Feds tell web firms to turn over user passwords (cnet.com)
234 points by antman on July 26, 2013 | 148 comments



It is time for software companies to unite. Feds can't just continue roaming around, asking companies for their users' password hashes and other things.

In the current state, some big companies have the means to fight such requests, some big companies are very willing to cooperate, and small companies rarely have the means to go into a legal battle.

Because of the current fragmentation and secrecy surrounding feds' requests with software companies, users do not have the possibility of knowing what they're in for with which company. Also, the divide and conquer tactics used by the Feds really allow them to extract much more information than what would otherwise be the case. Ideally there should be a union for software companies, which makes agreements with the feds concerning their access rights; agreements which then apply to all members of the union.

Currently I have two rules of thumb: 1) for critical services, avoid companies located or significantly involved in the US or UK and 2) at all costs, stay away from Microsoft.


1) For critical services, run them locally where possible. Avoid 'cloud' or 'remote' at all costs - no matter where the hosting company is located.


This is more apt advice. At Hacker News we are swimming in a sea of start-ups, who are constantly evangelising the 'cloud' (it's often their bread and butter). But if you genuinely want privacy then keep it local and locked down. Stick to mainstream open source products and keep things as simple as possible.


Well ... What if I launched a cloud based startup that used homomorphic encryption on your data? I mean, it'll be another 10 years before we get the encryption overhead below a factor of a million, but at least we won't be able to give away your data in any useful form...


And what will you do when Feds knock on your door?


At least they need a warrant in that case and you know that there's something going on.

Also: You can encrypt the server hard drives.


Fun fact: in Holland the department of justice has recently obtained the right to force you to decrypt your hard drive.


This is why deniable encryption exists.

http://en.wikipedia.org/wiki/Deniable_encryption


Use a hidden TrueCrypt container inside a TrueCrypt container.


Keep your server in a hardened concrete closet and a strong magnetic coil in the only doorframe.

Hey, it sounded good on paper.


I've been saying the same thing for a while. Many companies need to form some sort of alliance against government censorship and surveillance, not just in the US, but globally. One company alone, even one as big as Google, can't stand up to a government like the Chinese one. 100 big American companies that are vital for their economy might be able to do it.


Ditto. I'm of the notion that the government can't put the entire company in jail. Could you imagine if Google, Microsoft, and Yahoo were effectively put out of business for these decisions? The repercussions would be devastating. Even placing a lot of key officials from these companies in jail would have lasting effects.

To me this is the prime definition of "too big to fail". It would only require a small percentage of these companies uniting "for the greater good" to produce meaningful results. Not cowing to the NSA is not treason in this instance so I can't even possibly understand why complying with "laws that aren't on any books so are they really laws?" has any positive merit.


Yes, but they won't do it until it hurts their bottom line. If I owned a European cloud business of any kind I would be heavily advertising to the US market right now. When customers start leaving major US internet companies because they no longer feel that they adequately protect their data and privacy, things will change.


IMO the very nature of the centralization of power works against individual rights, one of which is (arguably) privacy. As corporations grow they tend to lose a sense of the customer as a means, and instead choose which type of customer they need in order to maximize profits (or other goals).

Corporations (or any large centralized power base) will optimize for the most exploitable customer or user base, culturing this base if possible. To help broaden a target user base corporations need strong centralized governments more than they need even sizable (but less "culturable") segments of their market base.

Upshot: mature corporations (political parties / religions / etc) will not typically stand up to a centralized government on behalf of a rights-demanding fraction of their market... indeed, typically, they will do the opposite.


And let's face it, it's not like corporate America needs the government's help to abuse you based on your private information. Not in a day and age where you can be denied a job because of your credit history or kicked off your insurance because of your health records. People throw off tons of data, and companies have been working for decades to figure out how to use it to screw you.


Well, that sounds great if the large companies fight the good fight. If they don't, you have very large, unaccountable companies able to fight the governments to get [lower taxes/lower wages/monopolies].


Do we think that services like Mint are handing over all our financial data to the government (making it easy for them to have a picture of your entire finances)?

If so, are there any viable, offline alternatives?


Never mind Mint, if your bank accounts are in the US your financial data is already available for inspection by the IRS, DHS, and probably many other three-letter agencies. I'd wager that Mint, not being a bank, has far less of an obligation to hand over your financial data than the banks you have accounts with.


The US already has complete financial surveillance over all US financial activity that isn't a cash trade, and they've been expanding it around the globe aggressively. For decades.


In this day and age where everyone does everything through credit cards, everyone already has all your financial data. Certainly the government does, and the credit card companies hand information out like candy.


Probably. They also scoop up all your credit card transactions, so for in-person purchases, they've got your location logged there as well.

http://www.motherjones.com/kevin-drum/2013/06/wsj-nsa-progra...


For what it's worth, I'm working on a Mint competitor of sorts (that takes advantage of machine learning to automatically help you save). It will be based in Australia, not the US, and the basic app will be released as open source for personal self-hosting.


I don't think any country is safe at this point. TNO (trust no one) is the only solution. Your cloud provider should have no ability to hand over your data because they can't decrypt it themselves. For example, Lastpass has an architecture where the passwords are encrypted and decrypted on the client, the server never sees anything but pseudorandom noise, and you can audit their browser addon to verify this. You can, with careful design, build many - if not most - cloud services in this way.


That is exactly what we are trying to do. The problem is that it is somewhat at odds with machine learning in practice, but I have some ideas in the space.


Just an FYI, a Mint competitor, Wesabe, went out of business some time ago. When they did, they open sourced their software. Not sure of the state it's in. Maybe you can find some good things in their bank interface/scraping code...

https://github.com/wesabe/pfc


Brilliant! Thanks for that :)


After reading rlvesco7's comment, I immediately deleted my Mint account. It always made me uncomfortable to have all my financial data sitting in the cloud. I stopped actively using it a few months ago.

An open source service sounds interesting, but I don't think I'll ever be willing to post all my financial data to a web service again. It would be great to have a locally installed application that could keep track of all those accounts. Having some algorithms run to help me save would be great, but it would take some demonstrated assurances to get me to provide even anonymous data for the machine learning process.


This is interesting. Machine learning requires data. Will the app be sending back up anonymized data that then gets used to help the app make better decisions? Or how else will you make your app smart like Mint? Can't wait to see what you're doing.


The former is what we are doing, but coupling it with some basic statistical financial methods (and some stuff I've come up with myself!) that you can rely on if you'd rather not send the information. That's also what the cheapest plan for our hosted version relies on.

The entire premise is personal finance software that learns your habits to make it easier to use :)


That sounds good. I'd be interested in seeing the open source version.


If you like text files, there's ledger: http://ledger-cli.org/


The government having access to your financial data is a prerequisite for a functioning tax system. If you are audited, the IRS has the right to look inside your bank accounts.

The policies (or location) of online budgeting tools are entirely irrelevant. Hiding financial data from the government involves well established trades dating to long before the internet (or PRISM): money laundering and tax evasion.


Check out GnuCash. I've been using it for about a year. Entering all your stuff is tedious, but it's open source and integrates with some banks (also imports from Quicken and CSV).


I could never sign up for Mint. I see the value in it, but providing a private business with a view into all my financial accounts just seems like a huge mistake.


Other than banks, creditors, and credit-score companies? I imagine there are far more businesses with access to view our financial accounts than we realize day-to-day.


I'm sure you're correct.

But as far as I know, my bank can't look at my accounts that are with other financial companies.


It's not just that, but they use information in your accounts to recommend other companies' products. Today I got a notification that I was paying more than average for car insurance, with a link to a competing product.


Text files, paper statements and your file cabinet. There are various open source check register and bookkeeping packages. GnuCash is complete but possibly overkill for some people.

http://en.wikipedia.org/wiki/Comparison_of_accounting_softwa...


What part of "privacy is dead" do people not understand? You think multi-core processors in your iPhone or Android are to make the calls more clear? How many people here can say they haven't integrated a "smart" Apple or Google phone into their lifestyle? Someone with more HN love should post that poll.

Everyone needs to reconsider their worldview and a few important definitions they hold. One of those is privacy.

My definition of privacy: anything I relay to ANY one person is no longer private. What's the old saying about three people keeping a secret? Information wants to be free and privacy is not its natural state. It's always been this way, but the physical barriers to diffusion have been completely decimated in the past two decades.

This is not a mere blip in a long term trend, it is fundamental, IMO.

That being said, I believe there are new values we can all embrace to make the most of the state of the human experience today. Perhaps someone should start a thread on Internet values for the 21st century and beyond.

PS - Anyone ever wonder how MSFT got an anti-trust pass in the US, but not in the EU?

"In the interest of national security..."


Hear me out: with a sensible court order and oversight, requesting a single user's password makes a lot of sense. Let's say you've taken a suspect into custody, but want to capture their co-conspirators [1]. One way to do that might be to impersonate them online so as to keep their plot moving forward.

In what ways is it in a different category to their phone company handing over their call logs and getting someone to impersonate their voice (or send a text message) to an associate?

A single password, in an active situation, with oversight [2], is a totally different proposition from something like Prism or handing over SSL private keys.

[1] Not sure about US law on entrapment, but "bring the kit, we're doing it tonight, rendezvous is XYZ" and then seeing who turns up with what doesn't sound like entrapment to me.

[2] I have no idea what oversight might or might not be applied. "No comment" from the government is admittedly not an encouraging sign.


This sounds far too analogous, but not exactly homologous, to suggesting that Feds ought to be able to get a court order to request a safe manufacturer supply them a workable combination to get into a safe, which only the rightful and legal owner of the safe possesses but does not wish to divulge. Or a locksmith make a key to fit a particular lock for which there is only one possible key that is held by the rightful and legal owner who has invoked her right not to do so for fear of incrimination.

Going to the companies who have to validate user passwords to get a password a user is unwilling or unable to divulge is wrong. Going beyond that in asking for details on how passwords are salted, hashed, what the salts are, etc. ... more wrong still.

That the practice has been revealed should be all any internet startup/company/organization should need to never, ever store a user's password again. Ever.


Actually the legal standard (in the US) to compel someone to turn over a physical key (and I think a combination to a physical safe) is fairly low, relative to information. One of the big debates is whether compelled disclosure of a password is information (high protection) vs. access (low protection). Marcia Hofmann from EFF talked to a few people at HOPE for about an hour on the finer points in specific situations.


Well, combinations to a safe are viewed quite differently from a physical key to a lock. Compelling the latter has been viewed as permissible, while the former has not.

Where compelled disclosure of a password falls on that spectrum is, indeed, a matter of debate.

However, this is not the same. This is compelling a company to turn over either a user's password (which the user [debatably] could not be forced to turn over without potential infringement of 5A) or specific technical details necessary to business, security, and privacy operations to help them decrypt an encrypted password.

My examples were specifically not about compelling a person criminally charged or investigated to divulge combinations or produce keys. It was about compelling the safe-makers and key-makers to do the job as an end run around users being unwilling or unable to provide the demanded result.

Tangentially, this revelation makes me think a bit more about the CISPA requirements that were discussed regarding protecting employees from being forced to surrender passwords to their employers. Can't help but wonder if backdoor conversations on that proposal were engineered by executive wishes to be able to compel employers to turn over employee passwords because they haven't been successful with service providers directly.

[edit: mixed up my former/latter statement. added last comment. fixed spelling/grammar mistakes.]


I've seen this analogy a few times, that an encryption password is the same as a safe combination. The counter argument is: if a safe contains papers with information that the police can't interpret (either it is in code words, or written in a language for which they don't have an interpreter), can a suspect be compelled to interpret the documents for them?

If not, then to me it would seem that the only password that could be compelled is something like a hard drive firmware boot password, where the contents may not be encrypted but can't be accessed (through normal means) without the password.


The argument is actually whether it's "testimony".

Saying "turn over the physical object used to commit crime" makes turning it over testimonial! But saying "turn over the rifle with the serial number 98980843" is not testimony.


This is a whole other thing; this is a single user's password. I think in the article they are talking about every user's password, correct me if I'm wrong.

And even then, a password should be encrypted. If there is a court order to reveal information, then there has to be a way to get this information rather than sending unencrypted passwords to the government so they can snoop through your mail without you even being proven guilty.


>they can snoop through your mail without even being proven that you are guilty.

I must point out, "snooping through your mail" requires probable cause, not proof of guilt (that's for a court to decide).


Show up with a warrant for that particular user's data, and be happy with whatever encrypted data you get, and I'm fine with it.


No, because competent companies don't just have people's passwords. They would have to give the encrypted password, encryption method and salt, which would greatly weaken the company's own internal security because now a bunch of people know a lot about the encryption system of the company and those people can't be trusted to keep the information secure.


Good encryption systems assume that the algorithm is known and still are secure in face of that requirement. So if publishing the method makes your system insecure then it's already insecure by design. Security through obscurity is not a viable approach.


Yes, good encryption/hashing assumes the algorithm is known, but we're also talking about giving away the salt. The salt in a secure hash plays an analogous role to the secret key in an encryption cipher; both are assumed unknown by an attacker.


Security through obscurity?


STO is okay as a part of defence-in-depth, IMO.


There should at least be some burden to notify you that your account has been compromised; that is, you should be notified if you are a 'person of interest.'


This strikes me as a very thin story with a lot of filler added. A red flag for me with the article is that the headline uses the word "tell" while quotes from anonymous sources use the word "request". There's nothing wrong with the government asking for access to a user account if they have a legitimate (i.e. named) court order.

This is the most important story for this country since 9/11. Third rate journalism won't be part of the solution.


There have been a few articles like this recently. The problem is, it's so easy to flip a word like "request" to "tell", or drum up a government-looking document asking for xyz. There's just no way to determine the validity of this stuff.


Over-reliance on anonymous sources is always a red flag for me.

His main sources are "...one internet industry source" and "...a person who has worked at a large Silicon Valley Company."

That's about as vague and unverifiable as you can get for the foundation of a story like this.


For the general public this type of article works well. The filler is useful because a lot of people are coming to the issue for the first time. Hopefully NBC &c. will also fill in pertinent background information as they bring their audiences up to speed.


I'm well aware of journalism's yellow history, but I feel like things have devolved quickly and depressingly in the era of the blog and the pageview/story-break Twitter one-upsmanship that exists today.


You do recognise the author, right? It's not some random hack - Declan M has a long history and a good reputation. I'd take his word over some random HN doubter any time.


Good reporting isn't about taking someone's word for something. It's about facts. The story has little substance to it. Who wrote it is beside the point.


It's so frustrating to see the vast majority of comments here take this seriously. Thank you for having the guts to call it like it is.


Welcome to the world, this is a webcam, put it on your head so we can watch your every move at all times.

What the hell is wrong with the government? Is it really their business to interfere with personal life? It's their job to facilitate the community, to find solutions for people's lives; this is not a solution, they are creating overly complex problems and unnecessarily spent money. We need less government, fewer people there with less money; it seems they have too much of it and way too much time.


That really is the missing piece in the puzzle: what on earth do they need such deep and complete access into everyone's lives for?


It's a government. Their natural desire is to govern lives.


You're asking the wrong question. They don't need this data, but they can acquire it. Why can they? Because nobody has said otherwise.

I don't expect a quick resolution to this problem and others. Political philosophy and legal theory have not kept up with technical advancements in society.


With respect, I don't think government should be facilitating the community or finding solutions for people's lives, as that quickly becomes a license to violate the rights of some individuals in order to give a benefit to some others.


I'm not sure how beneficial it is to ask for salted password hashes, when a simple change in the wording of the request to a judge (or the FISA court rubber stamp factory) would yield an order for the provider to capture and turn over the plaintext password the next time the user logs in. US judges will do almost anything they are asked, especially if the requesting agency uses the "T" word. Either these agencies don't know what to ask for, or they are already doing this and no one has written a story about it.


What's the "T" word, please?


Terrorism.


Thanks, obvious in hindsight.


Throwaway account just to post this. Of course the Feds will have access to whatever they deem necessary even if it takes them time to get the pieces in place. It's the users who ultimately lose the most.

I'm learning the hard way just how much the user is the one ultimately screwed when it comes to account access. My father just recently died very unexpectedly and tragically. He was generally retired but still doing a dozen or so small tech consulting projects here and there and using his personal accounts on Gmail/Facebook/etc. for everything.

Facebook simply will not give any family member access to a deceased person's account. Google will consider it after you fill out a form and send them a bunch of documentation. Then they will consider and may possibly end up sending you off to get a court order and the like, but you're entirely subject to their own decision about whether you can get access to your deceased family member's main form of personal and business communication. You do not own your Gmail account, regardless of the shit they spout about you being able to download your data using takeout. If your estate can't get "your" data, you didn't really own it.

Yes, I know there are steps that could have been taken to have given access to others on the event of one's death, but realistically what percentage of Gmail/Facebook users have taken those steps? And why should those accounts be different from normal digital accounts like bank accounts where a standard court estate document is enough?


>Then they will consider and may possibly end up sending you off to get a court order and the like,

So you expect them to accept any old paper that looks like a court order without a vetting and verification process?

>If your estate can't get "your" data, you didn't really own it.

If you can't legally prove that you are part of "your" estate, then you're SOL. And getting anything done legally takes time. Sometimes lots of it.


I never said I expected them to accept a court order without verification. Simply that there should not be discretion on their part if proper estate documents are presented. They have made it clear that they have discretion, so the account itself is not actually considered part of the estate by Google.


Ensuring that those documents are valid is considered "discretion"...


> Facebook simply will not give any family member access to a deceased person's account.

It looks like you are SOL no matter what you prove.


They'll "memorialize" an account which stops it from showing up in friend lists and what not.

Honestly, I kind of like the way that's handled. Whatever I put on facebook is private to me (and me alone, not whoever survives me) plus whatever I allowed that information to be shared with either on site or with legal documents.

No pre-authorization, no sharing.


This is probably a stupid comment to make, but when the feds request these passwords what is stopping a firm from giving over a set of tampered passwords?

Let's say a request is made for Google to give over loads of Gmail passwords. Could they not silently implement an extremely strong password encryption on the affected accounts, and hand over these passwords, knowing that the feds wouldn't be able to crack them without a significant amount of time?

Also, are the feds likely to check to see if these passwords are legitimate? If my password was 12345 and Google simply told them that my password was 54321 then how could the feds possibly know that the passwords sent over are real?

EDIT: Obviously, I know this is highly illegal, and would land any company in trouble. I'm just wondering whether, theoretically, this is possible for a firm to do to circumvent any action from the feds.


Silently sabotaging LEOs' efforts like that would be rightfully highly illegal. "Perverting the course of justice" in the UK. I assume there's a US equivalent.

It's just not worth a company risking this kind of tampering. They could go to jail for that.

By all means, companies should fight back legally, and it sounds like they all are. I applaud them for that. But I think it's unreasonable to expect them to break the law for you.


You're absolutely right. However, is it a crime that could be tracked, without an employee explicitly whistle-blowing to the feds? Even then, could the feds prove this? I'm no expert, and I'm probably wrong in saying this, but in my mind it'd be near impossible to prove that a provided hash had been tampered with, instead of a user just changing their password.

It's morally wrong, and obviously I'm not saying it's the way to go. It's just a theory that I had, and I wanted to know if it was feasible for a company to do this.


FWIW if a fed has an account with the service (which is fairly likely for big services like Gmail et al), and knows the hashing algorithm (if they've successfully got the passwords this is pretty likely too) they could prove it easily by hashing their password themselves and comparing it to the stored version.


>Also, are the feds likely to check to see if these passwords are legitimate? If my password was 12345 and Google simply told them that my password was 54321 then how could the feds possibly know that the passwords sent over are real?

By them NOT WORKING?


Well, they're not going to crack a ton of passwords that quickly, and I'm guessing that they're testing against the live server, so if the password doesn't work then surely the most obvious answer is that the password has changed.

A lot of people have already stated that one way around this would be to change your password before the feds have had a chance to crack the provided hashes. This would surely be a similar system.

Of course, I don't know if this would work at all. I was basically thinking aloud to see if this idea would have some merit.


Google will tell you that you changed your password {0} days ago if you try to log in with the previous password.


Why not implement said extremely strong encryption algorithm by default, before it becomes an issue?


We really need to systematically implement in our login systems what many SSH servers do when you log in: "Hello <username>. Your last login was at <time> from <ip>".

It won't solve the problem, but it'll certainly help a bit.

EDIT after a few comments:

This will not make it impossible to steal an identity. But this will cost us almost nothing and imply a high cost for spooks: if you have a user's password, you can use it on many websites, for common users, without the related company even knowing it. If you implement a last-login timestamp, it's something you can do within hours, without any need for heavy architectural changes, and it will cost the spooks a lot to try to fake it on every website, for a large number of users.

Cheap to us, costly to them. That's the way to go for me.
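As an added illustration (not code from the original thread or from any of the services named in it), here is a minimal last-login tracker of the kind the comment describes, which also flags a login from an IP address the user has never been seen from. The class name, sample usernames, IP addresses and timestamps are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    """One successful login: who, from where, and when (UTC)."""
    username: str
    ip: str
    when: datetime


@dataclass(frozen=True)
class LoginReport:
    """What the login page shows the user right after authentication."""
    previous: Optional[LoginEvent]   # the login before this one, if any
    new_ip: bool                     # True if this IP was never seen for the user
    message: str                     # the banner text


class LastLoginTracker:
    """Per-user login history; the service records every successful login here.

    Hypothetical helper written for this example: it keeps the last `history`
    events per user in memory, so a real service would back it with storage.
    """

    def __init__(self, history: int = 10) -> None:
        self._events: Dict[str, List[LoginEvent]] = {}
        self._history = history

    def known_ips(self, username: str) -> set:
        """IP addresses this user has logged in from within the kept history."""
        return {e.ip for e in self._events.get(username, [])}

    def login(self, username: str, ip: str, when: datetime) -> LoginReport:
        """Record a successful login and build the banner from the *previous* one."""
        events = self._events.setdefault(username, [])
        previous = events[-1] if events else None
        new_ip = ip not in self.known_ips(username)
        events.append(LoginEvent(username, ip, when))
        del events[:-self._history]          # keep only the most recent entries
        if previous is None:
            message = f"Hello {username}. This is the first login we have recorded."
        else:
            message = (f"Hello {username}. Your last login was at "
                       f"{previous.when.isoformat()} from {previous.ip}.")
        # The user is the one who can tell a legitimate login from a stolen one,
        # so say explicitly when the address is unfamiliar.
        if previous is not None and new_ip:
            message += " This login comes from an IP address we have not seen before."
        return LoginReport(previous, new_ip, message)


def demo() -> List[LoginReport]:
    """Constructed sample: three logins for one user from two addresses."""
    tracker = LastLoginTracker()
    t1 = datetime(2013, 7, 25, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2013, 7, 26, 10, 30, tzinfo=timezone.utc)
    t3 = datetime(2013, 7, 26, 18, 5, tzinfo=timezone.utc)
    return [
        tracker.login("alice", "203.0.113.7", t1),    # first login ever
        tracker.login("alice", "198.51.100.4", t2),   # new address: flagged
        tracker.login("alice", "203.0.113.7", t3),    # known address again
    ]


if __name__ == "__main__":
    for report in demo():
        print(report.message)
```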


Google already does this with GMail. Scroll down to the bottom and it's in the lower right corner.

Facebook also provides access to all recent/active sessions and their last accessed time under Settings -> Security. They've got all kinds of other good security features that are worth enabling too.

I suspect a better long-term approach here is going to be something like Mozilla Persona (with the option of easily using your own domain for auth & auth if you like). Then the service doesn't have your password. They could still give the Feds access to your data, but at least the Feds won't be able to leverage your password against other services (greater adoption of password managers would also help this scenario).

And of course, enable two-factor auth on any site that supports it.


Yes, a friend of mine mentioned the Google feature. I never noticed it.

But as I say, we need something that everyone can implement right now and that makes mass surveillance too expensive to be realistic. Login history and two-step login (for example) are things that need heavy architectural changes, while showing the last login can be done at no cost.


They could always modify that as well.


Well, in the context of a specific targeting, certainly. I have no problem with that.

What is a problem is mass surveillance. A simple measure like that could make it very costly to achieve mass operations.

EDIT: also, please note that the problem with passwords is that once you get one, for common people, you can hope they used it on many other sites. This allows feds to access websites without the company even knowing it. If you have to fake login timestamps, all related companies must be aware of your action.


Is there anything to prevent them from creating a separate unlogged login system specifically for this kind of use?


There isn't, but if they are going that route then why do they want the passwords?


Nope. We can't achieve total security. One may argue it's a good thing: there actually are a few bad guys out there.

But the cost to apply this to every single website they want to spook on will be prohibitively high to implement massive use.


This is why I won't be using iCloud Keychain.


Depends how it is implemented.

LastPass say that all your details are encrypted client-side via your master password, so they cannot access anything of yours.

There's nothing to stop Apple doing the same - but I suspect they won't.


On the other hand, Apple might be rethinking that policy right now.

I hope they are, anyway.


I'm going to wait and see if it uses client-side encryption. If it does, it's probably safe to use.


OwnCloud is just looking better and better.


I set it up just to have a play with after the PRISM story broke, and I've been really impressed. Now, if only OX office [1] finally gets released, I'll have all my cloud stuff running on my own server.

[1] https://www.ox.io/

EDIT: It's OX Text I'm most after (https://www.ox.io/ox_text)


Is there anything else you're running besides ownCloud and soon OX?


Not at the moment. ownCloud does my file backup and sync between devices, calendar, cloud music player and to-do list manager.

I'm considering setting up my own e-mail system, but haven't gotten around to it yet.

EDIT: Actually, I forgot I installed Piwik for web analytics. Not that it's in any way needed for what I do, but I wanted to see what it's like. I was impressed, but haven't pushed it yet.


I need to install owncloud, or git-annex-assistant, or something. If anybody wants to evangelise their favoured option here, that would be great.


PRISM Break has more free cloud storage options for your perusal:

https://prism-break.org/#cloud-storage

I'm using rsync for backup and Seafile for file sync myself.


Yeah, but what if they want to seize your server instead?


Then they'll have to let me know and get a warrant.

Two key aspects crucial to a functioning democracy. Two things they won't have to do if you have your data in a US-controlled cloud.

Possible point of interest: I don't live in the US.


Then they'll have to let me know and get a warrant.

Hahahahaha. No.


I don't know how things work where you live, but let me say again: I don't live in the US.

If anyone wants to come to my house and take a look at my server, I will know. Unless the global internet-police suddenly gained magical fairy-powers.

Hosting your own OwnCloud is 10000000% more secure than relying on third parties, things like Dropbox, where people can go behind your back.


You come home from work one day and find that your server is gone. I guess you'll know, I have to grant that.


Not today; sneak and peek is a thing now.


They're also demanding private SSL keys: http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-...

In that case they can easily sniff passwords as they are used.


This is actually the bigger story because it's a smarter way for them to go IMHO.


How fast could the NSA crack a BCrypt-hashed password?


it depends on whether your password is "kittenz" (one minute) or "A39cBiwe&4j2fqVz1uQ" (years and years)


No. It depends on the number of rounds.


It depends on what cost has been used.


It's in the article.


Not quite. From the article:

> A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters.

Yet the linked paper by cpercival specifically states that an 8-_letter_ password would only take $4 per year to crack, but an 8-_character_ password would jump to $130k. Also, these numbers, as quoted from the paper, are in 2002 dollars, including the cost of 2002 hardware, but do not include hardware other than the CPU, such as power supplies.


Aren't most passwords 1-way hashed? Seems like this is only going to give them access to low-level passwords.


Meant to be, but most aren't. I know that my bank, ISP, and mobile carrier all store my passwords in plain text.

Along with all these jokers — http://plaintextoffenders.com/


Someone should create a third party certification program where they take a look at your password storage code, and if it uses industry best practices, you can display a badge on your site.


Better to switch to authentication protocols where the server never sees your password.


And what prevents me from creating a simple page that redirects to plaintext on login if given an order after the audit? With NSLs, currently the situation is whatever Lola wants, Lola gets.


There's no need to; the password plaintext is available during the login process anyway. There's a difference between not storing it and not having it. All that would be required, really (assuming you don't want to store passwords, but are terribly, terribly concerned with the ability to extract a particular password under particular circumstances) is a conditional that shunts the plaintext somewhere before the login script/module dies. The login then continues as normal, but the bells and sirens go off and the plaintext password is available outside of the system. This, though, depends on user login after the fact, so to speak; turning over the hashes may mean more work for the interested authorities, but it won't depend on new logins.


This is more a voluntary procedure that gives the assurance that the company you're dealing with at least understands password security. It makes no guarantees that they still aren't trying to steal your password or otherwise have something to gain by stealing your password.

Most instances of plain-text or weak password hashing are due to incompetence or laziness, not malice.


It's depressing how short the reformed list is.


Also, if they were told to get one it would be trivial to change your login code to siphon off valid logins to another database somewhere.


So all we need to do is change our password every day or so? As long as it is faster than the bureaucracy?


Changing your password frequently could be construed as obstruction of justice (US) or perverting the course of justice (UK).

Also, if there is an automated system for sending new passwords to your local clandestine operations agency then you're simply speeding up the process of them hoovering your data.


Some kind of automated solution to handle this would be nice. Think 1password with automated password changes daily.

How hard can it be? It can already log in by itself, now it just needs to know the page where you can change your password.


> How hard can it be? It can already log in by itself, now it just needs to know the page where you can change your password.

The main issue is that scraping is hard and breaks at the drop of a hat. Sure, you could script hourly password changes if you wanted to, but as soon as the host service modifies their forms a little, the whole system breaks and you could possibly be locked out of your account.


Then the Feds will just get the info straight from 1password - or whichever password manager implements such a plan.

Really, the only solution to this kind of thing is offshore corps.


No, the only solution is offline data.

The only reason any of this is an issue is because we have our data and communication in the internet. That's what makes mass surveillance possible.

If you keep your data off the internet, then you're only at risk of individual surveillance. But even that's difficult; stuxnet demonstrated that even air gapped computers are at risk, because we move data around on usb sticks and the like.

So, speech and paper, or human memory, are the only really secure media.

As for all the apps we carry around in our pockets ... do you really need instant online access to your bank balance over the internet on the bus? We used to carry around checkbooks and make entries in the register. If you really need to know your balance 24/7, carry a register booklet, or a moleskin. Then you don't have to wonder if Mint et al. are giving up your passwords.

Opt out.


So really what we need is some kind of API design that allows for password changes that all websites should adopt. Of course that's never going to happen...

Still, if 1password made scraping work for the biggest sites out there (google, microsoft, etc) then that in itself would already be worthwhile.


1Password doesn't store your passwords, it generates them on the fly. You would need to hand over your encrypted password storage and your passphrase. Both of which 1Password has no control over.


That's not entirely correct.

1Password is a local, encrypted store of known passwords. Nothing is generated, except for the original passphrases themselves, which are completely random (not from a seed).


Yeah, I was a little too quick in writing that. What I meant to write was that 1. passwords are stored locally and 2. you have the option to generate passwords with predefined complexity parameters. It would be possible to use this password generating feature to update your passwords automatically at a set interval.


I mean couldn't they just request direct access to the database without going through the pain of cracking your password? They can probably run the sql query on their own and get whatever they need.


I think the point here is that feds don't want to have to ask companies for access, or even get noticed.

Operating directly on the database means either:

* requesting a dump that quickly gets deprecated

* having direct access to the database, which can be traced

Using the common interface, you can use it without raising any flags, unless companies specifically implement a warning feature for known NSA/feds/whatever IPs.

The best part is that many people use the same password for several websites. So, having one, you may access data on another website without the company knowing it.

As it becomes more and more clear that big companies are fighting agencies here, deciphering passwords and using them abroad makes perfect sense.


> don't want to have to ask companies for access

I mean, isn't the article about the gov't asking the companies for user passwords? How is asking for direct db access any different than this?


Say they ask Amazon for your password; if you reuse the same password elsewhere, like 99% of people, then they can access all your other accounts without asking anyone's permission. In this scheme, only one 'traitor' company compromises all others. People should really use unique passwords.


How does this play with DMCA anti-circumvention provisions?


Why do web firms have my passwords in the first place?



Nope! I did it the old fashioned way with a Canon 1Ds Mark III and a macro lens.


I don't store plaintext passwords. Nor should anyone else. Only a hash and salt.


Hash, salt and algorithm. That will allow you to upgrade the algorithm or work factor as your server becomes more capable (or if a deficiency in the algorithm you're using is identified), authenticate the user under the old system and re-hash on the fly, all seamlessly to the user. (If you're depending on the algorithm being a "secret sauce", you're doing it wrong.)
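The "hash, salt and algorithm" record described in the comment above, with the verify-then-rehash step, as an added example that is not from the thread or any commenter. It uses Python's standard-library PBKDF2 in place of bcrypt (bcrypt is not in the stdlib; the same pattern applies to any tunable hash), and the scheme labels, iteration counts and sample passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Each record carries a scheme label, so the verifier knows which algorithm
# and work factor produced it. Labels and iteration counts are constructed
# for this example; in practice choose the cost from measured hashing time.
SCHEMES = {
    "pbkdf2-sha1-v1": ("sha1", 1_000),        # legacy: far too cheap today
    "pbkdf2-sha256-v2": ("sha256", 600_000),  # current default
}
CURRENT_SCHEME = "pbkdf2-sha256-v2"


def _derive(scheme: str, password: str, salt: bytes) -> bytes:
    """Run the KDF named by `scheme` over the password and salt."""
    digest, iterations = SCHEMES[scheme]
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)


def hash_password(password: str, scheme: str = CURRENT_SCHEME) -> str:
    """Return a self-describing record: $scheme$salt_b64$hash_b64."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = _derive(scheme, password, salt)
    return "$" + "$".join(
        [scheme, base64.b64encode(salt).decode(), base64.b64encode(dk).decode()]
    )


def verify_and_upgrade(password: str, record: str):
    """Check `password` against `record`.

    Returns (ok, new_record). new_record is None when the password is wrong
    or the record already uses CURRENT_SCHEME; otherwise it is a fresh record
    under CURRENT_SCHEME that the caller stores in place of the old one, so
    users migrate to the stronger parameters on their next successful login.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[1] not in SCHEMES:
        return False, None  # malformed or unknown scheme: refuse, don't guess
    _, scheme, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    # Constant-time comparison so the check leaks nothing about the hash.
    if not hmac.compare_digest(_derive(scheme, password, salt), expected):
        return False, None
    if scheme == CURRENT_SCHEME:
        return True, None
    return True, hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery", "pbkdf2-sha1-v1")
    print("legacy record:", stored)
    ok, upgraded = verify_and_upgrade("correct horse battery", stored)
    print("login ok:", ok, "| upgraded record:", upgraded)
```

The algorithm label is not a secret; its job is to let the server decide, per record, how to verify and whether to re-hash, which is what makes a later cost increase a one-line change to CURRENT_SCHEME rather than a forced password reset.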


If you communicate information to a third party, it is vulnerable to disclosure. End of story. Either encrypt it or don't, and if you don't, then you don't complain if you find it being used against you in the future.


That sounds to me similar to the sentence: "Either wear a bulletproof vest or don't, and if you don't then you have waived your right to get upset if you get shot in the chest in the future." You always have the right to be upset if a third party accesses your data. Getting upset about unjust things is exactly how changes happen that make the world a better place. I understand that it's important to take safeguards but not everyone has the technical expertise or interest to protect their data. Many people don't even realize that the problem exists.



