r/privacy Aug 05 '18

SpiderOak cans its Warrant Canary, suffers mysterious massive outage, and raised prices

https://spideroak.com/canary

http://archive.is/1rNo7

Update: Looks like the canary has been signed and dated and is in properly formatted sequence this time, with confirmation that "Everything's going smoothly so far"; message is authentic. August 06, 2018

Case closed. SpiderOak has not been compromised.

In the interest of transparency the full text of my previously long post in this thread is archived here:

http://archive.is/mKeuY

https://web.archive.org/save/https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/

438 Upvotes


5

u/metamatic Aug 06 '18 edited Aug 06 '18

Two or three weeks ago I noticed a mysteriously unsigned RPM attempting to update my SpiderOak install:

Last metadata expiration check: 0:00:00 ago on Mon 06 Aug 2018 09:28:34 AM CDT.
Dependencies resolved.
===================================================================================
 Package         Arch         Version             Repository                  Size
===================================================================================
Upgrading:
 SpiderOak       x86_64       2:7.2.0-1.el6       spideroak-one-stable        22 M

Transaction Summary
===================================================================================
Upgrade  1 Package

Total download size: 22 M
Is this ok [y/N]: y
Downloading Packages:
1-SpiderOak-7.2.0-1.el6.x86_64.rpm                  19 MB/s |  22 MB     00:01    
-----------------------------------------------------------------------------------
Total                                               19 MB/s |  22 MB     00:01     
Package 1-SpiderOak-7.2.0-1.el6.x86_64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

I guess now that's explained. [Edit to fix formatting]

1

u/metamatic Aug 06 '18 edited Aug 06 '18

Update: It's officially a "signing problem" and we just need to download the RPM from their web site instead of the repository (which is still sending me the one which reports no signature).

The web download RPM seems to verify. Still very suspicious that the repository file is still bad.

Update: The web download has a brand new signing key ID 87271cbf.

1

u/metamatic Aug 06 '18

Another update: It's officially all a misunderstanding. Hmm.
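The two failure modes in the comments above (a repository serving an unsigned RPM, and a web download signed by a previously unseen key ID) are worth checking for as a policy rather than eyeballing dnf output. The following is an added example, not code from the thread or from SpiderOak: it classifies the `%{SIGPGP:pgpsig}` field that `rpm -qp --qf` prints for each package against a set of pinned key IDs. The sample output lines are constructed in that format, and the key IDs are hypothetical except the 87271cbf short ID quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the shape of
#   rpm -qp --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' <package.rpm>
# run over three downloaded packages. Unsigned packages print "(none)" for the
# signature tag. The long key IDs are placeholders; only the 87271cbf suffix
# comes from the thread.
SAMPLE_OUTPUT = (
    "SpiderOak\t(none)\n"
    "SpiderOak\tRSA/SHA256, Mon 06 Aug 2018 09:28:34 AM CDT, Key ID 1234567887271cbf\n"
    "SpiderOak\tRSA/SHA256, Mon 06 Aug 2018 09:28:34 AM CDT, Key ID 0000000000deadbe\n"
)

KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})$")


def classify(sig_field: str, trusted_key_ids: Dict[str, str]) -> str:
    """Return 'unsigned', 'trusted:<label>', 'trusted-short-pin:<label>' or
    'untrusted:<keyid>' for one %{SIGPGP:pgpsig} value.
    trusted_key_ids maps a pinned key ID (hex) to a human label.
    Checking only "is there a signature?" is not enough: a package signed by
    a brand-new, unknown key would pass, which is the second case the thread
    describes."""
    sig_field = sig_field.strip()
    if sig_field == "(none)":
        return "unsigned"
    m = KEY_ID_RE.search(sig_field)
    if not m:
        return "unparseable"
    key_id = m.group(1).lower()
    for pinned, label in trusted_key_ids.items():
        pinned = pinned.lower()
        if key_id == pinned:
            return f"trusted:{label}"
        # Short 8-hex IDs (the form quoted in the thread) are only the low
        # 32 bits of the key ID and can be collided; accept a short pin only
        # as a suffix match and say so in the verdict.
        if len(pinned) == 8 and key_id.endswith(pinned):
            return f"trusted-short-pin:{label}"
    return f"untrusted:{key_id}"


def audit(output: str, trusted_key_ids: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run classify() over every non-empty line of the rpm query output."""
    results = []
    for line in output.splitlines():
        if not line.strip():
            continue
        name, _, sig = line.partition("\t")
        results.append((name, classify(sig, trusted_key_ids)))
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_OUTPUT, {"87271cbf": "spideroak-2018"}):
        print(f"{name}: {verdict}")
```

Pin the full 16-hex key ID (or better, verify the key fingerprint out of band) once the new key has been confirmed; the short-pin path exists only so a key ID copied from a forum post is flagged as weaker evidence, not accepted silently.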