Moved to forums from email:


Is the company under US jurisdiction, i.e. would it have to comply with requests and related gag orders under the US PATRIOT Act?


Storage Made Easy is a UK Ltd company, Vehera Ltd (as of August 2013), and our US servers would be subject to the US Patriot Act as they are hosted on US soil, but our EU servers would not be.

Two other things to note:

1. Our SaaS service features private key encryption of remote data where we do not retain the key.

2. We offer a totally on-premise version of our service to use with your own data which again features private key encryption.

As a new user, it does not fill me with any confidence that, per your wiki, you use "NSA hardening guidelines". You kindly point readers to the NSA website, where this wonderful, altruistic organisation states:

"The NSA Information Assurance Directorate collaborates with operating system vendors and the security community to develop consensus-based security guidance."

Can you explain, given the last few months of revelations, how this is supposed to fill your users with confidence that their data is secure? The NSA isn't a charity; any "guidelines" or recommendations they make regarding security are almost guaranteed to ensure that anyone following those guidelines is completely the opposite of secure.

Your insights would be most welcome...

NSA hardening guidelines are guidelines that the NSA issues to its own governmental agencies as to best practice for securing Linux against any potential threats and attacks.

The guidelines are not an app or a program that is installed. They merely instruct US government agencies on how to "lock down Linux", i.e. close down ports and other Linux services that can expose Linux to a potential threat.

Perhaps the NSA knows only too well these loopholes in Linux... but the guidelines are all about closing down services that pose a potential threat (if left open) from hackers.

These hardening guidelines for Linux by the NSA are widely recommended throughout the industry (just do a web search), and I recommend you read the actual hardening guidelines; if you have any Linux background you will understand that they are really about locking down Linux and that they only collate, as best practice, what is available from various other places.

For reference, after we have hardened Linux using the various best practices (NSA included) that we have collated, the resultant Linux instance is checked by the Nessus vulnerability scanner, and once our codebase is added, it is checked by McAfee Secure. This tests and certifies daily against our codebase. If we pass their daily security tests (which help protect consumers from identity theft, viruses, spyware, and other online threats) then they certify as such on our website with their logo and date the site as last checked and passed.
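The "lock down Linux" step described in this answer (close down ports and services that do not need to be exposed) is easy to check mechanically. The following POSIX shell audit is an added example, not code from this thread or from Storage Made Easy's own tooling: it turns `ss -H -tuln` output into a set of proto/port listeners and reports any that are not on an allowlist. The allowlist (SSH and HTTPS only) and the embedded sample `ss` output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread or Storage Made Easy's tooling:
# a minimal "lock down Linux" audit that compares the ports a host is
# listening on against an allowlist and reports anything unexpected.

# Assumption: only SSH and HTTPS should be reachable on this host.
ALLOWED_LISTENERS="tcp/22 tcp/443"

# Constructed sample of `ss -H -tuln` output so the script runs offline.
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT='tcp   LISTEN   0  128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN   0  128  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN   0  80   127.0.0.1:3306  0.0.0.0:*
udp   UNCONN   0  0    0.0.0.0:111     0.0.0.0:*
tcp   LISTEN   0  128  [::]:22         [::]:*'

# Reads ss-style lines on stdin and prints one "proto/port" per line,
# deduplicated (the IPv4 and IPv6 SSH sockets collapse to one entry).
listeners_from_ss() {
    awk '{ n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# Prints listeners (read from stdin) that are not in the allowlist given as $1.
unexpected_listeners() {
    allow="$1"
    listeners_from_ss | while IFS= read -r entry; do
        case " $allow " in
            *" $entry "*) ;;                    # expected, stay quiet
            *) printf '%s\n' "$entry" ;;        # unexpected, report it
        esac
    done
}

# Runs the audit against the constructed sample and prints the unexpected set.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "$ALLOWED_LISTENERS"
}

# Runs the audit against the live host (requires iproute2's ss).
audit_live() {
    ss -H -tuln | unexpected_listeners "$ALLOWED_LISTENERS"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    audit_sample
fi
```

On the constructed sample the audit reports `tcp/3306` and `udp/111`, the two listeners outside the allowlist (a MySQL socket bound to loopback and an rpcbind port); run it with `--live` to check a real host, and anything it prints is a service to either justify in the allowlist or disable.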

Good answer, and good to know the flow and that as a vendor you are concerned about security (Dropbox should take a lesson).

We use the NSA hardening guidelines for Linux ourselves. They are recommended as part of best practice for Linux security everywhere. For example:

recommended by Fedora for hardening Fedora
also incorporated and included by SUSE for hardening of SUSE Linux
recommended by Berkeley University as part of best practice for hardening Linux
part of the Oracle Linux hardening guidelines (PDF)

I could go on but you get the drift. These best practices are widely recognised and whatever you think of the NSA PRISM debacle they know how to secure stuff from attack.

You guys are clearly experts in this stuff and I have no qualifications to judge how good, bad or indifferent these guidelines are; I am just Joe Average end user who reads too many New York Times and Guardian articles.

It just doesn't sit right with me that an organisation that has no interest whatsoever in promoting secure systems that it then cannot infiltrate would issue such self-defeating guidelines. Think about that for a moment: they spend millions trying to break various levels of RSA encryption, yet on the other hand, showing their charitable side, they issue security guidelines that prevent them from doing their job.

Do you think Lavabit or Silent Circle used NSA-recommended guidelines? Methinks not... and they paid the ultimate price for not allowing the NSA access to their systems or the data therein.

But then...maybe I should stop reading the NYT, or the Guardian...or the Washington Post, the Economist...or any other decent and respected newspaper.

This is becoming a ridiculous thread. You are not technical, as you say, and you are posting about something you simply "don't get".

Bottom line is that the NSA's posting is not altruistic. It was meant to help secure US government federal agencies who use Linux. The guidelines/help are not an app or something you install. They are simply guidelines that they have pulled from throughout the industry, and the industry has contributed, and continues to contribute, to these. Not implementing them leaves Linux a darn sight more insecure, as any Linux admin will tell you.