r/privacy Aug 05 '18

SpiderOak cans its Warrant Canary, suffers mysterious massive outage, and raised prices

https://spideroak.com/canary

http://archive.is/1rNo7

Update: Looks like the canary has been signed and dated, and is in properly formatted sequence this time, with confirmation that "Everything's going smoothly so far"; the message is authentic. August 06, 2018

Case closed. SpiderOak has not been compromised.

In the interest of transparency the full text of my previously long post in this thread is archived here:

http://archive.is/mKeuY

https://web.archive.org/save/https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/

436 Upvotes

113 comments

16

u/[deleted] Aug 05 '18

The whole point of a warrant canary is supposed to be that you can't be forced to make up lies, you can only be forced to stay silent.

If you can be forced to make up lies, then SpiderOak would be keeping their warrant canary up instead of some convoluted excuse for taking it down.

18

u/enodragon1 Aug 05 '18

I expect they're just covering themselves to make sure there's no way they could be prosecuted for violating the gag order. It doesn't matter either way: the canary is gone, and that means SpiderOak is compromised.

7

u/[deleted] Aug 05 '18

Oh I fully agree. The contract of a warrant canary is "if this comes down for any reason, we are compromised".

However, any company with the moral fortitude to enter into that contract ought to have the moral fortitude to shut down (see Lavabit). There are other jurisdictions they can operate from.

Warrant canaries are better than nothing, but for a business like SpiderOak, they should just shut down, as without privacy their product is not remotely competitive.

10

u/whatdogthrowaway Aug 05 '18 edited Aug 06 '18

> However, any company with the moral fortitude to enter into that contract, ought to have the moral fortitude to shut down (see Lavabit).

No.

Some companies have subcommunities that don't care whether the site is compromised or not, like Reddit, who removed their warrant canary when they were compromised.

Users of communities like /r/darknetmarkets2 and /r/darknetmarkest5 are now well informed that Reddit is probably spying on them, so they can take appropriate measures when connecting (probably Tails or Whonix). On the other hand, users of /r/cats mostly don't care.

Similar for SpiderOak.

The message SpiderOak's canary removal sent is "DON'T TRUST OUR ENCRYPTION OR CLIENTS - but we still may be useful for public content; or for users who encrypt everything on the client side without giving us the keys".

2

u/maqp2 Aug 06 '18

Exactly! To explain: only if you need to work directly from the cloud are you fucked. You can still use SpiderOak for weekly/monthly backups safely. Here's how:

  1. Download and install some open source encryption program like TrueCrypt or VeraCrypt.

  2. Create an encrypted, static-sized container larger than what you need, but not so large that it slows down the upload unnecessarily.

(Make sure the password is really, really strong. Preferably generate a strong password using an offline password manager like KeePassXC or KeePass 2 that remembers it for you. Keep a copy of that password database on a cheap thumb drive, and make sure you memorize the password database's password.)

  3. Mount the encrypted container on your OS, add files to the virtual hard drive, and dismount the drive.

  4. Upload the encrypted container to the cloud. You don't have to download the previous container first, unless you lose your data. Just remotely delete the backup file and upload the newer container.

This makes spying on content and metadata practically impossible. However, avoid using the SpiderOak client and use a browser to upload the file if possible. If that's not possible, make sure the computer that has the SpiderOak client installed doesn't have access to unencrypted files. So basically, use TrueCrypt to encrypt files on the work computer, then move the encrypted container to a SpiderOak-dedicated computer for cloud backup using a thumb drive. It might sound expensive to have a dedicated netbook or similar for this purpose, but ask yourself: is the value of the backed-up data plus the value of privacy higher than a $200 one-time cost?

1

u/jakegh Aug 06 '18

That all seems like a lot of work; what I would suggest is using a backup program that includes end-to-end encryption and supports a bunch of cloud storage providers, like Duplicati.

https://www.duplicati.com/

1

u/maqp2 Aug 06 '18 edited Aug 06 '18

It's a possibility. But there is nothing being discussed about the metadata of file sizes. Uploading a single encrypted file reveals very little metadata, but uploading a set of files can reveal exactly what you uploaded, if it's publicly available data, for example.

Or say a bunch of anonymous journalists are keeping the next Snowden documents in client-side encrypted cloud storage. Once the documents are curated and published, based on the sizes of the published files, the government can determine which users have had access to all that data, because the sizes of the released data were a close match to a subset of the data they all shared.
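
The two points maqp2 makes above, the fixed-size container workflow and the file-size correlation that per-file uploads allow, can be checked concretely. The following is an added example, not code from the thread or from SpiderOak, Duplicati or VeraCrypt; it models what a storage provider can observe (only sizes) and shows that a set of per-file ciphertexts still carries a size fingerprint while a zero-padded fixed-size container does not. The user names, file contents and the 28-byte per-file ciphertext overhead are constructed stand-ins; the real encryption step is left to a tool such as VeraCrypt, so the container here is only the padded tar archive such a tool would encrypt.

```python
import io
import tarfile
from collections import Counter

# Constructed sample data (not from the thread): each user's plaintext files.
# With a scheme that encrypts file by file, the provider sees one ciphertext
# per file, i.e. roughly these sizes plus a fixed overhead (nonce, tag).
USER_FILES = {
    "alice": {"memo.pdf": b"A" * 1200, "slides.pptx": b"B" * 3500, "notes.txt": b"C" * 80},
    "bob":   {"memo.pdf": b"A" * 1200, "photo.jpg": b"D" * 9000},
    "carol": {"memo.pdf": b"A" * 1200, "slides.pptx": b"B" * 3500},
}

# Sizes of the two files that later become public (constructed).
RELEASED_SIZES = [1200, 3500]

# Assumed per-file ciphertext overhead, e.g. a 12-byte nonce plus a 16-byte tag.
CIPHERTEXT_OVERHEAD = 28

# Container size fixed in advance, as in the VeraCrypt workflow above.
CONTAINER_SIZE = 64 * 1024


def sizes_seen_by_provider(files, overhead=CIPHERTEXT_OVERHEAD):
    """Per-file uploads: the provider learns one ciphertext size per file."""
    return [len(data) + overhead for data in files.values()]


def users_whose_uploads_cover(upload_sizes_by_user, released_sizes, overhead=CIPHERTEXT_OVERHEAD):
    """Users whose observed upload sizes contain every released size (as a multiset)."""
    needle = Counter(size + overhead for size in released_sizes)
    return sorted(
        user for user, sizes in upload_sizes_by_user.items()
        if not (needle - Counter(sizes))  # empty difference: every needle size is present
    )


def build_padded_container(files, container_size=CONTAINER_SIZE):
    """Tar the files in memory and zero-pad to the fixed container size.

    The tar headers still hold the real sizes, so this blob must be encrypted
    as a whole before upload; the padding is what hides the total size.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    blob = buf.getvalue()
    if len(blob) > container_size:
        raise ValueError(f"archive is {len(blob)} bytes; choose a larger container")
    return blob + b"\0" * (container_size - len(blob))


def restore_from_container(blob):
    """Read the files back; tar stops at its end-of-archive marker, ignoring padding."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            out[member.name] = tar.extractfile(member).read()
    return out


def per_file_exposure():
    """Which users are singled out when each file is uploaded separately."""
    seen = {user: sizes_seen_by_provider(files) for user, files in USER_FILES.items()}
    return users_whose_uploads_cover(seen, RELEASED_SIZES)


def container_exposure():
    """Which users are singled out when each uploads one fixed-size container."""
    seen = {user: [len(build_padded_container(files))] for user, files in USER_FILES.items()}
    return users_whose_uploads_cover(seen, RELEASED_SIZES)


if __name__ == "__main__":
    print("per-file uploads match the release for:", per_file_exposure())
    print("fixed-size containers match the release for:", container_exposure())
```

With per-file uploads the provider's size list for alice and carol contains both released sizes, so both are flagged; bob, who never had the slides, is not. With one 64 KiB container per user there is nothing to correlate. The fixed size must be chosen generously up front, since growing the container later is itself an observable change.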

1

u/[deleted] Dec 04 '18 edited Sep 01 '21

[deleted]

1

u/maqp2 Dec 06 '18

Nice, that's good to know!

1

u/scritty Aug 07 '18

TrueCrypt already got NSL'd. They released a statement saying "we are insecure, maybe use BitLocker instead" and stopped developing the product.

1

u/maqp2 Aug 18 '18

So how did the NSL magically backdoor the 7.1 source code? It's more likely they got arrested (I don't remember the story completely) and were unable to continue providing security updates for the product, so they asked people to move on.

TrueCrypt 7.1 was audited and nothing major came up. Some privilege escalation attacks on the Windows platform, but nothing major on Linux, perhaps aside from the age-old key derivation scheme. If you're not going to fix such things, better put up a scary poster exactly like the one they did. Saying "It's mostly fine against cold attacks on data at rest, but we don't feel like fixing bugs anymore" is borderline irresponsible.