Slashdot Mirror

← Back to Stories (view on slashdot.org)

Evernote Security Compromised

Posted by Soulskill on from the 12345-to-123456 dept.

starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."

104 comments

  1. Shocking... by ohzero · · Score: 3, Interesting

    One more trendy company that didn't have a security program gets compromised. It's almost as if ignoring the problem doesn't make it go away. Pentest, code review, remediate, and test some more. Or, you know, lose brand value...that's the other option.

    --
    -- http://www.criticalassets.com
    1. Re:Shocking... by Anonymous Coward · · Score: 1

      They took the time to properly salt and hash the passwords. I'm grateful to have that much security.

    2. Re:Shocking... by Mr+Thinly+Sliced · · Score: 5, Interesting

      As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.

      It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.

      At the very least their internal security team now gets a nice big stick to beat management with to stopping cutting certain corners.

    3. Re:Shocking... by u38cg · · Score: 5, Insightful

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      --
      [FUCK BETA]
    4. Re:Shocking... by Majik+Sheff · · Score: 2

      Came here to post this exact thing. They REALLY screwed up the notification email.

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    5. Re:Shocking... by nametaken · · Score: 4, Insightful

      Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.

      Evernote seems to have done what you should do in a situation like this.

    6. Re:Shocking... by Snotnose · · Score: 1

      I never got notification email. I also can't log in with any password, now that it's hit /. I know to hit their site for a heads up.

      Evernote has my weakest throwaway passwords, and the only thing I use it for is grocery lists. Not too worried about this one.

    7. Re:Shocking... by ultracompetent · · Score: 1

      Glad I started using unique passwords for each site after the linkedin breech .. only one password for me to change :)

    8. Re:Shocking... by icebike · · Score: 2

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      Yeah, I expect they had so many to notify they had to use a service, but if so why leave a link in the email?

      I never even got notified by email, or if I did it was so spammy it got trapped and I'm too lazy to look.

      My android app got an update, and the reason for the update was a security announcement. So I installed it, and it insisted I much change passwords, and took me to the web page to do so.

      --
      Sig Battery depleted. Reverting to safe mode.
    9. Re:Shocking... by Anonymous Coward · · Score: 0

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      Right, for informed and techy users like most /.ers, they should not have included a link, and most /.ers would understandingly go to the website themselves.

      But what about the remaining half, or more, clueless users? Would you rather they get confused by the mail, or simply don't remember which website it is for, or put it aside for "later" and forgot about it, or just plain lazy and don't bother? Or would you put in a link to make maybe, 30% more users to click on it and reset their password, even though it may make some /.er think you are stupid? Which approach acheives better result security-wise?

    10. Re:Shocking... by Anonymous Coward · · Score: 0

      Why is it not stand practice to do the same with names and email addresses? These are almost as important as the password to spammers

    11. Re:Shocking... by Anonymous Coward · · Score: 1

      Because hashes are one way which means they cannot be used to retrieve the original information, only test information against the hash(...by hashing it).

      Consequence: when you want to send the user an email, now you can't because the email is stored as a non-reversible hash.

    12. Re:Shocking... by camperdave · · Score: 4, Funny

      I too have only one password to change. I have over a thousand sites I need to change it on, though.

      --
      When our name is on the back of your car, we're behind you all the way!
    13. Re:Shocking... by Seumas · · Score: 1

      I don't think being trendy has anything to do with it. It simply is another piece of evidence that demonstrates an industry-wide problem of security seeming to be very nebulous. Apple, Microsoft, Sony, Valve, Facebook, Twitter, EA, Pinterest, Tumblr, LastPass, NYT, Evernote, and countless other places in the last couple of years (800 breaches of business, government, and medical institutions in just the past year according to privacyrights.org). Hell, wasn't kernel.org even compromised in the past year?

      It seems to show that no matter how much attention you focus on security, there are always potential areas for exploit. Either that or absolutely everyone -- even with the biggest budget -- doesn't even bother, which seems unlikely.

      Also, the issue with Evernote is that if they suffer a real data breach, it's all over. My understanding is they do not encrypt your data, so if someone breaches their storage systems (and if they can breach their other systems, why not these, too?) -- they can access all the data that belongs to the users of their service including small businesses, corporations, home users, students and everyone else.

    14. Re:Shocking... by Seumas · · Score: 1

      The more concerning thing is that, as I understand it, your data is not encrypted on Evernote. By design, presumably, so they can index and perform OCR and searches and other things on your data. If they can breach the server with user credentials, why couldn't they breach the servers containing your actual documents and everything?

    15. Re:Shocking... by Seumas · · Score: 1

      At least you got an email. I woke up this afternoon and I couldn't access Evernote on my ipad. So I tried my laptop, desktop, then web interface. I assumed I had screwed up my password somehow. Eventually, it stopped giving me an error and gave me a "reset your password" warning, instead. So I did. I've checked my email and though I've received advertising from Evernote on January 15th and then February 9th, 25th, and 26th -- I've received nothing regarding a breach or password reset (and I'm also a premium customer, for whatever that's worth).

    16. Re:Shocking... by deniable · · Score: 1

      What notification email? Devices started having sync errors and I got a weird password prompt on the desktop. I assumed they'd nuked my account and went to the website. There's a link "If you received a password reset notification..." but you have to go to the blog for an explanation.

    17. Re:Shocking... by leaen · · Score: 1

      Well it is movie plot plan. Hacker A: gets access to evernote Hacker B: Look these passwords are hashed and salted Hacker A: Never mind. We issue password reset and send passwords to evil.com

    18. Re:Shocking... by Xest · · Score: 2

      It's a question of who they get broken into by though.

      For example, Google has been hacked sure, but it's been by state actors (China) who don't give a shit about leaking everyone's personal and credit card details but are more interested in information and espionage.

      No company should be allowing themselves to get hacked by a bunch of script kiddies though who do lose your details left and right like Sony was.

      Further, I'm not even sure your assertion that everyone gets broken into eventually is true. In the industry I work in if we got broken into we'd go out of business overnight so we simply can't afford to let that happen to us. I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked? eBay? (DDOS doesn't count, that's not a hack).

      Really, without knowing the details of this attack it's hard to speculate reasonably as to whether they should or shouldn't have had this happen to them. If it was something trivial and stupid like an SQL injection attack then they should give up on their business now for being a bunch of incompetent dickheads. If however it was something more sophisticated then fair enough, you can somewhat sympathise with them.

      But either way I think it's dangerous to try and make it acceptable that a company will get hacked by simply saying "Oh it happens to everyone, don't worry, as long as you clean up properly". That's bollocks, and it just gives companies an excuse "Yeah, we know all your credit card details got stolen because we had an open SSH port with root access available and password of 'password' but don't worry, we told you, and reset your password, consider us excused for the fact you will now be a victim of financial fraud!".

    19. Re:Shocking... by Mr+Thinly+Sliced · · Score: 1

      I can think of a number of companies such as banks that have simply never been hacked

      Having worked for a couple of banks in my time and had the ear of some of the security chiefs, I can tell you that it does happen. Unless it's a particularly visible breach (multiple account details stolen, loss of funds with transfers), very little of it makes it to the media. For obvious reasons.

      I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked?

      What makes you think you'd hear about it if happened? Most companies will only hold up their hands and admit problems when the evidence is undeniable. See Sony.

    20. Re:Shocking... by Anonymous Coward · · Score: 0

      Fuck yeah! The cloud is the where it's at. Local storage is for luddites!

    21. Re:Shocking... by Xest · · Score: 1

      A breach with only an account or two stolen makes no sense. It's more likely explained by the account holder themselves. Either the hacker managed to get access to banking details or they didn't, it really makes no sense that they broke in but only got one set of details.

      Which is precisely why we'd hear about it - when somewhere is really actually hacked, the fallout is big enough that it can't stay hidden.

    22. Re:Shocking... by Mr+Thinly+Sliced · · Score: 1

      A breach with only an account or two stolen makes no sense.

      I'm afraid the real world has a few more shades of grey than hacked or not hacked.

      The bad guys get caught with varying levels of "in" in the DMZ. High value single account targets are of interest to the bad guys too. A shotgun approach of attack can set off alarm bells where a surgical strike can go unnoticed for a bit longer.

      Banks in particular have improved over the last few years with two factor auth and dropping the "smart client" (java / flash) mess, but the bad guys are just as inventive - social engineering has been on the rise to counteract some of these advances.

      I realise I'm not going to convince you without any factual backup. On the other hand, I'm not willing to put former colleagues and employers in the spotlight.

    23. Re:Shocking... by nomadicGeek · · Score: 1

      I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibility in this respect. The value of their service diminishes greatly if it is not secure. They simply can't be seen as ineffective in this matter.

      I am especially impressed that they obviously had an effective plan together to quickly update client applications in the event that something like this happened. They pushed out updates for IOS and Android very quickly. They even updated Penultimate which was only recently integrated into Evernote. It seems like they had their act together as far as that was concerned.

      They obviously need to stay on top of this game. I'd like to see two factor authentication and better not encryption options. I have my concerns about using Evernote, but I am still a pretty heavy user with over 6000 notes. So far, the benefits outweigh the risks. From what I have learned about this incident so far, I don't think that my appraisal of the cost and benefit will tip the other way. I hope that it stays that way because we don't learn anything new about this incident that seems careless or irresponsible, and because they continue to develop the product and improve the security.

    24. Re:Shocking... by Anonymous Coward · · Score: 0

      I'm not surprised. Our university did a cloud security review of them last year, and it was clear that data protection and security ranked low on their priorities list.

    25. Re:Shocking... by thsths · · Score: 1

      > with the best will in the world you're always just one mistake away from letting the bad guys in.

      Not at all. With a bad security model you are only one step away from being owned. If you have a proper security model, you have several layers, and just a single one. So there should be no single point of failure. Combine this with decent testing etc, and you have a reasonable amount of security.

    26. Re:Shocking... by Xest · · Score: 1

      Yes, I understand people can penetrate to different levels of a network, but what is black or white is whether they penetrated and got anything of value or not.

      The fact is, you don't penetrate deep enough into a bank to get information of value and then only get one account's details, it just makes no sense.

      If anyone has breached deep enough to be of any real matter or value, we'd hear about it, that's the point.

      If you're going to risk hacking into a bank, you're going to come out with something of value whether it's for fame or money.

    27. Re:Shocking... by joea789 · · Score: 1

      Wait, wait, wait.... What's to keep hackers from spamming the world with the same exact email, but with the link pointing to their site? From there they collect your current password. With email clients showing the most recent emails first, the re-sent hacker phising email can appear before the one authorized by Evernote.

    28. Re:Shocking... by u38cg · · Score: 1

      That is the point I was making...

      --
      [FUCK BETA]
    29. Re: Shocking... by Anonymous Coward · · Score: 0

      Understood & agreed.
      Why not, however, keep a separate, *ahem* Secure copy of registered email addresses for CRM purposes? Sure, there's a potential that this separately "secured" DB may also be stolen - but it's a possible solution to the "why not hash salt email addresses" question. It makes the login DB less usable for spam purposes. Of course, if someone can compromise your security to steal login details you've f*ck ed up already, and there's no reason to expect the CRM DB is any more safe, but if not linked, there's a modicum of additional protection for users........ Thoughts?

  2. Keep it in the cloud by DFurno2003 · · Score: 2

    So that the government and whoever else wants to see your data has 24 hour access to it.

    1. Re:Keep it in the cloud by Seumas · · Score: 1

      Because your home system with a standard consumer router is so secure and impenetrable and the same government that could demand direct access to a full live stream of cloud data couldn't demand the major OS developers include a backdoor to them and access your home machine.

    2. Re:Keep it in the cloud by Anonymous Coward · · Score: 0

      Because your home system with a standard consumer router is so secure and impenetrable and the same government that could demand direct access to a full live stream of cloud data couldn't demand the major OS developers include a backdoor to them and access your home machine.

      Dude, seriously, lay off on the adderall, it's making you paranoid.

  3. Control the encryption layer by worip · · Score: 2

    If you use a cloud service, use a layer of encryption that is under your control, e.g. truecrypt with dropbox. Problem is that is usually breaks the service. A possible alternative is to build your own cloud with OwnCloud. Note though that nothing as good as Evernote is yet available as a private server.

    --
    A picture is worth exactly 1024 words.
    1. Re:Control the encryption layer by heypete · · Score: 1

      The last I checked with Owncloud (~2-3 months ago), their system would update the entire encrypted file rather than just the parts that changed. This might work for a relatively small TrueCrypt file but it becomes impractical if you have a large file. Dropbox updates only the changed parts, which is handy.

    2. Re:Control the encryption layer by bfandreas · · Score: 5, Insightful

      The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
      If you work under the assumption cloud == public then you will do no wrong.

      ...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

      To whoever cracked Evernote:
      Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.

      --
      20 minutes into the future
    3. Re:Control the encryption layer by Anonymous Coward · · Score: 0

      I use encrypted sparse images (OS X) on Dropbox and it works fine. Updates are fast - they're certainly not updating the entire 2 GB sparseimage. I've never had an issue with corruption. If somebody wants to try to hack at the encrypted file, they're welcome to try.

    4. Re:Control the encryption layer by AmiMoJo · · Score: 1

      It isn't access to your Evernote account you should be worried about, it is access to all the other accounts you used the same email address, user name and password for. Okay, from the sound if it you probably don't do that, but the majority of people do.

      Resetting all Evernote passwords isn't going to help them much. If their email account is vulnerable then they are pretty much screwed, because everything else seems to rely on being able to send password reset messages to that account and assumes it is secure.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Control the encryption layer by bfandreas · · Score: 1

      I use the same (throwaway) email account and password for all my low priority accounts. If they get owned have fun with my trivialities.
      I do use a password generator and a keystore for my important things, tho.

      If His Flying Noodlyness hadn't intended us to use throwaway email accounts for throwaway online services he wouldn't have given us Hotmail.

      --
      20 minutes into the future
  4. Right to be deleted by mescobal · · Score: 5, Insightful

    I tried to get my account deleted: the say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.

    --
    La culpa no es del chancho...
    1. Re:Right to be deleted by Anonymous Coward · · Score: 1

      You don't even have a right to self-terminate. What makes you think you have a right to delete your account?

    2. Re:Right to be deleted by Anonymous Coward · · Score: 2

      Your right to disappear from a service is already granted. The caveat is that it is nullified when you sign up. If you don't want to have troubles deactivating accounts, don't create them.

      You're borrowing their hardware, they're borrowing your content. They want you to come back, and they want you to sign up your friends for the service. This is the carrot, this is the stick.

      If your content is never deleted it also makes account reactivations and complying with court orders a breeze.

    3. Re:Right to be deleted by Threni · · Score: 2

      I just deleted my account, and had to reset my password first - no problem.

    4. Re:Right to be deleted by bfandreas · · Score: 5, Insightful

      And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.

      --
      20 minutes into the future
    5. Re:Right to be deleted by icebike · · Score: 1

      So go in, delete everything you've entered, then empty the trash and deactivate your account.

      Like everybody else, they probably have off-line backup, and your account may dwell on some
      tape media somewhere until that cycles out of existence.

      Good luck getting something like that passed into law, since it runs directly contrary to what your government (every government) wants.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Right to be deleted by jones_supa · · Score: 1

      Or even worse, the account is just marked hidden.

    7. Re:Right to be deleted by Anonymous Coward · · Score: 0

      "We need laws enforcing our right to disappear from a service."

      Should we also have "Forget me on the Internet" laws as well?

    8. Re:Right to be deleted by Anonymous Coward · · Score: 0

      What right to disappear? "I want to do something" doesn't automatically make it a right.

      If you introduce yourself to someone, you don't have a right to make them forget you - why would you have a _right_ to disappear from a service?
      I think the word "right" has become a little watered down these days...

    9. Re:Right to be deleted by Anonymous Coward · · Score: 0

      Why should you have that right? You have the right to stop interacting with a person/system that you once interacted with, but why claim you have a right to make the person/system forget what you did there?

      I like anonymity and I like privacy. But I'm also against bookburning and censorship. I don't want to extend that right to you, or to corporations or nations. You did something /with/ someone/thing else, and you do not get the solo right to remove that event. That has to be agreed by both parties.

      It's a sticky core issue. You do not own events you do with others.

    10. Re:Right to be deleted by Stormthirst · · Score: 1

      This

    11. Re:Right to be deleted by Rakishi · · Score: 2

      And if someone hacks your account and deletes it you'll be yelling at them to restore everything you had there.

    12. Re:Right to be deleted by antdude · · Score: 1

      Even if that does happen, wouldn't companies still have back ups?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    13. Re:Right to be deleted by bfandreas · · Score: 1

      So? If your data is deleted that will eventually propagate through all backups.
      That's a lousy reason and a lame excuse not to offer the big "DELETE PLX" button.
      And by deleted I mean deleted. Not flagged as deleted.

      --
      20 minutes into the future
    14. Re:Right to be deleted by cerberusss · · Score: 1

      What the fuck are you talking about, you dumb fuck?

      Evernote Premium users pay $40 per year. I'm not borrowing anything.

      --
      8 of 13 people found this answer helpful. Did you?
    15. Re:Right to be deleted by Anonymous Coward · · Score: 0

      It costs way more than that to actually provide such a service. You're still their bitch at that price.

  5. And Evernote Is? by hazem · · Score: -1

    The summary would be much more helpful if it spent a few words explaining who/what Evernote is.

    1. Re:And Evernote Is? by Scutter · · Score: 4, Insightful

      If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    2. Re:And Evernote Is? by hazem · · Score: 0

      I only bring it up because Slashdot at least used to call itself a news site, and putting useful information like that in the summary is generally a good thing to do for a news site. "News" is often about things a person might not have a direct interest in. From a news point of view it's good to answer the basic questions of who, what, when, where, etc.

      From the point of view of a site trying to derive revenue from ads, it's dumb to force people off the site to get that kind of basic information.

      When people complain regularly about the declining quality of Slashdot, paying attention to little things like this can help a lot.

    3. Re:And Evernote Is? by bfandreas · · Score: 1

      It's a bit like Notepad. but it saves teh dataz in teh cloud!
      You can edit a text snippet on your smartphone and it will automagically synch it with your tablet that's a couple of feet away. It also does images. So the picture you took of your genital warts with your phone will instantly appear on your laptop. Nifty, huh?

      --
      20 minutes into the future
    4. Re:And Evernote Is? by hazem · · Score: 1

      And here I was saying just last night how I wish there was an easier way to get picture of my genitals, warts and all, up into the cloud and back onto all my computers (and apparently everyone else's now).

      And people say the era of specialization is over!

    5. Re:And Evernote Is? by wonkey_monkey · · Score: 1

      If you don't know what it is, then you probably don't need to worry that it's been compromised.

      It's nothing to do with who needs to worry and who doesn't. It's the difference between this:

      Giorgio Napolitano has appealed to political leaders for "realism, a sense of responsibility" in resolving their post-election deadlock.

      and this:

      Italian President Giorgio Napolitano has appealed to political leaders for "realism, a sense of responsibility" in resolving their post-election deadlock.

      on what is ostensibly a news site.

      --
      systemd is Roko's Basilisk.
    6. Re:And Evernote Is? by wonkey_monkey · · Score: 1

      See, all Slashdot had to do was put "Genital wart image storage service Evernote" and no-one'd be complaining.

      --
      systemd is Roko's Basilisk.
    7. Re:And Evernote Is? by crashumbc · · Score: 4, Insightful

      It also used to be a "geek" site...

      If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.

    8. Re:And Evernote Is? by BrokenHalo · · Score: 1

      Also, anyone who doesn't know what it is probably wouldn't care much about it if they did. I had a look at it to see what all the hype was about a few weeks ago, and it struck me as a solution looking for a problem. A simple text editor suits my purposes quite adequately. Though obviously, there are many who don't agree - which is fine, since it's all about freedom of choice.

    9. Re:And Evernote Is? by greg1104 · · Score: 1

      Evernote makes it easy to synchronize text among all your computers and your phone too. I have things like my shopping list on there, so I can edit on either a desktop or while I'm out with the phone. It also allows some amount of formatting that's a pain get consistent in a simple text editor. I could use Markdown or something like that to do the same thing, but this is easier, and again the formatting also works on the phone.

    10. Re:And Evernote Is? by Anonymous Coward · · Score: 1

      It's ok to write "Today Twitter had ..." instead of "Today the popular microblogging platform Twitter had ...", it's not ok to do that for every Web 2.0 start up out there.

      Following your logic to the very end, every article on /. can be simply replaced with lone headline reading "Some kinda stuff happened at $company". What, can't you just use Google to search for "what happened at $company?" if you want to know more? We could even add summaries consisting of LMGTFY links for those who can't.

    11. Re:And Evernote Is? by Anonymous Coward · · Score: 0

      > And Evernote Is?

      I have no idea. Nor do I know what that "google" think is that everyone keeps talking about.

    12. Re:And Evernote Is? by Anonymous Coward · · Score: -1

      Who cares if the next president is Italian. We have a frickin nigga for president now dude.

    13. Re:And Evernote Is? by hazem · · Score: 1

      Yes - I've been on slashdot for many years, so I know what kind of site it's been.

      I've been plugged into things of a geek nature for quite a long time and with a fair amount of breadth and this was the first I'd heard of Evernote. Nobody can keep up with every fly-by-night web service that pops up and then has security problems.

      I'm just suggesting that if you're writing about something that is not as well known as Microsoft, Twitter, etc., and if your goal is to be a good news site, then it's probably worth spending an extra 20 characters saying what something is.

      And sure, anyone can Google for it, but again, if your site is funded by ad revenue, one of the dumbest thing you can do is drive people to other sites to figure out what the heck you're writing about. People only have a limited amount of time to be on teh web. If you drive them off to Google or some other site during the that time when they could be on your site and now someone else is collecting those ad revenues.

    14. Re:And Evernote Is? by bfandreas · · Score: 1

      It was only after I started organizing my shopping list on Evernote that I noticed a streak of insanity in myself.

      There I was standing in front of a shelf in a shop. I noticed I forgot to put something onto my list. And I proceeded to append my Evernote list with the item I forgot to put on it.
      The sane thing to do would of course have been to SIMPLY GRAB THE STUFF FROM THE SHELF and not bother with Evernote at all.
      Therefore Evernote == insanity. And I'm better now.

      --
      20 minutes into the future
    15. Re:And Evernote Is? by Anonymous Coward · · Score: 0

      Well, it's more a why-should-I-care issue. If I don't know what evernote is (I've never heard of it) my immediate question is - why should I care? Why should I expend time and energy researching it. Is it a nuclear secrets site? Does the government store tax information there? Is a data breach important or unimportant? So far, I am not getting a sense of importance. This may be an advertising stunt to get people to investigate what evernote is.

  6. Give us the keys! by Anonymous Coward · · Score: 0

    Why people trust third parties with the keys to their data, I don't understand.
    Why companies keep sprouting up that rely on holding the keys, I don't understand.

    1. Re:Give us the keys! by peragrin · · Score: 2

      Because if you haven't figured it out people are on average stupid idiots.

      Take email encryption. After 20+ years there still isn't an easy to use way to send encrypted emails to anyone and get the appropriate security keys.

      that means everyone is using plain text email still.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Give us the keys! by icebike · · Score: 2

      What keys are you speaking about?

      From TFA

      In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

      The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.

      Evernote has passwords, like just about every site. What you put on evernote is your business, but without additional layers of encryption most people don't put anything up there that is super secret. Most people use if for notes and stuff they need for quick reference on the go. Its a tool of convenience not a bank vault.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Give us the keys! by Threni · · Score: 2

      No, we're using Dropbox, Evernote, Google Drive and email with Truecrypt files. I tend to not use email for secure comms now; just edit a text file in a folder dropbox is configured to watch and as soon as you unmount the file it gets synced up and the recipient notified. I'd use Drive except it doesn't understand the concept of only syncing the part of the Truecrypt file which has changed, uploading instead the whole Truecrypt file. Even that would work for small files though.

    4. Re:Give us the keys! by Anonymous Coward · · Score: 0

      Way too much trouble for most people. Basically everyone is using clear text e-mail and everyone has sent some e-mail that they'd really like to stay private.

      Someone could do well to synthesize a secure e-mail product that was affordable and easy to use. DHS would likely stop them, though.

    5. Re:Give us the keys! by Anonymous Coward · · Score: 0

      The keys to users' stored data, of course. If they weren't compromised this time, they will be the next.

      Companies like Evernote thrive on making cloud storage so convenient that you'll start storing things you really shouldn't, even if you're aware of the issues. I would hazard to guess the vast majority of the public doesn't have a clue about the security/privacy issues and thinks just having their own account and password is actually secure.

      Tell me you're not aware of all this.

    6. Re:Give us the keys! by icebike · · Score: 1

      They are log in keys. You already have those keys. They are your login passwords.

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:Give us the keys! by Anonymous Coward · · Score: 0

      You apparently don't know how most cloud storage systems work. Yes, you have login keys, but the storage is typically protected by another key known only to the storage provider. That's the information that should be taken out of the providers hands and placed in the hands of customers, with a private key for each. Storage providers should have no practical ability to access your data, unless you willfully give them access to your private key.

    8. Re:Give us the keys! by Anonymous Coward · · Score: 0

      FYI: The more people like you (which seem to be in the majority) skirt the real privacy issues, the longer it will take to address them and the longer it will be before the full utility of the Internet can be exploited. And that's sad, coming from a geek site.

    9. Re:Give us the keys! by icebike · · Score: 2

      You apparently don't know how most cloud storage systems work.

      And you apparently don't have a clue about Evernote. Its not a "cloud storage" system.

      Run along now sonny. I've got work to do.

      --
      Sig Battery depleted. Reverting to safe mode.
    10. Re:Give us the keys! by Anonymous Coward · · Score: 0

      Evernote shills are out in force!
      Yeah, right, Evernote isn't cloud storage... it just uses it. Huge difference here. huge./sarcasm

  7. Note to self by Anonymous Coward · · Score: 0

    Nothing is forever secure.

  8. Evernote is bullshit anyway by Anonymous Coward · · Score: 0

    Anyone who actually believes that such a service is somehow
    "necessary" doesn't know how to manage information.

    If this episode wasn't enough to convince you to avoid cloud
    services, ask people who had Mobile Me accounts with Apple
    how they enjoyed having their data disappear.

    If the data matters, you need to be able to put your OWN hands
    on the storage devices used, and keep the hands of those who
    are not 100% trusted away.

    1. Re:Evernote is bullshit anyway by Anonymous Coward · · Score: 0

      Necessary and convenient are not the same apples. Data in the cloud can be stored locally. All data is not sensitive or private.

      You seem to want to paint the issue with a broad brush that does nothing but make a mess of the details.

  9. Is a password reset really appropriate? by kasperd · · Score: 1

    With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?

    I am all for them going public with what they found. But sometimes you really need to have enough confidence in your own protection of the passwords to not go and force everybody to change their password.

    If the attackers had access to sniff the plaintext passwords at login, then it is a different story. But if there was only a leak of well protected hashes, then just let people know and let them decide if they want to change their password. It is not like a password reset is risk free either.

    --

    Do you care about the security of your wireless mouse?
    1. Re:Is a password reset really appropriate? by gottabeme · · Score: 1

      Yes, thank you for saying this. I'm so sick of forced password resets. I can't remember all the passwords I use, and for some sites that I might actually need to remember them for, having to make a new one means I no longer remember the password for that site! It means I'm more likely to choose a weak password which is easier to remember and easier to crack.

      Thus my theory that forced password resets actually decrease security.

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    2. Re:Is a password reset really appropriate? by Anonymous Coward · · Score: 0

      You should look up Keepass. Seriously.

    3. Re:Is a password reset really appropriate? by Anonymous Coward · · Score: -1

      If you can remember all of your passwords you need to start playing blackjack or you are doing something wrong.

    4. Re:Is a password reset really appropriate? by gottabeme · · Score: 1

      I've been using KeePassX for years. You missed the point.

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    5. Re:Is a password reset really appropriate? by gottabeme · · Score: 0

      If you can't comprehend what I said, you need to get off the Internet or you're doing something wrong.

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    6. Re:Is a password reset really appropriate? by si618 · · Score: 1

      With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?

      My guess would be the salt was either not unique per account, or was part of the compromised data. Either way it would make it (somewhat) easier to brute-force.

      --
      Sometimes I doubt your commitment to Sparkle Motion
    7. Re:Is a password reset really appropriate? by kasperd · · Score: 1

      My guess would be the salt was either not unique per account

      There is only one salt per account, so of course it is unique per account. But that is probably not what you meant. Could it be that the salt is not unique? It could be, but once you are doing any salting in the first place, it is trivial to make it unique. All you have to do is let the salt be a sufficiently long string of random characters, and the probability of collisions will be negligible.

      or was part of the compromised data.

      Salts are stored together with the hash, so leaking one without the other is totally unlikely. But don't worry. Salts are designed such that they don't need to be kept secret.

      --

      Do you care about the security of your wireless mouse?
    8. Re:Is a password reset really appropriate? by si618 · · Score: 1

      There is only one salt per account, so of course it is unique per account. But that is probably not what you meant.

      No, it is exactly what I meant. How do you know the salt is unique? Did you write the code? It's easier to use the same salt for every account rather than making it unique, since it can be hard-coded and doesn't need to be persisted with the hash.

      See here for a more thorough explanation.

      But don't worry. Salts are designed such that they don't need to be kept secret.

      Of course, but as I said, if you're using the same salt for all your hashes then it becomes less secure.

      --
      Sometimes I doubt your commitment to Sparkle Motion
    9. Re:Is a password reset really appropriate? by kasperd · · Score: 1

      No, it is exactly what I meant. How do you know the salt is unique?

      I did not say that I know the salt is unique. I said the salt is unique per account, which is a tautology because there is only one salt per account.

      as I said, if you're using the same salt for all your hashes then it becomes less secure.

      Of course. If you are using the same salt for every account, you are not salting at all. You'd be reducing the salted hash down to simply an unsalted but non-standard hash function. That would not require much more computing power to brute force than an unsalted hash.

      But producing a good salt is easy. All you'd need to do was "head -c56 /dev/urandom | base64" or the equivalent in whatever language the system is written in.

      We will keep seeing these stories until we get more secure protocols for password authentication. What we need is a ZK protocol such that the password never leaves the client machine in the first place. And when the password is initially set up, there need to be one salt from the client and one salt from the server such that as long as one of them do it right, the salt will end up unique.

      People are deliberately designing computationally inefficient algorithms for password validation. Imagine if we could turn all of that CPU usage into some public key cryptography being part of a ZK protocol. We'd get something more secure and could possibly even reduce the amount of CPU time a server need to spend on validating a password.

      --

      Do you care about the security of your wireless mouse?
  10. Forced to have an account... by Anonymous Coward · · Score: 0

    I used to have an evernote account for some time, because my smartphone came with the app pre-installed as the official "note app". It's very good, nice UI, etc...

    The only problem is that I'm FORCED to have an Evernote account to use it ! The syncing is done automatically by default if you don't disable it, come on... an account for a stupid note-taking app ? I understand we need it for the syncing feature but I really don't need to sync my stupid notes.

    So, I stopped using it, forced to have an account just turns me off, no wonder why the hackers are interested in their datas.

    Between my bank account, my Google account, my email account, my phone service provider account, my internet service provider account, my electricity account, I don't need a stupid note account, too many already, thanks...

    1. Re:Forced to have an account... by Geeky · · Score: 1

      The sync is the point though, otherwise you might as well just use a local note app.

      I use it for random technical notes, pointers to useful howtos, command line snippets I want to remember, ideas for my blog... nothing that requires much in the way of security. I like that I can write the notes at work and have them on my home PC, or jot an idea on my phone while I'm out and expand on it when I'm front of the keyboard. I was looking for a note app that let me organise notes into folders with a bit of markup. I'm sure plenty of them exist, but the sync is the killer feature for me.

      Yes, to maintain my geek card I know I could use text files in a dropbox synced folder structure, or hack something together with some kind of rsync, but sometimes it's just easier to use a nice GUI app that just works.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    2. Re: Forced to have an account... by Anonymous Coward · · Score: 0

      yes, but there is no good note-taking app that you can insert pictures and text and voice that just works offline without registration, they all requiert accounts !

      Evernote, OneNote, ... you name it.

    3. Re:Forced to have an account... by lennier · · Score: 1

      The sync is the point though, otherwise you might as well just use a local note app.

      A truly local note app is exactly what I want on my phone, for exactly the kind of security reason as this article highlights. I don't want my notes anywhere but in my pocket. That's why they're notes, not shared documents.

      But no. Most note apps out there automatically sync my private notes to some "cloud service" whether I want to or not. So far the best option I've found has been to install an app which wants to sync to a service I don't have an account on. But that's a dumb workaround to a dumber misfeature.

      Mobile and Cloud are two of the worst things that have happened to computer security at the moment. Far too many people are putting far to much data onto public storage with far too little privacy, and most of the time they're not even aware that it's happening. That's a problem, and eventually we're going to find out how much of a problem. But that will be long after the damage is done.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  11. And how do they know no content was accessed? by petsounds · · Score: 1

    So the attackers were able to get what sounds like direct access to the user database, or best case a backup copy, and yet we're expected to believe that the attackers couldn't gain access to the content database? (assuming it's even a different database) Or at least crack some really weak passwords within the two days before this was reported to users?

    In this kind of attack, the baddies are after the content. The user accounts themselves are mostly worthless -- can't really use them for spam or phishing. But there's probably some dummies out there who have put sensitive information in Evernote, and that's what I'd guess the bad guys are after.

    My guess is, Evernote has no frickin idea whether content was stolen or not, but they DO know that if they said that publicly they'd be in hot water.

  12. A secure alternative by Anonymous Coward · · Score: 0

    Found this piece on possible Evernote alternatives: http://www.dsc.net/techtips/more-secure-alternatives-to-evernote. Bottom line, there really isn't anything with the same level of integration.

  13. just passwords ? by Anonymous Coward · · Score: 0

    How can a hacker get to passwords and yet we are to believe that everything else has not been read ?

  14. OneNote by czth · · Score: 1

    I considered using EverNote at one point, but my concern was offline availability (for personal use on my laptop) and security (for use at work). I didn't think management would be happy with me storing proprietary/confidential data on someone else's remote server, so I stuck with OneNote. (I also didn't realistically think they'd get broken into, to be honest, just thought it would be frowned upon. Sometimes paranoia works for you.)

    I have looked into several open source alternate note-taking programs, but none of them worked for me as well as OneNote - some were too clunky, didn't have decent search, didn't do quick page hyperlinks, poor formatting, whatever. (Full disclosure: I used to work for Microsoft, which is where I started using OneNote - it was free for internal use - but I stuck with it after I left because it really is a great product.) I would be ecstatic to learn of a free/open source note-taking program that had parity with OneNote, but I haven't found one.

    1. Re:OneNote by Tool+Man · · Score: 1

      While formatting options make something like EverNote look interesting, I haven't yet found a must-have feature for me that negates the loss of control I feel over my info. I do like Pinboard for bookmarks, which I don't really treat as private, but most of the rest ends up in plain-text files that I can read anywhere. Combined with an encrypted file sync service like Wuala or SpiderOak, I feel 90% of the way there. I might end up adding Tiddlywiki in the same sync folders for items which need a bit more formatting though.