How secure is online backup?
August 11, 2009 11:29 AM
How secure is online backup? I'm looking at Jungle Disk for offsite backup of some important personal files. How secure are sites like this? Is my data more or less secure than, say, my credit card info stored at Amazon.com?
I know the upload/download is secured via SSL/encryption, but what about the data sitting on Jungle Disk's server (either S3 or Rackspace)? Is it accessible by nefarious means without knowing my encryption key? Thanks.
My solution is to store my sensitive docs in an encrypted disk image on my computer (easy to do with a Mac), and then back that up.
posted by mpls2 at 11:45 AM on August 11, 2009
There are two vectors of concern: can you trust JungleDisk, and are their systems secure? They don't release the source code to their client program so it's anyone's guess if it's actually secure. Vulnerabilities could exist either by accident or intentionally. And anyone's servers could be hacked into in theory. So no on both concerns.
Best thing to do is encrypt your files before uploading them. Truecrypt is a good choice.
posted by Mitheral at 11:46 AM on August 11, 2009
Best answer: "secured via SSL/encryption" really doesn't mean what it used to.
You are approaching this question from the wrong side; of course these services aren't secure, people have access to your data and there are numerous attack vectors, including how you transmit the information and how you encrypt/decrypt it.
How secure do you need your data to be? If you're concerned about the Feds/NSA rolling up on your data, amazon and jungle disk aren't for you. If you have HIPAA or other compliance concern, the additional legal exposure of using amazon/jungle is probably undesirable (talk to your lawyer). If you want to store some personally sensitive data that no one with any skills is likely to go after, it's probably ok.
posted by zentrification at 11:58 AM on August 11, 2009
Best answer: people have access to your data
People have access to your encrypted data. If you believe that the JungleDisk client is using 256-bit AES correctly, then it really is quite secure. Adding TrueCrypt or GPG on top adds some redundancy, but really -- nobody is going to crack your encrypted data unless the NSA takes a very special interest in you.
The weakest link in the system is the security of your own machine, and TrueCrypt does not help if you ever plan to decrypt your own data locally.
posted by qxntpqbbbqxl at 12:53 PM on August 11, 2009
Sure, depending on how they implemented 256-bit AES it may already be attackable by someone who really hates you and a lot of ps3's or video cards. You can download the source and see how the encryption works yourself, but then again if you were really qualified to evaluate the quality of their encryption process, wouldn't you just use a program you knew to already be secure?
Your data might be relatively safe today, but that says little about how effective tomorrow's attacks may be against the encryption you've chosen to use.
posted by zentrification at 1:24 PM on August 11, 2009
Use a VERY good encryption password that's different from your Amazon password. If you use the same encryption password as Amazon password (the default), a disgruntled admin at Amazon could presumably read your files with no extra effort. If you use a poor password, the same admin could conceivably brute force it. I've heard of demos in which people check all possible 8-letter passwords in under 2 weeks, so use a lot more than 8 letters -- a 100-letter nonsense sentence would be ideal.
posted by miyabo at 2:12 PM on August 11, 2009
zentrification writes "You can download the source and see how the encryption works yourself, "
That source is specifically not for the Jungle Disk software but rather for a decryption program. It tells one nothing about how well the client program does its job.
posted by Mitheral at 2:30 PM on August 11, 2009
ok, their blog lies
"Code that demonstrates how data is encrypted/decrypted is available for download on the Jungle Disk Download page under the GPL license."
posted by zentrification at 5:00 PM on August 11, 2009
See this.
posted by qxntpqbbbqxl at 11:38 AM on August 11, 2009