Don't Put Secure Info In The Cloud: [UPDATED WITH NEW INFORMATION]
UPDATED 2240 20140505: Insync HQ has gotten back to me (and considering they're in the Philippines, the delay makes sense). And they've been very quick about replying to e-mails and seem very anxious to make sure this problem is fixed. But it doesn't seem that it's something they can control. They state:
"...we only access your Google Drive so it's possible that it's orphaned and thus not showing on Drive web (i.e. it's impossible for Insync to access someone else's Drive as Insync would need access to the user tokens which is approved by the user)."
I've still only been able to get a hold of one of the users whose data I saw; they suggested that it might have been an accidental share as well by an employee. Which makes the lesson below even more important. I know that I was accidentally e-mailing someone with a letter difference for about two months earlier this year.
I use quite a few cloud services - Dropbox and Google Drive being two of the more flexible. And I use InSync to manage synchronizing the data between Google Drive and the desktop.
It's been a great service - and then today I noticed something strange as I was cleaning up and organizing my Drive folder. There were a bunch of "shared with me" documents that I hadn't synced.
And when I did start them synchronizing... well, I was surprised.
If you aren't gasping yet, then this screengrab should make you sweat:
Yes, that file is exactly what it looks like. The account information for every bit of financial and web information I would need was in plain text. I have successfully contacted one party (they had designs for business cards in the folder), and resetting my syncing and purging shared folders seems to have gotten rid of the unwanted data.
I still don't know if this was a Google Drive problem or an InSync problem. (InSync has not gotten back to me at this point, and I have no idea who to start with at Google.) I have no reason for either of the folders to have been shared with me. I don't know how the verification for the client works either.
But it does not matter.
Even if it was the most innocent of hiccups, this sort of thing will keep happening.
If you have confidential information - and I mean passwords and the like - shared on the cloud, the individual files must be encrypted. Whether you use a tool like TrueCrypt to manage a volume inside your synced drive or GPG (which, you might remember, I suggested you install anyway), you have to make sure that your data is secure whenever it passes through another's hands.
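One way to check that advice against a synced folder, as an added example that is not part of the original post: the script walks a folder and reports every file that does not begin like a GPG (OpenPGP) encrypted message. The function names, the sample folder and its file contents are constructed for illustration.

```python
import os
import tempfile

ARMOR = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags that open an encrypted message (RFC 4880):
# 1 = public-key ESK, 3 = symmetric-key ESK, 9 = encrypted data, 18 = encrypted + integrity
ENCRYPTED_TAGS = {1, 3, 9, 18}


def looks_openpgp_encrypted(head):
    """Heuristic: does the file start like an OpenPGP encrypted message?"""
    if head.lstrip().startswith(ARMOR):
        return True                      # ASCII-armored (gpg --armor)
    if not head or not head[0] & 0x80:
        return False                     # bit 7 must be set on a packet header
    first = head[0]
    # New-format headers keep the tag in bits 5-0, old-format in bits 5-2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag in ENCRYPTED_TAGS


def audit_sync_folder(root):
    """Return sorted relative paths of files that are not OpenPGP-encrypted."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            if not looks_openpgp_encrypted(head):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_sample_folder():
    """Constructed sync folder; the .gpg bytes are a fake header, not real ciphertext."""
    root = tempfile.mkdtemp(prefix="sync-audit-")
    os.mkdir(os.path.join(root, "cards"))
    samples = {
        "accounts.txt": b"bank login: example-user / example-password\n",
        "accounts.txt.gpg": b"\x8c\x0d\x04\x09\x03\x02" + b"\x00" * 32,
        "notes.asc": ARMOR + b"\n\nconstructed-body\n-----END PGP MESSAGE-----\n",
        os.path.join("cards", "design.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel in audit_sync_folder(build_sample_folder()):
        print("NOT ENCRYPTED:", rel)
```

The check reads only the leading packet header, so it is a heuristic and does not prove a file decrypts correctly. A TrueCrypt volume has no recognizable header and will be reported as well, so exclude the container file by name if you use one.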
And while you're at it, check out my (still relevant) guide to securing your online life, okay?