It will probably be fairly brutish and short. If you are, indeed, handling such information, I would suggest running, not walking to your FSO for a conversation. CLASSIFIED has a VERY specific meaning in certain domains - including the domain that you seem to indicate that you work in. If you deal with certain information, you would certainly NOT use the term CLASSIFIED in discussing the status of that information. So - your use of terminology would lead me to think that you haven't been at this too long (I apologize in advance for the snark if that is not the case). Not all subcontractors could handle sftp and friends. I use it for some SOHO confidential data it wouldn't be the end of the world if the data were disclosed, but we have committed to make good faith effort(s) to keep it secure, so we do (rather than moving files to subs via email, etc.). Of course, if the client isn't trustworthy (and you have to take their word for it >) that goes out the window even if the algorithms are secure themselves > "All" you need to do is encrypt the data before it goes offsite, encrypt it well enough that the data is protected commensurate with its value, etc.įor commercial users, provides a very usable interface and GUI. Think serious civil as well as criminal consequences).įrom a technology angle, it may be "possible" if the folks in charge sign off. Otherwise, as others have noted, you may be very deep waters (not only will you be in violation, but anyone in the organization using the service will be, and you will have induced them to do it. To get a ruling on whether you may do what you want. It may be perfectly secure, but that's not what you will be evaluated against. Can you get away with a crypto library that you downloaded from Internet? I don't think so. Cryptographers know what to watch for, and even they make mistakes sometimes. One can have a good algorithm that is implemented with a small bug, and that bug turns it from unbreakable to reversable in milliseconds. DSS workers are not cryptographers even most of NSA personnel are not cryptographers (as we know now.) It takes an inordinate amount of effort to approve a cryptosystem for a particular use. If you start building your own, nobody is even going to check what you did. If you can get NSA to approve a cryptosystem for your setup, you are golden. NSA does that, and they approve and provide cryptosystems for various end users. This is why you never invent your own cryptosystem.
Can you guarantee that it won't get worse? Your adversary has all the resources of the state (albeit a poor one) and they are not constrained as much as you are. But there was no such leak before, and now there is a foothold. Unless salted, every block of same plaintext will produce the same ciphertext. AES may prevent you from reversing the key, but it still a block cipher - and many technical documents have similarities that can be exploited. You used /dev/random, and it is random enough. Or something equally trivial.īut let's imagine you have a secure key. Right? No, wrong - because I used a key that consists of all zeros. What does it mean "well encrypted?" What is even the criteria for "wellness" of your encryption? Would it be OK if I use ROT13? Ok, perhaps not.
#Git annex dropbox portable#
You could have a server in North Korea and safely store all the secrets of portable nukes there, as long as they are well encrypted.īut the devil is in details. It is checked against an approved list of measures and actions that you are supposed to have and perform. Am I wrong?"Īs many posters indicated in their comments, compliance is not even checked against your arbitrary list of technical measures. Unless I'm severely missing something, I'm just blown away that no one offers this functionality with today's tech capabilities. I've been calling different companies and just can't seem to find a decent solution. We tried using Box as a more secure replacement but ended up canceling the service due to lack of functionality 40,000 file sync limit, Linux-based domain controller compatibility issues and the fact that the sync application does not work while our computers are locked (which is an explicit policy for my users). Some of our data is classified under International Traffic in Arms Regulations (ITAR) which requires that all data to remain inside the US, including any cloud storage or redundant backups.
We are currently using DropBox and I am terrified of seeing another data leak like last year. First time accepted submitter MrClappy writes "I manage the network for a defense contractor that needs a cloud-based storage service and am having a lot of trouble finding an appropriate solution that meets our requirements.
0 kommentar(er)
