[liberationtech] What are the secure alternatives to Google Drive?
Julian Oliver
julian at julianoliver.com
Thu Jun 25 04:55:40 CEST 2020
In Extinction Rebellion we increasingly use a self-hosted deployment of
Cryptpad, for simple click-and-go cloud-like document editing and storage,
encrypted end-to-end. Here's the developer's own deployment:
- https://cryptpad.fr
Cryptpad however doesn't offer a complete replacement for something like
Nextcloud, which allows for the upload of diverse content/mimetypes (not just
documents), with click-to-view for video and PDF documents. Nextcloud does offer
an encryption addon now that is quite interesting, for full client-side E2EE:
- https://nextcloud.com/encryption/
I think Nextcloud on an AES-XTS 512bit encrypted filesystem, on a sufficiently
capable dedicated community-owned host/server, and optionally with that same
client-side E2EE, is a great solution and is working well for the activist
communities I support. Files and folders can be shared as public links as
desired, with optional password protection.
For a further degree of security make it solely available over VPN (Wireguard or
OpenVPN, on the same host) with your serverside firewall (ufw, iptables, etc),
passwords in an offline encrypted wallet (KeePass, KeePassXC, etc), TLSv1.2 and
1.3 only. Consider containerisation for isolation from the underlying
filesystem, etc. You may also consider CoLo and using epoxy resin to glue the
RAM into the slot to mitigate the key-theft from RAM (physical) vector.
Globally warm regards,
Julian
..on Wed, Jun 24, 2020 at 07:20:46PM -0700, Marc Sunet wrote:
> I'd be interested in learning more about that setup.
>
> Something else you could do is to encrypt your files before syncing them
> with your cloud of choice. But then we're also complicating the
> situation beyond what an average person would be able to handle.
>
> /> The crux of it is a lot of systems, like nest cameras, sacrifice
> security for simplicity for end users by sticking cloud in the middle to
> avoid dealing with VPNs or port forwarding, etc./
>
> That's a nice way of putting it :) Those guys have in the past shipped
> cameras with default passwords, for example, which is sacrificing
> security for simplicity well beyond what is required. You could, for
> example, have the user go through a one-time setup that creates a random
> key with which the video is encrypted. Of course, that would mean the
> company would no longer have access to the video streams anymore and put
> and end to their surveillance economy, which is probably what they were
> after to begin with (I can imagine these companies harvesting hours and
> hours of video to train face recognition software and engage in other
> such very ethical endeavors.)
>
> On 6/20/20 11:45 AM, Yosem Companys wrote:
> > voss90210 at protonmail.com wrote:
> >
> > In my opinion, there is no such thing as a secure cloud. This is
> > because whatever is on the other end of the connection as well as
> > what might lie in between is unknown.
> >
> >
> >
> > In a best case scenario where you have an encrypted, secure
> > connection to a cloud system, it is unknown how many people have
> > access to that system, whether or not it has been breached, etc.
> >
> >
> >
> > Additionally, since it is a shared system with thousands or even
> > millions of other users, each of those users is a potential vector
> > for breach or other data loss/access.
> >
> >
> >
> > As such, we engineer all our systems to be on networks w control
> > and access them by vpn from offsite. This ranges from such simple
> > things as surveillance video or access control systems to storage
> > and other systems.
> >
> >
> >
> > Depending on the type of system, they are either at a client's
> > site and accessed by the client from external places by direct or
> > VPN access. (systems w build for clients)
> >
> >
> >
> > Or with our own systems they are on our sites and accessed either
> > directly or via VPN.
> >
> >
> >
> > If you were setting up something for shared file access, I would
> > put it on a server you own at a site whose network you control and
> > then make it accessible to user by putting it in either of the
> > following places:
> >
> >
> >
> > 1) A DMZ with port forwarded access (good for things like web
> > developers, etc); or,
> >
> > 2) The main LAN or a sub-LAN and accessible by VPN from outside.
> >
> >
> >
> > The crux of it is a lot of systems, like nest cameras, sacrifice
> > security for simplicity for end users by sticking cloud in the
> > middle to avoid dealing with VPNs or port forwarding, etc.
> >
> >
> >
> > That ease of initial setup compromises the level of security long
> > term, so we never do it.
> >
> >
> >
> > Is it a bit more hassle? yes. However, we've never had a breach
> > in 3 decades.
> >
> >
> >
> > If anyone on the list needs help setting up something like this I
> > can help. It's really easy once you know how.
> >
> >
> >
> > I've actually been thinking about developing a "ZeroCloud"
> > certification and offering it to products with no middle component
> > as such - a simmering idea at present.
> >
> >
> >
> > On Sat, Jun 20, 2020 6:24 PM, fuzzyTew fuzzytew at gmail.com
> > <mailto:fuzzytew at gmail.com> wrote:
> >
> > git-annex assistant is a gui for git-annex which automates file
> > syncing using a git repository to store hashes and locations and
> > history of those things changing.
> > https://git-annex.branchable.com/ . It's written in Haskell. I
> > use it manually on the command line which works well enough; I
> > don't use the daemon or gui but they exist.
> >
> > On Sat, Jun 20, 2020, 1:34 PM Yosem Companys
> > <ycompanys at alumni.stanford.edu
> > <mailto:ycompanys at alumni.stanford.edu>> wrote:
> >
> > That is the rub, isn't it?
> >
> > Thanks for the links, Marc!
> >
> >
> >
> > On Sat, Jun 20, 2020 5:11 PM, Marc Sunet msunet at shellblade.net
> > <mailto:msunet at shellblade.net> wrote:
> >
> > I do not have experience with this, but my go-to for these
> > kinds of questions is often privacytools.io
> > <http://privacytools.io>:
> >
> > https://www.privacytools.io/providers/cloud-storage/
> >
> > Currently the only one listed there is Nextcloud (ignore
> > Keybase, sold to Zoom):
> >
> > https://nextcloud.com/providers/
> >
> > You can self-host or rent storage. Based in Germany,
> > GDPR-compliant and all. At the end of the day you're
> > putting your files in someone else's servers though.
> >
> > Marc
> >
> > On 6/20/20 10:00 AM, Yosem Companys wrote:
> >> I am especially interested in secure alternatives to
> >> Google Drive that are both secure and convenient and in
> >> your experience with these tools.
> >>
> >> Thank you,
> >> Yosem
> >> upload image
> >> Yosem Companys
> >> President and CEO
> >> Techlantis
> >> M: (650) 796-1205
> >> A: 2225 East Bayshore Road, Suite 200, Palo Alto, CA 94303
> >> W: www.techlantis.com
> >> <https://links91.mixmaxusercontent.com/5e196044087550002eab97f3/l/hDocLS2q2TACIvzCZ?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>E: yosem at techlantis.com
> >> <https://links93.mixmaxusercontent.com/5e196044087550002eab97f3/l/e1udm8hBF3C2VlXO6?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>
> >>
> >> facebook
> >> <https://links99.mixmaxusercontent.com/5e196044087550002eab97f3/l/tc0Uk7cSRurJaoZuR?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>twitter
> >> <https://links96.mixmaxusercontent.com/5e196044087550002eab97f3/l/5165ajlvujazJwVER?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>linkedin
> >> <https://links93.mixmaxusercontent.com/5e196044087550002eab97f3/l/KhnRbbZdCgXpqu7XQ?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>instagram
> >> <https://links92.mixmaxusercontent.com/5e196044087550002eab97f3/l/R2iYVxKGEuM3wMK1Z?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>
> >>
> >> To schedule an appointment with me, please visit
> >> https://calendly.com/yosem
> >> <https://links96.mixmaxusercontent.com/5e196044087550002eab97f3/l/UviUOQK15QPwceB43?messageId=I2xvmGl8Q8peKArlr&rn=gIUxkI&re=IyZy9mLoNWZ052bpRXYyVmYpxmLzR3cpxGQ0xmI&sc=false>.
> >>
> >>
> >>
> >>
> > --
> > GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
> >
> > https://emailselfdefense.fsf.org/
> >
> > --
> > Liberationtech is public & archives are searchable from any
> > major commercial search engine. Violations of list guidelines
> > will get you moderated:
> > https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
> > change to digest mode, or change password by emailing
> > lt-owner at lists.liberationtech.org
> > <mailto:lt-owner at lists.liberationtech.org>.
> >
> --
> GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
>
> https://emailselfdefense.fsf.org/
>
> --
> Liberationtech is public & archives are searchable from any major commercial search engine. Violations of list guidelines will get you moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe, change to digest mode, or change password by emailing lt-owner at lists.liberationtech.org.
More information about the LT
mailing list