Yum Yum, go Google!
Bring on the downvotes
Never one to miss out on an up-and-coming tech trend, Google is all set to launch its very own cloud storage service, competing with the likes of Dropbox, Microsoft and Apple. People familiar with the matter were unable to keep schtum and spilled to the Wall Street Journal (paywall), telling it that the Chocolate Factory's new …
One of the biggest failings of Dropbox is that there is no encryption baked into it. i.e. you cannot tell Dropbox that one folder is encrypted and everything inside should always be encrypted / decrypted transparently as it is sent or received from their servers.
Data is stored as plaintext which might allow them to do some redundancy tricks (e.g. if 1000 users have fedora-linux-16-x86.iso on their account then they need only store 1 copy) but its horribly insecure. So when Dropbox gets hacked, as it has in the past, it potentially exposed everything on their service. The only way to do crypto is storing stuff in an encrypted archive or a truecrypt volume or similar none of which is ideal for obvious reasons.
I hope Google have the cop-on to realise they need this. It doesn't mean encrypted storage has to be the default behaviour but it should be there as an option. With no recovery key either.
Just use it with TrueCrypt and make sure your password is really secure. Something like
7498-8767-7823-9552-8653-8452-6659-3289-3669-2558
You will need in the order of 128 bits of entropy to make the key truely secure, which means about 40 decimals of true randomness.
http://www.truecrypt.org/
Regarding the Truecrypt approach isn't it rather inefficient to create a Truecrypt file to store files in on your cloud storage and then every time you change a single file the whole massive Truecrypt file has to be uploaded again to be in-sync?
Is this the way it works or does it realise that only certain bits of the Truecrypt file has changed?
For that reason I use Boxcryptor with Dropbox as it just encrypts individual files.
It would be nice if these services provided "client side" encryption by default. Yes I know its encrypted at the server end but its well known that Dropbox employees can get at those files if they needed to.
I love Truecrypt, but it's got issues in that space. For example, I use an encrypted TC container file which is mounted when needed. The size and timestamp of that file never changes for security reasons, so I hardly trust my backup software to clue in that the contents have changed and that it should therefore copy the file to my backup location.
My solution to date has been to copy the TC file to a USB key, it's small enough for that.
If gDrive allows us to mount their drive could we not rsync the changes between the local TC and the remote TC? Thus limiting exchanges to strictly the changes? Plus, I'd want to unmount the remote TC file when done.
You could make the password 2000 characters and it still wouldn't be secure. The reason being that DropBox stores your data in a format which allows their administrators, or the court to access it. Sometimes even hackers. This has all been hashed over before - DropBox admitted they stored data in a manner which was essentially plain text. Worse, in one incident their login servers broke and there was a period of time where you could log into any DropBox account with *any* password. At least encryption would protect against screwups.
Regarding Truecrypt yes its horribly inefficient. If you have a 100MB volume then you are syncing a 100MB file every time it changes, possibly continuously. So only is it a huge pain to do but it's inefficient to boot. If I need to encrypt on DropBox its easier to use 7-zip but that still is not without its own issues.
If a cloud service allowed me to designate that particular folders were password protected and required me to supply the password (or for the client to remember it) then encryption would be transparent. I would drag files into the folder, the client would encrypt them before syncing and it would be decrypt files when syncing in the other direction. The cloud would store encrypted data that even DropBox admins couldn't read. The client could warn that by encrypting a folder it might become inaccessible through certain clients (e.g. web or Android / iPad) plus dire warnings about losing data if you lose the password but it would otherwise work transparently.
I really can't see any reason it shouldn't be done for those who wish it. Who knows perhaps they'd even get some people to pay for a "pro" account if the encryption was enabled in that but not the free edition.
Maybe they'll use convergent encryption like BitCasa. If I were me and I was implementing a cloud storage service, that's what I'd do. Alternatively, encryption could be full-fat (not convergent, as there are a few drawbacks from the user's point of view) but only available as a 'pro' option you have to pay for.
Encrypted/decrypted at the client, versioned backups and all the other features of the rest. It's the only one I'd consider paying for, and possibly necessary since the 2GB free account is a little low.
OT, but does Skydrive still only allow uploads in 50MB chunks? That's one sure way of ensuring nobody uses all 25GB.
There's the flipside to this - it was a feature, for a long while. If a file was already in the Dropbox cloud, you could upload it in a fraction of a second, because your client would just say "I have a file that matches the hash for fedora-linux-16-x86.iso", and the server would say "Already have that one, thanks".
Alas, the content sharing community managed to hack this with a client that just told the server you had a file with the hash for "Latest Hollywood Blockbuster.mp4", which meant that suddenly Dropbox became a file-sharing server ; one person would upload it, and everyone else could copy the hash into their Dropbox folder and download the file. Dropbox, not wanting to be treated like MegaUpload, rapidly nixed this "emergent feature".
"Although no one could say that Google hasn't come up with some nifty ideas of its own, it does have a tendency to have a wee glance around the market to check out what people are liking and then come up with its own version of it."
-- which isn't actually that bad as you get a good quality service that integrates seamlessly with your other Gstuff and will work on just about any platform.
While not virulently anti-Google, I'm struggling to come up with many. PageRank, I'll grant you, but after that? <scratches head>
Internet search engine - no
Targeted Internet adverts - no
Linux-based phone OS - no
Chrome - maybe, but somewhat derivative and I'm not sure it qualifies as 'nifty'
I actually think Google have a long way to go before they can claim there myriad of services are truly integrated. Connected perhaps, but not integrated.
Wilst they've made big strides in this recently it's still far from perfect. I have use many different services from Google, but other than a common login many of them are completely separate. Language settings being one REALLY annoying "feature" that Google as simply yet to solve.
I'm hoping Google raise the bar somewhat on the space allocated to free accounts, which should result in a better offering from Dropbox.
Then I may actually bother to use one of these services.
Being a web dev and somewhat geeky, I have plenty of web space available to me already, but it starts getting damn expensive when you want to store RAW photo data!
Then again, do I really trust a *free* account with my data? - will they change the Ts&Cs at some point and claim rights to my content?
I wonder how Google intend to prevent individuals signing up to multiple free storage accounts? - currently, you can create as many Google accounts as you wish to.
I suspect it'll be tied down to mobile phone numbers, a code is TEXT'd (the same way signing up for analytics is currently done) to enable the account.
@ Matt 89:
"I wonder how Google intend to prevent individuals signing up to multiple free storage accounts? - currently, you can create as many Google accounts as you wish to."
Isn't this where the so-called "security feature" which is authentication by phone comes in?
I can have as many browsers in VMs I want to keep other data separate, but I don't have a fleet of phone numbers to match.
I'd prefer the Google approach (subtle side-bar ads relevant to the context), to the Microsoft approach....
* Clippy appears *
"It seems you are about to have a w**k. Would you like some help with that? How about :-
* Call Customer Support over VoIP, now with a "Personal satisfaction" script
* View the latest webcam footage from Steve Ballmer's Palace of Love
* Buy some Micro-soft tissues
"
For those who already have gmail accounts (presumably large %age of folk on here), just use one of the programmes set up to use your Gmail storage as a drive - e.g. Gmail Drive - http://www.filehippo.com/download_gmail_drive/download/4c07cc67ebeb90d2b8cbbb28f7e4fcdf/
Very simple to use, you already have 7GB to play with (less emails), you can monitor spare space, you have the login info, presumably their email systems are encrypted, etc.
Once you've set it up on 1 pc, simply drop the installer into you gmail drive folder, then if you want to install on another, its easy enough to find - simply search your gmail for the file.
Admittedly, the official way of doing things will probably bit a bit more versatile and cross platform friendly!
All this Dropbox, Skydrive, Gmail ranting. Why not use Spideroak - it's secure, the client is open source, it allows per folder syncing meaning I don't have to dedicate an arbitrary folder to share stuff in, I can select pre-existing folders.
What's more you can get up to 50GB free through referrals!
Knock yourselves out: https://spideroak.com/
(I'm in no way affiliated with spideroak, but have used them for a couple of years and find their product and service excellent. I used to use Dropbox but lost faith in the way they handled their rather public muck-ups, which everyone else seems to have forgotten)