I refer the Honourable gentleman to my earlier reply...
And don't call me Dave.
The ongoing revelations about NSA snoopery have prompted The Chocolate Factory to accelerate its effort to encrypt user data at every possible point. Mountain View had already announced that its Google Cloud Storage platform was adding server-side encryption to reassure users. User data uploaded to the service is now being …
To protect themselves from litigation they pay lip service to encryption, yet will hand over the keys to the NSA and GCHQ as required by the respective Governments.
Other Governments will follow suit demanding the keys by changing the laws in the respective countries.
In reality Google encryption is not worth a jot.
If a government asks for decrypted data, then yes Google (or any other provider) would have to hand it over. As a US company they can not be compelled to hand over the keys themselves (or if they did they could always regenerate them immediately, and it's not like there's a "master" key). Far more importantly, this forces the government to ask through legal channels, which up to now they may not have been doing. That's still not ideal, but at least in theory it makes the spooks somewhat more accountable for their actions.
There are often master keys involved - two examples: the private key associated with the certificate used in SSL/TLS, and the password to a password database (e.g. 1Password, KeePass etc).
Coward, if the government requested your data from your own storage your encryption wouldn't be worth a jot either.
"As a US company they can not be compelled to hand over the keys themselves"
Yes they can. They have a UK office. RIPA applies.
"Far more importantly, this forces the government to ask through legal channels, which up to now they may not have been doing"
No, the problem is that the US legal channels are as leaky and uncontrolled as your average banana republic. The mix of laws in the US has resulted in the ability of almost any official to demand information without a shred of due process. There is no NEED to do this illegally, the aggregate of US laws enables such snooping quite legally, without a track record, without any semblance of transparency, legalising what any sensible citizen would call data theft and privacy violations and what used to be only common in 3rd world countries (but there you could probably at least bribe your way out - no such luck here).
THIS is the problem that the whole of Silicon Valley is presently trying to bury under a ginormous pile of marketing and techno-manure: THERE IS NO TECHNICAL SOLUTION TO A FLAWED AND BROKEN LEGAL FRAMEWORK. The whole of Silicon Valley is presently praying to their respective Gods (I assume that is in many cases a large stack of banknotes, but I digress) that the world at large doesn't cotton on to the fact that installing a large safe to guard someone's data is pointless if some random official can come in and force the company to open it or face time in jail. Why bother with cracking if you can get to the person holding the keys? This is also why you should make sure your corporate HQ is nowhere near the US, or you cannot credibly state you don't have the authority or ability to comply.
Expect a truly MASSIVE amount of BS and spin to emerge from US tech companies, because all have by now finally realised that they have a real problem they cannot fix overnight. They can't even "sponsor" their way out with political contributions, because there are now too many bottom feeders making use of those legal flaws to easily turn the clock back. You will see "solution" after "solution" emerge, all with impressive titles, heavy duty crypto studies, shiny new marketing labels, the works. And it will all be privacy theatre.
Because the problem is not technical. Simple, but I suspect it'll have to be repeated often before it sinks in.
If the Canadian government requests an unencrypted copy of my data and they have a warrant, they'll get it. I also can't be sued by my customers for complying with Canadian law in this manner.
If the American government requests an unencrypted copy of my data, I'll tell them to kindly eat a sack of severed dicks. In doing so, I'll prevent myself from being sued by my customers by complying with Canadian law in this manner.
Do you have the capability and willingness to understand what I have written?
Now hand over all your information and don't tell anyone you've done!
I guess it'll at least make it harder for the other security services to get the data. It'll only be the NSA and by extension the GCHQ.
Unless Google want to do business in that country - in which case the same friendly service will be extended to them
Surely the only people who understand the implications of this would also understand how futile it would be?
They aren't doing this to actually keep our information more secure, but to make us feel as though it is more secure.
Given that Google, along with other big name companies like Microsoft, Yahoo, Facebook, Apple and so on were documented as openly cooperating with the NSA, I don't know why we should trust that Google doesn't give the NSA access to our data when we deliver it to them, before they encrypt and write it to disk. Google will deny they do this, of course, but there is probably a "secret law" in place requiring Google to cooperate but requiring them to deny their cooperation.
The only thing that would make me feel (slightly) more comfortable would be if I encrypt the data with a key only I have so it is delivered to Google already encrypted, and sent back to me still encrypted and I have to decrypt it to use it.
Apple's iOS backups work this way if you back up to your own computer (though the encryption is optional, so most probably don't bother) but when you back up to iCloud it is protected by SSL on the way there and encrypted on disk, which is supposed to make us feel secure but I never did even before the Snowden affair. I'd like to use iCloud but wouldn't (and now definitely won't) use it under the current implementation so my backups go only to a Windows 7 VM on my Linux laptop that I use only for iPhone backups. Yeah, I don't back up as often as I should, but at least the NSA hasn't got their hands on that data. I think...
It's not completely futile: making it harder for spooks to illegally obtain data would be a start. But at 128-bits, it's basically marketing.
"The only thing that would make me feel (slightly) more comfortable would be if I encrypt the data with a key only I have so it is delivered to Google already encrypted, and sent back to me still encrypted and I have to decrypt it to use it."
And how do you know that the encryption standard hasn't already been either munged by the NSA (with their hundred million dollar budget to do just that) to make it easily crackable, or they haven't found a flaw that enables the same outcome?
The only way to keep your data safe is to keep it yourself, off net. Even that can be compromised by obvious means, but in any net addressable storage you have to assume that encrypted or not, it's fully open to the National Stasi of America, or their GCHQ poodles. Chinese hacking now looks like the least of anybody's worries.
All in all a real pity. Just as the technology made cloud solutions smart, cheap solutions that enabled clever things to be done, and then the bad guys suddenly make it unwise to use for anything other than backing up family photographs.
And what if your data goes into the cloud ALREADY encrypted by an open-source and well-vetted algorithm? Remember, while the US itself may not publish codes they can't crack, last I checked they didn't restrict the IMPORT of outside algorithms, and there are plenty of sharp minds outside the US.
to rebuild the trust of all those foreign espionage targets, but it's good to see that some big companies develop technology to improve privacy. Now who is gonna check for back doors?
Really? You think this will improve privacy?
Ask yourself one question about this initiative:
Who holds the keys?
Google and other American IT companies are into a humongous shitstorm, thanks to the NSA and pals. Nothing they can do will bring their customers' confidence back. The USA has practically gutted their own IT industry, probably for ever.
Yeah, the Law of Unforeseen Consequences is a bitch, but IMHO this was quite foreseeable. Or did they expect to keep the activities of many tens of thousands of spooks people a secret for ever? Delusional.
That'll be worldwide news. If, by now, any naughty person doesn't know to keep his/her trap shut then he/she probably should be in Guinness.
It'd be interesting to be a fly on the wall in NSA and GCHQ over the next few months to see if there was a statistical drop in the number of important intercepts being made.
Quick, where's my drone fly?
"It'd be interesting to be a fly on the wall in NSA and GCHQ over the next few months to see if there was a statistical drop in the number of important intercepts being made."
Why do you think they made any in the first place?
Encrypt your data. Pay in cash. Put a random MAC address in your wifi device, upload your data from a busy shop with free wifi then restore the MAC. Anyone got a method for transferring large amounts of data without letting an IP address connect you to your account?
One solution: using a "friend's" laptop, a USB version of Tails, connect to the Wifi of an internet café or Airport, encrypt your emails contents and then send using NymServers and Remailers.
Not a very comfortable solution but relatively secure. (Don't use the same laptop or Internet cafe any more than twice in a year.)
Don't forget about the security cameras when you are using the wifi in that shop.
Shit, I forgot about those damned cameras, OK stand outside of the internet cafe whilst wearing a tinfoil hat and rubber mask and don't speak to anyone..
Ever thought that the sight of ANYONE in a mask in the cameras would attract the attention of the plods?
Let's face it. If they have 1984-esque surveillance, they can probably pick up anything you do before it's encrypted. They'll read your screen, scan your fingers, probably even detect the subtle differences in the signal off the keyboard (and they're probably wise to alternate keyboard layouts).
Phew. I can sleep so much easier knowing that Google's data won't be read because it's encrypted.
You mean Google is quite happy to have PB of data that _isn't_ encrypted flying around at the moment?
OK, it's a Google thread but anyone else remember the fuss over Huawei kit being considered "unsafe" by the American gov? Is this really NSA speak for "they told us to f**k off when we tried to get backdoors into their equipment"? Was it a ploy to get world+dog using kit they have been able to subvert?
Just a thought.
More likely, Huawei answered yes to the feature request and provided them with a full documentation to use the feature immediately describing this as a production feature in shipping equipment. If I was the drone in "Агенция Государственной Безопасности" reading the reply I would have choked on my coffee and muffins straight away at that point.
.... but server-side encryption isn't going to persuade anyone with a clue to do business with US-based companies.
Client-side encryption with selectable keyspace size (I have my doubts about AES128 these days) and selectable encryption algorithm is required. Anything less is just PR bullshit.
Every so often I send an email full of random numbers to a throwaway email account. I like to think that I am helping to promote the sale of supercomputers, and thereby helping to boost employment.
Interesting hypothesis: for every non-trivial collection of random numbers, there exists an erroneous key that will cause some decryption algorithm to convert it into a jpeg of a cat.
...or the complete works of Shakespeare...
... but now I'm having doubts about the PRNG and HRNG given the 'oversight' of the usual suspects in the validation of some of these commercial and standards based products....
If you worry about the algos in use then simply read the source code for it - it's not too tricky on Linux/BSD et al or sign an NDA from MS or Apple if that's your bag.
Then compile your own ...
Even if you are using Windows or whatever I'm sure you can find something open to install to use as a source of entropy for your own /dev/random /dev/urandom to feed things. Or run up a VM in VirtualBox VM Player or whatever or pop a Linux live CD in your PC and use that to generate your keys.
I run Gentoo Linux on most of my systems (I can't help but compile everything from source) and frankly I don't feel much safer than the average bod using say Win 7 from the powers that be let alone the real baddies.
Why are there always so many ACs in these sorts of discussions 8)
As per my recent post (http://forums.theregister.co.uk/forum/containing/1951457) - this now sort of covers "data at rest" (albeit 128 bits is, as mentioned, not entirely 'weapons grade').
Box (not sure about GDrive) allow for WebDAV style access (GDrive does periodic sync?) - so I suspect some people will use local encrypted containers (think Truecrypt, ZipFolders, etc etc) mapped as local drives, and sync the container archive (encrypted file) to GDrive/Box.
Thus, even if a provider hands over keys/access to those files, the files are still encrypted - assuming of course the container encryption method utilized isn't compromised as well.
The true tin foil hat wearers will of course access their data via a virtualized/LiveCD machine, via a (decent) VPN - giving three layer encryption. Four if they use VPN and decryption certificates held on another device entirely.
It drives the vector back to being the endpoint, and thus (you'd hope) warrants/process of some kind.
It seems to me that the NSA would only need to ask nicely for the data. A court order is probably not necessary.
For me at least, SSL encryption while in transit and encrypted storage is not sufficient protection, since Google still have full access to whether they decide to decrypt and disclose it.
US companies have proven that they can not be trusted with our data. I will no longer store anything in the US or use US service providers in any way.
... like the online version of Security Theatre?
"Will this make us safer?"
"Well, no, but it will make you *feel* safer, so don't worry your pretty little head about it!"
Who does it prevent from reading my data? Not the NSA or Google, or anyone who hacks into my account.