Is SpiderOak really secure?
I know that when using SpiderOak you encrypt your data before it leaves your computer, but how can you know if they aren't behind the scenes transferring your private key to their computer as well as the password with the key? Is there any way of knowing for sure without working for the company?
|
Quote:
See Why isn't SpiderOak open source yet? When will it be? |
You can always encrypt before you upload to SpiderOak; then it will be double encrypted. If SpiderOak is "passing on their key" to others, the "others" will still have to decrypt YOUR encryption.
|
Quote:
And even if you work for the company, if such practices are used, only a handful would know anyway. |
Quote:
If you don't encrypt yourself and only use SpiderOak's way of encrypting, there is, based on the answers in this thread, no way of knowing if it's actually secure or not. |
I would presume that such a service is not "secure," most especially if they do not fully release their source code.
Furthermore, it is comparatively easy to achieve commercial-grade verifiable security, using any of these core technologies (properly applied using digital certificates, not passwords):
|
Quote:
That no service is that secure is sort of a problem though, since I would like to have a place in the cloud where I can push my files and be sure that they are secure, since I don't like having a backup disk which I might somehow manage to lose or which might get damaged or corrupt in some way, and making a backup of the backup isn't necessarily a good way to go either. I guess, if you are going to use the cloud as storage, you just have to trust the vendor and know that it is not totally secure but that it in theory should be. Do you have any recommendations on how to store backups in the best way without using backup disks, which seem too dated these days? This is for personal use, not business, but everything from purchased items to somewhat sensitive information and produced music tracks and whatnot. I would like to use the cloud since it's so incredibly easy and I know it's always "there" and I can't lose it except if the company goes bankrupt, but in that case I guess they would inform their users well in advance. |
"zero knowledge cloud storage service" = marketing hype.
What is Zero Knowledge? cloud != "secure". As for other people accessing what you store up there, it's only as secure as you make it before it's stored there. |
I would say that it is certain that the service provider is keeping a copy of everything that has ever been stored there, and complete records of everywhere it came from and went, and that it is probably providing a real-time "top secret" data feed about it to someone under a gag-order.
But then again ... every ISP along the way is probably doing the same thing. ... and the computer that you used to encrypt it might be "bugged" or have a "back door," too. :rolleyes: Today, we live in the most un-"anonymous" environment imaginable, and the laws have not yet changed. There are enormous amounts of money being made by companies who serve the "surveillance industrial complex" that sprang up in the 21st Century, and by the legislators who sit in office today. Human beings being 'the self-serving greedy b*stards' that we (heh ...) all really are, :rolleyes: "that's not going to change quickly." Plan Accordingly.™ Here are some practical suggestions:
|
Quote:
So we can rule out that we can't trust these guys in any way, no matter what they write in their terms of service or how they secure your data. From what I can see, SpiderOak has an application you use to upload your data, a client app. If you store your private key outside of the area SpiderOak knows about, encrypt your data with that key and then upload it, then SpiderOak would never have my private key and could not unlock my data, correct? If you use their app, I understand that you might send the private key to them and don't have control, but encrypting data outside of the directories SpiderOak or, for example, Dropbox knows about shouldn't be a problem, should it? Then they would have to have your key and/or have cracked the algorithm. |
Quote:
I wouldn't trust them, and especially their "client app" (ET, Phone Home). I trust NO internet accessible service to be secure. The "wild wild west" days of the internet are GONE. There are too many variables involved for me to make a reasonable reply to your many "shoulda, coulda, and wouldas". You want Secure Storage? Buy a thumb drive and stash it in a "cavity" off the internet. Where is Phil Zimmermann now on the issues? |
I don't trust cloud based services either. Just use an external HDD/USB stick preferably encrypted.
If you still want to use cloud just put files that have no sensitive information. :-] |
Quote:
That being said, no, you should not trust anybody just like that... but you are holding the key and the vendor does not know where it is. Like I mentioned several times, their systems and programs don't know where it is, and how would they even know when or where you typed your password? You could even create the encryption key on a different computer before using it on the one where you want to encrypt your files. I don't see any constructive comments, only comments that indicate or directly state that you cannot trust anyone, which, even though it might usually be the case, might also not always be. If they had their software scan your hard drive, they would still not be able to know your password if they found your key, and that being said, how would they even identify the right file when you might have several other keys? I see that we can't trust them, but given the fact that you can create the encryption key yourself, even on another computer, and then use it, it seems highly unlikely that they would be able to use your key, if they even could identify which file it was. I guess the reason for not having it open source is to protect their business, so no one just clones it and uses it themselves to start an almost exact site with a few improvements. But if I was asked at work by clients, I wouldn't go for the cloud either. I guess when it comes down to knowing for sure, trust is too difficult with all the different components the traffic goes through, like mentioned previously in this thread. But then again, how safe is your data really in a secure business location compared to having created the encryption key on a different computer not connected to the internet with a strong encryption cipher, then used on different computers to encrypt content before it's being uploaded to the cloud? |
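The approach raised in the posts above (keep the key outside the folder the sync client watches, encrypt locally, and let only ciphertext reach the cloud), as an added example that is not part of the thread or of SpiderOak's software. It assumes OpenSSL 1.1.1 or later; the function names and directory layout are hypothetical, and `openssl enc` is a tool chosen here, not one the posters named.

```shell
#!/bin/sh
# Added example (not from the thread): only ciphertext enters the synced folder.
# Function names and directories are hypothetical; OpenSSL 1.1.1+ is assumed.
set -eu

# new_key KEYFILE: create a random 256-bit secret, readable by the owner only.
new_key() {
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# encrypt_for_sync SRC KEYFILE SYNC_DIR: write SRC, encrypted, into SYNC_DIR.
encrypt_for_sync() {
    key_dir=$(cd "$(dirname "$2")" && pwd -P)
    sync_real=$(cd "$3" && pwd -P)
    # The key must never live where the sync client can see it.
    case "$key_dir/" in
        "$sync_real"/*) echo "refusing: key file is inside $3" >&2; return 1 ;;
    esac
    # AES-256-CBC with a PBKDF2-derived key. This gives confidentiality only:
    # openssl enc does not authenticate, so tampering is not detected on decrypt.
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$2" -in "$1" -out "$sync_real/$(basename "$1").enc"
}

# decrypt_from_sync ENC KEYFILE OUT: restore a file fetched back from the cloud.
decrypt_from_sync() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$2" -in "$1" -out "$3"
}

# Demo on constructed data in a throwaway directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/private" "$work/synced"
    printf 'constructed sample: tax records\n' > "$work/private/notes.txt"
    new_key "$work/private/backup.key"
    encrypt_for_sync "$work/private/notes.txt" "$work/private/backup.key" "$work/synced"
    decrypt_from_sync "$work/synced/notes.txt.enc" "$work/private/backup.key" "$work/restored.txt"
    cmp -s "$work/private/notes.txt" "$work/restored.txt"
    echo "round trip ok; synced folder holds: $(ls "$work/synced")"
    rm -rf "$work"
}
demo
```

Generating the key with `new_key` on a separate machine and carrying it over on removable media matches the variant described in the last post; losing that key file means the uploaded copies cannot be recovered.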