kurtiigeek.com: free tech knowledge

Online/Cloud Backup Solutions – Part #3: Trust No One

In yesterday’s tech news, Dropbox, a popular cloud storage service, came under fire for a recent change to its Terms of Service (TOS). In short, the TOS now states that if the government asks with valid legal process, Dropbox will hand over your data, decrypted:

“As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”

The interesting part to all this is that Dropbox had previously stated:

“Dropbox employees aren’t able to access user files.”

Well, if no employee can access a user’s files, how can Dropbox give up a user’s unencrypted data to the government? Yesterday Dropbox reworded the previous statement to:

“Dropbox employees are prohibited from accessing user files.”

It should be extremely clear that Dropbox does in fact have a way to decrypt your data without user intervention: the files are encrypted on Dropbox’s servers with keys that Dropbox holds, which protects you against a stolen disk but not against Dropbox itself or anyone who can compel it. I’m not saying they will, just that it’s possible. So is Dropbox the only company doing this? It appears not. In yesterday’s statement Dropbox also said:

“Like all U.S. companies, Dropbox must follow U.S. law. Our Terms of Service have always stated that Dropbox must comply with law enforcement officials, but as the popularity of Dropbox has grown rapidly, we’ve gotten an increasing number of questions from users about how we do this. The TOS update was merely a clarification for users, not a policy update — we will fight vigorously for user privacy. It is also worth noting that all companies that store user data (Google, Amazon, etc.) are not above the law and must comply with court orders and have similar statements in their respective terms of service.”

From the very first sentence I gather that every U.S. provider can be compelled to hand over whatever it holds. If the provider holds the encryption key, as Dropbox does, that means your decrypted files; a provider that never sees your key can only hand over ciphertext. This raises the question, “Can I trust my private/sensitive data to any of these online backup providers as they come out of the box?”. The answer is a resounding “No!”.

If you want to back up non-sensitive data, say pictures or media you have the rights to, that you do not want to lose, then by all means use an online backup provider. If it’s sensitive data you want to back up, you still have some options:

  • Use an online backup provider, but pre-encrypt the data yourself with TrueCrypt or something comparable before uploading to the cloud, and keep the passphrase off the cloud. The provider then stores only ciphertext and has nothing it could decrypt for anyone.
  • Use JungleDisk, which encrypts your data on your own machine before uploading it to Amazon S3 or Rackspace. JungleDisk manages your files much like Dropbox does, but with many more options. S3 and Rackspace are raw cloud storage services that do not encrypt your data themselves and that you pay for separately, on top of the JungleDisk fee.
  • Encrypt your data and store it on an external storage device (hard drive, USB stick, flash memory) kept in a fire safe. Remember the point of Part #1, though: a copy in the same building as the original is still one disaster away from being lost, so keep another copy somewhere else.

To summarize, trust no one.

Online/Cloud Backup Solutions – Part #2: Security

The first part of this 2 part series discussed the reasons for backing up your data to the cloud, and made reference to an article outlining the most popular online backup services. This next part will dive into whether or not these services handle your data securely. If you are concerned about your data, whether photos, music, documents, videos, etc., and you want to keep it from prying eyes, then you want to make sure these online backup services encrypt your data before storing it, and ideally before it ever leaves your machine.

Here is what you need to look for in an online backup provider:

  • Data is encrypted at rest and NOT stored in plain text.
  • Secure transmission of data via SSL/TLS (https).
  • For the paranoid – You are given the option to control your own private key (the providers’ term for the encryption key), rather than having the provider generate and hold it for you.

The files on your computer are stored unencrypted. To keep someone or something from opening them once they are out of your hands, they need to be encrypted before being transferred to an online backup provider. Once that is done, the second point may seem moot, since the data is already encrypted, but the connection still carries your login credentials, file names and file sizes, so insist on https anyway.

The third point is more technical, but not a hard concept. The data is encrypted with a secret key (the providers call it your ‘private key’), usually derived from a password or passphrase, and that key is the only way to turn the data back into its native form. If you control the key, you are the only one who should have access to it. If you let one of the backup providers store the key for you, you are trusting them not to lose it, not to use it, and not to be compelled to use it. “How would they lose something like that?” you may ask. If their machines are compromised and the keys are not themselves encrypted, an attacker has access to everything. If the keys are encrypted, a disgruntled employee with access to the master key that decrypts the set of customer keys can just as easily get at your data, and so can the provider itself when a court orders it to.

For the extreme security freak (which is not a bad thing), encrypt your data yourself before it is transferred. You can do this with TrueCrypt (TrueCrypt has since been discontinued; VeraCrypt is its maintained fork). This gives you complete control over the encryption and decryption of your data, and if any of it was compromised at the provider it would be useless to the attacker, who would not have the key. The flip side is that nobody can reset your passphrase for you: a lost key means a lost backup, so store the passphrase somewhere safe that is not the cloud account it protects.
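To make the key-custody argument above concrete, and the “pre-encrypt before uploading” option from Part #3, here is an added example written for this page; it is not code from TrueCrypt, JungleDisk or any provider in the chart. It encrypts files on the client with a key derived from a passphrase, then contrasts what the provider can read when the user holds the key against what it can read when it holds (escrows) the key itself. Python’s standard library has no AES, so the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC; that construction, the 200,000 PBKDF2 rounds, the field layout and the sample file names and contents are all my choices for the demonstration, not anything the post specifies. For real backups use a vetted tool.

```python
"""Client-side ("pre-") encryption versus provider-held keys, stdlib only.

Added example for this post, not code from any provider named here. The
cipher is a PRF counter-mode stream (HMAC-SHA256 keystream) with
encrypt-then-MAC, used only because Python's standard library has no AES;
for a real backup use TrueCrypt, gpg or a comparable vetted tool. The point
demonstrated is custody: whoever holds the key can read the backup.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 200_000   # assumed work factor, not a value from the post


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into 64 bytes and split into encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate HMAC-SHA256(key, nonce || counter) blocks until `length` bytes exist."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag, with a fresh salt and nonce per call."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong key or any tampering raises."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be valid")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# The two custody models from the post. Each returns what ends up on the provider's disks.
def backup_user_held_key(files: dict[str, bytes], passphrase: str) -> dict:
    """Pre-encrypt on your own machine. Only ciphertext is uploaded; the passphrase stays home."""
    return {"escrowed_key": None,
            "objects": {name: encrypt(passphrase, data) for name, data in files.items()}}


def backup_provider_held_key(files: dict[str, bytes]) -> dict:
    """Provider-managed key: the provider generates the key and keeps it beside the data."""
    key = secrets.token_hex(32)
    return {"escrowed_key": key,
            "objects": {name: encrypt(key, data) for name, data in files.items()}}


def read_as_provider(store: dict) -> dict[str, bytes]:
    """Everything an insider, an intruder with a copy of the provider's storage, or the
    provider answering a court order can recover from that storage."""
    key = store["escrowed_key"]
    if key is None:          # user-held key: there is nothing here to decrypt with
        return {}
    return {name: decrypt(key, blob) for name, blob in store["objects"].items()}


if __name__ == "__main__":
    docs = {"taxes-2010.pdf": b"constructed sample: 2010 return",      # constructed, not real files
            "photo.jpg": b"\xff\xd8constructed jpeg bytes"}
    passphrase = "correct horse battery staple"   # never uploaded; lives only with the owner
    mine, theirs = backup_user_held_key(docs, passphrase), backup_provider_held_key(docs)
    print("readable from user-held-key store:    ", read_as_provider(mine))
    print("readable from provider-held-key store:", read_as_provider(theirs))
    print("owner restores:", decrypt(passphrase, mine["objects"]["taxes-2010.pdf"]))
```

`read_as_provider` is the whole argument in one function: with an escrowed key the provider’s storage decrypts itself, with a user-held key the same storage yields nothing. Note also what `decrypt` does not do: it never tries to recover a lost passphrase, which is the price of the user-held model the post recommends.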

Most, if not all, of these services tout security and display buzzwords such as “Secure” or “SSL”, but beyond that it took me some effort to locate their security policies. Below is a chart outlining each backup provider. Disclaimer: please verify a company’s security policy on your own before choosing one. The links/data provided below were accurate as of 4/18/2011 and are subject to change.

Provider           | Encrypted | Optional Private Key Control | 3rd Party Encryption Required
SOS Online Backup  | YES       | YES                          | NO
Carbonite          | YES       | YES                          | NO
CrashPlan          | YES       | YES                          | NO
IDrive             | YES       | YES                          | NO
MiMedia            | YES       | ?                            | NO
Mozy               | YES       | YES                          | NO
Nomadesk           | YES       | N/A                          | NO
Amazon S3          | NO        | NO                           | YES (Jungle Disk)
Rackspace          | NO        | NO                           | YES (Jungle Disk)

Online/Cloud Backup Solutions – Part #1

It is clear in this day and age that keeping a copy of your digital files is a no-brainer. There is no way to guarantee your pictures, documents, videos, or music will not be lost if you only have a single copy. With a second or third copy the odds of losing all your files drop drastically, as long as those copies are not stored in the same place. Here is where online backups come into play. There is a slew of online services that will gladly store your precious files in their data centers, and all you have to do is pick which one you want to give your money to. So which one is the best? Or which one is the cheapest? The answer to both is: it depends. Some services charge per unit of storage (usually per GB), which affects the cost. Others charge a flat monthly fee with a cap on how much you can store, and others offer “unlimited” storage. Another issue with most of these services is that they limit the number of computers you can back up. Some allow only 1 PC per account, while others allow 5 or more. Also be aware that most, if not all, support Windows but may lack Mac or Linux support.

PCMag has a great article, with plenty of information on each service including a pricing scenario to help you better decide which plan might best fit your needs. Go read up and stay tuned for Part #2 where I will write about how to securely store your files using these services. They all say “secure”, but what does that really mean? Are your files being transferred securely? Are they being stored securely? Answers to come shortly.

Secure Gmail the Right Way

First lets list the reasons as to why you should properly secure your email account:

  • To protect private information. Lots of people go paperless, and therefore have bank account statements, credit card statements, tax returns, and other sensitive information that should be kept private.
  • To protect your contacts. Your contacts are usually people you trust and you want them to trust you. If your account is compromised, the attacker can solicit your contacts with potentially malicious emails or perhaps send off your list of contacts to a third party for who-knows-what purpose. If this happens, your contacts might not trust you anymore.

Most, if not all, users would agree with the above reasons, but it’s clear the standard username/password combination is a bit archaic. So what can you do to ensure your account is secure? There are a few critical, yet easy, changes you need to make.

  1. After logging in to your Gmail account, click on the gear in the top right corner next to your profile name, and then click “Mail settings”. Make sure the “General” tab is selected and locate the section labeled “Browser connection”. Make sure “Always use https” is selected. When you’re done, click the “Save Changes” button at the bottom. Using https means that everything between your browser and Google’s servers is encrypted, so someone on the same Wi-Fi network or on the path to Google cannot read your mail or steal your session cookie. It is not end-to-end encryption: Google still has the plaintext, and so does the recipient’s mail provider. See [Fig. 1].
    Secure Gmail Settings [Fig. 1]
  2. Similar to the previous step, locate the section labeled “External content” (it should be just above “Browser connection”), and make sure “Ask before displaying external content” is selected. When you’re done, click the “Save Changes” button at the bottom. External content (images, HTML, Flash, etc.) is nice sometimes, but cannot be trusted, especially from senders you don’t know: a remote image is fetched from the sender’s server the moment you open the message, which tells them that you opened it, when, and from what IP address.
  3. Enable “2-Step Verification”. This feature is awesome and I highly recommend turning it on. 2-Step Verification adds an extra method of authentication when you attempt to log in. The first being your username/password, the second being a six-digit code that comes from your phone. It is very unlikely an attacker will have both your username/password and your physical phone, so you can see how this drastically improves the security of your account. Where does the code come from? If you have a smartphone, you can install the “Google Authenticator” application, which computes a new code every 30 seconds from a secret shared with Google during setup and the current time; the code is not random, which is why Google can check it without anything being sent to the phone, and why the old code stops working when the next one appears. If you don’t have a smartphone, Google will send the code by text message or voice call. And if you lose your phone, Google has you covered there too with printable backup codes. To learn more you can read the official blog post, or check out Google’s Help Center.

I’m sure there are more things you can do to lock down your account, but this should give you a solid foundation.

Starcraft 2 Brutal: Complete

Last night I beat Starcraft 2 on brutal mode. Surprisingly it was not as difficult as it sounds. The trick to most levels is to overly protect choke points (block chokes with barracks with bunkers behind with 4-5 SCVs repairing) and not to lose units (always heal up and take a path of least resistance). What’s nice is now I’m sporting the Kerrigan portrait.

Prior to beating the game on brutal, I beat it on hard to obtain all the achievements in campaign mode. So minus the achievements for “The Lost Viking” mini-game and “Hurry Up! It’s Raid Night”, I have earned them all.

Now it’s time to start rocking the multiplayer. I’ll post a small review of the game later; there are some subtle annoyances for this awesome game.

World of Warcraft: Cataclysm Collector’s Edition.

World of Warcraft: Cataclysm Collector’s Edition is now on sale through Amazon. I pre-ordered my copy already. I have been off the crack for over a year now, but am pretty excited for the expansion since they have revamped the world with new landscape, mobs, quests, etc. The expansion also adds two new races, one for Horde (Goblins) and one for Alliance (Worgen). You can even use your flying mounts in Eastern Kingdoms and Kalimdor now. There will be a whole slew of new content, tweaks, gear and a level cap of 85. For more details, check out WoWWiki: Cataclysm.

RSS Woes

I moved my site to a new host (a discussion for another entry) and during the WordPress configuration I set different values for the WordPress Address and Site Address, which is a valid configuration. However, Google Reader was not updating when I posted new entries. My quick solution was to set both addresses to the same value, even though that’s not what I really want, but it will have to do for now. Feeds in Google Reader seem to show up now.

Because you all missed my important topics, I’ll list what you missed:

Free iPhone Case

I received my free iPhone case from Apple. I ordered the Belkin Shield Micra (Clear) using the iPhone 4 Case app. The case I was using prior to the Belkin was the BoxWave ColorSplash iPhone 4 Case (Smoke Grey). The BoxWave case was fine since I only paid $4 for it, but since Apple is so “generously” giving away cases, I figured I’d try the Belkin. A couple people at work have a nifty hard shell plastic case, similar to the Belkin, having the top and bottom portions of the case cut out. The reason for this cutout is so the case will not interfere with docking stations or audio plugs, which is great. Since I only just put the case on, I don’t have any real complaints, but I bet this thing will scratch easily. As for the BoxWave, it will go into retirement.

ATI HD 5770 Drivers

At home I run a Sapphire Radeon HD5770 Vapor-X 1 GB.
My current driver version is 8.660.0.0 and my current version of Catalyst is 2010.0706.2128.36662. The latest version of Catalyst is 10.7 (I assume mine is 10.07). I am a bit behind in my driver version so I thought I would update. As it turns out, the Windows 7 64-bit install crashed on the first attempt (BSOD). I rolled back the driver and tried again. The second time went smoothly, but after the restart, Windows was reporting an incorrect driver and I was forced yet again to roll back. I never had driver issues when I was running on nVidia hardware. I checked the ATI forums, and it appears quite a few people are having issues. Anyone else with a similar setup experiencing issues?

StarCraft 2 CE Unboxing

[Gallery: Starcraft 2 CE Unboxed; Starcraft 2 CE Front; Starcraft 2 CE Back; Starcraft 2 CE Contents; Starcraft 2 CE Contents Closer; Starcraft 2 CE Install Disc]

All pictures shot with the iPhone 4