Google to encrypt cloud storage

Kyle Maxwell kylem at xwell.org
Mon Aug 19 07:31:54 PDT 2013 

Keep in mind that not all law enforcement (or the broader class of
potential adversaries) will have access to NSA/FBI-type capabilities
or even NSLs and such, not to mention that it provides additional
protection in case a Google server is breached. Having spent time
chatting with some of their security people, including members of
their incident response team, I'm not so cynical that they view
anything like this as a reason not to secure their stuff. I find it
far more likely that they see this as adding an additional hurdle for
adversaries to clear.

On Mon, Aug 19, 2013 at 7:30 AM, rysiek <rysiek at hackerspace.pl> wrote:
> Dnia poniedziałek, 19 sierpnia 2013 08:02:38 Dan Staples pisze:
>> On Mon 19 Aug 2013 07:35:10 AM EDT, rysiek wrote:
>> > Dnia poniedziałek, 19 sierpnia 2013 13:12:35 Lodewijk andré de la porte
> pisze:
>> >> AES-128 is obviously not secure enough against NSA-type attacks. It works
>> >> against the random raid of the servers, the exploitative sysadmin and
>> >> perhaps even the remote exploit in the software. It also allows Google to
>> >> run storage nodes at a lower security level, which might help them smooth
>> >> operations.
>> >>
>> >> Nothing there to help against the agencies.
>> >
>> > But the algo is really completely irrelevant here. They could have used
>> > OMGWTF-8096 and it would still be irrelevant. If the keys are being held
>> > by
>> > Google -- and as far as I understand, they have to -- the whole encryption
>> > is moot.
>> >
>> > They don't have to give the government the keys. They can just hand over
>> > the cleartext...
>> >
>> > The point about running nodes at a lower security level is interesting,
>> >
>> > though. Maybe that's the whole point:
>> >  - Hey Joe, if we encrypt user data (and hold the keys), we could care
>> >  less
>> >
>> >    about these nodes' security.
>> >
>> >  - Hey, yeah, Jack, this seems to be a good idea; and we could sell it to
>> >
>> >    people as a "security enhancement", esp. after PRISM.
>> >
>> >  - Oooh, I like this. I'll be talking to PR dept right away!
>>
>> Not so sure we need to be quite so cynical. Obviously this encryption
>> is useless against state-level agencies, since data is encrypted
>> server-side and Google manages the keys ( although the fact that they
>> think they won't be obligated to hand the keys over to the gov't is
>> bullshit). However, what I think is important to see in this story, is
>> that Google is responding to pressure from the public to take privacy
>> and encryption more seriously. This is an opportunity for security and
>> privacy activists to push for real security solutions for user data
>> storage, that involve strong *client-side encryption* of data.
>
> I see it purely as a PR stunt, a pre-emptive strike against services that are
> bound to spring-up, offering *real encryption* and *real security*. Now Google
> can say "we're already offering that" and good luck with explaining to John
> Doe why this is not quite the same...
>
> --
> Pozdr
> rysiek



-- 
@kylemaxwell

More information about the cypherpunks mailing list