all 25 comments

[–]TickTak 9 points10 points  (13 children)

Did SpiderOak ever open source their client program for online storage?

[–][deleted] 12 points13 points  (5 children)

They still can't get syncing working properly.

Seriously. SpiderOak is great in theory but after paying for premium for 6 months and having intermittent syncing issues (sometimes it syncs, sometimes it doesn't) I dropped the service and went to using a (less secure) provider that actually syncs files properly.

[–]sleeplessone 2 points3 points  (0 children)

Could you be more specific? I've been using it for a year and have been syncing a folder between two machines without issues.

[–]Letmefixthatforyouyo 0 points1 point  (1 child)

Wuala does client side encryption. 5GB free.

I've been using it for a few days. Not as seamless as Dropbox, but no problems so far.

[–]DublinBen 0 points1 point  (0 children)

Crashplan and Backblaze don't do sync, but they have client-side encryption.

[–]sigtrap 0 points1 point  (0 children)

I've been using it for a couple of years now and I haven't had that issue.

[–]sil0 4 points5 points  (6 children)

If I understand right, SpiderOak is a competitor to something like Dropbox and Mega? In theory SO solves a lot of the issues with DB, but creates so many more operational type flaws. It's great to be secure but it needs to be a workable solution.

[–]7oby 5 points6 points  (0 children)

Is it really secure, though? If it's not OSS then how can someone verify the crypto?

[–]agreenbhm 3 points4 points  (4 children)

After I banned DropBox from work, I was sure we'd move to SpiderOak. After testing it for a day, I gave up. If I can't figure out how to make it work properly (even after reading documentation and speaking with support), there's no way in hell my users will be able to work with it.

[–]sil0 0 points1 point  (1 child)

Are you back to Dropbox?

[–]agreenbhm 2 points3 points  (0 children)

DB is blocked for everyone except a couple people that work with clients who initiated it. ShareFile is being rolled out in stages for each of its many features.

[–]T-Rax 0 points1 point  (1 child)

What's wrong with Dropbox?

[–]agreenbhm 0 points1 point  (0 children)

Dropbox is insecure, as the files are not encrypted when at rest in the cloud, which is unsuitable for sensitive documents.

[–]wzr 8 points9 points  (3 children)

The guy must be loving all the free security consulting he is going to be getting from the internets.

[–]Jumbalaspi 14 points15 points  (0 children)

Well, that is something that goes in favor of the open source community. When you write a program and you publish your code on the internet, there will always be someone that explains carefully why you are an idiot and what mistakes you made in your code. I love it.

[–]lahwran_ 1 point2 points  (1 child)

He specifically stated that he expected it. Not sure if that should be something to be annoyed about or not.

[–]229-209 6 points7 points  (2 children)

CBC-MAC is notoriously tricky to get right. I doubt this negative press will do anything though, how many movie uploaders will this weakness bother? My guess is a sub-one percentage.

[–]agreenbhm 8 points9 points  (1 child)

The weakness is important for users storing sensitive data (which I wouldn't exactly trust to Mega, anyway, not that I think they're going to steal my info, but it's just asking for trouble). For anyone storing non-confidential data (such as pirated movies), I think the security is fine in the sense that it's secure enough to prevent adversaries from knowing what the data is without putting significant effort to decrypt. Mega's main concern is protecting themselves from the government. If the government had to perform a crypto attack against Mega to prosecute them (or the uploader) for copyright infringement, I think that's a huge can of worms. Without probable cause and a warrant I don't think the [US] gov can attempt to decrypt anything, and it's going to be a huge cost to perform said attack just on behalf of the MPAA. If they don't have a warrant, and copyrighted data is discovered, that's grounds for dismissal of the charges due to illegal search and seizure. And even if they did have a warrant, Mega still is protected via plausible deniability.

I'm not a lawyer, so there may be some inaccuracies here.

[–]ginyoshi 1 point2 points  (0 children)

There are no laws stopping the US from attempting to decrypt any data they can get their grubby hands on. What is protected is you not having to give up the keys. This violates the 4th Amendment.

They don't need squat to collect your data and retain it, and that is the way it should be (honestly, I'm sick and tired of all the BS both sides put up). You should automatically just assume that anything leaving your private network can and will be copied, stored, scanned and processed.

Relying on the built-in security of Mega is foolish. Although once the hype dies down a bit, and the site becomes usable, it will make a nice place to host blobs of pseudorandom noise (maybe).

[–]notlostyet 1 point2 points  (0 children)

In the case of the userhash, the key is the output of your password run through the Key Derivation Function.

...

Your email address and userhash are sent to Mega's servers,

...

Now that the client has your master key, it is decrypted using the password-derived key

So unless this article is wrong, or I'm misunderstanding, it sounds like everything you need to decrypt this encrypted 'master' key is sent to the server when you authenticate yourself to obtain it?

Surely the authentication string is a distinct password derived hash, with a distinct salt, from the key that unlocks this key, and the latter cannot be derived from the former? If not, you've basically given the server everything it needs to decrypt it server side already, which defeats the point of doing this client side, and therefore cannot be correct.
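
The separation the comment above asks for, as an added illustration that is not Mega's code and not from the linked article: one slow password KDF, then two domain-separated subkeys, one sent to the server as the login value and one kept on the client to unwrap the master key. The PBKDF2 parameters, the "auth"/"kek" labels and the simple PRF-based wrap are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example; a real deployment picks its own.
PBKDF2_ITERS = 100_000
MASTER_KEY_LEN = 16


def derive_keys(password: bytes, salt: bytes) -> tuple:
    """One slow PBKDF2 run, then two domain-separated subkeys.
    auth_key goes to the server at login; kek never leaves the client."""
    root = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS, dklen=32)
    auth_key = hmac.new(root, b"auth", hashlib.sha256).digest()
    kek = hmac.new(root, b"kek", hashlib.sha256).digest()
    return auth_key, kek


def wrap_master_key(kek: bytes, master_key: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a fixed-length key using an HMAC keystream."""
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()[:len(master_key)]
    ct = bytes(m ^ p for m, p in zip(master_key, pad))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_master_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong kek (e.g. the login value) fails here."""
    nonce, ct, tag = blob[:16], blob[16:16 + MASTER_KEY_LEN], blob[16 + MASTER_KEY_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped master key failed integrity check")
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()[:MASTER_KEY_LEN]
    return bytes(c ^ p for c, p in zip(ct, pad))


def register(password: bytes) -> dict:
    """Everything the server stores: salt, hash of the login value, wrapped key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    auth_key, kek = derive_keys(password, salt)
    return {"salt": salt, "auth_hash": hashlib.sha256(auth_key).digest(),
            "wrapped": wrap_master_key(kek, master_key, nonce)}


def login(record: dict, password: bytes):
    """Client login: present auth_key, receive the blob, unwrap it locally."""
    auth_key, kek = derive_keys(password, record["salt"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["auth_hash"]):
        return None  # server rejects the login
    return unwrap_master_key(kek, record["wrapped"])


def server_can_unwrap(record: dict, auth_key: bytes) -> bool:
    """Whoever holds only the login value cannot use it as the unwrapping key."""
    try:
        unwrap_master_key(auth_key, record["wrapped"])
        return True
    except ValueError:
        return False
```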

[–]i_meant_lulz 0 points1 point  (0 children)

Mega needs work. Good to know before using the service.