Does the new AWS Euro Cloud solve the Data Sovereignty problem?

No, obviously not. It’s just fine words, along with every other promise made by cloud computing vendors. I’m using AWS as an exemplar, as they’ve just hyped up the launch of their AWS European Sovereign Cloud.

According to AWS it’s “a new, independent cloud for Europe entirely located within the EU” and has been welcomed by their customers and policymakers.

Basically it’s rolling out new “sovereign” AWS Local Zones in which the data will always remain in the country of origin. That’s data residency, not sovereignty, but it’s a start – if Uncle Sam wanted access to this data they’d have to pressure AWS to hand it over. However, given the US Administration’s willingness to pressure Europe into making Denmark hand over Greenland, such pressure isn’t unimaginable.

Stéphane Israël, managing director of the AWS European Sovereign Cloud and digital sovereignty, stated “Customers want the best of both worlds – they want to be able to use AWS’s full portfolio of cloud and AI services while ensuring they can meet their stringent sovereignty requirements. By building a cloud that is European in its infrastructure, operations, and governance, we’re empowering organisations to innovate with confidence while maintaining complete control over their digital assets.”

This is interesting. Governments do impose sovereignty requirements, but that doesn’t mean they get them. It just means a service provider has promised to keep their data within international borders while it’s convenient for them to do so. However, if the company is ultimately based abroad, the government there will be able to pressure it to hand the data over anyway, and the small print in the contract will allow them to comply with all applicable laws (present and future).

I don’t want to make the Americans out to be the bad guys here. For example, late last year a Canadian court ordered French bit barn OVHcloud to hand over customer data as part of a criminal investigation. This could have been handled by a mutual assistance treaty, but the Canadian police decided to go after OVH’s Canadian subsidiary. French law prohibits OVH from complying or they go to jail, but the Canadians will take it out on their subsidiary there if they don’t. Place your bets on the outcome.

And this is mild-mannered Canada. Imagine what the Chinese or Americans might do, and for less reason? Companies in China are very much under the control of the Communist Party, and the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US officials to subpoena data from US companies stored on foreign servers with minimal court protections.

Now you might say you don’t really care if the CIA wants to read the innocuous chatter between Wizards on your MUD, but if it’s personal information protected by local law then you might find yourself in trouble whether the option to access it is taken or not.

So what can you do?

You can eschew multinational hyperscalers and use a local cloud provider, of course. Your local government can probably still access the data unless they’re too small to show up on radar, but this may not matter to you or your customers. The risk here, in my experience, is that these companies don’t last forever and may well be subsumed by a multinational. And to be honest, quality has proved even more variable than the hyperscalers. You won’t get the PaaS infrastructure tools and services provided by the likes of AWS, Azure and GCP. However, going for the self-managed VPS option doesn’t tie you to a particular provider and gives you an escape route if their sovereignty becomes compromised at a later date.

The problem remains – your VPS provider can snoop on you. One particular provider, who shall remain nameless, contacted me to warn I was running a compromised version of RHEL and I really needed to patch it or they’d take my server down. What? It turned out I had a CentOS repository (running on FreeBSD), which was needed to support testing and migrating a legacy project and their scanner had picked up an old (but obviously not running) version of log4j2 amongst the packages. The point is they were scanning the disks, albeit with the best of intentions. And if you think running whole disk encryption on a VM would stop that, think again.

Last week a friend asked what I thought of a particular UK cloud provider as a means to overcome sovereignty problems perceived by his commercial partners, which was the second thing that has prompted me to write this. He followed with “I expect you’ll say I should run my own servers in a data centre”, and he’d be right in many cases. If you can run your own VPS, you ought to be able to run your own servers, and they’ll be a lot cheaper. If you’re not sure about looking after the hardware, put a consultant on a retainer. And if you think hard disks have become a bit expensive lately, wait until you see what the cloud providers charge per gigabyte. Having your own servers also means you do have total control of your data. You know where it is at all times, and can whole disk encrypt it if necessary to protect against physical theft. With cheap asymmetric fibre lines you can even keep backups and archives in your company safe, or under a mattress as you prefer.

Airports “hacked” by ransomware gang

I’m looking at media reporting of the disruption caused to airports by the latest ransomware attack and I’m once again struck by the lack of detail. The victims are, as always, tight-lipped about it and this translates to the media as “we don’t know what happened apart from it was an attack”.

Anyone who knows how this stuff works will have a pretty good idea what went down. So let’s look at the Collins Aerospace system at the heart of it: It’s reported as being MUSE but it’s actually cMUSE.

cMUSE stands for common-use Multi-User System Environment, and it allows airlines to share check-in desks. It’s what’s known as a common-use passenger processing system, or CUPPS. When the self-loading cargo presents itself at the check-in it tracks their bags using integration with systems like BagLink, sorts out boarding stuff and so on. Its main competitor, if you look at it that way, is SITA’s BagManager, but this only handles and tracks luggage.

Now here’s the thing – cMUSE makes a big thing of being cloud based. It runs on AWS. A SaaS product. It is possible to run it on your own infrastructure, but they sell the benefits of not needing your own servers and expensive IT people to manage it – just let them do it for everyone on AWS.

So what went wrong? They haven’t said, but a penny to a pound it’s the AWS version that got hit. This is why so many airlines got their check-in hijacked in one go. A nice juicy target for the ransomware gangs.
At Heathrow, I believe it’s deployed on over 1,500 terminals on behalf of more than 80 airlines. It’s used in over 100 airports worldwide, which isn’t a huge share of the total number (there are over 2000 big ones according to the ACI), but it’s been sold extensively to the big European ones – high-traffic multi-carrier hubs. The ones that matter. Heathrow renewed for another six-year contract this April.

Collins claims it will save $100K per airport going to AWS, but that must seem like a false economy right now. Its predecessor, vMUSE, dates before cloud-mania and users of the legacy system must be feeling quite smug. Many airports have a hybrid of cMUSE and vMUSE and it’s hard to know the mix.

Ottawa International went cloud with a fanfare in 2017, and Shannon Airport chugged down the kool-aid, renewing for cloud-only in 2025. Heathrow is likely mostly cloud. Cincinnati/Northern Kentucky and Indira Gandhi International (Delhi) are publicly known to be cloud users. What bet Brussels and Berlin Brandenburg are on the list? Lesser problems at Dublin and Cork, which use the system, suggest they’re hybrid or still on vMUSE.

Subscribing to a cloud service for anything important is such a bad idea. You’re only as safe as your cloud provider. There’s no such thing as a virtual air-gap and large-scale attacks are only possible because everyone’s using the same service. If airports save $100K by switching, they’d be much better off having servers on-site and paying someone to look after them – part-time if it’s such a small amount in question.

If you want a games server in the cloud go ahead. If my business depended on it, I’d want to know where my data was and who could get at it.

Microsoft plans to dump OneDrive unlimited and Windows 7

Microsoft continues to lose the plot. This week saw the announcement that OneDrive customers have a year to shift their data away, and businesses have a year to switch from Windows 7 to Linux Windows 10.

The problem they’re having with OneDrive is that when they sold it on the basis of “unlimited” storage, they didn’t realise the punters would actually believe them. After all, who believes what Microsoft says about any of their products? But, apparently, some credulous customers have been using it for backing up all their stuff and this has caught the folks in Redmond by surprise. So they’re withdrawing the product, and users have (at least) a year to shift their stuff off, after which the Office365 subscription would have lapsed anyway. The maximum storage available after that date will be 1Tb, but they have yet to explain what will happen to the excess.

And in the same week, Microsoft announced that Windows 7 will no longer be available in a year. It may surprise some to hear that it’s still available, as anyone buying a domestic PC from the high street has only had Windows 8 since 2013. However, if you buy a business machine from a business supplier, chances are it will still have Windows 7 pre-installed, with a set of Windows 8 downgrade disks in the box to satisfy an “everything now ships with Windows 8” clause in some OEM deal. Businesses don’t want Windows 8, and voted with their cheque books to keep Windows 7.

Microsoft now plans to take that choice away, and force everyone on to Windows 10. This is hardly unexpected, but now it’s official. The reasons aren’t clear to me. Okay, Windows 10 has the creepy doll sending user data back to Redmond, in order to deliver a richer user experience (and targeted adverts) and make the world a better place (for Microsoft shareholders). Possibly a case of corporate Google-envy? Is Microsoft so keen on the Google business model that they’d risk hacking off the loyal customers who’ve been buying Windows XP and Windows 7 for years? Ironically, Google is pushing its paid-for cloud apps, and I suspect, would like to get a larger revenue stream from selling SaaS.

Listen up, Microsoft. People buy Windows because it runs the applications they want. It has nothing to do with whether they like the colour scheme. Windows XP runs DOS stuff; Windows 7 does, just about, because it has XP emulation. This is a concept known as backward compatibility, and Intel knows all about exploiting this and making mega $$$ if you need a reminder. Lightweight home users and kids might be impressed by the new and shiny, but business wants something that works, and if it ain’t broke, don’t fix it.

The beneficiaries of this will probably be Linux (including Android), Google GDrive and other cloud storage providers, and alternatives to Office (Google Docs, OpenOffice.org and smaller companies like SoftMaker). The latter has just released SoftMaker Office 2016, with an offer to make it free for use in schools.

Leaky iCloud

As I picked up my copy of Private Eye at the station newsagent just now I noticed the headlines on certain of the dailies going on about hackers stealing naked photos of celebrities from their Apple on-line storage areas. The fact that they were (apparently) celebrities and that they weren’t wearing clothes was the main point for the tabloids, but the big story is really the security of cloud storage.

Personally, I’d be very surprised if attackers had actually compromised Apple’s servers. More likely explanations would be an inside job, or the lusers’ endpoints. But my money would be on a phishing attack.

It does highlight, however, the danger of outsourcing your sensitive data to anyone.

In the 1980s the fad for outsourcing really took off. Professional engineers all said it was a bad idea then. If your company data is important, the last thing any business should do is trust it to someone else.

The term ‘cloud’ has become a trendy marketing concept in recent years. What it really means is “I have no idea and don’t care.” It was used in context as follows:

“Where is that service you’re using actually running?”

“Don’t know, somewhere up in the clouds!”

It was ironic. In the real world, admitting you’ve lost control of your data is hardly something anyone would be proud of. But suits heard the new buzzword and wanted some of it. And the punters quickly accepted the benefits (free stuff) without a thought to the risks.

So has Apple’s online storage been compromised? I doubt it’s been hacked. The technology is fairly robust. If you want to access iCloud data, Apple’s servers themselves are not the soft attack vector. The obvious method is to trick users into handing out their passwords. After all, any coy celebrity foolish enough to (a) take pictures of themselves in the buff; and (b) store them on someone else’s computer, is hardly going to be the brightest star in the sky.

The fact that fanbois seem to have been the victims in this case is irrelevant. They may have been easier targets if, indeed, it was a phishing attack. However, the general principle remains the same whoever is providing the service – Amazon, Google, Dropbox, Microsoft or one of the many startups trying to get a bit of the action. And the same goes for Facebook and the like – anyone uploading anything remotely sensitive to their servers needs to consider the implications. If you wouldn’t publish something directly on your web page for all to see, don’t send it to “the cloud” either.

The American gun-selling industry has long used the argument that firearms in themselves aren’t dangerous. It’s the users that are the problem. They’re right, in so far as the argument goes. Unfortunately, adding the human factor to cloud services makes the encryption, data centre security and other precautions taken by the providers irrelevant in the same way. People will be hurt. And “celebrities” will be caught with their pants down.