Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Plans Service to Store Users' Data Online

Posted by Zonk on from the could-have-used-this-two-weeks-ago dept.

achillean wrote this morning with a link to the Wall Street Journal, announcing plans we've all seen coming for a while: an online data storage service from Google. Though the article doesn't come out and call the project 'gDrive' or anything like that, it does indicate the service could be available within the next few months. "Google's push underlines a shift in how businesses and consumers approach computing. They are increasingly using the Web to access applications and files stored in massive computer data centers operated by tech companies such as Salesforce.com Inc., Microsoft Corp. and Google. Such arrangements, made possible by high-speed Internet connections between homes, offices and data centers, aim to ease users' technology headaches and, in some cases, cut their costs."

1 of 155 comments (clear)

  1. AES security and crypto in general by Beryllium+Sphere(tm) · · Score: 3, Informative

    As the old saying goes, if you count on crypto to solve all your problems you don't understand crypto and you don't understand your problems.

    The point that your data can and will be attacked while it's in plaintext is well taken. A networked machine running a web browser (the Sendmail of the 21st century) is a low security device, even with a good operating system. Google for "Scarfo", the mobster who was using PGP but also had an FBI keylogger on his computer.

    As regards AES, though, we've got good reason to think it's resistant to cryptanalysis. The NSA is also in charge of protecting government secrets from foreign snoops and has approved AES for protecting classified data.

    The low security of a workstation cuts both ways in an argument about gDrive: because your data is already at risk sitting on your hard drive, storing it encrypted on gDrive might not be any worse.

    Security without threat modeling is like bricks without straw. What are we protecting data against? Loss, primarily. I trust Google's backups more than I trust mine (but I'd tell a client to look for a provider willing to sign an SLA). Unauthorized copying by crackers? AES should be an adequate control to cover that risk. Subpoenas? An attorney with two brain cells to rub together will subpoena the decryption keys, so no help from AES there. Vacuum-cleaner style mass government surveillance, looking for keywords like "Tibet" or "Falun Gong"? AES should prevent that. Government criminal investigation? You could (in the US) argue that surrendering the keys would be self-incrimination and end up paying a lawyer lots of money to argue the point for years. Expensive and undependable security, but then in a criminal investigation there's not much security difference between gDrive and your local machine anyway.

    If you have security needs you should do an analysis like that last paragraph, only longer. For lots of people encrypted files on gDrive might be just fine.