Would you trust your data to me??
January 17, 2008 9:10 AM   Subscribe

I am thinking about signing up for a service like Mozy, but I am just scared to pull the trigger? I have a lot of trouble trusting that there's no way anyone can get to my data. I'm not that important, but I suppose it could be useful to someone. Can someone explain in technical detail why I can or cannot completely trust the security surround a service like Mozy. I asked them, but they say their service is the best and it would never be compromised! Never ever! Ever!
posted by tcv to Technology (11 answers total) 9 users marked this as a favorite
The network transactions are executed using SSL via WebDAV, so there can be no 'listening in' of the conversation there.

Mozy allows you to choose your own encryption key for files stored on their site, so no one can access those remotely stored files except you.

Two things:
1) We both know that 'never ever, ever!' ain't true. Never is a long time.
2) I'm pretty sure it's WebDAV.
3) (THREE things) I'm a client, so grain of salt and all that.
posted by unixrat at 9:14 AM on January 17, 2008

If Mozy isn't very specific about their security, then you might want to consider Jungledisk. Uses amazon s3 as a backbone and they have a specific page explaining their encryption. It's encrypted before it leaves your computer and they can't decrypt your data. In fact, if you lose your key, they can't help you because they don't know it.
posted by sharkfu at 9:18 AM on January 17, 2008

You can trust anyone to store your data as long as you encrypt it with a sufficiently strong encryption yourself and never give out the key. You can NEVER trust anyone if THEY encrypt it.

Also, you might be interested in this article.
posted by blue_beetle at 9:40 AM on January 17, 2008 [1 favorite]

If the encryption explanations aren't enough for you (and they probably should be!), you can set up your own backup server relatively cheaply. Find an old computer, slap a big hard drive in it, and stick it in your parent's (or trusted friend, etc) basement. From there, you can use tools like rsync (or one of its many wrappers) to do nightly backups.
posted by chrisamiller at 9:43 AM on January 17, 2008 [1 favorite]

I use Mozy. I think there is a slight change your data mught be comprimised. I suppose. The flip side is that any self-administered backup system is much, much more likely to fail. Use a hard drive? Single point of failure. Use raid? It's still in one box and if you have a fire, poof. Mozy is a real disaster recovery system - my entire house could be reduced to ashes and I would still be able to get my 100GB of files. Oh, that's the other thing - I currently have 112 GB on Mozy, including some 10GB files of home video. At ~$50 per year, that's a pretty good deal.

I really like the service and am not worried about security risks. If you have something really secure, like Quicken files, just don't back those up and use a local backup strategy for those. But I'm no more worried about it than I am about (say) my house burning down.
posted by GuyZero at 9:52 AM on January 17, 2008

You can encrypt your Mozy files with your own Blowfish key or have Mozy do it for you. In the program, it will warn you that if you lose your own key that nobody can help you, even them. Then they give you about 3 warnings.

The only thing I dislike about Mozy is that if you reformat that you have to upload everything again from scratch.
posted by colecovizion at 9:52 AM on January 17, 2008

Steve Gibson just did a show about the security of JungleDisk. A big thumbs up from him. From the comments it sounds like Mozy has the similar ability to encrypt your data on your system before it is uploaded to them. Just be sure to pick a strong password or long passphrase and I would rest easy.
posted by jacobsee at 10:35 AM on January 17, 2008

blue_beetle writes "You can NEVER trust anyone if THEY encrypt it."

This also applies if you are using their client to encrypt your data with your own key on your machine regardless of the encryption method they claim to be using. It might protect you from man in the middle attacks (maybe, who knows what weakness may exist in a non reviewed application) but it won't guarantee the service can't read your data (and therefor expose your data to the world at large).
posted by Mitheral at 10:50 AM on January 17, 2008

There's one worry I've had in trusting my data to other entities. Even if the system is 100 percent secure (which no system ever is), there is still the danger that they could receive a court order (or something more insidious like a National Security Letter) directing them to hand over your data, and that they wouldn't contest it vigorously enough. Or tell you.
posted by grouse at 12:42 PM on January 17, 2008

. . . using their client to encrypt your data with your own key on your machine . . . won't guarantee the service can't read your data . . . .

One of Jungledisk's selling points is that all data storage is by Amazon, not Jungledisk, and your files are transmitted from your machine directly to Amazon without even passing through Jungledisk servers.

So does the JD software secretly allow Amazon to decrypt your encrypted data? Jungledisk could be a clandestine front for Amazon, and indeed Amazon itself could be acting on behalf of a national security service. But, back here on planet Earth, it's hard to see why JD would have any interest in making your data readable by Amazon.
posted by Dave 9 at 2:06 PM on January 17, 2008

That said, you might feel more comfortable if you did your own encryption with open-source peer-reviewed encryption software before uploading to an off-site backup service. The strength of the backup service's encryption is then irrelevant.
posted by Dave 9 at 2:20 PM on January 17, 2008

« Older If I were to sneak a third question in the title...   |   Sing in Me, O Hivemind Newer »
This thread is closed to new comments.