Is the cloud unsafe?

Topic

New Reply

ON SECURITY By Susan Bradley Using the cloud isn’t always a bad thing. During this year of the pandemic, we’ve pivoted from doing many things in perso
[See the full post at: Is the cloud unsafe?]

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

a0395335, Perq, abbodi86

Reply | Quote

Replies

As Susan writes in the main article:

“Ultimately, it comes down to trust. We clearly need to do a better job asking that vendors be more transparent in how they protect and secure our data. Identity theft doesn’t occur because data is stored in the cloud; it occurs because data isn’t stored securely in the cloud.”

Problem is, not all those offering Cloud services, particularly the big ones, such as MS with Azure, have a great record that creates trust in appreciably quantities. Trust is an earned attribute, not one gained just by being around.

The Internet and the Web riding on top of it have made many things possible, indeed: I do considerable part of my banking over the Internet,  buy my groceries while self-isolating for  most of the last 12 months over the Internet, connecting to Amazon and Instacart, for example. And buy books, movies and large kitchen sponges and special soap on line. Wine too. All that is very convenient and keeps me off the streets at a time when it is best not to go to where many people go, at least not as much as I used to. I keep in touch with colleagues and friends with email, I participate in teleconferences, I telecommute via VPN.

Then, on the flip side, there is all the cyber crime, the stealing of personal identifiable information from Cloud servers: mine, for example, was stolen, years ago, from a government site, where it was placed so the FBI could veto me as being fit to get my NASA badge renewed (along with everybody else, mine was not a special case, if you were guessing whether it was). Isn’t that interesting?

So I submit that the Internet, the Web and the Cloud are both very useful and also rather dangerous to its users: altogether forming a two-edged sword that cuts both ways.

Now, back in the late 90s, I once watch a TV interview to a leading light of Silicon Valley. That he was a leading light was proven right away by his being dressed in an expensive silk kimono (this man was not Japanese), strolling around in his very large backyard made into an imitation Japanese park with a little arcing bridge over a little stream, sakura trees not yet in bloom, but that will come with springtime, and a patch of ground covered with stones raked into swirls, Zen-style.

He was a very wealthy man, but not exactly a charming one. In fact, he was an arrogant, self-infatuated character that I could see no reason to like, but who said something so appalling that I would never forget. He said to his fawning interviewer in answer to a meandering question about privacy in the age of the Internet:

“You have no privacy anymore. Get used to it!”

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

4 users thanked author for this post.

wdburt1, doriel, David F, erbkaiser

Reply | Quote

I always use robust passwords.

Recently, someone sent bogus emails, alleging to be me, using my email address, to friends and business associates.  I researched and found that my email address had been listed (but not with my password) in some big-Tech data breaches.

I have wo questions:

 

1.  Is it possible for someone to do that even if they don’t know the password?
2.  What are your recommendations for VPN providers.  I do not currently use VPN.

 

Reply | Quote

Answering to (1)  If, as you might suspect, the answer is “NO”, the only explanation would be that a computer you are using, or have used, has been compromised and someone who got that way your password, also obtained the email address from the breach you mentioned, or directly from your computer. The former is an unlikely thing to happen, the second is more likely, but as your problem is as unlikely as is unfortunate, either explanation seems plausible.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

Answering to (1)  If, as you might suspect, the answer is “NO”

The answer is in fact a resounding “YES”.

3 users thanked author for this post.

Perq, wavy, Ascaris

Reply | Quote

Spoofing of email addresses is a common occurrence.  Only thing you can do about that is one of three things

1. Change your password
2. Create new email acct.
3. Be selective in the future about websites and people you give your email address to.

Reply | Quote

FrumpyNub: Now you’ve got me curious about this: how does someone “spoof” an email account with the email address, but without the email account password?

ktephens43 wrote that her password was not stolen with the address that was used to send “hers” fake emails. From her mentioning the password at all, it seems to me that, as she sees it, those “spoofed” emails were sent from her very own account with either her ISP, or her mail provider (if, as in my own case, they are not one and the same).

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

Now you’ve got me curious about this: how does someone “spoof” an email account with the email address, but without the email account password?

HOW TO FAKE AN EMAIL FROM ALMOST ANYONE IN UNDER 5 MINUTES

2 users thanked author for this post.

ClearThunder, OscarCP

Reply | Quote

So the only defense is to check the full headers of the message, to see where it really came from, information that is somewhere, in the long series of entries there, each for one of the steps the message took in its journey along the Internet to get finally to you.

But if someone’s girlfriend, lets say, gets a message “from xxx”, meaning “your beloved”, that tells her: “You are a horrible person.  I don’t know why I have put up with you for this long. I don’t  love you, in fact not even like you and don’t want to see you ever again. So don’t even think to come whimpering to darken my doorstep, as usual.”, is she going to check the headers to see if it is really from her, until now, beloved one?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

is the cloud safe? Does the east coast pipeline work?

2 users thanked author for this post.

ClearThunder, OscarCP

Reply | Quote

They didn’t hack the cloud, they hacked on premise control machines. They went through the cloud for sure. Let’s face it if you have Internet access we are all “on the cloud”.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Indeed. Initially an actual picture of a cloud was used as a representation of the internet, and that was how it got its name. Any access to the internet creates a bigger attack surface than anything local, but it’s like driving (or riding in) cars and so many other things… we realize it is inherently dangerous, but we accept it as a price of modern life.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

Reply | Quote

The “Cloud” may be different things to different people, but I would prefer to concentrate on the “Cloud” as the setup whereby people keep their important stuff in someone else’s servers, somewhere, and uses software available also there, to make calculations also there for whatever they need to do, or fancy doing.

At a “somewhere” that seems to be burglarized more frequently as time goes by, sometimes in an epic scale, where the spoils, among other things, usually include personal identifiable information (PPI) of the users of the “Cloud” service so despoiled. PPI that is then sold to all kind of criminals to take advantage of it, or by the burglars themselves to do that, either way often to the pain and sorrow of some users. Susan is right that the “Cloud” is not the reason for this, but poorly defended sites are. However, if there were no “Cloud”, there would be no security problems associated with it. Chicken or egg?

At any rate, the “Cloud”, in its broadest meaning, is something that is now part of what we need to use to do important and even commonplace  things in our daily lives, in the world of the 2020’s. So we are stuck with it, to a lesser or greater extent, depending on how cautious — and how lucky — we are. I may not “be” in Facebook, letting all hang out there for the world to admire, but someone else who knows me, or of me, might be posting personal information about me there and I could be quite unaware of it.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Hmm … it should have been ‘PII’ there, not ‘PPI’. Before someone corrects me …

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

There must be downside for all these incredible tools and systems we use today. Its amazing how globally things can work today in matter of tens of miliseconds. Its a profit-driven industry, to make information available worldwide.
The “unsecurity” is the price we pay. I am not so educated, so I really do not know how things are secured and protected. But Im not naive and I know, that there must be weak points in the security. I am only enthusiast and occasional programmer, I dont really know, if servers are hashed (encrypted), so you cant “mine” the data, but it seems to me, that most of systems are weak. I see often articles about data leaked, passwords stolen ad so. Some part of that is caused by users giving away their credetials where they shouldt. Cant tell what percentage it is.

In the past, banks were sweet spots fot thieves – gold concertated in one place. In today age, when banks really dont have any physical gold available (and protection is on high level), thieves are targetting data – clouds.

I dont prefer to store my data on “someone elses computer” (cloud), I still use old fashion local backups. I dont need smart watch, that shows my pulse and records when I sleep. I consider the risk, if someone “hacks” my account, I dont want someone to know all about my life. Where I am at the moment, or when I usually sleep.
People using this gadgets must understand, that there exist some risk. Its like driving car, nobody can guarantee, that you wont crash and die. Its just a matter of probability. I can live without personal data on the internet. And if someone wants to see my photos from the vacation, go ahead, I have nothing to be ashamed.

When personal data are put on the internet (government databases), they should be protected as gold in the bank. Not to be stored on the cloud on multiple datacenters.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

1 user thanked author for this post.

OscarCP

Reply | Quote

Putting your important and/or private personal stuff in the cloud is simply putting it on someone else’s computer. Period. Their computer may have more security than your own personal computer. But, their computer may also be a much greater target for hackers interested in having your private personal stuff.

I keep my all valued information on my own personal computer, and, I do all I can to keep others out. If you don’t know how to keep your computer from being compromised and you don’t practice diligence in that end, then you may as well upload it to the cloud, because it may have more protection there than on your own computer. This ain’t rocket science. It is common sense, which seems to be in rather short supply these days.

 

5 users thanked author for this post.

wavy, NaNoNyMouse, doriel, OscarCP, wdburt1

Reply | Quote

I think I’ve said this or something similar before.  The Cloud is a bunch of computers that you don’t own, can’t see, and have no control over.  It’s why I refuse to use the cloud for data storage or backup.

"War is the remedy our enemies have chosen. And I say let us give them all they want" ----- William T. Sherman

2 users thanked author for this post.

oldfry, OscarCP

Reply | Quote

Depends on what safe means, I guess.  I use online storage for a few things I let others access but they’re files and videos with copies I keep locally.

Some phone culture denizens have everything online and don’t worry because they have apps to send notifications when cards or accounts are compromised.  Which is a lot like relying on On Star to call for help after you crash instead of driving attentatively.  The real costs, which go on and on, of either folly can be rather large.

Would I trust my finances to some leased cloud some weird online “bank” with a name like Bankarooster or Greenbackerly that charges insane fees and sells all my info?  Sure, when purple cows can really fly.

1 user thanked author for this post.

OscarCP

Reply | Quote

Ms Bradley mentioned Google and their 2-factor authentication. What happens if, for example, you try signing into a gmail account with your smart phone? Will Google send a code to that smart phone? If so, that seems to at least partially negate the security of the 2-factor method. I think many people check a gmail account when they’re out and about making sending a code to another device impractical. Are you just going to have tell Google that your phone is a trusted device? That seems somewhat pointless as well since a computer locked in my home is presumably more secure than a phone I’m carrying since the phone is probably more likely to be stolen or lost.

These may be dumb questions but I’m sure I’ll be asked them and I didn’t see much useful information on the Google web pages describing their 2-factor authentication.

Reply | Quote

What happens if, for example, you try signing into a gmail account with your smart phone? Will Google send a code to that smart phone?

I use google account. I ma informed immediatelly on my email, when my account is being accessed (from another device). For example if I log to new computer, on my phone email arrives. This emais asks, if I recognize this activity = logging into new device (PC, tablet, phone).

Email contains link to check your active devices. You can see them, you can delete them, thus disconnecting them from your account.

You can also manage your security setup from that link.
You can set 2FA – google will send a SMS with code to proceed when logging in with password.
There is also possibility to validate your login with phone, istead of entering password – I dont use this, so I dont really know how it works in reality.

Sorry for czech email, but you will get the idea. The email says, that my account has been accessed from Zebra MC33 device and button “Check this activity”.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

1 user thanked author for this post.

DrBonzo

Reply | Quote

I understand what you’re saying but what if I’m not close to two devices? If I’m out walking around town and I want to log in to gmail from a smart phone, it seems that Google would have to send a code to that smart phone in order for me to be able to log in at that time. But sending the code to the same phone I’m trying to log in with defeats the purpose behind 2 factor authentication.

I’m sure I’m missing something here because I’m sure Google doesn’t really expect me to carry a smart phone and a computer with me everywhere I go. And even if I did, I’d have to connect my computer to public wi-fi, which is certainly not secure.

Reply | Quote

Hi, @DrBonzo.

I’m out walking around town and I want to log in to gmail from a smart phone, it seems that Google would have to send a code to that smart phone in order for me to be able to log in at that time. But sending the code to the same phone I’m trying to log in with defeats the purpose behind 2 factor authentication.

I think its not that way you understand it. You add the telephone number to your account for security, and THAT is where all SMS are delivered.
If you log into different device (mobile phone), your authentication SMS still comes to your primary device, so you have full control of what happens with oyr account. I would definatelly not log to public network and access my emails or internet banking.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

1 user thanked author for this post.

DrBonzo

Reply | Quote

OK. So I add a smart phone telephone number to my account for security, and that smart phone is where all SMS are delivered. What happens if I try to log into my gmail account with the smart phone where all SMS are delivered? It seems as though the smart phone I’m trying to log in with will also get an SMS, and that seems to make the 2-factor authentication useless. It seems that in order for 2-factor authentication to work I need 2 smart phones (or 1 smart phone and one computer).

There must be some other way to validate or authenticate the smart phone I’m trying to log in with.

(I hope it doesn’t seem as though I’m arguing with you. I’m just trying to understand how this will work. 🙂

1 user thanked author for this post.

doriel

Reply | Quote

No argue, I take this as a pure conversation, my friend.

What happens if I try to log into my gmail account with the smart phone where all SMS are delivered?

The thing is, that you are probably already logged in to your gmail account on that telephone. I understand your point, but this is very specific case. You are trying to access your account from your device. It does not make 2FA useless, its just very specific case of 2FA.

0. Create account
1. Log in to your account with mobile phone
2. Enter your mobile number and set 2FA
3. Your phone is your primary device now
4. When you log to your account on another PC (or mobile), SMS will arrive on the primary phone
5. Log to the second device for the case, that you lost your primary mobile phone ad you need it to lock it remotly.

You certainly need at least one mobile phone (telephone number) for 2FA. Other devices are validated by SMS sent to your primary phone. Once you are logged in, it works towards the future.

I see one downside still. If someone stoles your phone and SMS arrives, SMS is displayed even on the locked screen, if thief does not know the code for unlocking the phone. So unless you block your device remotly (from second device), you may be in trouble. But for accessing your account, the attacker still needs password AND sms code. Its safe I think, unless you use unsecured networks.

I also use ZOHO account (emails, tasks, sharing), which is awesome by the way, and I use 2FA also for this account. When I log to a new device, SMS arrives on my PRIMARY telephone and I must validate the login. Then I also can set the ZOHO to trust my device for 180 days, so I wont be asked for SMS code on that device for another half year.

Approaches are vaious, but the security is still mostly matter of the user. Software provides some options, but we need to be carefull.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

1 user thanked author for this post.

DrBonzo

Reply | Quote

So if you make your smart phone your primary device, then when you log in to gmail with that smart phone an sms is sent to that phone. You enter the code and you get logged in.

That’s better than absolutely no 2-factor authentication but yo better not lose your smart phone.

Thanks for your help.

Reply | Quote

Uh, never use a phone for two factor.  If it’s Android, Google knows who you are anyway; all Google stuff is linked and online if you’re logged into your account, so giving them your phone number doesn’t matter, they have it but now they can do even more with it.

You can always use an email that’s been out there forever, the one all the Nigerian Princes with lots of money spam.  GMail! Yay, that’s all it’s good for.  An alias is nice, too, Google knows, no one else does.

If not Google, you’ve just linked your cell and everything Google to someone else.

I have a home phone with a base that costs $10 per month; that’s the number I give out if needed; otherwise it’s a black hole call blocker.

Cell Phones are not secure or private, they’re regulated differently than computers since almost everything they do uses long distance radios.

1 user thanked author for this post.

oldfry

Reply | Quote

Understanding the difference between various types of cloud computing and identifying which one is the right fit for a growing business.

Reply | Quote

In the very early days of “The Cloud”, there was a magazine called “Networking”. In general, for anything to be considered safe and reliable, it had to be:

1. At least co-located (the more locations, the merrier, and more costly)
2. Mirrored locations had to be a good geographical distance away from each other*
3. Mirrored on a near-real time basis
4. Have the security of Fort Knox

*(If one location went down/under water/burned down/hit by a nuke, you could count on a “Mirrored Server somewhere else on Earth)

Unfortunately, the magazine collapsed under the weight of “The Cloud,” and now it seems to mean, “Your stuff on someone else’s hard drive,” or whatever the company trying to sell you on their bucket out there wants it to be.

Security? “Hey, we just rent the bucket, pal, security is YOUR problem!”

(OK, the last may be an extreme…but I’ve seen it.)

“Standards are great…everybody has one.”

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

Reply | Quote

Nibbled To Death By Ducks wrote:

(If one location went down/under water/burned down/hit by a nuke, you could count on a “Mirrored Server somewhere else on Earth)

…. On the other hand if you were based near nukeville, you wouldn’t have to worry where or which cloud your stuff landed.

Personally,I have no problem using iCloud to store photos. Docs and other sensitive material goes to the totable USB flash. A strong password for the cloud and being careful what you plant there is key to staying safe. IMO

MacOS, iOS, iPadOS, and SOS at times.

Reply | Quote

A strong password for the cloud and being careful what you plant there is key to staying safe.

I always wondered, if cloud hosters (those who manage our cloud data) are able to see our data. They promise they cant see our data, but how is it possible, that our email addresses and other data (browsing history for example) are sometimes sold to third parties?

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

doriel wrote:

I always wondered, if cloud hosters (those who manage our cloud data) are able to see our data.

We are always taking that chance in this digital day and age. I look at it this way, if my photos are that interesting to anyone managing my data they must not have much going on at their side of the fence. I don’t worry much. The latter just makes for a short life. 🙃

MacOS, iOS, iPadOS, and SOS at times.

1 user thanked author for this post.

OscarCP

Reply | Quote

Well, yeah, they tell you that in the fine print of the obfuscation clauses.  Encryption only gives you some storage privacy if what you sent is encrypted at rest.  Unless a provider clearly states so, assume No.

Sarcasm aside, it is possible to find services that are completely private but ya’ gotta search.

Reply | Quote

Google 2FA saved me from having my Gmail account hacked by some unknown person in Ecuador.  Use it!

See this thread on Ask Woody.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

1 user thanked author for this post.

doriel

Reply | Quote

Ecuador, or some VPN maybe.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

GMail sends messages to me from my email address but it’s neither me nor my account, just my name.  I have GMail only to keep Google chasing its tail.  My real email is a good subscription service, not that Outlook/Hotmail/MSN farce, either!

Public email is very, very easy to mess with.

Reply | Quote

doriel wrote:

I always wondered, if cloud hosters (those who manage our cloud data) are able to see our data.

Yes, they do, unless you encrypt your data before syncing/uploading.

How to Tell If Your Cloud Provider Can Read Your Data

2 users thanked author for this post.

oldfry, doriel

Reply | Quote

What about documents on one drive personal vault?  That’s encrypted & I am assuming it’s safer than other cloud storage or non-encrypted documents I have on one drive, like recipes.

Reply | Quote

Are you sure, data on Personal Vault are encrypted? Encryption is not mentioned here.
It says only strong authentication.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

No I’m not sure I probably use the wrong wording. I’d have to go back and re-read what MS says about it, thanks.

Reply | Quote

Encryption basically means.

Data encryption is a security method where information is encoded and can only be accessed or decrypted by a user with the correct encryption key. Encrypted data, also known as ciphertext, appears scrambled or unreadable to a person or entity accessing without permission.

Bitlocker is example of encryption. If someone stoles your HDD/SSD, he cant read the data, unless he knows this alphanumeric 48 digit key.

I would like to belive that your data are encrypted annobody but you can read it. But I really doubt about this. I think cloud providers can actually read your data. Im only assuming too. Maybe Microsoft is just not telling, if data are encrypted or not.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

I think you are correct the data is not encrypted.  MS can see my data or a perhaps a rogue employee…….

It is also hackable – certainly not as safe as encrypted data.  I read that personal vault data is encrypted with bitlocker when accessed via computer but not when accessed via the cloud such as my iPad

I need to take a good hard look at what I’m storing in my personal vault. Thanks.

Reply | Quote

All OneDrive files are encrypted in the cloud, but Personal Vault uses additional BitLocker protection for your local copy:

BitLocker-encryption – On Windows 10 PCs, OneDrive syncs your Personal Vault files to a BitLocker-encrypted area of your local hard drive.

How OneDrive safeguards your data in the cloud

2 users thanked author for this post.

dmt_3904, doriel

Reply | Quote

Boxcrytor is trying to sell cloud services but I think all that they are saying is true. As with everything there are risks. Some services are more secure than others.
https://www.boxcryptor.com/en/blog/post/onedrive-personal-vault-security/

Microsoft advertises the OneDrive Personal Vault with the fact that the data in it is even more securely encrypted in addition to the 2-factor authentication. However, as we have often pointed out, there are different types of encryption, and very few of them completely prevent third parties from accessing your data. An example: All common cloud providers encrypt user data in transit and at rest. The problem with this type of encryption:

It is not continuous (there are times when the data is not encrypted)
With this type of encryption, you send the data unencrypted to Microsoft and Microsoft then encrypts the data for you. In other words: Whoever encrypts the data, has the encryption keys and can therefore decrypt it again if necessary.
The additional encryption in the OneDrive Personal Vault consists of the additional storage of Vault data in a Bitlocker-encrypted area of your local hard drive. In the cloud, however, the data is not additionally encrypted, but only protected by the second factor.

Who can theoretically still access your data in the OneDrive Personal Vault:

• Microsoft
• Microsoft’s employees
• Third parties to whom Microsoft grants access (according to the American CLOUD-Act, for example, providers are obliged to release user data on request of the American authorities).
• Hackers that gain access to your OneDrive Personal Vault

Reply | Quote

DrBonzo wrote:

That’s better than absolutely no 2-factor authentication but yo better not lose your smart phone.

But your smartphone is secured by FaceID or/+ pin and you can wipe it remotely if lost.

1 user thanked author for this post.

DrBonzo

Reply | Quote

So, what are your thoughts on putting my KeePass database on One Drive? I am not really that comfortable, or trusting, but I am not an expert either.
Thanks for sharing your wisdom.
Jimmy

Reply | Quote

If you use a secure password (18+ chars and variation) then your database is only accessible via guessing (brute force). This is not likely to happen in less than several centuries, so you could actually put the database on a public web site with big arrows advertising it.

OneDrive (or other cloud) should only ever be a backup. Preferably one of several.
If you use a cloud based password manager (Robocopy etc) you should make a local backup of the data.

cheers, Paul

Reply | Quote

I use Strongbox,  a keepass db. I had the same question as you and asked the developer –  this was his response:

Yes, for sure, it’s a good idea always to have a back somewhere or even in multiple locations, for example I email a copy of my database to myself every now and then but it’s also nice to have a copy made on Dropbox or on a USB key which I store physically. I’m sure you can think of good locations just in case. OneDrive sounds like a good option.
>
> Your assumption is also 100% correct, the security is based on encryption and not on where the file itself is located 🙂
>

Reply | Quote

Is the cloud safe? No. The cloud greatly expands the attack surface for your private data to be compromised. On the other hand, the cloud can be convenient. The trick is to use the cloud judiciously. I selected those cloud providers that don’t have the encryption keys at their site to decrypt your data, just an account username & password to derive the key which is used only locally on your own device. Second, before putting any private data in the cloud, I encrypt it myself locally, and keep my decryption key away from the cloud. So, my private data is encrypted at least twice on cloud storage.

One result is the use of smaller cloud providers that match my encryption requirements. A second result is using a safe deposit box to recover from all of this if my flat burns down. Even if thieves steal my box at the bank, the passwords are all encrypted and not written down. The only way I can loose everything is if the cloud provider, my flat, and the bank all get nuked together. I just have to remember three passwords: the password manager, the password to the encrypted disk the password manager lives in, and a password to my local only encryption key. So all the passwords are double encrypted as well in the bank’s safe deposit box.

Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

Reply | Quote

anonymous wrote:

Would I trust my finances to some leased cloud some weird online “bank” with a name like Bankarooster or Greenbackerly that charges insane fees and sells all my info? Sure, when purple cows can really fly.

We just watched a fascinating show on PBS about Tetsuya Theodore Fujita who among other things developed the Fujita scale “as a means to differentiate tornado intensity and path area”. Among the videos of tornados I did see one that shows cows really can fly, but the video was in black and white so I cannot say if this particular cow was purple.

https://www.pbs.org/wgbh/americanexperience/features/mr-tornado-ted-fujita/

Reply | Quote

I wanted financial software to replace my QB, which is expiring and I do not want to renew.  All financial software requires that you provide bank account number/financial data and passwords!!! 😬😧 Yeah really, when purple cows fly🤣🤣

I am happily using an excel file.

Reply | Quote