Stop leaving private data in the cloud
Online file-syncing services such as Dropbox, Google Drive, and SkyDrive are among the best innovations to grace the Internet. But while the convenience of viewing your latest photos on Dropbox or of pulling text documents from iCloud may be fantastic, much of your data sits unencrypted on those company servers.
That means your data is available to law enforcement officials who obtain the right paperwork, regardless of how little objective justification they have for looking at your stuff. And any well-informed hacker can break into your account by using social engineering techniques, by discovering weaknesses in a company's server security, or by conducting a brute-force attack that tries to guess your password.
For sensitive data that you need to sync across devices, a better alternative is to use an encrypted cloud storage service. You can build one yourself by encrypting data on your PC before sending it to Dropbox, using free software such as BoxCryptor or the open-source TrueCrypt.
A far simpler method, however, is to find a file-syncing service that offers built-in storage encryption.
Two popular encrypted storage services are SpiderOak and Wuala (pronounced like voilà). Both services bill themselves as "zero-knowledge solutions," meaning that they don't know what you're storing on their servers--and that they have almost no way of knowing, even if they wanted to. When you use SpiderOak, for example, the password you choose is factored into the encryption keys generated by the SpiderOak client. The only way for anyone, even a SpiderOak employee, to access your files--short of a quantum computer or a lucky guess--is by inputting your password. Password-building best practices dictate you should choose a phrase of at least ten characters that consists of an assortment of letters, numbers, and symbols.
The downside of services like SpiderOak and Wuala is that if you forget your password, you're pretty much out of luck. Both companies say they have no way of retrieving your password and can provide only a password hint that you entered during the signup process.
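The password-derived-key model described above can be sketched as follows. This is an added example, not SpiderOak's or Wuala's code. The function names, the PBKDF2 parameters, and the HMAC-based keystream (a standard-library stand-in for a vetted AEAD such as AES-GCM) are assumptions made so the sketch runs without third-party packages.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def derive_keys(password, salt):
    """Stretch the password into separate encryption and MAC keys (client side only)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stand-in for AES-CTR/GCM, not a production cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_for_upload(password, plaintext):
    """Return the only fields the storage provider receives: no password, no key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_after_download(password, blob):
    """Re-derive the keys from the password; fail closed on a wrong password or tampering."""
    enc_key, mac_key = derive_keys(password, blob["salt"])
    signed = blob["salt"] + blob["nonce"] + blob["ciphertext"]
    expected = hmac.new(mac_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or modified data")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


if __name__ == "__main__":
    # Constructed sample password and document.
    blob = encrypt_for_upload("constructed-Passphrase-42!", b"constructed sample document")
    print(decrypt_after_download("constructed-Passphrase-42!", blob))
```

Because the stored blob holds only the salt, nonce, ciphertext, and tag, nothing on the server side can substitute for the password, which is also why a forgotten password cannot be recovered.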
Despite the tight standard security, you can access your data on both services in a less secure way. If you log into your SpiderOak account from the company's website or from a mobile device, your password gets stored in encrypted memory for the duration of your session. This is the only situation, SpiderOak says, where your data might be read by someone with access to its servers. For maximum privacy, you should access your files only via the SpiderOak desktop client.
Wuala claims to encrypt and decrypt your data on a mobile device similar to the way it handles the task on your PC. But when you share folders from Wuala using a Web link, the encryption key gets included in the URL. So anyone who receives the URL can view the contents of that folder, and the key has to be sent to Wuala's servers for decryption. Wuala claims its service "forgets" the key after decryption, but that's still one instance where using Wuala is less secure.