Ubuntu One needs cloud encryption like LastPass does it
Jordon Bedwell
jordon at envygeeks.com
Thu Apr 5 23:33:11 UTC 2012
On Thu, Apr 5, 2012 at 5:42 PM, Sam Smith <smickson at hotmail.com> wrote:
> The point is that SpiderOak (and Lastpass) never know the user's password.
> And never receive the encryption key. The key never leaves the user's
> computer. The server never gets it. The only thing that ever lands on the
> server is an encrypted blob.
From their website "Retrieve files from any internet-connected
device", "Access all your data in one de-duplicated location"... I
know to the easy consumer that doesn't spell lies but to me it reads
"We do know your encryption key, if we want to and little do you know,
we do have the ability to get the key that encrypts the encryption key
too." Companies lie all the time, or they tell pieces of a story and
never tell the entire story. Though I don't know if it's more of a
lie than an assumption on their end and maybe even they themselves not
even understanding what could possibly go wrong, or they just don't
care because the user doesn't pay too much attention after "WE NEVER
KNOW."
The key to knowing the full story is read "Retrieve files from any
internet-connected device." To add to it, let me point out this:
"Easily access all of your data from any device within your SpiderOak
network or on the web" which contradicts this: "SpiderOak never stores
or knows a user's password or the plaintext encryption keys which
means not even SpiderOak employees can access the data" and it's not so
much a direct contradiction as much as an arrogant assumption that we
(or I guess only I in this conversation) don't realise that their
employees do have a way to access it, they just need to do a couple
minutes worth of work, that is what makes it contradict.
> What this means is that the user doesn't have to worry about the 3rd party
> taking care of the data. If the 3rd party is hacked, if the 3rd party has a
> rogue employee, etc. The data has a much better chance of being safe than if
> it's implemented like say iCloud where even if the data is encrypted Apple
> holds the encryption key and can access the data anytime they want. If Apple
> can access the data, a rogue employee and a hacker can potentially access
> the data.
As you argue for encryption on UbuntuOne you need to realise that all
third parties are adversaries, Ubuntu is one and so is SpiderOak.
It's not much more secure, yes it *might* be considered more secure
from external adversaries after they have the data but it surely isn't
more secure from internal ones, the fact that you can access your data
from 'anywhere' proves that. That rogue employee need only attack the
website from inside the company and all is lost, or push out a dirty
update and even more is lost. You think it can't happen, ask Google
if it can. You aren't as safe as you assume, you are not even seeing
the entire picture of all possible attacks.
Just because Apple or Ubuntu can access the data doesn't mean that an
external 'hacker' can. That is an arrogant assumption IMO, the only
difference in this case is that even if the so called 'hacker' gets
your data he need do more work but the fact he got your data in the
first place is just as bad in both cases, regardless of the
encryption, you are just protected (somewhat, depending and one could
only really know if they actually know how they use the encryption. So
at this point I would assume I am no more secure if using SpiderOak.)
You are just as vulnerable to actual data theft encrypted or
unencrypted, and by data I mean any data, encrypted or not.