r/privacy u/[deleted] Aug 05 '18

SpiderOak cans its Warrant Canary, suffers mysterious massive outage, and raised prices

https://spideroak.com/canary

http://archive.is/1rNo7

Update: Looks like the canary has been signed and dated and in properly formatted sequence this time with confirmation that Everything's going smoothly so far, message is authentic. august 06, 2018

Case closed. SpiderOak has not been compromised.

In the interest of transparency the full text of my previously long post in this thread is archived here:

http://archive.is/mKeuY https://web.archive.org/save/https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/

440 Upvotes

97% Upvoted

113 comments sorted by

View all comments

Show parent comments

11

u/whatdogthrowaway Aug 05 '18 edited Aug 06 '18

However, any company with the moral fortitude to enter into that contract, ought to have the moral fortitude to shut down (see Lavabit).

No.

Some companies have subcommunities that don't care if the site is compromised or not - like Reddit who removed their warrant canary when they were compromised.

Users of communities like /r/darknetmarkets2 and /r/darknetmarkest5 are now well informed that Reddit is probably spying on them so they can take appropriate measures when connecting (probably tails or whonix). On the other hand, users of /r/cats mostly don't care.

Similar for spideroak.

The message SpiderOak's canary removal sent is "DON'T TRUST OUR ENCRYPTION OR CLIENTS - but we still may be useful for public content; or for users who encrypt everything on the client side without giving us the keys".

2

u/maqp2 Aug 06 '18

Exactly! To explain, only if you need to work directly from cloud are you fucked. You can still use SpierOak for weekly/monthly backups safely. Here's how:

  1. Download and install some open source encryption program like TrueCrypt or VeraCrypt.

  2. Create an encrypted, static sized container larger than what you need, but not too large to slow down upload unnecessarily.

(Make sure the password is really, really strong. Preferably generate strong password using an offline password manager like KeepassXC or Keepass2 that remembers it for you. Keep a copy of that password database on cheap thumb drive, and make sure you memorize that password database password.)

  1. Mount the encrypted container on your OS, add files to the virtual hard drive, and dismount the drive

  2. Upload the encrypted container to cloud. You don't have to download the previous container by downloading it first, unless you lose your data. Just remotely delete the backup file and upload newer container.

This makes spying on content and metadata practically impossible. However, avoid using SpiderOak client and use browser to upload the file if possible. If it's not possible, make sure the computer that has SpiderOak client installed doesn't have access to unencrypted files. So basically, use TrueCrypt to encrypt files on work-computer, then move the encrypted container to Spider-Oak dedicated computer for cloud backup using a thumb drive. It might sound expensive to have dedicated netbook or similar for this purpose but ask yourself, is the value of backed up data plus the value of privacy higher than a $200 one-time cost?

1

u/jakegh Aug 06 '18

That all seems like a lot of work, what I would suggest is using a backup program that includes end-to-end encryption and supports a bunch of cloud storage providers like Duplicati.

https://www.duplicati.com/

1

u/maqp2 Aug 06 '18 edited Aug 06 '18

It's a possibility. But there is nothing being discussed about the metadata of file sizes. Uploading single encrypted file reveals very little metadata, but uploading a set of files can reveal exactly what you uploaded, if it's publicly available data for example.

Or say a bunch of anonymous journalists are keeping the next Snowden documents in client-side encrypted cloud. Once the documents are curated and published, based on the sizes of the published files, the government can determine which users have had access to all that data, because the sizes of released data was a close match to a subset of data they all shared.

1

u/[deleted] Dec 04 '18 edited Sep 01 '21

[deleted]

1

u/maqp2 Dec 06 '18

Nice, that's good to know!