[skylark]

Curious: Why would you trust a cloud service operating outside the US more than one operating within?

If you use Google, your data is basically guaranteed to be secure - the biggest vulnerability is search warrants from the US government.

If you use some provider in another country, the attack vector has to be way larger, right?

This is an honest question - people always talk about using their own servers or non-mainstream providers, but I don't see how they necessarily reduce your risk.

[mattmanser]

Why is the attack vector bigger?

Are you saying that everyone else outside the US is somehow incompetent? The 300 million in the US are super special and the other 6.7 billion people are stupid? Cause 'murica? For example all the countries in the EU, Canada, Australia, etc.

Or are you saying privacy laws in the rest of the world are somehow worse? For example, the EU has generally much better privacy safeguards and is generally known to be much more consumer friendly than the US.

[dahdum]

Google has the resources to secure their systems, the ability to defend against nation state attacks, and billions in revenue at risk for losing that trust. I know of no one that offers the same experience with anything close to the same protection, do you?

[tensor]

This very topic is about the fact that apparently Google doesn't have the ability to defend against nation state attacks. If you are not American, the US government being able to seize your data is very much a nation state attack.

[nickpsecurity]

"he ability to defend against nation state attacks"

I'm skeptical about that. They got seriously owned by one in the past with their proposed solution switching to Mac's and Linux distros. I don't recall if they acted on that but the fact that they thought it would stop nation-states says something. They certainly have more resources to stop, detect, or recover from black hats than the average user of their service.

[solipsism]

They got seriously owned by one in the past with their proposed solution switching to Mac's and Linux distros

Where are you getting your false news? You can't think Google's response to a nation state attack was to only switch to Macs and Linux.

Care to share what you're referring to?

[nickpsecurity]

It was in multiple sources like NYT and Business Insider that they initially blamed Microsoft with a switch planned. Looking it up again, Wired reports they didn't go that far: just gave employees options with extra information informing them about the pro's and con's of them.

https://www.wired.com/2012/05/google-and-windows/

Of course, this is almost equivalent to original claim given they think switching between operating systems will mean much against nation states with China levels of labor. Especially if it's an Ubuntu derivative. It takes a lot of different elements to deal with them which include strong protections on an endpoint designed with that in mind. Lots of configuration checking and monitoring too.

[puzzle]

Why do you talk about things you obviously know very little about and present them as the entire story? Reducing, not eliminating, the Windows footprint was just one of many, many initiatives. U2F security keys are one of the well known ones outside the company. Or hardening ChromeOS.

[fictioncircle]

A warrant is a form of nation state attack from a security perspective. They have also previously used DKIM keys in a way that makes them close to worthless. The NSA had some exploit strategy in place according to Snowden. Etc.

Sometimes being in the big pot is less safe than being in the small pot that is 95% as secure if only because the effort for breaching 95% vs. 100% is minor if you get 50x as much information.

[JumpCrisscross]

> Why would you trust a cloud service operating outside the US more than one operating within?

Because I'm an American in America. If you aren't in America's sphere of influence, the United States may be one of the best places to host your data. (No data retention laws; freedom of speech; working courts; et cetera.)

[jbmorgado]

Because some countries - namely in Europe - have much stronger personal data protection laws than the US. Switzerland for instance.

Also because the country where the data is stored, even if internally has personal data protection laws as lax as the USA, will in basically all cases have much bigger restrains about allowing a foreign government (namely the USA) to access that data.

Most people are preoccupied about what their own country's government or a big superpower's government can do with their data, not really what Norway's (another example) government can do with their data if they don't even live there.

[sfifs]

You would do on-prem and not cloud if your potential legal adversaries included the government because they would then have to come and take your emails from you with a warrant vs. being able to silently take it from cloud providers and compelling them to not inform you.

For any reasonably sized multinational, governments are potential legal adverseries.. and so they avoid keeping mail servers and financial transaction data in the cloud

[uiri]

they would then have to come and take your emails from you with a warrant vs. being able to silently take it from cloud providers and compelling them to not inform you.

What if they just insert a box upstream of your connection via your ISP?

[fictioncircle]

It doesn't collect emails routed within the LAN/VPN. You can secure same domain email address communication to prevent such mitm.

[burrows]

Weigh the cost of corporate controlled robots peeking at your emails against the increased probability of extra-corporate attackers pilfering your data.

[nickpsecurity]

"If you use some provider in another country, the attack vector has to be way larger, right?"

I think Nexor, Thales, Fox-IT, Sirrix, Data61, and recently ProtonMail might have something to say about such claims. Starting with better security architectures than most vendors in the space. Maybe throw in GPG-based things like Enigmail since Snowden leaks showed NSA worried about it so much.

[mtgx]

> If you use some provider in another country, the attack vector has to be way larger, right?

If you just mean "Google has more resources than most European services, so it's probably more secure", you have a point, but it's not entirely accurate, and that's because of how Google handles encryption. It prefers to keep the encryption keys to itself, so from that point of view it will always be more vulnerable than services that don't do that - small or large.

And if you meant "because the NSA wouldn't target Google, or it would just target those companies more" then I believe that's completely false. Google is absolutely a high priority target for the NSA. Any large company is, no matter where it is. We've learned that by now.

Also because Google actually did get completely owned by the NSA a few years ago:

https://www.theguardian.com/technology/2013/oct/30/google-re...

[linkregister]

The NSA can do way more than just sniffing some network links, please don't call that "completely owned."

According to the Snowden leaks, the NSA has done more comprehensive infiltrations, e.g. Belgacom, Petrobras, etc.

[rl3]

Sorry, but mass collection on inter-datacenter links operated by one of the largest technology companies on the planet should qualify as "completely owned", at least in spirit.

If you insist on using the technical definition, then I'd argue it's very possible that Google could be completely owned after all, in every sense of the term.

What Snowden leaked was essentially a glorified TS PowerPoint repository. Crown jewels such as partner company names didn't even make it into that level of access, and for good reason. If the NSA happened to be installing persistent implants on target systems belonging to Google's senior leadership, it'd be so compartmented you'd never hear about it.

In other words, we probably wouldn't know if Google was completely owned.

[moxious]

Guaranteed to be secure? Are you joking? Aside from the fact that nothing is guaranteed to be anything in the security world, if you go read the documents put out by Snowden there just no way you'd say that.

More like it is that there are any number of zero days floating around at all times many of which Google doesn't know, and the government itself is regularly taking data from these companies and then gagging them, and when that doesn't work, rooting them directly.

Outside countries are just as susceptible to hacking, but they can't be as easily made into gagged cooperators.

And google may have a lot of smart people but they have a collossal attack surface due to sheer size and product offerings. And they're made of humans. They run hackathons soliciting bugs and regularly find them. No one is perfect, definitely not google.

The overall security picture out there is grim, and it's very rational for people to control the risks they can and part of that is using outside of the US services