Silk Road forums
Discussion => Security => Topic started by: SilkRoadRambler on August 10, 2013, 10:14 pm
-
By itself, I mean. Are there any services out there you particularly would trust and not trust? Many of their claims make them sound air-tight.
-
never trust the cloud with anything you consider private or confidential. At best, there will be people in the cloud company who can access your data (and they do, no matter what they say) and at worst, it's them and one or more governments who can ultimate get it.
If you really need a cloud because you need to access stuff from a multitude of platforms in many different physical places, consider setting up your own cloud at home. for a couple of hundred quid you can buy the server - then (as always) you just need to make it secure. (yes, I know that sounds easy to say but still, it's not the end of the world to do).
-
Thanks, abby.
The thing is I use a file in the cloud as a repository of passwords so I can retrieve them from anywhere as needed. Do you have any other ideas for doing that besides creating my own server? And pen and paper obviously... or my phone or a usb drive... or my brain... those aren't always there! I like not having to have anything tangible with me.
-
Assuming safemail is as trustworthy as is claimed (ie the best of a bad lot) how about making an email account there purely to store your passwords? If you're going to be using your phone as well as a pc when you're out and about I can only think to create a draft email, paste them in there and save it. that way it's always sitting there.
if you're going to be using a phone to access it then I don't think there's a phone based encryption app to decrypt it so you'll have to leave it as clear text and hope your details aren't intercepted as you log in. I've not been able to get the tor stuff for andriod to play nice so I can't give you any tips on that and you'd have to assume that your connection to safemail is as secure and your connection to any other online site that you need to log into via the phone (ie not at all really).
In theory you're a small fish in the eyes of those who carry a badge (from what I remember of your postie thread) but still, you need to take care to keep it safe.
Astor or one of the others who know more about this stuff will hopefully come past and fill in the gaps or perhaps suggest something better.
-
No. There are only two outcomes for centralized, third party cloud storage. They either decrypt your data and hand it over to LE, or they shut down like Lavabit did (and Silent Circle did with its mail service). If they make it technically impossible to decrypt your data, LE will compel them to change that until they are forced to shut down.
-
It is too general of a question. The answer is that it depends on how they implemented it. I don't know how any of the cloud providers out there right now work, but I have read whitepapers on some cryptographically secure ones. The best designs use encrypted keyword search / private stream searching. Everything you upload to the cloud is encrypted client side, and you can retrieve it by searching for keywords, without the server being able to tell the keyword you are searching for or the encrypted file that you get from it. So that is pretty secure I think, although it still has some problems, unless files are padded they could possibly be fingerprinted based on their exact bitsize. I would in general suggest that you never store sensitive things on remote third party servers like that, but some of the whitepapers for cryptographically secure cloud storage look fairly solid to me.
-
Think of cloud storage as a hard drive sitting at FBI or FSB headquarters. If you've encrypted everything well enough that you're sure they can't read it, then well...they can't read it. If you're guessing correctly about what they can/can't read.
But what are you buying yourself? It's not in your physical possession, so if your house burns down, or if somebody shows up to search it, the data isn't there. But the other questions to answer:
1. Does your computer have any forensic records of you accessing the cloud storage?
2. If the cloud provider pulls a list of all IPs of connections to your cloud storage over the past X years, will they find any that lead back to you?
3. Are you paying for it? Is there a chain back to you there?
Generally, the difference between "secure cloud storage" and "insecure cloud storage" is how much effort the provider puts into writing shit to convince you it's secure. So with a "secure cloud storage" provider, you know that either they're more secure, or they just have better folks writing bullshit copy. You can't tell the difference from where you're sitting. If you're using their code to encrypt your data, you're still screwed. One court order to backdoor their code, and presto. It's the Hushmail problem all over again.
If you encrypt it yourself, manage your keys properly, pick the right encryption, and never pay for or connect to it in any way that leads back to you, then it might be a decent solution.
But probably not as good of a solution as a cheap hard drive, good disk encryption, and a shovel.
-
The whole point of the cloud computing movement is to do away with private ownership of material. Why are people embracing transhumanist global consolidation ideas? Because everyone from birth to senior citizen is instructed by television etc to think we need this crap.
-
Thanks for the answers, everyone. I guess I just like the idea of knowing I can retrieve sensitive info no matter where in the world I am. I use a lot of passwords. Perhaps I just need to get better at password creation and retention, because I have forgotten several in the past and that has come back to fuck me over. I just can't trust my memory to retrain ten or twenty 24 character passwords that involve using near random character sequences.
I know Last Pass claims that all encryption is done client side... of course I don't know if anyone has a way to prove that. It makes me a little worried, but I don't do anything that would be worth the trouble of a serious investigation I don't think. I just prefer being overly paranoid.
I guess for files I need to store online I cam encrypt on my own computer and then upload to the cloud if I really need to make sure they can be retrieved, although needing PGP to do it just adds a little bit of hassle. But I guess that's the price to be paid...
-
Last Pass is garbage, use KeePass or Bruce Schneier's password encryption program.
If you must back it up each time look into Bittorrent Sync (encrypt it first, then sync).