Conversations about life & privacy in the digital age

Responsibly Bringing a new Cryptography Product to Market

Post-Snowden, technologists have rushed a variety of “liberation tech” projects to market, making boastful claims about the cryptographic capabilities that protect their customers’ privacy. The goals are noble, but the results have sometimes been embarrassing.

We’re building a new crypto product ourselves: a high-level secure-by-default framework developers can use to build end-to-end cryptographic applications without writing crypto.

Here’s what we required:

  1. Be open source, so it can be independently verified
  2. Have a spec
  3. Have a threat model
  4. Have clear, well-documented code
  5. Be audited by security professionals with a crypto background

In this post I’ll share how we’re going about #5. We’re committed to development in the open, including security review.

The first audit we could schedule was with three researchers from the Least Authority team. We chose them, among other reasons, because they have deep experience building verifiable storage systems. For anyone in that market, Tahoe-LAFS is a must-read.

Auditing is both expensive and hard to schedule, with leading organizations booked months in advance. The best teams are not limited by their ability to sell their services but by their ability to hire and deliver the work. Consequently there’s very little downward pressure on their rates.

To get the most from a security audit, it’s best to go in with the cleanest code possible. It’s like brushing your teeth before you visit the dentist. It’s impolite and ineffective to ask someone to puzzle over the subtleties of code you haven’t clarified [1].

We focused this first audit narrowly on a bare-bones, single-user (no collaboration or multi-user sharing) demo application built with the Crypton framework. Our goal was good coverage of the framework’s core fundamentals: account creation, authentication, and single-user data storage.

Unfortunately, by the time the audit could begin, there were three issues the Crypton team knew about but hadn’t had a chance to fix or even document. The auditors independently discovered two of those three, and their report carries a lead on the third (less severe) issue, tagged [UNRESOLVED]. They also found three other serious issues unknown to the team. Overall, some of the best money we’ve ever spent!

Since the purpose of this post is to set clear expectations, I think it’s important to share real numbers, so I cleared doing so with Least Authority.

Zooko explained, “We gave SpiderOak a small discount on our normal price, and moreover we pushed back our other projects in order to get the work done for you first. We did these two things because we wanted to form a relationship with SpiderOak since you provide end-to-end-encrypted storage, and we wanted to support Crypton because it is end-to-end-encrypted and is fully Free and Open-Source Software.”

Our bill was $30,000, or about $5k per researcher per week.

We have a second audit scheduled with the nice folks at Leviathan Security, covering the multi-user features of Crypton, and we’ll share that report when it’s complete. In the meantime, here’s the report (rst, pdf) from the first audit by Least Authority.

Here are some of the resulting GitHub issues and pull requests to resolve the findings: Issues B, C, D, and E.

The resolution for Issue A involves a switch to SRP-based authentication. This was already on the longer-term roadmap because it brings several additional benefits, but it has proved a nontrivial undertaking and that effort is still ongoing. The next audit, by Leviathan Security, gives some attention to this implementation.
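The post doesn’t describe Issue A or Crypton’s own SRP implementation, so what follows is an added illustration, not Crypton code: a complete SRP-6a (RFC 5054) exchange in Python, with the client and server in one process. It shows the property that motivates the switch: the server enrolls only a salt and a verifier, the password never leaves the client, and a wrong password fails the proof check instead of silently producing a mismatched key. The group is the 1024-bit one from RFC 5054 Appendix A (copied here; confirm it against the RFC before reuse), SHA-256 stands in for the hash, and the plain-hash password derivation is the RFC’s construction, not a recommendation.

```python
"""Toy SRP-6a exchange (client and server in one process): added example, not Crypton's code."""
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A (copied from the RFC; re-check before any real use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E8"
    "6072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0"
    "E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N, as RFC 5054 requires before hashing."""
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def Hi(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")


k = Hi(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    # RFC 5054's x = H(s | H(I | ":" | P)). A leaked verifier is still offline-guessable,
    # so a real deployment would put a slow KDF here (assumption: this toy does not).
    return Hi(salt, H(identity, b":", password))


def enroll(identity: bytes, password: bytes) -> tuple:
    """Client-side registration: the server receives only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


def proof_m1(identity: bytes, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """Client proof, RFC 2945 style: H(H(N) xor H(g) | H(I) | s | A | B | K)."""
    hn, hg = H(pad(N)), H(pad(g))
    return H(bytes(x ^ y for x, y in zip(hn, hg)), H(identity), salt, pad(A), pad(B), K)


class Server:
    def __init__(self, identity: bytes, salt: bytes, verifier: int):
        self.identity, self.salt, self.v = identity, salt, verifier

    def challenge(self, A: int) -> tuple:
        if A % N == 0:  # a zero A would force S = 0 on the server side
            raise ValueError("client public value is invalid")
        self.A = A
        self.b = secrets.randbits(256)  # 256-bit random private exponent
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1: bytes) -> bytes:
        u = Hi(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # (A * v^u)^b
        self.K = H(pad(S))
        if not hmac.compare_digest(M1, proof_m1(self.identity, self.salt, self.A, self.B, self.K)):
            raise ValueError("password proof rejected")
        return H(pad(self.A), M1, self.K)  # M2: proves the server held the verifier


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.identity, self.password = identity, password

    def start(self) -> int:
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server public value is invalid")
        u = Hi(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u must be nonzero")
        x = private_x(self.identity, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # (B - k*g^x)^(a + u*x)
        self.K = H(pad(S))
        self.M1 = proof_m1(self.identity, salt, self.A, B, self.K)
        return self.M1

    def finish(self, M2: bytes) -> bytes:
        if not hmac.compare_digest(M2, H(pad(self.A), self.M1, self.K)):
            raise ValueError("server proof rejected")
        return self.K


def run_exchange(identity: bytes, enrolled_pw: bytes, typed_pw: bytes) -> tuple:
    """Return (server accepted the login, both sides hold the same session key)."""
    salt, verifier = enroll(identity, enrolled_pw)
    server, client = Server(identity, salt, verifier), Client(identity, typed_pw)
    try:
        M2 = server.verify(client.respond(*server.challenge(client.start())))
    except ValueError:
        return False, False
    return True, client.finish(M2) == server.K


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse battery", b"correct horse battery"))  # (True, True)
    print(run_exchange(b"alice", b"correct horse battery", b"wrong password"))  # (False, False)
```

Two things worth noting before treating this as a template: the `A mod N == 0`, `B mod N == 0` and `u == 0` checks are what stop a malicious peer from forcing a predictable session key, and because the verifier is a deterministic function of the password, a stolen verifier still allows an offline dictionary attack, which is why the `x` derivation is where a slow KDF belongs.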

Update: Zooko at Least Authority just published an article discussing their motivation for accepting the project.

Update 2: The originally published version of this post erroneously linked to a non-final draft of the report from Least Authority. That link is corrected, and the final audit report should say “Version 1, 2013-12-20” at the top.

NOTES:

[1] Zooko shared a story about an experiment conducted by Ping Yee in 2007. The results of the experiment illustrate the challenges of auditing.

In short, several very skilled security auditors examined a small Python program — about 100 lines of code — into which three bugs had been inserted by the authors. There was an “easy,” “medium,” and “hard” backdoor. There were three or four teams of auditors.

1. One auditor found the “easy” and the “medium” ones in about 70 minutes, and then spent the rest of the day failing to find any other bugs.

2. One team of two auditors found the “easy” bug in about five hours, and spent the rest of the day failing to find any other bugs.

3. One auditor found the “easy” bug in about four hours, and then stopped.

4. One auditor either found no bugs or else was on a team with the third auditor — the report is unclear.

See Chapter 7 of Yee’s report for these details.

I should emphasize that I personally consider these people to be extremely skilled. One possible conclusion that could be drawn from this experience is that a skilled backdoor-writer can defeat skilled auditors. This hypothesis holds that only accidental bugs can be reliably detected by auditors, not deliberately hidden bugs.

Anyway, as far as I understand the bugs you folks left in were accidental bugs that you then deliberately didn’t-fix, rather than bugs that you intentionally made hard-to-spot.

The Crypto-Cherub Asks You: What Apps Should He Shoot Privacy Into?

We’re wildly, madly in love with privacy but we’re not keeping it a secret.

Many of you know we’ve spent a lot of the past year working on Crypton. And we believe it is the future. We plan to use it to build a new internet, and hope others will take its open source code to infuse their apps with privacy. We’re about ready to get started: our Crypton code just underwent two large security audits, and we plan to share the results here on the blog in the coming two weeks.

There are also some other exciting things happening in the next few weeks. We believe strongly that in all conversations about data security, the cloud, and the future of the Internet, Zero-Knowledge privacy should be at the table:

On the cusp of these events, and in celebration of our passion for privacy this Valentine’s Day, we ask for your help, input and ideas. You always make us better and influence what we do. (Yes, we love you!)

What apps do you want to see our Crypto-Cherub shoot his privacy arrows into in 2014?

SpiderOak to Become OSS & More: What to Expect From Us in 2014 (PART I)

To kick off the New Year, we asked our followers on Twitter what they wanted to see from us in 2014. Our CTO and Co-Founder Alan Fairless specifically addresses everyone who sent in their request, below. In Part II, our CEO Ethan Oberman will share even more about what you can expect from us throughout the year.

By the way – we just launched our new web portal design! Check it out and tell us what you think.

What you said you wanted to see from us (in no particular order):

SpiderOak improvement suggestion from Twitter

Alan: 5.1.1 was a big improvement in this regard, but there are still some edge cases (particularly with garbage bin and many purges) or folders with hundreds of thousands of items that we’ll optimize further.

SpiderOak improvement suggestion from Twitter

Alan: SpiderOak already gives you your own encryption keys (derived from your password). We don’t control those! Agree we need to update our 2-factor option. Google Authenticator protocol and YubiKey are top items to support.

SpiderOak improvement suggestion from Twitter

Alan: OK! We already sign our Windows installer but this is a great idea.

SpiderOak improvement suggestion from Twitter

Alan: Email support@spideroak.com anytime and we’ll make you a nice offer for these :) Otherwise we have plans to do more A/B testing on the pricing options we offer and make some changes in the coming year.

SpiderOak improvement suggestion from Twitter

Alan: Maybe…

SpiderOak improvement suggestion from Twitter

SpiderOak improvement suggestion from Twitter

Alan:  YES!!!  The need for this has never been greater, and it’s become a priority! We expect SpiderOak to become OSS in 2014. But also, every new project we’ve created in the last four years has been open source since day one, including Nimbus.io and Crypton.io.

SpiderOak improvement suggestion from Twitter

Alan: Point in time recovery! Yes! I agree this is a useful option.  Of course right now SpiderOak stores all historical versions, so all the information is there and you could do it manually, but there’s no current interface for doing this automatically.

SpiderOak improvement suggestion from Twitter

SpiderOak improvement suggestion from Twitter

Alan: Underway! And our new web portal just went live yesterday.

SpiderOak improvement suggestion from Twitter

Alan: An easy fix might be to add a wildcard exclude (in preferences) for the lock files. Agree this can sometimes be annoying — deleting from syncs is a harder problem than it seems, because the app doesn’t always know exactly when the deletion happened. It knows that the file was there at one point, and gone at another point, and knows the deletion happened sometime between those two, but not exactly when. So sometimes getting the calculation of which files should be there is hard. We err on the side of caution of not deleting the file if we’re not sure.

SpiderOak improvement suggestion from Twitter

Alan: Coming!

SpiderOak improvement suggestion from Twitter

SpiderOak improvement suggestion from Twitter

Alan: Coming!

SpiderOak improvement suggestion from Twitter

SpiderOak improvement suggestion from Twitter

Alan: AGREE! Sorry, we just got absolutely slammed over the holidays, but we are hiring now and will hopefully have support caught up in the next few days. Thanks for your patience in the meantime.

Thanks to everyone who wrote in.

What about you? What do you want to see from SpiderOak this year?

And Now: a SpiderOak Video Singalong (12 Days of Privacy)

“On the 12th Day of Privacy, SpiderOak gave to me….”

For those of you who would like to see a slightly embarrassing and quite silly compilation of SpiderOakers singing what we’ve deemed The 12 Days of Privacy*, this is for you! We have more than 50 employees all over the world, and this is but a selection of them – from our developers, to customer support, to sales and marketing folks, and yes – even our co-founders. (If you make it through all four minutes – you deserve an award.)

But seriously, thanks for watching! We had fun.

Meanwhile, for the rest of December, you CAN in fact nab 25% off all yearly plans. Here’s how.

What lyrics would you include in the “12 Days of Privacy”?

Happy Holidays! 

*Disclaimer: We do know the 12 Days of Privacy typically begins on Christmas, but we chose to celebrate it before the holidays.

12 Days of Privacy: 25% Off!

12 Days of Privacy

On the fifth day of Privacy

SpiderOak gave to me:

25% off!!

On December 13, we introduced the 12 Days of Privacy* – sung to the tune of the 12 Days of Christmas. We hope to share with you what the 12 Days of Privacy means to us with this little holiday spin-off.

Today is the 5th day of our 12 Days of Privacy which means you can enjoy “Twenty-fiiiiiive percent off!” all yearly plans!

Current Users:

  1. Log in to your account online.
  2. Go to your ‘Account’ tab at the top.
  3. Click ‘Buy More Space,’ and then choose ‘Upgrade My Plan.’
  4. Enter the promo code 12DaysofPrivacy, and choose which plan you want under Yearly Billing.

New Users (Welcome!):

  1. Sign up here
  2. Download and install the client
  3. Click ‘Buy More Space’ in the client itself, or via the web portal (which will then take you to a new screen, where you need to choose ‘Upgrade My Plan’).
  4. Use the promo code 12DaysofPrivacy and choose which plan you want under Yearly Billing.

What do you think the 6th Day of Privacy will bring?

*We do know that the original 12 days of Christmas begins on Christmas day, but we wanted to do our own spin off before the holidays. 

12 Days of Privacy: 4 ‘Zero-Knowledge’

12 Days of Privacy

On the fourth day of Privacy

SpiderOak gave to me:

4 ‘Zero-Knowledge’ 

On December 13, we introduced the 12 Days of Privacy* – sung to the tune of the 12 Days of Christmas. We hope to share with you what the 12 Days of Privacy means to us with this little holiday spin-off.

You can join in too!

We don’t want to have all the fun so we invite you to submit your own lyrics. Share them with us on Facebook, Twitter, or in the comments section, and we’ll promote them throughout the week! We can’t wait to see what the 12 Days of Privacy means to you. To find out what the SpiderOak staff and fans come up with, follow #12DaysOfPrivacy.

Tis the season of Privacy!

*We do know that the original 12 days of Christmas begins on Christmas day, but we wanted to do our own spin off before the holidays. 

The Crypto-Think & The 12 Days of Privacy

At the beginning of the year, we predicted that 2013 was going to be “The Year of Privacy.” It’s been amazing to watch privacy take the forefront in national and international debates as well as have growing attention and importance in the online world. As the new year approaches, we can only hope 2014 brings increased efforts to fight for the right to privacy across the globe.

Today, Dec. 13, we will be holding The CRYPTO-THINK – our very first Web Privacy Think Tank – in San Francisco at our SpiderOak headquarters. SpiderOak and the ‘Zero-Knowledge’ Privacy Foundation have invited a diverse group of developers from around the country to an open discussion around the good, the bad, and the ugly truth of privacy. “One small step for Javascript, one giant leap for browser privacy.”

We hope this is the first of many events and hackathons that will help improve and change web privacy as we know it. Will you help chart a course to the unthinkable?

The CRYPTO-THINK

12 Days of Privacy

On the first day of Privacy

SpiderOak gave to me:

A public/private RSA key!

Starting today, the first day of privacy, we will spend the next 12 days sharing what privacy means to us as a company. Our version of the song is called the 12 Days of Privacy*, sung to the tune of the 12 Days of Christmas. Follow along on Twitter, Facebook, or this blog to see what we’ve come up with, and submit your own lyrics for a chance to win free GBs.

Tis the season of Privacy!

*We do know that the original 12 days of Christmas begins on Christmas day, but we wanted to do our own spin off before the holidays. 

We’re hiring a new CR rep!

SpiderOak is in the market for a new customer relations associate. This is a full-time, flexible-hours, work-from-home position open to applicants in any city in the world (although we’ll give preference to someone living in Kansas City, Chicago, or San Francisco). SpiderOak is an all-telecommute company of about 40 people; we use chat rooms, wikis, email, and voice and video conferencing to coordinate.

This job requires a lot of self motivation, since you’re going to be working by yourself without a set “assignment” every day. It’s not important to know how to code but we are definitely looking for more tech-savvy individuals. For the first several weeks you’ll be working with us closely to get up to speed, but after that you’ll manage your own workload every day and work schedule independently.

As a customer relations representative, you’ll spend most of your time working directly with our users over email, but SpiderOak always offers the opportunity to learn and grow within the company. This can be a challenging job, but it’s balanced by the freedom of working from home and a really fun and supportive work environment. Geeky/nerdy/goofy types a plus. =)

Interested? Send us a brief email at customerrepwanted@spideroak.com about why you’re interested in working for SpiderOak, your past work experience and qualifications, and anything else you think we should know about you. We look forward to hearing from you!

Join SpiderOak and Thousands of Others to Demand ECPA Reform

Today, SpiderOak is joining a nationwide day of action calling for reform of the Electronic Communications Privacy Act (ECPA), the law that says the government can access your email and documents in the cloud without a warrant.

ECPA is one of the Internet’s most outdated laws – it was enacted in 1986, before most people had access to a home computer or email. While the public has been rightfully outraged over reports that the NSA accesses communications without a warrant, ECPA says that hundreds of other government agencies—like the IRS, FBI, and DEA, as well as state and local law enforcement agencies—can access many of our stored emails, private social media messages, and documents in the cloud without getting a warrant from a judge. The law flies directly in the face of our Fourth Amendment values.

Bills to reform ECPA have gained huge support in recent months from both parties in Congress. However, legislation is now being blocked by a power grab from the Securities and Exchange Commission, which is pushing for a special carve-out for regulatory agencies to get your documents from online providers without a warrant. The SEC carve-out would neuter ECPA reform.

That’s why we’re calling on the White House to break its silence and stand up for ECPA reform. We need President Obama to tell the SEC to back down in its demands for troubling new powers and make clear that the time for ECPA reform is now.

Today we ask you join us by signing this petition to the White House. It’s time for the President to join hundreds of tech companies, startups, advocates, and Members of Congress by supporting this commonsense, long overdue reform to ensure our privacy rights online.

Hey from QA & how we run sync testing in SpiderOak

Hi people of the internet (and mom!).

My name is Rebecca and I am a quality assurance tester with SpiderOak. This means that I test EVERY aspect of EVERY release on EVERY operating system — catching functional and style issues before the product goes live. I report issues to the developers, who then write a patch or some other sort of tech wizardry. Then, they send me the new builds to test again – this loop repeats until we create a product we’re excited to push live!

Sometimes, testing compatibility across different operating systems can get tricky – especially with syncing. A user can sync any two folders connected to a SpiderOak account, from any operating systems we support, and with any filetype exclusion. Testing this can get confusing, and worse – boring. So we came up with an idea that is fun and very efficient.

Here’s a glance at sync testing in SpiderOak!

First, I create uniquely-themed folders in each operating system’s virtual machine. Each folder must contain a variety of image and text files, and at least one subfolder. Pinterest and food blogs are my favorite sites for this. For example, my Windows 8 OS has a folder named “Cupcakes,” with images of cupcakes and some recipes and cookbook reviews, whereas my Ubuntu OS has a folder of cheeses and cheese/wine pairing notes. Each OS has a distinct theme, so I instantly know which files are coming from which location, without even having to track it in the “view” tab in the SpiderOak desktop client!

Second, I test syncing within one operating system. I create a sync name and description (RecipeShare / sharing recipes for allergies), select two folders (“Cupcakes” and “Gluten-Free Cookies”), select wildcards to exclude (*.jpg, *.gif), approve it, and start the sync. With this particular sync, only the text files should sync across – if I see cupcake pictures in my “Gluten-Free Cookies” folder, I’ll instantly know something is wrong. Also, folders that are already synced cannot be in another sync (that would create an endless sync loop). So if I were to try to sync “Vegan Cookies” and “Gluten-Free Cookies” after the previous sync, an error message should appear.

Third, I test syncing folders across different operating systems. Both operating systems need to be running and set to the same date and time – if one OS is set to yesterday, the sync will not complete (and you probably have bigger problems than a sync issue if you’re some sort of fancy time-traveller). I find this type of sync really useful for creatives – you can pull together inspirations and notes from your work, personal, and mobile devices much more quickly than by emailing attachments and texting reminders. I repeat the same steps as for syncing within one operating system, and since each OS has a unique theme, I can instantly tell which files originated in which OS.

Finally, I repeat this on each OS to hunt down any anomalies. I also cancel syncs and then add files to one of the folders, to make sure the sync isn’t still active. If I cancel the above “RecipeShare” sync, and add a recipe for almond flour snickerdoodles to my “Gluten-Free Cookies” folder, it should no longer appear in the “Cupcakes” folder as well.
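The steps above are manual checks against a running client. As an added example (not SpiderOak’s sync engine, which the post doesn’t show), here is a toy Python model of the rules Rebecca describes, with each check written as an assertion a test runner can execute: wildcard excludes keep the images out of the other folder, a folder already in one sync can’t be added to another, and a cancelled sync stops propagating new files. The folder and file names are the post’s examples; `SyncHub` and its methods are invented for the model, and conflict handling is deliberately out of scope (an existing file is simply never overwritten).

```python
"""Toy model of the sync rules exercised in the post, with the manual checks as assertions.
Added example: SyncHub is a stand-in for the desktop client, not SpiderOak code."""
from fnmatch import fnmatch


class SyncError(Exception):
    """Raised when a sync would break a rule (here: a folder already in another active sync)."""


class SyncHub:
    def __init__(self):
        self.folders = {}  # folder name -> {relative path: file contents}
        self.syncs = {}    # sync name -> [folder_a, folder_b, exclude patterns, active]

    def add_folder(self, name, files):
        self.folders[name] = dict(files)

    def create_sync(self, name, folder_a, folder_b, excludes=()):
        # A folder may belong to only one active sync; chaining syncs would loop forever.
        for other, (x, y, _, active) in self.syncs.items():
            if active and {folder_a, folder_b} & {x, y}:
                raise SyncError(f"{folder_a!r} or {folder_b!r} is already in sync {other!r}")
        self.syncs[name] = [folder_a, folder_b, tuple(excludes), True]
        self.propagate()

    def cancel_sync(self, name):
        self.syncs[name][3] = False

    def add_file(self, folder, path, contents):
        self.folders[folder][path] = contents
        self.propagate()

    def propagate(self):
        # Copy every non-excluded file in both directions for each active sync.
        # Simplification: an existing file at the destination is never overwritten.
        for folder_a, folder_b, excludes, active in self.syncs.values():
            if not active:
                continue
            for src, dst in ((folder_a, folder_b), (folder_b, folder_a)):
                for path, contents in list(self.folders[src].items()):
                    if any(fnmatch(path, pattern) for pattern in excludes):
                        continue
                    self.folders[dst].setdefault(path, contents)


def recipe_share_checks():
    """Run the post's RecipeShare scenario; each expectation maps to True (pass) or False."""
    hub = SyncHub()
    # Constructed sample folders mirroring the post's themes.
    hub.add_folder("Cupcakes", {"red-velvet.jpg": b"<jpeg bytes>", "frosting.txt": b"recipe"})
    hub.add_folder("Gluten-Free Cookies", {"snickerdoodle.txt": b"recipe"})
    hub.add_folder("Vegan Cookies", {"oatmeal.txt": b"recipe"})
    hub.create_sync("RecipeShare", "Cupcakes", "Gluten-Free Cookies", excludes=("*.jpg", "*.gif"))

    checks = {
        "text files crossed over both ways": "frosting.txt" in hub.folders["Gluten-Free Cookies"]
        and "snickerdoodle.txt" in hub.folders["Cupcakes"],
        "excluded images stayed put": "red-velvet.jpg" not in hub.folders["Gluten-Free Cookies"],
    }

    # The post's second check: a folder already in RecipeShare cannot join another sync.
    try:
        hub.create_sync("CookieShare", "Vegan Cookies", "Gluten-Free Cookies")
        checks["second sync on same folder rejected"] = False
    except SyncError:
        checks["second sync on same folder rejected"] = True

    # The post's final check: after cancelling, a new file must not propagate.
    hub.cancel_sync("RecipeShare")
    hub.add_file("Gluten-Free Cookies", "almond-snickerdoodle.txt", b"recipe")
    checks["cancelled sync stopped propagating"] = (
        "almond-snickerdoodle.txt" not in hub.folders["Cupcakes"]
    )
    return checks


if __name__ == "__main__":
    for description, ok in recipe_share_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}: {description}")
```

Each dictionary key is one of the post’s manual observations turned into a yes/no outcome, so a regression in any one rule shows up as a named FAIL rather than a surprise picture in the wrong folder.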

By creating special themes for each OS, I instantly remember where everything originates and ends up. Picking themes I personally enjoy and creating scenarios for why one would need folders synced in particular ways helps me understand the customer experience. This way I can also provide suggestions to make syncing more user-friendly and efficient! I, and the rest of SpiderOak, want to get you your data in the most clear and most secure way possible!

Themed syncs also allow for some silliness, so I’ll test your understanding of syncs with this:

What do you get when you combine a folder from your work computer about bathroom renovations, a folder from your home computer about Ancient Egypt, and a folder from your tablet of 90s hits?

Syncing your sinks with a sphynx and N*SYNC.

Happy Syncing!

Rebecca