On his way out, Trump emits exec order suggesting US cloud giants must verify ID of all foreign customers

On Tuesday, during his last full day as US President, Donald Trump issued an executive order seeking to curtail cyber attacks by directing the government to come up with rules requiring cloud service providers to better identify foreign customers. It now falls to the incoming Biden administration to implement the order, which …

  1. David Roberts

    Was it Trump?

    Sounds vaguely sensible so perhaps someone else drafting it.

    Punting a good idea at the last moment to claim kudos seems trivial in the great scheme of things though.

    As noted, the devil is in the implementation detail.

    1. doublelayer Silver badge

      Re: Was it Trump?

      I'm afraid it doesn't sound sensible, or rather it does for the first thirty seconds, sounds pointless for the next two minutes, and then starts to sound concerning.

      The first thirty seconds: people use this stuff to commit crimes, so why not identify who they are so it's easier to track them?

      00:30-02:30: How is this going to help with anything? The order calls for U.S. providers to audit non-U.S. users. All an attacker has to do is to use a non-U.S. provider and they escape it. Or pretend to be a U.S. person and evade the required tracking. What happens if they use a U.S. provider's non-U.S. infrastructure? And how often do they tell the truth anyway; the really dangerous people will be able to lie through this system.

      The rest: They want to require everyone purchasing IaaS services to create a government-auditable log of having done so. While the size of the group who will at some point do this is small, they want to be able to quickly get a full identity attached to any system. This sounds like a privacy nightmare, and rather like those governments who used to require licenses be purchased to own computers, phones, or televisions. While it might help with investigations, it seems more likely to increase the size of the NSA's database on everyone and to be a juicy target for people looking for valuable identifying information.

      1. Flat Phillip

        Re: Was it Trump?

        Doesn't even need a fake US ID, any country's will do.

        "This looks like a legitimate Elbonian drivers license so you're all good to go on our cloud, Amanda Hugankiss"

        The real worry is yes, another database to track people with. Also, depending on how small they go with the order, how good is the provider's security for that data?

        1. katrinab Silver badge

          Re: Was it Trump?

          Exactly. And a foreign fake ID doesn't need to be even remotely similar to the real thing, as they probably won't know what they were looking for.

          If I were to design a fake Scottish driver's licence, would the average American be aware that Scotland doesn't issue its own driver's licences, but Northern Ireland does?

          1. John Jennings

            Re: Was it Trump?

            Northern Ireland driving licences are the same as UK ones now. They say the same stuff, and are issued from Cardiff like the rest of the UK. Coleraine issuing closed down about 8 years ago - even then, they were printed from the same place.

            Indeed, I think all the EU had the same DL format - only the colour could vary, though they all had to be pastel shades....

            1. Peter Gathercole Silver badge

              Re: Was it Trump?

              Swansea. They're issued from Swansea.

            2. Anonymous Coward

              Re: Was it Trump?

              "Indeed, I think all the EU had the same DL format..."

              A point lost on the Garda some years back when they were chasing Prawo Jazdy, Ireland's worst driver.

          2. Persona

            Re: Was it Trump?

            would the average American be aware

            The "average" American would not be aware that Scotland and NI are parts of the UK. However the US cloud giants know exactly who you are and probably what you had for breakfast, and certainly who you had breakfast with, all without you having to submit any additional evidence.

            1. Barking mad

              Re: Was it Trump?

              "The "average" American would not be aware that Scotland and NI are parts of the UK"

              There was talk of Trump flying to Scotland the day before the election. The reason why is that Scotland is not on the list of countries that have an extradition treaty with the US.

          3. Barrie Shepherd

            Re: Was it Trump?

            As I understand it some US non governmental organisations already have authority to access the DVLA database (for a fee no doubt) in Swansea to confirm ID - that is why the likes of AirBnB etc require you to send 'clear machine readable' photos of you with your driving license to validate an account.

            How our government came to allow this is beyond me while we were in the EU, now 'free' of EU regulation I guess we can expect far more of this data base access fee collecting.

          4. Mike 16

            Fake Scottish driver's licence

            More than a bit off-topic, but a college friend (and photographer for the school newspaper) made a fake license (California, late 1960s) for the usual purpose of obtaining alcohol. He did three things that enhanced my appreciation for him.

            1) Created a Rhode Island license (unlikely to be familiar to a CA officer, or barkeep).

            2) Carefully selected a section of a half-tone photo to match the "tamper-proof" background on some typed fields when the background and typed info was shrunk to the correct size.

            3) Made the birth date such that the coming Saturday would be his "21st birthday", so he could not only drink "legally", but gratis.

      2. hoola Silver badge

        Re: Was it Trump?

        This is exactly the same mentality that enabled the US to fingerprint anyone who has the misfortune to use one of their airports, even if you only change flights, international to international.

        They will simply use it to add to their ever-growing databases of information they continue to harvest, some legitimately, some not.

        In many respects the US agencies are no better than Facebook et al. At least all tech giants make no secret of the fact that they do it. You still don't know what they collect and how it is used.

        1. Anonymous Coward

          Re: US Tech Giants

          I got this just today.

          >>>> I’m sure we’re not quite there yet, but it’ll not be long…!

          >>>>

          >>>>> 

          >>>>>> CALLER:

          >>>>>> Is this Gordon's Pizza?

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> No sir, it's Google Pizza.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> I must have dialed a wrong number. Sorry.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> No sir, Google bought Gordon's Pizza last month.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> OK. I would like to order a pizza.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> Do you want your usual, sir?

          >>>>>>

          >>>>>> CALLER:

          >>>>>> My usual? You know me?

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> According to our caller ID data sheet, the last 12 times you called you ordered an extra-large pizza with three cheeses, sausage, pepperoni, mushrooms and meatballs on a thick crust.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> OK! That's what I want ...

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> May I suggest that this time you order a pizza with ricotta, arugula, sun-dried tomatoes and olives on a whole wheat gluten-free thin crust?

          >>>>>>

          >>>>>> CALLER:

          >>>>>> What? I detest vegetable!

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> Your cholesterol is not good, sir.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> How the hell do you know!

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> Well, we cross-referenced your home phone number with your medical records. We have the result of your blood tests for the last 7 years.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> Okay, but I do not want your rotten vegetable pizza! I already take medication for my cholesterol.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> Excuse me sir, but you have not taken your medication regularly. According to our database, you purchased only a box of 30 cholesterol tablets once, at Drug RX Network, 4 months ago.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> I bought more from another drugstore.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> That doesn't show on your credit card statement.

          >>>>>>

          >>>>>>

          >>>>>> CALLER:

          >>>>>> I paid in cash.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> But you did not withdraw enough cash according to your bank statement.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> I have other sources of cash.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> That doesn't show on your last tax return unless you bought them using an undeclared income source, which is against the law.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> WHAT THE HELL!

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> I'm sorry, sir, we use such information only with the sole intention of helping you.

          >>>>>>

          >>>>>> CALLER:

          >>>>>> Enough already! I'm sick to death of Google, Facebook, Twitter, WhatsApp and all the others. I'm going to an island without internet, cable TV, where there is no cell phone service and no one to watch me or spy on me.

          >>>>>>

          >>>>>> GOOGLE:

          >>>>>> I understand sir, but you need to renew your passport first. It expired 6 weeks ago…

          Scary that it is so close to the truth.

    2. Pascal Monett Silver badge

      Re: Was it Trump?

      Do you really think the OHSG actually drafted anything ?

      Ever ?

      Underlings are made for that.

    3. IGotOut Silver badge

      Re: Was it Trump?

      Good idea?

      So Google, Microsoft and Amazon have to verify all their customers?

      Well that's a few billion bits of id required for starters.

      And the answer I'd give if they asked for personal documents?

      Well the same as most I think.

      1. Aussie Doc

        Re: Was it Trump?

        "Need more info for ID purposes for your database?

        I refer you to the reply given in Arkell v Pressdram (1971)."

    4. Anonymous Coward

      Just cancel them on mass

      They should just blanket cancel all his executive orders made after 3rd November, and sack all his appointees made after that date.

      Before then, he at least pretended to be doing his job. After that date, it was all a revenge shit show. If you're going to have to scrape through that shit shoved through at the last minute, it shouldn't be in place while you're doing the scraping. Is any of it even legal? Does it have a legal basis to order private companies to do anything arbitrary without a basis in law?

      Cancel it all by default, then go through it to determine what was legal and thought through, there likely will be zero of them.

      He probably got pissed at all these people tweeting mean things at him and asked his people to dream up ways of attacking them.

      1. Blank Reg

        Re: Just cancel them on mass

        With over 300 days spent playing golf and 30,000+ lies, he did a pretty piss poor job of even pretending to be president.

        1. Steve Davies 3 Silver badge

          Re: 300 days spent playing golf

          And Trump was the one who slagged off Obama for spending 100 days in his second term for playing golf.

          Oh... how the mighty have fallen...

          Or is that just another bit of 'Fake News' (despite it being recorded but remember Mexico was going to pay for that Wall)?

      2. WonkoTheSane

        Re: Just cancel them on mass

        Biden has already done this:-

        "Presidential memorandum: Withdraw the Trump administration's regulatory process executive order to remove needless obstacles to regulating in the public's interest

        Issue a regulatory freeze to pause any new regulations from moving forward and give the Biden administration an opportunity to review any Trump administration regulations"

        1. quxinot

          Re: Just cancel them on mass

          Honestly, it'd be nice if they took the concept of executive order and hacked the balls off it. It's been used for very little that it's intended for in the past couple decades.

          Seems to me that the US government's system of checks and balances was originally installed with a good rationale, and all of the folks bypassing them need a good swat. Wouldn't hurt to see a good deal more 'balance' than 'power' in the old phrase.

          1. Nick Ryan Silver badge

            Re: Just cancel them on mass

            This is true, and would be a good thing.

            Also removing the appalling and disgusting farce that is presidential pardons - pretty much all Trump did with them in the last few weeks was to pardon a huge swathe of proven criminals that backed him.

  2. Number6

    That would probably destroy the business of most US hosting providers if offshore competition set up and didn't insist on such information. Nice idea in theory, falls flat on its face when you consider the follow-on effects.

    1. big_D Silver badge

      The US Government has done its best over the last 4 years to destroy big tech, outside the USA.

      With failing to implement its side of Privacy Shield, not revoking the Patriot Act, FISA courts or NSLs, plus adding the CLOUD Act into the mix, they have done their absolute best to destroy cloud computing.

      1. Graham 32
  3. Anonymous Coward

    Fact is…

    …the three European providers I'm familiar with do implement identity checks. Two of them have a requirement for official photo ID. One may under some circumstances also insist on verifying your location.

    I'm very anal when it comes to privacy but having discussed their policies with them on the phone I'm satisfied about their safeguards, and I understand their need to protect themselves and other users from abuse.

    I only use European providers for a host of reasons, mostly related to compliance, but also because of their technically capable customer service.

    1. CrazyOldCatMan Silver badge

      Re: Fact is…

      Two of them have a requirement for official photo ID

      Which is a pain if you don't have it.. (my drivers license is the old paper style with no photo card and my passport expired a couple of years ago..). Also my work pass doesn't mention who I work for (and could be mocked up in about 5 minutes by someone with access to a card printer).

      Which is why, if I have to prove who I am, I have to use utility bills. Which really, really don't prove who I am since I could easily print up something that looks vaguely correct on my nice laser printer upstairs.

  4. Ashto5

    Push to use UK providers

    In this post EU world we should be trying to get companies to move to UK cloud service providers

    Data should stay in the country

    1. Anonymous Coward

      Re: Push to use UK providers

      Aren't they already? Presumably keeping your data in the EU now breaks GB GDPR rules and vice versa?

      1. Lon24

        Re: Push to use UK providers

        When I last read the regulations - the UK ICO accepted EU GDPR for stuff held in the EU ('cos there is no alternative in the short term if you think about where some of the data required for your next paycheck might be stored). T'other way round was a bit more obscure. Mind you the last-minute agreement could have changed it - but has anybody (including our PM) read that?

        Ask any fisherperson.

        1. Anonymous Coward

          Re: Push to use UK providers

          Does appear that for the next 4-6 months that is the case.

          Hope everyone is thinking about what they might do if agreement isn't reached.

          Really if you are a UK based company I'd be surprised you'd want to store it in a third country (a country with the EU).

  5. khjohansen

    Corporate ownership??

    Can't you get around this by a shell company, nested if necessary (e.g. "traces back to a Cyprus bank and a Panama law firm")

  6. Anonymous Coward

    Moot

    Given that the preamble invokes powers available under a national emergency, and that there is no national emergency — an early Biden executive order terminated it, and so defunded the border wall — Trump's order would seem to be null and void.

  7. mark l 2 Silver badge

    Here in the UK there is still no official photo ID card. Sure there are photo driving licenses and passports. But if you don't drive and have no desire to travel internationally, does that mean you wouldn't be able to sign up to AWS or Azure if this rule did come in?

    As others have pointed out it would also be pretty trivial to fake an ID in Photoshop since the anti-counterfeiting technology on IDs usually only works when you can see the physical card, not a photo of the card. So unless you are going to give cloud providers access to all the world's passport, ID cards and driving license databases they will have no way of verifying if it's real, fake or even just a stolen ID card.

    1. Down not across

      As others have pointed out it would also be pretty trivial to fake an ID in Photoshop since the anti-counterfeiting technology on IDs usually only works when you can see the physical card, not a photo of the card.

      Obviously not the case in UK, but in EU many countries have biometric ID cards that are easily used for authentication (yes you need a card reader) as is done for many public sector online services.

      No, I'm not advocating it, just saying physical access to the card by the provider does not mean it can't be authenticated.

  8. naive

    IP reputation goes a long way

    No idea what purpose it serves. Providers know all too well that when their infra is used for massive spamming and port-scanning attacks, their IPs will top the Spam databases in no time.

    I once used an AWS instance to do a portscan for a paid security check, the same day I got several angry emails from them in which this had to be explained.

    1. Nick Ryan Silver badge

      Re: IP reputation goes a long way

      AWS are fine with legitimate scans as long as you inform them before doing them.

  9. Anonymous Coward

    Totally pointless, it will just mean such people use non US services which US law enforcement will have little or no control over.

    Easy enough to use fake or stolen ID if you must, most of those sort of actors already use stolen payment cards.

    Would have been better dictating that world+dog put measures in place to stop ip spoofing.

    1. Flywheel

      Realistically, how many non-US services do we have access to though?

      1. Anonymous Coward

        Plenty out there, I use about 20 odd cloud companies, only about a quarter are US based.

      2. Anonymous Coward

        I use UpCloud (Finland) servers situated in Germany and Netherlands, and manage them with RunCloud (Malaysia).

  10. JWLong

    Better Yet

    Make rules that state the software has to meet security standards protecting end users' data. This includes software that's free (Android) and paid for (Windows & IOS), along with servers.

    1. Nick Ryan Silver badge

      Re: Better Yet

      A nice idea however defining software compliance and validating compliance tends to then turn into a game of just complying regardless of common sense or rule validity and ignoring anything that isn't covered by the compliance checks.

  11. PeteA

    Missing the point?

    [IMO] this order isn't really about ID'ing "foreigners", though the language and implications of foreign malevolence will of course play to a certain demographic. The actual *aim* of it is to cut foreign resellers of IaaC out of the US market by making the cost of entry prohibitive. Typical misdirection in the pursuit of MORE MORE MORE in my personal (malleable-to-reason) view.

  12. DS999 Silver badge

    It won't be implemented right away

    If at all. Biden was reportedly going to issue an executive order to pause all "recent" (not sure what definition of that word was used) executive orders and administrative actions pending review by the new administration. Whether this survives, is modified, or is killed is up in the air until that happens.
