«

»

Jan 22 2014

Print this Post

dis-unity

The “cloud” is achingly trendy at the moment and new companies offering some-bollocks-as-a-service (SBaaS) keep popping up all over the ‘net. Personally I am extremely unlikely to use any of the services I have seen, I just don’t trust that particular business model.

I checked out the website for one of these companies today following an article I read on El Reg. The company’s website says, in answer to its own question, “what can you do with younity?” that you can:

Spontaneously access any file, from any device, without planning ahead.

Browse all your devices at once.

It further says:

share any file.
ANY FILE STORED ON ANY COMPUTER WITHOUT PLANNING AHEAD, VIA YOUNITY OR PRIVATELY TO FACEBOOK.

(I love that “privately to facebook” bit.)

However, further down it says “Step 1, download younity for Windows or Mac, Step 2, install on iOS”. So, the “any file stored on any computer” claim is just not true if, like me you have a mixture of Linux machines, Android tablet and CyanogenMod ‘phone. I’m pretty sure that claim must breach some advertising standard and I’d complain if I cared about using the product. Fortunately I don’t.

Another “cloud” company making some interesting claims is Backblaze, the company whose blog commentary on consumer grade disks I referenced below. They supposedly offer a service with “unlimited storage”, which “automatically finds files” on your computer and then stores them in the Backblaze cloud with “military-grade encryption”. The website says that “everything except OS files” is backed up, so the system must have the freedom (and permissions) to ferret about on your local disk and then pass the files it finds out to Backblaze’s pods. Forgive me if I don’t like that idea.

The section about encryption is intriguing because it claims:

When you use Backblaze, data encryption is built in. Files scheduled for backup are encrypted on your machine. These encrypted files are then transferred over a secure SSL (https) connection to a Backblaze datacenter where they are stored encrypted on disk. We use a combination of proven industry standard public/private and symmetric encryption methods to accomplish this task. To a Backblaze customer all of this is invisible and automatic. For example, when you create your Backblaze account, we automatically generate your private key that is used to uniquely protect your data throughout our system.

They go on to say:

Upon arriving at a Backblaze datacenter, your data is assigned to one or more Storage Pods where it is stored encrypted. Access to your data is secured by your Backblaze account login information (your email address and password). When you provide these credentials, your private key is used to decrypt your data. At this point you can view your file/folder list and request a restore as desired.

A blog posting by Backblaze’s Tim Nufire gives some detail about how the company encrypts your data. On the face of it, the use of a 2048 RSA public/private key pair in conjunction with ephemeral 128 bit AES symmetric keys (to actually encrypt the data) looks impressive – particularly when the company claims that the private key can be further protected by encryption with a user provided passphrase. But given that the company is US based, that claim bothers me. I am particularly sceptical about any claims that the company is unable to decrypt private data because /they/ generate the public/private key pair and they admit (in the blog post) that they store the private key on their servers. Sorry, but if my data is private enough for me to wish to protect it with strong encryption, then I want to use keys I have generated myself, on a system which I control.

Backblaze’s description of the file restoration process does not give me any warm feeling either. Here is what they say:

When you request a data restore, we do what is known as a cloud restore. This simplifies the data restoration process. For example, let’s assume your hard drive crashes and you get a new hard drive or even a new computer. To restore your data you first log in to Backblaze using a web browser by providing your Backblaze account information (email address and password). Once you have logged in to the Backblaze secure web interface you can request a restore of your data. You do not have to install Backblaze to get your data back. To make this work, we decrypt your data on our secure restore servers and we then zip it and send it over an encrypted SSL connection to your computer. Once it arrives on your computer, you can unzip it and you have your data back.

So if I want my data back, they get a clear text copy of it all before sending it to me. Worse, they even offer to send it to me through the post on a USB disk.

I don’t call that a private recovery system.

Permanent link to this article: http://baldric.net/2014/01/22/dis-unity-2/

1 comment

  1. Peter

    Maybe I missed something, but doesn’t that restore process complete undermine their claims that they themselves cannot access your data? How can they cook up a restore archive without having access to your data? Not that I would consider using their service anyway (you know my opinion about businesses operating from a US jurisdiction), but this explanation seems to firmly aim both barrels at the feet of the “security” (*cough*) claims they are making.

    Ditto, by the way, for the “let’s make another complex techno security claim without looking at the jurisdiction we work in” outfit Vitru (virtru.com). First of all, I like a provider I can beat over the head legally if they screw up – a domain registered in Panama doesn’t inspire trust (OK, OK, I know I’m picky). But ask yourself, would YOU install software from a provider who hosts their name servers in the US and whose care of client confidentiality is so lax that they host their email with Gmail???

    To wit:

    ; <> DiG 9.8.3-P1 <> virtru.com mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62891
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;virtru.com. IN MX

    ;; ANSWER SECTION:
    virtru.com. 300 IN MX 5 alt1.aspmx.l.google.com.
    virtru.com. 300 IN MX 5 alt2.aspmx.l.google.com.
    virtru.com. 300 IN MX 10 aspmx2.googlemail.com.
    virtru.com. 300 IN MX 10 aspmx3.googlemail.com.
    virtru.com. 300 IN MX 1 aspmx.l.google.com.

    Want another one? Geo-locate where the NS and MX is for blackphone.ch. Hint: it certainly is NOT as Swiss as the domain name would like to suggest. Personally, I find this *seriously* dodgy.

    As I predicted, 2014 will be the year of privacy BS. QED.

    Peter

Comments have been disabled.