Google to encrypt cloud storage

rysiek rysiek at hackerspace.pl
Mon Aug 19 05:30:07 PDT 2013


On Monday, 19 August 2013 08:02:38 Dan Staples wrote:
> On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote:
> > On Monday, 19 August 2013 13:12:35 Lodewijk andré de la porte wrote:
> >> AES-128 is obviously not secure enough against NSA-type attacks. It works
> >> against the random raid of the servers, the exploitative sysadmin and
> >> perhaps even the remote exploit in the software. It also allows Google to
> >> run storage nodes at a lower security level, which might help them smooth
> >> operations.
> >> 
> >> Nothing there to help against the agencies.
> > 
> > But the algo is really completely irrelevant here. They could have used
> > OMGWTF-8096 and it would still be irrelevant. If the keys are being held by
> > Google -- and as far as I understand, they have to -- the whole encryption
> > is moot.
> > 
> > They don't have to give the government the keys. They can just hand over
> > the cleartext...
> > 
> > The point about running nodes at a lower security level is interesting,
> > though. Maybe that's the whole point:
> >  - Hey Joe, if we encrypt user data (and hold the keys), we could care less
> >    about these nodes' security.
> >  - Hey, yeah, Jack, this seems to be a good idea; and we could sell it to
> >    people as a "security enhancement", esp. after PRISM.
> >  - Oooh, I like this. I'll be talking to PR dept right away!
> 
> Not so sure we need to be quite so cynical. Obviously this encryption
> is useless against state-level agencies, since data is encrypted
> server-side and Google manages the keys (although the fact that they
> think they won't be obligated to hand the keys over to the gov't is
> bullshit). However, what I think is important to see in this story, is
> that Google is responding to pressure from the public to take privacy
> and encryption more seriously. This is an opportunity for security and
> privacy activists to push for real security solutions for user data
> storage, that involve strong *client-side encryption* of data.

I see it purely as a PR stunt, a pre-emptive strike against services that are 
bound to spring up, offering *real encryption* and *real security*. Now Google 
can say "we're already offering that" and good luck with explaining to John 
Doe why this is not quite the same...

-- 
Regards
rysiek