"Biden admin recently said it will require cloud providers to verify the identity of their users"

MannDude Host Rep, Veteran
edited March 2023 in General

From: https://www.politico.com/news/2023/03/10/white-house-cloud-overhaul-00086595

I won't quote the entire article, but some key points are:

Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry.

.

That risk is only growing, said Rob Knake, the deputy national cyber director for strategy and budget. Foreign hackers have become more adept at “spinning up and rapidly spinning down” new servers, he said — in effect, moving so quickly from one rented service to the next that new leads dry up for U.S. law enforcement faster than it can trace them down.

.

“In the United States, we don’t have a national regulator for cloud. We don’t have a Ministry of Communication. We don’t have anybody who would step up and say, ‘It’s our job to regulate cloud providers,’” said Knake, of the strategy and budget office. The cloud, he said, “needs to have a regulatory structure around it.”


What are your thoughts? Do you think this will have any impact on non-enterprise 'cloud providers' or do you think that things will be so loosely defined that all service providers (web hosting, VPS, dedicated, etc) will fall under the umbrella of this?

Thanked by 2JasonM harrison

Comments

  • MikeA Member, Patron Provider
    edited March 2023

    My guess is it'll only affect large enterprise providers who have international presence. But I don't think anything like this would ever pass, especially considering politicians don't know what "cloud" is.

  • It's mostly a bunch of wishful thinking on the part of Big Government and law enforcement for the moment, BUT we need to see what the reaction will be from the lobbyists funded by the big providers. They have been writing the script recently, so they will want to have a say in the wording of any potential legislation or executive orders. The appetite for regulatory structures (as opposed to self-regulation) has been growing from them in recent years, and I guarantee you they will use it to hurt mid-sized players if they can. Then watch for the reaction from freedom of speech advocates, and we'll get the battle lines drawn over this and what level of effort there will be for regulation during an election cycle.

  • crunchbits Member, Patron Provider, Top Host

    @MikeA said:
    My guess is it'll only affect large enterprise providers who have international presence. But I don't think anything like this would ever pass, especially considering politicians don't know what "cloud" is.

    I think you're probably right, the only thing that worries me is they don't know what "cloud" is and still somehow pass something absolutely terrible.

    @jlet88 said:
    It's mostly a bunch of wishful thinking on the part of Big Government and law enforcement for the moment, BUT we need to see what the reaction will be from the lobbyists funded by the big providers. They have been writing the script recently, so they will want to have a say in the wording of any potential legislation or executive orders. The appetite for regulatory structures (as opposed to self-regulation) has been growing from them in recent years, and I guarantee you they will use it to hurt mid-sized players if they can. Then watch for the reaction from freedom of speech advocates, and we'll get the battle lines drawn over this and what level of effort there will be for regulation during an election cycle.

    I do worry about it being used as a way to stamp out small/medium competition. Lobbyists using government regulations to close the door behind themselves once they're in is extremely common. Even something as simple as expensive and asinine compliance audits or already having their fingers in owning some ID-verification service and then shoving this through as a way to 'tax' the smaller entities.

    Thanked by 2OhJohn emgh
  • @crunchbits said:
    I do worry about it being used as a way to stamp out small/medium competition. Lobbyists using government regulations to close the door behind themselves once they're in is extremely common.

    Indeed. One of the ideas of many that I've seen floated by lobbyists in similar discussions is requiring an individual or team responsible for regulatory compliance and/or a compliance liaison/officer kind of role. That is chump change for a big provider, but very, very expensive for a smaller provider. These kinds of requirements are the dirty little tricks that lobbyists write into the scripts of these kinds of regulatory structures. It happens in every industry. There's a lot more than that, of course, but it's the kind of thing to look out for as you listen to speeches and testimony, etc...

    Thanked by 3MannDude OhJohn emgh
  • MannDude Host Rep, Veteran

    @jlet88 said:
    It's mostly a bunch of wishful thinking on the part of Big Government and law enforcement for the moment, BUT we need to see what the reaction will be from the lobbyists funded by the big providers. They have been writing the script recently, so they will want to have a say in the wording of any potential legislation or executive orders. The appetite for regulatory structures (as opposed to self-regulation) has been growing from them in recent years, and I guarantee you they will use it to hurt mid-sized players if they can. Then watch for the reaction from freedom of speech advocates, and we'll get the battle lines drawn over this and what level of effort there will be for regulation during an election cycle.

    The idea isn't new, it was proposed under the Trump admin and will be proposed under the next administration as well, regardless of party.

    Seems more like the "TSA Approach" to security. Instead of shifting focus where the problem is or diverting funds to strengthen our actual cyber security systems, they just do something that is invasive and annoying to most without having an impact on the actual problem. They're blaming foreign actors 'spinning up and spinning down' American servers to launch attacks and exploit weaknesses in infrastructure here, as if these could only be carried out currently on American servers which we all know is a silly idea. Just seems like they're using the current, "Russia is really bad" excuse to get to implement things that'd normally not have support. (Sort of like the post 9/11 changes in the name of National Security.)

    Probably require something like ID.ME. It's already in use on some Government sites, pretty sure it was on IRS.Gov that I had to do some ID.ME stuff. It's annoying. It feels invasive and incredibly uncomfortable when you're doing facial scans and stuff on your mobile device.

    Thanked by 1jlet88
  • @MannDude said:
    ...in the name of National Security...

    Yes, one of the most common justifications, right up there with a national (or better yet, global) health emergency. They just love to go back and forth between those two award-winning, gold medal, sure bet, triple-A justifications.

  • Francisco Top Host, Host Rep, Veteran
    edited March 2023

    @jlet88 said:

    @MannDude said:
    ...in the name of National Security...

    Yes, one of the most common justifications, right up there with a national (or better yet, global) health emergency. They just love to go back and forth between those two award-winning, gold medal, sure bet, triple-A justifications.

    You missed “to protect children”. A classic.

    Francisco

    Thanked by 2jlet88 emgh
  • Maounique Host Rep, Veteran

    KYC is nothing new. It is completely different from "know your random poster in your blog" or "know the random mailing you" or "you are responsible for what other people are doing".

    That being said, of course it is a failed approach, so much so that I think it is actually a pretext. Stopping hackers by knowing whom they have hacked? Seriously?

    inb4 you would go to jail for patching your VPS a few hours too late.

  • jar Patron Provider, Top Host, Veteran
    edited March 2023

    Oh I’m sure they’d leave a loophole in it, of course you’d have to grease the hole with the kind of money only the big clouds would have. Because what they’re really into, at the end of the day, is protecting the big corporations from competition while creatively phrasing it as a win for the people.

    Thanked by 2hostdare MannDude
  • @MikeA said:
    My guess is it'll only affect large enterprise providers who have international presence. But I don't think anything like this would ever pass, especially considering politicians don't know what "cloud" is.

    Isn't the fact that Congress doesn't know what "cloud" is precisely why it could pass?

    Thanked by 1MannDude
  • xaoc Member

    I'd rather they impose ssh keys and MFA.

  • I guess time to stop using one of the big US cloud providers and buy some Offshore Dedicated Servers and VPS

  • harrison Member
    edited March 2023

    There will be an incentive for privacy-focused businesses to leave the US. This means Freedom of Expression, which was one of the pillars of the foundation of the country, would become a joke.

    Carry on citizen, nothing to see here.

  • default Veteran
    edited March 2023

    This law is highly possible. We live in strange times (Brexit, Covid with huge restrictions in freedom, wars with people dying for various interests of superpowers, electricity bills going up for no realistic reason, investments in AI for processing huge amounts of data faster); so right now I think anything is possible. To be honest, any attack on privacy by politicians for the "well-being" of citizens no longer surprises me - it's quite normal nowadays.

    Thanked by 1MannDude
  • @MannDude said:
    the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers

    Here's my passport, mr biden, please don't delete my LET account:

    Bourne Russian passport Matt Damon

    Thanked by 1crunchbits
  • kait Member

    @DataRecovery said: Here's my passport, mr biden

    Cyka Blyat, why did you post my passport on the Interwebs?

    Thanked by 1crunchbits
  • default Veteran
    edited March 2023

    @kait said:

    @DataRecovery said: Here's my passport, mr biden

    Cyka Blyat, why did you post my passport on the Interwebs?

    Because it expired 20 years ago. Passport is no longer valid, so owner can't order services in USA.

    Thanked by 1kait
  • jbiloh Administrator, Veteran

    @MannDude said: What are your thoughts? Do you think this will have any impact on non-enterprise 'cloud providers' or do you think that things will be so loosely defined that all service providers (web hosting, VPS, dedicated, etc) will fall under the umbrella of this?

    It is certainly a risk that a broad interpretation will be utilized to blanket cover as much as possible. Sigh.

    All for the purpose of the "greater good" and "security" ... give me a break.

  • Some of the most abusive providers out there already require KYC, and nearly all of them require some form of payment tied to your real name. This will change nothing.

    Thanked by 1Maounique
  • DataRecovery Member
    edited March 2023

    @kait said:

    @DataRecovery said: Here's my passport, mr biden

    Cyka Blyat, why did you post my passport on the Interwebs?

    Becoz I must has cheez cheap VPSos, that's why.

    Thanked by 1kait
  • DataWagon Member, Patron Provider

    Realistically, any bad actor is just going to go to another host, probably based in another country, if required to provide KYC for a US ISP...

    I can't see many reasons why a hacker would specifically require a server on US soil.

    Thanked by 1hostdare
  • I would say it will affect even non-enterprise. Hackers don't use AWS, Azure and GCP all the time. They also utilize powerful low cost servers which can be found here mostly.

  • Maounique Host Rep, Veteran
    edited March 2023

    @DataWagon said: Realistically, any bad actor is just going to go to another host, probably based in another country, if required to provide KYC for a US ISP...

    A bad actor, especially a hacker, doesn't need to sign up anywhere. They get the servers they want where they want, for free.

    THAT is the point I am making, when I say "combating hackers by knowing whom they have hacked." It is stupid to the nth degree.

    Remember, these are hackers, not pedophiles, the latter might be dumb dicks, but a hacker will hack whether it is Azure, AWS or the Klingon death cloud. The pedophilia would have worked way better here.

  • @Maounique said: Remember, these are hackers, not pedophiles, the latter might be dumb dicks, but a hacker will hack whether it is Azure, AWS or the Klingon death cloud. The pedophilia would have worked way better here.

    Not that good of a comparison. Actual pedophiles have way better OPSEC than most hackers.

  • @inland said:

    @Maounique said: Remember, these are hackers, not pedophiles, the latter might be dumb dicks, but a hacker will hack whether it is Azure, AWS or the Klingon death cloud. The pedophilia would have worked way better here.

    Not that good of a comparison. Actual pedophiles have way better OPSEC than most hackers.

    Source?

  • @treesmokah said: Source?

    I was hoping you could elaborate on that, actually. We both know you have a lot of experience.

    Thanked by 1Maounique
  • Maounique Host Rep, Veteran
    edited March 2023

    @inland said: Actual pedophiles have way better OPSEC than most hackers.

    I am not sure. True, when there is a "need" there is a way, but not everyone can become an expert in such a way that they can hack servers to hide their tracks. Nope, SOME pedophiles MIGHT have SOME OPSEC with a handful very good at it, but hacking random servers? Not really.

  • treesmokah Member
    edited March 2023

    @inland said:

    @treesmokah said: Source?

    I was hoping you could elaborate on that, actually. We both know you have a lot of experience.

    I have gathered some experience throughout making as many pedo lives miserable as possible through various methods. Cops are useless at least here, so you often have to take matters into your own hands to save innocent people.
    I can confidently say that most pedos have worse opsec than skids and other low-tier "computer gods". Most pedos are sad incels in their mom's basement operating in clearnet - often with their own name on it.
    "Hacker" is a very overused term and does not relate to anyone in particular - unlike pedo.
