Mar 29th 2018
Know How... 375
CLOUDy with a Chance of Spying
Hosted by
Fr. Robert Ballecer, SJ,
Steve Gibson
CLOUD act, PGP, Google, Facebook
Although the show is no longer in production, you can enjoy episodes from the TWiT Archives.
Worried about the CLOUD act that was sprung on the American people? Take a deep breath. Hold it. Now let it out and let's talk... Steve Gibson from "Security Now" is my guest to have a serious, NON-PANICKED, conversation about the CLOUD act, what it does, why it does it and what YOU can do to protect yourself and the others in your circle of trust. Trust No One... but listen to us!
CLOUD: "Clarifying Lawful Overseas Use of Data"
US Congress Passes CLOUD Act Hidden in Budget Spending Bill Late last Thursday night the US Congress passed a $1.3 trillion dollar spending bill to keep the US government funded through September.
The photo of the printed legislation is "impressive". I think I recall seeing that it was 2200 pages. It was about an 18-inch high stack sitting on a table next to our president as he announced the bill's successful passage.
However, arguably buried in that Omnibus legislation was the so-called "CLOUD act" where CLOUD stands for Clarifying Lawful Overseas Use of Data. Given that this new legislation was proposed six weeks earlier as a means for dealing with Microsoft's refusal five years ago to turn over US citizen's data residing in Ireland... you can guess what that "clarification" amount to... even if you didn't know that the EFF was glowing a gasket over then-the proposed legislation... which is now the law of the land.
As BleepingComputer put it:
"The unaltered and now official CLOUD Act effectively eliminates the need for search warrants and probable cause for obtaining a US citizen's data stored online. US law enforcement only needs to point to some account and tech companies must abide and provide all the needed details, regardless if the data is stored in the US or overseas."
Further, the bill recognizes foreign law enforcement and allows the US President to sign data-sharing agreements with other countries without congressional oversight. The CLOUD Act will then allow foreign law enforcement to require data on their own citizens stored in the US, also without obtaining a warrant or proving probable cause.
The EFF notes that: "Since there is no more need for a foreign law enforcement agency to obtain US warrants or prove probable cause, this opens the door wide open to political abuses."
The EFF's page makes their feelings clear. It's titled: "A New Backdoor Around the Fourth Amendment: The CLOUD Act" where they explain how this is a backdoor circumvention of the US Constitution's protection against illegal search and seizure.
So... we now have official, warrantless, cross-border data sharing. Many years ago we coined the term TNO for "Trust No One" ...
** From Security Now - Episode 656 **
Let's talk about what's a stake... It's NOT just our email and our files:
We've given A LOT of our personal information to companies like Facebook and Google with the expectation that they'd be responsible with that data.
* The problem is that WE didn't really know what that meant.
* Because MOST of us don't actually understand the amount and type of data being collected
Google is a great example
* You can use "My Activity" to turn off this tracking
** HOWEVER... Google still collects data... they just don't store it for a long period of time.
* Free to try... then $10 a month
* FIPS 140-2 Certification
* HYOK (Hold Your Own Key)
* Works with a multitude of services (Dropbox, Onedrive, Gmail)
• The nature of TNO.
• "By-It-Once" and own it -vs- SaaS service
Once upon a time, these things could be purchased.
Today, most "by it once" solutions are "annual subscriptions."
"BoxCryptor" is a perfect example. It was once a perfect TNO tool. Now it's "a plan" :(
https://www.boxcryptor.com/en/pricing/ Even "AxCrypt" has fallen.
• Whole drive encryption vs File-by-file
"Free client-side encryption for your cloud files. Open source software: No backdoors, no registration."
Per-File encryption
Multiplatform: Windows, Mac, Linux, iOS, Android
"Transparent encryption
Transparent encryption means you will not notice any difference in working with your files. While the vault containing your encrypted data resides somewhere in your cloud folder, Cryptomator provides a virtual hard drive through which you can access your files. You can work on this drive as if it were a conventional USB flash drive.
• TrueCrypt --> Veracrypt
https://www.veracrypt.fr/en/Home.html Free & Open Source
Multiple successful audits
Every reason to believe it's solid
Consider:
Use Veracrypt to create an encrypted volume... which will be a large virtual drive...
Then file delta synchronization to update pieces of the remote file.
See the "news" page to get a sense for Tarsnap's history: https://www.tarsnap.com/news.html Though it's a service, it's pricing is sane:
Storage: 250 picodollars / byte-month of encoded data ($0.25 / GB-month)
Bandwidth: 250 picodollars / byte of encoded data ($0.25 / GB)
• Resources:
Comparison of disk encryption software
* Originally Released in 1991 (But Proprietary)
* OpenPGP released in 1997 (Open Source - has become the standard)
The basics
* Every PGP User has a Public Key and a Private Key
* The Public key is used by OTHER users to encrypt data that I can then UNENCRYPT using my private Key
* If I want to send encrypted data to another user, I need THEIR public key
Signing vs. Encrypting
* By Encrypting, we increase the "Confidentiality" of the data
* By Signing, we increase the "Integrity" of the data (that we know where it came from)
Usage:
* To encrypt, we need a user's Public Key
* We encrypt (and maybe sign) and send to that user
* That user uses their PRIVATE key to decrypt the data
Example:
* Alice wants to send Bob an encrypted message
1. Start with the cleartext message
2. Cleartext is encrypted with Alice's PUBLIC key
3. Encrypted data is encrypted again with Bob's PUBLIC key
4. Encrypted data sent to Bob
5. Bob decrypts with his PRIVATE KEY
6. Bob decrypts with Alice's PUBLIC Key
7. End with Cleartext
Example 2:
* Alice wants to send Bob an encrypted + signed message
1. Start with cleartext message
2. Cleartext is encrypted and SIGNED with Alice's private key
3. Encrypted data is encrypted again with Bob's PUBLIC key
4. Alice's public key is encrypted with Bob's public key and attached to the data
5. Data sent to Bob
6. Bob decrypts attachment with his private key, which gets him Alice's public key
7. Bob decrypts data with his PUBLIC key
8. The decrypted data is further decrypted with Alice's public key (attached)
9. End with Cleartext
I use GoAnywhere OpenPGP Studio
1. Create Key
2. Encrypt a Test File
Let's configure it:
1. Click the "Padlock" icon in the upper right corner of your browser
2. Generate a Key
- Name
- Email
- Password
- Upload your Public key to the Key Server (This doesn't compromise your private Key)
Connect with us!
- Don't forget to check out our large library of projects at https://twit.tv/shows/know-how.
- Join our Google+ Community.
- Tweet at us at @PadreSJ and @TWiT.
Thanks to CacheFly for the bandwidth for this show.