Thanks guys

I only use th galaxy to GET ( not GIVE) info. For example I use the galaxy to surf stock trading forums for hints & insights but not to do trading.

Iam still new to the Galaxy thing and still stumbling around it. So when I logged in this forum to writr this I accidently found myself out. The first time it asked me if I wanted username & password saved. I chose NEVER option. Second time logging in I was starting to write username when it gave the suggestion (chisel) .. LOL. So much for NEVER!!

Internet security is much like regular security like door locks and car alarms. It's very difficult, impossible perhaps, to completely secure information, just like no home door lock is entirely immune to attack. Your goal is to make it so difficult and time consuming that the thief moves on to greener pastures.

Public WiFi does have it's security problems. If your worried about someone eavesdropping on you (and that's a very real possibility), there are several VPN solutions for Android.

I have used AVAST Antivirus for years (It's free and decent), and they make clients for both Windows and Android.

They also have a Secure VPN client just for Android. It's a subscription, and not free, but it works very well and would take the risk out of using public Wifi.

And looking through these posts, I can't help but comment on some of the more "Don't trust the internet, the government see's and knows all!" posts.

[redacted]

This was actually the first mention of government at all in this thread. This post was off topic and inappropriate.

UPDATED: It's been pointed out to me that there was a previous mention of the government in this thread.



chaosmagnet

While we're on the topic of computer security, let me ask about a situation I found myself in today.

My online backup service offers "default encryption" and "private encryption." In the former, the company would store your data encrypted, but you don't have to choose the key. In the latter, you choose your own key "for even greater protection." If you forget your key, your data cannot be decrypted (unless you're the NSA, I guess). Both systems use the 256-bit AES encryption. The tech support reassured me again and again that with default encryption, my data is perfectly safe, that their employees would have no access to my data. I kept asking, "But the key would have to be stored somewhere, right?" They kept avoiding answering that question. So that doesn't give me a lot of confidence. Even though I only have personal stuff, nothing of commercial or national importance, I still wonder whether using an encryption key I don't control is a gaping hole.

That's a really good question, Bingley. It's analogous to one of the most fundamental and important questions in information security, the key distribution problem.

Briefly, we can make encryption that cannot ever be broken through cryptanalysis of intercepted traffic, using a one time pad (OTP). Why doesn't everybody use OTP then? Because distributing the keys, securely, to everyone with whom you might want to communicate is an absurdly difficult problem if you're going to communicate with more than a few people or if you don't already have a secure channel already -- and if you have a secure channel already, why do you need an OTP?

Back to your questions.

First, AES256 is really, really strong, so strong that using current supercomputer technology it would take more time than there is left before the end of the universe to crack your key. Nation-state actors who want to decrypt AES256 need to get the key some way other than cryptanalysis.

Second, you're right: If you let your online backup service manage your key, that means that they have access to your key. While the service I use claims to -- and almost certainly does -- use strong internal controls to prevent unauthorized access to keys, keys could still be compromised by a sufficiently advanced attacker or by legal process.

So how do you balance the risk? For me, I read about the (claimed) security procedures used by the online backup service I subscribe to. I decided they were using a pretty secure method, and that the risk (to me) of key compromise was less than the risk of losing the stored data.

I let my online backup service manage my key.

Thanks for the thoughtful response, and for taking the time to compose it! You are truly a help. For me, it's also a matter of weighing the compromise. I just wish the tech support guy were more informative than repeatedly asserting "your data is safe!"

You're welcome. I've been doing infosec for my entire adult life. Your tech support rep probably wasn't trained to discuss the complexities of key management.

As the Prisoner once asked 'WHY?' to the General all those years ago.

Perhaps this Video JADE HELM (Master The Human Domain) decoded might begin to start answering that Question.

https://www.youtube.com/watch?v=oqGEz9IqOrE

I apologize, my comments here were not constructive to the conversation. I am truly sorry if I offended anyone.