
Privacy experts have urged Google to allow Android users' to encrypt their backups in the wake of the NSA PRISM surveillance flap.
Strange place to put an apostrophe.
Privacy experts have urged Google to allow Android users' to encrypt their backups in the wake of the NSA PRISM surveillance flap. The useful "back up my data" option in Google's Android operating system sends a lot of private information from fandroids' devices to Google's cloud storage service. Such sensitive data includes …
as these can be relatively easily broken, but all the other stuff: like my list of phone contacts that is now in the hands of the NSA. I would be happier if I could back up these settings to my own server.
More worrying than wifi passwords are email login passwords; it would be interesting to set up an email account that is not used anywhere, configure it in the Android phone and see what logs in from where.
"I would be happier if I could back up the phone contacts to my own server."
My original-model Samsung Galaxy Tab phone does that when I plug it into my PC and run the appropriate option on the "Kies" management application. In other respects it doesn't quite do what I want, but this is fairly good.
Also, if the data is on your SIM, then you probably can buy a small adapter and software to connect the SIM to your PC, and back up the contact data that way.
Google, Microsoft and Dropbox are probably exploiting the fact that many people are storing the exact same things on their cloud drives and therefore they can improve performance and save storage space if stuff is in the clear.
For example if I stuck eclipse-4.3-win32.zip on my drive then the chances are there are 1000s of other copies already up there. The drive app could hash the file, see it's already on the server and save itself the effort of uploading and storing another copy of that 150MB file.
The problem comes from the fact that people DO store sensitive information on these drives and none of these cloud apps offer client side encryption. And they should. Not only does it address privacy concerns but it also means the likes of Google, Microsoft can legitimately turn around to the NSA and state they literally have no idea what those files are because they don't.
Even if it's just one folder which is encrypted and the default for others is no encryption. The user should be able to supply a strong passphrase or key which doesn't travel to the server and through which all files are encrypted before being sent. It might mean certain features such as web apps but the user can be made aware of this and presumably accept as a restriction.
The workaround at this moment is to put a TrueCrypt volume or an encrypted zip file on the drive but this is obviously a pain in the ass. I assume someone could create a shadow Dropbox app which resembles the real one but uses a different folder. It would encrypt files out of this folder into the Dropbox folder and sync in the opposite direction too.
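Added example, not part of the original comments: a sketch of the trade-off described above, where a store that deduplicates by content hash keeps one copy of identical plaintext files but cannot deduplicate the same file once each client encrypts it under its own passphrase. All names (`DedupStore`, `encrypt`, `decrypt`) are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

class DedupStore:
    """Server side: keeps one copy per SHA-256 of whatever bytes it receives."""
    def __init__(self):
        self.blobs = {}
    def upload(self, data: bytes) -> bool:
        """Return True if the bytes had to be stored, False if deduplicated."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.blobs:
            return False
        self.blobs[digest] = data
        return True

def _keys(passphrase: str, salt: bytes):
    # Derived on the client; the passphrase itself is never uploaded.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]          # encryption key, MAC key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption, see lead-in).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag   # this blob is all the server ever sees

def decrypt(passphrase: str, blob: bytes) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo():
    file_bytes = b"constructed sample: same archive on two users' drives" * 100
    plain, sealed = DedupStore(), DedupStore()
    plain_results = [plain.upload(file_bytes), plain.upload(file_bytes)]
    blob_a = encrypt("alice passphrase (constructed)", file_bytes)
    blob_b = encrypt("bob passphrase (constructed)", file_bytes)
    sealed_results = [sealed.upload(blob_a), sealed.upload(blob_b)]
    return plain_results, sealed_results, len(plain.blobs), len(sealed.blobs)
```
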
Forget TrueCrypt. If you want client side encryption for Dropbox, SkyDrive or GoogleDrive then use BoxCryptor. It works directly at a file/folder level (rather than having to dump a huge TrueCrypt volume on your cloud drive which has to resync the whole TrueCrypt file every time you make a tiny change to your files). I've been using BoxCryptor for years and it works great. It's fast and is completely transparent once you map a drive.
If I was setting up a Cloud Storage service, I wouldn't offer a user encryption option. Not because I want to look at the files, but because when (not if, WHEN) users lose their encryption keys, they'll blame the Storage service for locking them out of their files.
The customer base isn't demanding this option, so there's no real upside to providing this feature, yet the downside to providing it is potentially huge, from a commercial point of view, especially for a free service.
Being a user with a bit of a tinfoil habit (no, I'm not a nun), I've always used a second wireless router (configured as a switch) for my Android tablet, and it's only switched on when I'm actually using the tablet. Don't store any personal data on Android, so I've never knowingly used the backup feature, but I expect the NSA have a copy of the passphrase slurped via Google anyway.
Also, having a second, temporary WAP is useful when visitors request internet access, it stops their devices having a copy of your main router's wireless ID and passphrase.
Regarding your WAPs - are you using WPA/WPA2 with pre-shared keys?
If so, you are probably using a lot of energy and gaining little security. Both WPA and WPA2 can be broken by a determined attacker.
WPA/WPA2 Enterprise variants address this by using a key that is negotiated based on authentication details (LDAP/certificates/AD/local user databases are all supported) and can (should...) be time limited to prevent an attacker having the chance to gain sufficient information by sniffing or probing the WLAN.
I don't see this as being a big deal, if we have learnt anything this last month - it's that stuff big companies and government wish to remain secret will find a way to leak - IF it turns out Google has provided such sensitive data to third parties - people worldwide will dump their Android devices in an instant and start looking for alternatives, and there will be absolutely no way at all that Android would ever recover from that. To date we have been informed that the data that has been available to third parties is meta data, but not content. WiFi passwords and website login data is more than just meta data.
There's an Open Android available some time after Google's "partners" get it but that won't be what's on your phone... By the time Android gets to the consumer it'll have been thoroughly pissed about with by the manufacturer and network operator. Nuisances like PAN may have disappeared and other strange obstacles put in the way of tethering etc. Lots of branding installed. Probably a pot pourri of random crapware. Perhaps even a whole new UI layer. God only knows what else. Cyanogen & friends are more like what you're thinking ... although even then most of the drivers are proprietary.
I was slightly unnerved by the fact that I purchased a new device that then instantly connected to my WiFi... yes convenient perhaps, but I don't recall opting in to having a secret of mine sent across to the web to be stored somewhere I have no control over.
I am currently looking into evaluating all the data that Google has slurped and attempting to turn off what I want to keep private (I say attempting because all of a sudden now photos I take are also automatically being uploaded!!! arrggghhh!!!)
It asks you during the initial configuration, "Backup my settings to Google servers". Since you left it ticked (I think it is ticked by default), that means that any application that's implemented the Backup API has a copy of its data on Google's servers. This could be any and everything so best to disable the option if you're worried.
That said, I have no idea if disabling the option will remove the data already stored on Google's servers. Logically it should, but ...
To be fair, the option isn't very informative as to what is being backed up. Personally I always leave it off because my device has all sorts of passwords to access my network.
"It asks you during the initial configuration, "Backup my settings to Google servers"." - which is good except for when you buy your phone from a place where some clueless dick decides to "help" by "setting it all up for you" - as if you are considered incapable of reading simple instructions despite the fact that the so-called assistant took three attempts to get the SIM inserted correctly despite the fact that it only goes in one way!
Thankfully I knew about Google's opt-in-data-spew so I turned it off the moment the guy handed the phone to me. And set the correct time zone. And changed the PIN from 0000. And turned off auto-sync. Etc.
The NSA a wholly owned subsidiary of Google anyway?
Look, they slurp up information and save it off in farms of zillion byte stores. All of this is ripe for NSA to peer through the looking glass to see what it wants to see.
So, does Google have stock in the NSA, or the other way around? Inquiring minds might never know.
All your (fill in) belong to us!
I've long had this thing. *I* back up my shit. Not somebody else, as I have no clue what they do during and after said backup.
What that means in the real world is, sensitive financial documents are backed up locally to RAID at a minimum storage in my own home. At work, the same or more. SAN gets backed up to SAN, second SAN gets backed up to warm site SAN.
That is true at work as well as at home. The difference between home and work being, my porn collection is worthy of sacrifice, my financials are not, so the latter get backed up. But both start being stored on a RAID 5 minimum storage unit. Backed up to a twin, with different lot numbers for the individual devices.