This is going to be a short series on encryption.
With the rise in the number of cloud storage services, the subsequent fall in prices of the same cloud storage services and the increasing adoption of broadband internet, more and more Zimbabweans are making use of cloud storage services as a backup option. Most people do not take care to encrypt their files on their end before they entrust these to some third party.
Some of these services for example Mega, Trensorit, Wuala (shuting down) and Mcafee Personal Locker implement some form of encryption which allows the customer to be the custodian to their own key.
There are two problems with such services, however. Most struggle to find relevance as people often do not value encryption services that much and so do not put much stock into it as a selling point. The result is that most of these services struggle to find customers as they compete with much more popular easy to use services such as DropBox, Google Drive and Onedrive. The second problem is that despite all assurances, how can you be really sure that the service provider does not have a copy of your key?
Most people think they need not care about encryption. Well here are two lessons you ought to bear in mind no matter what you do.
Lesson one: Humans are not to be trusted
There is a joke about a knight who was about to leave his village and embark on the long journey to Jerusalem to fight in the crusade wars. He had recently gotten married to a beautiful bride and so before he departed he called his friend, and gave him the key to her chastity belt so that the friend could marry her instead should the knight fail to return from the war. The knight had hardly left the village when he saw his friend chasing after him. The knight stopped for thinking his friend had an important message for him. Panting and battling to catch his breath the friend angrily yelled at the knight,” You gave me the wrong key!”
Morale of the story: You can never trust someone else with your most valued treasures. Humans are to be always distrusted.
Lesson two: Everyone has something to hide.
Most people seem to think they do not have anything to hide, them being law abiding citizens and all. The thing is it’s not just governments who are after your data even hackers too. There are a lot of twisted people out there who will get the kicks just by stealing and exposing your data. If you are one of those people that think you have nothing to hide consider the following points:
- They are a lot of things you do not want revealed to the public. For example your HIV/AIDS status, the fact that you are in love with someone else other than your partner even though you have never cheated on them but have considered doing so on a number of occasions and have flirted with other people online, nude pictures on your phone, your age, you debit card number, the parentage of one of your kids, your weight and all the other dark thoughts you might have.
- The government might think you have something to hide even if you don’t. There are a lot of weird and complicated laws on the books and people are unwittingly breaking them all the time. When the government has access to your data it will be Open Season on you. You might not have committed the fraud you are being accused of but during the search the government might see that episode of House of Cards which you had to download. Now that’s illegal.
- You might just make honest errors for example one night you get to excited and decide to insult the President or make a joke about overthrowing the President. The security forces might just not share your dark sense of humour and before you know it you are facing treason charges. Or you might accidentally stumble upon a beheading video and find yourself on the dreaded watch list. There are lot of Isis branded items out there and none of them have anything to do with the sickening terror group. A wrong Google search can land you in a lot of trouble even if it was unintentional.
- You may not want to hide something but people will still hate and discriminate against you if they find it out. Case in point, even though we live in a democratic country having certain political affiliations may lead to your failing to secure employment in certain quarters. Come on, you know which jobs you will not be able to get so we will not be saying it.
- People need privacy in general. How many things would you rather do in public. Would you want people to see you learning how to dance. I know for a fact I would not.
- Trade secrets that would give your competitor an edge they otherwise might not have. Imagine a world in which everyone knows how to make Coca Cola or if a rival restaurant stole your signature dish.
Lesson three: It can happen to you too
So it has happened to Sony, the Hacking Team and now Ashley Madison but it can happen to you too. Just because you are an uninteresting Zimbo with “nothing to hide” does not mean you are safe. Consider people like the now former Miss Zimbabwe (warning beware of this link it might expose you to offensive material), Tino Katsande and Stunner. You are just another individual until you aren’t.
I think you get the picture. Assuming you are one of those people I have managed to convince, now that we have looked at why you will need to encrypt data on the client side while using cloud storage we will be looking at how you can encrypt your data on the client side before uploading it to cloud storage.
Image credit: unixmen.com
Share
Home
17 comments
I like your article man. In summary, Zimbabweans need to be more aware of data security. We need more students and professionals involved in complex programming and penetration testing. That to me is the key. We can on depend on external software to solve all our problems. Every system can be hacked hence we need to know how to defend ourselves.
I think, you guys need to run more articles like this. A lot of people think there safe because no one is interested or I’ve got nothing to hide attitude. Data and information on or about you is always dangerous depending on the context, which other people will decide for you.
Zim moved quite quickly into the internet age we have now, but nobody is teaching people safe habits and protecting themselves in the online age
One of the reasons I’ll never install Windows 10, you literally give Microsoft and anyone they choose access to your data, scan your files, monitor your traffic etc and practically they can tell you what, you can and cannot use.
If you are really concerned with privacy then public cloud storage is not an option. We deal with customers whose data cost billions and can cause wars worldwide.
You tell them to keep their data on anywhere near internet and they leave before you even finish first few words.
Privacy is when you know where your data is physically located,
What hardware hardware it is sitting on,
What DR(data recovery) policy and system is in place,
Can the data storage provider meet SLA agreement without fail.
If you can get straight answers from above requirements, then you know that your data is 99% secure. But obviously you do not get the answer if is you host using public cloud.
You can still use these public cloud services and still have control of your data security AT THE SOURCE.
You may lose out on things like differential sync if your data is encrypted. Especially on very large files. Otherwise, take control of your own security and never trust what cloud service providers tell you. There are serious horror stories of how the cloud services providers actually handle security.
What I meant was, only store encrypted data in your cloud folder.
If your data is already encrypted, no matter how they use it or abuse it, it is already, encrypted … by you! And no one knows how you encrypted it, using what keys or algorithm or tool.
Encrypted data can be analysed to know what encryption type was used. The encryption header is never encrypted otherwise the whole data will be unreadable even if you have the correct keys!!
true. security through obscurity is a myth.better to just focus on the strength of the encryption algorithm(s) used.
you keep using the phrase “encryption header”. i do not think it means what you think it means.
i was thinking the exact same thing…lol
What does it mean the?
Please read this before you answer or just google for encryption header size:
http://www.networksorcery.com/enp/protocol/esp.htm
hooookay. i see where your confusion lies boss. that link you shared is about ESP which is one of the methods used in IPSEC along with AH. But what you’re talking about is encryption of data-in-transit not data-at-rest as the writer mentioned. coz as far as I know, if you encrypt your data using AES/DES/3DES there is no header in the metadata (every useable file format has a header section) of the ciphertext (the file racho raitwa encrypt) itself that mentions kuti what algorithm has been used.
TL;DR data-in-transit versus data-at-rest
#TheMoreYouKnow
If you keep your key, next time you want to use it, you will find the door changed( it happened here with someone claiming to be holding keys to economy).
Mind provoking article, me like!
Good article. Suprisingly not because of the google search link and the disclaimer attached to it….But it really does contain information which is very useful.
and practice good OPSEC in the industry i am in you can never be too paranoid
Great article
I’m sure the cloud storage providers will always have a copy of your data somewhere. Even the data that you are sure you removed or deleted from their systems.
There is no guarantee that they will delete it! What if some within the company make his her copy and take it home?