Linked by Thom Holwerda on Fri 21st Mar 2014 16:56 UTC
Internet & Networking

Microsoft has lost customers, including the government of Brazil.

IBM is spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government.

And tech companies abroad, from Europe to South America, say they are gaining customers that are shunning United States providers, suspicious because of the revelations by Edward J. Snowden that tied these providers to the National Security Agency’s vast surveillance program.

Right. Because, as we all know, European governments did not fully comply with the US spying programs, nor have they similar programs of their own.

High time some smart company develops a very simple and straightforward 'personal cloud'; a simple, large box with loads of storage that you dump in the basement somewhere, with pre-configured email, internet storage, and so on. Also offer the ability to have multiple of these things tied to the same account for data duplication, so you can, say, dump one of them at a trusted friend's home. Make it platform-agnostic and encrypted, et voila.

Doesn't sound like something that's terribly hard to do.

Thread beginning with comment 585076
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: Personal Cloud
by ricegf on Sat 22nd Mar 2014 17:12 UTC in reply to "RE[2]: Personal Cloud"
ricegf
Member since:
2007-04-25

However how do you transfer it securely?


That was the point of my post. I must not have been clear (sorry).

* You set up the server.
* You use an offline computer to create the one-time pad and write the one-time pad to two one-time-read SD cards.
* You place one SD card in your server and the other in your wallet for use in connecting to your server.

This avoids the transfer problem entirely. It's a special case, of course, but it is the special case that we're discussing in this thread.

Does that clear up why a one-time pad works in this instance?

t seems like quantum mechanics offers an easier and more secure approach


More secure, yes, but easier?? Where do I buy a quantum server to put in my basement, and a quantum smartphone to carry around with me, pray tell?

Reply Parent Score: 2

RE[4]: Personal Cloud
by Alfman on Sat 22nd Mar 2014 21:44 in reply to "RE[3]: Personal Cloud"
Alfman Member since:
2011-01-28

ricegf,

Where do I buy a quantum server to put in my basement, and a quantum smartphone to carry around with me, pray tell?



My knowledge of quantum physics drops off sharpy. However I do know that quantum encryption does not require a quantum computer, only a quantum event source + detector + a suitable transmission medium. These exist today in their infancy. Take a look at the link, the device is fairly small and it will get smaller.

http://www.technologyreview.com/view/514581/government-lab-reveals-...

The suitable transmission medium part is a major problem though. The photon received must be quantum entangled with the source, it won't work across switched networks. So it needs new infrastructure. So it would seem you are right, this tech is not going to reach mobile users soon.


I found today a company offering quantum encryption for a hub&spoke network targeting power grid security.
http://gridcomtechnologies.com/

This might not be a bad idea for applications where the hub is trusted by the "spokes". However in a residential scenario the ISP is the hub, yet the ISP is NOT trustworthy from our point of view.


I found this too, quantum encryption for wireless devices may be on the horizon.
http://www.extremetech.com/extreme/165281-new-breakthrough-could-br...

However I'm skeptical about it and if the quantum encryption is only used to encrypt traffic between the cell phone and the cell tower (rather than end to end), well that's already useless since we know the wiretaps are at the telcos.



Going back to your idea...
* You set up the server.
* You use an offline computer to create the one-time pad and write the one-time pad to two one-time-read SD cards.
* You place one SD card in your server and the other in your wallet for use in connecting to your server.


Unless you are solving some other logistics problem, I don't think having an "offline computer" enhances security in this case. So the server or client might as well generate the one time key pad themselves. I think an SD Card is less secure than transferring the keys to an internal disk/device, consider that the SD card is easier to physically swipe/copy. However that doesn't change the principal of your idea.


Of course if you can physically reach the server to resync the one time key pads periodically before running out, then your solution is completely legitimate. But what if you could periodically resync your one time keys over a quantum secured link at home and a distant server when you place your phone in the charging/syncing cradle? That would give you the security of one time keys. Of course this is not much help today without a quantum capable infrastructure.

Reply Parent Score: 3

RE[5]: Personal Cloud
by ricegf on Sun 23rd Mar 2014 12:00 in reply to "RE[4]: Personal Cloud"
ricegf Member since:
2007-04-25

I've been fascinated by quantum computing and quantum encryption for some time, but I don't see it as a solution I can afford to deploy today.

Unless you are solving some other logistics problem, I don't think having an "offline computer" enhances security in this case.


Consider the scenario where the computer generating the one-time pad has been remotely compromised - I contend this is not an unlikely case. If online, the pad is immediately copied to the NSA (or whoever). If offline... well, they'd need physical access.

This is the same rationale for keeping the private key for your virtual currency on an off-line computer. Do you consider that to add no value, either? I respect your opinion, but I believe you're missing a significant threat in this case.

I think an SD Card is less secure than transferring the keys to an internal disk/device, consider that the SD card is easier to physically swipe/copy.


One of us isn't thinking this through. Sure hope it's not me! ;-)

Consider my one-time read SD card, as discussed recently on this site (to wit, the firmware in an SD card can be hacked).

If an adversary remotely accessed and copied the SD card, what would that accomplish? When I attempted to establish an encrypted link, the link would fail - the SD card would be blank. This is similar to quantum encryption, which doesn't actually prevent interception of data, it just ensures that you know it has been intercepted (because you can no longer communicate).

I selected a hacked SD card as a cheap way to add one-time read-only storage to the device. If you just stick the pad on your disk, as you suggest, then your server can be hacked and the pad copied. As far as I know, a hacked SD card can't be re-hacked via a remote connection. (I've actually designed a similar system for secure communication in a corporate environment - the hacked SD card is just a cheaper solution that occurred to me while writing earlier in this thread.)

Of course, if physical access to the server is gained by your adversary, the card could be copied and a new hacked SD produced and placed in the server. But then, even if you were using quantum encryption, you're screwed if the adversary has physical access to an end point!

Am I missing something?

Reply Parent Score: 2

RE[5]: Personal Cloud
by zima on Wed 26th Mar 2014 23:27 in reply to "RE[4]: Personal Cloud"
zima Member since:
2005-07-06

So it needs new infrastructure.

I kinda doubt we'll ever have this... what would be the motivation for govs to give us so powerful encryption methods? (isn't present encryption basically good enough for "citizen uses" as far as govs are concerned?)

Reply Parent Score: 2