OHAI, PRISM caused a ot of fear but now we can finally feel safe again -- Google will encrypt all Google Drive storage with user-supplied keys: http://it.slashdot.org/story/13/08/16/239253/ So our data will be perfectly safe with them, right? Right?.. ;) Seriously, though, this is very, very bad for us. Normals will point to that and say "hey, Google does the Right Thing and we can be safe there, so we should all use Google now. They have encryption and stuff." -- Pozdr rysiek
On Sun, 18 Aug 2013, rysiek wrote:
OHAI,
PRISM caused a ot of fear but now we can finally feel safe again -- Google will encrypt all Google Drive storage with user-supplied keys: http://it.slashdot.org/story/13/08/16/239253/
So our data will be perfectly safe with them, right? Right?.. ;)
I don't understand against who it is supposed to protect your data. It cannot be against google as they have all the keys. Does it mean google admit that there are other people with direct access to their data storage ?
Dnia poniedziałek, 19 sierpnia 2013 12:27:51 Nicolas Vigier pisze:
On Sun, 18 Aug 2013, rysiek wrote:
OHAI,
PRISM caused a ot of fear but now we can finally feel safe again -- Google will encrypt all Google Drive storage with user-supplied keys: http://it.slashdot.org/story/13/08/16/239253/
So our data will be perfectly safe with them, right? Right?.. ;)
I don't understand against who it is supposed to protect your data. It cannot be against google as they have all the keys. Does it mean google admit that there are other people with direct access to their data storage ?
This is *precisely* why I wrote: "Seriously, though, this is very, very bad for us. Normals will point to that and say 'hey, Google does the Right Thing and we can be safe there, so we should all use Google now. They have encryption and stuff.'" We know this is bogus; but for a normal person this sounds like a Great Idea: just imagine, all your data encrypted, easily managed and with Google prowess to back it technologically! What's not to love?.. -- Pozdr rysiek
AES-128 is obviously not secure enough against NSA-type attacks. It works against the random raid of the servers, the exploitative sysadmin and perhaps even the remote exploit in the software. It also allows Google to run storage nodes at a lower security level, which might help them smooth operations. Nothing there to help against the agencies.
Dnia poniedziałek, 19 sierpnia 2013 13:12:35 Lodewijk andré de la porte pisze:
AES-128 is obviously not secure enough against NSA-type attacks. It works against the random raid of the servers, the exploitative sysadmin and perhaps even the remote exploit in the software. It also allows Google to run storage nodes at a lower security level, which might help them smooth operations.
Nothing there to help against the agencies.
But the algo is really completely irrelevant here. They could have used OMGWTF-8096 and it would still be irrelevant. If the keys are being held by Google -- and as far as I understand, they have to -- the whole encryption is moot. They don't have to give the government the keys. They can just hand over the cleartext... The point about running nodes at a lower security level is interesting, though. Maybe that's the whole point: - Hey Joe, if we encrypt user data (and hold the keys), we could care less about these nodes' security. - Hey, yeah, Jack, this seems to be a good idea; and we could sell it to people as a "security enhancement", esp. after PRISM. - Oooh, I like this. I'll be talking to PR dept right away! -- Pozdr rysiek
On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote:
Dnia poniedziałek, 19 sierpnia 2013 13:12:35 Lodewijk andré de la porte pisze:
AES-128 is obviously not secure enough against NSA-type attacks. It works against the random raid of the servers, the exploitative sysadmin and perhaps even the remote exploit in the software. It also allows Google to run storage nodes at a lower security level, which might help them smooth operations.
Nothing there to help against the agencies.
But the algo is really completely irrelevant here. They could have used OMGWTF-8096 and it would still be irrelevant. If the keys are being held by Google -- and as far as I understand, they have to -- the whole encryption is moot.
They don't have to give the government the keys. They can just hand over the cleartext...
The point about running nodes at a lower security level is interesting, though. Maybe that's the whole point:
- Hey Joe, if we encrypt user data (and hold the keys), we could care less about these nodes' security. - Hey, yeah, Jack, this seems to be a good idea; and we could sell it to people as a "security enhancement", esp. after PRISM. - Oooh, I like this. I'll be talking to PR dept right away!
Not so sure we need to be quite so cynical. Obviously this encryption is useless against state-level agencies, since data is encrypted server-side and Google manages the keys ( although the fact that they think they won't be obligated to hand the keys over to the gov't is bullshit). However, what I think is important to see in this story, is that Google is responding to pressure from the public to take privacy and encryption more seriously. This is an opportunity for security and privacy activists to push for real security solutions for user data storage, that involve strong *client-side encryption* of data. -- http://disman.tl OpenPGP key: http://disman.tl/pgp.asc Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote:
Dnia poniedziałek, 19 sierpnia 2013 13:12:35 Lodewijk andré de la porte
Dnia poniedziałek, 19 sierpnia 2013 08:02:38 Dan Staples pisze: pisze:
AES-128 is obviously not secure enough against NSA-type attacks. It works against the random raid of the servers, the exploitative sysadmin and perhaps even the remote exploit in the software. It also allows Google to run storage nodes at a lower security level, which might help them smooth operations.
Nothing there to help against the agencies.
But the algo is really completely irrelevant here. They could have used OMGWTF-8096 and it would still be irrelevant. If the keys are being held by Google -- and as far as I understand, they have to -- the whole encryption is moot.
They don't have to give the government the keys. They can just hand over the cleartext...
The point about running nodes at a lower security level is interesting,
though. Maybe that's the whole point: - Hey Joe, if we encrypt user data (and hold the keys), we could care less
about these nodes' security.
- Hey, yeah, Jack, this seems to be a good idea; and we could sell it to
people as a "security enhancement", esp. after PRISM.
- Oooh, I like this. I'll be talking to PR dept right away!
Not so sure we need to be quite so cynical. Obviously this encryption is useless against state-level agencies, since data is encrypted server-side and Google manages the keys ( although the fact that they think they won't be obligated to hand the keys over to the gov't is bullshit). However, what I think is important to see in this story, is that Google is responding to pressure from the public to take privacy and encryption more seriously. This is an opportunity for security and privacy activists to push for real security solutions for user data storage, that involve strong *client-side encryption* of data.
I see it purely as a PR stunt, a pre-emptive strike against services that are bound to spring-up, offering *real encryption* and *real security*. Now Google can say "we're already offering that" and good luck with explaining to John Doe why this is not quite the same... -- Pozdr rysiek
Keep in mind that not all law enforcement (or the broader class of potential adversaries) will have access to NSA/FBI-type capabilities or even NSLs and such, not to mention that it provides additional protection in case a Google server is breached. Having spent time chatting with some of their security people, including members of their incident response team, I'm not so cynical that they view anything like this as a reason not to secure their stuff. I find it far more likely that they see this as adding an additional hurdle for adversaries to clear. On Mon, Aug 19, 2013 at 7:30 AM, rysiek <rysiek@hackerspace.pl> wrote:
On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote:
Dnia poniedziałek, 19 sierpnia 2013 13:12:35 Lodewijk andré de la porte
Dnia poniedziałek, 19 sierpnia 2013 08:02:38 Dan Staples pisze: pisze:
AES-128 is obviously not secure enough against NSA-type attacks. It works against the random raid of the servers, the exploitative sysadmin and perhaps even the remote exploit in the software. It also allows Google to run storage nodes at a lower security level, which might help them smooth operations.
Nothing there to help against the agencies.
But the algo is really completely irrelevant here. They could have used OMGWTF-8096 and it would still be irrelevant. If the keys are being held by Google -- and as far as I understand, they have to -- the whole encryption is moot.
They don't have to give the government the keys. They can just hand over the cleartext...
The point about running nodes at a lower security level is interesting,
though. Maybe that's the whole point: - Hey Joe, if we encrypt user data (and hold the keys), we could care less
about these nodes' security.
- Hey, yeah, Jack, this seems to be a good idea; and we could sell it to
people as a "security enhancement", esp. after PRISM.
- Oooh, I like this. I'll be talking to PR dept right away!
Not so sure we need to be quite so cynical. Obviously this encryption is useless against state-level agencies, since data is encrypted server-side and Google manages the keys ( although the fact that they think they won't be obligated to hand the keys over to the gov't is bullshit). However, what I think is important to see in this story, is that Google is responding to pressure from the public to take privacy and encryption more seriously. This is an opportunity for security and privacy activists to push for real security solutions for user data storage, that involve strong *client-side encryption* of data.
I see it purely as a PR stunt, a pre-emptive strike against services that are bound to spring-up, offering *real encryption* and *real security*. Now Google can say "we're already offering that" and good luck with explaining to John Doe why this is not quite the same...
-- Pozdr rysiek
-- @kylemaxwell
since data is encrypted server-side and Google manages the keys ( although the fact that they think they won't be obligated to hand the keys over to the gov't is bullshit). However, what I think is important to see in this story, is that Google is responding to pressure from the public to take privacy and encryption more seriously. This is an opportunity for security and privacy activists to push for real security solutions for user data storage, that involve strong *client-side encryption* of data.
I see it purely as a PR stunt, a pre-emptive strike against services that are bound to spring-up, offering *real encryption* and *real security*. Now Google can say "we're already offering that" and good luck with explaining to John Doe why this is not quite the same...
With the same dev money Google could be funding open source projects like tahoelafs, p2p messaging, etc that put the keys in the hands of the user for easy use. Yet no, they compete against them. They're a business, they've become and catered to more corporate/gov base, that's normal, write around them and claim the user base.
On 19.08.2013 23:20, grarpamp wrote:
With the same dev money Google could be funding open source projects like tahoelafs, p2p messaging, etc that put the keys in the hands of the user for easy use. Yet no, they compete against them. They're a business, they've become and catered to more corporate/gov base, that's normal, write around them and claim the user base.
Yet they not only support SMTP and IMAP4, but they give instructions on how to set up Mozilla Thunderbird. They use XMPP and they allow connections from outside their network. In most ways they are way ahead of the competition. To me it sounds pretty much like the GNU/Linux kernel development: make your project popular enough and conform to our coding structure and we're going to include it in the main tree. Fail to do so and you are free to develop patches and loadable modules.
Dnia środa, 21 sierpnia 2013 00:21:49 Moon Jones pisze:
On 19.08.2013 23:20, grarpamp wrote:
With the same dev money Google could be funding open source projects like tahoelafs, p2p messaging, etc that put the keys in the hands of the user for easy use. Yet no, they compete against them. They're a business, they've become and catered to more corporate/gov base, that's normal, write around them and claim the user base.
Yet they not only support SMTP and IMAP4, but they give instructions on how to set up Mozilla Thunderbird.
How gracious of them! Ever heard of SPDY? http://en.wikipedia.org/wiki/SPDY Are you willing to bet that this will not become the Embrace, Extend, Extinguish of our time (this time with regard to HTTP)? http://en.wikipedia.org/wiki/Embrace_extend_extinguish
They use XMPP and they allow connections from outside their network.
Uhm... I'd be very careful with this one: http://tech.slashdot.org/story/13/05/20/2315216/google-drops-xmpp-support http://windowspbx.blogspot.com/2013/05/hangouts-wont-hangout-with-other.html
In most ways they are way ahead of the competition.
And most of these cases are a relic of a bygone era when Google actually practised what they preach, because they were the small, geeky underdog pitted against giants like Microsoft. Now they themselves are a giant and are slowly but steadily abandoning their open-source, open-standards ways in favour of walled-gardens, proprietary protocols and such.
To me it sounds pretty much like the GNU/Linux kernel development: make your project popular enough and conform to our coding structure and we're going to include it in the main tree. Fail to do so and you are free to develop patches and loadable modules.
Where did *that* metaphore come from?.. -- Pozdr rysiek
On 21.08.2013 00:45, rysiek wrote:
Yet they not only support SMTP and IMAP4, but they give instructions on how to set up Mozilla Thunderbird.
How gracious of them!
I feel you were being sarcastic. But it's not the case. Removing those help pages won't alienate their clients. It's truly a way to be nice. Also, although dropping SMTP and IMAP4 support and replacing them with some exotic closed protocol won't do a thing. Android update and the web interface would do the trick. It's even worse. When Yahoo has dropped POP3 support, without replacing it with anything, some Sourceforge projects were started just to replace that. So, again, it's truly a nice gesture. Maybe, only maybe, it helped them initially to gather up strenght. Today that means zero.
Ever heard of SPDY? http://en.wikipedia.org/wiki/SPDY
Yes. I heard of it. Thank you for including the wikipedia page. Have you read it?
OpenSSL 1.0.1 or greater introduces NPN.
The browsers Google Chrome/Chromium, Firefox (version 11+, enabled by default since 13) and Opera browser (version 12.10+) support SPDY.
Amazon's Silk browser for the Kindle Fire uses the SPDY protocol to communicate with their EC2 service for Web page rendering.
An open standard with quite large support from the open source community. Meaning many more can follow. So what's the point?
They use XMPP and they allow connections from outside their network.
Uhm... I'd be very careful with this one: http://tech.slashdot.org/story/13/05/20/2315216/google-drops-xmpp-support http://windowspbx.blogspot.com/2013/05/hangouts-wont-hangout-with-other.html
I dislike slashdot. It's almost all noise. And one of the sites blocking Tor. But I was interested in your argument so I went there for the second time today. And there I read:
Note that no end date has been set for Talk
So, again, what is your point?
In most ways they are way ahead of the competition.
And most of these cases are a relic of a bygone era when Google actually practised what they preach, because they were the small, geeky underdog pitted against giants like Microsoft.
The pope preaches. Google sells. If I use Google search words start popping up suggesting me what I might ask. If I have gmail there is advertising related to the CONTENTS of my received emails. If I go around youtube I get a full column on the right hand side with suggestions. And you know what is impressive? They are all about right. And I surely have missed the time where someone officialy from Google went out and said «we're going to cripple all that for your privacy». Quite the opposite. They said it's one of the reasons people use Google instead of the competition. I personally like how you dramatise things. Yet, they were never small. Google has not started with Woz in a garage and it wasn't selling sports shoes out of a trunk. They had money. They had computing power. They had storage. Just because they have expanded over they years, does not mean they started as a image board on a Pentium hold behind a highschooler's desk.
Now they themselves are a giant and are slowly but steadily abandoning their open-source, open-standards ways in favour of walled-gardens, proprietary protocols and such.
You might have a case with the patents. But that is all. Actually the open standards, although good by being open, they are crap. Email is ugly and squirts information all along the path even if you do bother to encrypt everything. HTTP is chatty to the extreme. And so on. XMPP is nicer than OSCAR and PNG is better than GIF. That statement does not make telnet safer.
To me it sounds pretty much like the GNU/Linux kernel development: make your project popular enough and conform to our coding structure and we're going to include it in the main tree. Fail to do so and you are free to develop patches and loadable modules.
Where did *that* metaphore come from?..
From the kernel source.
They use XMPP and they allow connections from outside their network. ... In most ways they are way ahead of the competition.
How gracious of them!
No, that is old model. Yet how ahead and gracious are the punks? imap4[s only], submission[starttls only], transport smtp[s preferred, and fixed keyed amongst peers], nothing asked for but username and password, allow connections from anywhere including Tor, simple documentation for the user (thunderbird, mutt, outlook, openpgp, enigmail, ...) The demand for these things is very high right now. You don't need to offer webmail. The setup is not hard. There could be 30 new mail providers running around the globe in three months. All of them teaching the user how to encrypt, exactly where it belongs. And that's just for simple mail, a big win, even without resorting to more exotic http://prism-break.org/ systems.
This matter is very relevant to me. I believe if somebody is saying "we offer encryption", the encryption should be actually, you know, protecting the data. ... No. Google SHOULD provide safe, privacy-aware services and encryption that actually truly protects the data, or at least not claim to do so
Unless it is the user who keeps and manages their own keys, no service with any 'offer of encryption that actually protects' can ever be true. Services are classed by who manages the keys. Any service that manages keys on behalf of the user and claims to offer protection is nothing more than a false marketing SCAM. Unfortunately, people keep buying the bullshit. Offering at least a little less bullshit can also make you rich (leastauthority.com, rsync.net, etc).
On 18.08.2013 23:55, rysiek wrote:
PRISM caused a ot of fear but now we can finally feel safe again -- Google will encrypt all Google Drive storage with user-supplied keys: http://it.slashdot.org/story/13/08/16/239253/
I know slashdot does not generate articles. It only links to articles, sometimes in a VERY misleading paragraph, than leaves some uninformed geeks debate about the misleading text. The article you most probably missed is some other place[1] And the text supports that first paragraph of yours. But nothing of the rest of your text.
So our data will be perfectly safe with them, right? Right?.. ;)
Seriously, though, this is very, very bad for us. Normals will point to that and say "hey, Google does the Right Thing and we can be safe there, so we should all use Google now. They have encryption and stuff."
Could you expand on «this is very, very bad for us»? [1] http://www.itworld.com/cloud-computing/369304/google-encrypt-cloud-storage-d...
Dnia wtorek, 20 sierpnia 2013 14:30:52 Moon Jones pisze:
On 18.08.2013 23:55, rysiek wrote:
PRISM caused a ot of fear but now we can finally feel safe again -- Google will encrypt all Google Drive storage with user-supplied keys: http://it.slashdot.org/story/13/08/16/239253/
I know slashdot does not generate articles. It only links to articles, sometimes in a VERY misleading paragraph, than leaves some uninformed geeks debate about the misleading text.
The article you most probably missed is some other place[1]
And the text supports that first paragraph of yours. But nothing of the rest of your text.
Humm, true. Not Google Drive, but Google Cloud Storage. My bad.
So our data will be perfectly safe with them, right? Right?.. ;)
Seriously, though, this is very, very bad for us. Normals will point to that and say "hey, Google does the Right Thing and we can be safe there, so we should all use Google now. They have encryption and stuff."
Could you expand on «this is very, very bad for us»?
Well, if it's the developer-oriented GCS, not Google Drive, it's just a bit less bad for us. Thing is, this encryption scheme (in which, from what I read, Google has access to "master keys" and has the technical ability to decrypt data once it's subpoenad) brings no additional safety to users. It sounds great ("we support encryption! and we're doing it with several keys! that has to be safe, eh?"), but it does effectively nothing to actually protect users and their data from PRISM and similar programmes. And that means it will be this harder for us to explain why this is a bad scheme ("wait, you're saying encryption is evil? now I am confused!") and why people should use other methods of protecting their privacy and their data. -- Pozdr rysiek
On 20.08.2013 14:52, rysiek wrote:
Could you expand on «this is very, very bad for us»?
Well, if it's the developer-oriented GCS, not Google Drive, it's just a bit less bad for us.
I have to admit I haven't even noticed what Google service was involved. Still, what's «bad» about it?
Thing is, this encryption scheme (in which, from what I read, Google has access to "master keys" and has the technical ability to decrypt data once it's subpoenad) brings no additional safety to users.
But do they have the legal right not to hold those keys? Or this matter is irrelevant to you?
It sounds great ("we support encryption! and we're doing it with several keys! that has to be safe, eh?"), but it does effectively nothing to actually protect users and their data from PRISM and similar programmes.
But that's not what they are saying.
And that means it will be this harder for us to explain why this is a bad scheme ("wait, you're saying encryption is evil? now I am confused!") and why people should use other methods of protecting their privacy and their data.
Isn't it ironic? So Google SHOULD make things easier for you to tell people to use other services? Sounds like the new anti–gay legislation in Russia: making it easier for priests to preach homofobia.
Dnia środa, 21 sierpnia 2013 00:16:38 Moon Jones pisze:
On 20.08.2013 14:52, rysiek wrote:
Could you expand on «this is very, very bad for us»?
Well, if it's the developer-oriented GCS, not Google Drive, it's just a bit less bad for us.
I have to admit I haven't even noticed what Google service was involved. Still, what's «bad» about it?
Explained it already 2 times, if anybody else asks, I'll be happy to do it for the third time.
Thing is, this encryption scheme (in which, from what I read, Google has access to "master keys" and has the technical ability to decrypt data once it's subpoenad) brings no additional safety to users.
But do they have the legal right not to hold those keys? Or this matter is irrelevant to you?
This matter is very relevant to me. I believe if somebody is saying "we offer encryption", the encryption should be actually, you know, protecting the data. As it stands now, the GCS encryptions doesn't protect the data from government snooping, from a rogue admin that has access to the master key, and probably from several other scenarios. And the Google's rep saying "we do not provide the keys to the government" reeks of PR-speak and deception. Of course they do not provide the keys, they can simply provide the cleartext, de-ciphered first via the master key.
It sounds great ("we support encryption! and we're doing it with several keys! that has to be safe, eh?"), but it does effectively nothing to actually protect users and their data from PRISM and similar programmes.
But that's not what they are saying.
They are saying they use encryption, and with several keys/levels. They are saying that during the whole PRISM debate heating up, a debate mind you that has Google among the NSA cooperators. They are even claiming they are not providing the keys to the government, so as to suggest even more strongly that they have cleaned up their act: "A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law." When in fact -- as far as PRISM-related stuff is concerned -- they have done anything but.
And that means it will be this harder for us to explain why this is a bad scheme ("wait, you're saying encryption is evil? now I am confused!") and why people should use other methods of protecting their privacy and their data.
Isn't it ironic? So Google SHOULD make things easier for you to tell people to use other services?
No. Google SHOULD provide safe, privacy-aware services and encryption that actually truly protects the data, or at least not claim to do so if they have no intention to. Or, using your "let's turn the tables and see where that goes" method: So Google CAN lie and deceive the users by claiming or suggesting to provide a level of service they have no intention of providing?
Sounds like the new anti–gay legislation in Russia: making it easier for priests to preach homofobia.
Nicely done. I see we have a Schopenhauer admirer. "The Art of Being Right" is a great little book indeed: http://en.wikipedia.org/wiki/The_Art_of_Being_Right I'm just not sure if that's #8, #12 or #32. I'd go for #32, I guess. -- Pozdr rysiek
On 21.08.2013 00:40, rysiek wrote:
Explained it already 2 times, if anybody else asks, I'll be happy to do it for the third time.
Ok. I think I get the point.
But do they have the legal right not to hold those keys? Or this matter is irrelevant to you?
This matter is very relevant to me. I believe if somebody is saying "we offer encryption", the encryption should be actually, you know, protecting the data.
My question was if they can, given the US law, do such a thing. You have repeated the previous statements. I offer encryption means precisely «I offer encryption». If there is a full stop after that, than the rest is fantasy. Take for example the fact that I do full disk encryption. I have the key somewhere. Now. Someone who has the key and the hard drive has access just like without full disk encryption. Including files that I have deleted through the regular delete and not some secure method. This does not make my hard drive any less encrypted than it is. Now take another example: food containing dead pig meat sold in an islamic country as chicken or just «meat». In the first case it's a lie, it might as well write «no meat at all». In the second is a lie by omission. Do not confuse the two cases. Google never ever stated the rest. It's just your imagination.
As it stands now, the GCS encryptions doesn't protect the data from government snooping, from a rogue admin that has access to the master key, and probably from several other scenarios.
Have they said «we protect your data from the government»? I am sure to have missed that one. Same goes for the other scenarios mentioned.
And the Google's rep saying "we do not provide the keys to the government" reeks of PR-speak and deception. Of course they do not provide the keys, they can simply provide the cleartext, de-ciphered first via the master key.
What? You are strange. They do not have to. Most important providers are bugged BEFORE the data reaches their servers. So it's first the Men in Black. Than is the server. Than is my computer. On the other hand you have the power of law. Once there is a data storage one can ask a judge to write a special kind of legal letter to which the storage manager HAS to comply. So the whole chain starting with the investigator and ending with the judge couldn't care less about key, algorithm, hard drive size, CPU type, how many GHz the memory bandwidth. They ask for the data and they are going to receive it or a very convincing explanation. That was established way before computers were invented. And if you care about this aspect you are free to campaign against it. It's ONLY between you and the law. Google, the investigator, the judge, the postal service and all the others just comply.
But that's not what they are saying.
They are saying they use encryption, and with several keys/levels. They are saying that during the whole PRISM debate heating up, a debate mind you that has Google among the NSA cooperators. They are even claiming they are not providing the keys to the government, so as to suggest even more strongly that they have cleaned up their act:
"A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law."
Right. This is precisely what I have read.
When in fact -- as far as PRISM-related stuff is concerned -- they have done anything but.
Pardon my thickness. How?
Isn't it ironic? So Google SHOULD make things easier for you to tell people to use other services?
No. Google SHOULD provide safe, privacy-aware services and encryption that actually truly protects the data, or at least not claim to do so if they have no intention to.
Sure. Also the pope should stay away from gay people since the year 300. Rich people should help as many poor as they can. One should rise in the bus and give the seat to an old gentleman or lady. But we live in a far from ideal world. That to play your game. Otherwise Google does that already. It's safe. Because then can send you an SMS to recover your free account at their expense. They ask the security question each time you log in from a different location. And so on. They are privacy aware as they don't share your emails with your inquisitive mother. Something you can't say of the postal service or a chatty general practitioner. And given the evil janitor or the evil admin steal the hard drive with your mail they won't be able to read it. Sure, you can idealise it to the extreme. But in real life and real world that is already enough for a free / cheap service. You too should be more concerned with the employer, school, relatives or neighbours than with NSA. Please do notice than I am not saying it's a good thing what NSA does. Only that it is a distant threat. One as concerned as you are already does have a personal mail server somewhere. One should give thanks to someone like RMS for the ability to have that at the cost of the hardware components plus the power bill.
Or, using your "let's turn the tables and see where that goes" method: So Google CAN lie and deceive the users by claiming or suggesting to provide a level of service they have no intention of providing?
They don't lie. They don't deceive. Not in this case. The problem is elsewhere. Think about it a couple of minutes.
Sounds like the new anti–gay legislation in Russia: making it easier for priests to preach homofobia.
Nicely done. I see we have a Schopenhauer admirer. "The Art of Being Right" is a great little book indeed: http://en.wikipedia.org/wiki/The_Art_of_Being_Right
I'm just not sure if that's #8, #12 or #32. I'd go for #32, I guess.
Guess that spells «time to give it up» for me.
Well I think its fair to denigrate it as obfuscation not encryption if the key lives on the same machine as the ciphertext. At best it makes it less risky to dispose of dodgy disks - now and then such things turn up on ebay with client data. At least if you encrypt it properly, and do NOT put the key on the disk, then you can safely toss them in a dumpster, not physically destroy them etc. Adam On Tue, Aug 20, 2013 at 02:52:25PM +0200, rysiek wrote:
Thing is, this encryption scheme (in which, from what I read, Google has access to "master keys" and has the technical ability to decrypt data once it's subpoenad) brings no additional safety to users. It sounds great ("we support encryption! and we're doing it with several keys! that has to be safe, eh?"), but it does effectively nothing to actually protect users and their data from PRISM and similar programmes.
And that means it will be this harder for us to explain why this is a bad scheme ("wait, you're saying encryption is evil? now I am confused!") and why people should use other methods of protecting their privacy and their data.
participants (8)
-
Adam Back -
Dan Staples -
grarpamp -
Kyle Maxwell -
Lodewijk andré de la porte -
Moon Jones -
Nicolas Vigier -
rysiek