zlacker

1. mitter+(OP)[view] [source] 2022-02-08 18:02:08
Sometimes I wonder what the chances are that certain (highly privileged) staff at Google (or other similar data storage or e-mail companies) could run a query across Google Drive looking for a specific public key. Much like a malware scanner, just looking for "a key", just to see if there is an account matching. Unofficially, of course. A rogue employee perhaps. And, what if, in such a case, the employee (in the best of cases) reports the person anonymously, or in other cases, takes off with the private key if also found.

Or does anyone know if the data is so encrypted that nobody at Google can override? I would highly doubt that, looking at US law enforcement pressure. And I am sure there's a million and one barriers and access requests blocking raw queries, but technically...

Of course, a hefty hefty conspiracy-laden thought, but I just found myself curious if that would even remotely be an option.

replies(5): >>bagacr+I6 >>paulpa+d7 >>sjg007+oa >>rehitm+Pa >>manque+PX
2. bagacr+I6[view] [source] 2022-02-08 18:28:29
>>mitter+(OP)
I think the perp encrypted the file themselves before uploading to Google cloud (or wherever). The encryption was not provided by the platform.
3. paulpa+d7[view] [source] 2022-02-08 18:30:54
>>mitter+(OP)
This would be trivial to code and could search for one of the BIP 39 dictionary words. GitHub key thieves do this already.
replies(1): >>vmcept+Ue
4. sjg007+oa[view] [source] 2022-02-08 18:45:16
>>mitter+(OP)
Google already scans drives for copyright infringement.
5. rehitm+Pa[view] [source] 2022-02-08 18:47:17
>>mitter+(OP)
I haven't worked for Google, but another cloud provider I worked for has a very strict production access policy. You cannot just access prod or run a script. Even in cases where you must access prod, it needs special temporary access (Just in Time Tokens), which is audited and linked to a case. A few people in the management line have to approve the access, and it expires once used. I would say the chance that some random engineer does this is very, very low, unless Google actually does something like that as a product for law enforcement. I have heard of a few cases of these scripts for things like child abuse images. I have never seen one in action, though.
6. vmcept+Ue[view] [source] [discussion] 2022-02-08 19:03:17
>>paulpa+d7
Happened to many on Dropbox too.

You would never know if it was somebody employed there or at the data center or at the government agency tapping the servers

replies(1): >>dannyw+Io2
7. manque+PX[view] [source] 2022-02-08 22:20:36
>>mitter+(OP)
The I/O cost would be more than any loot you find!

Jokes apart, it is not easy even for Google in-house teams; such a query scanning all their Drive folders would be very, very expensive computationally.

Most files are stored as binary blobs, i.e. bin formats like PDF, etc., with some level of compression. Retrieval costs and file read costs for even the most common formats can be expensive and slow.

8. dannyw+Io2[view] [source] [discussion] 2022-02-09 10:43:32
>>vmcept+Ue
Yep, I definitely recall numerous incidents of people putting a private key into a Dropbox file, never sharing it with anyone, having 2FA on their accounts (with no unauthorized activity), and then seeing funds disappear.