April 20, 2011

Et Tu, DropBox?


Friends, Netizens, Countrymen, lend me your eyes!
I come to blog on SpiderOak, not to praise it!
The evil that cloud syncs do live after them; the good is oft interred in their bones.

So let it be with SpiderOak.

The noble DropBox hath told you that SpiderOak was untrustworthy,
if it were so, it was a grievous fault. And grievously hath SpiderOak answered it,
Here, under leave of DropBox and the rest; for DropBox is an honourable service.

So are they all, all honourable services!

Come I to scribe in the SpiderOak Git repo, previously it was just my backup service, faithful and just to me. But DropBox says it is untrustworthy, and DropBox is an honourable service.

SpiderOak hath brought home many encrypted blocks to the machine room, whose parity’ed and securely de-dup’d cypher text did the disk platters fill. Did this in SpiderOak seem untrustworthy?

When that the privacy rights are threatened, SpiderOak hath wept.
Yet DropBox says it is untrustworthy, and DropBox is an honourable service.

You all did see on the internets, the FBI thus wants your data.
Which to these demands we refuse; is this untrustworthy?
Yet DropBox says we are untrustworthy, and, sure, DropBox is an honourable service.

I speak not to disprove what DropBox spoke, but here I am to speak what I do know.
You all do love your secure, versioned, and synchronized backups, not without cause; what cause withholds you then, to

O judgement! Thou art fled to brutish beasts, and men have lost their reason. Bear with me;

My data is on the servers at SpiderOak, and there it shall be safely only for me.

  1. It really sucks that DropBox employees are making bad comments against SpiderOak. I don't know which marketing school teaches fellow students to criticize competition. But SpiderOak no matter what happens stay as you are…We like you :)

  2. What makes DropBox's response to the critique from users on their TOS and storage model curious is that instead of explaining the reasoning behind their storage model and the technological limitations leading to them choosing to not implement client side encryption etc, they choose to deflect the criticism by claiming that it's 'industry standard' and 'all providers do it this way'.

    Something that is just plain untrue!

  3. Jeepers if I care if you fulfill law enforcement requests for my data, if they can't possibly read my data.

  4. I have to admit that I was an ignorant fool when I first started using cloud storage (dropbox). That is until I stumbled upon lovely SpiderOak. I found the blog through omgubuntu and started reading the articles. I was amazed at the lack of de-duplication across accounts and the security flaw in doing that. Needless to say, I'm glad I found Spideroak and made the switch. I don't get the shared folders across accounts, but the benefit of security is better than the benefit of convenience from shared-multiple-user folders. Not to mention looking back, both users of the shared folders got docked the space used in the folder even though it obviously only took up server space once.

  5. I'm a little surprised at the surprise. I've long assumed that Dropbox could rifle through my files if they so desired, so I use a truecrypt volume for anything private. SpiderOak's superior encryption and handling of soft links would make it by far my preferred sync solution – if the sync was more reliable. As is, my code winds up polluted with old file versions so I have to use Dropbox for everything critical. Bad sync isn't integral to SpiderOak's business model, whereas mediocre encryption is to Dropbox, so I hope the situation changes soon.

  6. I looked at Dropbox a couple of years ago. When I read through their material carefully it was obvious that they had access to the encryption key. However, if you have a limited understanding of how encryption works – probably most people – their discussion of encryption and privacy controls might be considered very misleading. So I don't think any of this is news but it does seem to be catching up with them.

    What is news is the authentication flaw, which Dropbox dismissed as not really a flaw at all. That hardly inspires trust.

  7. I'm trying to move away from DropBox totally.
    At the moment I'm only using it with my android phone.
    Specifically for the "Phone-2-Chrome" app that requires a dropbox account to update a file with weblinks that's picked up by my desktop chrome browser.

    I don't trust ANYTHING sensitive with DropBox.

    I keep all my sensitive stuff backed up on my SpiderOak account.

  8. Yep, this "we'll hand your files over if asked" thing was the last straw for me – it's now perfectly obvious that DB do _not_ use a zero-knowledge protocol, or anything close to it. I'm in the process of moving all my files from DB to SpiderOak.

  9. By reading this comment you ("You") have been duly notified of the aforementioned policy, whereby SpiderOak, Inc. ("SpiderOak") has been placed under federal investigation until such time as all files have been made available to the Bureau. Be it known that NO party, either of or associated with SpiderOak or its users, shall have further access to these files until such time as the Bureau has concluded this investigation.

  10. I can't believe what I'm reading in the DropBox article. It's a disgrace they can even call themselves a secure online storage solution.

    Imagine if DropBox's servers get breached, like the Playstation Network's, and the intruder downloads the encryption keys along with the data. Probably wouldn't take them long to brute force the password and decrypt the entire DropBox database.

    DB's website is really vague about their cryptography, but not anymore. "DropBox can decrypt your data and we have been able to do this since the beginning".

    At least SpiderOak understands how cryptography is supposed to work. "No one reads your data, but YOU!"

    Thanks SpiderOak! You understand your customers. :)

  11. To be honest, that response by DB is fairly accurate. To paraphrase: if you enter the password to log in via the website, spideroak has your password, whether it be in encrypted hash form or not, they have it. That's why they really discourage logging in from the website. Instead you can access the site through the local client which handles the login part locally (again, trusting spideroak).

    The one person made a good comment though, if you are really concerned about data, encrypt it before it leaves your computer. That's the only 100% surefire way to know the data is truly secure.

    The key thing is knowing each service's strengths and weaknesses. For example I use DB to store various funny pictures I find online so I can access them from anywhere. I use simplenote a lot, which I doubt if there's any encryption happening there aside from the ssl connection to their server, so none of my notes in there are particularly sensitive (at least until some clients exist that encrypt locally). I use Lastpass to store my passwords because I trust them when they say it's zero knowledge. And I use spideroak to backup all my personal documents.

  12. Any particular reason why the password is sent to the server when using the web client? Couldn't you "simply"* perform key derivation, encryption, decryption, etc in the user's browser, inside the client's computer, in pure javascript?


    *"simply" may be a tad misleading here… but I have seen working javascript implementations of SHA256 hashing, ElGamal encryption and other strong cryptographic primitives and functions… so possible it is.

  13. Big problem I have – please correct me if I'm wrong – that somebody physically at one of SpiderOaks devices can change your password without entering the former password. Then data is lost if they start to delete. SpiderOak can't help because 'we never knew your password'
    I can't see myself running this for anything more than a conduit for my soon to retire assistant to easily scan daily mail while I'm out of the country. Then encrypting it and putting the bulk of it into … Dropbox.. sigh.
    Seriously, make it so that you have to enter old password to change password. Then I'd really be down with all this 'ultimate security'.
    If I'm wrong about this and don't know what I'm talking about I'd sure like to know… I'd like to flip everything to SpiderOak.

  14. Spideroak also offers zero-knowledge and non-responsive support staff!

    If you have a problem with payments or are about to sign-up for their
    service they bend over backwards to respond to your questions. However,
    if you are already a paying customer it takes them 13 days (and still
    counting) without resolving problems or responding to emails.

    I suggest you stay away from SpiderOak. It works great for small sizes
    like 2GB but their service simply cannot scale to bigger sizes. Every
    time you need to make a reinstallation of a new or existing device it
    will take ***weeks*** to synchronize your computers; and I'm talking
    about 100GB which nowadays is not considered a huge size. And this ONLY
    IF you are lucky enough to get past the painstakingly SLOW
    syndication process! This process is like a roulette: you try about
    20-30 times to get it work and only if you are lucky. "Syndication
    process: Step 3 out of 10" is often what you end up seeing for 3-4 days
    in a row. If you are lucky you may also see the also exciting message of
    "Syndication process: Step 7 out of 10" for a couple of days before it

    I tried talking to support and they simply don't know what's going on.
    I did all the tests they asked and sent them the results… and then
    they were gone. No reply, no response to other emails, no nothing. They
    simply do not know what's going on and they avoid answering. I saw
    several posts online about these problems as well.

    This is not the first time this has happened either. Their solution
    last time(a year ago) was to give me two months of free service and let
    me figure it out by myself. I ended up downloading one file at a time
    for a month. Also their connections are extremely slow and unreliable.
    I have a 100Gbit connection and often I had the impression that I was
    transferring files from a Win98 SpiderOak laptop and trying to get my
    files one byte at a time!

    I am very disappointed by their product but even more disappointed by
    their service. I'm quitting for another service after almost 2 years of
    constant problems. Yes they have a fancy interface and zero-knowledge
    privacy but behind the interface and all this fancy lingo is a product
    full of problems with an also zero-knowledge support staff.

    If you don't believe me, please feel free to waste your time with this.

    And just to clarify, I am not an employee of another service. I am just a frustrated paying customer who just came to the sad realization that SpiderOak is just a gimmick and completely unprofessional.