bjoernvold.com

End to end encrypted cloud services could also be called locally encrypted clouds.

Your data are encrypted and decrypted locally on your box not on the server. This means that your data are pretty safe out there.
Services that offer lost password recovery are already potentially able to decrypt your data on the server. The data may be encrypted there but the cloud people - like Dropbox etc - do have the key to unlock your data.
So your data being encrypted in the cloud is not enough - the encryption must happen on your box - on your end.

That is what end to end encryption does.

Basically this means that the cloud provider must offer you a cloud space where he has absolutely no control over your data and no possibility of reading it.
Most services provide the encryption on the server.

Spider Oak has this Zero Knowledge approach.
Spider Oak will give you a 2 GB free Trial that you can upgrade to 1TB for $12 per month.

Another service that offers true end to end encryption is mega.co.nz
These guys give you 50 GB for free and you can download a browser app for easy access. These guys seem more like genuine privacy advocates.
They Give you 50 GB for free!

Wuala offers end to end encryption.
https://www.wuala.com/

Cryptoheaven offers it too.
http://www.cryptoheaven.com/

I don't think all these services are worth registering for so I will try out MEGA...

I created an account and had to confirm it by e-mail. The good thing is that there is no password recovery which means the MEGA guys have no records of my password that is also my encryption password.

After having confirmed my account I come it too this nice Interface

This seems nice enough and ready to use out of the box.
You can download clients for Windows Mac and Linux directly from the site - there was no Download for Arch but I found megasync in AUR so I will install that...
I installed it and started it and entered the email I registered with at MEGA and the password.
Now I can chose what to sync:

Basically it makes a folder on my home that will be synced with the cloud.
So I accepted the default

That will sync with the MEGAsync folder in the cloud.
Time to drag some content into that directory then...
I dragged over a picture to my local ~/MEGAsync folder and seconds later I could see it on the web interface.

This thing works like a charm and 50 GB is a nice free quota.

It belongs to the story the it is Kim Dot Com who has developed this - and he seems to know his stuff

I have used Megasync for some time now - and I can still recommend it. It is perfect for synking your home and etc or documents.

When you switch computer you can fetch your data from the Mega cloud.

I had a service called Bix here that did the same and provided 16GB but their conditions are that they shall have access to the userdata for service purposes. This includes checking for violation of digital rights.

They are at least honest. They don't have end to end encryption so they can read every thing stored on their servers .- because they have the encryption key there.

From a privacy point of view; that is unaceptable since you would not allow them to check your computer at home.

This condition is simply not possible with end to end encryption since the data on the server are unreadable without the key on your computer - not on the server

The "Digital rights industries" attempts to intimidate Kim Dotcom shows that the privacy part is working. Taking the servers will not work.

Megasync is as safe as it gets in the cloud (which never is a 100% safe).

Do you make your own keys or does Megasync make them for you?
S.

I make the key here so it is generated on my end (here on this computer). Then I need to save it and put it somewhere safe. There is no lost password routine that can work without it.
Basically if you forget your password/key you are scr..... as it should be.

The one thing that really makes Megasync credible is the urge of NZ and US authorities to get at Kim Dotcoms servers. He is not leading Megasync anymore but it was real important to him that he could document that he did not and could not know what was on the servers.
(If they somehow would have access to the keys - then the NSA and NZ government would have taken them without making all that fuzz).
To get to these data they need a Key logger - as the Norwegian Police wants - like this one:



Those data are unreadable to the service personal and since the Keys are not on the server they cannot be "opened" either.

Unlike Dropbox or Bix where they make a major point of the great encryption they have - which is true - 'cept that that door can easily be opened with the keys that they have access to.

I Just had a discussion with the Live chat on Bix

Me: Do you offer end to end encryption for Bix?
Helper:Bix comes with the services so you log in with the passwords you have there.

Me: Yes I get that, but is there a way to encrypt the data so that your service personal cannot read it?
Helper: There is no way we can access those data because they are encrypted

Me: I am specifically talking about Bix - and your service personal can easily read my data by using the key that is on your server. That is why the service personal must respect professional secrecy.
Helper: There is no way w can enter those encrypted data

Me: Yes you can!.. and it is even part of your service terms. This is not that unusual and Dropbox has pretty much the same. Your Terms even demand that your service personal shall access my data in point 1.2:
https://bix.com/en/terms-and-conditions-eur
"Bix also reserves the right to access user data. In such event, the staff
of Bix will be subject to professional secrecy."
Helper:You can encrypt the client or on the server during install.

Me: I realize that this is heavy stuff but I am fuzzy about my data - I think you have answered all my questions - thank you!
Helper: Don't hesitate to call again Have a nice day

This was a friendly guy and the response was fast. But the focus and Knowledge on privacy is pretty much non existent among those who give professional advice.

That is a bit scary.

Hmmm, Mega does not allow any access to their web site without cookies which seems a little excessive for me (I should at least be able to look at their site and evaluate whether or not I want to try their service before I subject myself to tracking). Their "Security & Privacy" page says:

Mega wrote:Q: Is all of my personal information subject to encryption?
A: No. Only file data and file/folder names and attributes are encrypted. Information that we need operational access to, such as your e-mail address, IP address, folder structure, file size/ownership and payment credentials, are stored and processed unencrypted. Please see our privacy policy for details.

Why would they store payment credentials at all?

When I access their home page I see this image

which allows me to "upload" files. When I send files it shows me a "folder structure" and shows me that my file is there. It does not show me any keys whatsoever. Is this because I have not signed up for an account? Does it behave differently if I sign up for an account? Do you have any screenshots or a video of key management inside an account?

S.

Strange... this PCWorld article states:

You will then have to click on a confirmation link you receive via email before you can start using the service.
megaMega creates an encryption key for file management.

Once you confirm and sign in, Mega will create a 2048-bit RSA public/private key pair for the service's encryption features.

and this mashable article states:

After signing up for Mega, the server creates a 2,048-bit public/private key pair. This pair encrypts all access to the Mega servers from your web browser.

Both of which sound like the SERVER (which is owned by Mega of course) is the machine generating the keys. This would be bad. However, the Wikipedia article about Mega says:

Dotcom has said that data on the Mega service will be encrypted client-side using the AES algorithm. Since Mega does not know the encryption keys to uploaded files, they cannot decrypt and view the content.

Which sounds great... but is he still working with Mega? If he isn't (thenextweb.com reference), then he may not know. If he is, then I would want someone other than the primary financial beneficiary of the service to verify that the keys are not generated (or accessible) on the server side. In fact, according to the History section of Mega's Wikipedia page it says:

In July 2015, Dotcom said he doesn't trust Mega service in a Q&A session with tech website Slashdot, claims New Zealand government has control of the site. Dotcom encouraged readers not to use it and plans to release a detailed breakdown of Mega's status, he said in Twitter.[31][32] Mega responded that the authorities have not opposed or interefered with any of Mega’s operations.

When the guy who launched the service doesn't trust it, I at least have to question it. I don't like the idea of generating keys on a machine that I do not have sole control over, and I don't like generating keys in a browser. Whether rumours of a "hostile takeover" are true or not, I'm not so sure I am ready to trust Mega.

S.

The klikk link in mail part is correct. The encryption part is generated partly on the server against a database - there has to be some contact.
Kim Dotcom does still own Mega; I think - his current priority now is to provide secure chat and kick some Skype but.

As I understand it the query logic is performed client-side against encrypted data on a remote server.

Even if the database server is compromised, an attacker will not be able to view the unencrypted data. And that part seems to have been working well with Megasync given the desperate and unsuccessful actions of the government to get access.

Megaupload was seized and shut down early in 2012. This indicates that it was uncontrollable by the government.
One year later Kim Dotcom started the present Megasync - and the US and NZ government hated it

Mega generates a client side export key called MEGA-MASTERKEY that can be used for sharing. You will have to download this and preferably store it on a dongle that is not normally connected to your computer.
This is the weak point! That masterkey may be accessible on your computer - by Mega - and then the decryption will be possible - but only then.
This is disputed by Mega but put in somewhere else than on your computer to make sure...

This is the view on the client that runs as a daemon
Mega puts it's money where the mouth is; if anybody finds and reports a security flaw he will be rewarded up to €10,000 for reporting security problems to Mega.

I cannot see that there is any better cloud out there.

But I will never trust any cloud 100% - nobody should. They may be 100% secure some of the time in some situations. But never all of the time in all situations
And remember Kim Dotcom is a specialist in getting attention so everything he says may not be all that factual but it will sure generate attention...and money.
I think he is somehow making my point too though...

When he states that clouds are insecure; he knows that he is PO the NZ government. They want you to trust it and have you put all your computer data out there for them to check if you are downloading Movies, Music or cheating with taxes.

Kim Dotcoms constant conflict with the US and NZ authorities makes him way more credible than say AT& T's "extreme" willingness to cooperate with the NSA.

Somehow our dear governments have managed to make themselves untrustworthy. Maybe because they are Lying, breaking international conventions, Violating human rights and persecuting whistleblowers and the press for speaking the truth.

The stupid common Joe seems to loose confidence over that....

Web view coming up....


Here I have simply entered the directories from my Home that I wanted to sync/back up. It all works fine,

The only problem is the "show website" button on the client if you have Firefox as the standard Browser - that will not work under Linux and Mega will complain that Firefox is outdated.

Thanks for the screenshots v60... much appreciated. I think I am going to stay away though, it just doesn't look like there is enough key-control for me. When encryption starts to look like "behind the curtain magic" I call shenanigans.
S.