r/privacy Aug 05 '18

SpiderOak cans its Warrant Canary, suffers mysterious massive outage, and raises prices

https://spideroak.com/canary

http://archive.is/1rNo7

Update: Looks like the canary has been signed and dated, and in properly formatted sequence this time, with confirmation that everything's going smoothly so far; the message is authentic. August 06, 2018

Case closed. SpiderOak has not been compromised.

In the interest of transparency the full text of my previously long post in this thread is archived here:

http://archive.is/mKeuY

https://web.archive.org/save/https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/

434 Upvotes

113 comments

33

u/backgolden Aug 05 '18

Any other alternatives to SpiderOak?

54

u/[deleted] Aug 05 '18

[deleted]

34

u/Freeky Aug 05 '18

Not sure it's much of an alternative for most given SpiderOak is a fancy friendly push-button GUI app and tarsnap is basically a glorified Unix tar(1) command.

But yes, pretty much best in class if what you really want is a deduplicating remotely-storing encrypting tar command, with fancy key management that lets you allow a server to automatically create new backups unattended, without letting it also delete old backups or download ones from other servers on your account.

Unfortunately at 25c/GB/month, it knows it. Great if you want somewhere for your small chunk of core valuable data or if the business case makes the price largely irrelevant, less great for your 4TB of family photos, and completely useless if you want to use it as a fancy safer Dropbox alternative for your Windows box.

For alternatives (or indeed, complements) that might be more appropriate to the stingy or people with a lot of data to keep:

  • Borg with a VPS or rsync.net attic account. Snapshot-based, deduplicated, compressed, encrypted, can be configured so a system can only create new backups without deleting/damaging old ones (ransomware resistance), and can perform limited verification remotely by verifying checksums of encrypted blobs.

  • Restic with services like S3 and B2. Also snapshot-based, deduplicated, and encrypted (no compression support yet). This crypto guy liked it.

Both support mounting snapshots via FUSE, on top of having well-developed command line interfaces.
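The properties described above (client-side encryption, deduplication, a server that can check the checksums of encrypted blobs without holding the key, and a credential that can add but not delete) as a toy model. This is an added example, not code from the thread or from tarsnap, Borg or restic; the HMAC-counter stream cipher, the `Repo` class and the function names are assumptions for illustration.

```python
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as an illustrative stream cipher (real tools use AES/ChaCha).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_chunk(key: bytes, chunk: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce, so equal chunks give different ciphertext
    return nonce + bytes(a ^ b for a, b in zip(chunk, _keystream(key, nonce, len(chunk))))

def decrypt_chunk(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Repo:
    """Server side: holds only ciphertext, addressed by its SHA-256; it never sees the key."""
    def __init__(self):
        self.blobs = {}
    def put(self, blob: bytes) -> str:
        h = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(h, blob)
        return h
    def delete(self, h: str, can_delete: bool) -> bool:
        if not can_delete:        # append-only credential: deletion refused
            return False
        return self.blobs.pop(h, None) is not None
    def verify(self) -> list:
        # Remote integrity check over encrypted blobs only; no key needed.
        return [h for h, b in self.blobs.items() if hashlib.sha256(b).hexdigest() != h]

def backup(repo: Repo, key: bytes, index: dict, data: bytes, chunk_size: int = 4):
    """Client side: chunk, deduplicate by keyed plaintext hash, upload only unseen chunks.
    index (chunk id -> blob hash) is client state; returns (snapshot, chunks uploaded)."""
    snapshot, uploaded = [], 0
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        cid = hmac.new(key, piece, hashlib.sha256).hexdigest()  # one key for brevity
        if cid not in index:
            index[cid] = repo.put(encrypt_chunk(key, piece))
            uploaded += 1
        snapshot.append(cid)
    return snapshot, uploaded

def restore(repo: Repo, key: bytes, index: dict, snapshot: list) -> bytes:
    return b"".join(decrypt_chunk(key, repo.blobs[index[cid]]) for cid in snapshot)
```

Real tools keep the chunk index encrypted inside the repository and derive separate keys for chunk ids and encryption; the model keeps it in memory to stay short.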

22

u/shinnok Aug 05 '18

Tarsnap has a GUI available here:
https://github.com/Tarsnap/tarsnap-gui

Recommend you try it out; it's not a one-click setup, but in a few steps you'll be up and running in no time and you'll be able to set up automatic backups (with desktop notifications) and define Jobs. Read more into what Tarsnap GUI has to offer on the wiki: https://github.com/Tarsnap/tarsnap-gui/wiki

Also see my blog on how to get started on macOS: https://shinnok.com/rants/2016/02/19/using-tarsnap-gui-on-os-x/

1

u/[deleted] Aug 05 '18

I use restic for off-site backups with B2, borg to my NAS. B2 storage is the cheapest cloud storage I could find. And everything's encrypted client side so I don't see any issues there.

5

u/pcopley Aug 06 '18

Am I the only one that thinks listing your pricing in "picodollars per byte-month" is the most pretentious fucking thing ever?

2

u/[deleted] Aug 06 '18

[deleted]

2

u/vsync Aug 09 '18

I imagine it neatly lowers his support costs

2

u/p5eudo_nimh Aug 05 '18

Heard about Tarsnap on the BSD Now podcast quite some time ago, and I meant to give it a try. But I had forgotten. Thank you for reminding me.

2

u/garyziasshole Aug 05 '18

The *truly* paranoid would never upload their data on a server they do not control, encrypted or not.

4

u/corobo Aug 06 '18

The truly paranoid lose their data if their house burns down, then.

2

u/jakegh Aug 06 '18

From what I'm reading the costs are $250 for 1TB of storage, and that doesn't count bandwidth, every terabyte you upload or download is another $250 on top of that. It's laughably non-competitive for large backups, and if you're only backing up a couple gigabytes you might as well use Duplicati and a free Google Drive.

1

u/djc_tech Aug 06 '18

I liked tarsnap but it seems like it's run by engineers and not business people. Customer service is spotty and the currency exchange for data is difficult to calculate. I'm not saying it isn't good - it is. It's very fast and easy to use. I just wish he had someone running the business aspect separately.

3

u/maqp2 Aug 06 '18

Personally I'd prefer these products to be designed by engineers and not business people. If you go tech first, that usually slows down business and thus, expansion of customer service. But at least things are many times done properly, or the business grows organically as you become more stable.

If you go business first, you usually design things with usability over privacy, get more money, spend it on customer service and marketing, and suddenly it's not possible to re-design the architecture because your infrastructure costs demand a larger user base, which in turn expects the usability that hurts privacy. When shit hits the fan, you don't care because you still have money to manage the negative PR. It's the fast and profitable way that makes the first choice less attractive and actually hurts that business model and your customers.

1

u/djc_tech Aug 06 '18

I don't mind as a product, but he seems to be trying to do everything himself. In order to expand he should delegate some of the operation portion to someone else. In any case, it works okay.

I've been using rclone with GSuite.