Comments on The Invisible Things Lab's blog: (Un)Trusting the Cloud
Blog author: Joanna Rutkowska
22 comments. Feed updated 2023-11-24T09:52:43.963+01:00

Anonymous, 2011-06-14T11:07:41.290+02:00
What program do you use as keychain?

Joanna Rutkowska, 2011-06-01T14:38:56.987+02:00
@Anonymous: I might want to share my holiday photos with just a group of friends, and not necessarily with the whole rest of the world.

Anonymous, 2011-06-01T14:37:18.832+02:00
@ruleant

Surely the purpose of social networking is 'to share' - thus, the concept of putting data on a social network which you wish to keep private is kind of an oxymoron, surely?

Joanna Rutkowska, 2011-06-01T09:51:26.736+02:00
@d2: the usual way to ensure code matches the source code is to build the code (compile it) and compare the hashes.

d2, 2011-06-01T09:06:55.054+02:00
Add passpack to the list of encrypted cloud storage apps you didn't know about.

As for publication of code, how'll you ever ensure that the live code is the same as the published code (what's the point, in other words)?

Anonymous, 2011-05-31T18:44:49.739+02:00
A partial approach would be to have some kind of proxy that encrypts any files that go to "the cloud" on the fly. This would avoid modifying the application and even allow you to move this encryption engine to a different VM. Of course, cross-platform support might be tricky but could possibly be done at the router level (with an open source router).

Nicolas Wagrez

Dieter Adriaenssens, 2011-05-31T13:28:02.633+02:00
Interesting read.

Some time ago I was thinking about protecting data you share on social network websites, and I came to a similar conclusion: encrypt everything before it leaves your PC/device: http://ruleant.blogspot.com/2010/10/open-source-social-networking.html

I guess this principle not only applies to clouds, social networking, internet data storage, ... but to all data you are willing to share with others on a public network (if you are conscious/paranoid enough to protect it from being read by anyone else).

Joanna Rutkowska, 2011-05-31T10:20:15.573+02:00
What I really would like to see is a client-encrypted calendar/task list service. With apps for iOS, Mac, Linux.

Cool that such things as Wuala, Firefox Sync, or Lastpass exist, although I cannot say anything about their security. Why don't they publish the sources of their client code (except for Firefox Sync, I guess)? Do they at least sign their client apps?

Anonymous, 2011-05-31T10:19:10.514+02:00
Good read, thanks Joanna!

Do you know about Syncany? It's a cloud storage with client-side encryption and multiple storage types (from buckets to imap or images).

C. Brocas, 2011-05-31T08:36:11.989+02:00
As previously said, client-side encryption efforts exist in mainstream software/services like Firefox (Sync). You are able to rely on Mozilla Sync cloud storage or on your own sync server.

Another effort is syncany ( http://www.syncany.org/ ), where plugins provide you different types of storage backends (imap, rackspace, amazon etc.) for your encrypted file chunks.

You are totally right, Joanna, the last thing that owns all the keys is ... the client-side device.

But nowadays, in companies, when you are speaking about the security aspect of a cloud project, even client-side encryption/protection is not seen as a requirement. It is often seen as a cost for a non real threat. So speaking about client device security, you are right, it is not as easy as it should be.

Great article.

Bye Christophe

Anonymous, 2011-05-30T19:24:04.171+02:00
@Joanna:

Any comments on Wuala service?

Joanna Rutkowska, 2011-05-30T18:44:47.539+02:00
@Anonymous: Whether you must manage 3 passwords, or 33, or 333, or 3333 passwords -- it all takes the same amount of effort. In each case you should remember only the master password/PIN.

Anonymous, 2011-05-30T18:39:22.104+02:00
More passwords to manage? It will never become mainstream.

zintia, 2011-05-30T14:13:43.709+02:00
Very interesting but.. for instance I have a lot of documents in docs.google.com
How can I encrypt them?
Is it possible?

Ryan M. Ferris, 2011-05-30T06:37:50.240+02:00
It's difficult not to be convinced of a plot against privacy. Whether it is location tracking cell phone (being abused by the feds), "cloud computing", Operating Systems and Hardware with obvious security flaws, long-term 'co-operation' between telcos and governments...

Do we each need to invent our own protocols, cellular technologies and encryption to achieve privacy?

Anonymous, 2011-05-29T18:07:12.634+02:00
With all the API buzz for each service, would it be hard for the security community to develop tools for client-side encryption?

ciastek, 2011-05-29T12:57:42.347+02:00
LastPass does that - https://lastpass.com/whylastpass_technology.php

Shmerl, 2011-05-29T03:57:51.659+02:00
I agree fully, and like the previous commenter also want to point out Mozilla's sync:
http://www.mozilla.com/en-US/mobile/sync/

Such kind of encrypted services are supposed to be the norm, not the exception.

Anon, 2011-05-29T03:28:29.186+02:00
As for online/cloud storage, there are already a few services which provide a "client-side-encrypted cloud service".
Take the Swiss "Wuala" for example: You can store and back up your files, sync them between your computers and also share them with other people. It's based on "Cryptree, a cryptographic tree structure which facilitates access control in file systems operating on untrusted storage." (http://dcg.ethz.ch/publications/srds06.pdf)
Every file that leaves the client gets encrypted, split into smaller fragments (Reed-Solomon) and then sent into the distributed cloud (meaning: some Wuala servers in Europe and many peers).
You can also mount the online storage into the filesystem to access your files faster. It also has file versioning and deduplication ("global deduplication" unfortunately, but that's presumably gonna change/become optional afaik).

More info about the security here: http://www.wuala.com/blog/2011/05/wualas-encryption-revisited.html

It's my first try "clouding" my data because this time I don't need to trust the company but only their client software. Unfortunately, encrypting everything before uploading also means there's no way to retrieve the password if you forget it, but we will have to become accustomed to that, I think, because that's simply how encryption rolls.

Anonymous, 2011-05-28T22:05:07.487+02:00
You might be interested in Firefox Sync (formerly Mozilla Weave), the protocol used in Firefox 4 for synchronization of user bookmarks, browsing history, etc., between multiple instances of Firefox on different systems. It doesn't exactly match your proposed system but does have the same general goal of storing only encrypted data in the cloud.

Google "firefox sync" for how it's explained to end users, and "how does weave use cryptography" for an explanation of the underlying encryption scheme.

Anonymous, 2011-05-28T21:28:58.253+02:00
Great writing.

Simon, 2011-05-28T21:03:52.555+02:00
Great, as usual.