Potato Salad
Oct 23, 2014

nobody cares


Kesper North posted:

I suspect GDPR enforcement wrt O365 is going to look something like this:

1. MSFT violates GDPR
2. EU levies a nominal-by-Microsoft-standards fine
3. MSFT prices the fine into their business model
4. goto 1

Aren't the fines like 5-10% of global take, in order to prevent entities from treating it like a toll?

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Kesper North posted:

I suspect GDPR enforcement wrt O365 is going to look something like this:

1. MSFT violates GDPR
2. EU levies a nominal-by-Microsoft-standards fine
3. MSFT prices the fine into their business model
4. goto 1

It's not MSFT who'll be punished first, it's that the CJEU and/or EDPB will declare that the latest agreement is incompatible with EU-GDPR and strike down the framework, *again*, making data transfers of protected data to the USA illegal as they will not be subject to an adequacy decision. This includes someone in the USA having access to data stored in the EU, much like ITAR covers letting a Chinese national view data in the US as "exporting" it.

As pointed out, the Commission signed the adequacy decision over the objections of the EU Parliament:

quote:

Although not binding on the European Commission, on 11 May 2023 the European Parliament voted in favour of a resolution calling on the Commission to renegotiate the Framework and not to adopt an adequacy finding on the basis that "the EU–U.S. Data Privacy Framework fails to create essential equivalence in the level of protection".

Politicians pretend US law is okay, the EU courts actually look at it and go "no it isn't".

As I pointed out, the EDPB has banned the use of M365 by EU bodies already this year. That's from a court case filed in 2021. In a year or so, maybe 2, a decision is going to come down about the adequacy of the latest Data Privacy Framework and while it's a risky business predicting legal decisions, I'm betting as a risk and compliance guy that the adequacy decision goes down in flames.

Once that happens, any data owner in the EU using Azure as a data processor for protected data is open to be sued by any data subject for significant chunks of their global revenue.


quote:

Liability for damages
The GDPR also gives individuals the right to compensation of any material and/or non-material damages resulting from an infringement of the GDPR. In certain cases, not-for-profit bodies can bring representative action on behalf of individuals. This opens the door for mass claims in cases of large-scale infringements.

Also:

quote:

Data controllers and processors face administrative fines of

the higher of €10 million or 2% of annual global turnover for infringements of articles:
8 (conditions for children’s consent),
11 (processing that doesn’t require identification),
25-39 (general obligations of processors and controllers),
42 (certification), and
43 (certification bodies)

the higher of €20 million or 4% of annual global turnover for infringements of articles:
5 (data processing principles),
6 (lawful bases for processing),
7 (conditions for consent),
9 (processing of special categories of data),
12-22 (data subjects’ rights), and
44-49 (data transfers to third countries).



Rust Martialis fucked around with this message at 07:29 on Apr 13, 2024

spankmeister
Jun 15, 2008
I think EU privacy and antitrust laws are some of the best things the EU has done. Yea, they're clunky but they work and are by no means a paper tiger or just some "tax" that companies can just pay. The fines really can be significant. And time and time again EU law has proven to be effective in changing tech giants behavior, for example forcing apple to adopt USB-C on their phones and tablets and more recently having to allow alternative browser engines instead of just reskinning safari.

So it makes total sense that the "privacy shield" was struck down in court. After all it just papered over US legislation to make people feel warm and fuzzy but could never supersede US law.

The problem is though that in the cloud computing, hosted apps or social media platform space there is nothing in Europe itself that can compete. Banning O365 places EU companies at a great disadvantage because any alternative will be more expensive, inferior, or probably both.

We need EU cloud services that can compete. And I don't see that happening any time soon. The energy costs alone make it uncompetitive.

Bald Stalin
Jul 11, 2004

Our posts
Yanis Varoufakis deep dives a lot of what you're talking about spankmeister. He wrote a book (on Spotify if you have premium and don't wanna pay more) called Technofeudalism. He's hyperbolic about how it's a new era separate from Capitalism, but he goes into great detail about US Capital dominating the tech space, Europe failing to compete resulting in what you're alluding to, and China building its own separate tech (the great firewall wasn't just about censoring Chinese people googling Tiananmen Square). Now companies like MS are able to extract rent in whole new ways, amongst other things.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

spankmeister posted:

I think EU privacy and antitrust laws are some of the best things the EU has done. Yea, they're clunky but they work and are by no means a paper tiger or just some "tax" that companies can just pay. The fines really can be significant. And time and time again EU law has proven to be effective in changing tech giants behavior, for example forcing apple to adopt USB-C on their phones and tablets and more recently having to allow alternative browser engines instead of just reskinning safari.

So it makes total sense that the "privacy shield" was struck down in court. After all it just papered over US legislation to make people feel warm and fuzzy but could never supersede US law.

The problem is though that in the cloud computing, hosted apps or social media platform space there is nothing in Europe itself that can compete. Banning O365 places EU companies at a great disadvantage because any alternative will be more expensive, inferior, or probably both.

We need EU cloud services that can compete. And I don't see that happening any time soon. The energy costs alone make it uncompetitive.

I have basically assumed that MS is incapable of building a truly EU-only Azure or just M365 stack because they rely on teams and sub-processors around the entire planet since they did all their development based on the unstated premise that US law was universal.

We have a customer who was incensed we used Cisco AMP on their systems because it has a cloud console and therefore their desktop users IPaddr were stored by Cisco in the cloud. This customer uses O365 internally so stores massive amounts of their own customers' personal and financial data in Azure. Our lawyers specifically called their lawyers out on this as hypocrisy.

Rust Martialis fucked around with this message at 08:07 on Apr 13, 2024

BonHair
Apr 28, 2007

Rust Martialis posted:

I have basically assumed that MS is incapable of building a truly EU-only Azure or just M365 stack because they rely on teams and sub-processors around the entire planet since they did all their development based on the unstated premise that US law was universal.

It's not just the subprocessors, it's very much about ownership. The short version is that as long as Microsoft owns the EU only environment, the US can compel Microsoft to hand over data to the NSA. So either it's an actual independent company, in which case it's not connected to Microsoft and doesn't benefit them, or it's a part of Microsoft and thus incompatible with GDPR. As I see it, there's no way for Microsoft to balance it right, but I'm sure they'll try.

I still believe that GDPR was written by people who knew how loving wild it was, but passed the political layer without anyone noticing. And they're rolling out NIS2 for critical infrastructure (including subprocessors) and DORA for banking, it's gonna be fun to see the fallout of those too.

Kesper North
Nov 3, 2011

EMERGENCY POWER TO PARTY
i just passed the cissp exam :toot:

Internet Explorer
Jun 1, 2005
Hey, that's awesome! Congrats!

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Nice, you got in just before the new one. I’ve got a boot camp for it next week, curious to see how it goes.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Kesper North posted:

i just passed the cissp exam :toot:

I actually thought, hey I've known you for years and we worked together, I can vouch, then shook my head and thought "Corps Diplo and Eve probably doesn't count, idiot".

Congrats from CISSP #23xxx

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
FYI - for those using PuTTY for code signing, etc. I don't think the SSH attack is particularly bad for most people?

https://nvd.nist.gov/vuln/detail/CVE-2024-31497

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
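The advisory above only concerns ECDSA keys on NIST P-521 and PuTTY builds from 0.68 up to but not including 0.81. This is an added example (not from the post, the NVD entry, or the PuTTY project) that a defender could run over an `authorized_keys` or `allowed_signers` file to find keys that need rotating: it decodes the RFC 4253 wire-format blob rather than trusting the leading type label, and checks a PuTTY version string against the affected range. The sample key lines are constructed with placeholder curve points, not real keys.

```python
"""Find SSH keys exposed by the PuTTY P-521 nonce bias (CVE-2024-31497).

Added example, not PuTTY's own code. Only "ecdsa-sha2-nistp521" keys are
affected, so the scan parses each key blob and flags that type only.
"""
import base64
import struct

VULN_FIRST = (0, 68)  # first affected PuTTY release, per the advisory
FIXED = (0, 81)       # first fixed PuTTY release


def _read_string(blob: bytes, off: int):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_pubkey_line(line: str) -> dict:
    """Parse one '<type> <base64> [comment]' line into its wire-format fields."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    label, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    info = {"label": label, "type": wire_type.decode(), "curve": "",
            "comment": " ".join(parts[2:])}
    # The blob is authoritative; a mismatched label is a malformed line.
    if info["type"] != label:
        raise ValueError(f"label {label!r} does not match blob type {info['type']!r}")
    if info["type"].startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)  # second field names the curve
        info["curve"] = curve.decode()
    return info


def is_at_risk(line: str) -> bool:
    """True only for ECDSA keys whose blob says the curve is nistp521."""
    info = parse_pubkey_line(line)
    return info["type"] == "ecdsa-sha2-nistp521" and info["curve"] == "nistp521"


def scan_keys(text: str) -> list:
    """Return the comments of all at-risk keys in an authorized_keys-style text."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if is_at_risk(line):
            hits.append(parse_pubkey_line(line)["comment"])
    return hits


def putty_version_vulnerable(version: str) -> bool:
    """Compare a 'major.minor' PuTTY version string against the affected range."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return VULN_FIRST <= (major, minor) < FIXED


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_sample_line(key_type: str, curve: str, comment: str) -> str:
    """Build a constructed key line with a placeholder point (NOT a real key)."""
    fields = [_ssh_string(key_type.encode())]
    if curve:
        fields.append(_ssh_string(curve.encode()))
        fields.append(_ssh_string(b"\x04" + b"\x00" * 132))  # placeholder Q
    else:
        fields.append(_ssh_string(b"\x00" * 32))  # placeholder ed25519 key
    return f"{key_type} {base64.b64encode(b''.join(fields)).decode()} {comment}"


# Constructed sample file: one key of each type, only the P-521 one is at risk.
SAMPLE_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    make_sample_line("ecdsa-sha2-nistp521", "nistp521", "ci-signer@example"),
    make_sample_line("ecdsa-sha2-nistp256", "nistp256", "laptop@example"),
    make_sample_line("ssh-ed25519", "", "yubikey@example"),
])
```

Keys the scan flags should be treated as compromised wherever they signed anything a third party could see (public Git commits, untrusted servers), not merely rotated after upgrading the client.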

Kesper North
Nov 3, 2011

EMERGENCY POWER TO PARTY

Internet Explorer posted:

Hey, that's awesome! Congrats!

rafikki posted:

Nice, you got in just before the new one. I’ve got a boot camp for it next week, curious to see how it goes.

Thank you so much! I am still in a bit of shock. I'm usually very bad at tests and did not expect to pass the first time. I owe a lot to the Destination CISSP book and practice quiz app for both a refresher on stuff outside my primary lanes, and teaching me how to recognize the exam's approach to phrasing questions in twisty ways that test your understanding.

My understanding is the new test is not very different, but I haven't looked at it in detail yet, because that is very much a tomorrow problem at this moment in time :v:

Rust Martialis posted:

I actually thought, hey I've known you for years and we worked together, I can vouch, then shook my head and thought "Corps Diplo and Eve probably doesn't count, idiot".

Congrats from CISSP #23xxx

Haha, I appreciate the thought, dude! I'm all set for endorsements though.

(I spent my entire second interview explaining GRC through the lens of writing policy for GENTS and Corps Diplo, I poo poo you not)

Kesper North fucked around with this message at 10:25 on Apr 16, 2024

evil_bunnY
Apr 2, 2003

Kesper North posted:

3. MSFT prices the fine into their business model
That's not how GDPR fines work.

Diva Cupcake
Aug 15, 2005

Good article.
https://twitter.com/ericgeller/status/1779858961581138187

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

evil_bunnY posted:

That's not how GDPR fines work.

I’m not sure what you mean here. “GDPR fines” are often a percentage of global revenue, meaning that Microsoft would have to price a ~5% increase of global revenue into things to make it work out, just like pricing in any other fines, no? A matter of degree and plausibility, but not really of kind.

Thanks Ants
May 21, 2004

#essereFerrari


I assume the biggest "holy poo poo this could be bad" element of Microsoft's security is the amount of outsourcing of support they do, while I've not looked too hard I also have no idea how they restrict access.

evil_bunnY
Apr 2, 2003

Subjunctive posted:

I’m not sure what you mean here. “GDPR fines” are often a percentage of global revenue, meaning that Microsoft would have to price a ~5% increase of global revenue into things to make it work out, just like pricing in any other fines, no? A matter of degree and plausibility, but not really of kind.
Imposing a 4%-of-global-rev surcharge to O365 customers would "only" be a ~20% increase, but if we're at that stage they're prob also getting hit with a cloud service fine(s). And crucially, I don't think the eurocrats will watch them price it in without retaliation.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I don’t know what provisions the GDPR has for escalating fines or other penalties, tbh, but it would be great if they had realized that they needed an option for when the fines weren’t sufficiently deterring.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Subjunctive posted:

I don’t know what provisions the GDPR has for escalating fines or other penalties, tbh, but it would be great if they had realized that they needed an option for when the fines weren’t sufficiently deterring.

Microsoft's revenue in 2023 seems to have been $227B so the max GDPR fine per offense would be up to $9 billion USD.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Kesper North posted:

I suspect GDPR enforcement wrt O365 is going to look something like this:

1. MSFT violates GDPR
2. EU levies a nominal-by-Microsoft-standards fine
3. MSFT prices the fine into their business model
4. goto 1

It's more likely MSFT will do what Google and Amazon are doing and split off their EU datacenters to specific regions to comply with GDPR, as well as offer 'self-hosted' cloud setups.

BonHair
Apr 28, 2007

CommieGIR posted:

It's more likely MSFT will do what Google and Amazon are doing and split off their EU datacenters to specific regions to comply with GDPR, as well as offer 'self-hosted' cloud setups.

That still doesn't work because it's owned by Americans who can be compelled to hand over data by the patriot act.

But Microsoft's revenue isn't relevant, they're not really doing anything illegal themselves*, it's their customers who are noncompliant by letting an American company handle their data.

*Microsoft obviously has their own data that they are processing illegally, but that's relatively minor. Also I'm sure they're generally scummy around the world.

Allegedly, obviously.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

BonHair posted:

That still doesn't work because it's owned by Americans who can be compelled to hand over data by the patriot act.

But Microsoft's revenue isn't relevant, they're not really doing anything illegal themselves*, it's their customers who are noncompliant by letting an American company handle their data.

*Microsoft obviously has their own data that they are processing illegally, but that's relatively minor. Also I'm sure they're generally scummy around the world.

Allegedly, obviously.

Not really, because the same has already been argued against AWS and Google, that's why they are separate tenants controlled by separate orgs.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BonHair posted:

That still doesn't work because it's owned by Americans who can be compelled to hand over data by the patriot act.

So if a European publicly-traded company has its stock gradually bought up by different American investors, it could stop being a safe place for GDPR stuff? This is wild.

BonHair
Apr 28, 2007

To be clear, I'm not really an expert, and I don't think the separate organisation trick has been tried legally. The whole thing is still finding its place legally with various cases, and I'm sure Amazon, Google and Microsoft are throwing in a few lawyers to argue their point.
Currently in Denmark we have a case going against municipal schools using Chromebooks. If everyone agreed that Google splitting off their data center was enough, that would not be an issue. But the data protection agency has basically said that it is indeed an issue that needs to be fixed.

Edit: I'm absolutely not sure how stock ownership actually works in regards to either GDPR or patriot act, but I think that at least the single majority shareholder construction (either at a corporation or physical person) would be problematic.

BonHair fucked around with this message at 20:33 on Apr 16, 2024

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Google splitting off their cloud service data centers for customers to use would definitely not be enough to make Chromebooks clean. Google’s own services would be very hard to isolate to European data centers. A whole new borg universe with its own spanner, the transitive closure of all the auth/update/telemetry/etc services that the Chromebooks need, etc.

O365 would also be hard to replicate in an isolated way; we saw some of how tangled just Microsoft’s auth system is via the recent CSRB report.

The retail cloud services are much easier to isolate, as far as I understand it, at least from a technical perspective.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Subjunctive posted:

So if a European publicly-traded company has its stock gradually bought up by different American investors, it could stop being a safe place for GDPR stuff? This is wild.

The issue is transfer of data outside the EU, to any jurisdiction that isn't covered by an Adequacy Decision - basically a statement from the EU that the country in question has protection of data equivalent to the EU. Rule of law stuff - can you go to court and sue for breaches.

Canada (under PIPEDA) has an adequacy decision - you can export at least some EU personal data to Canada for processing. The USA is not covered by an adequacy decision, mostly because of the Patriot Act and national security letters. If someone in the USA has access to your data in cleartext, the government can get it without meaningful due process or recourse by the data subject.

Azure is delivered by various Microsoft units scattered globally. Some of these staff have the ability to access your data, and some of these are in the USA. If you read Microsoft's Privacy Statement, they will never promise you your data can't be accessed from the USA, just that they pinkie swear they comply with whatever the current agreement is that is in the process of being struck down by European courts because regulations and executive orders aren't laws.

Investors aren't the issue. If your company HQ is in Des Moines, though, that's an issue if you can order someone to grab a copy of my data sitting in your Dublin datacenter and hand that to the FBI.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Subjunctive posted:

So if a European publicly-traded company has its stock gradually bought up by different American investors, it could stop being a safe place for GDPR stuff? This is wild.

Theoretically any company in the EU whose ownership structure could result in leadership being compelled to turn over data to US authorities would be suspect.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Rust Martialis posted:

Canada (under PIPEDA) has an adequacy decision - you can export at least some EU personal data to Canada for processing. The USA is not covered by an adequacy decision, mostly because of the Patriot Act and national security letters. If someone in the USA has access to your data in cleartext, the government can get it without meaningful due process or recourse by the data subject.

It can go into Canada if it never touches anything that a US person has rights to, I assume. So it can’t go to Canada in Google’s Montreal DC. Needs to be in a data center that doesn’t admit US persons (or those who are employment-controlled by US persons).

quote:

Investors aren't the issue. If your company HQ is in Des Moines, though, that's an issue if you can order someone to grab a copy of my data sitting in your Dublin datacenter and hand that to the FBI.

But investors ultimately control the company (through board selection, which then selects the CEO). How can they not be relevant if the US gov’t can force a US entity (or entities) to do something? They could get a FISA judgment that makes Blackrock and Vanguard force their board members to force the CEO.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
i am simply shocked that the EU regulating what they can’t build results in outcomes that are both technically and politically impossible. At a certain point, compliance simply isn’t going to be worth it for market access to a region that’s 15% of world GDP and declining (exhibit A: threads)


Not to say that the EU hasn’t produced good outcomes, Margrethe Vestager is rad and I love my USB-C iPhone. But this is simply a bad ruling and not one that I expect to stand if the results are “the EU can’t use American technology products”.

The Iron Rose fucked around with this message at 22:53 on Apr 16, 2024

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

if the data is only resident in Europe, and can only be accessed in plaintext by EU nationals because of ~controls~, then I don’t see why EU law wouldn’t trump instruction from a US owner. like the US owner could also tell the EU subsidiary’s employee to stab someone, but that would be illegal under EU law so we assume it won’t happen even if stabbing becomes legal in Missouri.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

and if that data’s in Canada, what’s to keep CSIS from using their ex parte surveillance warrants to get access to the data—and give it to the US? I’m genuinely amazed that Canada is considered safe while the US isn’t, given that we have the same privacy-overriding intelligence agency loophole.

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


lol apparently disabling telemetry doesn’t mitigate that Palo exploit, they announced that by updating the original disclosure

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Subjunctive posted:

and if that data’s in Canada, what’s to keep CSIS from using their ex parte surveillance warrants to get access to the data—and give it to the US? I’m genuinely amazed that Canada is considered safe while the US isn’t, given that we have the same privacy-overriding intelligence agency loophole.

Also the vast majority of our traffic is routed through the US. I believe we only have two backbones that don't connect to some US datacentre somewhere.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

MustardFacial posted:

Also the vast majority of our traffic is routed through the US. I believe we only have two backbones that don't connect to some US datacentre somewhere.

Yeah, we host some cannabis-industry-related stores and their data needs (needed?) to be kept in Canada exclusively and what a pain to make sure of all that poo poo.

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc
Apparently Stuxnet 2 electric boogaloo is now being leveraged against Russian targets by Ukraine and called fuxnet

How long till that starts getting recycled?

Mustache Ride
Sep 11, 2001
Rust Martialis posted:

Only affects PAN-OS systems running GlobalProtect VPN software *with* telemetry enabled, running 10.2, 11.0 or 11.1.

Oh hey they updated the vuln disclosure

Palo Vuln posted:

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Mustache Ride posted:

Oh hey they updated the vuln disclosure

Lol

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Mustache Ride posted:

Oh hey they updated the vuln disclosure

I like that it’s a path traversal bug like we’re living in 1997.

Wibla
Feb 16, 2011

Cannon_Fodder posted:

Apparently Stuxnet 2 electric boogaloo is now being leveraged against Russian targets by Ukraine and called fuxnet

How long till that starts getting recycled?

Do you have a link to more info about this?

some kinda jackal
Feb 25, 2003

I'm thinking of dipping my toes more into the governance and audit side of this stupid industry. I feel like I'm in a bit of a career rut despite doing really well for myself, and I'm talking to my CISO to see where my skillset could be better leveraged. Not that I don't enjoy architecture, but I think the org is making some changes that could potentially diversify my responsibility beyond security focus, and I'm not really looking to become more of a generalist when IMO there are already SMEs here that deal with capacity and infrastructure way more comprehensively than myself. I'm always up for a challenge, but I'm not really up for a ninety degree career trajectory change in my 40s.



Kesper North posted:

i just passed the cissp exam :toot:

Congrats and sorry in advance, I don't think this thread counts toward a CPE :[
some kinda jackal fucked around with this message at 12:13 on Apr 17, 2024