
An Apology to my European IT Team - flybrand
http://fredlybrand.com/2013/06/23/an-apology-to-my-european-it-team/
======
btipling
Hrm I wonder what are the chances that someone at the NSA or doing contract
work for the NSA has a buddy at a company and that person decides to use their
NSA powers to get their buddy's competitor's emails from Google Apps and send
those emails to their friend. If there are safeguards in place from keeping
this from happening how was Snowden able to take so many documents with him
when he went to Hong Kong? Ok so maybe he didn't take any of that kind of
data, maybe I'm reaching. If this kind of thing did happen would they let the
affected company know? Would anyone know?

~~~
alrs
This kind of work isn't informal.

Economic espionage is a big part of what intelligence agencies are doing all
day.

[http://www.commondreams.org/headlines/070200-02.htm](http://www.commondreams.org/headlines/070200-02.htm)

~~~
leoc
One unintended consequence of the Snowden leak is to advertise this service to
US businesses. My guess is that the discreet inquiries are already winging
their way towards Congressmen.

~~~
pc86
No.

With the exception of the handful of Members on relevant intelligence
committees, most Members of Congress were not aware of the massive scope of
this program, or even that it existed in its current form.

Access to this type of information by a private citizen would require a hell
of a lot more access than writing a big check to a Representative can get you.

~~~
Jgrubb
Color me skeptical, but it doesn't appear that there's anything that's outside
the scope of what a big check to a congressperson can get you these days. I do
hope you're right, though.

------
rdl
Seems odd that someone wouldn't have understood that even 10-15 years ago.
Outsourced means being exposed to risk from your supplier -- by the company
itself, by its employees, or by governments. Gmail has somewhat better
technical security to protect from outside non-state hackers than your average
self-hosted exchange server, and from insiders (the IT guy, like Snowden, may
not have the same goals as the organization...), but that may or may not make
up for the ease of serving a third-party communications service provider.

I still prefer well-run self-hosted mail unless:

* You have a <6 month retention policy (i.e. so ECPA's weaker protections are a non issue) (which can be specified in Google Apps for Your Domain)

* You don't have the technical competence to run your own mail server (which gets complicated in a larger organization due to HR risk), or don't have the business competence to hire a contractor to run it in-house in such a way that their staff don't become a huge risk.

There's a third way which would be a lot better for everyone, but it's not
technically feasible yet -- a way to outsource some aspects of the server
without giving up control.

~~~
ricardobeat
It would be great to have a service that could manage your mailserver
configuration, tracking reputation & avoiding spam, while not having any
access at all to the data itself.

~~~
yen223
Is there any way to tell if a particular email is spam, without knowing the
content or the sender of said email?

~~~
ChuckMcM
If all your actual email is encrypted then by definition spam is the
unencrypted stuff. A long time ago in a different galaxy I built a PGP MTA
(based on sendmail at the time) which only forwarded mail that was encrypted,
and as expected it was spam free, although these days spammers just might go
to the trouble of sending it encrypted if they thought it would get through.

~~~
rdl
Even just setting START TLS REQUIRED might solve your spam problem, as long as
only a tiny minority of people did it. That would have the added benefit of
protecting you from Yahoo Mail users, the FBI, and such.

At this point, I'd consider NOT using START TLS for your MTA to be nearly as
irresponsible as not using ssh instead of telnet/rsh, or not using secure
passwords. It correctly pushes all the pain onto the sysadmin (and a very tiny
amount of pain), rather than end users.

~~~
bigiain
Do you know if a successful response to a START TLS command ensured end-to-end
TLS secured mail transport?

I kinda doubt it - if for some reason your outgoing mail server connects to
one of my secondary/relaying MX servers, I don't think there's any way for you
to ensure that server bothers trying to set up a TLS session when it relays my
mail (which I guess is mostly my problem/fault) - and similarly, if your ISP
requires you to send mail via their SMTP servers (blocking port 25 isn't
uncommon here) - I don't think you've got any say in whether or not that
server requires TLS?

(I know - I really should go and look this up myself…)

~~~
rdl
Usually people do _not_ block 465 or 587 (if they do, they really really suck,
and you need to VPN through that network anyway). For outgoing mail, you just
do STARTTLS directly to your own smarthost over those ports.
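
The hop-by-hop question raised in this sub-thread can be checked per message after delivery, because each receiving server records the protocol it accepted the message over in its Received header. This is an added example, not part of the original thread: the host names, addresses and queue ids are constructed, and it assumes the servers use the RFC 3848 `with` keywords.

```python
import re
from email import message_from_string

# "with" keywords registered (RFC 3848, RFC 6531) for sessions that ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")

def strip_comments(text):
    # Drop (possibly nested) parenthesised comments such as Postfix's
    # "(using TLSv1.2 with cipher ...)" so "with" only matches the protocol clause.
    prev = None
    while prev != text:
        prev, text = text, COMMENT_RE.sub(" ", text)
    return " ".join(text.split())  # also unfolds continuation lines

def clause(keyword, text):
    m = re.search(r"(?:^|\s)%s\s+([^\s;]+)" % keyword, text, re.IGNORECASE)
    return m.group(1) if m else None

def audit_hops(raw_message):
    """Return hops oldest-first as (from_host, by_host, protocol, used_tls)."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for header in reversed(received):  # newest header is on top
        text = strip_comments(header)
        proto = (clause("with", text) or "UNKNOWN").upper()
        hops.append((clause("from", text), clause("by", text),
                     proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    return [(src, dst) for src, dst, _, tls in audit_hops(raw_message) if not tls]

# Constructed sample (example.* hosts, RFC 5737 addresses): submission and the
# first relay use TLS, the secondary MX relays to the primary in cleartext.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mx1.example.net (Postfix) with ESMTP id CCC333;
    Sun, 23 Jun 2013 10:00:03 +0000 (UTC)
Received: from smarthost.example.org (smarthost.example.org [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx2.example.net (Postfix) with ESMTPS id BBB222;
    Sun, 23 Jun 2013 10:00:02 +0000 (UTC)
Received: from laptop.example.org ([198.51.100.7])
    by smarthost.example.org with ESMTPSA id AAA111;
    Sun, 23 Jun 2013 10:00:01 +0000
Subject: constructed test message
"""
```

Received lines are written by each receiving server about itself, so only those added by servers you operate or trust are reliable evidence; earlier lines can be forged by the sender.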

------
Camillo
While OP's apology is appreciable, there was more than enough information
available in 2008 to understand that his Czech colleagues were right.

The Prism scandal may have come as a surprise to US citizens, but the US has
been spying on foreign nationals and companies for years, and we've long known
about it - haven't you heard of Echelon? It was also well known that these
systems were used for industrial espionage.

~~~
skrebbel
Huh. How is "You should've known!" a useful response to an apology? Of course
he should've known, that's why he's apologizing.

~~~
prof_hobart
There is a big difference between "Subsequent facts have shown them to be
right" and "Evidence existing at the time already strongly indicated they were
right".

------
drawkbox
Sadly the NSA programs are strongly anti-business as they are based on 'trust in
me'.

American businesses could and should lobby Congress to fight this and to find
ways to protect US stored data, I know I wouldn't trust a Chinese cloud
company not to snoop or steal business/corporate ideas and trade secrets.

But if there were assurances for US cloud businesses that this doesn't affect
their business ideas accidentally or deliberately then we could set a global
example on how to run cloud data storage that is safe and business friendly.
There is an opportunity here for Google, Amazon, Apple etc for cloud data.

Lots of damage control to be done here for international clients. As an
American I would always trust our systems more but international companies may
have a very hard time trusting without the US being a shining example of how
to correctly protect business data in clouds here, especially encrypted data
that is automatically subject to storage/filtering if international.

~~~
pekk
I love how business-friendliness is your top concern here.

How about this: only businesses (like Facebook, Google et al.) should be able
to say 'trust in me' - to their customers. Privacy regulation is only for the
government, this will ensure that the surveillance state is built by
corporations, as God intended.

It's obviously a huge risk and embarrassment if the US government looks at
data from Europeans. But if American companies sell each other that data, that
should be of no concern to Europeans, because private companies are all
inherently trustworthy without external oversight.

~~~
drawkbox
Well I mentioned business aspects since that was the topic/article focus, lack
of trust in US business/cloud data due to unsure protections and secrets of
business.

Also I mention that frequently because the people that say 'I have nothing to
hide' and don't mind, might think differently if they are business focused and
do worry about people stealing ideas, plans, or reacting based on those
business secrets.

It is bad all around when individual privacy is at risk unknowingly, but it
also affects business privacy and that impacts everyone and harms perception
of US cloud services for one which the article mentions.

If you make something public on a website like Facebook you should expect that
will be used. But no one expected private emails, phone calls, logs of files in
the cloud to be so easily accessible. It creates huge problems in business
trustworthiness and protections. That aside from the more important lack of
individual privacy that is expected in the same and the root of the problem.

------
pconf
It doesn't take much reading of the literature to understand industrial
espionage or any of the other substantive risks of outsourcing. Prism or not,
when you put your intellectual property on someone else's networks you are
taking a risk.

Yet most of the managers I see who make this decision just don't care. They
ignore the advice of their systems admins and follow the old adage "you can't
get fired for buying IBM" like sheep to a slaughter. It's typical of the
short-term mindset that drives so many business decisions.

I chalk this up to a lack of education, both in business and IT. While CS
professors obsess over data structures and algorithms, and non-IT departments
preach about the relevance of the next quarter's results, "Rome is burning".

~~~
flybrand
We'd brought up a wafer fab in the Hsinchu Scientific Park in Taiwan before -
so we weren't strangers to the concerns about industrial espionage. Several of
us have done a lot of work with the government and we'd manufactured some very
sensitive products (as does the current business).

My apology is really around the fact that at the time we were trusting that
such programs would not exist here (this was before explained Echelon to us),
and that the US didn't work that way. I was naive and I was wrong.

~~~
pconf
_we were trusting that such programs would not exist here_

It's still not clear what programs you are talking about. Because Google
provides no access logs "someone could go into our account and take
confidential information, and we would never know". What does that have to do
with Echelon or Prism?

------
Sami_Lehtinen
I just wonder why telcos I've been dealing with have always required to
encrypt all information which is not classified as public information. All
customer, project, system, configuration, documentation, contracts etc. must
be encrypted before transit. - Surely they must have known about this. So if
telcos won't trust privacy of telecommunication, why should anyone else think
that telcos are trustworthy?

~~~
rsynnott
(A) Yes, they probably knew about this, at least as a potential risk; while
the media has gotten very excited about PRISM, it isn't really that different
to ECHELON, which has been effectively public knowledge since the late 90s.

(B) Governments aren't the only ones potentially spying on people's
unencrypted comms.

------
driverdan
The author is overlooking one major flaw in his discussion: security (and
possibly also reliability). His implication is that they can run internal
servers more securely than Google and Salesforce. While government collection
of encrypted emails is problematic, securing your own server and making it
reliable is an entirely different issue. Unless they have an absolutely top
notch security team they'd be better off on someone else's servers.

~~~
honzzz
When your provider is forced by their government to just hand over your data,
security is pretty much irrelevant. Anything is more secure than that.

~~~
plywoodtrees
No, not true. There are government and non-government attacks. Even if we
assume cloud services are more vulnerable to government snooping, we need to
also consider that many more companies and individuals suffer more damage from
regular criminal hackers than from the NSA. Avoiding a small risk by
increasing your exposure to a large risk is not rational.

~~~
honzzz
Generally this is a good point but I think it's not relevant in this case. The
author of discussed article claims that they do business with governments and
the knowledge that US government can access their data just by asking their
provider to give it to them is not some 'small risk' that you might want to
accept to avoid something worse - it's a deal breaker. Expose yourself like
that and you have no business.

------
mironathetin
How nice that finally there is understanding, that web-based services are good
for providers and third parties not users.

It's so obvious.

------
jojobe
Hosting the email on a server in your office is no protection if the data is
being captured at your ISP unless all email is transmitted using SSL, and even
then govt probably has that cracked long ago.

------
frozenport
I wonder if this problem is particularly acute for Eastern European companies
who often sell their products to despicable despotic regimes.

~~~
betterunix
How would that differentiate them from Western companies?

[https://en.wikipedia.org/wiki/FinFisher](https://en.wikipedia.org/wiki/FinFisher)

