[Discuss] cloud storage

[tmetro+blu at gmail.com (Tom Metro)]

Daniel Barrett wrote:
> Cloud backups are not an option, as I don't want my private data
> sitting on some company server.

I've been meaning to mention that Steve Gibson on his "Security Now"
podcast did a review of cloud storage services from the perspective of
their security models. In order for a service to meet his approval, it
had to encrypt the data before leaving the computer, and not share the
keys with the storage provider. (Following Steve's "Trust No One" (TNO)
model.)

The reviews are fairly shallow, in that he mostly just reviewed the
available product information to see whether each service meets the
security criteria, but he does cover a lot of services.

The reviews start with this episode:
http://twit.tv/show/security-now/349

and the topic continues in several subsequent episodes.

Steve dismissed out of hand a few products that met the security
criteria, but where implemented in Java (like Wuala). His take is that
Java is fine for a free product, but a for-profit service should use
platform-specific native clients. He sees Java as a toy. (I'm no big fan
of Java, but this seems to be a bit unjustified and obsolete criticism
of the language. Then again, what would you expect from a programmer who
thinks that the best language for almost anything is assembly.)

A commenter on a subsequent Q&A show pointed out anything short of an
open source client still requires you to trust the vendor, as they could
be saying one thing about how the encryption works and doing something
else. (Similarly, a future software update from the vendor could come
with government mandated backdoors.)

A colleague mentioned that a later episode mentions an open source
backup client, but I seem to have missed the mention. If you catch it,
post a follow-up there.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/