Posts by Rarely Posts

Another one...

Keeping to the sweets theme but expressing similar sentiments to earlier postings:

Pip

(https://www.aquarterof.co.uk/hard-boiled-pips.html)

Almost as small as the number of devices that will get it...

I Don't Get It.....

I may have missed the nuances of this as I am not currently a person who feels I have a true need for such security. I understand that there are those that do and that I may also at some time if I ever store anything more than those hilarious cat pictures out there on the Internet.

If a single “Canary” covers anyone in the entire user-base, rather than being on an account-by-account basis, killing the “Canary” will kill the business (or a least put it in hospital). Even those that never actually felt the need to check the “Canary’s” pulse will get spooked when sites like The Reg report that the SpiderOak “Canary” has, “… run down the curtain and joined the bleedin' choir invisible!!”. This is very likely to bring on an unnecessary bout of paranoia and an unnecessarily closed account, as users not actually affected by any court order think that someone is after them.

So regardless of whether the health status is supposed to be updated every week, month, six months, SpiderOak is going to want to be really, really, really sure it needs to shut up shop before pressing what is tantamount to a self-destruct button, regardless of the time period stated.

However my points are:

If the server has “zero-knowledge” then the customer encrypts at their end and sends encrypted data ONLY to the SpiderOak server for storage.

If the key is not on the server then only the customer has the key.

Therefore any requirement to disclose data will only provide encrypted data.

If the sort of person who would seek such an order already has the key then they have penetrated the users system(s) to a point where they most likely have access to all the data anyway (assuming that they “key” involves some kind of LOCAL cert and a passphrase rather than just using the user’s password with any old SpiderOak client software and a private cert provided by SpiderOak).

So unless the encryption is weak, or unless the SpiderOak system already has a method of removing a user’s encryption, or unless the SpiderOak business just feels the need to build in its own self-destruct button, what is the actual point of this apart from traumatising ALL users when the “Canary” croaks?

Apologies if I have missed something simple it is just that as I see it shouldn't SpiderOak's design mean that such a "Canary" system is not actually needed?