Lockbox Aims To NSA-Proof the Cloud
Daniel_Stuckey writes "Lockbox, a tech startup founded in 2008, just received $2.5 million in seed funding for its end-to-end encryption cloud service, Client Portal. So, how does end-to-end cloud encryption work? Lockbox encrypts and compresses files before they are uploaded to the cloud. Only a person in possession of the corresponding key can unlock, or decrypt, the files. This means that the NSA, malicious hackers, business competitors, and even crazy girlfriends and boyfriends won't be able to peer into users' most sensitive and private files."
I like the idea (Score:5, Insightful)
But I prefer that my encryption tool and my cloud storage service be completely separate. (How do I know Lockbox isn't sending the keys to the NSA, or whoever?)
Re:I like the idea (Score:5, Insightful)
Re:I like the idea (Score:5, Insightful)
What's to stop me encrypting my files then putting them on normal dropbox?
Re:I like the idea (Score:5, Funny)
tinfoil hats used to be a fashion choice. now they're a necessity.
Re: (Score:3, Interesting)
Having actually done tests on tinfoil hats, we came to the conclusion that tinfoil just doesn't work. Steel wool does though. Maybe you can use the tinfoil to wrap the steel wool to contain it so it's less scratchy.
(and yes, this was real - we needed to determine behavior of a device as it slowly lost its incoming signal - wrapping in steel wool worked great for this.)
Re:I like the idea (Score:4)
For the truly ultra-paranoid conspiracy theorists of you.
No, the ultra-paranoid are thinking about the back doors built into hardware/firmware. Hacking into your network chip without it even reporting activity to you, and silently scanning your computer underneath the OS. Rootkits/backdoors in the OS itself are not only a possibility, they are likely - no matter how much Microsoft denies it. Certainly there is documentation claiming they can at least grab anything in your "Outlook". But once you're in - you're in.
Re:I like the idea (Score:5, Insightful)
Thank goodness most of those chips are made in China!
Re: (Score:2)
NSA rootkit in your OS capturing your key. For the truly ultra-paranoid conspiracy theorists of you.
Yes, but what's the advantage of this new one? Surely the NSA will target it specifically, where I could be using any type of command-line encryptor.
Re: (Score:2)
Properly implemented encryption isn't easily breakable and there's only a few types of usable ciphers out there. Of course this sounds custom and probably proprietary, so in fact there's no reason to trust that at all.
Re:I like the idea (Score:5, Insightful)
Re:I like the idea (Score:5, Insightful)
A friend of mine offered that kind of service quite a few years ago.
It was a backup service. The user had the key. It was encrypted on the user's site, and only encrypted data sent up to the server.
It's not novel. It's a slashvertisment. {sigh}
Re: (Score:2)
Yes, most of the online backup services offer this. Crashplan does the same. I have the keys, they don't.
Re:I like the idea (Score:5, Interesting)
Tarsnap should also be mentioned in this context. It's a business started by Colin Percival, noted cryptographer and BSD developer. The client is 100% open source and runs on your machine. When Colin developed Tarsnap he found existing key derivation functions lacking, so he developed his own memory hard scrypt, which has found wide applications in other areas.
The major problem with "encrypted cloud" solutions is that encryption severely limits what can be done in the cloud. You can basically do encrypted file storage. You can't run virus or spam filters on your data, you can't index it and search it etc. So all the useful features we have in a Gmail session need to awkwardly and inefficiently be re-implemented on the client side.
The providers have very little incentive to do this and transform ad supported free services into paid ones (since data mining no longer works, ad revenue drops dramatically). While I would love encrypted email for everyone, it just won't happen for economic reasons. The NSA affair will be quickly forgotten and people will return to business as usual.
Re:I like the idea (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Yes, most of the online backup services offer this. Crashplan does the same. I have the keys, they don't.
I use CP as well, with a private key. How do you know that they haven't sent that private key to their servers? I don't, but I'm pretty sure they won't do this by default. If it comes out, it's not good for their business. But how about an obfuscated command that tells the local backup program to send the key to them? It would only be used rarely, so it won't be discovered quickly. Can you assure me that such an option does not exist? I can't.
Re: (Score:2)
Re:I like the idea (Score:4, Informative)
Another service offering:
SpiderOak uses AES256 in CFB mode and HMAC-SHA256. SpiderOak uses a nested series of key scopes: a new key for each folder, version of a file, and the individual data blocks that versions of files are composed from. Having keys with such limited scope allows for selective sharing of chosen portions of your data while keeping the remainder private.
Most importantly, however, the keys are never stored plaintext on the SpiderOak server. They are encrypted with 256 bit AES, using a key created from your password by the key derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of random data ("salt"). This approach prevents brute force and pre-computation or database attacks against the key. This means that a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable.
SpiderOak accounts also include a 3072 bit public/private RSA key pair. This is currently not used for anything, but is included with all accounts with the expectation that SpiderOak will add multi-user private collaborative and sharing features which would necessitate the use of the public/private keys.
https://spideroak.com/ [spideroak.com]
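Added example, not part of the comment above and not SpiderOak's code: a sketch of the scheme the quoted text describes, in which a password-derived PBKDF2-SHA256 key (16384 rounds, 32-byte salt) wraps per-folder keys, so the server record holds only salt and ciphertext. All function names are hypothetical, only folder-level keys are modelled, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for AES-256-CFB so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

ROUNDS = 16384   # minimum PBKDF2 round count quoted above
SALT_LEN = 32    # 32 bytes of random salt, as quoted above


def derive_outer_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte outer key; computed on the client only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ROUNDS, dklen=32)


def _subkeys(key: bytes):
    """Split one 32-byte key into independent encryption and MAC keys."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not AES-CFB."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def client_create_account(password: str, folders: dict) -> dict:
    """Build the record that would be uploaded: salt, wrapped keys, ciphertext."""
    salt = os.urandom(SALT_LEN)
    outer = derive_outer_key(password, salt)
    record = {"salt": salt, "folders": {}}
    for name, content in folders.items():
        folder_key = os.urandom(32)  # random key scoped to this folder only
        record["folders"][name] = {
            "wrapped_key": seal(outer, folder_key),
            "data": seal(folder_key, content),
        }
    return record


def share_folder_key(password: str, record: dict, name: str) -> bytes:
    """Unwrap a single folder key, e.g. to hand to a collaborator."""
    outer = derive_outer_key(password, record["salt"])
    return open_sealed(outer, record["folders"][name]["wrapped_key"])


def client_read(password: str, record: dict, name: str) -> bytes:
    """Password -> outer key -> folder key -> plaintext."""
    folder_key = share_folder_key(password, record, name)
    return open_sealed(folder_key, record["folders"][name]["data"])


if __name__ == "__main__":
    # Constructed sample data, not real files.
    rec = client_create_account("correct horse", {"tax": b"2013 return",
                                                  "photos": b"holiday"})
    print(client_read("correct horse", rec, "tax"))
    shared = share_folder_key("correct horse", rec, "photos")
    print(open_sealed(shared, rec["folders"]["photos"]["data"]))
    try:
        open_sealed(shared, rec["folders"]["tax"]["data"])
    except ValueError as exc:
        print("photos key on tax folder:", exc)
```

The guarantee holds only while the client doing the derivation is honest, which is the trust question the rest of this thread argues about.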
Re:I like the idea (Score:5, Insightful)
It would defeat the point. You can probably safely assume they are not sending them right now.
The problem is: in the future, when more than 2 people start using their service --- the chance gets higher and higher over time, that NSA agents will descend upon them, and provide a legal order requiring they insert backdoors into their service, or protocol, or otherwise: provide the NSA with the resources required to get at the content, AND requiring they tell nobody.
In other words : No US-based cloud service can really fight the NSA; unless they are prepared to shutter the service and go to jail for the cause, which is not likely.
An overseas service is even better for the NSA getting a better chance at capturing the data -- because the things that are legal for them to do expand; gathering intelligence on overseas communications falls within their government mandate; and the techniques they employ could include espionage, infiltration into the organization providing the service, and compromise of computer systems and implanting malware bugs.
Re:I like the idea (Score:5, Insightful)
I don't think an overseas service is better for the NSA. They don't have to even pretend to have ethical or legal constraints, but they are limited by international politics. They are stuck asking for cooperation. Or trying to bribe the right people. Within the US they have the full force of the US government behind them and can simply put uncooperative people in jail.
Nevertheless things have reached a point where you might get ideologically motivated people starting anti-NSA encryption systems and there isn't much the NSA can do against someone willing to risk prison or flee the country or shut down their entire company rather than deal with the devil. The NSA and the government in general are used to dealing with people who are easily controlled with nothing more than money.
But, yeah, the NSA can at least shut down pretty much any US based centralized system intended to fight them. Outside of North America and Western Europe it's a different story though. They don't have any legal power to shut down anything over there.
Re: (Score:2)
"Nevertheless things have reached a point where you might get ideologically motivated people starting anti-NSA encryption systems and there isn't much the NSA can do against someone willing to risk prison or flee the country or shut down their entire company rather than deal with the devil. The NSA and the government in general are used to dealing with people who are easily controlled with nothing more than money."
"Might get"???
Haven't you been reading the news?
Re:I like the idea (Score:4, Insightful)
If you go outside of North America and Western Europe, the NSA have big wallets and a bribe is more likely to work. You may think that somewhere like Venezuela hates the US enough to allow a business like this but I guarantee that the average sys admin in Venezuela could be bought for a few hundred. I would opt for a European country with a more sensible legal system like Switzerland. It will take years for the NSA to get in and the fight would be public. I know that they got into the banks but we all knew about it long before they got there. There are still other options with more effective privacy options and zero corruption but outside of Europe you know they are easily bought.
RLY? Switzerland? (Score:3)
It's been done already:
Re:I like the idea (Score:5, Insightful)
Tpb was raided due to a threat from USA regarding an embargo towards Sweden.
So, well, if bloody Hollywood can put that type of pressure on a country, I believe a branch of the government can as well.
Re:I like the idea (Score:4, Funny)
if bloody Hollywood can put that type of pressure on a country, I believe a branch of the government can as well.
Hollywood is a branch of the US government!
Re:I like the idea (Score:5, Insightful)
You misunderstand. Hollywood is the propaganda arm of US government. As a result, while it does enjoy significant protection of US government as to enable it to perform its task (financially self-sustainable domestic and international propaganda), it most certainly does not command US government beyond its ability to influence the puppets, otherwise known as politicians in the same way that other similar agencies can influence the same puppets.
It still has to combat all the other agencies, and in that game agencies like NSA and CIA hold much stronger cards as they have blackmail material on everyone, as well as ability to simply remove people they do not want.
Re: (Score:2)
That's not Exactly true.
If a service provides an open source encryption routine, and also, perhaps, but not necessarily required, an open source transfer routine for the already encrypted files, you could air gap the encryption task from the transfer task, and even with a court order and a shot gun to their head, the company couldn't give your data away.
Spideroak has promised to open source their client for exactly this reason. So far they haven't delivered.
Re:I like the idea (Score:4, Informative)
you could air gap the encryption task from the transfer task, and even with a court order and a shot gun to their head, the company couldn't give your data away.
The order could say to covertly insert a backdoor of the NSA's choosing in the "open source" client; or provide the NSA operatives root access to the server that distributes the client binaries, and the keys to push out a new release of the software.
Someone maintains the code that the users are using. And the maintainers could very easily be subject to a gag order; to not discuss the covert backdoor, even if it's visible in the open source code ----- it doesn't have to be, though: most people will just download the project's (NSA-patched) binary builds of the release.
Re: (Score:3)
When someone is buying a security product, and buying one that specifically bills itself as open source you can bet there will be many many sets of eyes on the code. It only takes one person to spot something like that, and you would be able to add your own layer of encryption on top of what was already in the open source.
So, no, open source is not as easy to beat as you suggest.
Re: (Score:3)
If it were my choice, there wouldn't be any. The installer pulls down a well-known compiler (say a specific version of gcc) from a server known to publish it and source code from our source code server, builds it, and installs that.
Ah, but if the NSA tampers with the binary, the installer covertly puts down something else as well; as in it puts down the compiler, downloads the source, compiles it, and then as the last step before linking: quickly applies a binary patch to a .O file, and then links them,
Re: (Score:3)
Re: (Score:2)
Re:I like the idea (Score:5, Insightful)
In other words : No US-based cloud service can really fight the NSA;
The key to fighting the NSA is to provide a completely transparent API.
And then rely on 3rd parties to deliver software that uses the API.
Even if the NSA knows that I have an account with the cloud service, they don't know what client I use (and even if I do, the client is on my equipment, not "service based"; there is no easy target to send a gag order to).
Essentially, dropbox, skydrive etc are all perfectly suitable cloud services.
What we need them to do is open them up wide open to 3rd party client development.
Re: (Score:2)
Anyway on this particular subject I think you have hit the nail on the head. The key to long term security is to completely open up the API and separate the client side components so that third parties can use the service with their own software or with the software that you have provided them dire
Re:I like the idea (Score:4, Interesting)
Re: (Score:2)
In other words : No US-based cloud service can really fight the NSA; unless they are prepared to shutter the service and go to jail for the cause, which is not likely.
Seems like a dandy way to make enough money to leave the USA, though. Start cloud service, collect money, put it in offshore banking like all the actual criminals in government. Eventually the NSA serves you an order, you leave the country and then shutter the service and publish the order, spending your days drinking Mai Tais in a non-extradition country.
Re:I like the idea (Score:5, Interesting)
But I prefer that my encryption tool and my cloud storage service be completely separate. (How do I know Lockbox isn't sending the keys to the NSA, or whoever?)
It's pointless anyway against the NSA. Seriously. Every single modern operating system (including on routers) has tons of unpatched exploit vectors. There's even a black market for them. The NSA can just infect your machines and ex-filtrate your data and/or the encryption keys... See the previous story:
Hell we have multiple celebrations of insecurity every year called "computer security conferences" where without fail new systems are compromised. How can you even look at stuff like Pwn 2 Own, and not have your brain melting in cognitive dissonance as you try to believe there are network attached scenarios where your data is safe from the NSA?
You want your data kept secret? Use whole drive encryption on machines that are never connected to any networks -- And even then there's the Ken Thompson Microcode Hack [bell-labs.com], so your systems could be theoretically pre-hacked from the factory... I won't buy a CPU that has remote cellular capabilities... Like Intel's Sandy Bridge [techspot.com]. Laughed my ass off when I heard about that! "Security Feature" indeed. At least if the machine can't get on the networks there's a much lower chance of your data escaping if it's pre-hacked.
I don't know of any hacker worth their salt -- black, gray or white hat -- that doesn't have a directory of unpatched zero day exploits.
I keep mine in: ~/with/great/power/comes/great/responsibility/
Me having to navigate the directory structure has saved many a newb... The NSA has no such sensibilities.
If the data's encrypted, they assume it could be from a foreigner, and thus give themselves license to get at it, and they can.
This is what happens when you let Threat Narrative run amok.
Re: (Score:2)
Re: (Score:3)
It's pointless anyway against the NSA. Seriously. Every single modern operating system (including on routers) has tons of unpatched exploit vectors. There's even a black market for them. The NSA can just infect your machines and ex-filtrate your data and/or the encryption keys...
If you are individually targeted by the NSA, then yes, you probably don't stand much of a chance. But they couldn't use that kind of attack vector en masse without it being discovered fairly quickly, so it still helps against dragnet fishing.
Re: (Score:2)
Most compression algorithms use a dictionary, if you knew approximately the dictionary was in the data stream it should make it fairly easy to guess the key wouldn't it?
Compressed English for example would have many similar dictionaries amongst most digests. Knowing the most common dictionary entries statically analyzing the cypher text would result in a clear text digest which in turn would be trivial to reveal the message.
Of cours
Re: (Score:2)
But I prefer that my encryption tool and my cloud storage service be completely separate. (How do I know Lockbox isn't sending the keys to the NSA, or whoever?)
I use Crashplan for online and local backup. They have two options for encryption. The program itself can generate a key, which is shared with CP. When you lose the key, they can get it back, and your files are still safe. You can create your own key, which is only saved locally on your computer. If you lose it, all backups are lost. I've thought about this many times, and there is no way of knowing that this key is being sent to CP, for me at least. And probably this key is never sent, but then there is no
Obligatory 5 dollar wrench. (Score:4, Funny)
http://xkcd.com/538/ [xkcd.com]
Re: (Score:3)
Re:Obligatory 5 dollar wrench. (Score:4, Insightful)
With the recent "revelations" (they're not), it would be obvious that xkcd was pretty far off the mark here. The NSA is engaging in a far-reaching fishing expedition that is not practical to conduct with wrenches.
But on the other hand if their "far-reaching fishing expedition" doesn't give them the information they want, and they want it badly enough, a wrench always works.
Re: (Score:2)
With the recent "revelations" (they're not), it would be obvious that xkcd was pretty far off the mark here. The NSA is engaging in a far-reaching fishing expedition that is not practical to conduct with wrenches.
But on the other hand if their "far-reaching fishing expedition" doesn't give them the information they want, and they want it badly enough, a wrench always works.
Some people simply won't give in, even if you use that wrench on their loved ones.
Re: (Score:2)
With the recent "revelations" (they're not), it would be obvious that xkcd was pretty far off the mark here. The NSA is engaging in a far-reaching fishing expedition that is not practical to conduct with wrenches.
But on the other hand if their "far-reaching fishing expedition" doesn't give them the information they want, and they want it badly enough, a wrench always works.
Some people simply won't give in, even if you use that wrench on their loved ones.
Yes but that's the sort of person the NSA really is interested in. My secrets, I'd give up in a heartbeat in that situation.
Re: (Score:2)
Even so, this service does not protect an individual against wrenches.
Re: (Score:2)
Even so, this service does not protect an individual against wrenches.
Indeed it doesn't, but a wrench is not guaranteed to work either.
Re: (Score:3)
Even so, this service does not protect an individual against wrenches.
Indeed it doesn't, but a wrench is not guaranteed to work either.
If the wrench does not work, you're holding it wrong.
Re: (Score:2)
2. Two sets of logins: One set of credentials is to your normal account, the other has a login/startup script that wipes the private key and DoD wipes the free space
3. When the NSA asks for your password, give them the wipe password
Congratulations, the NSA can beat you with a wrench all they want, it's not possible for you to give them the encryption key anymore.
Re: (Score:3)
Dream on (Score:2)
Whatever the encryption is, you can bet your bottom dollar bill that the NSA is at least two decades ahead of it.
Re: (Score:2)
Whatever the encryption is, you can bet your bottom dollar bill that the NSA is at least two decades ahead of it.
That's why, if you want it really secure, you leverage their own security.
Hack an NSA/TLA network, and store your encrypted data right alongside of their data.
You could hide your data on Obama's Blackberry servers, or on Gen. Alexander's, Valerie Jarret's, or Clapper's machines.
For extra happy-fun-time, make sure to include some CP, bestiality, and snuff films in separate files/folders, and then out them publicly. Sauce for the gander. :)
The US government has by their own actions declared a de-facto no-rule
Wuala (Score:2)
If they want you (Score:2)
They will just attach to your PC 'end point' and get their data before you encrypt.
There is no hiding at this point of the game. Well, really it's been that way for a bit now, just most people who knew this were called tin-hatters and paranoid. It's nice to be vindicated, sometimes..
Re: (Score:2)
The big telco and computer brands handed over clear text making life much more easy but old methods are still waiting for anyone.
Re: (Score:3)
Great idea but... (Score:4, Insightful)
...based in California - cannot trust the security... ...UK - what is security? ...Australia - the FBI asked us nicely...
Re: (Score:2)
...based in California - cannot trust the security... ...UK - what is security? ...Australia - the FBI asked us nicely...
You have some fine words there, now you just need to put them in order to form a sentence :-)
They're actually Australian-based, according to this press release [lock-box.com]. Not that it helps much - with a strong US presence they are still vulnerable to national security letters.
If only the hardware wasn't already compromised (Score:5, Insightful)
Re:If only the hardware wasn't already compromised (Score:5, Interesting)
The thing about Ken Thompson's theoretical attack is that it would inevitably be detected. It's an interesting thought experiment, but a functioning example that would be able to discern the right program to attack (and differentiate between a kernel and a userspace application) has not been shown as far as I am aware.
Re: (Score:2)
2. You can decompile binaries and verify nothing has been added.
Clown Computing!!!?? Stop already. (Score:3, Interesting)
Can we stop pretending that "The Cloud" has actual meaning, technical relevance, etc..?
Do we really have to go back to the fracking mainframe with all our eggs into one (someone else's) basket,
and at the mercy of whatever corporate greed du jour? Your Brains! They are SOOOO CLEAN!
We have so much computing power and bandwidth in the home and office that it should be perfectly feasible
to go exactly the other way, do away with the stupid client/server model and go 100% P2P, keeping
one's own data on one's own hardware in one's own home.
ISP's that go symmetric and neutral will survive.
Re: (Score:2)
While I'm not a huge fan of cloud services, they *do* provide me with one huge benefit: the sync/backup service I use provides live versioning, so when something goes horribly wrong on a document that I don't notice until several saves have gone by, I can easily restore it. The only comparable programs I've found either tapped my drive/CPU near-constantly enough to slow the system down or required extensive manual configuration.
Re: (Score:2)
Sure, ok, but that only means you have a well-designed backup service, and that has nothing to do with where it stores its data: It could be saving to your own device, or to devices at one or more trusted parties *of your choice*. In essence, towards devices managed by people that you have a mutual agreement or a true definable trust relationship with.
I'd like to hear *one* example of a useful application that is better off in "the cloud" than implemented with other schemes, even a bunch of VM's in your own
Re: (Score:2)
I'd like to hear *one* example of a useful application that is better off in "the cloud" than implemented with other schemes, even a bunch of VM's in your own data center. All I can think of are one-off raw-power activities using only publicly available data. And even those could be distributed if you have an adequate web of trust.
The usefulness is not so much that the cloud is better, but it's much cheaper and much more available for clients with smaller budgets. Having a 200GB backup service for $10 a month, or my own server for $20 a month, with high availability, high speed upload and download. I can't offer that here at home (slow upload, no offsite backup) or elsewhere (much more expensive, more difficult handling the hardware in case of trouble).
Is it really safe / free (libre) software? (Score:2, Informative)
In this month's Free Software Foundation news Bulletin the FSF points to what appears to be a similar offering that is free software friendly:
https://leastauthority.com/press_release_2013_07_30
I took a quick look at lockbox and nothing I saw screamed free software. I could be wrong. Maybe they are even using the same underlying software as LeastAuthority. However they haven't advertised that clearly enough (on front page). I'd be concerned in using a service that is more concerned about looks, isn't clear, a
Trusted client? (Score:2, Interesting)
What's to stop the intelligence agencies from compelling the company to produce a compromised client? For example, logging the encryption keys somewhere, or subtly introducing flaws into the algorithm... I mean, right there on their website, "Only naive users would trust their cloud vendor" - so instead trust us - we *promise* we won't let the NSA sneak anything into our software...
About the only way you could have any real confidence in this is if you write your own client to manage all the encryption and
Wishful thinking (Score:2)
Until they are served with a secret order telling them (i) to install key escrow backdoor and/or (ii) until NSA starts implanting trojans onto the suspects' computers (like FBI did with some of the Tor users recently, exploiting an unpatched vulnerability in the TorBrowser - http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail [slashdot.org] ).
Encrypts and compresses? (Score:2)
the cloud is dead (Score:5, Interesting)
At best the service will simply be shut down by the NSA if they cannot compromise it. Lockbox claims to use client side encryption. If the system is executed perfectly and all of your data is fully encrypted before it leaves your computer this might be difficult, but if the service is shut down you will probably lose your data anyway. Which means you will need a local backup which would seem to ruin the point. I think it's about time to admit that saving any data on a remote server in the US, UK, or close allies of either has to be considered to be stored by the NSA/GCHQ and forwarded to other law enforcement agencies if deemed appropriate. And international cooperation in this regard among close allies cannot be ruled out.
In the sort of privacy-hostile environment currently faced in the US, UK and much of the world going full tin foil hat is the only way. Any information you want to remain private has to be encrypted by a system fully under your control before it leaves your computer and your passphrase has to not just be secure, but NSA/GCHQ secure. And it wouldn't hurt to toss in some multifactor authentication and steganography as well.
Re: (Score:2)
Also recall many nations have sent their officer class to the US. They will recall the best years of their lives while working in the telco/security sectors...
Then comes the "just this once" telco/OS favour
Close allies or cold war friendships - or a nation's law enforcement - it's not your cloud.
Re: (Score:2)
The NSA couldn't shut down PGP (though they did try unsuccessfully to restrict the public's access to it), and Snowden said it's still secure.
Re: (Score:2)
nas (Score:2)
SpiderOak does it without using Java (Score:3)
SpiderOak [wikipedia.org] has had client-only encryption/decryption using 2048-bit RSA & 256-bit AES for its sync/backup/versioning service for years -- I believe ever since they opened in late 2007. That sure sounds like what this newcomer is touting, except that SpiderOak also has free 2GB accounts with live versioning, and uses binary executables on all platforms to do the encryption/decryption (Lockbox uses a Java web client, which I thought was a security no-no).
FWIW, I don't get jack out of pointing out SpiderOak. I've just been really relieved that it has restored documents that I completely fucked up (live versioning FTW) and think it's seriously overlooked/underrated.
PGP (Score:2)
We already have PGP, which is open-sourced. Will this be better and easier to use?
Online or Secure (Score:3)
Pick one
Need to close their US office (Score:5, Insightful)
Seriously. If they want to be taken seriously as offering a service proof against the NSA, they need to not be an American company and to not have any physical US operations. Otherwise a secret FISA order (e.g., issue a client update that sends the encryption keys along with the next batch of data), and their customers are screwed.
No cloud service (or any other service) in the US can be trusted.
Lastpass does that for Passwords (Score:3)
This is how LastPass.com works. Very good idea and works well but I must trust that future updates are not modified by an "NSA Patch" or some sort of court order.
One way to somewhat "NSA Proof" it would be to separate the encryption and storage software.
Storing an encrypted Linux container on a service like crashplan.com works well
Truecrypt+Dropbox? (Score:2)
Which is defeated by the rubber hose. (Score:2)
If someone wants it bad enough, they will get it. Not only does it apply to cryptography, it also applies to traitors like Edward Snowden.
He will be found, prosecuted, convicted, and imprisoned.
Re: (Score:2)
While the people doing the releasing of documents will find themselves as accessories to whatever crimes the Snowden gets convicted of in court.
All that while the persons that helped locate, prosecute, and convict will be the true patriots - without any fear of retaliation.
I think they underestimate the cloud (Score:2)
I think they underestimate the sheer power of the NSA's cloud. If they decide to sic it on a particular encrypted file, they *will* gain access. We're talking about tens of thousands of servers working to decrypt a file.
Sure they can't do it for every piece of data they're interested in, but if they want something badly enough, they will decrypt it.
Re: (Score:3)
Yawn. Yet another tech answer to what isn't a tech problem to start with. I suspect there will be gazillions more coming your way over the next few months because all the Silicon Valley entrepreneurs want to milk that market before people realise they've been had: IT IS NOT A TECHNICAL PROBLEM.
For a US based company it is 100% pointless to install any defence mechanism if some random official can walk in and ask for corporate data - the owner has to offer the data, unlocked.
For any organisation outside t
The Root Problem (Score:4, Interesting)
The root problem, appalling pun gleefully intended, is political, not technical.
Between unlimited resources and questionable legal tactics, the NSA and other sigint agencies can and will always compel or bribe that which they cannot hack. Software crowbars, legal hammers, and moneybags of grease are everything they need. For every new solution, they will create a new problem.
The only guaranteed solutions are either the (don't hold your breath) complete abolition of these government entities, with no successor remakes, or the courts and Congress must hamstring them with crystal-clear transparency (still possible, but politically unlikely).
To believe otherwise underestimates the present unfettered powers, technical, legal, and financial, of the government.
Pricing? (Score:2)
£500 a year for 20 users, and 15 GB?
Really?
It seems what is needed here is to give up some (Score:2)
convenience. No modern OS should be used, no modern hardware, and no internet connection. I'm going to dig out my old 386 computer, stack of OS/2 floppies, and an old copy of PGP that I have on a floppy from when it first came out. The encrypted files will be stored on 5" floppies in my off-site safe and if they need to be shared with others, it will be done by sneaker net.
Wait, isn't that what Al Qaeda does? Wait, if that is what Al Qaeda does, why is the NSA monitoring everything on the internet? Wha
OK Hypothetically (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re:not secure (Score:4, Interesting)
Re: (Score:2)
I wouldn't trust anyone but myself with my private keys, and I certainly wouldn't trust anyone else to generate private keys for me.
But you trust a program on your computer to generate those keys? Or have you compiled from source? Have you checked the source before compiling? Are you 100% sure no keylogger software or hardware is present?
Re: vigintillions (Score:2)
Urban Dictionary: vigintillion ~ www.urbandictionary.com/define.php?term=vigintillion
a very large number: 1000000000000000000000000000000000. used when wanting to sound smart.
LOL... also used when actually smart (IMO) but I thought that was funny result when I looked it up
Re: (Score:2)
mystery interior astrologers joy evil foreshow providence
fragrance Thou remindeth draught far_out_man deliverest
fit conceit urged to-day worketh strengthened seasons
genius wilderness stroke partaketh rudely edit departest
wavered adapted Jews don't_worry don't_even_think_about_it
contrite
Re: (Score:2)
Dunning-Kruger is becoming the new Godwin.
Re: (Score:3)
Didn't Al Gore already invent this a long time ago?
Al Gore invented inventions. So basically - yes.
Re: (Score:2)
Good security practices were built on a few basic building blocks/books/skill sets and an ever expanding acceptance of the 'cloud'.
Data and passwords were to be trusted in some distant network with very little thought or understanding.
Now we all understand more and can educate others