Educause Security Discussion mailing list archives
Re: File Hosting/Sharing Services [dropbox, mobile me, etc.]
From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Fri, 14 Jan 2011 10:13:34 -0600
That's true, but then why bother trying to encrypt this data in the first place? Each of the scenarios you accurately laid out is still valid and can still lead to data compromise. The real reason, I think, as several others have skirted around, is that we want to appear like we've done our best if (when?) we get breached to avoid legal liability. Hence "encrypt and email (or post) that file, then email the password separately." Doesn't actually get us all that much, but it looks good on paper.

Back to the original question, I'm a huge, huge fan of Dropbox. It's fast, easy, uses TLS, and reportedly remains encrypted at rest on Dropbox's servers. If the data your researcher is sharing is not PHI/data on individuals, Dropbox alone is probably an excellent solution. If it's PHI, take steps to zip, encrypt, then share over Dropbox. And have your researcher send the password to that zip file over the phone, not via email.

-jth

--
John T. Hoffoss, CISSP, GCIH -- Information Security Specialist
E: john.hoffoss () csu mnscu edu -- O: +1.651.201.1453 -- M: +1.612.867.1432
Minnesota State Colleges and Universities -- Information Security Office
30 7th Street East, Suite 350 St. Paul, MN 55101-7804 USA
>>> Valdis Kletnieks <Valdis.Kletnieks () VT EDU> 01/14/11 9:31 AM >>>
On Fri, 14 Jan 2011 07:23:36 CST, "Pratt, Benjamin E." said:

> Sending password over e-mail, unless that e-mail is encrypted with something like GPG or PGP, is an incredibly scary thought.

All depends on the value of the password and what your threat model is. Assume we're talking about a one-off password that decrypts exactly one encrypted file. The total risk isn't all *that* high. Remember, although it's *possible* to intercept an e-mail, it's *likely* to happen in only a few major cases: ...

Yes, it is indeed a mildly scary thought, but if you find it "incredibly" scary, I wonder what words you use to describe the truly bad news stuff, like "140 million compromised PCs". Now *that* is a scary thought - that no matter what care you take to get the data safely to the other end, there's like a 1 in 5 or 1 in 10 chance that it will be processed on a computer under somebody else's control.

Now, given that - how hard do you *really* need to try to get the password there safely? :)