The problem with online backup solutions

Story: 7 of the Best Free Linux Online Backup Solutions
Total Replies: 15
caitlyn

Oct 24, 2010
12:55 PM EDT
The problem with online backup solutions is somebody else ends up controlling your data. As we have seen with recent breaches of privacy by Google and Facebook, you have to assume any such data can be mined and sold. You have to assume that their security may be breached and someone may steal your data. Thanks but no thanks.

I'm all for off site backups, preferably on a server I have control over. Granted, if I place a server in a colocation facility or rent a managed server there is some risk that the hosting company may fail in all the same ways. However, I do have the ability to secure my data to whatever extent I deem appropriate. That is as close to an online backup as I am willing to go.
tuxchick

Oct 24, 2010
3:15 PM EDT
Spideroak can't see your data because you get a unique encryption key. If you lose your password you lose all access to your backups. I use them and like them a lot; it is easy to set up both shared and private directories, and they don't care how many people you share your account with.
rijelkentaurus

Oct 24, 2010
9:13 PM EDT
There is a term for that, TC, don't recall what it is right now, but it is a requirement for offsite storage of sensitive personal and financial data that must meet guidelines (SOX, credit card info, etc.) that the offsite storage provider not have access to the encryption keys. I have also used SpiderOak and found it pretty nice, especially since I had the data of 5 computers on the one account since the total was less than one hundred gigs.
Steven_Rosenber

Oct 25, 2010
12:58 AM EDT
I'm glad to see a report on Spideroak. Their offer seemed on the "too good to be true" side. There is at least one distribution offering Spideroak in its default. I can't remember which one, though.
bigg

Oct 25, 2010
6:25 AM EDT
But how do they show you that they don't have access to your data? How does a company even know what is going on? It's not just dishonest employees, though they exist. Look at the information Google's Streetmaps had access to and nobody in the company even knew it. And is it really the case that your password can't be changed? I'm skeptical. All anyone can say is that the company claims you are the only one with access to your data.
gus3

Oct 25, 2010
11:38 AM EDT
Just for the record, I know such a cross-platform setup is possible, and workable, because I worked with one for 2-1/2 years.
azerthoth

Oct 25, 2010
12:29 PM EDT
bigg, that's the tricky part, 1: how much do you trust and 2: proving a negative. I'll stick with my own backups for myself.
caitlyn

Oct 25, 2010
12:37 PM EDT
I agree with azerthoth and bigg 100%. Spideroak may well be the best solution out there for those who absolutely need an online backup solution. There are other solutions available to me and my business that I trust more.
tuxchick

Oct 25, 2010
12:54 PM EDT
You can also be unrealistically cautious. Spideroak would have to run an elaborate and sophisticated scam to defeat their customers generating their own encryption keys and passwords. I don't know why they would want to in any case, since most folks give up their personal stuff without a second thought. I've also read tales of renting space from services like Amazon's EC2 and encrypting your stuff. At worst they can delete your data.

rijelkentaurus, I think the term you're looking for is "zero knowledge." Dropbox and other online backup services also offer zero-knowledge encrypted backups.
azerthoth

Oct 25, 2010
1:28 PM EDT
TC, not that I am claiming that Spideroak or anyone is actually doing this, but it's the work of moments for many here to put a password/encryption key interface on the user end and make it look legit while in actuality it has zero effect on the server end. Easier actually than having to actually make it work properly on both ends.

So it does devolve to trust and proving the negative IMHO. I am sure that they are doing exactly what they claim, but for the most part I have trust issues when it comes to my data and the corp-rat mind set. For me, the cost of high capacity USB hard drives is sufficiently low, and the form factor sufficiently small, as to let me keep backups for several systems in a fairly small fireproof safe.
caitlyn

Oct 25, 2010
1:35 PM EDT
TC, I agree the level of risk with Spideroak or a service that does essentially the same thing is small but, as az points out, it isn't zero. I have to have a colocated server for my business anyway so I have two geographically distinct locations. Using the existing backup solutions adds zero cost for me so even a tiny added risk (and cost) of an online service simply makes no sense. I suspect that is true of many businesses.
hkwint

Oct 25, 2010
7:58 PM EDT
I guess, for some companies, losing their data is more costly than someone else illegitimately copying their data without consent.
gus3

Oct 25, 2010
9:02 PM EDT
@hkwint, the same term generally refers to both events. "Lost data" refers to data over which the proper owner has lost control. Can't get to it, or can't prevent others from getting to it.

If it's stolen, but encrypted (preferably with multiple keys over many files), so what? Recover the encrypted data from backup, you still have your key(s), and you're as good as your most recent backup.

OTOH, look up CardSystems to see what happens to someone who loses control of data that isn't encrypted.
caitlyn

Oct 25, 2010
9:48 PM EDT
...and we all know that encryption can absolutely never, ever be broken, even if someone is determined and has huge resources to throw at the problem.
gus3

Oct 25, 2010
10:22 PM EDT
That's a fair point. With 8,192-bit encryption on today's hardware, it would have to be a huge stroke of luck to find the key before the data becomes essentially worthless. That's part of the advantage of multiple keys over multiple files: a database log file should use one key, the schema another, and the main DB yet another. Only with all 3 keys can one have full access to the data; an outside file structure analysis program may (or may not) be able to find which X-ray images correspond to which patient IDs.

But not to worry. As hardware improves, and today's keys become more susceptible to discovery, the same improved hardware will support stronger encryption algorithms and longer keys.
hkwint

Oct 26, 2010
5:41 PM EDT
Once, I made some calculations on 256 bit AES. There are 2^256 possible keys, which can be written as 10^77.

Imagine all Top 500 supercomputers being as fast as Chinese Nebulae (no. 1), running at max speed (3 PFlop) and being able to test one key per flop: it would still take 10^52 years (or something) to brute-force the password.

Given earth ceases to exist somewhere within 10^9 years, I'd say brute-forcing is not an option - even for the most determined. Especially not with layered encryption schemes.

So if you use a truly random password, about the only thing you'd have to ask yourself is: Do you trust Belgians?
