This has been becoming more and more of a concern to me as it’s getting harder to deal with.
I thought this could be something that people could contribute to.
Something that REALLY caught my eye recently was that an IT virus expert deliberately created an encrypted container and placed a virus within it and then uploaded the encrypted container to a cloud provider.
The part that makes it scary is that the cloud provider was able to detect the virus with the encrypted container and deleted the file. This means the cloud provider was able to decrypt the container and detect that a virus was within the container… It’s safe to assume the IT virus expert used a sturdy password to protect it.
Personally I’m fine with carrying around a USB stick with my data on it, but it’s getting harder to avoid cloud “Features”. I don’t even have an offline Notes App on my newest phone while the old one I had from 8+ years ago came with an offline Notes App…
Also, I’ve been looking at the “DIY Cloud Home” solutions and they seem great as well as opposed to uploading personal and private user data to a cloud provider on the Internet.
There’s too little info here to draw a conclusion on what actually happened
Self-hosted cloud stuff is very hit or miss when it comes to security, not to mention needing to have some idea of what you’re doing if you do host these services. A better solution is to avoid online services that don’t use e2ee when handling sensitive data, and use cryptomator (one of the tools recommended by PG) for anything you do have to (or want to) store with consumer cloud storage providers.
I agree with @pinkandwhite. Microsoft did decrypt some malware that was in an encrypted ZIP file that was share by one security researcher with another because the password for it was found either in an email or with the file. So it has happened before, which really annoyed the researcher. But anything other than that isn’t known. Google flags them to warn the recipient it that it may be malicious, but doesn’t seem to scan them and block them.
And yes, self-hosting can be tricky. That’s why I still use Apple’s iCloud but with Advanced Data Protection enabled. I cannot give any help with self-hosting as I don’t do it myself and don’t want to give any wrong information.
I ought to have been more clearer. When I said “DIY” home servers I didn’t mean for users to literally build their own home server software, but to use open source pre-packaged solutions like these which are very popular and have a great deal of documentation:
No, you were clear, and I do mean that those pre-packaged FOSS/OSS solutions can be hit or miss when it comes to security – FOSS doesn’t necessarily imply great security, remember. And that’s not even getting into misconfiguration by someone inexperienced, it’s something I’ve been guilty of myself while learning
It’s the same reason why many people on the Bitwarden subreddit/forum recommend most people just to use Bitwarden’s servers rather than their own using Vaultwarden. Yes it’s hosted on a server that you don’t control and is definitely a much bigger target than your own server, but they have protections in place, a bigger team and they get audited, all of which are things that someone who did their own stuff at home wouldn’t have.
It is definitely much easier either using a cloud service that uses zero-knowledge encryption or encrypting files yourself before putting them on iCloud (or enable Advanced Data Protection), Google Drive or Dropbox.
Alternatively you just store everything locally, which is what humans have done for millennia (obviously as the World Wide Web was only invented in 1989 and made public in 1991). And it was something most people had to do in the early days of the internet as not everyone could use cloud storage. Google Drive, iCloud Drive and Dropbox brought that to the masses and made it very easy.
I’ve been learning about iCloud’s “Advanced Data Protection” and it looks great, but I have old Apple devices that don’t support it, which means I’ll only have a couple devices that can access my iCloud files.
The other that sucks is that if you enable it you also lose the ability to access your data at icloud.com
It’s important for me to respond to this directly.
Think of it this way: using Cryptomator or something similar, you encrypt a PDF file that contains your personal and private data and then upload it to a mainstream cloud provider.
Once the file is on the cloud provider’s it can then be decrypted by an endless amount of computing power that the mainstream cloud providers have access to.
This endless amount of computing power can be used to decrypt your PDF file. Think of all the devices around the world trying to break your encryption…
That assumes that Big Tech Company™️will actually direct all that compute at one specific file and that whatever encryption scheme you use (AES-256 in the case of Cryptomator, for example) can even feasibly be cracked with lots of compute anyway.
My educated guess is that no, any given Big Tech™️will not direct all that compute towards a specific file because they make way more money renting that compute out as GCP/AWS/Azure and that no, it’s not feasible to crack AES-256 otherwise the three letter agencies would do it all the time since they also have the money for bucketloads of compute.
I agree it’s unlikely anyone will actually try to crack your encrypted file in the cloud unless you are a very high profile target. Just be aware that if you live in a jurisdiction where you can be compelled by law to decrypt files on demand, having the file in the cloud in the first place makes it available to this kind of demand and you have to assume the authorities have it available indefinitely even if you delete it.
