Ubuntu One needs cloud encryption like LastPass does it

Paul Smith paul at mad-scientist.net
Fri Apr 6 01:04:57 UTC 2012


On Thu, 2012-04-05 at 18:33 -0500, Jordon Bedwell wrote:
> On Thu, Apr 5, 2012 at 5:42 PM, Sam Smith <smickson at hotmail.com> wrote:
> > The point is that SpiderOak (and Lastpass) never know the user's password.
> > And never receive the encryption key. The key never leaves the user's
> > computer. The server never gets it. The only thing that ever lands on the
> > server is an encrypted blob.
> 
> From their website "Retrieve files from any internet-connected
> device", "Access all your data in one de-duplicated location"... I
> know to the easy consumer that doesn't spell lies but to me it reads
> "We do know your encryption key, if we want to and little do you know,
> we do have the ability to get the key that encrypts the encryption key
> too."  Companies lie all the time, or they tell pieces of a story and
> never tell the entire story.  Though I don't know if it's more of a
> lie than an assumption on their end and maybe even they themselves not
> even understanding what could possibly go wrong, or they just don't
> care because the user doesn't pay too much attention after "WE NEVER
> KNOW."
> 
> The key to knowing the full story is read "Retrieve files from any
> internet-connected device."  To add to it, let me point out this:
> "Easily access all of your data from any device within your SpiderOak
> network or on the web" which contradicts this: "SpiderOak never stores
> or knows a user's password or the plaintext encryption keys which
> means not even SpiderOak employees can access the data" and it's not so
> much a direct contradiction as much as an arrogant assumption that we
> (or I guess only I in this conversation) don't realise that their
> employees do have a way to access it, they just need to do a couple
> minutes worth of work, that is what makes it contradict.

None of the statements you quote above are proof of lying (or
incompetence), or even indicative of it.

The crux of the issue is simply that SpiderOak is a proprietary program
and so you don't know what it REALLY does.  The model that SpiderOak
documents on their web site IS secure.  It's definitely more secure than
Ubuntu One.  The passphrase is never sent to the server at all and the
content cannot be (reasonably) decrypted without the passphrase.  They
have a downloadable application that runs on your local system, and if
you use that and never use their web interface to browse your files then
your passphrase is never transmitted over any network at all, encrypted
or not.

If the software behaves as documented, then they are right: SpiderOak
employees cannot decrypt your files.  Period.  Phrases like "retrieve
files from any internet-connected device" don't matter: it just means
you enter that passphrase into the application running on the local
device to decrypt the files after they're downloaded from the servers:
it doesn't require the passphrase to be transmitted to the servers.

Of course the problem is "IF", above: the _documented_ model is secure,
but that doesn't stop a SpiderOak employee with sufficient access from
adding a back door to the application, which will grab the passphrases
and send them along.  That's a risk with ANY encryption software that
you didn't write completely yourself, of course, even ssh etc., but it's
much more risky with proprietary software for obvious reasons.

If that's what you meant, then you should have just said so clearly
instead of couching it in ominous-sounding hints and accusations.
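
The documented model discussed in this message, as an added example (not part of the original post and not SpiderOak's or LastPass's code): the key is derived from the passphrase on the device, the server object only stores opaque blobs, and a second device retrieves the file by downloading the blob and decrypting locally. All names are hypothetical, and the HMAC-SHA256 counter-mode keystream is a stdlib-only stand-in for a real AEAD such as AES-GCM; it shows what a client that behaves as documented sends, not what a proprietary client actually does.

```python
import hashlib, hmac, os

def derive_keys(passphrase: str, salt: bytes):
    # Runs on the user's device only. The salt is not secret and travels with the blob.
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption of this example): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def client_encrypt(passphrase: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag  # the only thing that is uploaded

def client_decrypt(passphrase: str, blob: bytes) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

class BlobServer:
    """Hypothetical storage provider: records everything it is ever given."""
    def __init__(self):
        self.blobs = {}
    def put(self, name: str, blob: bytes):
        self.blobs[name] = blob
    def get(self, name: str) -> bytes:
        return self.blobs[name]

def demo():
    server = BlobServer()
    passphrase = "correct horse battery staple"   # constructed sample
    document = b"meeting at noon"                  # constructed sample
    # Device A: encrypt locally, upload only the blob.
    server.put("notes.txt", client_encrypt(passphrase, document))
    # Device B ("any internet-connected device"): download, then decrypt locally.
    recovered = client_decrypt(passphrase, server.get("notes.txt"))
    # Nothing the server holds contains the passphrase or the plaintext.
    seen = b"".join(server.blobs.values())
    leaked = passphrase.encode() in seen or document in seen
    return recovered, leaked

if __name__ == "__main__":
    print(demo())
```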





More information about the Ubuntu-devel-discuss mailing list