At 12:05 PM -0500 12/23/2008, Dan wrote: >At 9:33 AM -0500 12/23/2008, Tom Coradeschi wrote: >> >And yet their FAQ also describes getting access to your data even >>>after your computer has been destroyed. They even have you call >>>Support to have them manually give you access... >> >>Correct. However, as I stated, if you lose or forget your decrypt key >>(assuming that you don't use the default, which is the same as your >>login password), you are totally out of luck. >> >>http://support.mozy.com/docs/en-user-home-mac/faq/concepts/commissue_lost_key_c.html > >"Unfortunately, your data is inaccessible without >the correct encryption key. Since you chose to >use your own private key, we do not have access >to your data [...] Remember to choose a private >encryption key that you will not forget, or use >Mozy?s own encryption key." > >Ok... So *by default* the data is encrypted with >THEIR key. So it is only secure *IF* *every* one >of their employees is to be trusted AND they >don't screw up and release their private key. >Likewise, if you chose your own key, it is still >only secure IF they don't screw up and let your >data be grabbed by someone willing to spend the >computer power to brute force it.
Brute force cracking for 256-bit AES is non-trivial. And someone wants to spend those kind of resources decrypting pictures of my kids and a bunch of excel spreadsheets depicting the pitiful state of my bank account? > >...Don't fall into the "but brute force takes >years" trap: it doesn't. If the data is worth >having the cracker will do his homework to create >a characterized attack, thus greatly reducing the >possible key set. Agreed. See above. > >> >It may be that there is some magic secure way of doing all this, that >>>they're just not talking about. But ... still, they're an unknown >>>3rd party... >> >>A pretty well known 3rd party, actually. And, as noted, review the above FAQ. > >Well known if you follow the historica a bit, I >guess. EMC begot Decho in November 2008, and >took over Mozy. That puts two layers of >abstraction between the customer liability and >EMC (a publicly traded company). Mozy is based >in Utah -- so BE CAREFUL as to the type of data >you put there. hum. Their domain registration >address doesn't match their business address. Neither does my employer's. > I >don't see any bonding information posted for them >- not necessarily a bad thing; some companies buy >the bond but don't post its details public.) > >Sorry. My original opinion still stands: >Trusting a 3rd party with your data is an >unnecessary security risk. It is far less safe >than a trusted friend/relative's sock drawer. My original opinion still stands as well. I think, at this point, that we can agree to disagree. The user makes the final decision in any case. -- tom coradeschi [email protected] --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to Low End Mac's iMac List, a group for those using G3, G4, G5, and Intel Core iMacs as well as Apple eMacs. The list FAQ is at http://lowendmac.com/imac/list.shtml and our netiquette guide is at http://www.lowendmac.com/lists/netiquette.shtml To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/imaclist?hl=en Low End Mac RSS feed at feed://lowendmac.com/feed.xml -~----------~----~----~----~------~----~------~--~---
