by diggan 589 days ago
> everything being stored in the cloud somewhere

Sounds like it would make it easier for law enforcement. They no longer need a warrant against/for the company they're investigating, just the place where their data is stored. Get the warrant, raid the place and grab the drives, then continue the investigation. Done the right way, the company under investigation wouldn't even notice it.

Grab the drives from the cloud?

Isn't most data in the cloud heavily distributed and broken into shards across many racks and drives and such? And encrypted, so it is useless outside of the custom block storage system employed by the cloud provider?

They would need to decrypt and assemble the shards to get usable data out.

I have no clue how they would even know which drives out of the tens of thousands to grab, and they would also have other customers' data on them.

They'll just get a warrant to search the live system as it is powered on rather than take a cold drive.

https://leb.fbi.gov/articles/featured-articles/executing-sea...

Or in China, just take the entire data center. https://www.theregister.com/2018/01/11/icloud_china_goes_to_...

It's simple, just grab all of S3.

The data is stored on a server in another country where the warrant isn’t worth the paper it’s printed on. Now what?

That is why countries are increasingly demanding (and mandating) those data (of citizens and business done there or that involves that nation or its citizens) to be stored inside their borders.

That's why I wonder if these raids are really more for show, can't they do this pretty much already?

Completely for show since they even make press releases about it.

And it's sad to see the atrocious quality of the BBC article. Even high school students learn that a journalistic piece should make sure it touches the Five Ws of good journalism...

https://en.wikipedia.org/wiki/Five_Ws

The Hollywood Reporter has much better quality reporting including context: https://www.hollywoodreporter.com/business/business-news/net...

First the data is stored in another country. Second are they really going to raid and take the drives at an AWS data center that has other customer’s information? How will they know which drive to take?

>First the data is stored in another country.

Plus you can engage in some jurisdiction arbitrage where all the documents pertaining to country A are stored in country B, and all the documents pertaining to country B are stored in country A.

> Second are they really going to raid and take the drives at an AWS data center that has other customer’s information?

You can also ask AWS to produce the files/documents for you.

And those files are hopefully encrypted at rest and probably using a customer managed key…

>using a customer managed key…

Not an AWS expert but how does that even work? Does AWS connect to your HSM remotely? Or is it a cloud HSM that's also hosted by AWS?

(Source: I am a current high level employee at a third party AWS consulting company and former employee at AWS working in the Professional Services department)

I actually was imprecise with my wording.

A customer managed KMS key is any key that you make instead of using an AWS provided key. AWS still has the means to theoretically decrypt the data.

I am actually referring to a customer managed KMS key where you import your own key material

https://docs.aws.amazon.com/kms/latest/developerguide/import...

There is also CloudHSM

https://aws.amazon.com/cloudhsm/faqs/#:~:text=AWS%20CloudHSM....

I don’t know how far “AWS doesn’t have access to your keys” goes when it comes to a government subpoena.

I do know that if anyone accesses anything on your account from AWS, all sorts of internal alarm bells go off at AWS and it would still show up in your CloudTrail logs.

I’m sure there is something that allows internal AWS employees to access your account in unauthorized ways. But I never heard about it in 3.5 years working there in the Professional Services department.

Data stored in another country: are there reciprocal prosecution agreements with that country?

Raiding AWS: call Amazon, provide subpoena, Amazon can either give access to the account or provide copies of data. This would only allow access to non-customer encrypted data.

I played with encryption schemes and obfuscation pretty heavily for a long time, but at the end of the day companies operate within the legal frameworks of the countries they reside in. If you don’t cooperate, you could end up in jail anyway.

I think the conclusion I’ve come to is that you have to play by the rules. If you don’t like them, is it really worth falling on the sword for a corporate entity?