Google to encrypt cloud storage
rysiek
rysiek at hackerspace.pl
Mon Aug 19 05:30:07 PDT 2013
On Monday, 19 August 2013 08:02:38 Dan Staples wrote:
> On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote:
> > On Monday, 19 August 2013 13:12:35 Lodewijk andré de la porte wrote:
> >> AES-128 is obviously not secure enough against NSA-type attacks. It works
> >> against the random raid of the servers, the exploitative sysadmin and
> >> perhaps even the remote exploit in the software. It also allows Google to
> >> run storage nodes at a lower security level, which might help them smooth
> >> operations.
> >>
> >> Nothing there to help against the agencies.
> >
> > But the algo is really completely irrelevant here. They could have used
> > OMGWTF-8096 and it would still be irrelevant. If the keys are being held
> > by Google -- and as far as I understand, they have to -- the whole
> > encryption is moot.
> >
> > They don't have to give the government the keys. They can just hand over
> > the cleartext...
> >
> > The point about running nodes at a lower security level is interesting,
> > though. Maybe that's the whole point:
> > - Hey Joe, if we encrypt user data (and hold the keys), we could care less
> >   about these nodes' security.
> > - Hey, yeah, Jack, this seems to be a good idea; and we could sell it to
> >   people as a "security enhancement", esp. after PRISM.
> > - Oooh, I like this. I'll be talking to PR dept right away!
>
> Not so sure we need to be quite so cynical. Obviously this encryption
> is useless against state-level agencies, since data is encrypted
> server-side and Google manages the keys (although the fact that they
> think they won't be obligated to hand the keys over to the gov't is
> bullshit). However, what I think is important to see in this story, is
> that Google is responding to pressure from the public to take privacy
> and encryption more seriously. This is an opportunity for security and
> privacy activists to push for real security solutions for user data
> storage, that involve strong *client-side encryption* of data.
I see it purely as a PR stunt, a pre-emptive strike against services that are
bound to spring up, offering *real encryption* and *real security*. Now Google
can say "we're already offering that" and good luck with explaining to John
Doe why this is not quite the same...
--
Regards
rysiek