Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Lockbox Aims To NSA-Proof the Cloud

Soulskill posted about a year ago | from the but-can-you-NSA-proof-yourself dept.

Encryption 292

Daniel_Stuckey writes "Lockbox, a tech startup founded in 2008, just received $2.5 million in seed funding for its end-to-end encryption cloud service, Client Portal. So, how does end-to-end cloud encryption work? Lockbox encrypts and compresses files before they are uploaded to the cloud. Only a person in possession of the corresponding key can unlock, or decrypt, the files. This means that the NSA, malicious hackers, business competitors, and even crazy girlfriends and boyfriends won't be be able to peer into users' most sensitive and private files."

cancel ×

292 comments

AL GORE ENDORSES THIS SLASHVERTIZMENT !! (-1)

Anonymous Coward | about a year ago | (#44729063)

And thank for your support !!

I like the idea (5, Insightful)

bondsbw (888959) | about a year ago | (#44729085)

But I prefer that my encryption tool and my cloud storage service be completely separate. (How do I know Lockbox isn't sending the keys to the NSA, or whoever?)

Re:I like the idea (5, Insightful)

Garridan (597129) | about a year ago | (#44729107)

Yup. It's only secure as your OS, and the NSA pwns that. Always airgap your private key, or it's theirs.

Re:I like the idea (4, Insightful)

Joce640k (829181) | about a year ago | (#44729829)

What's to stop me encrypting my files then putting them on normal dropbox?

Re:I like the idea (4, Insightful)

JWSmythe (446288) | about a year ago | (#44729117)

A friend of mine offered that kind of service quite a few years ago.

It was a backup service. The user had the key. It was encrypted on the user's site, and only encrypted data sent up to the server.

It's not novel. It's a slashvertisment. {sigh}

Re:I like the idea (1)

toQDuj (806112) | about a year ago | (#44729287)

Yes, most of the online backup services offer this. Crashplan does the same. I have the keys, they don't.

Re:I like the idea (5, Interesting)

Anonymous Coward | about a year ago | (#44729445)

Tarsnap should also be mentioned in this context. It's a business started by Colin Percival, noted cryptographer and BSD developer. The client is 100% open source and runs on your machine. When Colin developed Tarsnap he found existing key derivation functions lacking, so he developed his own memory hard scrypt, which has found wide applications in other areas.

The major problem with "encrypted cloud" solutions is that encryption severely limits what can be done in the cloud. You can basically do encrypted file storage. You can't run virus or spam filters on your data, you can't index it and search it etc. So all the useful features we have in a Gmail session need to awkwardly and inefficiently be re-implemented on the client side.

The providers have very little incentive to do this and transform ad supported free services into paid ones (since data mining no longer works, ad revenue drops dramatically). While I would love encrypted email for everyone, it just won't happen for economic reasons. The NSA affair will be quickly forgotten and people will return to business as usual.

Re:I like the idea (5, Interesting)

TheRaven64 (641858) | about a year ago | (#44729545)

Full homomorphic encryption is really hard. Homomorphic encryption allows you to encrypt your data, do some computation on the result, and then perform some operation on the output to get the same result as doing the operation on the unencrypted data. Current solutions are at least a factor of 1000 slower than doing it on unencrypted data, but that's only for general case. There are ways of encrypting data that preserve certain properties so you can, for example, perform simple database operations on it in the encrypted form and only interpret the results if you hold the keys. The down side of these approaches is that they increase the size (effectively doubling it for every primitive operation that you want to support), but with storage becoming cheap they may become interesting...

Re: I like the idea (1)

Anonymous Coward | about a year ago | (#44729559)

It's not quite accurate to call Tarsnap "open source". While all of the source code is publicly available (in fact, the client is _only_ available in source form) the license forbids using it for any purpose other than connecting to Tarsnap's service.

That said, Tarsnap is still awesome, well priced, and just works.

Re: I like the idea (1)

Architect_sasyr (938685) | about a year ago | (#44729609)

Open Source - "where the source code is freely available". Different from "Free Open Source" - which includes definition of license.

Re:I like the idea (5, Insightful)

mysidia (191772) | about a year ago | (#44729119)

It would defeat the point. You can probably safely assume they are not sending them right now.

The problem is: in the future, when more than 2 people start using their service --- the chance gets higher and higher over time, that NSA agents will descend upon them, and provide a legal order requiring they insert backdoors into their service, or protocol, or otherwise: provide the NSA with the resources required to get at the content, AND requiring they tell nobody.

In other words : No US-based cloud service can really fight the NSA; unless they are prepared to shutter the service and go to jail for the cause, which is not likely.

An overseas service is even better for the NSA getting a better chance at capturing the data -- because the things that are legal for them to do expand; gathering intelligence on overseas communications falls within their government mandate; and the techniques they employ could espionage, infiltration into the organization providing the service; and include compromise of computer systems and implanting malware bugs.

Re:I like the idea (5, Insightful)

0111 1110 (518466) | about a year ago | (#44729215)

I don't think an overseas service is better for the NSA. They don't have to even pretend to have ethical or legal constraints, but they are limited by international politics. They are stuck asking for cooperation. Or trying to bribe the right people. Within the US they have the full force of the US government behind them and can simply put uncooperative people in jail.

Nevertheless things have reached a point where you might get idealogically motivated people starting anti-NSA encryption systems and there isn't much the NSA can do against someone willing to risk prison or flee the country or shut down their entire company rather than deal with the devil. The NSA and the government in general are used to dealing with people who are easily controlled with nothing more than money.

But, yeah, the NSA can at least shut down pretty much any US based centralized system intended to fight them. Outside of North America and Western Europe it's a different story though. They don't have any legal power to shut down anything over there.

Re:I like the idea (1)

Jane Q. Public (1010737) | about a year ago | (#44729305)

"Nevertheless things have reached a point where you might get idealogically motivated people starting anti-NSA encryption systems and there isn't much the NSA can do against someone willing to risk prison or flee the country or shut down their entire company rather than deal with the devil. The NSA and the government in general are used to dealing with people who are easily controlled with nothing more than money."

"Might get"???

Haven't you been reading the news?

Re:I like the idea (3, Insightful)

Zemran (3101) | about a year ago | (#44729357)

If you go outside of North America and Western Europe, the NSA have big wallets and a bribe is more likely to work. You may think that somewhere like Venezuela hates the US enough to allow a business like this but I guarantee that the average sys admin in Venezuela could be bought for a few hundred. I would opt for a European country with more a sensible legal system like Switzerland. It will take years for the NSA to get in and the fight would be public. I know that they got into the banks but we all knew about it long before they got there. There are still other option with more effective privacy options and zero corruption but outside of Europe you know they are easily bought.

Re:I like the idea (5, Insightful)

Andtalath (1074376) | about a year ago | (#44729381)

Tpb was raided due to a threat from USA regarding an embargo towards Sweden.

So, well, if bloody Hollywood can put that type of pressure on a country, I believe a branch of the government can as well.

Re:I like the idea (4, Funny)

Anonymous Coward | about a year ago | (#44729695)

if bloody Hollywood can put that type of pressure on a country, I believe a branch of the government can as well.

Hollywood is a branch of the US government!

Re:I like the idea (1)

Anonymous Coward | about a year ago | (#44729735)

if bloody Hollywood can put that type of pressure on a country, I believe a branch of the government can as well.

Hollywood is a branch of the US government!

On the contrary: the US government is a branch of Hollywood.

Re:I like the idea (-1)

Anonymous Coward | about a year ago | (#44729487)

Yalancdan babakan olmaz çünkü : http://yalancidanbasbakanolmaz.blogspot.com/

Re:I like the idea (1)

icebike (68054) | about a year ago | (#44729279)

That's not Exactly true.

If a service provides an open source encryption routine, and also, perhaps, but not necessarily required, an open source transfer routine for the already encrypted files, you could air gap the encryption task from the transfer task, and even with a court order and a shot gun to their head, the company couldn't give you data away.

Spideroak has promised to open source their client for exactly this reason. So far they haven't delivered.

Re:I like the idea (3, Informative)

mysidia (191772) | about a year ago | (#44729339)

you could air gap the encryption task from the transfer task, and even with a court order and a shot gun to their head, the company couldn't give you data away.

The order could say to covertly insert a backdoor of the NSA's choosing in the "open source" client; or provide the NSA operatives root access to the server that distributes the client binaries, and the keys to push out a new release of the software.

Someone maintains the code that the users are using. And the maintainers could very easily be subject to a gag order; to not discuss the covert backdoor, even if it's visible in the open source code ----- it doesn't have to be, though: most people will just download the project's (NSA-patched) binary builds of the release.

Re:I like the idea (2)

icebike (68054) | about a year ago | (#44729507)

When someone is buying a security product, and buying one that specifically bills itself as open source you can bet there will be many many sets of eyes on the code. It only takes one person to spot something like that, and you would be able to add your own layer of encryption on top of what was already in the open source.

So, no, open source is not as easy to beat as you suggest.

Re:I like the idea (1)

TheRaven64 (641858) | about a year ago | (#44729555)

It's harder to covertly insert a backdoor into an open source client because people can watch the changes. It's much easier to insert it before it's open sourced, because then people have to review the entire code drop at once. That said, adding a back door into OpenSSL would be comparatively easy because no one understands the convoluted twisty maze of code paths in it.

Re:I like the idea (0)

Anonymous Coward | about a year ago | (#44729285)

Here in the US, the NSA is a known enemy, for better or for worse.

A cloud provider overseas will be bullied by whatever intel service is in the host country. If I locate one in China, my company is owned by the PLA anyway.

I look at what my biggest security threats are, and the NSA is nowhere near the top of my list compared to foreign intel looking to crush US companies like China did the entire US solar industry.

Re:I like the idea (4, Insightful)

vux984 (928602) | about a year ago | (#44729361)

In other words : No US-based cloud service can really fight the NSA;

The key to fighting the NSA is to provide a completely transparent API.

And then rely on 3rd parties to deliver software that uses the API.

Even if the NSA knows that I have account with the cloud service, they don't know what client I use, (and even if i do, the client is on my equipment not "service based" there is no easy target to send a gag order too.

Essentially, dropbox, skydrive etc are all perfectly suitable cloud services.

What we need is them to do isopen them up wide open to 3rd party client development.

Re: I like the idea (0)

Anonymous Coward | about a year ago | (#44729289)

Exactly

Re:I like the idea (4, Interesting)

VortexCortex (1117377) | about a year ago | (#44729359)

But I prefer that my encryption tool and my cloud storage service be completely separate. (How do I know Lockbox isn't sending the keys to the NSA, or whoever?)

It's pointless anyway against the NSA. Seriously. Every single modern operating system (including on routers) has tons of unpatched exploit vectors. There's even a black market for them. The NSA can just infect your machines and ex-filtrate your data and/or the encryption keys... See the previous story:

[NSA] Budget documents say the $652 million project has placed 'covert implants,' sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions.

Hell we have multiple celebrations of insecurity every year called "computer security conferences" where without fail new systems are compromised. How can you even look at stuff like Pwn 2 Own, and not have your brain melting in cognitive dissonance as you try to believe there are network attached scenarios where your data is safe from the NSA?

You want your data kept secret? Use whole drive encryption on machines that are never connected to any networks -- And even then there's the Ken Thompson Microcode Hack [bell-labs.com] , so your systems could be theoretically pre-hacked from the factory... I won't buy a CPU that has remote cellular capabilities... Like Intel's Sandy Bridge [techspot.com] . Laughed my ass off when I heard about that! "Security Feature" indeed. At least if the machine can't get on the networks there's a much lower chance of your data escaping if it's pre-hacked.

I don't know of any hacker worth their salt -- black, gray or white hat -- that doesn't have a directory of unpatched zero day exploits.
I keep mine in: ~/with/great/power/comes/great/responsibility/
Me having to navigate the directory structure has saved many a newb... The NSA has no such sensibilities.
If the data's encrypted, they assume it could be from a foreigner, and thus give themselves license to get at it, and they can.
This is what happens when you let Threat Narrative run amok.

Re:I like the idea (1)

VortexCortex (1117377) | about a year ago | (#44729399)

Hehe, oh... I mean, the company is named "Intel" FFS, haha ha!

wow (0)

Anonymous Coward | about a year ago | (#44729535)

you are so easily fooled.. I'm not going to get into all the false bullshit you lap up. but one thing I do know: you know nothing of the NSA or blackhat culture, other than what the mainstream media has fed you - parrot.

Re:I like the idea (1)

Nikker (749551) | about a year ago | (#44729835)

Compressed cypher text should be quite easy to crack shouldn't it?

Most compression algorithms use a dictionary, if you knew approximately the dictionary was in the data stream it should make it fairly easy to guess the key wouldn't it?

Compressed English for example would have many similar dictionaries amongst most digests. Knowing the most common dictionary entries statically analyzing the cypher text would result in a clear text digest which in turn would be trivial to reveal the message.

Of course I welcome any insight from anyone more knowledgeable since I am not well versed in cryptography.

Good move... (0)

Anonymous Coward | about a year ago | (#44729095)

We need a service like this and pretty soon Google Drive and the rest should hopefully follow suite to keep up with the Jones'...

Obligatory 5 dollar wrench. (3, Funny)

JWSmythe (446288) | about a year ago | (#44729099)

Re:Obligatory 5 dollar wrench. (2)

DirePickle (796986) | about a year ago | (#44729125)

With the recent "revelations" (they're not), it would be obvious that xkcd was pretty far off the mark here. The NSA is engaging in a far-reaching fishing expedition that is not practical to conduct with wrenches.

Re:Obligatory 5 dollar wrench. (3, Insightful)

jamesh (87723) | about a year ago | (#44729183)

With the recent "revelations" (they're not), it would be obvious that xkcd was pretty far off the mark here. The NSA is engaging in a far-reaching fishing expedition that is not practical to conduct with wrenches.

But on the other hand if their "far-reaching fishing expedition" doesn't give them the information they want, and they want it badly enough, a wrench always works.

Re:Obligatory 5 dollar wrench. (1)

MichaelSmith (789609) | about a year ago | (#44729195)

Even so, this service does not protect an individual against wrenches.

Hah (0)

Anonymous Coward | about a year ago | (#44729103)

Good luck with that, they own the cloud.

Dream on (1)

Damouze (766305) | about a year ago | (#44729109)

Whatever the encryption is, you can bet your bottom dollar bill that the NSA is at least two decades ahead of it.

Re:Dream on (1)

BlueStrat (756137) | about a year ago | (#44729499)

Whatever the encryption is, you can bet your bottom dollar bill that the NSA is at least two decades ahead of it.

That's why, if you want it really secure, you leverage their own security.

Hack an NSA/TLA network, and store your encrypted data right alongside of their data.

You could hide your data on Obama's Blackberry servers, or on Gen. Alexander's, Valerie Jarret's, or Clapper's machines.

For extra happy-fun-time, make sure to include some CP, bestiality, and snuff films in separate files/folders, and then out them publicly. Sauce for the gander. :)

The US government has by their own actions declared a de-facto no-rules, no-laws, screw-the-Constitution, all-out cyber-war...not only against every other government including supposed US "allies", but their own citizens as well. History teaches that the dues incurred for such hubris always get paid.

Strat

Wuala (2)

ruhrguide (1420289) | about a year ago | (#44729115)

... exists. But as mentioned by bondsbw, you can't control wether it sends your keys to a third party.

Cloud (1)

Anonymous Coward | about a year ago | (#44729123)

The summary contains the word "cloud". Next please.

Re: Cloud (0)

Anonymous Coward | about a year ago | (#44729205)

Spot on and having to support such a service will expose vulnerabilities in the software whilst they try to make this easy to use!

If they want you (1)

nurb432 (527695) | about a year ago | (#44729127)

They will just attach to your PC 'end point' and get their data before you encrypt.

There is no hiding at this point of the game. Well, really its been that way for a bit now, just most people who knew this were called tin-hatters and paranoid. Its nice to be vindicated, sometimes..

Re:If they want you (1)

AHuxley (892839) | about a year ago | (#44729435)

In the old days a gov would go after the coders, hardware makers, publishers or even create a 'trusted' front company.
The big telco and computer brands handed over clear text making life much more easy but old methods are still waiting for anyone.

And? (1)

fustakrakich (1673220) | about a year ago | (#44729129)

So what stops the feds from seizing your 'cloud' and locking it up in the impound?

Re:And? (1)

AHuxley (892839) | about a year ago | (#44729437)

Or a NSL to add in another server?

Great idea but... (3, Insightful)

Zemran (3101) | about a year ago | (#44729137)

...based in California - cannot trust the security... ...UK - what is security? ...Australia - the FBI asked us nicely...

Re:Great idea but... (1)

munch117 (214551) | about a year ago | (#44729577)

...based in California - cannot trust the security... ...UK - what is security? ...Australia - the FBI asked us nicely...

You have some fine words there, now you just need to put them in order to form a sentence :-)

They're actually Australian-based, according to this press release [lock-box.com] . Not that it helps much - with a strong US presence they are still vulnerable to national security letters.

not secure (1)

BradMajors (995624) | about a year ago | (#44729145)

It says Lockbox will do the encryption, which means Lockbox knows the encryption keys, which means that the NSA will ask for and receive the encryption keys from Lockbox.

Re:not secure (3, Interesting)

GigaplexNZ (1233886) | about a year ago | (#44729449)

Doesn't necessarily mean they know the decryption keys does it?

Sounds like a job for... (1)

SGT CAPSLOCK (2895395) | about a year ago | (#44729147)

Sounds like a job for... Well, any of the millions and trillions of safer, free, open source software utilities which can do the exact same thing without exposing your keys to some third party.

I wouldn't trust anyone but myself with my private keys, and I certainly wouldn't trust anyone else to generate private keys for me.

For that matter, I don't trust my data to be safe in anyone else's computer, but I guess that's OT.

Re:Sounds like a job for... (0)

Anonymous Coward | about a year ago | (#44729249)

millions maybe, but trillions? come on now

Re:Sounds like a job for... (1)

SGT CAPSLOCK (2895395) | about a year ago | (#44729331)

Vigintillions, my friend.

Honestly, I didn't mean for that number to be taken literally. This is Slashdot! How could it be taken as truth without a reference?!

Re: vigintillions (1)

Bob_Who (926234) | about a year ago | (#44729591)

Urban Dictionary: vigintillion ~ www.urbandictionary.com/define.php?term=vigintillion
a very large number: 1000000000000000000000000000000000. used when wanting to sound smart.

LOL... also used when actually smart (IMO) but I thought that was funny result when I looked it up

What exactly is $2.5 million funding? (0)

Anonymous Coward | about a year ago | (#44729155)

The price of serving up many copies of a single-page PDF describing how to use a myriad of freely available tools to encrypt before upload?

PT Barnum was never more right.

Re:What exactly is $2.5 million funding? (2)

GPLHost-Thomas (1330431) | about a year ago | (#44729181)

It's funding the advertising campaign on slashdot.

Lockbox == NSA (0)

Anonymous Coward | about a year ago | (#44729165)

This would be the perfect cover. The NSA creates a company that says it can hide you from NSA. PROFIT!

If only the hardware wasn't already compromised (4, Insightful)

ReallyEvilCanine (991886) | about a year ago | (#44729171)

Without known-secure hardware and and OS to run it, all the fucking encryption in the world don't mean squat. And before the fanbois scream, "Lunix is Teh Shiznit Seckyoor!" remember that you have to know the compiler is safe as well (*cough*Ken*Thompson*cough*).

Re:If only the hardware wasn't already compromised (4, Interesting)

Microlith (54737) | about a year ago | (#44729241)

The thing about Ken Thompson's theoretical attack is that it would inevitably be detected. It's an interesting thought experiment, but a functioning example that would be able to discern the right program to attack (and differentiate between a kernel and a userspace application) has not been shown as far as I am aware.

All one's eggs in one basket is never a good idea. (1)

MobSwatter (2884921) | about a year ago | (#44729175)

This will work until they get the NSL, then it is over as with anyone they send one to.

Hardware (0)

Anonymous Coward | about a year ago | (#44729197)

If you honestly think they are screwing with you and your probably gonna get disappeared anyways you might as well be obnoxious as shit and just change keyboards discs and video cards ALOT like troll ebay for whatever junk you feel like. so they have to constantly be re rigging everything.

Lockbox (1)

Cyfun (667564) | about a year ago | (#44729231)

Didn't Al Gore already invent this a long time ago?

Clown Computing!!!?? Stop already. (3, Interesting)

marienf (140573) | about a year ago | (#44729233)

Can we stop pretending that "The Cloud" has actual meaning, technical relevance, etc..?
Do we really have to go back to the fracking mainframe with all our eggs into one (someone else's) basket,
and at the mercy of whatever corporate greed du jour? Your Brains! They are SOOOO CLEAN!

We have so much computing power and bandwidth in the home and office that it should be perfectly feasible
to go exactly the other way, do away with the stupid client/server model and go 100% P2P, keeping
one's own data on one's own hardware in one's own home.

ISP's that go symmetric and neutral will survive.

Re:Clown Computing!!!?? Stop already. (1)

TheSeatOfMyPants (2645007) | about a year ago | (#44729443)

While I'm not a huge fan of cloud services, they *do* provide me with one huge benefit: the sync/backup service I use provides live versioning, so when something goes horribly wrong on a document that I don't notice until several saves have gone by, I can easily restore it. The only comparable programs I've found either tapped my drive/CPU near-constantly enough to slow the system down or required extensive manual configuration.

Is it really safe / free (libre) software? (2, Informative)

Anonymous Coward | about a year ago | (#44729235)

In this months Free Software Foundation news Bulletin the FSF points to what appears to be a similar offering that is free software friendly:

https://leastauthority.com/press_release_2013_07_30

I took a quick look at lockbox and nothing I saw screamed free software. I could be wrong. Maybe they are even using the same underlying software as LeastAuthority. However they haven't advertised that clearly enough (on front page). I'd be concerned in using a service that is more concerned about looks, isn't clear, and might even be snake oil.

If somebody has the time to take a better look please post a reply with the relevant facts and links to the source/evidence/etc.

Trusted client? (2, Interesting)

Anonymous Coward | about a year ago | (#44729243)

What's to stop the intelligence agencies from compelling the company to produce a compromised client? For example, logging the encryption keys somewhere, or subtly introducing flaws into the algorithm... I mean, right there on their website, "Only naive users would trust their cloud vendor" - so instead trust us - we *promise* we won't let the NSA sneak anything into our software...

About the only way you could have any real confidence in this is if you write your own client to manage all the encryption and use it as a dumb storage backend. And that assumes you can trust the OS and all the other software on your computer - I mean, the company pretty much has to operate out of a country, and that country probably has provisions in its law to compel co-operation with police investigations or intelligence agencies.

All they need to do is rock up with a court order that includes non-disclosure provisions, and wham, next time something auto-updates you're screwed. And if you don't install the updates, there's probably _something_ on your computer that phones home that could be used to identify your system and use all the un-patched vulnerabilities to sneak in a keylogger or similar.

You're probably better off writing coded letters, but even that is highly vulnerable to a wrench attack.

Wishful thinking (1)

trifish (826353) | about a year ago | (#44729245)

Until they are served with a secret order telling them (i) to install key escrow backdoor and/or (ii) until NSA starts implanting torjans onto the suspects' computers (like FBI did with some of the Tor users recently, exploiting an unpatched vulnerability in the TorBrowser - http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail [slashdot.org] ).

The Hell You Say!! (-1)

Anonymous Coward | about a year ago | (#44729291)

These scoundrels are terrorist sympathizers. This is high treason. These anti-Americans should be hanged, drawn and quartered; one and all

Cyphertite (1)

chriscappuccio (80696) | about a year ago | (#44729299)

Cyphertite's end-to-end system is already up and working. And inexpensive storage and fully open-source. And supports all major and minor platforms. What the fuck else could you want?

Encrypts and compresses? (2)

TheTrueScotsman (1191887) | about a year ago | (#44729325)

One would hope they do the compression first otherwise there's very little point.

the cloud is dead (4, Interesting)

0111 1110 (518466) | about a year ago | (#44729329)

At best the service will simply be shut down by the NSA if they cannot compromise it. Lockbox claims to use client side encryption. If the system is executed perfectly and all of your data is fully encrypted before it leaves your computer this might be difficult, but if the service is shut down you will probably lose your data anyway. Which means you will need a local backup which would seem to ruin the point. I think it's about time to admit that saving any data on a remote server in the US, UK, or close allies of either has to be considered to be stored by the NSA/GCHQ and forwarded to other law enforcement agencies if deemed appropriate. And international cooperation in this regard among close allies cannot be ruled out.

In the sort of privacy-hostile environment currently faced in the US, UK and much of the world going full tin foil hat is the only way. Any information you want to remain private has to be encrypted by a system fully under your control before it leaves your computer and your passphrase has to not just be secure, but NSA/GCHQ secure. And it wouldn't hurt to toss in some multifactor authentication and steganography as well.

Re:the cloud is dead (1)

AHuxley (892839) | about a year ago | (#44729457)

Yes they have your tame mainstream OS/cell OS and every hardware "keystroke" before encryption and any needed knowledge of the OS.
Also recall many nations have sent their officer class to the US. They will recall the best years of their lives while working in the telco/security sectors...
Then comes the "just this once" telco/OS favour ....
Close allies or cold war friendships - or a nations law enforcement - its not your cloud.

Re:the cloud is dead (1)

mr100percent (57156) | about a year ago | (#44729475)

The NSA couldn't shut down PGP (though they did try unsuccessfully to restrict the public's access to it), and Snowden said it's still secure.

Re:the cloud is dead (1)

AHuxley (892839) | about a year ago | (#44729505)

They have the cooperation of the average users OS, its code and plain text input. Forms of onetime pads, PGP and other amazing encryption has always been an issue. The solution was Tempest, later weak/cheap global standards and now plain text as entered.

Mega (0)

Anonymous Coward | about a year ago | (#44729333)

So how is this any different from Kim Dotcom's Mega service?

nas (1)

thephydes (727739) | about a year ago | (#44729341)

Why would you put your personal data in "the cloud". It seems to me that there are plenty of just-as-secure options in NAS, or have I been duped by that as well?

Re:nas (0)

Anonymous Coward | about a year ago | (#44729459)

Sure your local NAS is secure - as long as your router or firewall is not compromised. But the use factor here is "access from anywhere". So your data is only as secure as the VPN you use.

AC because the NSA is watching (naw really because I don't have my /. password handy)

Hee haw ! the captcha is 'enclosed'

will the NSA get access through a court order ? (0)

Anonymous Coward | about a year ago | (#44729353)

As this is an American company the doors are open for the NSA.
Anybody knows a similar service sold by a European outfit,
or maybe even better a BOLIVIAN one ??

No thank you (0)

Anonymous Coward | about a year ago | (#44729375)

but I've learned that when it's American it can't be trusted.

Me too? (0)

Anonymous Coward | about a year ago | (#44729391)

1. sshfs

2. ecryptfs

Can I get 2.5 million dollars as well?

Dejavu? (0)

Anonymous Coward | about a year ago | (#44729407)

DejaDup dejavu much? As in http://en.wikipedia.org/wiki/Duplicity_(software) [wikipedia.org] contains pretty much all of this, just needs a tiny bit of polish more for the masses to understand it.

SpiderOak does it without using Java (2)

TheSeatOfMyPants (2645007) | about a year ago | (#44729423)

SpiderOak [wikipedia.org] has had client-only encryption/decryption using 2048-bit RSA & 256-bit AES for its sync/backup/versioning service for years -- I believe ever since they opened in late 2007. That sure sounds like what this newcomer is touting, except that SpiderOak also has free 2GB accounts with live versioning, and uses binary executables on all platforms to do the encryption/decryption (Lockbox uses a Java web client, which I thought was a security no-no).

FWIW, I don't get jack out of pointing out SpiderOak. I've just been really relieved that it has restored documents that I completely fucked up (live versioning FTW) and think it's seriously overlooked/underrated.

Re:SpiderOak does it without using Java (0)

Anonymous Coward | about a year ago | (#44729493)

Sounds good, except that they are USA based, and therefore can be required
to change their code and deliver your keys. You'd never know.

TeamDrive may be a better bet being based in Germany, but them again
according to the recent leaks, they have been complicit, so you never know.
They offer client based encryption and zero knowledge. I'm a customer, not
an employee.

PGP (1)

mr100percent (57156) | about a year ago | (#44729463)

We already have PGP, which is open-sourced. Will this be better and easier to use?

Let FUD be dismissed and truth be elucidated (0)

Anonymous Coward | about a year ago | (#44729467)

So, the obvious FUD here is that separating the encryption from the data storage service is pointless due to the various reasons given. There are many reasons why you wouldn't want data to be readable given it was obtained without the user's permission. I would imagine MOST data that is obtained without the user's permission is ILLEGAL in fact and not as a result of NSA (etc).

Let's assume the user encrypts the data themselves, which should be (by default) entirely separate from the service provider. Every possibility provided about how this encryption might be beaten could of course happen, but ASSUMING THEM ALL IN PERPETUITY is PURE AND 100% FUD. All encryption could be beaten eventually. All encryption should be independent of the network and the data storage service for reasons of interception. If a user encrypts the data on their desktop, than they could be using a) any client, b) any encryption protocol, c) any key(s). These ALL would have to be dealt with by somebody who illegally obtained your data.

Also, if you happen to be a data storage provider and you receive a warrant for a particular user's data, you must comply. BUT, you cannot in any way be made responsible for something you fundamentally are not responsible for, so although you might provide some layer of protection on the data, any user encryption scheme would be 100% external to you.

Online or Secure (2)

toygeek (473120) | about a year ago | (#44729491)

Pick one

Need to close their US office (4, Insightful)

bradley13 (1118935) | about a year ago | (#44729497)

Seriously. If they want to be taken seriously as offering a service proof against the NSA, they need to not be an American company and to not have any physical US operations. Otherwise a secret FISA order (e.g., issue a client update that sends the encryption keys along with the next batch of data), and their customers are screwed.

No cloud service (or any other service) in the US can be trusted.

Re:Need to close their US office (0)

Anonymous Coward | about a year ago | (#44729657)

Yea, they're just another US company that talks big but in the end either willingly or unwillingly has to cooperate anyway. Their assurances are worth just as much as those from Microsoft, Google and so on. In such an environment there cannot be privacy or trust.

Re:Need to close their US office (1)

Anonymous Coward | about a year ago | (#44729823)

Seriously. If they want to be taken seriously as offering a service proof against the NSA, they need to not be an American company and to not have any physical US operations. Otherwise a secret FISA order (e.g., issue a client update that sends the encryption keys along with the next batch of data), and their customers are screwed.

No cloud service (or any other service) in the US can be trusted.

LOLHARD @ avoiding domestic intelligence gathering by going abroad... that's like avoiding drunk drivers by hiding out in the bar's parking lot.

too incompetant for words (0)

Anonymous Coward | about a year ago | (#44729503)

mystery interior astrologers joy evil foreshow providence
fragrance Thou remindeth draught far_out_man deliverest
fit conceit urged to-day worketh strengthened seasons
genius wilderness stroke partaketh rudely edit departest
wavered adapted Jews don't_worry don't_even_think_about_it
contrite

Re:too incompetant for words (1)

Bob_Who (926234) | about a year ago | (#44729625)

mystery interior astrologers joy evil foreshow providence
fragrance Thou remindeth draught far_out_man deliverest
fit conceit urged to-day worketh strengthened seasons
genius wilderness stroke partaketh rudely edit departest
wavered adapted Jews don't_worry don't_even_think_about_it
contrite

Re:too incompetant for words (1)

Bob_Who (926234) | about a year ago | (#44729629)

mystery interior astrologers joy evil foreshow providence
fragrance Thou remindeth draught far_out_man deliverest
fit conceit urged to-day worketh strengthened seasons
genius wilderness stroke partaketh rudely edit departest
wavered adapted Jews don't_worry don't_even_think_about_it
contrite

Encryption isn't enough (0)

Anonymous Coward | about a year ago | (#44729517)

Even if you trust their (noble) goals. And even if you trust your computer hardware and even if you trust your OS. And even if your encryption software is perfect and bug free. All of this is meaningless. They [NSA, FBI, GCHQ, ASIO, HBO, FOX] can still find out a) if you have an account and b) how many files files you have. Then judicious use of a monkey wrench will render the entire stack useless. The weakest element is always the human element.

http://xkcd.com/538/

NSL (0)

Anonymous Coward | about a year ago | (#44729523)

Until a National Security Letter forces Lockebox to push out an update with a NSA backdoor.
The simple truth is you can't offer secure (as in safe from NSA et al) services as a US-based company - or with any part of your infrastructure located there.

Privacy has been outlawed; only outlaws have privacy.

Güncelist (0)

Anonymous Coward | about a year ago | (#44729527)

Guncelist-Tr [blogspot.com] sitesinin yazarym sitenizi çeviri sayesinde takip ediyorum. ilginç konular paylasyorsunuz

Article or Ad ? (0)

Anonymous Coward | about a year ago | (#44729547)

Ads on article ? You can do the same with an owncloud hosted on your private server.
What's new on that ?

Until (0)

Anonymous Coward | about a year ago | (#44729585)

This means that [none will] be be able to peer into users' most sensitive and private files

Until a flaw, a bug or a highly effective encryption method is found.

Nothing is forever!

Overreaction? (0)

Anonymous Coward | about a year ago | (#44729635)

There's much more attention on privacy and encryption these days. Did Snowden's revelations really change the pros and cons of following good security practices all that much?

Even Tahoe-LAFS, after years of being largely ignored, is finally getting some recognition.

I'm not complaining. I like that more people are caring about things that I care about. But I get the feeling that people are going too far with this.

Lastpass does that for Passwords (2)

Skylinux (942824) | about a year ago | (#44729741)

This is how LastPass.com works. Very good idea and works well but I must trust that future updates are not modified by an "NSA Patch" or some sort of court order.

One way to somewhat "NSA Proof" it would be to separate the encryption and storage software.
Storing an encrypted Linux container on a service like crashplan.com works well

Truecrypy+Dropbox? (1)

stevegee58 (1179505) | about a year ago | (#44729809)

I don't see the value add of Lockbox. It sounds like what I'm doing now with the Truecrypt/Dropbox combination.

Which is defeated by the rubber hose. (1)

sethstorm (512897) | about a year ago | (#44729819)

If someone wants it bad enough, they will get it. Not only does it apply to cryptography, it also applies to traitors like Edward Snowden.

He will be found, prosecuted, convicted, and imprisoned.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...