Just read this over 90 Miles:
Former New York City Mayor Rudy Giuliani revealed on Fox News Thursday night that prosecutors in the Justice Department secretly “invaded” his iCloud account and seized privileged documents. Giuliani later tweeted about the potentially illegal surveillance, asking “who else are they spying on? You?”
I have two cloud “backups” which really are nothing more than non-sensitive file repositories I can access anywhere. It is basically stuff I don’t care anybody sees, and a lot of it has already been published by me or somebody else.
The serious stuff and the overall computer backup? A 1 TB portable wired hard drive similar to this baby.
That thing is actually smaller than a slice of bread, and not only do I use it to store the stuff I want to keep confidential, but also as the “startup disk” for my computer. And if that was not enough, we have several thumb drives used for specific items that can later be transferred to the portable HD.
There is plenty of cheap storage that does not require sharing your data with some unknown entity, where it can be accessed by other parties without your permission.
Cloud servers come in lots of different forms. I’ve had “cloud servers” that were my own hardware, on my own internet connections. I’ve had cloud servers that were my hardware sitting in somebody else’s data center. I’ve had cloud servers that were somebody else’s server in their data center but dedicated to me. And the most common today, I’ve had a “virtual private server” which is a set of block storage assigned to a virtual CPU/Memory.
How secure all of that is depends very much on who you are paying, where they are located, and how you set up the servers.
If I have physical control of a device, I can “get into it” and read everything on that device. The only thing that keeps that from happening is to have the contents of the device encrypted.
MOST physical attacks require at least one power cycle. If your data is secured via encryption, and that encryption requires you to provide the key each and every time, power cycling the server means that the encryption key must be provided, and you aren’t willing to do that.
Linode, AWS and most of the other providers that have some way for you to gain access to a server after you’ve lost root access all do it through a shutdown, modify, reboot process. This gives you protection for your data.
The next access point is for somebody to break into your cloud server. This is actually more difficult, in most cases, than breaking into your home/personal computer. This is because your personal computer is not as well protected and is generally not as up-to-date as those cloud servers.
There is another type of cloud storage, backups. The tools that I use encrypt the contents as they are written to cloud storage. This means that even if the bad guys get those backups, it is meaningless to them.
For certain clients, that encryption happens on the client machine, for others it happens on the backup server. The difference is that doing the encryption on the backup server reduces the load on the client machine.
The big downside to “cloud” based servers is that you don’t know when the feds come a looking. They could just present the paperwork to your provider and your provider is required by law to turn over copies of all the bits that you own. If your bits are encrypted, the feds are SOL. If they are in the clear, then the feds have copies and you never know.
I’ve received that paperwork in the past. It always read that I could go to jail if I let my customer/client know that the feds had requested information.
In some cases I’ve cooperated fully with the Feds. Offered them guidance on how to get the info they are looking for. (Kiddy diddler was downloading kiddy porn). In other cases I’ve been less helpful.
The day they asked for all my logs for everybody that logged in over the course of a month, those log files were sent, via fax, after the order was randomized. They got all the data, but not in a useful form. If they had been willing to give me specific time/date IP addresses I could have given them the username and all of said user’s logins, but they didn’t want to do that; they went on a fishing expedition.
VeraCrypt: https://sourceforge.net/projects/veracrypt/
Good point on encryption. A nice option (one I use) is VeraCrypt, a derivative of TrueCrypt. It’s free and open source, so worth trusting. I’m not sure how to use it on a boot disk (that may be an option, I don’t know), but you can easily encrypt a whole disk or a selected part of it and treat the encrypted container as another disk that you can use the same as any other.
Hard drives store data pretty much forever; SSDs such as thumb drives do not. You should plan to power up your SSD storage at least every 6 months or so to give the internal machinery a chance to refresh the storage cells. I don’t know how long that takes; as a guess I’d expect at least a day per terabyte, possibly longer. Some googling might be useful.
You can handle boot “disks” in a couple of ways. One method is to have a boot partition that is in the clear. It loads stuff and executes; before it mounts the root disk, it prompts for the decryption key for the root drive.
The other method, which I prefer, is that the root drive is not encrypted. This allows me to boot unattended. Once booted, I can use an encrypted path to the server to complete the boot process of mounting data drives and providing keying material to do so.
Part of that process is that I run a tool on my local machine that “proves” to me that nothing has changed on the root drive that would compromise the process of providing keying material to the server.
(Short version: we upload a statically linked version of shasum to the server and then execute it, providing a list of files to hash. Those hashes are processed back on my local machine to verify that nothing has changed. Then, and only then, does the process of mounting encrypted block devices proceed. There are tools that help with this, such as tripwire.)
It is complex, but once you have it all set up, it is pretty secure.
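The local-side half of the check described in that comment, as an added example and not the commenter's own tooling: a trusted baseline of SHA-256 digests is recorded once, the server's `shasum -a 256`-style output (`<hex>  <path>` per line) is parsed on the local machine, and keying material is released only when every baseline file matches and none is missing. The file names, contents and the "server output" strings below are constructed for the demonstration; the hashing is done locally to stand in for the remote run.

```python
"""Verify a remote host's boot-critical files against a locally held baseline
before releasing keys. Added example; file names and contents are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record trusted digests for the files the boot process relies on."""
    return {p: sha256_file(p) for p in paths}


def parse_shasum_output(text):
    """Parse shasum/sha256sum output lines into {path: hexdigest}."""
    reported = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Format is "<hex>  <path>"; a leading '*' on the path marks binary mode.
        digest, _, path = line.partition("  ")
        path = path.lstrip("*")
        if len(digest) != 64 or not path:
            raise ValueError(f"malformed shasum line: {line!r}")
        reported[path] = digest.lower()
    return reported


def verify(baseline, reported):
    """Compare server-reported digests to the baseline; any deviation fails.
    Files present on the server but absent from the baseline are ignored here,
    since the baseline lists exactly the files the key-release path depends on."""
    changed = sorted(p for p in baseline if p in reported and reported[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in reported)
    return {"ok": not changed and not missing, "changed": changed, "missing": missing}


def may_release_keys(result):
    """Gate: keying material goes to the server only on a fully clean check."""
    return result["ok"]


def demo():
    """Constructed scenario: a clean check passes, a tampered script blocks key release."""
    with tempfile.TemporaryDirectory() as d:
        files = {}
        for name, body in (("sbin/init", b"#!/bin/sh\nexec /real/init\n"),
                           ("usr/bin/ssh", b"binary-placeholder"),
                           ("etc/mount-data.sh", b"#!/bin/sh\n# mounts encrypted volumes\n")):
            p = os.path.join(d, name)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(body)
            files[name] = p
        baseline = build_baseline(files.values())

        # Stand-in for the server's shasum output over the unchanged files.
        clean_output = "\n".join(f"{sha256_file(p)}  {p}" for p in files.values())
        clean = verify(baseline, parse_shasum_output(clean_output))

        # Now the script that handles keying material has been modified on the server.
        with open(files["etc/mount-data.sh"], "ab") as f:
            f.write(b"# tampered\n")
        tampered_output = "\n".join(f"{sha256_file(p)}  {p}" for p in files.values())
        tampered = verify(baseline, parse_shasum_output(tampered_output))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean check releases keys:", may_release_keys(clean))
    print("tampered check releases keys:", may_release_keys(tampered), tampered)
```

The baseline must live on the local machine, never on the server being checked, and the uploaded shasum binary should itself be hashed and compared before its output is trusted; otherwise a modified root drive could simply report whatever digests it likes.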
“I’m not sure how to use it on a boot disk (that may be an option, I don’t know)” I’ve done that with TrueCrypt, not yet with VeraCrypt (the successor product). My recollection is, it wasn’t difficult. Just make sure you make the bootable ISO for recovery.
I’m mostly Linux now, and full disk encryption for that is an easy option, out of the box, these days. (A small unencrypted boot partition is made.)
Yes but there still needs to be a VALID legal reason for LE to get it.
Abuse of power
Unfortunately, Apple is making it harder and harder to use their devices without some form of connection to the Cloud. Grrrrrrr.
Don’t. Want. Cloud!
Not just Apple.
Just be sure that your drive has more than 1 copy. I got hit with ransomware last year.
The other useful advice: if at all possible, don’t run Windows.
That didn’t help. My disk server ran Linux.
Ransomware on Linux??? Or did you have a Windows client accessing that server and it’s the client that was the virus vector?
It was the ech0raix ransomware that targeted Linux based QNAP NAS systems. I lost several TB of data.
You might consider an ironkey for a flash drive.
https://www.amazon.com/s?k=ironkey&ref=nb_sb_noss_1
Or another encrypted thumb, in case the goons come knocking.
My guess is that the FBI is treating the Cloud as abandoned property.
Plz encrypt. There are a variety of private cloud options as well. Syncthing, Nextcloud, etc. The new Mega from Kim Dotcom is attractive since everything is supposedly encrypted and accessible only to you, but I haven’t tried the service myself.