Lockbox Aims To NSA-Proof the Cloud
Daniel_Stuckey writes "Lockbox, a tech startup founded in 2008, just received $2.5 million in seed funding for its end-to-end encryption cloud service, Client Portal. So, how does end-to-end cloud encryption work? Lockbox encrypts and compresses files before they are uploaded to the cloud. Only a person in possession of the corresponding key can unlock, or decrypt, the files. This means that the NSA, malicious hackers, business competitors, and even crazy girlfriends and boyfriends won't be able to peer into users' most sensitive and private files."
But I prefer that my encryption tool and my cloud storage service be completely separate. (How do I know Lockbox isn't sending the keys to the NSA, or whoever?)
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
We need a service like this and pretty soon Google Drive and the rest should hopefully follow suit to keep up with the Joneses...
http://xkcd.com/538/
Serious? Seriousness is well above my pay grade.
Good luck with that, they own the cloud.
Whatever the encryption is, you can bet your bottom dollar bill that the NSA is at least two decades ahead of it.
And on the Eighth Day, Man created God.
... exists. But as mentioned by bondsbw, you can't control whether it sends your keys to a third party.
The summary contains the word "cloud". Next please.
They will just attach to your PC 'end point' and get their data before you encrypt.
There is no hiding at this point of the game. Well, really it's been that way for a bit now, just most people who knew this were called tin-hatters and paranoid. It's nice to be vindicated, sometimes..
---- Booth was a patriot ----
So what stops the feds from seizing your 'cloud' and locking it up in the impound?
“He’s not deformed, he’s just drunk!”
...based in California - cannot trust the security... ...UK - what is security? ...Australia - the FBI asked us nicely...
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
It says Lockbox will do the encryption, which means Lockbox knows the encryption keys, which means that the NSA will ask for and receive the encryption keys from Lockbox.
Sounds like a job for... Well, any of the millions and trillions of safer, free, open source software utilities which can do the exact same thing without exposing your keys to some third party.
I wouldn't trust anyone but myself with my private keys, and I certainly wouldn't trust anyone else to generate private keys for me.
For that matter, I don't trust my data to be safe in anyone else's computer, but I guess that's OT.
The price of serving up many copies of a single-page PDF describing how to use a myriad of freely available tools to encrypt before upload?
PT Barnum was never more right.
This would be the perfect cover. The NSA creates a company that says it can hide you from NSA. PROFIT!
Without known-secure hardware and an OS to run it, all the fucking encryption in the world don't mean squat. And before the fanbois scream, "Lunix is Teh Shiznit Seckyoor!" remember that you have to know the compiler is safe as well (*cough*Ken*Thompson*cough*).
This will work until they get the NSL, then it is over as with anyone they send one to.
If you honestly think they are screwing with you and you're probably gonna get disappeared anyways you might as well be obnoxious as shit and just change keyboards, discs and video cards A LOT, like troll ebay for whatever junk you feel like, so they have to constantly be re-rigging everything.
Didn't Al Gore already invent this a long time ago?
In Soviet Russia, dot slashes YOU!
Can we stop pretending that "The Cloud" has actual meaning, technical relevance, etc..?
Do we really have to go back to the fracking mainframe with all our eggs into one (someone else's) basket,
and at the mercy of whatever corporate greed du jour? Your Brains! They are SOOOO CLEAN!
We have so much computing power and bandwidth in the home and office that it should be perfectly feasible
to go exactly the other way, do away with the stupid client/server model and go 100% P2P, keeping
one's own data on one's own hardware in one's own home.
ISPs that go symmetric and neutral will survive.
In this month's Free Software Foundation news bulletin the FSF points to what appears to be a similar offering that is free software friendly:
https://leastauthority.com/press_release_2013_07_30
I took a quick look at lockbox and nothing I saw screamed free software. I could be wrong. Maybe they are even using the same underlying software as LeastAuthority. However they haven't advertised that clearly enough (on front page). I'd be concerned in using a service that is more concerned about looks, isn't clear, and might even be snake oil.
If somebody has the time to take a better look please post a reply with the relevant facts and links to the source/evidence/etc.
What's to stop the intelligence agencies from compelling the company to produce a compromised client? For example, logging the encryption keys somewhere, or subtly introducing flaws into the algorithm... I mean, right there on their website, "Only naive users would trust their cloud vendor" - so instead trust us - we *promise* we won't let the NSA sneak anything into our software...
About the only way you could have any real confidence in this is if you write your own client to manage all the encryption and use it as a dumb storage backend. And that assumes you can trust the OS and all the other software on your computer - I mean, the company pretty much has to operate out of a country, and that country probably has provisions in its law to compel co-operation with police investigations or intelligence agencies.
All they need to do is rock up with a court order that includes non-disclosure provisions, and wham, next time something auto-updates you're screwed. And if you don't install the updates, there's probably _something_ on your computer that phones home that could be used to identify your system and use all the un-patched vulnerabilities to sneak in a keylogger or similar.
You're probably better off writing coded letters, but even that is highly vulnerable to a wrench attack.
Until they are served with a secret order telling them (i) to install key escrow backdoor and/or (ii) until NSA starts implanting trojans onto the suspects' computers (like FBI did with some of the Tor users recently, exploiting an unpatched vulnerability in the TorBrowser - http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail ).
Cyphertite's end-to-end system is already up and working. And inexpensive storage and fully open-source. And supports all major and minor platforms. What the fuck else could you want?
One would hope they do the compression first otherwise there's very little point.
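Added example, not part of the thread and not Lockbox's code: a sketch of the client-side pipeline the summary describes (compress, then encrypt, then upload an opaque blob), which also measures the point above about ordering. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for a vetted AEAD such as AES-GCM; the function names, blob layout, work factor and sample data are all assumptions.

```python
import hashlib
import hmac
import os
import zlib

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example

# Constructed sample input: repetitive log lines, which compress well.
SAMPLE = b"2013-08-15 03:00:01 backup ok host=fileserver01 files=1284\n" * 1500


def derive_keys(passphrase, salt):
    """Derive independent encryption and MAC keys on the client only."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (stand-in cipher)."""
    out = bytearray(len(data))
    for block_no in range((len(data) + 31) // 32):
        pad = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        start = block_no * 32
        for i, byte in enumerate(data[start:start + 32]):
            out[start + i] = byte ^ pad[i]
    return bytes(out)


def seal(passphrase, plaintext):
    """Compress, encrypt, authenticate. Layout: salt(16) | nonce(16) | ct | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = keystream_xor(enc_key, nonce, zlib.compress(plaintext, 9))
    header = salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_blob(passphrase, blob):
    """Verify the tag before decrypting; reject wrong keys and modified blobs."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified blob")
    return zlib.decompress(keystream_xor(enc_key, nonce, ciphertext))


def wrong_order_size(passphrase, plaintext):
    """Size when encrypting first and compressing afterwards (ciphertext looks random)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, _ = derive_keys(passphrase, salt)
    return len(zlib.compress(keystream_xor(enc_key, nonce, plaintext), 9))


if __name__ == "__main__":
    pw = b"constructed example passphrase"
    blob = seal(pw, SAMPLE)
    print("plaintext bytes:        ", len(SAMPLE))
    print("compress-then-encrypt:  ", len(blob))
    print("encrypt-then-compress:  ", wrong_order_size(pw, SAMPLE))
    print("round trip ok:          ", open_blob(pw, blob) == SAMPLE)
```

The storage provider only ever receives the output of `seal`; the passphrase and derived keys never leave the client, which is the property several commenters say they cannot verify in a closed-source client.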
At best the service will simply be shut down by the NSA if they cannot compromise it. Lockbox claims to use client side encryption. If the system is executed perfectly and all of your data is fully encrypted before it leaves your computer this might be difficult, but if the service is shut down you will probably lose your data anyway. Which means you will need a local backup which would seem to ruin the point. I think it's about time to admit that saving any data on a remote server in the US, UK, or close allies of either has to be considered to be stored by the NSA/GCHQ and forwarded to other law enforcement agencies if deemed appropriate. And international cooperation in this regard among close allies cannot be ruled out.
In the sort of privacy-hostile environment currently faced in the US, UK and much of the world going full tin foil hat is the only way. Any information you want to remain private has to be encrypted by a system fully under your control before it leaves your computer and your passphrase has to not just be secure, but NSA/GCHQ secure. And it wouldn't hurt to toss in some multifactor authentication and steganography as well.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
So how is this any different from Kim Dotcom's Mega service?
Why would you put your personal data in "the cloud"? It seems to me that there are plenty of just-as-secure options in NAS, or have I been duped by that as well?
As this is an American company the doors are open for the NSA.
Anybody know a similar service sold by a European outfit,
or maybe even better a BOLIVIAN one ??
but I've learned that when it's American it can't be trusted.
1. sshfs
2. ecryptfs
Can I get 2.5 million dollars as well?
DejaDup dejavu much? As in http://en.wikipedia.org/wiki/Duplicity_(software) contains pretty much all of this, just needs a tiny bit of polish more for the masses to understand it.
SpiderOak has had client-only encryption/decryption using 2048-bit RSA & 256-bit AES for its sync/backup/versioning service for years -- I believe ever since they opened in late 2007. That sure sounds like what this newcomer is touting, except that SpiderOak also has free 2GB accounts with live versioning, and uses binary executables on all platforms to do the encryption/decryption (Lockbox uses a Java web client, which I thought was a security no-no).
FWIW, I don't get jack out of pointing out SpiderOak. I've just been really relieved that it has restored documents that I completely fucked up (live versioning FTW) and think it's seriously overlooked/underrated.
Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
We already have PGP, which is open-sourced. Will this be better and easier to use?
So, the obvious FUD here is that separating the encryption from the data storage service is pointless due to the various reasons given. There are many reasons why you wouldn't want data to be readable given it was obtained without the user's permission. I would imagine MOST data that is obtained without the user's permission is ILLEGAL in fact and not as a result of NSA (etc).
Let's assume the user encrypts the data themselves, which should be (by default) entirely separate from the service provider. Every possibility provided about how this encryption might be beaten could of course happen, but ASSUMING THEM ALL IN PERPETUITY is PURE AND 100% FUD. All encryption could be beaten eventually. All encryption should be independent of the network and the data storage service for reasons of interception. If a user encrypts the data on their desktop, then they could be using a) any client, b) any encryption protocol, c) any key(s). These ALL would have to be dealt with by somebody who illegally obtained your data.
Also, if you happen to be a data storage provider and you receive a warrant for a particular user's data, you must comply. BUT, you cannot in any way be made responsible for something you fundamentally are not responsible for, so although you might provide some layer of protection on the data, any user encryption scheme would be 100% external to you.
Pick one
Nobodies Prefect
Tidbits for Techs Technology Blog
Seriously. If they want to be taken seriously as offering a service proof against the NSA, they need to not be an American company and to not have any physical US operations. Otherwise a secret FISA order (e.g., issue a client update that sends the encryption keys along with the next batch of data), and their customers are screwed.
No cloud service (or any other service) in the US can be trusted.
Enjoy life! This is not a dress rehearsal.
Even if you trust their (noble) goals. And even if you trust your computer hardware and even if you trust your OS. And even if your encryption software is perfect and bug free. All of this is meaningless. They [NSA, FBI, GCHQ, ASIO, HBO, FOX] can still find out a) if you have an account and b) how many files you have. Then judicious use of a monkey wrench will render the entire stack useless. The weakest element is always the human element.
http://xkcd.com/538/
Until a National Security Letter forces Lockbox to push out an update with an NSA backdoor.
The simple truth is you can't offer secure (as in safe from NSA et al) services as a US-based company - or with any part of your infrastructure located there.
Privacy has been outlawed; only outlaws have privacy.
I'm a writer for the Guncelist-Tr site and I follow your site through translation. You share interesting topics.
you are so easily fooled.. I'm not going to get into all the false bullshit you lap up. but one thing I do know: you know nothing of the NSA or blackhat culture, other than what the mainstream media has fed you - parrot.
Ads on article? You can do the same with an owncloud hosted on your private server.
What's new on that?
This means that [none will] be able to peer into users' most sensitive and private files
Until a flaw, a bug or a highly effective encryption method is found.
Nothing is forever!
Urban Dictionary: vigintillion ~ www.urbandictionary.com/define.php?term=vigintillion
a very large number: 1000000000000000000000000000000000. used when wanting to sound smart.
LOL... also used when actually smart (IMO) but I thought that was funny result when I looked it up
There's much more attention on privacy and encryption these days. Did Snowden's revelations really change the pros and cons of following good security practices all that much?
Even Tahoe-LAFS, after years of being largely ignored, is finally getting some recognition.
I'm not complaining. I like that more people are caring about things that I care about. But I get the feeling that people are going too far with this.
This is how LastPass.com works. Very good idea and works well but I must trust that future updates are not modified by an "NSA Patch" or some sort of court order.
One way to somewhat "NSA Proof" it would be to separate the encryption and storage software.
Storing an encrypted Linux container on a service like crashplan.com works well
Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
I don't see the value add of Lockbox. It sounds like what I'm doing now with the Truecrypt/Dropbox combination.
If someone wants it bad enough, they will get it. Not only does it apply to cryptography, it also applies to traitors like Edward Snowden.
He will be found, prosecuted, convicted, and imprisoned.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I think they underestimate the sheer power of the NSA's cloud. If they decide to sic it on a particular encrypted file, they *will* gain access. We're talking about tens of thousands of servers working to decrypt a file.
Sure they can't do it for every piece of data they're interested in, but if they want something badly enough, they will decrypt it.
I do not fail; I succeed at finding out what does not work.
Linked blog post needs to research its facts a bit better.
It says "It's also worth nothing that Lockbox developed the encryption libraries that Google uses in its Android operating system." which is completely incorrect.
The Legion of the Bouncycastle developed the crypto libraries used in Android many, many years before Lockbox was formed.
I just use GPG on client side, encrypt, and then transfer the files to any cloud service. The service doesn't have the key and their client cannot get at my key. The only way would be to infiltrate my system, bundle malware into GPG, or use the rubber hose on me, all of which are rather extreme scenarios! :-P
The only reason we are even allowed to _have_ encryption is because the NSA can break it. If there were actually an encryption algorithm they couldn't break, it would be criminalized immediately.
Now, kneel before your new Gods.
The root problem, appalling pun gleefully intended, is political, not technical.
Between unlimited resources and questionable legal tactics, the NSA and other sigint agencies can and will always compel or bribe that which they cannot hack. Software crowbars, legal hammers, and moneybags of grease are everything they need. For every new solution, they will create a new problem.
The only guaranteed solutions are either the (don't hold your breath) complete abolition of these government entities, with no successor remakes, or the courts and Congress must hamstring them with crystal-clear transparency (still possible, but politically unlikely).
To believe otherwise underestimates the present unfettered powers, technical, legal, and financial, of the government.
Scruting the inscrutable for over 50 years.
£500 a year for 20 users, and 15 GB?
Really?
convenience. No modern OS should be used, no modern hardware, and no internet connection. I'm going to dig out my old 386 computer, stack of OS/2 floppies, and an old copy of PGP that I have on a floppy from when it first came out. The encrypted files will be stored on 5" floppies in my off-site safe and if they need to be shared with others, it will be done by sneaker net.
Wait, isn't that what Al Qaeda does? Wait, if that is what Al Qaeda does, why is the NSA monitoring everything on the internet? What is their real purpose?
sparkleshare, the open source dropbox alternative already offers end-to-end encryption, for free ...
You deploy an app that is actually capable of NSA-Proofing the internet. How long do you reckon it'd be before someone pulls up next to your car at a light and shoots you in the ear? I doubt they'd actually be that unsubtle, but you know what they say... "Accidents happen ALL the time... to people who try to NSA-Proof the Internet."
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I was going to say something similar. EncFS + rsync over ssh. Somebody slap a GUI on my ugly shell script and let's sell this thing!
In our case, we create an end to end encrypted connection from the browser to your hardware (located at the place you want) which runs your server ( a privacy friendly platform ). We also let you migrate seamlessly from our cloud to your hardware. We started a couple of years ago as well, and currently support file storage, ebook (pdf) view, search and share; and a photo-album system. Please do check us out: https://register.blib.us/ - In the past month we doubled our pre-alpha users, and we are looking for more early adopters. We hope to revamp our webpage next week.
Focusing on the network can also mean taking it back into our own hands:
https://commons.thefnf.org/index.php/FreeNetworkStack :-)
If lockbox is not open source then there is no way to be sure what is going on or what is happening to those keys. Perhaps they are appended to the end of the "encrypted" file with Lockbox's own key? Encrypt on your own first with a program you can probably trust (there is no 100% certainty even for open source).
If you want a good test to see if this service can actually do what it claims then watch the company closely and see if there is a move by the government to shut it down or otherwise strong arm it into being co-opted.
I would opt for a European country with a more sensible legal system like Switzerland. It will take years for the NSA to get in and the fight would be public. I know that they got into the banks but we all knew about it long before they got there. There are still other options with more effective privacy options and zero corruption but outside of Europe you know they are easily bought.
Poppycock:
http://en.wikipedia.org/wiki/Crypto_AG
http://cryptome.org/jya/nsa-sun.htm
There's fighting without fighting, as the late Mr Lee would say.
The problem is "NSA agents will descend upon them, and provide a legal order requiring" something, as you say.
Make that ineffective. Host end doesn't hold any keys is easy. Now make the client end that uploads open source AND externalise the key handling and algo choice from the client. A script into Truecrypt is a crude example of externalising.
Now, if the upload client suddenly starts wanting keys or anything else unnecessary the user will be suspicious, and the knowledgeable can scrutinise the code.
Two points:
- Most other first-world countries have actual privacy laws. Which are actually enforced. The US is unusual in having no such laws. The fourth amendment is supposed to restrain at least the government, but lack of enforcement makes it pretty meaningless.
- If you go outside of first world countries, with the possible exceptions of China and Russia, the governments simply do not have the resources to spy on their entire population.
So the US is unique: A lack of effective privacy legislation combined with a government that does have the resources to monitor essentially everyone.
Enjoy life! This is not a dress rehearsal.
For people like me in India, 256 kbps connections are still pretty much considered "broadband" and are expensive enough. With such a connection the security implications of Cloud storage matters less than whether it is feasible at all to use it in the first place. For example I've got about 300 Gb of data on my harddrive and about 5 Gb on my Google Drive which I spent around 10 days uploading with the patience of a saint! I simply won't be able to upload all my data to any Cloud with the kind of connections here. Besides losing control of your data, Cloud is also dependent on the network quality, and that's the big killer for much of the world. Data duplicated across two different hard disks ought to be very safe, for individual users. Companies would of course need to maintain copies at several geographic locations. The great advantage of Cloud is mobility, but with storage densities increasing much of that attraction is getting diluted too. Combine that with loss of control and security risks and I can't see what the great fuss is about.
There is an additional security hole here that I'd love to see a solution to-- how to hide your patterns of access. The NSA is every bit as interested in who is accessing what data, when and where, as it is in the contents of the data. If a person of interest has accessed an encrypted file, then other people who access that same file are also very interesting. The actual contents of the file may just be icing on the cake.
I've been using IPsec for years. I bet the reason they are not using IPsec is because they can't patent troll it. That and I compress files BEFORE the encryption step since that uses less CPU for the encryption step.
now we need to go OSS in diesel cars
I've been recommending to clients to use GPG to encrypt their backups to the cloud for a very long time now for simple hacker-proofness, NSA aside.
It shocks me that these cloud companies are storing private data online for people in the first place.
- Michael T. Babcock (Yes, I blog)
In other news, one of the documents leaked by Edward Snowden shows that the NSA has contributed $2.5M in seed funding for encryption-related businesses.
leave it on your pc? Send it to your friend over the internet?
I've got this great business plan that entails people running GPG or PGP to encrypt their data before uploading it somewhere. Oh yeah, and paying me money too for the idea or something.
It's been done already:
http://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html
If your children ever found out how lame you are, they'd murder you in your sleep
Any encryption will be broken, it is just a matter of time. And we can expect NSA to have first grade encryption cracking capabilities.
The first line of defense when trying to keep data private is to avoid leaking it, even encrypted.
It wasn't funded recently by someone acting as if they weren't employed by the NSA by chance was it?
The simple thing about encryption is it's rather like taking a Loom and laying it over your two dimensional data field. Then working a shuttlecock back and forth over it to weave it into the "fabric" of the encryption media.
Unfortunately, no matter the algorithm that is used, randomness is a myth.. in reality it does not exist. By definition it is a pattern that cannot be discerned.. but that is the trap.
As soon as you weave your data into the Tapestry, you combine the two patterns and reduce the randomness. The larger the Tapestry the easier it is to see the data hidden beneath. Worse the more sophisticated the algorithm, the easier it becomes to separate the real data from the algorithm.
Stenography is kind of at odds with this.. a known or perceived pattern is co-mingled with data to be hidden and offers up not obfuscation but distraction.. which is the real data?
There isn't a true way to hide data for very long.. the only good insolvent.. is to send short messages entwined with contextual meaning which is never repeated.
Wuala, http://www.wuala.com/ has been doing the client side encryption for quite some time. They also offer lower prices than Lockbox, including a free tier.
They won't ever catch up with a government that essentially prints its own money to fight against terrorism.
http://arstechnica.com/security/2013/08/feds-plow-10-billion-into-groundbreaking-crypto-cracking-program/
Currently, SpiderOak isn't very private when sharing (hence the "expectation" sentence above). The core reason is that their sharing keys are server-side (see - https://spideroak.com/blog/20120507010958-increasing-transparency-alongside-privacy). Conversely, all Lockbox keys (and certificates) are purely client-side (there are no server-side keys) so that the "cloud" only ever stores encrypted blobs and is totally "blind" to all information being exchanged. If Lockbox got a legal (or NSA) demand they couldn't hand over anything except encrypted blobs of data (as they just don't have the keys). If SpiderOak got a legal demand, they'd have to hand over their shared data (as they do have access to the sharing keys).
Good idea if either it's open source or based in Venezuela or somewhere... Otherwise, say hi to the TLA visitors you're about to have.
Relying on SSL/SSH only protects the socket between you and the server that you're talking to - which may not be the server that you think you're talking to. You are including a whole lot of stuff in your trust circle. Now if you meant use OpenSSL or similar libraries for your encryption core, then I agree.
This website is just a copy of mega.co.nz, why is this news?