| Not sure that the 'export' law isn't bafflegab. SpiderOak seems to be working just fine at https://spideroak.com/. According to their site:
SpiderOak uses a layered approach to encryption, using a combination of 2048
bit RSA and 256 bit AES. Most importantly, however, the outer level keys are never stored plaintext
on the SpiderOak server. They are encrypted with 256 bit AES, using a key
created by the key derivation/strengthening algorithm PBKDF2 (using sha256),
with 16384 rounds, and 32 bytes of random data ("salt"). This approach prevents
brute force and pre-computation or database attacks against the key. This means
that a user who knows her password, can generate the outer level encryption key
using PBKDF2 and the salt, then decipher the outer level keys, and be on the
way to decrypting her data. Without knowledge of the password, however, the
data is quite unreadable.
On 2013-07-11, at 11:22 AM, T.Rob <
">
> wrote: Is that for general public consumption? Last I looked, the Evernote web site still said they are constrained by export laws. I know Steve Gibson would be VERY interested to hear it. He and Leo LaPorte are both users but constantly warn listeners not to put anything important there. I'm sure Evernote is taking a hit from the negative publicity and the news could reverse that trend. But I won't forward to them without knowing Evernote can confirm it or that it's already published. Or Evernote can just contact them directly. I'm sure Steve and Leo would at least tone down the "don't put important stuff here" message if they knew there is better crypto on the way soon. -- T.Rob From: Matt Hogan [mailto:matt@datacoup.com]
Sent: Thursday, July 11, 2013 10:50 AM
To: T.Rob
Cc: Drummond Reed; ProjectVRM list
Subject: Re: [projectvrm] Evernote (Was: FetchThis: Q about credentials) I chatted with a friend over at evernote, and here is the official word they gave back as far as 64-bit RC2 vs. 256-bit AES: Evernote is planning to launch significant upgrades to the optional client-side encryption features later this year, including updated algorithms to take advantage of the additional flexibility allowed under changes to the US export control laws, as well as other user-selectable features. Just figured I'd let the group know, and any evernote users, know. I put a Flattr button on my web site. Does that count? In any case, you've given me a great idea what to do for the holiday. I'm going to stand by the freeway ramp with a sign that says "Will consult for tips" which has a certain symmetry in that I'd be both giving and getting them. T.Rob, if the list had a tip jar, I'd be filling it for you. Thanks for the good practical advice. For what it's worth, Personal uses 256-bit AES and Evernote uses 64-bit RC2 with 40-bit keys to encrypt your data. If you don't have an account yet, steer towards Personal instead of Evernote. If you do have an Evernote account, consider that their explanation for using RC2 is due to crypto export restrictions. Those restrictions were removed long ago when it became apparent that everything under the original crypto restrictions was brute-forceable. Not the place for your most sensitive data. This is a truly tough issue to deal with and I empathize with you. I was part of the team that built the worlds first commercially secure operating system (http://www.secure64.com) so I understand what it takes to really lock down an OS (it's ridiculous). If hackers can get in to Govt. sites etc then unfortunately there's no way anymore to say that a system is truly secure. Without Root Trust, and a hardware platform and operating system that compliments it, it's impossible to offer that level of security with Linux or Windows in a commercial environment (vs. Military). Security & Privacy is a process not a product. VRM will need to apply a defense in depth strategy that increases identity authentication requirements as the value of the data goes up. This is why Kevin's idea of distributing your date through multiple clouds makes a lot of sense. If all the data is distributed it will be harder to hack every site to access your data. However if the hacker guesses your login then it doesn't matter anyway. And this is why I want to introduce another concept to VRM… contact. The smartphone is the marriage of content and contact, and it's really the first to do so in a convenient package. I believe that VRM solutions of the future will require voice authentication to access data as well as additional forms of physical identification such as a retinal scan. BTW still nothing showing up in Evernote. I'll update you in the am. _________________________
Peter J. Cranstone
CEO. 3PMobile Boulder, CO USA <image001.png>
Improving the Mobile Web Experience CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.
-- CEO/Founder
DataCoup, Inc.
|