accidental disruption by losing critical information than you are from having someone steal that information.  The risk of criminal elements stealing your financial information is far greater than the risk of government agencies intercepting your data.

There are much easier ways to steal your financial information than intercepting data packets.  Same applies to information about your business operations, except stealing that information is worthless to anyone but you.  The best strategy is go offline as much as possible, and when you have to be online, use services with reliable, high bandwidth access to the Internet backbone.  And go through your offline business practices with a fine-tooth comb to find all the vulnerable spots in your own backyard.  Your weakest link is your own computer.
Howard Ness
Monday, July 08, 2013
 
 
> If it's on the Internet, your data is going through hubs in locations with well-developed surveillance infrastructure, regardless of the source or the destination.

If it's SSL encrypted you should be fine. As I understand it the problem with PRISM is it's in the endpoint servers so SSL is useless. A cryptographically secure connection still can't be broken so data en-route to a legally and technically secure location should be fine.
Jonathan Matthews
Monday, July 08, 2013
 
 
"If it's SSL encrypted you should be fine"
Man in the middle proxies aren't very effective with random sources and destinations, but if you know which servers the pertinent endpoints are connected to, you have access to DNS servers and routers with low ping times, and you are patient, you can trap whatever information you need without having to crack the encryption. 

But seriously, why would any espionage agency be interested in an online company instead of individuals?  If you don't have access to the Internet's infrastructure, you can always use phishing techniques and "creative" research to get enough information to inflict a financial penalty on your target.

Perpetual paranoia is the way to go, man!
Howard Ness
Monday, July 08, 2013
 
 
+1 Howard Ness

On a practical and rational basis, you (and by "you" I assume "a small software business", as this is "business of software" forum) can ignore NSA spying. It doesn't affect you, it doesn't affect your customers.

If AWS or dropbox get owned, you'll be last to be affected by the virtue of mattering the least.

A much bigger risk with much bigger negative consequences is that you make a typo that allows a hacker to own your website, steal e-mail addresses and passwords (that you didn't bother to scrypt) of your users. Those are the things you should be worried about, not NSA.
Krzysztof Kowalczyk
Monday, July 08, 2013
 
 
I agree that technically an mISV shouldn't be worrying about this. It wouldn't surprise me though if some of us (who do SaaS) start having issues with our customers worrying about it.

In the past I've had conversations where having UK based servers has been a + for customers, for legal reasons they can't let their data rest outside the EU. Now replace the legal reasons with paranoia about PRISM and I bet the number of people in that category will increase.

Right now I bet a lot of big company IT departments are preparing for pressure from their high profile customers to prove their data doesn't enter the US.

Rational for all but the most sensitive business data? No, not IMO, but people do think like this - they want to stay away from the most fashionable business risks because it makes them look thorough.
Jonathan Matthews
Tuesday, July 09, 2013
 
 
"But seriously, why would any espionage agency be interested in an online company instead of individuals?"

An agency may not be that interested in your online company, but some individuals who work there and who can:
- read all your emails
- get your passwords
- see your income / profit
- get your list of customers
- finally download your source code from your SVN/GitHub/online backups
- and finally steal your domain name

Theoretically they can have a temptation to borrow your small online business.

By the way, right now Greece is going to lay off 75% of 3500 municipal police officers. http://bit.ly/1aUMVPs

Who knows maybe one day something similar can happen in US.

Finally, what counts is capability, not intentions.
MatrixFailure
Tuesday, July 09, 2013
 
 
As Jonathan points out, it's not so much that you running a company need be paranoid - presuming you're complying with the 12 pages of dense small-print of new federal laws every year - but your clients.

Also, the "If you've done nothing wrong you have nothing to fear" viewpoint isn't one I share.




AC
Reluctantlyregistered
Tuesday, July 09, 2013
 
 
Good heavens, do I have to spell it out?  If you are concerned about your clients getting the wrong idea about your business, avoid having your business disrupted.  DOS, DNS hijacking, blacklisting, problems with credit card transactions, that kind of stuff.    The best service at the best price with those requirements is going to be found in 1. U.S.A., 2. Canada, 3. Great Britain.  If your clients are actually considering dropping you because you use U.S. based servers, they are idiots, and you are better off without them.
Howard Ness
Tuesday, July 09, 2013
 
 
> they are idiots, and you are better off without them.

Or their clients are idiots, recursively down the risk audit chain.

I do agree it's too paranoid btw, and I'm not worried about it now as someone who runs US servers, but I can see some providers may get issues from it.

Some companies are run by lawyers and so are just waaay too risk averse. As example: the customers I turn away because they want me to indemnify them against damages when using my product.
Jonathan Matthews
Tuesday, July 09, 2013
 
 
Well here there is a lot of talk about standardizing contracts and beefing up security for SaaS/cloud computing:

http://cloudtimes.org/2013/07/01/european-commission-urges-increased-security-for-cloud-computing/

And here they mention the NSA thing directly:

"European Commission Vice President Neelie Kroes said that if businesses or governments think they might be spied on, they will have less reason to trust cloud, and it will be cloud providers who ultimately miss out.

"Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?" Kroes said."

http://www.cbronline.com/news/tech/networks/telecoms/european-firms-may-abandon-us-isps-over-nsa-spying-scandal-050713



AC
Reluctantlyregistered
Tuesday, July 09, 2013
 
 
Howard Ness: "The best service at the best price with those requirements is going to be found in 1. U.S.A., 2. Canada, 3. Great Britain.  If your clients are actually considering dropping you because you use U.S. based servers, they are idiots, and you are better off without them."

It has been a political issue in British Columbia where -- I think it was medical -- data was going to be stored on U.S. servers.  Given that the U.S. government thinks that it should be able to dig into the data, there was protest.

Those with servers in Canada and Great Britain will appreciate the business.

Sincerely,

Gene Wirchenko
Gene Wirchenko
Tuesday, July 09, 2013
 
 
> If it's SSL encrypted you should be fine.

Governments (not just US gov) can force CAs to issue fake domain certs. Occasionally it may be noticed, like it happened here:

http://googleonlinesecurity.blogspot.ru/2013/01/enhancing-digital-certificate-security.html

TL;DR; a CA issued a fake *.google.com certificate to undisclosed organizations. Such certs allow for transparent man-in-the-middle HTTPS traffic decrypting and recording. CA now of course claims it was an accident.

Also, while PFS is not widely deployed, the recorded HTTPS sessions may be decrypted later when a private key gets stolen.

So, in short, SSL is good, but not a guarantee.
Vladimir Dyuzhev
Tuesday, July 09, 2013
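
Added example, not part of the thread: the post above notes that recorded HTTPS sessions can be decrypted later if the server key is stolen and PFS is not in use. The sketch below audits a list of cipher-suite names for forward secrecy and builds a server-side context limited to ECDHE suites; the function names and the SAMPLE list are constructed here for illustration.

```python
import ssl

# OpenSSL-style and IANA-style prefixes that denote an ephemeral
# (EC)DH key exchange, i.e. a per-session key that is not recoverable
# from the server's long-term private key.
EPHEMERAL_OPENSSL = ("ECDHE-", "DHE-", "EDH-")
EPHEMERAL_IANA = ("TLS_ECDHE_", "TLS_DHE_")

def has_forward_secrecy(suite: str) -> bool:
    """Return True if the named cipher suite uses an ephemeral key exchange."""
    name = suite.upper()
    if name.startswith("TLS_"):
        # TLS 1.3 suites (no "_WITH_") always use ephemeral key exchange.
        if "_WITH_" not in name:
            return True
        return name.startswith(EPHEMERAL_IANA)
    # OpenSSL naming: static RSA suites have no key-exchange prefix at all,
    # and "ECDH-"/"DH-" (no trailing E) are static, not ephemeral.
    return name.startswith(EPHEMERAL_OPENSSL)

def audit(suites):
    """Return the suites that would let a stolen server key decrypt old traffic."""
    return [s for s in suites if not has_forward_secrecy(s)]

def forward_secret_context() -> ssl.SSLContext:
    """Server-side context restricted to ECDHE + AES-GCM (plus TLS 1.3 suites)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx

# Constructed sample of suite names, as might be copied from a server config.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",               # static RSA key exchange
    "DHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",    # static RSA, IANA name
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3
    "ECDH-RSA-AES128-SHA",             # static ECDH
]

if __name__ == "__main__":
    print("no forward secrecy:", audit(SAMPLE))
    enabled = [c["name"] for c in forward_secret_context().get_ciphers()]
    print("enabled in restricted context:", enabled)
```
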
 
 
"It has been a political issue in British Columbia "
Politics is the enemy of common sense, logic and intelligence pretty much anywhere, but on the Wet Coast, it's like anti-matter.  Just one of several reasons why conducting business in BC is more expensive.
Howard Ness
Wednesday, July 10, 2013
 
 
"medical -- data was going to be stored on U.S. servers"
At least it would be harder to walk home with unencrypted hard-drives or flash drives, and there would be a lower likelihood of full filing cabinets being tossed in dumpsters.  Although I have to admit that the province of Ontario is world-class clueless when it comes to physical security of private data, so perhaps this doesn't happen in BC.
Howard Ness
Thursday, July 11, 2013
 
 
Not really op topic but somewhat related

http://www.foxnews.com/world/2013/07/11/kremlin-turns-back-to-typewriters-to-avoid-leaks/

It goes to show how irrational this perception thing can get...
codingreal
Thursday, July 11, 2013
 
 
> It goes to show how irrational this perception thing can get...

It is not irrational.

In security one cannot rely on a 99% good solution. A determined adversary will exploit that last 1%.

It is also said that security and convenience are zero-balanced. Stakes are high enough for top-secret documents to get rid of convenience and get the security.

I guess the NSA scandal only allowed security folks to gain an upper hand in argument with generals who liked more convenience.

...
P.S. There are Russia-designed (and produced) CPUs. They are not as powerful as Intel, but more than sufficient for documents editing. Alas, the infrastructure (mail systems, print spoolers, ...) have to be built on standard base (Linux) and thus may contain vulnerabilities known to adversaries.

Call them paranoids, but they do not leave much to chances.
Vladimir Dyuzhev
Thursday, July 11, 2013
 
 
A followup to why computers may be banned from the Russian top-secret circles:

http://cryptome.org/2013/07/intel-bed-nsa.htm

TL;DR; Intel's on-chip PRNG may be in fact not so random, and allow to read the encrypted traffic using pre-generated tables.

Couldn't use Chinese chips for the same reason.
Vladimir Dyuzhev
Sunday, July 14, 2013
 
 

This topic is archived. No further replies will be accepted.
