OT: Dropbox and Skydrive encryption
Posted by jamesofford
Sep 24, 2014 at 01:21 PM
Very interesting topic. As I said earlier in another thread, I don’t keep anything up in the cloud that I need to keep secure. Not so much for lack of confidence in the security of any given cloud provider, but just as a general practice. Then I don’t worry too much if my cloud account is breached, other than my general dismay at a website getting breached. I also use a password manager (Dashlane https://www.dashlane.com/) for all of my password-protected sites and I let Dashlane set the password. It does a good job of picking a strong password, and I don’t have Dashlane upload my data to Dashlane’s servers. I also have a pretty strong password on my local copy of Dashlane.
After a few data breaches like we have seen recently, I am a bit paranoid. Also, when I was in industry the company for which I worked had a couple of breaches in which my name, social security number and a few other choice bits of info were released. But those weren’t breaches through the corporate network. One was a laptop theft, and the second was when the spouse of a colleague installed Limewire on a work laptop and in so doing exposed the laptop to the world. It isn’t clear why that laptop had personnel data on it, but it did.
That being said, the university at which I now work has some pretty strong policies in place for faculty and staff with regard to data security. I have spent some time in the last couple of months improving the security of our local network (just the little bit that is our lab’s), changing IP addresses on equipment so that they are not public, ensuring that none of our equipment is broadcasting such that anyone can connect.
I work in a med school, where HIPAA (Health Insurance Portability and Accountability Act) controls our data usage. HIPAA is the mechanism by which access to patient information is controlled. Given that, we get periodic presentations by our IT guys on handling data. The med school also provides us with secure servers for data storage. I don’t keep patient data on my local machine. I am not in a clinical setting anyway, so the only patient data that I have is from genetic screens that we are doing, and all of those data are anonymized so that even if the data were lost, no one could trace it back to a real person.
Finally, my iPad is encrypted, and I will be encrypting my laptop soon. While I don’t have any sensitive data from work on my iPad, there are personal data on there I would like to keep safe. One of our IT guys told me that if we used the screen lock on the iPad, then the data are encrypted. I need to check this out. If it is not the case, then I need to get some encryption software. I do have some sensitive data on my laptop, but since it is anonymized, I don’t have a lot of concern about that. I do have concern about my personal data.
Jim
Posted by Alexander Deliyannis
Oct 23, 2014 at 03:15 PM
MadaboutDana wrote:
>But the decision of the US courts to insist that Microsoft
>should hand over data held in Ireland has, I think, thrown a shadow over
>100% US-owned services. What bothers me even more about that is the
>failure by the Irish government to make any kind of statement along the
>lines of ‘hold on, that would be illegal under Irish law’. No, they’re
>too dependent on American goodwill to dare to do that.
I had missed this news; quite remarkable I dare say.
Interestingly, Amazon Web Services have just announced their Frankfurt-based infrastructure:
http://aws.amazon.com/blogs/aws/aws-region-germany/
Posted by Franz Grieser
Oct 24, 2014 at 07:44 AM
Alexander Deliyannis wrote:
>I had missed this news; quite remarkable I dare say.
>
>Interestingly, Amazon Web Services have just announced their
>Frankfurt-based infrastructure:
>http://aws.amazon.com/blogs/aws/aws-region-germany/
Alex, that does not need to keep Amazon from giving NSA and other “authorities” access. Moreover: German agencies also spy on German and foreign citizens. :-(
Franz
Posted by Alexander Deliyannis
Oct 24, 2014 at 02:57 PM
Franz Grieser wrote:
>Alex, that does not need to keep Amazon from giving NSA and other
>“authorities” access. Moreover: German agencies also spy on German and
>foreign citizens. :-(
I would have never thought that we are not taken good care of, heaven forbid…
Posted by dan7000
Oct 24, 2014 at 04:56 PM
I think it’s foolhardy to trust any company in any country with data you really want to keep secure. The only way to ensure it’s secure is if it is encrypted *locally* (on your local machine) with a strong passphrase that is never stored anywhere. You want a system where there is no way for the server administrator to ever decrypt your data—the only way for the data to be decrypted is if you personally disclose the passphrase. Locally-encrypted systems are more likely to have this type of security.
I believe that Boxcryptor Classic provides such a system. If I recall correctly, the new version of Boxcryptor does not.
The next-best is to have data that is encrypted on the server but using a key that is not stored anywhere. The problems with this type of a system are (a) you transmit your password to the server so it’s always possible it’s stored in some cache; and (b) there is more likely a backdoor because when your key is transmitted to the server it’s possible they use it to create a dual-key encryption where they keep one backdoor key even though they don’t have your primary key. This is not possible with locally encrypted systems where your password is never transmitted to the server. I think Apple’s newly-announced iCloud security seems to be in this league, and they say they don’t keep a backdoor or a copy of your password and cannot decrypt the data for law enforcement, so if you take them at their word that’s a good model.
Note that any system where you can share your files with someone else has to have some kind of a second key. Mega.com (the successor to Megaupload) has this type of system. They have some type of complicated scheme where they say they don’t save the second key, and have run a contest to break their security which I believe resulted in no successful hacks, but because of the second key this system is inherently less secure. (And of course there’s the question of whether you want to give your data to Kim Dotcom…) It’s possible the new iCloud has this unstored second-key issue too - I don’t know if you can share a file with someone else with it.
Either way, the point is that you don’t want to rely on trusting some company—anywhere in the world—if they have any way to decrypt your data. It doesn’t matter what country it is. The Hague Convention and other treaties allow for civil and criminal discovery in most countries, meaning that a subpoena from the U.S. will be enforced in those countries if it satisfies various requirements. Plus, just because a company is located in one country does not ensure that they will always host their data there, particularly if the company changes ownership. Local encryption with a long passphrase you never transmit anywhere is the best solution - that way you trust yourself, not some company.
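The locally encrypted model described in the post above, sketched as an added example that is not part of the original post or of any product named in the thread. The function names, the scrypt cost parameters and the choice of AES-256-GCM are assumptions made for illustration; the point is that the key is derived on the user's machine and only salt, nonce, tag and ciphertext are ever handed to the storage provider.

```javascript
const crypto = require("node:crypto");

// scrypt cost parameters: assumed values for illustration, tune for your hardware.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Key derivation happens locally; the passphrase and key never leave this process.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF);
}

// Returns the only bytes the provider ever stores: salt | nonce | tag | ciphertext.
function sealForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);   // fresh per file, not secret
  const nonce = crypto.randomBytes(12);  // fresh per encryption, not secret
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const body = Buffer.concat([cipher.update(Buffer.from(plaintext, "utf8")), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Returns the plaintext Buffer, or null if the passphrase is wrong or the
// stored blob was modified while it sat on the server.
function openAfterDownload(blob, passphrase) {
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const body = blob.subarray(44);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch {
    return null; // GCM authentication failed
  }
}

// Constructed sample data: what the provider holds versus what the owner can read.
function demo() {
  const note = "constructed sample: tax records 2014";
  const blob = sealForUpload(note, "correct horse battery staple");
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // simulate a server-side modification
  return {
    providerSeesPlaintext: blob.includes(Buffer.from(note, "utf8")),
    owner: openAfterDownload(blob, "correct horse battery staple").toString("utf8"),
    wrongPassphrase: openAfterDownload(blob, "guess"),
    afterTampering: openAfterDownload(tampered, "correct horse battery staple"),
  };
}
```

Because nothing that can rebuild the key is uploaded, the blob is only as strong as the passphrase: anyone who obtains it can attempt offline guessing, which is why the post stresses a long passphrase.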