Ubuntu One needs cloud encryption like LastPass does it

Jason Todd jtodd929 at hotmail.com
Fri Mar 23 23:36:53 UTC 2012


Guys, please read these (or listen to the podcasts): 
http://www.grc.com/sn/sn-256.htm
http://www.grc.com/sn/sn-257.htm

Things being said seem to conflict with what I learned from this episode of Security Now on how LastPass works. Essentially: LastPass is very secure and no one can access the data except the user.



> Date: Fri, 23 Mar 2012 18:25:04 -0500
> Subject: Re: Ubuntu One needs cloud encryption like LastPass does it
> From: jordon at envygeeks.com
> To: smickson at hotmail.com
> CC: ubuntu-devel-discuss at lists.ubuntu.com
> 
> On Fri, Mar 23, 2012 at 1:34 PM, Sam Smith <smickson at hotmail.com> wrote:
> > Everything you said, you can do with LastPass: "make it more convenient,
> > access your files from anywhere (including the website), stream your own
> > music, share your files"
> >
> > Using secure encryption that occurs on the computer before it leaves for the
> > cloud does not prevent any of the things you seem to think it does.
> 
> The other gentleman is correct, for a service to be considered secure,
> in real world terms and real world application you would not have
> access to your data in decrypted form via a website, you would only be
> able to download the encrypted pieces.
> 
> Secure encryption is not so secure when you decrypt it from a website
> using a server that you originally tried to avoid having encrypt it.
> What I am saying is, what is so secure about the encryption you are
> using if you let a third party decrypt it, one that can obviously
> intercept your key quite easily and decrypt it anytime they want to.
> It's no more secure than just having them encrypt it with their own
> keys that they make up for you, sort of like Dropbox. Actually, it's
> a false sense of security they are giving you at this point, and in my
> eyes a fraudulent claim of being more secure than others because 'you
> control the encryption key' when in all honest opinions, they could
> just intercept it anytime they wanted to so you are back to square
> one. At this point, secure is out the door, and it's just become
> another Dropbox, actually, one that just hasn't been called out about
> it yet. Be round-a-bout with your terminology all you want so people
> don't realise that they are no more secure than they were but the
> truth is still there when you read between the evasion.
> 
> The short of the short is, for a service to be truly secure the
> company hosting it must not have access to any of the encryption keys
> and only the encrypted data, your data is either encrypted and
> unavailable, period, or your data is decrypted and available, not a
> false sense of security where Jim thinks he's secure because he
> controls the encryption key, not realising that the company claiming
> he's more secure because he controls the encryption key, can in fact
> intercept said key anytime they want to.  It's not security, it's
> not-so-clever marketing.
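The two designs argued over in this thread, as an added example that is not part of the original messages and is not Ubuntu One's or LastPass's code: a file encrypted on the user's machine, then read back either locally or through a website that decrypts on the server. PBKDF2, AES-256-GCM, the `Host` class and all sample values are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Runs on the user's machine: the key is derived from the passphrase locally.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, 100000, 32, 'sha256');
}
function clientEncrypt(passphrase, plaintext) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}
function decrypt(passphrase, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, blob.salt), blob.iv);
  d.setAuthTag(blob.tag); // final() throws if the key is wrong or data was altered
  return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
}

// Hypothetical storage provider that remembers everything it is ever sent.
class Host {
  constructor() { this.blobs = new Map(); this.secretsSeen = []; }
  upload(name, blob) { this.blobs.set(name, blob); }
  // Design A: the host only ever returns ciphertext.
  download(name) { return this.blobs.get(name); }
  // Design B: the website decrypts server-side, so the passphrase is sent to it.
  webView(name, passphrase) {
    this.secretsSeen.push(passphrase);
    return decrypt(passphrase, this.blobs.get(name));
  }
  // What the operator can read later using only what reached the server.
  operatorRead(name) {
    for (const p of this.secretsSeen) {
      try { return decrypt(p, this.blobs.get(name)); } catch (e) { /* wrong key */ }
    }
    return null;
  }
}

function demo() {
  const pass = 'constructed-sample-passphrase', doc = 'constructed sample document';
  const a = new Host(), b = new Host();
  a.upload('notes.txt', clientEncrypt(pass, doc));
  b.upload('notes.txt', clientEncrypt(pass, doc));
  return {
    localRead: decrypt(pass, a.download('notes.txt')), // decrypted on the client
    hostA: a.operatorRead('notes.txt'),                // host never saw a secret
    webRead: b.webView('notes.txt', pass),             // decrypted on the server
    hostB: b.operatorRead('notes.txt'),                // host can now read it
  };
}
```
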