Hacker News new | past | comments | ask | show | jobs | submit login

The NSA doesn't care at all if you copy the bits from there drives and publish them. What they care about is if you copy the content and publish that. With the right crypto, the bits would be indistinguishable from random data. There are well established crypto systems that requires any n keys to decrypt. Plug in n=2, and you have a crypto enforced 2 person policy.

If you push decryption to the client (where it should be anyway, don't want plain text over the wires), then even with access to the data center, you cannot get the plaintext.

What I don't think pure crypto can get you is a quota on how much an individual can access.

Also, the fact that a single person can bypass whatever alarm systems they have means that if an external adversary gets root, they are undectable.




> the implied means of power, the threat of force, rather than by direct military force

Sure, right, that's kinda what I implied with my post. As long as I have access to decrypted bytes in memory and I have access to: my eyeballs + pen + paper, then the jig is up.

The TPM+BitLocker scenario would protect the data on the hard disk and prevent offline attacks and would prevent someone from trying to extract the key from the running OS.

> the implied means of power, the threat of force, rather than by direct military force

Ding ding, exactly. That's why I mentioned "Group Policy". At best, you could attempt to restrict user access to the LIVE mounted decrypted data... but at that point you're trusting the client and a dedicated individual would get around it.

You'd almost need this:

Request remotely-stored invididual encrypted file -> Receive it locally -> Decrypt locally.

which would give you a chokepoint to be able to cut off access to the encrypted data, but there are a thousand problems with this scenario as well, just from a technical standpoint.


>the implied means of power, the threat of force, rather than by direct military force

What is this quote?

>Request remotely-stored invididual encrypted file -> Receive it locally -> Decrypt locally.

Is there any reason you wouldn't want to do it this way. Aside from the security benifits of having the data be in plain text for as little as possible (and eliminates a centralized point of failure), this also offloads CPU resources to the local computer, which is a win from a purely efficiency standpoint as well.


>What is this quote?

Sigh, no idea how that slipped onto my clipboard. I was looking up a good "hegemony" definition for an unrelated discussion. Sorry about that. I meant to reference the line in your post, but it's not important.

>Is there any reason you wouldn't want to do it this way

Hm, so I didn't spend a ton of time thinking about it, but it doesn't seem conventional to me and thus I'm inclined to think there's probably something "bad" obviously... but I'm not sure.

It seems like it would be hard to have work "properly", in terms of actual day-to-day usage. For example, what if I really do need to access hundreds of 1GB files all day? Or a thousands of tiny files? Or one massive file? Etc.

Additionally, you'd lose any advantage of having plain-text on server, like potentially losing collaborative editting/viewing, etc.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: