Maybe it doesn't mean what we think it means?

In cryptography, "zero knowledge" means something very different than "service providers cannot access cleartext data". Z.cash is a zero knowledge system and has a good definition of it on its FAQ:

> In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.

> Zero knowledge proofs are a scientific breakthrough in the field of cryptography: they allow you to prove knowledge of some facts about hidden information without revealing that information. The property of allowing both verifiability and privacy of data makes for a strong use case in all kinds of transactions, and we're integrating this concept into a block chain for encrypting the sender address, the recipient address, and the amount. A block chain that encrypts transaction data (making it private) and lacks zero-knowledge proofs also lacks the assurance that all the transactions are valid. This is because the nodes in the network can't determine whether the sender really had that money or whether they previously sent it to someone else, or never had it in the first place. The encrypted data becomes unverifiable by network nodes.

A few cryptographers have noticed SpiderOak's marketing term Zero Knowledge is inconsistent with the academic definition. SpiderOak was one of the first companies to use this phrase commercially and the need has only grown stronger.

At the heart of the issue is the difficulty for end users to decipher the terms cloud vendors use to describe their security. Doing so would require discrimination between transport encryption, data encryption, metadata encryption, encryption at rest vs. in motion, and then most importantly evaluating key management and access. This vocabulary is foreign to most folks. Vendors often exploit the inaccessibility of these topics to make a series of statements that, while often factually correct individually, together create a false sense of privacy.

SpiderOak launched an online backup product for Linux, Mac, and Windows in 2007. The competitors were companies like Xdrive, Mozy, Carbonite and SugarSync. Each claimed that customer data was fully encrypted. Even the most credible journalists writing for well funded publications with fact checking budgets were fooled and repeated these misleading claims to end users.

In 2009 when Dropbox launched, they made misleading claims about the encryption of customer files and their internal ability to access customers' data or provide that data to 3rd parties, leading to a well publicized FTC deceptive trade practices complaint. The deception had been so effective that leading software engineers were shocked to discover Dropbox had full access to the data they had stored online.

In response to customer requests on one of their forums, Mozy explained why it would be "impossible" for a storage service to protect users' privacy by encrypting the file and folder names customers store in a way Mozy could not read. SpiderOak customers had benefited from the impossible for years.

Lately there's a new phrase "customer managed keys" used by cloud providers, which sounds really great, but is typically just elaborate hand waving that ultimately allows the vendor and their staff the same level of data access as if it were not encrypted. Recently Slack made the unbelievable claim on Twitter that their service includes end to end encryption (it doesn't.) Perhaps they mean from your end to their end?

In this special episode of Hak5 the crew heads to Washington DC for ShmooCon, the only annual security conference with complimentary foam balls. We start by talking to Bruce Potter, one of the conference's organizers, about all things Shmoo. We also speak to Billy Hoffman about Jikto, JavaScript and XSS. Eoin Miller and Adair Collins tell us all about Cachedump and the dangers of cached domain credentials. Ken Caruso gives us a tour of the ShmooCon NOC and we see how network security is done at a hacker con. Jordan and Wes give us the details on the Hack or Halo competition while Paul tries his luck with the sniper rifle. Scott Moulton talks to us about recovering dead hard drives and Babak tells us about lock picking and the TOOOL organization. We even run into some Hak5 fans, Ryan and David, who built a rockin' Wii duck hunt box at the Hacker Arcade. Plus all of the usual fixings including the details on this month's trivia, poll, LAN party, and a special web 1.0 contest sure to bring back the blink tag.
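The distinction the SpiderOak post above draws between transport encryption, encryption at rest under a key the provider holds (including the "customer managed keys" arrangement), and encryption under a key the provider never receives can be made concrete by modelling what the service can read in each case. This is an added example, not code from SpiderOak, Mozy, Dropbox or any other vendor named above. The posture names, the `Service` and `Stored` classes, the salt, the passphrase and the sample file name and contents are all constructed for the example, and the HMAC-SHA256 counter keystream is a stand-in for a real AEAD so that the script runs with only the Python standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

SALT = b"example-salt"  # constructed; a real client would use a per-user random salt


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 counter keystream.

    Stand-in for a real AEAD (AES-GCM, XChaCha20-Poly1305) so the example needs no
    third-party package; it has no integrity protection and must not be reused.
    The same function decrypts, since XOR is its own inverse.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt


def client_key_from(secret: bytes) -> bytes:
    """Key derived on the client only; the secret never leaves the user's machine."""
    return hashlib.pbkdf2_hmac("sha256", secret, SALT, 100_000)


@dataclass
class Stored:
    name: bytes            # file/folder name exactly as the service stores it
    body: bytes            # contents exactly as the service stores it
    nonce: bytes
    key_id: Optional[str]  # key needed to decrypt; None means stored in plaintext


@dataclass
class Service:
    """The storage provider. Anything in `keys` is usable by its staff and systems."""
    posture: str           # "transport_only", "provider_key" or "client_key"
    keys: dict = field(default_factory=dict)
    objects: dict = field(default_factory=dict)


def upload(svc: Service, client_secret: bytes, name: str, body: bytes) -> str:
    """Store one object under the service's posture; returns the object id."""
    obj_id = hashlib.sha256(name.encode()).hexdigest()[:8]
    nonce = os.urandom(16)
    if svc.posture == "transport_only":
        # TLS protected the upload in motion; at rest the service holds plaintext.
        svc.objects[obj_id] = Stored(name.encode(), body, nonce, None)
    elif svc.posture == "provider_key":
        # "Encrypted at rest" / "customer managed keys": the service (or its KMS)
        # holds the key and uses it for the customer, so it can equally use it
        # without them. File names stay in plaintext, as the post says Mozy's did.
        key = svc.keys.setdefault("cmk", os.urandom(32))
        svc.objects[obj_id] = Stored(name.encode(), toy_encrypt(key, nonce, body), nonce, "cmk")
    elif svc.posture == "client_key":
        # Name and body are both encrypted on the client under a key the service never sees.
        key = client_key_from(client_secret)
        svc.objects[obj_id] = Stored(toy_encrypt(key, nonce + b"name", name.encode()),
                                     toy_encrypt(key, nonce + b"body", body), nonce, "client")
    else:
        raise ValueError(f"unknown posture {svc.posture!r}")
    return obj_id


def provider_can_read(svc: Service, obj_id: str) -> dict:
    """What the service can recover about an object using only what it holds."""
    o = svc.objects[obj_id]
    if o.key_id is None:
        return {"name": o.name.decode(), "body": o.body, "size": len(o.body)}
    key = svc.keys.get(o.key_id)
    if key is None:
        # Ciphertext only. Size (and in a real service timestamps and access
        # patterns) still leaks: no knowledge of content is not zero metadata.
        return {"name": None, "body": None, "size": len(o.body)}
    return {"name": o.name.decode(), "body": toy_decrypt(key, o.nonce, o.body), "size": len(o.body)}


def client_read(svc: Service, client_secret: bytes, obj_id: str) -> Tuple[str, bytes]:
    """The user's own client decrypting a client_key object."""
    o = svc.objects[obj_id]
    key = client_key_from(client_secret)
    return (toy_decrypt(key, o.nonce + b"name", o.name).decode(),
            toy_decrypt(key, o.nonce + b"body", o.body))


def compare(name: str = "tax-return-2023.pdf",
            body: bytes = b"SSN 000-00-0000 (constructed sample)") -> dict:
    """Upload the same file under each posture and report what the provider sees."""
    secret = b"correct horse battery staple"  # constructed user passphrase
    result = {}
    for posture in ("transport_only", "provider_key", "client_key"):
        svc = Service(posture)
        result[posture] = provider_can_read(svc, upload(svc, secret, name, body))
    return result


if __name__ == "__main__":
    for posture, view in compare().items():
        print(f"{posture:15} name={view['name']!r} body={view['body']!r} size={view['size']}")
```

Running `compare()` shows the provider recovering both the file name and the contents in the first two postures and nothing but the ciphertext length in the third. The length is deliberate: a service that holds no key still sees sizes, timestamps and access patterns, which is why the post separates metadata encryption (file and folder names) from data encryption and treats key management, not the word "encrypted", as the thing to evaluate.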