Ubuntu One needs cloud encryption like LastPass does it
Dale Amon
amon at vnl.com
Fri Apr 6 00:41:47 UTC 2012

I would not be so harsh on these companies. They
are very quietly *told* that they will comply
with the will of certain agencies. Or else. And
they are not allowed to tell their customers. Or
else... But they are trying to sell security. So
what are they going to do? They are going to
do a doublethink and try to give you something that
is Mostly Secure. Except against certain parties.

The encryption key cannot sit on the 3rd party site.
It has to be resident on your own computer and
under the owner's control only. You cannot access
secure data anywhere from any computer. You can
only access it from particular machines on which
you have your secure key, or via a USB key that
contains a copy of the user key.

The user's password for their crypto key should
never, ever go out across the internet. It should
happen locally, within the secure machine.

This is all Crypto 101. It's not like it was
something new or strange.

I do not know the details, so I will ask: is it
the case that:
* The user crypto key is generated on
  the user machine.
* The password for the user key is set on
  the user machine and never leaves it.
* The user crypto key never leaves their
  machine(s).
* The user's password for their crypto key
  is never used outside the confines of their
  local machine.
* The data is fully encrypted on the user
  machine and only encrypted data transits
  the net and sits on the storage server.
* The encryption algorithm is such that
  no key except the one on the user's
  machine can decrypt the remotely stored
  data.

Unless all four statements are true, the data
is *not* safe.

If the statement made in the other reply is true,
and you can 'retrieve your data from any internet
device' then it is patently obvious that data
security *is* violated.

Dale Amon
CEO
Immortal Data Corporation
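
The data path that the checklist in the message above asks about, as an added example that is not part of the original post and is not Ubuntu One or LastPass code: the key is generated locally, data is encrypted before upload, and no other key opens the stored blob. The function names and sample plaintext are constructed for illustration, AES-256-GCM is an assumed choice since the post names no algorithm, and protecting the key at rest with a password is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes reads n bytes from the OS CSPRNG on the user's own machine.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// localCipher builds AES-256-GCM from a 32-byte user key that is never uploaded.
func localCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts locally; nonce||ciphertext||tag is all that transits the net.
func seal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open decrypts a stored blob; a different key or a modified blob is an error.
func open(g cipher.AEAD, blob []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	mine, _ := localCipher(randBytes(32))
	other, _ := localCipher(randBytes(32))
	blob := seal(mine, []byte("constructed sample notes")) // what the server stores
	_, wrongKeyErr := open(other, blob)
	fmt.Printf("stored %d bytes; other key rejected: %v\n", len(blob), wrongKeyErr != nil)
}
```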