On Thu, Apr 5, 2012 at 5:42 PM, Sam Smith <smick...@hotmail.com> wrote:

> The point is that SpiderOak (and Lastpass) never know the user's password.
> And never receive the encryption key. The key never leaves the user's
> computer. The server never gets it. The only thing that ever lands on the
> server is an encrypted blob.
From their website: "Retrieve files from any internet-connected device", "Access all your data in one de-duplicated location"... I know to the easy consumer that doesn't spell lies, but to me it reads "We do know your encryption key, if we want to, and little do you know, we do have the ability to get the key that encrypts the encryption key too." Companies lie all the time, or they tell pieces of a story and never tell the entire story. Though I don't know if it's more of a lie than an assumption on their end, and maybe even they themselves not understanding what could possibly go wrong, or they just don't care because the user doesn't pay too much attention after "WE NEVER KNOW." The key to knowing the full story is to read "Retrieve files from any internet-connected device." To add to it, let me point out this: "Easily access all of your data from any device within your SpiderOak network or on the web", which contradicts this: "SpiderOak never stores or knows a user's password or the plaintext encryption keys which means not even SpiderOak employees can access the data". It's not so much a direct contradiction as much as an arrogant assumption that we (or I guess only I in this conversation) don't realise that their employees do have a way to access it; they just need to do a couple of minutes' worth of work, and that is what makes it contradict.

> What this means is that the user doesn't have to worry about the 3rd party
> taking care of the data. If the 3rd party is hacked, if the 3rd party has a
> rogue employee, etc. The data has a much better chance of being safe than if
> it's implemented like say iCloud where even if the data is encrypted Apple
> holds the encryption key and can access the data anytime they want. If Apple
> can access the data, a rogue employee and a hacker can potentially access
> the data.

As you argue for encryption on Ubuntu One you need to realise that all third parties are adversaries; Ubuntu is one and so is SpiderOak.
It's not much more secure. Yes, it *might* be considered more secure from external adversaries after they have the data, but it surely isn't more secure from internal ones; the fact that you can access your data from 'anywhere' proves that. That rogue employee need only attack the website from inside the company and all is lost, or push out a dirty update and even more is lost. You think it can't happen? Ask Google if it can. You aren't as safe as you assume; you are not even seeing the entire picture of all possible attacks. Just because Apple or Ubuntu can access the data doesn't mean that an external 'hacker' can. That is an arrogant assumption IMO. The only difference in this case is that even if the so-called 'hacker' gets your data he needs to do more work, but the fact he got your data in the first place is just as bad in both cases, regardless of the encryption; you are just protected (somewhat, depending, and one could only really know if they actually know how they use the encryption. So at this point I would assume I am no more secure if using SpiderOak.) You are just as vulnerable to actual data theft encrypted or unencrypted, and by data I mean any data, encrypted or not.

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss