Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google To Encrypt Cloud Storage Data By Default

timothy posted 1 year,3 days | from the praise-be-to-google dept.

Encryption 217

jfruh writes "Worries about snooping are now a permanent part of our computing landscape, but Google is attempting to ameliorate those fears by encrypting all data on its Google Cloud Storage service by default. Data is encrypted with 128-bit AES, and you can manage the keys yourself or have Google do it for you. A Google spokesperson said that the company "does not provide encryption keys to any government."" (Also at SlashCloud.)

cancel ×

217 comments

Sorry! There are no comments related to the filter you selected.

what about decryption keys (0)

Anonymous Coward | 1 year,3 days | (#44590795)

or the government's non-power-of-2 computers

Re:what about decryption keys (5, Funny)

Anonymous Coward | 1 year,3 days | (#44590847)

They don't provide any keys. They provide the decrypted data.

Re:what about decryption keys (5, Funny)

Anonymous Coward | 1 year,3 days | (#44591341)

That's funny, because here I thought that Google's Cloud Storage was going to be hosted in NSA's new data center. Brilliant really. Why bring the NSA to you when it's less trouble to let the NSA host your shit for you.

Re:what about decryption keys (1, Insightful)

Anonymous Coward | 1 year,3 days | (#44591431)

Its AES. Its a symmetric-key algorithm. The encryption key is the decryption key. Whats with all the jokes about decryption keys?

Anyway, you can already do this for Chrome's sync data. I setup a pass phase for my sync data thats only known to my browser, and never sent to Google. Of course, that means I trust Chrome, but at least I don't have to trust them to protect the data on their end.

This (letting the user hold the keys) is exactly what we should be rooting for. I'm amazed how negative the posts here are.

Re:what about decryption keys (-1)

Anonymous Coward | 1 year,3 days | (#44591521)

Its AES. Its a symmetric-key algorithm. The encryption key is the decryption key. Whats with all the jokes about decryption keys?

Anyway, you can already do this for Chrome's sync data. I setup a pass phase for my sync data thats only known to my browser, and never sent to Google. Of course, that means I trust Chrome, but at least I don't have to trust them to protect the data on their end.

This (letting the user hold the keys) is exactly what we should be rooting for. I'm amazed how negative the posts here are.

Whoa, oh, ohWhoa, oh, ohWhoa, oh, ohWhoa
I'm waking up to ash and dust
I wipe my brow and I sweat my rust
I'm breathing in the chemicals
I'm breaking in, shaping up, then checking out on the prison bus
This is it, the apocalypse
WhoaI'm waking up, I feel it in my bones
Enough to make my systems blow
Welcome to the new age, to the new age
Welcome to the new age, to the new age
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
I raise my flags, don my clothes
It's a revolution, I suppose
We're painted red to fit right inWhoa
I'm breaking in, shaping up, then checking out on the prison bus
This is it, the apocalypseWhoa
I'm waking up, I feel it in my bones
Enough to make my systems blow
Welcome to the new age, to the new age
Welcome to the new age, to the new age
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
All systems go, the sun hasn't died
Deep in my bones, straight from inside
I'm waking up, I feel it in my bones
Enough to make my systems blow
Welcome to the new age, to the new age
Welcome to the new age, to the new age
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
anonherewe rlegioniwillonlybeablesaythison cesinkingproxyshipsonmywayoutafterpos tingsubmissthencsucha gencihasalready crakedalphaechosierragppglehasthegoaheadto allowtheusertoholdthekeysontheirendbcurdataisnolongerprivateanywhereregardl essifyouentryptornot gameoverhidenowifyoustillc ancnowtencanconfrmover

Re:what about decryption keys (2)

maxwell demon (590494) | 1 year,3 days | (#44591631)

Where are the keys generated? If they are generated at Google and then transmitted to you, then this doesn't really give additional security. Only if the key is generated on your computer and provably never goes to Google, it gives better security than just trusting Google. Of course that means you have to manage it yourself (back it up — not on the cloud, of course —, copy it onto all of your devices — again, not per cloud synchronization, but either through a direct encrypted connection like ssh, or in a way not involving the internet (e.g. per LAN or USB stick). Any solution that doesn't give you that burden also doesn't give you the associated security.

Re:what about decryption keys (2)

rtfa-troll (1340807) | 1 year,3 days | (#44591633)

If you manage your own keys and you use a client that isn't written by Google, how does Google get at the decrypted data? As I understand the system there's nothing they could do and they do allow third party clients?

If so it would be a very good reason to insist your cloud data provider is not the same as your OS vendor. In the end though it's your OS vendor you have to trust for everything since they clearly do have (indirect) access to the keys. Another good reason to use Ubuntu rather than Windows or Cyanogenmod/Replicant rather than Android I guess.

How do you know? (1)

Ralph Spoilsport (673134) | 1 year,3 days | (#44591751)

You say "They don't provide any keys." But if they did, you would have no ability to tell. WOULD YOU? Very simply the internet can no longer be trusted. At all. Ever. It's effectively enclosed and dead.

Lies Lies Lies (5, Insightful)

Anonymous Coward | 1 year,3 days | (#44590805)

Just like how they already lied the first time. Lies Lies Lies. But I don't care. Go ahead and do that NSA thing.

Re:Lies Lies Lies (0)

Anonymous Coward | 1 year,3 days | (#44591143)

Of course it WILL be encrypted, no lie. Though..

Why should we trust you? (4, Insightful)

Mr. Freeman (933986) | 1 year,3 days | (#44590809)

And we have what guarantee, exactly, that they're telling the truth?

Re:Why should we trust you? (0)

Anonymous Coward | 1 year,3 days | (#44590837)

its the decryption keys i worry about most.

Re:Why should we trust you? (0)

Anonymous Coward | 1 year,3 days | (#44591293)

AES is symmetric
decryption key = encryption key

Re:Why should we trust you? (0)

Anonymous Coward | 1 year,3 days | (#44590839)

You have the keys. Simple enough.

Re:Why should we trust you? (3, Insightful)

maxwell demon (590494) | 1 year,3 days | (#44591635)

Well, the question is whether only you have the keys.

Re:Why should we trust you? (1)

Anonymous Coward | 1 year,3 days | (#44590853)

They still hand data over to the government.

From the article:
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

"Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don't follow the correct process," she wrote. "When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network."

Goggle complies with local laws ... (4, Interesting)

perpenso (1613749) | 1 year,3 days | (#44591395)

Google complies with local laws and regulations. Remember their previous venture in China:
"The new local Google site, expected to be launched Wednesday at Google.cn, will include notes at the bottom of results pages that disclose when content has been removed, said Andrew McLaughlin, senior policy counsel for Google. "Google.cn will comply with local Chinese laws and regulations," he said in a statement. "In deciding how best to approach the Chinese--or any--market, we must balance our commitments to satisfy the interest of users, expand access to information, and respond to local conditions.""
http://news.cnet.com/Google-to-censor-China-Web-searches/2100-1028_3-6030784.html [cnet.com]

When a legal order to turn over info is received they will do it. The only question is what constitutes a legal order.

Re:Why should we trust you? (0)

Anonymous Coward | 1 year,3 days | (#44591859)

... because if they're not, that's fraud and they could get into some serious shit?

Re:Why should we trust you? (1)

hutsell (1228828) | 1 year,3 days | (#44591881)

And we have what guarantee, exactly, that they're telling the truth?

Following up on your rhetorical question: None really; that's why the expression "Trust, but verify." exists. Without some type of enforceable checks and balances in place, our only hope is for the operators to be benevolent. Even then, we're not in the decision making process; they may think their decisions are in our best interests and we might be lucky enough once in awhile for it to be the right one. Usually though, without informed personal experiences to temper the outcome, it won't; especially if there aren't any incentives to be benevolent.

What would happen if someone figured out a perfectly enforceable verifiable transparency without creating any compromise — and they still don't want to do it? For myself, it would confirm what I've always strongly suspected: Any modicum of accountability has disappeared. There're too many disinterested well financed draft exempt connected families in government, snickering behind our backs about what they do and say to the rest of us. Someone will probably yawn out, "We're not doing it. Your problems are none of our business. Love it or leave it."

of course not (1)

Anonymous Coward | 1 year,3 days | (#44590825)

Of course they don't provide encryption keys to any government, they just hand over the plaintext.

Encrypt your own data ... (1)

perpenso (1613749) | 1 year,3 days | (#44591401)

Of course they don't provide encryption keys to any government, they just hand over the plaintext.

Now how are they going to do that if one encrypts the data before sending it to the cloud service? Don't give your cloud service the plain text.

Patriot act? (5, Insightful)

hilather (1079603) | 1 year,3 days | (#44590833)

A Google spokesperson said that the company "does not provide encryption keys to any government.""

As Google is a U.S. based company, I'm pretty sure this is a bald faced lie due to the "Patriot Act".

Re:Patriot act? (-1)

Anonymous Coward | 1 year,3 days | (#44590897)

You'd be wrong if you believed that. There's no law that says they can't encrypt a users data. The Communications Assistance to Law Enforcement Act might be amended to cover this but it seems it hasn't happened yet.

Re:Patriot act? (0)

Anonymous Coward | 1 year,3 days | (#44590983)

Read what he quoted again; it has nothing to do with encryption being legally forbidden.

Re:Patriot act? (2)

Darkness404 (1287218) | 1 year,3 days | (#44590991)

Since when does the FBI/CIA/NSA care about laws? As long as there isn't another Snowden, the media will ignore it and anyone who says otherwise will be dismissed as a mere conspiracy theorist.

Re:Patriot act? (1)

rahvin112 (446269) | 1 year,3 days | (#44591435)

Conspiracy theorists give people that expose real conspiracies a bad name. When you have crackpots out there claiming the moon landing never happened and other such BS the real conspiracies are lost in the noise.

There could even be a government conspiracy to hide real conspiracies in the noise of fake ones. Or it could just be a bunch of nut jobs with paranoia, I put my money on the nut jobs..

Re:Patriot act? (1)

maxwell demon (590494) | 1 year,3 days | (#44591787)

But I can prove the moon landing never happened! Because otherwise they would have found the Nazis hiding on the moon and waiting for the chance to come back! And BTW, the Nazis have made a contract with the aliens which guarantees them exclusive access to the moon. Any attempted landing by anyone but a Nazi on the moon would cause an alien attack. That's the true reason why the Americans hired Wernher von Braun: They tried to convince the aliens that it would actually be the Nazis landing if the US land on the moon. But the aliens are not that easy to trick. Kennedy was the driving force behind the moon landing plans and couldn't be convinced to stop the efforts, therefore the aliens arranged him to be shot (yes, it was aliens who were on that hill). The following president had a problem: They knew a landing was no option, but they couldn't just tell the people that the aliens won't allow it, given that the existence of aliens was top secret. But they also couldn't think of a good public reason to stop it. Thus they decided to fake it. The Russians came to similar conclusions. The reason why the USA won the "moon race" was that while the Russians had the superior rocket technology, the USA had the better filming technology, thanks to Hollywood. The aliens helped with the fake by actually sending the pre-recorded signals from the position where they had to originate, so everything looked real. The rocket starts were real, but the space ships actually entered an earth orbit and switched to silence on earthly communication channels; they could still communicate using alien communication technology which was not detectable by amateurs. The aliens took the part of sending the pre-recorded messages and images, as well as as relaying any live communication as needed for keeping the illusion, from exactly the places where they should have come from had the moon landing actually been performed. That's why nobody could notice the fake by checking the origin of the signals.

SCNR ;-)

(And for those who didn't get it: None of the above is meant seriously, of course.)

does not provide encryption keys (5, Insightful)

Anonymous Coward | 1 year,3 days | (#44590845)

Until they receive a National Security Letter and a gag order to boot.

Re:does not provide encryption keys (0)

Anonymous Coward | 1 year,3 days | (#44591843)

The Patriot Act(tm) does away with the need for a National Security Letter, and the gag order is automatic.

What does it matter... (1)

Anonymous Coward | 1 year,3 days | (#44590851)

What does it matter if they encrypt it all and then give the keys to the government?

What does this mean exactly? (5, Insightful)

synir (731266) | 1 year,3 days | (#44590857)

"A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law."

What does this mean, exactly? That they would provide encryption keys in accordance with the law? That they could?

A robust system would mean the hosting company wouldn't be more able to decypher encrypted damage than anyone else. Are they offering that?

The fix (0)

sgt scrub (869860) | 1 year,3 days | (#44590883)

A Google spokesperson said that the company "does not provide encryption keys to any government... yet.""

fify

Call me paranoid (5, Insightful)

TubeSteak (669689) | 1 year,3 days | (#44590887)

"If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys," Barth wrote. "We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing."

That sounds meaningless.
All that it prevents is interception of data to/from your computer.
It does nothing to stop the NSA from requesting your data from Google, who would control your encryption keys.

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

Which is exactly my point. If they control your key, they have access to your data.

128bits of secure storage (1)

Anonymous Coward | 1 year,3 days | (#44590989)

As long as your store your data in as the AES key, Google will not sure it with the government.

Re:128bits of secure storage (2, Funny)

Anonymous Coward | 1 year,3 days | (#44591101)

128 bits should be enough for anybody.

Re:Call me paranoid (1, Interesting)

Chalnoth (1334923) | 1 year,3 days | (#44591027)

It will be difficult to avoid such requests entirely, but this technology, implemented well, prevents the NSA or others from intercepting the data en route and reading it without a court order.

I'd also point out that Google has, in the past, pushed back against data requests.

Re: Secret court order or just a letter/// (0)

Anonymous Coward | 1 year,3 days | (#44591133)

... but this technology, implemented well, prevents the NSA or others from intercepting the data en route and reading it without a court order.

Where have you been - your mom's basement doesn't have TV? NSA can either get a secret-court order (which you cannot challenge or even hear about) or just write a "national security letter" themselves. No need to bother with a real court/judge that might let someone know what they were doing.

Re:Call me paranoid (1)

TheGratefulNet (143330) | 1 year,3 days | (#44591205)

I'd also point out that Google has, in the past, pushed back against data requests.

and you know that, exactly, how?

oh right, they said so. yeah. ok. we're done here.

Re:Call me paranoid (1)

Anonymous Coward | 1 year,3 days | (#44591147)

This offer is still pretty sure to make a good impression on the mainstream for PR moderate damage control... some people are now on the fence but locked in. They will look the other way with right buzzwords and a pat in the back.

The reluctant geek will more easily move to offshore alternatives knowing what you've mentioned. I mistrust the OS I'm typing this in, and even if it were clean, google probably still installs a system service or two with some non-Chrome programs ("just" for auto-updates).

Even with a clean OS, those of us who would encrypt data before handing it for storage have a big problem. The cloud these days means daily use and post-processing more than storage. There's lots of syncing for on-the-fly music playing, spreadsheet editing, calendar processing, file attachment handlers for pictures and video, etc. I heard Apple does tons of stuff that way too. Real encryption on my side means they'd just have a blob that is useless to my android device.

I'm not too confident in their well-meaning NSA-backed intentions. There's no mention of how middleware would take my pre-encrypted data, decrypt it and hand it to my phone for that cloud-y on-the-fly processing. Will Google throw in some half-baked offer with a flawed process that sneaks my keys away from me with the guise of convenience?

Re:Call me paranoid (1)

Mitreya (579078) | 1 year,3 days | (#44591309)

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

And once US starts to publicize their laws, that would maybe mean something

For now, "in accordance with the law" means nothing because of all the secret laws or secret law-interpretations that are out there.

Re:Call me paranoid (2)

smhsmh (1139709) | 1 year,3 days | (#44591393)

Ummm, if you want to store your data in Google's cloud, or anyone else's, then all you need do is encrypt it before uploading. Then the responsibility for keeping the key secret is yours. If Google reencrypts your data, there is usually no significant gain or loss of security. You can even share documents with anyone else who has the key, perhaps delivered by carrier pigeon. (Surprisingly, multiple different encryptions can sometimes be weaker than any of the individual encryptions - read that somewhere on Usenet long ago -- but I don't think this matters much in practice, otherwise a standard cracking technique would be to try reencrypting the encrypted data.)

Of course, this strategy won't work with Google's application suite (Google Docs, etc.) because your thin client talks unencrypted data with the application running in Google's cloud, even if the connection is ssh -- the data is unencrypted in the server until saved under encryption. Someone should explain to me again why accessing cloud-based apps from a thin client is such a win...

Re:Call me paranoid (1)

Tr3vin (1220548) | 1 year,3 days | (#44591539)

The thin client can be a little bit fatter, though. Since Google provides a web browser, why not add support to it to use your key to decrypt the data on your end? That way, the data on the server is always encrypted. They could provide similar functionality for other browsers via a plugin.

TFA (5, Interesting)

PPH (736903) | 1 year,3 days | (#44590893)

Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.

Which is how it should all be done. Relying on Google's honesty, or some Google employee who doesn't want his fingers broken one by one, is just false security.

All decryption must be done offline (0)

Anonymous Coward | 1 year,3 days | (#44590895)

The only way to secure the cloud is to have a private key on a portable device with limited network ability. Use the thing as a proxy, with an app that runs on the offline machine.

No keys, no issues.

Fool me once.... (5, Informative)

larry bagina (561269) | 1 year,3 days | (#44590899)

Given what we know about the NSA, NSLs, and Lavabits, " [we do] not provide encryption keys to any government" is a worthless statement. With an NSL, Google will turn over everything and won't be able to say anything about it. With an NSL, Google will be required to lie (like claiming data is encrypted when it's not). Lavabits received an NSL and chose to shut down rather than honor it and sell out their customers. Google compiles with their NSLs.

You cannot trust Google or the cloud with your data.

Re:Fool me once.... (5, Insightful)

tftp (111690) | 1 year,3 days | (#44590995)

You cannot trust Google or the cloud with your data.

If you store your data in the cloud, it means that:

  • The 3rd party knows that you have some data stored, and they know its size, and they know how often you modify it or add to it. The observer does not need to have access to your private key to see that.
  • You can never be sure that the data that you deleted was in fact deleted. In most cases, due to existence of tiered backups, it will take a long time to purge your data from an honestly operated system. If the system is ran by a Google-like entity, nothing ever gets deleted.
  • If the observer wishes to decrypt your data, they can always use the $5 wrench, or (if they want to stay undetected) they can send people to duplicate your HDD or to install a keylogger.

The best way to store your data is on your own HDD, encrypted. The observer still can break into your house, but they would have to do it without any information leading to that. (Such as they wouldn't know that you even have a computer, let alone how often you modify certain files.) Modern terabyte drives (USB 3.0 or eSATA) remove every reason to bother with cloud storage - unless you want an additional bottleneck in form of the Internet link and a bunch of additional vulnerabilities, often for a small extra fee. Most people would be perfectly happy with an encrypted USB Flash disk (IronKey etc.) that they can always carry with them.

Re:Fool me once.... (1)

TubeSteak (669689) | 1 year,3 days | (#44591131)

http://www.foreignpolicy.com/articles/2013/07/16/the_cias_new_black_bag_is_digital_nsa_cooperation [foreignpolicy.com]

During a coffee break at an intelligence conference held in The Netherlands a few years back, a senior Scandinavian counterterrorism official regaled me with a story. One of his service's surveillance teams was conducting routine monitoring of a senior militant leader when they suddenly noticed through their high-powered surveillance cameras two men breaking into the militant's apartment. The target was at Friday evening prayers at the local mosque. But rather than ransack the apartment and steal the computer equipment and other valuables while he was away -- as any right-minded burglar would normally have done -- one of the men pulled out a disk and loaded some programs onto the resident's laptop computer while the other man kept watch at the window. The whole operation took less than two minutes, then the two trespassers fled the way they came, leaving no trace that they had ever been there.

It did not take long for the official to determine that the two men were, in fact, Central Intelligence Agency (CIA) operatives conducting what is known in the U.S. intelligence community as either a "black bag job" or a "surreptitious entry" operation. Back in the Cold War, such a mission might have involved cracking safes, stealing code books, or photographing the settings on cipher machines. Today, this kind of break-in is known inside the CIA and National Security Agency as an "off-net operation," a clandestine human intelligence mission whose specific purpose is to surreptitiously gain access to the computer systems and email accounts of targets of high interest to America's spies.

Stealing passwords with a key logger or phishing e-mail undoubtedly involves less paperwork than using the rubber hose.

Re:Fool me once.... (1)

Anonymous Coward | 1 year,3 days | (#44591171)

I use dropbox with encfs; it's nice for files that I'm currently working on, as it gives me automated off-site encrypted backup.

Re:Fool me once.... (1)

fast turtle (1118037) | 1 year,3 days | (#44591613)

I also use dropbox but don't bother with encryption simply because I don't trust em to not share the data with everyone at the drop of a letter. If I need it encrypted, then I keep it off-line completely because the old saying about "a Secret is only secret if No One Else Knows it" applies.

Re:Fool me once.... (2)

Sperbels (1008585) | 1 year,3 days | (#44591119)

You cannot trust Google or the cloud with your data.

Doesn't this really boils down to, you can't trust your government? Nothing is safe.

Re:Fool me once.... (4, Funny)

TheGratefulNet (143330) | 1 year,3 days | (#44591201)

Google compiles with their NSLs.

interesting. the rest of us use gcc. does nsl optimize better?

Red riding hood (4, Insightful)

TheP4st (1164315) | 1 year,3 days | (#44590903)

When I was 8 years old Red Riding Hood seemed convincing enough to be true.

Fool me once..

Re:Red riding hood (0)

Anonymous Coward | 1 year,3 days | (#44591215)

ha ha ha ha....is there anyone but an absolute newbie going to think that this is actually going to help??

Possible Benefits? (2)

az1324 (458137) | 1 year,3 days | (#44590923)

Server side encryption is only potentially beneficial for limited data breaches where the attacker gains access to the data but not the keys. In the case of government requests, they have the same rights to ask for the keys as for the data. Perhaps if there is a seizure of entire disks then having encryption may oblige them to ask for specific keys and therefore protect your data from snooping when you are not the target. It is also unclear exactly how unique/granular the keys are.

does not provide encryption keys to any government (0)

Anonymous Coward | 1 year,3 days | (#44590925)

only the decrypted copy

THIS IS NOT GOOGLE DRIVE (5, Informative)

Nimey (114278) | 1 year,3 days | (#44590947)

This is not Google Drive that's getting automatic encryption, it's their Cloud Storage, which is only available to developers.

Re:THIS IS NOT GOOGLE DRIVE (0)

Anonymous Coward | 1 year,3 days | (#44591823)

To encrypt Google Drive use something like Syncdocs to do encryption on the client before uploading file to the cloud.

Give and Take (0)

Anonymous Coward | 1 year,3 days | (#44590953)

Of course they don't provide the government with keys. The government provides itself with those keys. That's the whole point. Google doesn't give. NSA takes. The result is the same. I would be highly suspicious of their promise to provide key management to the end user. How will they demonstrate that it isn't back doored? Will they provide open source for the client? Will it be vetted? Will it run without patents? Isn't it just easier to buy a TB pocket drive?

Don't trust the cloud, period. (4, Insightful)

C3ntaur (642283) | 1 year,3 days | (#44590957)

If your data is worth encrypting, do you really want it in the cloud at all? The internet never forgets. Given the rapid advances in both raw compute power and cryptography, something that takes unimaginably long to brute force today, might be trivial to crack in just a few years.

Mixed Messages (0)

Anonymous Coward | 1 year,3 days | (#44590975)

http://www.cbsnews.com/8301-205_162-57598496/google-gmail-users-have-no-expectation-of-privacy/

Google lawyers say otherwise. NSA black hats say who cares, we take what we want, Google doesn't give a damn (thing).

Convenient (4, Informative)

elysiuan (762931) | 1 year,3 days | (#44590977)

In other news leaked internal NSA documents show that they only begin to have trouble cracking AES at 256-bit key sizes and higher.

... only in accordance with the law. (3, Insightful)

Anonymous Coward | 1 year,3 days | (#44591009)

The summary leaves out a critical bit of the company spokesperson's quote from the article: they won't give anyone your encryption keys directly, but they'll happily USE the encryption keys they're managing for you to decrypt your data and give the decrypted data to anyone who makes a legal request.

All this buys you is a tiny bit of defense in depth in case someone tracks down the Google server(s) that are storing your data, breaks into the data center, and physically yanks the hard drive out of the machine. Doesn't do anything to prevent a government from getting access by asking politely, and doesn't do anything to address the wide-open front door of someone guessing your account password.

If you care at all, you should be using client-side encryption. If you don't, this is just adding extra latency.

wasted CPU cycles (0)

Anonymous Coward | 1 year,3 days | (#44591023)

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

In accordance with the law, they are required to turn over what ever is asked of them.
In accordance with the law, they are not allowed to speak about what they have turned over.

It's just wasted CPU cycles at this point.

does not provide encryption keys (0)

Anonymous Coward | 1 year,3 days | (#44591037)

A Google spokesperson said that the company "does not provide encryption keys to any government."

Of course, they just need to send a clear copy to NSA before any of stuff got encrypted.

Does anybody still believes that ANY that passes through any server in the US can be safe from NSA snooping, unless the stuff is being encrypted on client side before it leaves your PC? Even then, NSA would still collect all the metadata about it (when, where, who).

still evil (0)

Anonymous Coward | 1 year,3 days | (#44591039)

meh, google still works with the NSA to copy all traffic in and out of their network.

I will do it myself (1)

Reliable Windmill (2932227) | 1 year,3 days | (#44591059)

I will encrypt my data myself, that is the only way I can keep it private. But hey, thanks for the free storage. Maybe you'll manage to trick someone else with this?

The bad news is... (0)

Anonymous Coward | 1 year,3 days | (#44591083)

the encryption password is "trustno1"

does not provide encryption keys to any government (1)

hottoh (540941) | 1 year,3 days | (#44591103)

"does not provide encryption keys to any government."

Means, "we provide encryption keys to the whim of any government." Guessing this is true.

bullllllshit! cloud computing is dead... (0)

Anonymous Coward | 1 year,3 days | (#44591109)

and the government killed it.

What is wrong with people? (0)

Anonymous Coward | 1 year,3 days | (#44591137)

Why are people so quick to give up control of their data to anyone? Especially a corporate entity? I am baffled by this. I know the reasons why and they all suck. Control your own data, people. Data is the new oil, and people are too quick to share it, give it away -- whatever -- for nothing much in return.

Re:What is wrong with people? (1)

glenebob (414078) | 1 year,3 days | (#44591621)

Data might be the new oil, but the data of any one average person is worth almost exactly nothing. Should I charge Google almost exactly nothing for my data?

I want my browser to manage my keys (3, Interesting)

aviators99 (895782) | 1 year,3 days | (#44591141)

When I first read the summary I thought Google was going to provide me a way to manage my own keys in a practical sense. I would like for my browser to automatically decrypt when I download from Google Drive using private keys stored on my local store (with a pass phrase, of course).

Re: I want my browser to manage my keys (0)

Anonymous Coward | 1 year,3 days | (#44591185)

I'm sure Google will write something to do that.

But it will only run under chromium.

Re: I want my browser to manage my keys (0)

Anonymous Coward | 1 year,3 days | (#44591543)

Do we dare trust the browser? Mozilla's wallet is in bed with Google, chrome IS Google, MSIE and Apple are American, Opera is NON-American... who is safe? do we turn to some obscure extension writer who could be a plant sneaking in NSA backdoors?
What the US has done is pretty much say, oh hi, now you SEE me watching you and I dare you to keep doing exactly the same you were doing this whole time. The cloud itself is useless if it's encrypted. I can use a local storage for that. Will anyone dare put up crypto interfaces just to hide their right to listen to their own encrypted, legally obtained music privately?

When Push Comes to Shove, they'll bend over (1)

Anonymous Coward | 1 year,3 days | (#44591161)

"No Legitimate Expectation of Privacy," Says Google, Quoting the Supreme Court

http://reason.com/blog/2013/08/14/no-legitimate-expectation-of-privacy-say

  “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979).

Google Drive is not Google Cloud Storage (0)

Anonymous Coward | 1 year,3 days | (#44591167)

Summary: Google is deliberately trying to confuse customers and users into believing their files are secure. US company, data hosted in the US, your files belong to the NSA.

words, words (2)

mbone (558574) | 1 year,3 days | (#44591175)

"does not provide encryption keys to any government."

Based on recent evidence these words mean absolutely nothing* and you would be a fool to trust them.

* That doesn't mean they are technically a lie. Maybe 128 bit AES has a hidden weakness. Maybe there is NSA sponsored back door to their code. Who knows?
Who, except for the forensic types, cares?

Same google (1)

ceoyoyo (59147) | 1 year,3 days | (#44591189)

This is the same Google that insists in court: of COURSE we read your email... why would you expect anything else, right?

Sing the song (4, Insightful)

gmuslera (3436) | 1 year,3 days | (#44591207)

Obama killed the cloud star. Google must comply with legislation, they could deny (at least till NSA summons another secret law that essentially says all your data are belong to us), but at least for citizens of other countries, or americans that contacts them they must give the data anyway. Once they put in the tables laws that force you to do something and not speak about it you can't trust in anything they say, you just can't decide if its true or is a lie that is forced to say (even assuming their best good will in this topic).

Re:Sing the song (1)

cornholed (1312635) | 1 year,3 days | (#44591597)

Judging by your uid, you must not be from around here.

Verboten (0)

Anonymous Coward | 1 year,3 days | (#44591211)

"'Once a pillar of innovation' at Google, now verboten."

Mathematics and those who know mathematics are ... verboten @ Google.

Anyone with a Ph.D. in Mathematics and Physics @Google are ... Verboten.

20 month time frame for Google now shows employees evolving to ... 'technicians.'

Page likes employees who are without high school diplomas who have gender confusion, cocaine and viagra dependencies.

Ha ha @Google

Sounds like somebody is getting a bit desperate (1)

fustakrakich (1673220) | 1 year,3 days | (#44591235)

Anybody else think that this cloud business is taking a hit? Maybe they should try a different angle and tell us that NSA is good for us and is perfectly safe [adweek.com] ...

Google IS the fucking NSA, you idiots. (0)

Anonymous Coward | 1 year,3 days | (#44591325)

God damn, you motherfuckers are so devoid of intelligence
you need to be told when Dracula has his fangs in your throat.

Bottom line :

If you want to keep it secret, do NOT send it via electronic means, period.

google is a jew operation (-1)

Anonymous Coward | 1 year,3 days | (#44591333)

so they don't give it to the nsa they give it to the mossad who give it to the nsa

And? (1)

no-body (127863) | 1 year,3 days | (#44591377)

The encryption master keys are subpoenaed under a NSL by our good friends looking out for us, so nothing bad happens.

In Soviet Russia, all us belong to your base. (1)

Thor Ablestar (321949) | 1 year,3 days | (#44591379)

The only really secure data are the ones written to your own HDD in your safe in your basement, encrypted with opensource program, with part of encryption key entrusted to some friend who is instructed to return it to you when he is satisfactorily ensured that you are not under coercion.

Transparent PR Stunt (2)

FuzzNugget (2840687) | 1 year,3 days | (#44591381)

OK, so you have the option to manage your own keys, but we're trusting that Google doesn't copy your keys when you create them and that they don't have a backdoor. Based on recent revelations, I wouldn't put either past them.

Once Google unequivocally tells the feds to fuck off the next time they come sniffing around for user data, I'll put some stock into such supposed privacy measures.

Re:Transparent PR Stunt (1)

swillden (191260) | 1 year,3 days | (#44591683)

Once Google unequivocally tells the feds to fuck off the next time they come sniffing around for user data, I'll put some stock into such supposed privacy measures.

Google refuses ~30% of government requests for user data.

Keep in mind that most requests are subpoenas (which can only get extremely limited data; name and IP address, basically), court orders (which can get a bit more, but not e-mail contents) and search warrants, and I think it's quite likely that if you were in a position to look at the requests and their rationale, you'd agree that most of them are legitimate and not only legally must be respected, but should be respected, because it's the right thing to do.

http://www.google.com/transparencyreport/userdatarequests/

http://www.google.com/transparencyreport/userdatarequests/legalprocess/

Too late (1)

sugarmotor (621907) | 1 year,3 days | (#44591423)

It might have been. But too late now.

If Google is able to give up your keys... (0)

Anonymous Coward | 1 year,3 days | (#44591547)

... then you are doing it (encryption) wrong.

Useless security without direct control of the box (1)

assemblerex (1275164) | 1 year,3 days | (#44591551)

What they will do is snoop your connection for when you input the password. Https connection? They will have the cert keys already.

You might as well be using open to send the password.

Unless you are uploading locally encrypted files to the cloud (for convenience I suppose) and never sharing keys except in person you should be fine.

Until they kick your door in that is.

Proof of security would add value (1)

jcasey (264935) | 1 year,3 days | (#44591579)

If Google had a way to PROVE that their service was secure, then that might be worth entertaining. Such PROOF would need to satisy concerns about the handling and passing of data and keys, and securely deleting information when the user requests it to be deleted. Unless they can prove that they are secure, this is an utter joke. Their reputation has been trashed as a result of their unfortunate run in with the three letter orgs. Its a pity.

Why are people worried about the government? (1)

cyn1c77 (928549) | 1 year,3 days | (#44591641)

I don't understand all the cynical comments about the government forcing Google to decrypt everyone's data.

Would 128-bit AES encryption really bother the NSA that much? Would it even bother a committed hacker that much? If anything, this will just provide Google with a little ass coverage in case they every get hacked by someone other than the NSA.

But seriously, if this is something that you're really worried about, you should be encrypting your online storage yourself. Or better yet, don't store anything online. Even better, don't network a computer that you aren't willing to have hacked. The level of inconvenience goes up with the level of security; everyone needs to decide what will work for themselves.

I'll still use Tahoe-LAFS instead, thanks. (1)

Anonymous Coward | 1 year,3 days | (#44591685)

Tahoe-LAFS is just as free-as-in-beer, yet also free-as-in-speech. Encryption is automatic and I can install it on any workstation.

Dear Gov, (0)

Anonymous Coward | 1 year,3 days | (#44591733)

These are all the keys possible that the user is 'not' using. Dear user, We did not give them any keys you use.

Don't be good... (1)

eviljav (68734) | 1 year,3 days | (#44591769)

I don't see how anybody could trust them at this point.

False Sense of Security by the bits... (1)

NeoStrider69 (2777567) | 1 year,3 days | (#44591791)

AES-128? Really? Why not higher at least? If you want to provide a false sense of security at least up the magic numbers and make it sound harder than just handing over the decrypted data since they obviously have the public and the secret keys.

128bit AES is insecure (1)

flyingfsck (986395) | 1 year,3 days | (#44591795)

Google doesn't need to give the keys to anyone if the algorithm is insecure.

Too late google. (1)

lapm (750202) | 1 year,3 days | (#44591927)

So they finally desided to encrypt users data? So its been unencrypted upto this point? I tough googles prime policy was do no evil? Considering who is looking to spy on you,i would not consider only 128 bit AES secure by any standard. Not to mention google can get unencrypted data to them anyways... Always wondered why every encryption standard in use on internet need to be accepted by NSA first? Most likely becouse NSA wants to make sure they can brake it.

Worthless. (0)

Anonymous Coward | 1 year,3 days | (#44591931)

Unless the decryption is done on your own computer and your key never leaves your own computer, this is utterly worthless since of course the NSA can intercept anything in transit. And _if_ the encryption is on your computer only with software under your own control (not "updated" by Google ever), you don't need Google for anything but plain unencrypted storage. They might be annoyed that your data compresses lousily, but that's it.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>