[Discuss] AeroFS

Kent Borg kentborg at borg.org
Sun Apr 20 13:58:21 EDT 2014


On 04/19/2014 05:23 PM, Tom Metro wrote:
> If the encryption is done properly, and can be verified, it doesn't 
> matter where your bits are stored.

Yes, but...

Two quibbles:

First quibble applies to all encryption and information security: Is the 
rest of the system sound? If your keys are poor, if your end-point 
computers have spyware installed on them, if there is a micro-camera 
mounted over the keyboard where you type sensitive stuff, if your foe 
resorts to rubber-hose cryptanalysis, etc. Nothing new here, nothing 
special about clouds here, but these points matter, and don't forget 
them when analyzing your circumstance.

Second quibble: metadata. Even if the bad guys never decrypt your data, 
just by doing traffic analysis they might learn a lot.

For example, how much data gets read and written, from what IP address, 
when. And after that data has been written by a computer in, say, 
General Electric, is that same data read a few hours later by a computer 
in, say, someone basement? Is that about the same amount of data that is 
then sent in an unencrypted e-mail (a PDF of financials?) from that 
basement computer to a third computer, detailing some insider 
information and how many shares to sell? Even if the data encryption is 
never broken and keys never leak, it might not matter. Someone watching 
the comings and goings might figure out plenty.

Kinda like watching late night weekend pizza deliveries to the Pentagon 
as a way to know when something big is about to happen.

Not that Tom said anything wrong, I just had to interject my two-cents.

-kb




More information about the Discuss mailing list