Domain: spideroak.com
Stories and comments across the archive that link to spideroak.com.
Comments · 85
-
Re:New service?
I wonder how successful would be a company providing data storage service like Dropbox, but with guaranteed data security.
There are several companies like that: http://www.wuala.com/ , https://spideroak.com/ , http://www.swissdisk.com/. They are doing OK, I believe, but don't have the hype of Dropbox. They don't have to say they guarantee the security because only the user has the keys (which is the best guarantee possible).
-
Re:Tough sell
SpiderOak promotes zero knowledge storage. They have no way to break the encryption and couldn't do so in response to a subpoena if they wanted to.
I just tested this service as follows:
1. Uploaded a massive file to a private share folder - deliberately uploaded this from a machine on a slow connection (took approx an hour).
2. Added this folder to a public share folder
3. Fifteen seconds later disconnected the upload machine - certainly not enough time for it to reupload the file unencrypted.
4. One minute later downloaded the entire file to another machine on a fast network connection.
See the problem? In spite of them claiming to have zero knowledge of user data their server must've decrypted the file remotely in order for the file to be available in the share straight away. Who's to say they can't decrypt the rest of your data once they have your private decryption key? I hate to say this but their claim of 'zero knowledge' doesn't seem convincing.
-
Re:Not even the best options in their own space
From SpiderOak privacy policy:
We will disclose your Personally-Identifiable Data if we reasonably believe we are required to do so by law, regulation or other government authority [...]
From SpiderOak Service Agreement:
You may use the Services only for lawful purposes and solely in accordance with this Agreement and any other specific terms of use, rules or policies, as may be provided by SpiderOak from time to time, that may be applicable to any particular portion of the Services. You may not store, transmit or share through the Services any material, or otherwise engage in any conduct that: violates or infringes the rights of others, including without limitation patent, trademark, trade secret, copyright, publicity or other proprietary rights; involves uploading, posting, emailing, transmitting or otherwise making available Selected Data that you do not have the right to make available under any law or under contractual or fiduciary relationships (such as insider information, proprietary and confidential information learned or disclosed as part of employment relationships or under non-disclosure agreements, etc.); [... and a lot more stuff ... ]
Question: if they are truly "zero knowledge", why would they care? They cannot identify infringing data anyway, if it's true. Furthermore, we know that being in the US, they will have to comply with government requests to access your data and they are not allowed to tell you. Also, while IANAL, their terms offer many loopholes, such as the possibility to employ (very) weak encryption in cases where some 3rd party desires access to your data. Therefore I'd trust Wuala more, it's based in Europe, where such secret subpoenas are (AFAIK) not possible. For people who have an absolute need for "privacy" (or for breaking the law, which in some free speech-impaired countries is very dangerous), there's still Freenet, which can be used as a (cumbersome) file storage...
-
Re:Tough sell
You can't escape an agenda, but a company could be run that sold services directly to customers, with a contract forbidding advertising / any sale of personal data. Their agenda could be to make money by selling you a service and not selling you out.
Actually if the idea is to make money directly from its users, that's fine and dandy. Beyond that, any plans to sell my data or even the fact that I have data is out of the box a non-starter for me.
The fact that Drop Box can break the encryption any time they want/need is pretty much a non-starter as far as I am concerned. The fact that they lied about it initially is another black mark. At least Google tells you right up front exactly what they can and will do with the content of your email.
SpiderOak promotes zero knowledge storage. They have no way to break the encryption and couldn't do so in response to a subpoena if they wanted to. Windows, Mac, Android, Linux. And their fees are half of what Drop Box wants. In addition it can keep iterations of your data if you wish, so you can roll back those changes in your spread sheet one by one.
I just don't see what Drop Box has to offer in regard to the topic of this post. Without breaking its basic promise to keep your data private, they have nothing to sell other than space. You won't get to be of Apple's size or Google's omnipresence just supplying disk space that can be had by government agencies without even going for a warrant.
If they want to convince me, change their system to a zero knowledge system in which they can't hand over the keys to anyone because they don't have them. They need to pick up the tab from the mobile carriers for data syncing mobile devices. Trying to build a cloud storage empire that gets shared with police is not likely to be all that successful in the age of data caps.
-
Re:LOL !!!
Depends on what you mean by security.
Granted you have no control over the reliability of the physical plant the cloud operator uses.
But as an offsite backup and transfer mechanism clouds are really quite good.
Services like SpiderOak, https://spideroak.com/ where the cloud operator couldn't decrypt your data even with a court order provide as much protection as you can realistically expect when asking someone else to hold your data.
-
I use SpiderOak
I tried to roll my own for like forever, and eventually just gave up and went for SpiderOak:
https://spideroak.com/
It can be configured to do sync, backup, or something in between. Probably not exactly what you are looking for but perhaps worth a look none the less.
-
Re:Spideroak?
From https://spideroak.com/referral/
When you refer a friend to SpiderOak then you and your friend get an additional free GB of space.
Is this not correct then?
-
Re:Spideroak?
Plugging my own referral link: https://spideroak.com/download/referral/51147d38546a6f5732f981e052082a76
If you use the Promo code WORLDBACKUPDAY you start with even more free space (6 or 7 GB)
-
Spideroak?
Why not use Spideroak instead of dropbox? Spideroak have a zero-knowledge privacy policy. I'd say it's not quite as polished a product as dropbox, but everything is encrypted before it leaves my computer (come on spideroak open source your client so we can check!) and stored encrypted, so NO ONE can read it. I have access to files from android too. (I am not affiliated with Spideroak in any way.) Join via this link and we both get an extra 1GB (I believe you start with 2GB free): https://spideroak.com/signup/referral/dd998cb68d2fba5eb916a000411c2263/
-
Looking at Spideroak right now
On first glance, it looks like what the original request is looking for. Thanks for sweet utility site tip, water and sewer ;)
Someone give the Spideroak tip some karma.
-
Hosted Alternatives
There are some decent-looking hosted alternatives to dropbox which do client-side encryption. I've looked into this a bit, but I haven't tried any of these yet, so YMMV...
One particularly interesting one is TarSnap. The best part is the client is OSS, so you can verify that encryption is done properly (strong & client-side). You could even reverse the protocol and design your own server software, if you want.
http://www.tarsnap.com/
Another interesting one is SpiderOak. However their client is not OSS, so you have to trust that they're doing the encryption properly
https://spideroak.com/
Here are some other potential hosts, but I'm not sure exactly how proper the encryption is:
http://www.boxcryptor.com/
http://syncplicity.com/products/
-
Re:Is that fraud?
+1 for that.
People should really check out their blog, it's full of interesting tidbits. It seems SpiderOak are genuinely good guys, with a genuinely good service... even if sync between multiple computers is a bit wonky :)
Disclaimer: I'm using SO, the unpaid version.
-
Re:Encryption?
This link is the single best reason why I chose spideroak over dropbox: https://spideroak.com/engineering_matters#true_privacy To quote: "SpiderOak's encryption is comprehensive -- even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders." I was not looking for a convenient file-sharing service though. If you want file-sharing, Dropbox probably does that better. I was specifically looking for a cloud backup service I could use to sync both my linux server and my windows laptop. I wish their android app was more than just a file-access point, I'd love to put the txt messages and pictures on my phone in there too.
-
Temporary/disposable *scoped* keys
From here: https://spideroak.com/blog/200811201300
"Most storage providers -- if they offer encryption at all -- only use one encryption key per account. Instead, SpiderOak uses a nested system of many small scoped encryption keys. When you create a ShareRoom, the SpiderOak client makes the encryption keys of appropriate scope for the contents of that share room public.
This makes it possible for our webservers to present the contents to visitors, but nothing beyond the Share Room is known. So, the upload transaction to create a new ShareRoom and suddenly be sharing a lot of data within your account is very small, and your ShareRoom is ready for company very soon."
-
SpiderOak
Go give them some love, will ya? Great company, actually zero-knowledge...replete with performance issues caused by it. Give your business to someone that's doing it right.
-
Re:This is why zero-knowledge services are better
https://spideroak.com/engineering_matters#true_privacy
True Privacy
Your SpiderOak data is readable to you alone. Most online storage systems only encrypt your data during transmission, meaning anyone with physical access to the servers your data is stored on (such as the company's staff) could have access to it. Or, even if your data is encrypted during storage, your password (or set of encryption keys) is often stored along with your data, thus making it easily decoded by anyone with local access to those servers.
With SpiderOak, you create your password on your own computer -- not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data.
SpiderOak's encryption is comprehensive -- even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see, are sequentially numbered containers of encrypted data.
This means that you alone have responsibility for remembering your password or 'Password Hint' (which you can create to help you remember) allowing SpiderOak to create a true 'zero-knowledge environment' – keeping your data as safe and secure as it can possibly be.
-
Re:Steam Cloud
I can't tell you how wonderful it is to be able to play a game like Puzzle Quest on my desktop and then continue my game right from where I left off on my laptop without having to hunt down the save game file and transport it myself.
If this is a big deal for you, why not just install something like Dropbox (referral link if you want extra storage for free) or Spideroak (Referral again if you want free stuff) and set it up to sync all of your saved games automatically without having to wait for Valve to do it for you?
It's simple, it's reasonably secure, and I have been using it to run the same games on my Windows workstation, Debian desktop and Ubuntu Notebook for quite a while without any troubles at all.
-
SpiderOak
I use SpiderOak
https://spideroak.com/
Installs on all major OSs, reasonably priced. Not amazing, but good enough and the $20 a month I'm paying for 200GB is not an issue compared to losing all the pics of the kids growing up.
-
Spideroak
Guys you need to check out Spideroak. It's an online storage system offering a free 2GB which syncs between computers. It features zero-knowledge encryption - they store your data on their servers but the decryption is done on your machine. Definitely worth checking out. Excerpt from the site: Your SpiderOak data is readable to you alone. Most online storage systems only encrypt your data during transmission, meaning anyone with physical access to the servers your data is stored on (such as the company's staff) could have access to it. Or, even if your data is encrypted during storage, your password (or set of encryption keys) is often stored along with your data, thus making it easily decoded by anyone with local access to those servers. With SpiderOak, you create your password on your own computer -- not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data. SpiderOak's encryption is comprehensive -- even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see, are sequentially numbered containers of encrypted data. This means that you alone have responsibility for remembering your password or 'Password Hint' (which you can create to help you remember) allowing SpiderOak to create a true 'zero-knowledge environment' – keeping your data as safe and secure as it can possibly be.
-
SpiderOak maybe?
-
You Might Try SpiderOak
I've tried Dropbox and SpiderOak. I think I've settled on SpiderOak for now, since it is cheaper per MB and offers really nice, granular controls. For example, I can sync specific sets of data between different computers and backup some computers without syncing them to others at all (unlike Dropbox which syncs everything to everyone). Like Dropbox, you get 2GB free with no purchase necessary and the client automatically encrypts data in such a way that allegedly the company cannot decrypt it without you providing them with your password. It also counts your quota against the size of your data once it has been "deduplicated" rather than before (Dropbox does it before).
As an added bonus, while the client takes more resources when sending data (since it encrypts it on the client side), it idles much lower -- virtually at 0% processor usage -- than Dropbox, I found.
Of course, giving a referral link is mandatory, right? This link provides both you and me with an extra gig of free space. :-)
-
Re:Mozy is good, but they don't encrypt filenames
FYI, even if you use your own key, Mozy only encrypts the contents, not the filenames. That's rather insufficient. A court could subpoena them for a list of your files, establish that particular files exist, and require you to produce them. See http://michaelshadle.com/2007/05/07/mozy-the-backup-client-damn-close-but-still-no-cigar/
Plug: In 2006 I founded https://spideroak.com/ specifically to provide a zero-knowledge approach to online backups. We don't know anything about your data, including your file and foldernames. On the servers we just see sequentially numbered data blocks. It's written in Python and C and we've always supported Linux and OS X (and Windows if that's what you're into.) SpiderOak keeps historical versions of your files and deleted files forever (or until you decide to remove them) and will sync folders for you across several computers. Some reviews are http://www.linuxplanet.com/linuxplanet/reviews/6644/1/ and http://www.maclife.com/article/reviews/online_storage_battle_which_cloud_backup_service_reigns_supreme
-
Spideroak
SpiderOak https://spideroak.com/ Why? Because it's encrypted and even spideroak can't decrypt your data. That makes all my stuff safe from prying eyes. No one else can do that.
-
SpiderOak
Disclosure: SpiderOak is my primary contractor, I do stuff to help their infrastructure. That said, we do versioned, encrypted, zero-knowledge backup of Linux, Mac, and Windows machines.
-
Spideroak
Spideroak is the only company I know of that DOESN'T HOLD THE KEYS to your encrypted data. Even if they wanted to 'see' your data, they couldn't. https://spideroak.com/
-
Re:Online != Insecure. Options exist.
Encryption specs are here: https://spideroak.com/engineering_matters#encryption_specifications
We like to say that trust isn't necessary because we're incapable of betraying our users. It makes good business sense too. We don't want to spend our time answering subpoenas. :)
To add your own layer of encryption, you can archive container files or whatever you like. No limits. If you use a sector based encrypted disk image, SpiderOak will be able to efficiently snapshot it between versions, giving you history and only saving the changes between revisions.
If you want a layer of additional local control, there's a "Keep your own copy" option where SpiderOak will put a copy of every encrypted data block on your own server, so you can manually inspect them if you wish (and have offline/local access for very fast restores.)
-
Online != Insecure. Options exist.
There's no reason online can't be secure. Online means it's automatically offsite and that a 3rd party has the time and incentive to be sure it's actually working.
2 years ago I founded https://spideroak.com/ for this exact situation -- wanting a zero-knowledge approach to encryption. We explicitly don't know anything about your data. We just see boring sequentially numbered data blocks on the server. Instead of a EULA, we have a "remember your password" agreement.
You can combine data from unlimited devices and it de-duplicates, and can automatically sync folders for you. Storage is perpetual (unless you explicitly remove things.) FWIW, it's written in Python and we have always supported Linux.
-
Privacy Concerns?
If you want a couple gigabytes of online storage for free that's got a multi-platform client for regular syncing, you can already have it:
At least these guys encrypt your data instead of processing and farming it for marketing data and advertising cues. Ugh. What part of our lives aren't we going to hand over to google?
-
Re:Deeply ashamed?
SpiderOak has a free 2GB plan, multiple PCs supported, with Windows/Linux support.
I've never had to recover, but their automatic backup is fairly straightforward. They don't store your encryption pass, either.
-
My company explicitly does not care about degrees.
We've had good results with simply giving out actual trial programming tasks and comparing the results of several programmers.
Degrees don't seem to be a strong predictor of usefulness.
Incidentally, we're hiring right now.
-
Spider Oak
I've heard good things about Spider Oak (first 2GB free) so you might check them out. (disclosure, some of the people who work there are friends of mine)