Should I bring all my shoes and glasses?

// >> September 2011

KPMG LogRhythm Webinar Replay Link
| 21. September, 2011

The link here will take you to the LogRhythm webinars page where you can watch a recording of the webinar from 9/13/11. Here is the excerpt from the webinar registration:

Detecting Advanced Persistent Threats (APTs) — Applying Continuous Monitoring via SIEM 2.0 for Maximum Visibility & Protection

KPMG’s Deron Grzetich and LogRhythm’s CTO, Chris Petersen, share experiences working with clients to help detect and respond to sophisticated threats such as APTs and how continuous monitoring via SIEM 2.0 can play a meaningful role in thwarting the increasing number of high-profile data breaches occurring today.

Bitcasa Encryption?
| 18. September, 2011

Art’s post below got me thinking about Bitcasa and the security of the data…and it seems Bitcasa’s CEO mentioned something about how they plan to protect the data in a recent interview (http://techcrunch.com/2011/09/18/bitcasa-explains-encryption/). The obvious answer is encryption, but the question is how? Note, I’m not stating this is HOW Bitcasa works, simply presenting an option for how this may work.

One issue with successfully de-duplicating data is data encryption itself. For example, if I have a file and you have the same file but our encryption keys are different, then the file appears completely different to the de-duplication system. It fails to identify two exact files because they no longer match. However, there is another way in which we can secure the data using the same key: derive the encryption key from the data itself.

So in a new example, let’s take the file mentioned above and split it into chunks of data. Now, if I hash a chunk and use the hash as the encryption key for the chunk, I have a “secure” chunk. If I transmit the chunk across the wire and it is intercepted by an adversary, it is still secure, as the adversary doesn’t know the plaintext which generated the key for encryption. Sure, depending on the size of the chunk we could be subject to brute-force attacks…so care needs to be taken to make brute-force possible only after the data has “expired” or lost all value (you choose: years, decades, millennia, etc.).

Next, I upload the chunk to the server for assessment. Thinking about de-duplication for a second: since the hash and encryption algorithms are the same for everyone (SHA-256 and AES-256 in Bitcasa’s case) and the key, which is derived from two identical chunks of data, is also the same, the resulting ciphertext will also be identical. And if I see two identical chunks on the server side, I know I have a duplicate chunk and only need to store one of the two.

Given that I’m talking about chunks, there is another layer to this system which I’m still trying to understand…the metadata. Something has to map all of those chunks to a single file if we are indeed breaking it up into smaller pieces. But that’s for another post…hopefully after Bitcasa tells us more on how the system works. Also, the secret sauce that stores “something” on the local drive needs some explanation as well.
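The scheme sketched in this post (hash each chunk, use the hash as that chunk's AES-256 key, de-duplicate on identical ciphertext, keep a per-file map of chunks) can be written out as follows. This is an added example, not Bitcasa's code or anything from the interview; the 16-byte chunk size, the CTR mode with a zero IV, and the names `Ref`, `Store`, `Upload` and `Download` are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

const chunkSize = 16 // constructed value; the post gives no chunk size
type Ref struct{ ID, Key [32]byte }            // client-side manifest entry
type Store struct{ blobs map[[32]byte][]byte } // server side: ciphertext only

// crypt is AES-256-CTR; the zero IV is safe only as each key encrypts one plaintext.
func crypt(key [32]byte, in []byte) []byte {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key never returns an error
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

// Upload keys each chunk with its own SHA-256; equal chunks share one stored blob.
func Upload(s *Store, data []byte) (refs []Ref) {
	for len(data) > 0 {
		n := len(data)
		if n > chunkSize {
			n = chunkSize
		}
		key := sha256.Sum256(data[:n])
		ct := crypt(key, data[:n])
		id := sha256.Sum256(ct) // server-visible identifier
		s.blobs[id] = ct
		refs = append(refs, Ref{id, key})
		data = data[n:]
	}
	return refs
}

// Download rebuilds the file from the manifest; keys never leave the client.
func Download(s *Store, refs []Ref) (out []byte) {
	for _, r := range refs {
		out = append(out, crypt(r.Key, s.blobs[r.ID])...)
	}
	return out
}

func main() {
	s := &Store{blobs: map[[32]byte][]byte{}}
	refs := Upload(s, []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtail")) // constructed input
	fmt.Println(len(refs), len(s.blobs), string(Download(s, refs)))
}
```

The manifest of `Ref` entries is the metadata layer: it holds the keys, so it needs its own protection, and anyone who already has a chunk's plaintext can recompute its identifier and learn that the store holds it.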

Mi Casa, Bitcasa?
| 13. September, 2011

Recently got wind of a new startup cloud service, Bitcasa, pieced together from some ex-Mastercard and Verisign guys. Essentially, it is a cloud service that offers its users UNLIMITED storage. I’ve scoured the web for more details, but they’re pretty vague at this point. From what I can gather, it is basically Dropbox without the local syncing. The service uses your local hard drive as a temporary cache with some patent-pending mumbo-jumbo where it attempts to guess what files you will use the most. Yea, I don’t really understand it either.

A few thoughts come to mind:

1) With the advent of other streaming cloud services (Spotify, Netflix, etc), I would argue that the routine of buying larger and larger hard drives is a thing of the past. I’ve already begun deleting my music and movie “backups”, and am currently at pre-2003 hard drive space levels. Look out Moore’s Law!

2) For the things I actually do use my hard drive for (operating system, games, applications, etc), aren’t hard drives cheap enough now that I don’t really need cloud storage for this? I can get a 1TB 7200 RPM drive right now for 50 bucks. Now that I think about it, I probably can’t even run applications off Bitcasa anyways.

3) What happens if I don’t have an Internet connection? How do I get files if their patented guessing algorithm is wrong?

Putting on my security hat for a second, this service poses an interesting issue should it take off. In one of my earlier posts I had guessed that the ever-increasing sizes of hard drives would be the end of forensics. While this may still happen, it will be a gradual, slow death. But what if the actual coup de grace is the shift from using traditional hard drives to cloud-based storage? Don’t get me wrong, this idea isn’t novel or groundbreaking, but what I’m trying to highlight is that instead of cloud being a “down the road technology”, the train is already in the station and will only gain momentum. Certain host-based forensics you could probably still do, like web history and security log analysis. But from an e-discovery perspective, what would you do if a company had made the switch to store their data using a service such as Bitcasa? Who knows if any trace of the files exists locally, and it’s not as if they can go to the cloud vendor with a subpoena to seize data. Looking 2-5 years down the road, I can see most companies migrating their email infrastructure to the cloud as well. I know Microsoft’s cloud mail solution, BPOS, comes with a master account should mail need to be retrieved for a user. But what if Bitcasa’s “no keys to your kingdom” security model were applied at other email vendors? I suppose corporate email and personal storage operate on two very different premises, but hey, I’ve seen crazier trends come out of this industry.

 

KPMG LogRhythm Webinar
| 11. September, 2011

Shameless self-promotion – I’m doing a webinar along with LogRhythm’s CTO where we’ll be talking about new malware drivers and controls that most organizations should have in place today.

https://www1.gotomeeting.com/register/659315160
