LinuxQuestions.org


exceed450 01-04-2014 01:19 PM

Is spideroak really secure?
 
I know that when using SpiderOak you encrypt your data before it leaves your computer, but how can you know if they aren't behind the scenes transferring your private key to their computer, as well as the password with the key? Is there any way of knowing for sure without working for the company?

ntubski 01-05-2014 08:57 AM

Quote:

Originally Posted by exceed450 (Post 5091912)
how can you know if they aren't behind the scenes transferring your private key to their computer

Since they haven't released the source code of the client, you have to trust them...

See Why isn't SpiderOak open source yet? When will it be?

lleb 01-05-2014 03:26 PM

you can always encrypt before you upload to spideroak, then it will be double encrypted. if spideroak is "passing on their key" to others, the "others" will still have to decrypt YOUR encryption.

gradinaruvasile 01-05-2014 03:32 PM

Quote:

Originally Posted by exceed450 (Post 5091912)
I know that when using SpiderOak you encrypt your data before it leaves your computer, but how can you know if they aren't behind the scenes transferring your private key to their computer, as well as the password with the key? Is there any way of knowing for sure without working for the company?

No. ANYTHING that is stored on another computer should NOT be regarded as secure data (encrypted or not).
And even if you work for the company if such practices are used, only a handful would know anyway.

exceed450 01-06-2014 07:15 AM

Quote:

Originally Posted by gradinaruvasile (Post 5092471)
No. ANYTHING that is stored on another computer should NOT be regarded as secure data (encrypted or not).
And even if you work for the company if such practices are used, only a handful would know anyway.

Well, if you encrypt the files yourself they would have to have the private key and the password. The word "secure" in your sentence is regarding if they can break the encryption algorithm that has been used, like for example AES 256 bit, which I can't see happening except if someone from for example the NSA has some backdoor to every encryption algorithm in the world, which is a whole different question though.

If you don't encrypt yourself and only use SpiderOak's way of encrypting, there is, based on the answers in this thread, no way of knowing if it's actually secure or not.

exceed450 01-06-2014 07:17 AM

Quote:

Originally Posted by lleb (Post 5092468)
you can always encrypt before you upload to spideroak, then it will be double encrypted. if spideroak is "passing on their key" to others, the "others" will still have to decrypt YOUR encryption.

I thought about that, but then I could just use a service like Dropbox and I wouldn't have to use what the vendors are calling a "zero knowledge cloud storage service" or something close to that.

sundialsvcs 01-06-2014 08:37 AM

I would presume that such a service is not "secure," most-especially if they do not fully release their source code.

Furthermore, it is comparatively easy to achieve commercial-grade verifiable security, using any of these core technologies (properly applied using digital certificates, not passwords):
  • VPN ... there are also excellent hardware implementations, built in to modems.
  • SSH tunneling, if SSH is configured to not allow password entry.
  • OpenSSL
  • PGP or GPG
  • etc, etc ...
Always(!) remember that the weakest link in any real-world security system has arms and legs, and that the second-weakest link is the management of keys. Cipher algorithms are not the problem. Neither, really, is the NSA. In most cases, the parties to the "not-so secret" communication are (over-)confident that their communications are "perfectly secure," when in fact they are undisciplined.

exceed450 01-06-2014 08:47 AM

Quote:

Originally Posted by sundialsvcs (Post 5092809)
I would presume that such a service is not "secure," most-especially if they do not fully release their source code.

Furthermore, it is comparatively easy to achieve commercial-grade verifiable security, using any of these core technologies (properly applied using digital certificates, not passwords):
  • VPN ... there are also excellent hardware implementations, built in to modems.
  • SSH tunneling, if SSH is configured to not allow password entry.
  • OpenSSL
  • PGP or GPG
  • etc, etc ...
Always(!) remember that the weakest link in any real-world security system has arms and legs, and that the second-weakest link is the management of keys. Cipher algorithms are not the problem. Neither, really, is the NSA. In most cases, the parties to the "not-so secret" communication are (over-)confident that their communications are "perfectly secure," when in fact they are undisciplined.

So the service is not secure, but if you encrypt yourself it should be impossible for the vendor to decrypt your files, right? At least I don't see any reason for them being able to do so. I mean you do not use SpiderOak's way of encrypting the files yourself, but for example PGP or something like that; I don't really know what SpiderOak is using though.

That no service is that secure is sort of a problem though, since I would like to have a place in the cloud where I can push my files and be sure that they are secure, since I don't like having a backup disk which I might somehow manage to lose or it might get damaged or corrupt in some way, and making a backup of the backup isn't necessarily a good way to go either.

I guess, if you are going to use the cloud as storage you just have to trust the vendor and know that it is not totally secure but that it in theory should be.

Do you have any recommendations on how to store backups in the best way without using backup disks, which seem too dated these days? This is for personal use, not business, but everything from purchased items to somewhat sensitive information and produced music tracks and whatnot. I would like to use the cloud since it's so incredibly easy and I know it's always "there" and I can't lose it except if the company goes bankrupt, but in that case I guess they would inform their users well in advance.

Habitual 01-06-2014 09:32 AM

"zero knowledge cloud storage service" = marketing hype.
What is Zero Knowledge?
cloud !="secure".

As for other people accessing what you store up there, it's only as secure as you make it before it's stored there.

sundialsvcs 01-06-2014 09:44 AM

I would say that it is certain that the service provider is keeping a copy of everything that has ever been stored there, and complete records of everywhere it came from and went, and that it is probably providing a real-time "top secret" data feed about it to someone under a gag-order.

But then again ... every ISP along the way is probably doing the same thing.

... and the computer that you used to encrypt it might be "bugged" or have a "back door," too. :rolleyes:

Today, we live in the most un-"anonymous" environment imaginable, and the laws have not yet changed. There are enormous amounts of money being made by companies who serve the "surveillance industrial complex" that sprang up in the 21st Century, and by the legislators who sit in office today. Human beings being 'the self-serving greedy b*stards' that we (heh ...) all really are, :rolleyes: "that's not going to change quickly."

Plan Accordingly.™

Here are some practical suggestions:
  1. Of course, don't even attempt to use the Internet for illegal purposes. For instance, you can buy a song for a buck, and a movie-download for three, all from their legitimate online distributor. So, do that, and keep a record of your purchases. And so on. In the old days of video-stores, you didn't try to sneak out the front door with a tape, did you? (Well, maybe you tried, but you never did it, did you?)
  2. Use existing, commercial-grade public-key based encryption systems, such as the ones listed above, and use them in the manner intended. Don't buy snake-oil from anyone. Read the directions. Twice. Teach everyone else how to do it correctly, and constantly "trust, but verify" that they do and did.
  3. If the application is seriously important, hire expert help. (I am not such an expert.)
  4. Use multiple layers of security, but strive to make every one of them as transparent as possible for the authorized users of the same. There are serious advantages to a "fuhgeddaboudit it cloud-based file sharing service" as one of the links in your chain.
  5. Keep records, encrypted of course. You might be handed a court-order compelling you to "produce" such information as you might be expected under "due diligence" to have kept, and such orders require you to produce it right-away. Your nose is completely clean; your purposes, completely honorable; and you can prove it.

exceed450 01-06-2014 09:46 AM

Quote:

Originally Posted by Habitual (Post 5092847)
"zero knowledge cloud storage service" = marketing hype.
What is Zero Knowledge?
cloud !="secure".

As for other people accessing what you store up there, it's only as secure as you make it before it's stored there.

Yes, it is a marketing hype, but I think you understood what I was saying.
So we can rule out that we can't trust these guys in any way no matter what they write in their terms of service or how they secure your data.

From what I can see, SpiderOak has an application you use to upload your data, a client app. If you store your private key outside of the area SpiderOak knows about, encrypt your data with that key and then upload it, then SpiderOak would never have my private key and could not unlock my data, correct? If you use their app I understand that you might send the private key to them and don't have control, but encrypting data outside of the directories SpiderOak or for example Dropbox knows about shouldn't be a problem, should it? Then they would have to have your key and/or cracked the algorithm.

exceed450 01-06-2014 09:52 AM

Quote:

Originally Posted by sundialsvcs (Post 5092865)
I would say that it is certain that the service provider is keeping a copy of everything that has ever been stored there, and complete records of everywhere it came from and went, and that it is probably providing a real-time "top secret" data feed about it to someone under a gag-order.

But then again ... every ISP along the way is probably doing the same thing.

... and the computer that you used to encrypt it might be "bugged" or have a "back door," too. :rolleyes:

Today, we live in the most un-"anonymous" environment imaginable, and the laws have not yet changed. There are enormous amounts of money being made by companies who serve the "surveillance industrial complex" that sprang up in the 21st Century, and by the legislators who sit in office today. Human beings being 'the self-serving greedy b*stards' that we (heh ...) all really are, :rolleyes: "that's not going to change quickly."

Plan Accordingly.™

Here are some practical suggestions:
  1. Of course, don't even attempt to use the Internet for illegal purposes. For instance, you can buy a song for a buck, and a movie-download for three, all from their legitimate online distributor. So, do that, and keep a record of your purchases. And so on. In the old days of video-stores, you didn't try to sneak out the front door with a tape, did you? (Well, maybe you tried, but you never did it, did you?)
  2. Use existing, commercial-grade public-key based encryption systems, such as the ones listed above, and use them in the manner intended. Don't buy snake-oil from anyone.
  3. If the application is seriously important, hire expert help. (I am not such an expert.)
  4. Use multiple layers of security, but strive to make every one of them as transparent as possible for the authorized users of the same. There are serious advantages to a "fuhgeddaboudit it cloud-based file sharing service" as one of the links in your chain.
  5. Keep records, encrypted of course. You might be handed a court-order compelling you to "produce" such information as you might be expected under "due diligence" to have kept, and such orders require you to produce it right-away. Your nose is completely clean; your purposes, completely honorable; and you can prove it.

Regarding point number 5, how could you get a court order if you have encrypted the data on the client side and are using private keys that live on the filesystem in directories not known to the cloud storage solution? Then they shouldn't be able to know what kind of data you have (not using the private key created by SpiderOak's software if it generates one, or maybe you have to generate one manually; I haven't tried this software though).

Habitual 01-06-2014 10:33 AM

Quote:

Originally Posted by exceed450 (Post 5092868)
Yes, it is a marketing hype, but I think you understood what I was saying.
So we can rule out that we can't trust these guys in any way no matter what they write in their terms of service or how they secure your data.

From what I can see, SpiderOak has an application you use to upload your data, a client app. If you store your private key outside of the area SpiderOak knows about, encrypt your data with that key and then upload it, then SpiderOak would never have my private key and could not unlock my data, correct? If you use their app I understand that you might send the private key to them and don't have control, but encrypting data outside of the directories SpiderOak or for example Dropbox knows about shouldn't be a problem, should it? Then they would have to have your key and/or cracked the algorithm.

I understand what you are saying. :)
I wouldn't trust them, and especially their "client app" (ET, Phone Home)

I trust NO internet accessible service to be secure.
The "wild wild west" days of the internet are GONE.

There are too many variables involved for me to make a reasonable reply to your many "shoulda, coulda, and wouldas".
You want Secure Storage? Buy a thumb drive and stash it in a "cavity" off the internet.

Where is Phil Zimmermann now on the issues?

5HLZ 01-10-2014 05:32 PM

I don't trust cloud based services either. Just use an external HDD/USB stick preferably encrypted.

If you still want to use cloud just put files that have no sensitive information.

:-]

exceed450 01-11-2014 07:34 AM

Quote:

Originally Posted by 5HLZ (Post 5095752)
I don't trust cloud based services either. Just use an external HDD/USB stick preferably encrypted.

If you still want to use cloud just put files that have no sensitive information.

:-]

I guess this is an interesting question then: is it easier to crack an AES 256 encryption cipher than to break into an apartment? What would be the most secure if you don't have access to a business location protected by access codes and security guards? That being said, these kinds of buildings have security flaws (like everything else) and might be easily bypassed if you are a little creative, especially during normal work hours if it's a large company. Even if you had a secure business location, would it still be better to keep your hard drive in that place instead of encrypting it with a strong encryption cipher before uploading it to the cloud? From what I can see, your lack of trust might be because of a lack of knowledge, because if you encrypt something yourself that no program knows about then it would be nearly impossible to break the encryption. So many times there seems to be a lack of trust just because of people not knowing enough to make use of technologies that can really help you.

That being said, no, you should not trust anybody just like that... but you are holding the key and the vendor does not know where it is. Like I mentioned several times, their systems and programs don't know where it is, and how would they even know when or where you typed your password? You could even create the encryption key on a different computer before using it on the one where you want to encrypt your files. I don't see any constructive comments, only comments that indicate or directly state that you cannot trust anyone, which, even though it might usually be the case, might also not always be. If they had their software scan your hard drive they would still not be able to know your password if they found your key, and that being said, how would they even identify the right file when you might have several other keys? I see that we can't trust them, but given the fact that you can create the encryption key yourself, even on another computer, and then use it, it seems highly unlikely that they would be able to use your key, if they even could identify which file it was.

I guess the reason for not having it open source is to protect their business so no one just clones it and uses it themselves to start an almost exact site with a few improvements. But if I was asked at work by clients I wouldn't go for the cloud either. I guess when it comes down to knowing for sure, trust is too difficult with all the different components the traffic goes through, like mentioned previously in this thread. But then again, how safe is your data really in a secure business location compared to having created the encryption key on a different computer not connected to the internet with a strong encryption cipher, then used on different computers to encrypt content before it's being uploaded to the cloud?
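
The workflow discussed in this thread (generate the key yourself, keep it outside the folder the sync client watches, and upload only ciphertext) is sketched below as an added example; it is not part of any post above and is not SpiderOak's code. The function names and directory layout are hypothetical, OpenSSL 1.1.1 or later is assumed, and `openssl enc` gives confidentiality only: it does not authenticate the ciphertext, and file names and sizes stay visible to the storage provider.

```shell
#!/bin/sh
# Added example: encrypt locally, hand only ciphertext to the sync client.
# Function names and paths are hypothetical; needs OpenSSL 1.1.1 or later.

# make_key KEY_FILE: write a random 256-bit secret, readable only by the owner.
make_key() {
    ( umask 077 && openssl rand -hex 32 > "$1" )
}

# abs_dir DIR: resolve a directory to its physical absolute path.
abs_dir() {
    ( cd "$1" && pwd -P )
}

# encrypt_for_sync SRC_DIR SYNC_DIR KEY_FILE
# Encrypts every regular file in SRC_DIR into SYNC_DIR as NAME.enc.
# Returns 2 without encrypting anything if KEY_FILE lives under SYNC_DIR,
# because the storage client would then upload the key with the data.
encrypt_for_sync() {
    src=$(abs_dir "$1") || return 1
    sync=$(abs_dir "$2") || return 1
    keydir=$(abs_dir "$(dirname "$3")") || return 1
    key="$keydir/$(basename "$3")"
    case "$keydir/" in
        "$sync"/*) echo "key file is inside the synced folder" >&2; return 2 ;;
    esac
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # AES-256-CBC, key derived from the secret with salted PBKDF2.
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$key" -in "$f" \
            -out "$sync/$(basename "$f").enc" || return 1
    done
}

# decrypt_one ENC_FILE OUT_FILE KEY_FILE: restore one file after download.
decrypt_one() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}
```

The key file is the only thing that can restore the backups, so it needs its own offline copy; GPG, also mentioned in the thread, adds integrity protection that this sketch lacks.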


All times are GMT -5.