[Cryptography] MSFT doesn't retain keys for its own German cloud

Tom Mitchell mitch at niftyegg.com
Wed Mar 16 16:32:27 EDT 2016


On Tue, Mar 15, 2016 at 7:20 PM, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 3/15/16 at 5:56 PM, leichter at lrw.com (Jerry Leichter) wrote:
>
> Of course, this is only relevant when the US (or, for that matter, the
>> Germans) go through standard legal channels.  The spies get their access
>> behind the scenes, and when operating outside of their own borders (let's
>> close our eyes to the stuff within their own borders, shall we?) can do
>> pretty much whatever they can get away with - which is pretty much anything.
>>
>
> The traditional way of handling these situations is to ask some foreign
> agency to collect the data, so it is operating outside its own borders.
> The word on the street is that GCHQ and NSA are good buddies with these
> arrangements. Of course, proof that it happens is much harder to get.
>

Inserting the NSA, a federal agency, into this is interesting.
As a federal agency it has responsibilities to gather and to protect (both).
I believe any local, state and federal agency has a reporting obligation.

Never say anything has a clear reporting obligation.
   https://w2.eff.org/Privacy/Key_escrow/Clipper/nsa.charter
 See 1d.
    "It shall be the duty of the Board to advise and make
    recommendations to the  Secretary of  Defense, in  accordance
    with  the  following procedure,  with respect  to  any matter
    relating  to communications  intelligence which  falls within
    the jurisdiction of the Director of the NSA."
Defense -- there are DOD and DHS today.

Access via human intel or human engineering is going to happen, and the NSA
and CIA, rightly so, seem to qualify such as a useful universal bug. In the
context of protecting the homeland (DHS), traffic analysis that demonstrates
transfers of corporate secrets and attacks on infrastructure should trigger
action.

To me there seems to be a universal legal requirement to report and act on
theft. Data is little different than currency, gold, silver, oil,
pharmaceuticals. When goods are stolen the law has mandated action to report
and stop the problem. If the theft is via a known flaw in a locking device
there is a social mandate to notify the lock manufacturer, and the
manufacturer is expected to improve the product to address the theft. Vaults
and safes went through iteration after iteration to defend against fire,
physical breach and even social breach (time locks).

I think I am observing an imbalance of attention on possession of contraband
in contrast to outright theft of data. Or creation of contraband... Sure, a
collection of images can be sold a thousand times and 100-800 arrests made,
but without attention to the source it is metric friendly to focus on the
100-800 and not on the single bad actor.

This imbalance of metrics needs attention.
Law enforcement is clearly focused on and has a mind set for hunting the
100-800, not the 2-3 sources. The numbers and expansion of the distribution
network are off by orders of magnitude, but the hundred arrests of corner
drug dealers is vastly easier than the source. Often "dealers" are cut deals
by prosecutors for giving up underlings and get a "get out of jail free card"
for the easy conviction, often ignoring false arrest and conviction of
innocents.

-- 
  T o m    M i t c h e l l