<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'> Guys, please read these (or listen to the podcasts): http://www.grc.com/sn/sn-256.htm http://www.grc.com/sn/sn-257.htm Things being said seem to conflict with what I learned from this episode of security now on how lastpass works. Essentially: LastPass is very secure and no one can access the data except the user. <div><div id="SkyDrivePlaceholder"></div>> Date: Fri, 23 Mar 2012 18:25:04 -0500 > Subject: Re: Ubuntu One needs cloud encryption like LastPass does it > From: jordon@envygeeks.com > To: smickson@hotmail.com > CC: ubuntu-devel-discuss@lists.ubuntu.com > > On Fri, Mar 23, 2012 at 1:34 PM, Sam Smith <smickson@hotmail.com> wrote: > > Everything you said, you can do with LastPass: "make it more convenient, > > access your files from anywhere (including the website), stream your own > > music, share your files" > > > > Using secure encryption that occurs on the computer before it leaves for the > > cloud does not prevent any of the things you seem to think it does. > > The other gentleman is correct, for a service to be considered secure, > in real world terms and real world application you would not have > access to your data in decrypted form via a website, you would only be > able to download the encrypted pieces. > > Secure encryption is not so secure when you decrypt it from a website > using a server that you originally tried to avoid having encrypt it. > What I am saying is, what is so secure about the encryption you are > using if you let a third party decrypt it, one that can obviously > intercept your key quite easily and decrypt it anytime they want to. > It's no more secure then just having them encrypt it with their own > keys that they make up for you, sort of like drop box. Actually, it's > a false sense of security they are giving you at this point, and in my > eyes a fraudulent claim of being more secure then others because 'you > control the encryption key' when in all honest opinions, they could > just intercept it anytime they wanted to so you are back to square > one. At this point, secure is out the door, and it's just become > another drop box, actually, one that just hasn't been called out about > it yet. Be round-a-bout with your terminology all you want so people > don't realise that they are no more secure then they were but the > truth is still there when you read between the evasion. > > The short of the short is, for a service to be truly secure the > company hosting it must not have access to any of the encryption keys > and only the encrypted data, your data is either encrypted and > unavailable, period, or your data is decrypted and available, not a > false sense of security where Jim thinks he's secure because he > controls the encryption key, not realising that the company claiming > he's more secure because he controls the encryption key, can in fact > intercept said key anytime they want to. It's not security, it's > not-so-clever marketing. > > -- > Ubuntu-devel-discuss mailing list > Ubuntu-devel-discuss@lists.ubuntu.com > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss </div> </div></body> </html>