MINISTRY OF TOKYO
Showing posts with label Zero-Day. Show all posts

July 31, 2015

Google Compute Engine - Cloud Computing & Customer Held Encryption Keys / Red Herrings



Google has just done something that’s going to annoy the US and UK governments
Business Insider

    Alastair Stevenson, Business Insider

    Jul. 29, 2015, 11:15 AM


UK Prime Minister David Cameron is not going to like this.

Google has rolled out a security service for its business customers that could put a serious downer on the UK government’s plans to increase law enforcement’s surveillance powers.

The service was revealed by Google product manager Leonard Law in a blog post and is currently in beta form.

It will let businesses running the company's Google Compute Engine create their own encryption keys.

Encryption is a security technology that scrambles digital information using specialist mathematics.

It makes it so only people in possession of a specific unlock key or password can read the encrypted information.

Google’s move may not sound like a big deal to people outside the technology community, but the implications for the move are pretty massive.

What the Google Compute Engine is

Google’s Compute Engine is the basis of the company's cloud computing platform.

Cloud computing is a special type of technology that uses a network of remote servers hosted on the internet to run computer processes traditionally done on a device’s internal hardware.

In theory, this means cloud computing customers can get high-powered computer performance, or run complex tasks beyond normal hardware’s capabilities without having to buy lots of equipment.

As well as Google, which uses the tech to power many of its own services, such as YouTube, numerous big-name companies including Coca Cola, Best Buy, Rovio, Avaya and Ocado also use the Compute Engine.

How it links to government surveillance

The widespread use of Google’s cloud tech means it handles vast amounts of user data. Data running through the platform can include things like customer records, account information and, at times, the user's geographic location.

PRISM documents leaked by Edward Snowden in 2013 revealed intelligence agencies, such as the NSA and GCHQ, have been siphoning vast amounts of web user information from Google's cloud platform – as well as many other cloud service providers.

The move makes sense, as the Compute Engine’s large customer base lets the agencies collect data from multiple companies and services from one central source.

A game of cat and mouse

Google already encrypts services running through its Compute Engine by default. This partially protects customers as it means agencies like the NSA or GCHQ cannot read the data without knowing which encryption key was used.

However, the tactic is not foolproof, as the NSA and GCHQ can use legal requests, such as letters sent under the US Foreign Intelligence Surveillance Act (FISA), to force Google to unlock or hand over unencrypted copies of the data.

This issue was set to get even worse in the UK and US as both governments have hinted at plans to make it easier for law enforcement and intelligence agencies.

Law enforcement agencies within the US have been lobbying for the US government to control business use of encryption since the PRISM leaks emerged. FBI director of counter-terrorism Michael Steinbach warned lawmakers that strong encryption technology allows terrorists "a free zone by which to recruit, radicalize, plot and plan," in June.

UK prime minister David Cameron has hinted at plans to hamper the use of encryption. Cameron told Parliament he wants to "ensure that terrorists do not have a safe space in which to communicate," on June 6.

How companies having their own keys will hamper surveillance

Experts within the security community have argued that Google’s move will cause problems for the UK government’s plans.

FireEye global technical lead Simon Mullis explained to Business Insider this is because it will make it so Google won’t be able to decrypt the data, even if ordered to.

“Essentially the access to, ownership and management of the keys used to encrypt all data within Google Cloud is now handled by the end-customer," he said.

"[This will] make it harder for any external agencies such as law enforcement or intelligence services to gain access to the decrypted data as there are fewer parties [people able to unlock the data] involved.”

As a result, if law enforcement wanted access to the encrypted Compute Engine data, they would have to mount individual requests to each customer, a practice that would slow their surveillance operations.

Business Insider has reached out to the UK Prime Minister's press team for comment on how custom encryption keys will impact Cameron's plans.

Google is one of many technology companies working to fight the UK and US government’s surveillance plans. A group of 140 companies, including Google, Microsoft, Apple and Facebook, sent an open letter to President Obama in May urging him to reject the encryption proposals, fearing they would damage the US economy. Apple CEO Tim Cook claimed law enforcement’s hostility towards encryption is dangerous in June.

SOURCE
http://www.techinsider.io/google-has-offered-compute-engine-customers-advanced-encryption-powers-2015-7

---------------------
COMMENT

'Terrorists' is the big stick / leverage go-to for governments to demand access.

If I were a company, I would prefer complete control of my own data.  Relying on cloud computing doesn't appeal, even though it may be cheaper.  And why would you trust any company that can unencrypt your data?  But I guess the advantage might be in passing the buck.  As in, if data is compromised, you can maybe blame it on the third party cloud host & they get lumped with compensation payouts?

This is a good companion article regarding encryption offerings:  

The Red Herring of Digital Backdoors and Key Escrow Encryption

Bill Blunden

EXTRACTS

By concentrating on key escrow the CEOs of Silicon Valley are able to conjure up the perception of an adversarial relationship with federal agencies. This is absolutely crucial because tech companies need to face the public wearing a white hat. In the aftermath of the PRISM scandal, where C-suite types were caught colluding with the government on a first-name basis, American executives are frantically trying to convince people on behalf of quarterly revenue that they’re siding with consumers against spying. An interesting but fundamentally flawed narrative, given how much economic espionage the government conducts and how much spying corporate America does. Who do you think benefits from this sort of mass surveillance?

All told it’s likely that private sector involvement henceforth will transpire off stage. Far removed from the encryption debate. Rather than forgo the benefits of aggressive spying, CEOs will merely conceal their complicity more deeply while making lots of noise for rubes about encryption. In this sense zero-day bugs offer the added benefit of plausible deniability. That is, back doors based on zero-day bugs are vital spy tools that masquerade as mere accidents. Only fitting, one might conclude, as spies and magicians are kindred spirits performing artful tricks that beguile more susceptible members of the audience.
http://www.counterpunch.org/2015/07/29/the-red-herring-of-digital-backdoors-and-key-escrow-encryption/


I really like this guy's articles.


August 07, 2014

US PASSING SNEAKY CYBER SECURITY LAWS TO GIVE NSA MORE POWER ... & NSA STAFF GO PRIVATE



Ex-NSA chief defends his profitable cyber-security business
Published time: August 06, 2014 10:05
Edited time: August 06, 2014 12:43


As the marriage between surveillance and non-governmental cyber-security firms comes under the spotlight, former NSA chief Keith Alexander fends off criticism of his new lucrative business, which he claims will revolutionize cyber-security.

Alexander, who recently announced work on a number of “game-changing” patents to propel cyber security forward, sees nothing improper in the practice, as he revealed in a Tuesday interview with the AP.

The former NSA head also stands to answer why he failed to share some of his groundbreaking ideas in his time as a government employee. But for Alexander, this seems to be a straightforward pursuit of doing business and making a living.
...

The business was rumored to be bringing him a cool $1 million a month, but Alexander has brushed off the figure as inflated.

Explaining further why IronNet Cybersecurity is different to how the government uses information, Alexander said that the NSA only had authority to defend secret government networks, whereas his work will be focused on the private sector.

The tools and technical reach are at this point unknown, but "If it actually works, this will be worth a lot," he said of his new “behavioral model,” which purports to use sophisticated techniques to catch unconventional hackers.

Critics see a number of issues with Alexander’s new venture, IronNet Cybersecurity. Apart from the generally disliked idea of government officials cashing in on sensitive information learned and tools retained from public service, people worry that any type of access to sensitive information by private firms using high-tech tools is not good. Only recently there was a private sector initiative to pool top officials from eight US government agencies to create a council that would defend the banking industry from cyber-attacks.

Indeed, the Securities Industry and Financial Markets Association (SIFMA), the Wall Street group that proposed the council, has retained Alexander’s services. That agreement and others have raised concerns among those who’ve said Alexander may be in the business of disclosing state secrets for any company with a budget big enough to afford his services [Conflict of interests? - May have moved on from public service, but does it form a 'conflict of interest' type of problem from mixing it up in the private sector?]

Last month, The Senate Select Committee on Intelligence voted overwhelmingly to approve the new controversial cyber security bill – the Cybersecurity Information Sharing Act (CISA), which SIFMA endorses. Privacy advocates are naturally opposed to the legislation, which lawmakers have been trying to push through for years. They believe that codifying a program to share digital data between the government and private sector would open the private sector up to sensitive information pertaining to millions of Americans.

One scornful comment illustrating this came from the World Socialist Website’s Thomas Gaist, who says that “CISA clears the way for virtually unrestrained information sharing between the US government and corporations.”

The criticism is not unique to rights groups – government officials occasionally also voice concern.

...
Although Alexander’s move into private business has caused concern in some circles, he is traveling an already paved road, being the latest in a line of government, intelligence and security officials who go on to private sector work after an illustrious government career. Some examples include the first secretary for homeland security, Tom Ridge – he now has his own firm; the second homeland security secretary, Michael Chertoff, also has one; just as the NSA’s previous director, Michael Hayden, who now works with Chertoff.
...




The thing that struck me most in this article is the cyber security bill was voted for approval by the 'Senate Select Committee on Intelligence'.

As Thomas Gaist says, the Cyber Security Information Sharing Act (CSIS) exposes the public to 'unrestrained information sharing between the US government and corporations'.  That's creepy.

New to looking at politics and unfamiliar with US politics, but I believe the next step is back to the House of Representatives and to Senate, before a final rubber stamping by Obama and bringing the proposed legislation into being as law.

...........................................................................
Discussion Draft of CSIS proposed Bill - here.

Wikipedia - CSIS proposed Bill - here.

The Guardian - says Senate giving more powers to NSA in secret - here.

Wikipedia on, former NSA head, Keith Alexander - here.  Military background (now retired).  Introduced the 'collect it all' approach:
believed by Glenn Greenwald of The Guardian to be the model for the comprehensive world-wide mass archiving of communications which NSA had become engaged in by 2013.

Note also:  'stockpiling of zero-days'. Not really sure what this means specifically, but it relates to exploiting unpatched (and unknown) software vulnerabilities ... for spying.

Wired reported:

“In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the report reads. “Eliminating the vulnerabilities–’patching’ them–strengthens the security of U.S. Government, critical infrastructure, and other computer systems.”

Obama’s response to his advisers’ review, however, added a major loophole, allowing any zero-day vulnerabilities to be exploited if they have a “clear national security or law enforcement” application.


.. read the article - here - if interested.

Hey, following the Wired link, found this:


This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation.

A so-called zero-day vulnerability is one that’s unknown to the software vendor and for which no patch therefore exists. The U.S. has long wielded zero-day exploits for espionage and sabotage purposes, but has never publicly stated its policy on their use. Stuxnet, a digital weapon used by the U.S. and Israel to attack Iran’s uranium enrichment program, used five zero-day exploits to spread.

The stuff about US and Israel hacking(?) Iran is pretty interesting.  Why doesn't Iran hack right back?

Anyway, I'm not sure what the fuss is about because it stands to reason that they'd use ANYTHING they can to their advantage.  Why is this surprising?