Where to store your encrypted data

In a talk entitled "Lies, Damned Lies, and Remotely Hosted Encrypted Data", Kolab Systems CEO Georg Greve outlined the thinking and investigation that the company did before deciding on where to store its customers' encrypted data. The talk, which was given at LinuxCon Europe in Düsseldorf, Germany, looked at various decisions that need to be made when determining where and how to store data on the internet. It comes down to a number of factors, including the legal framework of the country in question and physical security for the systems storing the data.

The intent of his talk was to relay the lessons Kolab Systems learned in the process of setting up its data storage facility. There are a lot of questions to be asked when evaluating the integrity, security, and privacy implications of the options. Greve hoped the talk would give attendees "a better idea which questions to ask".

Threats

Using a set of handwritten and hand-drawn slides [Slideshare], he started by talking about the threats users face. To start with, users have a feeling of insecurity because of all of the surveillance that has been in the news. Security is an "emotional subject", he said. There is no such thing as total security, however, so security is a question of balancing the expense for an attacker against the need to protect the information.

This surveillance creates an awareness of a new risk for users. There is the feeling that they are always being watched, but the actual risk from that is not something they can get a handle on easily. Humans are poor at choosing which risks are more important based on their probability. The classic example of the likelihood of dying in a plane crash versus that of dying in a car on the way to the airport is a good demonstration of that. Our "risk perception is completely off", he said.

Another risk to users and their data is industrial espionage. Greve said that he is personally not convinced that the large budgets given to the US National Security Agency (NSA) and other spying organizations are not aimed at assisting in industrial espionage. The NSA's mandate explicitly says that the data it gathers can be used for promoting the US economy. That aspect has not figured prominently in the discussion of internet surveillance, but he thinks it may have a greater impact than the other uses of the data.

Criminals are another threat. The lore among the tech savvy is that criminals are not particularly smart, but that simply is not true, he said. He gave an example of a point-of-sale device that came "pre-tampered from China". Eventually it was determined that you could detect the tampering by weighing the devices; the tampering added 30g. After a while, that test stopped detecting any tampered devices; opening them up revealed that 30g worth of plastic had been carefully removed from the inside of the case.

Beyond that, some of the changes are themselves tamper-resistant. Trying to determine if the devices have been maliciously altered destroys the evidence of tampering. Internet criminals are sophisticated and technically adept—increasingly they are part of organized businesses. In fact, Greve said, "they are not as inept as we would like them to be".

There is lots of advertising for products that supposedly provide security. There are many different claims: "It has crypto!" or "It uses P2P [peer to peer] technology". But users are left trying to figure out what to believe. Total security does not exist, he reiterated, especially not without loss of convenience. If something is "ultimately secure", that means it will "ultimately do nothing".

"We like the convenience of the Google cloud", Greve said, but we want to be able to restrict access to the data we store there. On the other hand, though, sharing and collaborating with others is part of the value of the internet. Users just want some controls on that sharing.

Location and hardware

The physical servers that store "data in the cloud" have to be located somewhere. Whatever choice is made brings with it a legal framework that governs various aspects of the data stored there. This is a really important decision, he said. "US companies are screwed" by the legal framework that governs their data. The laws that are in place, including those that compel them to secrecy about requests for data, make the US framework rather hard to work with.

But it is more than just the physical location of the server that determines the legal regime applied. If a US company stores its data outside of the country, that data is still subject to US laws. So the laws that apply to the data come from both the physical location and where the company is incorporated. In fact, US companies have tried to claim that European companies should be subject to US laws if they have any US-based employees—just a single salesperson, for example.

If you provide services to others, Greve said, you will hear from the police at some point. You need to know what you will do when they come. Some countries request more data than others, which will determine the frequency of the requests.

In some countries, requests for data will come with a court order that is based on other evidence. That process may be fully transparent and documented. In addition, there may be no other way for the authorities to request data that does not require going in front of a judge and leaving a paper trail that others can review. There are "very few countries where that is the case", he said.

Most of us live in countries where the police do more harm than good, Greve said; that led to an undercurrent of disagreement from the audience. He shrugged that off and continued. It is also important to recognize that you can treat the police as an adversary, but if that happens, they may reciprocate.

Once you have a place to locate your servers, with reasonable laws, and you know what you will do when the police come knocking, there are still some things to think about. Perhaps you will have the money to build a data center, but most don't, which means using an existing data center. The ownership of that data center makes a difference as well; make sure it is fully owned by citizens of the country where it is located. Otherwise, you may be adding another legal system into the mix.

Once you have chosen a data center, you can have them "slap a server into a rack" for you, but that means they can put their hands on the hardware. That, in turn, means they can access the server. An even worse choice would be to rent a virtual machine (VM). There are attacks against hypervisors that might allow other guest VMs to access your data.

The right way to go about it is to own the hardware and place it into a cage with keys that are only in your people's hands. That way, no one can (easily) access the systems. The server room and data center facility should be under 24-hour surveillance as well.

Software and security

There is no such thing as trusted software, Greve said, because all software has bugs and nothing is 100% foolproof. A silver lining from the recent discussions about government spying is that it has shown that there is no reason to trust closed-source code. Open source doesn't mean that you can trust it, but at least there is the option of examining it for flaws.

Using open-source code as far down as you can go—unfortunately only as far as the firmware these days—is important as it builds trust in the system. Choose the open-source software that you are most comfortable with, he said, and be transparent about what you are running.

Operations staff, or "the guy with the root shell", fill a vital role. You need to choose that staff carefully and make them aware of the trust being placed in them. In some countries, there are laws that make it a crime to look at data without authorization. But there is no really good answer to the problem of malicious system administrators, he said.

Users will access their data from browsers, which brings in "a whole host of other issues". There are no secure browsers today, which is a problem. In fact, browsers are more about being a software recipient than they are about rendering web pages. "The human equivalent is a junkie that rams every needle you give them into their arm", Greve said.

There are various applications that advertise that data is encrypted in the browser, but that is hardly reassuring. The code to do so comes from elsewhere and can be updated at any time. That update could contain a keylogger, for example.

When using an online service, there is always a payment of some kind. It is not cheap to run servers, so providers of gratis services bury onerous provisions in their terms of service (ToS). Those are not negotiated between the parties and are typically one-sided. They are also quite important, but often not read. He recommended the ToS;DR site that rates the ToS of various services.

If you are hosting data, it is not a matter of whether you will have a security problem, he said: you will. How you react to and handle it are what makes the difference. Defense in depth is important, as you don't want a single server that contains everything needed to compromise the rest of the system. The analogy of a castle is a good one but, like castles, undefended and unwatched systems fall easily.

MyKolab

These questions came up in the context of setting up a service for hosted instances of the Kolab open-source communication and collaboration tool (email, calendar, file sharing, etc.). The MyKolab.com service is hosted in Switzerland, which has favorable laws (including requiring court orders for data requests and criminalizing unauthorized data access). In fact, one can download a spreadsheet (unfortunately in Excel format, he said with a laugh) that details all of the police requests for data in Switzerland.

MyKolab started as something of a demonstration at FOSDEM in 2013, but turned out to be quite popular. Then the Snowden disclosures started, which made it even more important to set the service up correctly. Kolab Systems owns the hardware and runs all open-source software. MyKolab has an "A" rating (very good) from ToS;DR and a FAQ that describes the privacy and security features of the site and the laws that govern it.

The Q&A session after the talk was rather lively, with many people interested in exploring the defenses against governments for a service like MyKolab. Greve noted that when he leaves Swiss soil, his passwords are disabled so that he can disclose them to countries that compel password disclosure (e.g. the UK), but they can't be used to access any of Kolab's systems.

In order for a foreign government to request data from the MyKolab systems, it needs to go through the Swiss courts; the decision and supporting documentation can then be reviewed by others. In addition, the offense alleged must be a crime in Switzerland.

Some also wondered about the Swiss suddenly changing their laws, but Greve seemed relatively unconcerned about that. "The Swiss are known for many things, but not quick decisions", he said with a chuckle. That brings a lot of stability, but does have some downsides. In any case, he believes they would have lots of warning that the laws were changing and would have enough time to make other arrangements if needed.

[ I would like to thank the Linux Foundation for travel assistance to Düsseldorf for LinuxCon Europe. ]


Index entries for this article: Security/Cloud; Security/Privacy; Conference/LinuxCon Europe/2014