Slashdot Mirror

← Back to Stories (view on slashdot.org)

Evernote Security Compromised

Posted by Soulskill on from the 12345-to-123456 dept.

starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."

72 of 104 comments (clear)

  1. Shocking... by ohzero · · Score: 3, Interesting

    One more trendy company that didn't have a security program gets compromised. It's almost as if ignoring the problem doesn't make it go away. Pentest, code review, remediate, and test some more. Or, you know, lose brand value...that's the other option.

    --
    -- http://www.criticalassets.com
    1. Re:Shocking... by Anonymous Coward · · Score: 1

      They took the time to properly salt and hash the passwords. I'm grateful to have that much security.

    2. Re:Shocking... by Mr+Thinly+Sliced · · Score: 5, Interesting

      As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.

      It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.

      At the very least their internal security team now gets a nice big stick to beat management with to stopping cutting certain corners.

    3. Re:Shocking... by u38cg · · Score: 5, Insightful

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      --
      [FUCK BETA]
    4. Re:Shocking... by Majik+Sheff · · Score: 2

      Came here to post this exact thing. They REALLY screwed up the notification email.

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    5. Re:Shocking... by nametaken · · Score: 4, Insightful

      Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.

      Evernote seems to have done what you should do in a situation like this.

    6. Re:Shocking... by Snotnose · · Score: 1

      I never got notification email. I also can't log in with any password, now that it's hit /. I know to hit their site for a heads up.

      Evernote has my weakest throwaway passwords, and the only thing I use it for is grocery lists. Not too worried about this one.

    7. Re:Shocking... by ultracompetent · · Score: 1

      Glad I started using unique passwords for each site after the linkedin breech .. only one password for me to change :)

    8. Re:Shocking... by icebike · · Score: 2

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      Yeah, I expect they had so many to notify they had to use a service, but if so why leave a link in the email?

      I never even got notified by email, or if I did it was so spammy it got trapped and I'm too lazy to look.

      My android app got an update, and the reason for the update was a security announcement. So I installed it, and it insisted I much change passwords, and took me to the web page to do so.

      --
      Sig Battery depleted. Reverting to safe mode.
    9. Re:Shocking... by Anonymous Coward · · Score: 1

      Because hashes are one way which means they cannot be used to retrieve the original information, only test information against the hash(...by hashing it).

      Consequence: when you want to send the user an email, now you can't because the email is stored as a non-reversible hash.

    10. Re:Shocking... by camperdave · · Score: 4, Funny

      I too have only one password to change. I have over a thousand sites I need to change it on, though.

      --
      When our name is on the back of your car, we're behind you all the way!
    11. Re:Shocking... by Seumas · · Score: 1

      I don't think being trendy has anything to do with it. It simply is another piece of evidence that demonstrates an industry-wide problem of security seeming to be very nebulous. Apple, Microsoft, Sony, Valve, Facebook, Twitter, EA, Pinterest, Tumblr, LastPass, NYT, Evernote, and countless other places in the last couple of years (800 breaches of business, government, and medical institutions in just the past year according to privacyrights.org). Hell, wasn't kernel.org even compromised in the past year?

      It seems to show that no matter how much attention you focus on security, there are always potential areas for exploit. Either that or absolutely everyone -- even with the biggest budget -- doesn't even bother, which seems unlikely.

      Also, the issue with Evernote is that if they suffer a real data breach, it's all over. My understanding is they do not encrypt your data, so if someone breaches their storage systems (and if they can breach their other systems, why not these, too?) -- they can access all the data that belongs to the users of their service including small businesses, corporations, home users, students and everyone else.

    12. Re:Shocking... by Seumas · · Score: 1

      The more concerning thing is that, as I understand it, your data is not encrypted on Evernote. By design, presumably, so they can index and perform OCR and searches and other things on your data. If they can breach the server with user credentials, why couldn't they breach the servers containing your actual documents and everything?

    13. Re:Shocking... by Seumas · · Score: 1

      At least you got an email. I woke up this afternoon and I couldn't access Evernote on my ipad. So I tried my laptop, desktop, then web interface. I assumed I had screwed up my password somehow. Eventually, it stopped giving me an error and gave me a "reset your password" warning, instead. So I did. I've checked my email and though I've received advertising from Evernote on January 15th and then February 9th, 25th, and 26th -- I've received nothing regarding a breach or password reset (and I'm also a premium customer, for whatever that's worth).

    14. Re:Shocking... by deniable · · Score: 1

      What notification email? Devices started having sync errors and I got a weird password prompt on the desktop. I assumed they'd nuked my account and went to the website. There's a link "If you received a password reset notification..." but you have to go to the blog for an explanation.

    15. Re:Shocking... by leaen · · Score: 1

      Well it is movie plot plan. Hacker A: gets access to evernote Hacker B: Look these passwords are hashed and salted Hacker A: Never mind. We issue password reset and send passwords to evil.com

    16. Re:Shocking... by Xest · · Score: 2

      It's a question of who they get broken into by though.

      For example, Google has been hacked sure, but it's been by state actors (China) who don't give a shit about leaking everyone's personal and credit card details but are more interested in information and espionage.

      No company should be allowing themselves to get hacked by a bunch of script kiddies though who do lose your details left and right like Sony was.

      Further, I'm not even sure your assertion that everyone gets broken into eventually is true. In the industry I work in if we got broken into we'd go out of business overnight so we simply can't afford to let that happen to us. I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked? eBay? (DDOS doesn't count, that's not a hack).

      Really, without knowing the details of this attack it's hard to speculate reasonably as to whether they should or shouldn't have had this happen to them. If it was something trivial and stupid like an SQL injection attack then they should give up on their business now for being a bunch of incompetent dickheads. If however it was something more sophisticated then fair enough, you can somewhat sympathise with them.

      But either way I think it's dangerous to try and make it acceptable that a company will get hacked by simply saying "Oh it happens to everyone, don't worry, as long as you clean up properly". That's bollocks, and it just gives companies an excuse "Yeah, we know all your credit card details got stolen because we had an open SSH port with root access available and password of 'password' but don't worry, we told you, and reset your password, consider us excused for the fact you will now be a victim of financial fraud!".

    17. Re:Shocking... by Mr+Thinly+Sliced · · Score: 1

      I can think of a number of companies such as banks that have simply never been hacked

      Having worked for a couple of banks in my time and had the ear of some of the security chiefs, I can tell you that it does happen. Unless it's a particularly visible breach (multiple account details stolen, loss of funds with transfers), very little of it makes it to the media. For obvious reasons.

      I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked?

      What makes you think you'd hear about it if happened? Most companies will only hold up their hands and admit problems when the evidence is undeniable. See Sony.

    18. Re:Shocking... by Xest · · Score: 1

      A breach with only an account or two stolen makes no sense. It's more likely explained by the account holder themselves. Either the hacker managed to get access to banking details or they didn't, it really makes no sense that they broke in but only got one set of details.

      Which is precisely why we'd hear about it - when somewhere is really actually hacked, the fallout is big enough that it can't stay hidden.

    19. Re:Shocking... by Mr+Thinly+Sliced · · Score: 1

      A breach with only an account or two stolen makes no sense.

      I'm afraid the real world has a few more shades of grey than hacked or not hacked.

      The bad guys get caught with varying levels of "in" in the DMZ. High value single account targets are of interest to the bad guys too. A shotgun approach of attack can set off alarm bells where a surgical strike can go unnoticed for a bit longer.

      Banks in particular have improved over the last few years with two factor auth and dropping the "smart client" (java / flash) mess, but the bad guys are just as inventive - social engineering has been on the rise to counteract some of these advances.

      I realise I'm not going to convince you without any factual backup. On the other hand, I'm not willing to put former colleagues and employers in the spotlight.

    20. Re:Shocking... by nomadicGeek · · Score: 1

      I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibility in this respect. The value of their service diminishes greatly if it is not secure. They simply can't be seen as ineffective in this matter.

      I am especially impressed that they obviously had an effective plan together to quickly update client applications in the event that something like this happened. They pushed out updates for IOS and Android very quickly. They even updated Penultimate which was only recently integrated into Evernote. It seems like they had their act together as far as that was concerned.

      They obviously need to stay on top of this game. I'd like to see two factor authentication and better not encryption options. I have my concerns about using Evernote, but I am still a pretty heavy user with over 6000 notes. So far, the benefits outweigh the risks. From what I have learned about this incident so far, I don't think that my appraisal of the cost and benefit will tip the other way. I hope that it stays that way because we don't learn anything new about this incident that seems careless or irresponsible, and because they continue to develop the product and improve the security.

    21. Re:Shocking... by thsths · · Score: 1

      > with the best will in the world you're always just one mistake away from letting the bad guys in.

      Not at all. With a bad security model you are only one step away from being owned. If you have a proper security model, you have several layers, and just a single one. So there should be no single point of failure. Combine this with decent testing etc, and you have a reasonable amount of security.

    22. Re:Shocking... by Xest · · Score: 1

      Yes, I understand people can penetrate to different levels of a network, but what is black or white is whether they penetrated and got anything of value or not.

      The fact is, you don't penetrate deep enough into a bank to get information of value and then only get one account's details, it just makes no sense.

      If anyone has breached deep enough to be of any real matter or value, we'd hear about it, that's the point.

      If you're going to risk hacking into a bank, you're going to come out with something of value whether it's for fame or money.

    23. Re:Shocking... by joea789 · · Score: 1

      Wait, wait, wait.... What's to keep hackers from spamming the world with the same exact email, but with the link pointing to their site? From there they collect your current password. With email clients showing the most recent emails first, the re-sent hacker phising email can appear before the one authorized by Evernote.

    24. Re:Shocking... by u38cg · · Score: 1

      That is the point I was making...

      --
      [FUCK BETA]
  2. Keep it in the cloud by DFurno2003 · · Score: 2

    So that the government and whoever else wants to see your data has 24 hour access to it.

    1. Re:Keep it in the cloud by Seumas · · Score: 1

      Because your home system with a standard consumer router is so secure and impenetrable and the same government that could demand direct access to a full live stream of cloud data couldn't demand the major OS developers include a backdoor to them and access your home machine.

  3. Control the encryption layer by worip · · Score: 2

    If you use a cloud service, use a layer of encryption that is under your control, e.g. truecrypt with dropbox. Problem is that is usually breaks the service. A possible alternative is to build your own cloud with OwnCloud. Note though that nothing as good as Evernote is yet available as a private server.

    --
    A picture is worth exactly 1024 words.
    1. Re:Control the encryption layer by heypete · · Score: 1

      The last I checked with Owncloud (~2-3 months ago), their system would update the entire encrypted file rather than just the parts that changed. This might work for a relatively small TrueCrypt file but it becomes impractical if you have a large file. Dropbox updates only the changed parts, which is handy.

    2. Re:Control the encryption layer by bfandreas · · Score: 5, Insightful

      The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
      If you work under the assumption cloud == public then you will do no wrong.

      ...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

      To whoever cracked Evernote:
      Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.

      --
      20 minutes into the future
    3. Re:Control the encryption layer by AmiMoJo · · Score: 1

      It isn't access to your Evernote account you should be worried about, it is access to all the other accounts you used the same email address, user name and password for. Okay, from the sound if it you probably don't do that, but the majority of people do.

      Resetting all Evernote passwords isn't going to help them much. If their email account is vulnerable then they are pretty much screwed, because everything else seems to rely on being able to send password reset messages to that account and assumes it is secure.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Control the encryption layer by bfandreas · · Score: 1

      I use the same (throwaway) email account and password for all my low priority accounts. If they get owned have fun with my trivialities.
      I do use a password generator and a keystore for my important things, tho.

      If His Flying Noodlyness hadn't intended us to use throwaway email accounts for throwaway online services he wouldn't have given us Hotmail.

      --
      20 minutes into the future
  4. Right to be deleted by mescobal · · Score: 5, Insightful

    I tried to get my account deleted: the say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.

    --
    La culpa no es del chancho...
    1. Re:Right to be deleted by Anonymous Coward · · Score: 1

      You don't even have a right to self-terminate. What makes you think you have a right to delete your account?

    2. Re:Right to be deleted by Anonymous Coward · · Score: 2

      Your right to disappear from a service is already granted. The caveat is that it is nullified when you sign up. If you don't want to have troubles deactivating accounts, don't create them.

      You're borrowing their hardware, they're borrowing your content. They want you to come back, and they want you to sign up your friends for the service. This is the carrot, this is the stick.

      If your content is never deleted it also makes account reactivations and complying with court orders a breeze.

    3. Re:Right to be deleted by Threni · · Score: 2

      I just deleted my account, and had to reset my password first - no problem.

    4. Re:Right to be deleted by bfandreas · · Score: 5, Insightful

      And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.

      --
      20 minutes into the future
    5. Re:Right to be deleted by icebike · · Score: 1

      So go in, delete everything you've entered, then empty the trash and deactivate your account.

      Like everybody else, they probably have off-line backup, and your account may dwell on some
      tape media somewhere until that cycles out of existence.

      Good luck getting something like that passed into law, since it runs directly contrary to what your government (every government) wants.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Right to be deleted by jones_supa · · Score: 1

      Or even worse, the account is just marked hidden.

    7. Re:Right to be deleted by Stormthirst · · Score: 1

      This

    8. Re:Right to be deleted by Rakishi · · Score: 2

      And if someone hacks your account and deletes it you'll be yelling at them to restore everything you had there.

    9. Re:Right to be deleted by antdude · · Score: 1

      Even if that does happen, wouldn't companies still have back ups?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    10. Re:Right to be deleted by bfandreas · · Score: 1

      So? If your data is deleted that will eventually propagate through all backups.
      That's a lousy reason and a lame excuse not to offer the big "DELETE PLX" button.
      And by deleted I mean deleted. Not flagged as deleted.

      --
      20 minutes into the future
    11. Re:Right to be deleted by cerberusss · · Score: 1

      What the fuck are you talking about, you dumb fuck?

      Evernote Premium users pay $40 per year. I'm not borrowing anything.

      --
      8 of 13 people found this answer helpful. Did you?
  5. Re:And Evernote Is? by Scutter · · Score: 4, Insightful

    If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  6. Re:Give us the keys! by peragrin · · Score: 2

    Because if you haven't figured it out people are on average stupid idiots.

    Take email encryption. After 20+ years there still isn't an easy to use way to send encrypted emails to anyone and get the appropriate security keys.

    that means everyone is using plain text email still.

    --
    i thought once I was found, but it was only a dream.
  7. Re:And Evernote Is? by bfandreas · · Score: 1

    It's a bit like Notepad. but it saves teh dataz in teh cloud!
    You can edit a text snippet on your smartphone and it will automagically synch it with your tablet that's a couple of feet away. It also does images. So the picture you took of your genital warts with your phone will instantly appear on your laptop. Nifty, huh?

    --
    20 minutes into the future
  8. Re:Give us the keys! by icebike · · Score: 2

    What keys are you speaking about?

    From TFA

    In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

    The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.

    Evernote has passwords, like just about every site. What you put on evernote is your business, but without additional layers of encryption most people don't put anything up there that is super secret. Most people use if for notes and stuff they need for quick reference on the go. Its a tool of convenience not a bank vault.

    --
    Sig Battery depleted. Reverting to safe mode.
  9. Re:And Evernote Is? by hazem · · Score: 1

    And here I was saying just last night how I wish there was an easier way to get picture of my genitals, warts and all, up into the cloud and back onto all my computers (and apparently everyone else's now).

    And people say the era of specialization is over!

  10. Re:And Evernote Is? by wonkey_monkey · · Score: 1

    If you don't know what it is, then you probably don't need to worry that it's been compromised.

    It's nothing to do with who needs to worry and who doesn't. It's the difference between this:

    Giorgio Napolitano has appealed to political leaders for "realism, a sense of responsibility" in resolving their post-election deadlock.

    and this:

    Italian President Giorgio Napolitano has appealed to political leaders for "realism, a sense of responsibility" in resolving their post-election deadlock.

    on what is ostensibly a news site.

    --
    systemd is Roko's Basilisk.
  11. Re:And Evernote Is? by wonkey_monkey · · Score: 1

    See, all Slashdot had to do was put "Genital wart image storage service Evernote" and no-one'd be complaining.

    --
    systemd is Roko's Basilisk.
  12. Re:And Evernote Is? by crashumbc · · Score: 4, Insightful

    It also used to be a "geek" site...

    If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.

  13. Re:And Evernote Is? by BrokenHalo · · Score: 1

    Also, anyone who doesn't know what it is probably wouldn't care much about it if they did. I had a look at it to see what all the hype was about a few weeks ago, and it struck me as a solution looking for a problem. A simple text editor suits my purposes quite adequately. Though obviously, there are many who don't agree - which is fine, since it's all about freedom of choice.

  14. Re:Give us the keys! by Threni · · Score: 2

    No, we're using Dropbox, Evernote, Google Drive and email with Truecrypt files. I tend to not use email for secure comms now; just edit a text file in a folder dropbox is configured to watch and as soon as you unmount the file it gets synced up and the recipient notified. I'd use Drive except it doesn't understand the concept of only syncing the part of the Truecrypt file which has changed, uploading instead the whole Truecrypt file. Even that would work for small files though.

  15. Re:And Evernote Is? by greg1104 · · Score: 1

    Evernote makes it easy to synchronize text among all your computers and your phone too. I have things like my shopping list on there, so I can edit on either a desktop or while I'm out with the phone. It also allows some amount of formatting that's a pain get consistent in a simple text editor. I could use Markdown or something like that to do the same thing, but this is easier, and again the formatting also works on the phone.

  16. Re:And Evernote Is? by Anonymous Coward · · Score: 1

    It's ok to write "Today Twitter had ..." instead of "Today the popular microblogging platform Twitter had ...", it's not ok to do that for every Web 2.0 start up out there.

    Following your logic to the very end, every article on /. can be simply replaced with lone headline reading "Some kinda stuff happened at $company". What, can't you just use Google to search for "what happened at $company?" if you want to know more? We could even add summaries consisting of LMGTFY links for those who can't.

  17. Re:Give us the keys! by icebike · · Score: 1

    They are log in keys. You already have those keys. They are your login passwords.

    --
    Sig Battery depleted. Reverting to safe mode.
  18. Re:And Evernote Is? by hazem · · Score: 1

    Yes - I've been on slashdot for many years, so I know what kind of site it's been.

    I've been plugged into things of a geek nature for quite a long time and with a fair amount of breadth and this was the first I'd heard of Evernote. Nobody can keep up with every fly-by-night web service that pops up and then has security problems.

    I'm just suggesting that if you're writing about something that is not as well known as Microsoft, Twitter, etc., and if your goal is to be a good news site, then it's probably worth spending an extra 20 characters saying what something is.

    And sure, anyone can Google for it, but again, if your site is funded by ad revenue, one of the dumbest thing you can do is drive people to other sites to figure out what the heck you're writing about. People only have a limited amount of time to be on teh web. If you drive them off to Google or some other site during the that time when they could be on your site and now someone else is collecting those ad revenues.

  19. Re:Give us the keys! by icebike · · Score: 2

    You apparently don't know how most cloud storage systems work.

    And you apparently don't have a clue about Evernote. Its not a "cloud storage" system.

    Run along now sonny. I've got work to do.

    --
    Sig Battery depleted. Reverting to safe mode.
  20. Is a password reset really appropriate? by kasperd · · Score: 1

    With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?

    I am all for them going public with what they found. But sometimes you really need to have enough confidence in your own protection of the passwords to not go and force everybody to change their password.

    If the attackers had access to sniff the plaintext passwords at login, then it is a different story. But if there was only a leak of well protected hashes, then just let people know and let them decide if they want to change their password. It is not like a password reset is risk free either.

    --

    Do you care about the security of your wireless mouse?
    1. Re:Is a password reset really appropriate? by gottabeme · · Score: 1

      Yes, thank you for saying this. I'm so sick of forced password resets. I can't remember all the passwords I use, and for some sites that I might actually need to remember them for, having to make a new one means I no longer remember the password for that site! It means I'm more likely to choose a weak password which is easier to remember and easier to crack.

      Thus my theory that forced password resets actually decrease security.

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    2. Re:Is a password reset really appropriate? by gottabeme · · Score: 1

      I've been using KeePassX for years. You missed the point.

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    3. Re:Is a password reset really appropriate? by si618 · · Score: 1

      With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?

      My guess would be the salt was either not unique per account, or was part of the compromised data. Either way it would make it (somewhat) easier to brute-force.

      --
      Sometimes I doubt your commitment to Sparkle Motion
    4. Re:Is a password reset really appropriate? by kasperd · · Score: 1

      My guess would be the salt was either not unique per account

      There is only one salt per account, so of course it is unique per account. But that is probably not what you meant. Could it be that the salt is not unique? It could be, but once you are doing any salting in the first place, it is trivial to make it unique. All you have to do is let the salt be a sufficiently long string of random characters, and the probability of collisions will be negligible.

      or was part of the compromised data.

      Salts are stored together with the hash, so leaking one without the other is totally unlikely. But don't worry. Salts are designed such that they don't need to be kept secret.

      --

      Do you care about the security of your wireless mouse?
    5. Re:Is a password reset really appropriate? by si618 · · Score: 1

      There is only one salt per account, so of course it is unique per account. But that is probably not what you meant.

      No, it is exactly what I meant. How do you know the salt is unique? Did you write the code? It's easier to use the same salt for every account rather than making it unique, since it can be hard-coded and doesn't need to be persisted with the hash.

      See here for a more thorough explanation.

      But don't worry. Salts are designed such that they don't need to be kept secret.

      Of course, but as I said, if you're using the same salt for all your hashes then it becomes less secure.

      --
      Sometimes I doubt your commitment to Sparkle Motion
    6. Re:Is a password reset really appropriate? by kasperd · · Score: 1

      No, it is exactly what I meant. How do you know the salt is unique?

      I did not say that I know the salt is unique. I said the salt is unique per account, which is a tautology because there is only one salt per account.

      as I said, if you're using the same salt for all your hashes then it becomes less secure.

      Of course. If you are using the same salt for every account, you are not salting at all. You'd be reducing the salted hash down to simply an unsalted but non-standard hash function. That would not require much more computing power to brute force than an unsalted hash.

      But producing a good salt is easy. All you'd need to do was "head -c56 /dev/urandom | base64" or the equivalent in whatever language the system is written in.

      We will keep seeing these stories until we get more secure protocols for password authentication. What we need is a ZK protocol such that the password never leaves the client machine in the first place. And when the password is initially set up, there need to be one salt from the client and one salt from the server such that as long as one of them do it right, the salt will end up unique.

      People are deliberately designing computationally inefficient algorithms for password validation. Imagine if we could turn all of that CPU usage into some public key cryptography being part of a ZK protocol. We'd get something more secure and could possibly even reduce the amount of CPU time a server need to spend on validating a password.

      --

      Do you care about the security of your wireless mouse?
  21. And how do they know no content was accessed? by petsounds · · Score: 1

    So the attackers were able to get what sounds like direct access to the user database, or best case a backup copy, and yet we're expected to believe that the attackers couldn't gain access to the content database? (assuming it's even a different database) Or at least crack some really weak passwords within the two days before this was reported to users?

    In this kind of attack, the baddies are after the content. The user accounts themselves are mostly worthless -- can't really use them for spam or phishing. But there's probably some dummies out there who have put sensitive information in Evernote, and that's what I'd guess the bad guys are after.

    My guess is, Evernote has no frickin idea whether content was stolen or not, but they DO know that if they said that publicly they'd be in hot water.

  22. Re:And Evernote Is? by bfandreas · · Score: 1

    It was only after I started organizing my shopping list on Evernote that I noticed a streak of insanity in myself.

    There I was standing in front of a shelf in a shop. I noticed I forgot to put something onto my list. And I proceeded to append my Evernote list with the item I forgot to put on it.
    The sane thing to do would of course have been to SIMPLY GRAB THE STUFF FROM THE SHELF and not bother with Evernote at all.
    Therefore Evernote == insanity. And I'm better now.

    --
    20 minutes into the future
  23. Re:Forced to have an account... by Geeky · · Score: 1

    The sync is the point though, otherwise you might as well just use a local note app.

    I use it for random technical notes, pointers to useful howtos, command line snippets I want to remember, ideas for my blog... nothing that requires much in the way of security. I like that I can write the notes at work and have them on my home PC, or jot an idea on my phone while I'm out and expand on it when I'm front of the keyboard. I was looking for a note app that let me organise notes into folders with a bit of markup. I'm sure plenty of them exist, but the sync is the killer feature for me.

    Yes, to maintain my geek card I know I could use text files in a dropbox synced folder structure, or hack something together with some kind of rsync, but sometimes it's just easier to use a nice GUI app that just works.

    --
    Sigs are so 1990s. No way would I be seen dead with one.
  24. Re:Forced to have an account... by lennier · · Score: 1

    The sync is the point though, otherwise you might as well just use a local note app.

    A truly local note app is exactly what I want on my phone, for exactly the kind of security reason as this article highlights. I don't want my notes anywhere but in my pocket. That's why they're notes, not shared documents.

    But no. Most note apps out there automatically sync my private notes to some "cloud service" whether I want to or not. So far the best option I've found has been to install an app which wants to sync to a service I don't have an account on. But that's a dumb workaround to a dumber misfeature.

    Mobile and Cloud are two of the worst things that have happened to computer security at the moment. Far too many people are putting far to much data onto public storage with far too little privacy, and most of the time they're not even aware that it's happening. That's a problem, and eventually we're going to find out how much of a problem. But that will be long after the damage is done.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  25. OneNote by czth · · Score: 1

    I considered using EverNote at one point, but my concern was offline availability (for personal use on my laptop) and security (for use at work). I didn't think management would be happy with me storing proprietary/confidential data on someone else's remote server, so I stuck with OneNote. (I also didn't realistically think they'd get broken into, to be honest, just thought it would be frowned upon. Sometimes paranoia works for you.)

    I have looked into several open source alternate note-taking programs, but none of them worked for me as well as OneNote - some were too clunky, didn't have decent search, didn't do quick page hyperlinks, poor formatting, whatever. (Full disclosure: I used to work for Microsoft, which is where I started using OneNote - it was free for internal use - but I stuck with it after I left because it really is a great product.) I would be ecstatic to learn of a free/open source note-taking program that had parity with OneNote, but I haven't found one.

    1. Re:OneNote by Tool+Man · · Score: 1

      While formatting options make something like EverNote look interesting, I haven't yet found a must-have feature for me that negates the loss of control I feel over my info. I do like Pinboard for bookmarks, which I don't really treat as private, but most of the rest ends up in plain-text files that I can read anywhere. Combined with an encrypted file sync service like Wuala or SpiderOak, I feel 90% of the way there. I might end up adding Tiddlywiki in the same sync folders for items which need a bit more formatting though.