tuna55
MegaDork
5/1/17 1:11 p.m.
Is that an oxymoron?
Let's assume I was willing to pay for a service to allow me to share pictures and documents with family members and very close friends. Even better if we could do E-mail. What would that service be?
I would also entertain a 'server in the basement' scenario, but I suspect it would be a full time job to keep something like that secure over the long term.
Your own private server (can be hosted) accessed with a VPN.
tuna55 wrote:
I would also entertain a 'server in the basement' scenario, but I suspect it would be a full time job to keep something like that secure over the long term.
It's not like there would be a bunch of people out there that want to get into that stuff. Roll your own Owncloud or something with a Pi and it should be simple.
My family just shares everything with Google Photos or Docs. It's easier, free, backed up, and still seems secure.
tuna55
MegaDork
5/1/17 1:28 p.m.
Roll your own owncloud...
hosted with VPN...
Say it like I'm twelve.
David, I have no clue, is Dropbox secure? Does it offer E-mail?
In reply to tuna55:
Dropbox has had some issues in its past, I'm not sure how they are now. There was a problem with their API where when a file was shared it created a URL which was then searchable through a search engine like Google. As a result numerous tax returns were leaked. Article here. They also have a couple of things that are a little iffy in their privacy statements.
You could buy a domain and server space which would allow you to run both email and storage with some off the shelf hardware pretty easily for a couple bucks a month. GSuite makes that pretty easy.
Google Drive is pretty good as far as a free service goes but comes with the same "is this really secure" issues that Dropbox does.
You could also build a server in your basement if you wanted. That obviously comes with some maintenance and IP addressing issues.
tuna55
MegaDork
5/1/17 1:48 p.m.
The0retical wrote:
In reply to tuna55:
Dropbox has had some issues in its past, I'm not sure how they are now. There was a problem with their API where when a file was shared it created a URL which was then searchable through a search engine like Google. As a result numerous tax returns were leaked. Article here. They also have a couple of things that are a little iffy in their privacy statements.
You could buy a domain and server space which would allow you to run both email and storage with some off the shelf hardware pretty easily for a couple bucks a month. GSuite makes that pretty easy.
Google Drive is pretty good as far as a free service goes but comes with the same "is this really secure" issues that Dropbox does.
OK, the buy a domain thing:
So I buy a website, tuna55.com, and I use it for my E-mail, Fishy@tuna55.com, and my wife uses it also, wifey@tuna55.com, etc... and we can put stuff there, and someone else physically owns the server and secures it, and that's what we pay for?
How does the software for that work out?
In reply to tuna55:
You'd buy the domain using one of the domain providers (Rackspace, GoDaddy et al.) then buy a hosting package with specific features you want to use. Some offer an Office365 email solution for instance and offer cloud storage that you'd access using either a built-in browser API or an FTP.
For GSuite, which might be a little overkill for you, you'll buy the domain from one of Google's partners (tuna55.com) and they'll set up the backend and do the hosting and maintenance of the software for you. In that instance you'd be using Google Drive and Gmail.
tuna55
MegaDork
5/1/17 2:00 p.m.
The0retical wrote:
In reply to tuna55:
So you'd buy the domain using one of the domain providers (Rackspace, GoDaddy et al.) you can also generally add some features to it. Generally, they take care of the hosting and software backend of the equation. Most of them use an Office365 solution.
Not a Google fan...
Show me more about this. Is there some form of online tutorial? Do you use something like Thunderbird to actually interact with your E-mail? How do others see files stored there? Is it something you pay based on how much storage that you want?
In reply to tuna55:
Sorry I keep editing to try to clarify a bit. This overview is a few years old but OwnCloud is still around. (Sorry it's a Lifehacker link if you care about that sort of thing.)
OwnCloud step by step setup.
Most other solutions work about the same way. Major items of note are you should have the domain, know what OS they run, and how the mail server is configured. That's all super easy to come by when you sign up for a service.
tuna55 wrote:
Roll your own owncloud...
http://www.instructables.com/id/OwnCloud-9-on-Raspberry-Pi-DIY-Dropbox/
You could run email on your server as well if you want. Or you could probably just get email service from whoever you get your domain from.
WD Mycloud would be a more out of the box solution. I think people have done plugins to serve email from one as well.
tuna55 wrote:
Is that an oxymoron?
Yes, if someone really wants what you put on the net they will find it.
Ransom
PowerDork
5/1/17 8:57 p.m.
First: Good question.
Second: I write software for a living, took two grad-level computer security classes before I got my degree, and am still basically certain I'm going to berk something up if I try to do this sort of thing myself.
Third: One thing that struck me from said classes was the description of computer security on a network as being often a bit like an armored car delivering something between a park bench and a cardboard box. Lock down the transfer of files all you like, if someone in the sharing group is inclined to add every browser toolbar, forward every email, etc... then things become iffy very quickly once they have the files on their machine.
Fourth and most important: I'm way behind, not an expert, and my idea should probably be set on fire and thrown out before you have a chance to take it with a grain of salt, but I might be inclined to look at something like Pretty Good Privacy as a means of making sure that only people you want to see something will be able to see it. I might look first at GPG (GNU Privacy Guard, an open source implementation of PGP, unless I'm further lost than I thought) for how it can be managed for the group you want to work with.
Anything you do is going to involve some management. I'm half-inclined to think that after setup, you should be able to use email more or less per normal, and get GPG to take care of making sure that things sent by plain ol' email get where they're going unread and undisturbed. I have no idea at this point whether you can set up Aunt Matilda's email client so it always does communications with you encrypted, etc...
The reality is that I haven't done any of the above, and my approach to "security" is to avoid putting anything I'm that worried about on a computer if I can help it, and try not to panic the rest of the time.
Unless you are sharing really sensitive stuff, it is likely that nothing will be any more secure than a shared Facebook that someone owns in terms of doing periodic checks making sure it stays set to private.
At the end of the day your data travels through many unknown servers and companies between you and family. Even if you have the most awesome home server security with everyone using biometric and RSA tokens on encrypted computers the data travels the public wire and so is vulnerable.
So if people really really want your data they will eventually get in.
Since most of us normally don't have that level of sensitivity in personal data the security of Facebook or Google+ is fine.
Mike
SuperDork
5/1/17 10:27 p.m.
There are a lot of undeclared elements here.
GPG/PGP email is really great, but requires everyone involved understand how it works. See "Why Johnny Can't Encrypt" series of papers to see how it can go wrong. If you're dedicated, it's a good and long-standing solution to this problem. There are several software solutions for this. I like Thunderbird and Enigmail.
OpenWhisper Signal has just today been updated to support arbitrary file types, and uses phone numbers as identifiers. It's mobile first and quite a bit more modern. There is a desktop web app for Chrome, depending on your security needs.
WhatsApp uses the Signal protocol, has a desktop option, and is more popular. It's very slightly less secure than Signal itself, taking some minor but reasonable choices toward usability.
Telegram is supposedly very secure, but they're not showing their work, and appear to be engineering their own encryption, which is a no-no.
SpiderOak Semaphor looks really good for a collaborative, end to end encrypted Slack competitor. I don't know a ton about it, but it looks nice. No passwords, and you can add people to your Semaphor rooms by scanning codes to swap keys, which I really appreciate.
Ransom wrote:
Third: One thing that struck me from said classes was the description of computer security on a network as being often a bit like an armored car delivering something between a park bench and a cardboard box.
Reminds me of a very clever analogy a Slashdot user came up with when Facebook announced their .onion site:
"That's like putting a condom over the car you drive to the whorehouse"
More on-topic, if OwnCloud is too difficult, sharing encrypted files through Dropbox seems like a decent solution to me. That way even if someone gets your files who shouldn't, they still can't see them without the encryption key. It's easy to put serious encryption on .zip files.
SVreX
MegaDork
5/2/17 10:14 a.m.
I don't think you are asking the right questions.
Better questions:
- What level of security do you need to accomplish?
- Are you the NSA or a top secret entity?
- If you didn't want to be seen naked, why did you take your clothes off?
- etc, etc...
EVERYTHING can be hacked. The only way to completely avoid this would be to not be connected by electronic devices. No wires, no wireless.
But behind this question is, Is anyone gonna actually care? Your best security is probably coming to terms with the fact that no one actually cares about your pictures, and will therefore not bother them. Leave the security issues to the big guys who it matters to (Google, Facebook, Imgur, etc.). Security matters to those folks and they put a LOT of effort into it. You will never be able to do a better job than they do.
tuna55
MegaDork
5/2/17 10:38 a.m.
In reply to SVreX:
I like you.
I went to a Radioshack once trying to buy a set of walkie talkies which were voice activated, no button to press, to use while skiing with buddies. The dude spent like 1/2 hour telling me all the reasons that it wouldn't work, so I went somewhere else and bought them. They worked great.
Don't be Radioshack.
SVreX
MegaDork
5/2/17 10:44 a.m.
In reply to tuna55:
Fair enough.
It wasn't my intention to be Radio Shack, it was my intention to agree with your original statement. Yes, it's an oxymoron.
I apologize, but also think the reality is for 98% of people that efforts to avoid things like Google and do it themselves often lead to significantly less secure approaches.
YMMV.
tuna55 wrote:
In reply to SVreX:
I like you.
I went to a Radioshack once trying to buy a set of walkie talkies which were voice activated, no button to press, to use while skiing with buddies. The dude spent like 1/2 hour telling me all the reasons that it wouldn't work, so I went somewhere else and bought them. They worked great.
Don't be Radioshack.
That's the best thing I've read in a long time.
Just so you know, I'm going to use it like it's mine.
tuna55 wrote:
I went to a Radioshack once trying to buy a set of walkie talkies which were voice activated, no button to press, to use while skiing with buddies. The dude spent like 1/2 hour telling me all the reasons that it wouldn't work, so I went somewhere else and bought them. They worked great.
Hahaha, the guy at RadioShack obviously had no idea what he was talking about...I'm pretty sure voice-activated radios can be made with analog electronics.
bluej
UltraDork
5/2/17 12:02 p.m.
If you're worried that Google Drive isn't secure enough for you, you definitely don't want Dropbox. Our company moved away from Dropbox due to ownership concerns of the data they host for you.