Comment by chadsix

1 year ago

AI is mentioned, but the scope is significantly larger if you read the full text.

I'm going to need another intelligence to read the full text.

"U.S. IaaS providers and foreign resellers of U.S. IaaS products must exercise reasonable due diligence to ascertain the true identity of any customer or beneficial owner of an Account who claims to be a U.S. person."

So at a minimum, everyone's identity is verified by the IaaS provider. If you claim to be a non-U.S. person, additional information is collected.

They mention looking at comments from a previous proposal in 2021, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities" https://www.federalregister.gov/documents/2021/09/24/2021-20...

Who counts as IaaS besides Amazon, Azure, and GCS?

  • Dreamhost, Wordpress, etc

    • This is not the industry-standard or NIST definition of these terms. Something like Google Workspace Suite is Software as a Service. Something like Heroku (or Dreamhost or Wordpress) is Platform as a Service. Something like EC2 and S3 are Infrastructure as a Service. The distinction is renting out undifferentiated server space that a customer installs their own software onto. If you rent a VPS from Linode and install self-hosted Wordpress, that's IaaS. If you buy Wordpress's managed hosting, that's PaaS.


    • Wordpress clearly does not meet the definition of IaaS in the document.

      > provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications


  • edit: Vultr info is wrong. They don't have anonymous use anymore.

    Vultr, for example.

    There are high-quality IaaS providers that accept bitcoin for payment, allowing someone to host a server on their platform without revealing their identity.

Given that top GPUs are sanctioned, I'm sure preventing access to them remotely is a part of this. But just generally speaking, doing any malicious crap out of an EC2 instance is an easy way for a foreign actor in China/Russia/Iran to look more legit.

  • As if they won't just use a stolen identity. And like usual the victim will never even find out because it won't show up on their credit report.

It's still just for IaaS companies, though, right?

Not that that makes this all okay, but it is a much more limited proposal than "internet services" makes it sound.

  • IaaS is defined as a provider of computing resources that allows you to run software that is not predefined. So that would seem to include basically every web host. If you can install Wordpress or Mastodon on the servers they provide, they are an IaaS.

  • Legally speaking, internet service providers are infrastructure providers.

    • Definitely not in this case (unless you're using Digital Ocean as a VPN end point or something). EO 13984 (which is cited as the enabling act) has a narrow definition:

      (e) The term ‘‘Infrastructure as a Service Product’’ means any product or service offered to a consumer, including complimentary or ‘‘trial’’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of ‘‘managed’’ products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and ‘‘unmanaged’’ products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of ‘‘virtualized’’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., ‘‘virtual private servers’’), and ‘‘dedicated’’ products or services in which the total computing resources of a physical machine are provided to a single person (e.g., ‘‘bare-metal’’ servers)

      (https://www.govinfo.gov/content/pkg/FR-2021-01-25/pdf/2021-0...)


    • Do you have a basis for this claim or are you just throwing it out there to see if it catches on? The document linked refers to IaaS, which as an acronym definitely does not include ISPs.
