[liberationtech] What are the secure alternatives to Google Drive?
Neil Blazevic
neilblazevic at gmail.com
Thu Jun 25 08:39:02 CEST 2020
Have a look at https://openappstack.net/ for a method to bootstrap the
launching of a cluster of self-hosted interlinked productivity tools
(RocketChat, NextCloud, OnlyOffice) with centralised user management.
Neil
On Thu, 25 Jun 2020 at 06:00, Julian Oliver <julian at julianoliver.com> wrote:
> In Extinction Rebellion we increasingly use a self-hosted deployment of
> Cryptpad, for simple click-and-go cloud-like document editing and storage,
> encrypted end-to-end. Here's the developer's own deployment:
>
> - https://cryptpad.fr
>
> Cryptpad however doesn't offer a complete replacement for something like
> Nextcloud, which allows for the upload of diverse content/mimetypes (not
> just documents), with click-to-view for video and PDF documents. Nextcloud
> does offer an encryption addon now that is quite interesting, for full
> client-side E2EE:
>
> - https://nextcloud.com/encryption/
>
> I think Nextcloud on an AES-XTS 512bit encrypted filesystem, on a
> sufficiently capable dedicated community-owned host/server, and optionally
> with that same client-side E2EE, is a great solution and is working well
> for the activist communities I support. Files and folders can be shared as
> public links as desired, with optional password protection.
>
> For a further degree of security make it solely available over VPN
> (Wireguard or OpenVPN, on the same host) with your serverside firewall
> (ufw, iptables, etc), passwords in an offline encrypted wallet (KeePass,
> KeePassXC, etc), TLSv1.2 and 1.3 only. Consider containerisation for
> isolation from the underlying filesystem, etc. You may also consider CoLo
> and using epoxy resin to glue the RAM into the slot to mitigate the
> key-theft from RAM (physical) vector.
>
> Globally warm regards,
>
> Julian
>
> ..on Wed, Jun 24, 2020 at 07:20:46PM -0700, Marc Sunet wrote:
> > I'd be interested in learning more about that setup.
> >
> > Something else you could do is to encrypt your files before syncing them
> > with your cloud of choice. But then we're also complicating the
> > situation beyond what an average person would be able to handle.
> >
> > /> The crux of it is a lot of systems, like nest cameras, sacrifice
> > security for simplicity for end users by sticking cloud in the middle to
> > avoid dealing with VPNs or port forwarding, etc./
> >
> > That's a nice way of putting it :) Those guys have in the past shipped
> > cameras with default passwords, for example, which is sacrificing
> > security for simplicity well beyond what is required. You could, for
> > example, have the user go through a one-time setup that creates a random
> > key with which the video is encrypted. Of course, that would mean the
> > company would no longer have access to the video streams anymore and put
> > an end to their surveillance economy, which is probably what they were
> > after to begin with (I can imagine these companies harvesting hours and
> > hours of video to train face recognition software and engage in other
> > such very ethical endeavors.)
> >
> > On 6/20/20 11:45 AM, Yosem Companys wrote:
> > > voss90210 at protonmail.com wrote:
> > >
> > > In my opinion, there is no such thing as a secure cloud. This is
> > > because whatever is on the other end of the connection as well as
> > > what might lie in between is unknown.
> > >
> > > In a best case scenario where you have an encrypted, secure
> > > connection to a cloud system, it is unknown how many people have
> > > access to that system, whether or not it has been breached, etc.
> > >
> > > Additionally, since it is a shared system with thousands or even
> > > millions of other users, each of those users is a potential vector
> > > for breach or other data loss/access.
> > >
> > > As such, we engineer all our systems to be on networks we control
> > > and access them by vpn from offsite. This ranges from such simple
> > > things as surveillance video or access control systems to storage
> > > and other systems.
> > >
> > > Depending on the type of system, they are either at a client's
> > > site and accessed by the client from external places by direct or
> > > VPN access. (systems we build for clients)
> > >
> > > Or with our own systems they are on our sites and accessed either
> > > directly or via VPN.
> > >
> > > If you were setting up something for shared file access, I would
> > > put it on a server you own at a site whose network you control and
> > > then make it accessible to user by putting it in either of the
> > > following places:
> > >
> > > 1) A DMZ with port forwarded access (good for things like web
> > > developers, etc); or,
> > >
> > > 2) The main LAN or a sub-LAN and accessible by VPN from outside.
> > >
> > > The crux of it is a lot of systems, like nest cameras, sacrifice
> > > security for simplicity for end users by sticking cloud in the
> > > middle to avoid dealing with VPNs or port forwarding, etc.
> > >
> > > That ease of initial setup compromises the level of security long
> > > term, so we never do it.
> > >
> > > Is it a bit more hassle? Yes. However, we've never had a breach
> > > in 3 decades.
> > >
> > > If anyone on the list needs help setting up something like this I
> > > can help. It's really easy once you know how.
> > >
> > > I've actually been thinking about developing a "ZeroCloud"
> > > certification and offering it to products with no middle component
> > > as such - a simmering idea at present.
> > >
> > > On Sat, Jun 20, 2020 6:24 PM, fuzzyTew <fuzzytew at gmail.com> wrote:
> > >
> > > git-annex assistant is a gui for git-annex which automates file
> > > syncing using a git repository to store hashes and locations and
> > > history of those things changing.
> > > https://git-annex.branchable.com/ . It's written in Haskell. I
> > > use it manually on the command line which works well enough; I
> > > don't use the daemon or gui but they exist.
> > >
> > > On Sat, Jun 20, 2020, 1:34 PM Yosem Companys
> > > <ycompanys at alumni.stanford.edu> wrote:
> > >
> > > That is the rub, isn't it?
> > >
> > > Thanks for the links, Marc!
> > >
> > >
> > >
> > > On Sat, Jun 20, 2020 5:11 PM, Marc Sunet <msunet at shellblade.net> wrote:
> > >
> > > I do not have experience with this, but my go-to for these
> > > kinds of questions is often privacytools.io:
> > >
> > > https://www.privacytools.io/providers/cloud-storage/
> > >
> > > Currently the only one listed there is Nextcloud (ignore
> > > Keybase, sold to Zoom):
> > >
> > > https://nextcloud.com/providers/
> > >
> > > You can self-host or rent storage. Based in Germany,
> > > GDPR-compliant and all. At the end of the day you're
> > > putting your files in someone else's servers though.
> > >
> > > Marc
> > >
> > > On 6/20/20 10:00 AM, Yosem Companys wrote:
> > >> I am especially interested in secure alternatives to
> > >> Google Drive that are both secure and convenient and in
> > >> your experience with these tools.
> > >>
> > >> Thank you,
> > >> Yosem
> > >> Yosem Companys
> > >> President and CEO
> > >> Techlantis
> > >> M: (650) 796-1205
> > >> A: 2225 East Bayshore Road, Suite 200, Palo Alto, CA 94303
> > >> W: www.techlantis.com
> > >> E: yosem at techlantis.com
> > >>
> > >> To schedule an appointment with me, please visit
> > >> https://calendly.com/yosem.
> > >>
> > > --
> > > GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
> > >
> > > https://emailselfdefense.fsf.org/
> > >
> > > --
> > > Liberationtech is public & archives are searchable from any
> > > major commercial search engine. Violations of list guidelines
> > > will get you moderated:
> > > https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
> > > change to digest mode, or change password by emailing
> > > lt-owner at lists.liberationtech.org.
> > >
> > --
> > GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
> >
> > https://emailselfdefense.fsf.org/
> >
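Added example, not part of the thread or of any project mentioned in it: one way to check the "solely available over VPN" and "TLSv1.2 and 1.3 only" hardening that Julian describes, assuming the Nextcloud instance sits behind nginx and the VPN subnet is 10.8.0.0/24. Both are assumptions, and the two sample configs are constructed.

```python
import ipaddress
import re

ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}

def directives(conf):
    """Yield (name, [args]) for each simple `name args;` directive."""
    conf = re.sub(r"#.*", "", conf)                 # drop comments
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def listen_host(arg):
    """Return the address part of a listen argument, or None for a bare port."""
    if arg.startswith("["):                          # [v6addr]:port
        return arg[1:arg.index("]")]
    host, sep, _port = arg.rpartition(":")
    if sep:
        return host
    return None if arg.isdigit() else arg            # "443" vs "10.8.0.1"

def audit(conf, vpn_subnet):
    """Return a list of findings; an empty list means both checks pass."""
    net = ipaddress.ip_network(vpn_subnet)
    findings, saw_protocols = [], False
    for name, args in directives(conf):
        if name == "ssl_protocols":
            saw_protocols = True
            for proto in sorted(set(args) - ALLOWED_TLS):
                findings.append(f"ssl_protocols enables {proto}")
        elif name == "listen" and args:
            host = listen_host(args[0])
            try:
                inside = host is not None and ipaddress.ip_address(host) in net
            except ValueError:                       # hostname, unix: socket, ...
                inside = False
            if not inside:
                findings.append(f"listen {args[0]} is not bound to a VPN address")
    if not saw_protocols:
        findings.append("ssl_protocols not set; server falls back to defaults")
    return findings

# Constructed sample configs (not from the thread); 10.8.0.0/24 is an assumed VPN subnet.
EXPOSED = "server { listen 443 ssl; listen [::]:443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }"
VPN_ONLY = "server { listen 10.8.0.1:443 ssl; ssl_protocols TLSv1.2 TLSv1.3; }"

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED), ("vpn-only", VPN_ONLY)):
        print(label, audit(conf, "10.8.0.0/24"))
```

The audit only reads the text it is given, so an `ssl_protocols` line inherited from an enclosing `http` block has to be included in the input for the last check to be meaningful.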