Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Encryption On the Rise In the Cloud and Mobile

Posted by Soulskill on from the setting-a-standard dept.

dkatana writes: Overall, demand for encryption is growing. Cloud encryption services provider CipherCloud recently received a $50 million investment by Deutsche Telekom, which the company said positions it for "explosive growth" this year. The services are designed to allow corporations to benefit from the cost savings and elasticity of cloud-based data storage, while ensuring that sensitive information is protected.

Now, both Apple and Google are providing full encryption as a default option on their mobile operating systems with an encryption scheme they are not able to break themselves, since they don't hold the necessary keys.

Some corporations have gone as far as turning to "zero-knowledge" services, usually located in countries such as Switzerland. These services pledge that they have no means to unlock the information once the customer has entered the unique encryption keys. This zero-knowledge approach is welcomed by users, who are reassured that their information is impossible to retrieve — at least theoretically — without their knowledge and the keys.

12 of 83 comments (clear)

  1. Except in the UK! by infolation · · Score: 4, Funny

    Courtesy of our beloved prime-minister's entirely feasible encryption ban.

    1. Re:Except in the UK! by Anonymous Coward · · Score: 2, Informative

      Dual layers are pretty much required too. Use some FOSS to encrypt it locally, then do it again on the cloud. No single point of failure or single point of pressure.

    2. Re:Except in the UK! by __aaclcg7560 · · Score: 4, Insightful

      We can't allow politicians to turn the Internet into a police state, that is something that happens in China and North Korea, it can't happen in Europe

      *cough* 1939 *cough*

    3. Re:Except in the UK! by __aaclcg7560 · · Score: 2

      You don't need the Internet to turn Europe into a police state, as the rise of Adolf Hitler proved in 1939. China and North Korea were police states long before the Internet ever reached their borders.

  2. It's just moving your trust to someone else by Rosco+P.+Coltrane · · Score: 5, Insightful

    So this-or-that company promises you unbreakable encryption or that they won't poke their nose in your data. Do you trust them? I don't. All it takes is a little firm chit-chat from the national security agency of the country your data is hosted in, and your "safe" data isn't safe anymore.

    If you really insist on putting files and shit in the cloud, encrypt it yourself before uploading it. Better yet, run your own server and provide yourself with your very own fucking cloud. Those who want real security aren't lazy and do the work themselves.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:It's just moving your trust to someone else by c0d3g33k · · Score: 5, Interesting

      So now you are placing your trust in those who wrote the code that runs your server or encrypts your data (or did you write it yourself?). Better than believing "trust us - we don't track you/log you/etc" (looking at you, Startpage and DuckDuckGo), but you have to trust someone unless you do it all yourself from scratch. That's not possible for most people, including myself. So most of us are left with choosing amongst Faustian bargains. That fucking sucks, but seems to be the reality in modern times. And it gets even better, because if you end up choosing the best shitty compromise that actually kind of works, you flag yourself for extra scrutiny because you are using an effective solution. FML. I'm going for a hike in the woods with my dog. Ahhhh. That's better.

    2. Re:It's just moving your trust to someone else by mrchaotica · · Score: 2

      Do you have an example?

      To my naive understanding, the output of any encryption should appear random. Then, encrypting anything random should also be random -- the only effective difference should be that you now need (some mathematical function of) both keys to decrypt it.

      I could accept that the above could be wrong, but I'd love for you to explain why it's wrong.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  3. Re:Good luck with that. by ledow · · Score: 5, Insightful

    It doesn't matter.

    Don't trust them? Encrypt your data with a private key before you upload it to them.

    The point of encryption is that you can just give your encrypted data to people. Without the key, there's bugger-all they can do with it. You don't HAVE to trust them. You just have to ensure they don't have the key. And why would they need to?

    Hence, don't trust them. Don't believe them. Who cares? Encrypt it yourself anyway, and it's game over.

    And, if you want to get really pedantic, so long as you NEVER provide them with the public or private keys yourself, there's no way they can decrypt it. Now, they may be embedded in their software, or potentially accessible by their app, or whatever, but that's for you to determine. If they can't get your keys, it doesn't matter what happens on their end. That's the whole point of encryption.

    And exactly why use of it has exploded. It's as simple as not giving Samsung, Google, Apple, etc. your actual KEYS but letting them hold your data.

    Don't trust them, if you don't want to, because you have absolutely no need to do so in order to let them hold your (encrypted) data.

  4. No means to access encrypted data is misleading by Mercury2k · · Score: 2

    Really now, you have to be an idiot to think that the companies that provide encryption have absolutely _no_ means to break your encryption. Sure, they may not be able to break the encryption by brute force (nobody can really), but they are being misleading. The lie, if you were to call it such, is that anyone that can push software updates to your device, can also push malware to it. This includes software designing by governments with unlimited funds to develop such malware to steal your encryption keys, and issue warrants that order said software companies to push it down to your device. About the only defense against such attacks would be a device that has no "back door" means around authentication while the device is turned on, and one which you never put online for updates from IP addresses that are known to be used by your device, nor serial numbers that uniquely identify your device, so the manufacturers can't target you for delivery of the payload from the authorities.

    Come on people, wake up and smell the coffee. Headlines only hype the "we can't break the encryption" stories so the real idiots, the criminals, think they can get away with anything they want. Hopefully the thicker skull monkeys among us actually read this enough times for it to sink in ;)

  5. Welcome to the new reality by Virtucon · · Score: 2

    This isn't going to be good for the NSA or other government agencies trying to snoop into your data but like a thief there will be some way that they'll find a weak point. Whether that's a weak key, a weak cipher some flaw in the negotiation protocols or brute force they'll find some way to get into it. They could just outlaw strong encryption technology as "munitions." I just thought that being a private citizen, one who values his privacy, wouldn't necessitate playing cat and mouse with my personal communications or data. If it's my possession, in my house, in my car there's constitutional safeguards against unreasonable searches and seizures. If it's transmitted to a server outside of my control or across the Internet or even a waxed string between two bean cans then those protections somehow vanish and my own government collects every piece of data they can about me like sweeping up so many fish in the ocean. To me that's not liberty, it's fascism. Secret courts with secret rulings, your information warehoused in Utah on who you called, where you went, who you emailed. That's not my country and doing it to fight "terrorists" doesn't work as an excuse either. I'm already migrating to overseas e-mail services and offshore cloud storage services and that's a shame because I should be able to have the same rights to privacy as somebody in Switzerland.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  6. can't trust what you wrote either by raymorris · · Score: 2

    >. write it yourself?). Better than believing "trust us - we don't track you/log you/etc" (looking at you, Startpage and DuckDuckGo), but you have to trust someone unless you do it all yourself from scratch.

    Even if (especially if) you wrote it from scratch yourself you can't trust it. Just ask the folks who wrote Apple's SSL implementation, or openssl. They wrote it and later found out that it wasn't actually we secure. Unless you can prove that you're MUCH better at encryption than the openssl guys are ...

    I recently tool a look at some password storage a colleague did. He was sure it was secure because he didn't store plaintext passwords, only hashes of them. It took about 60 seconds for me to tell him his password.

  7. lack of salt by raymorris · · Score: 2

    He didn't salt the hashes, so it was a simple lookup