Business & the Cloud Archives - Page 9 of 15 - The Privacy Post


Facebook Changes Privacy Setting for Teenagers

Posted by on Oct 29, 2013

Image from http://blogs.lse.ac.uk


Facebook has recently changed its privacy rules for teenagers. Under the new policy, teenagers between the ages of 13 and 17 can now share their posts with everyone on the Internet. They can post status updates, images and videos that can be seen by anyone, not just their friends or people who know their friends. These changes might help Facebook become more competitive against other social media networks that appeal to young users. Also, having public data on teenagers and their likes and dislikes will attract more advertisers.

When an underage user signs up for a Facebook account, their posts are shown to a narrower audience by default: only to Friends. If teenagers choose “Public” in the audience selector setting, they will see a reminder that the post can be seen by anyone, not just people they know, with an option to change the post’s privacy. If they continue to post publicly, they will get another reminder saying that anyone in the public can now see their posts. Default settings for existing teenagers with profiles won’t change, and past posts are not affected. Besides warning users when they change their audience setting, Facebook also maintains the privacy of teenagers online by:

  • Designing features that remind them of who they are sharing their information with and that limit interaction with strangers.
  • Protecting sensitive information of minors, such as contact info, school and birthday, from appearing in public.
  • Reminding minors that they should only accept friend requests from people they know.

Image from www.facebook.com


In a blog post, Facebook says that it has loosened the privacy restrictions to make its service more enjoyable for teenagers and to give them an opportunity to express their views and opinions on a public platform. Justifying its new move, Facebook states: “Teens are among the savviest people using social media, and whether it comes to civic engagement, activism, or their thoughts on a new movie, they want to be heard. So, starting today, people aged 13 through 17 will also have the choice to post publicly on Facebook.”

Image from http://therealtimereport.com/


Although Facebook has implemented many security measures to protect teenagers, there are still certain risks that need to be addressed. The security risks of the new privacy policy for teens are:

  • Technological advances have made it possible to analyze large amounts of data and identify patterns. Facebook collects massive amounts of personal data and its search engine allows users to filter through a trove of information, including “status updates, photo captions, check-ins and comments.” So, the more information teenagers share in public, the easier it will be for unintended parties to find them. Some searches on Facebook might reveal controversial or embarrassing views, relationships and experiences of underage users.
  • Teenagers might become victims of targeted advertising by sharing their interests in food, clothing or technology in public. Businesses that depend on social media to reach their customers will benefit hugely from this move. Valuable data on teens’ interests will help them shape their marketing efforts. For example “Favorite teen retailer Forever 21 engages its Facebook fans by posting pictures of models wearing its clothing on city streets. Customers can then purchase the items by clicking on a link that leads directly to its store. Since teenagers are statistically more susceptible to peer pressure than older Facebookers, seeing these outfits in action is more likely to prompt them to click through to see the items in the photo.”
  • Kids can bypass parental control and permission, and might end up offering sensitive information to strangers online. Cyberbullies can use that information to harass, blackmail or demean children. Through private profiles or fake identities, bullies can make outrageous claims and attacks without having to worry about retribution or consequences of any kind.
  • Facebook does not have a reliable way of verifying whether somebody signing up for a Facebook account is a minor. Millions of kids fake their age to get on to Facebook. Therefore Facebook needs to implement controls to verify users’ ages and provide younger children with a safe, secure and private experience that allows them to interact with verified friends and family members without having to lie about their age.

Social Media & Security Through SpiderOak

Social media users should be aware of how their data is collected and used before using any social media site or platform. Don’t upload anything you don’t want shared and exploited for advertising purposes. And be sure to store anything sensitive exclusively with a secure cloud provider. For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that photos, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.


Snapchat Not Safe From NSA Surveillance

Posted by on Oct 28, 2013

Image from http://s1.ibtimes.com


Snapchat is a photo sharing application that allows users to share images that disappear from devices after a set amount of time. You can take a picture or record a video, draw something on it and send it to your Snapchat pal. Once the receiver opens the photo or video, it will automatically disappear within 10 seconds or less. The photos will also be deleted from Snapchat’s servers after the user has opened them. Unopened photos remain for 30 days on the company’s servers, which are run by Google.

Given the short amount of time that images are available to the recipient, it seems impossible that any third party could intercept them. However, the company admitted in a blog post that it will hand over, and already has handed over, photos to US law enforcement agencies:

“Since May 2013, about a dozen of the search warrants we’ve received have resulted in us producing unopened snaps to law enforcement. That’s out of 350 million snaps sent every day.”

In the blog post, Snapchat’s head of trust and safety, Micah Schaffer, explained how Snapchat handles user data. It is true that Snapchat deletes snaps from its servers after they are opened by the recipients. But what happens to the snaps before they are opened? Snapchat’s unopened photos are kept on Google’s cloud computing service, App Engine, and Snapchat is capable of retrieving snaps from the App Engine datastore. So, in order to deliver snaps to the receiver, Snapchat has to retrieve them from the datastore. This whole process of data retrieval is automated, and the company does not look at user data under ordinary circumstances. However, under certain circumstances it has to retrieve the photos manually using an in-house tool:

“For example, there are times when we, like other electronic communication service providers, are permitted and sometimes compelled by law to access and disclose information. For example, if we receive a search warrant from law enforcement for the contents of Snaps and those Snaps are still on our servers, a federal law called the Electronic Communications Privacy Act (ECPA) obliges us to produce the Snaps to the requesting law enforcement agency”.

The blog post also states that the company sometimes has to preserve some snaps for longer periods of time. It would do this in cases where law enforcement was considering whether or not to make a formal request to access the images via the search warrant procedure. Currently only two people in the company have access to the in-house tool used for manually retrieving unopened snaps: Micah Schaffer and the company’s CTO and co-founder, Bobby Murphy.

Also, even though Snapchat deletes your snaps within 10 seconds after somebody views them, a tech-savvy user can take a screenshot of the photos within the 10-second timeframe and post them on social media sites. This is a huge risk to the privacy of users who rely on Snapchat for photo sharing.

Image from http://www.idownloadblog.com/


Here are some of the steps you can take to maintain your privacy while using online photo sharing applications:

  • Do not upload any pictures that you might regret later. Services like Snapchat might delete your snaps in 10 seconds, but during this timeframe somebody can take a screenshot and share it on social media.
  • Use strong, hard-to-crack passwords in your photo sharing applications. Your password should be at least eight characters long and a combination of letters, numbers and special characters.
  • Photo sharing apps usually have a setting that allows you to share your photos only with your friends and family. You can limit unauthorized access to your photos by only sharing photos with people you know.
  • Last but not least, use a trustworthy and completely secure cloud storage provider like SpiderOak for storing and sharing your photos online.

Protecting your photos with SpiderOak

SpiderOak allows you to conveniently store photos online without having to worry about attacks or monitoring. This truly private storage and sync service is 100% anonymous, meaning that no one, not even the company’s own employees, can access the plaintext data uploaded to its servers. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Impact of Surveillance on U.S Cloud Industries

Posted by on Oct 24, 2013

Image from http://xcluesiv.com/


The cloud is a driving force behind today’s IT industry. However, the recent revelations about the US government’s PRISM program have badly affected the reputation of US-based cloud industries. The ongoing public debate about privacy issues at the FISA court has raised concerns among foreign customers. As per international cloud customers, “if the FISA court can issue a “national security letter” to gain access to US-based Internet companies’ servers, any foreign company’s data stored on these servers could be accessed by the US government”.

The rivals of US cloud computing services initially suspected that data is shared with surveillance agencies. The PRISM revelations in June confirmed their suspicions that the data stored on US servers can be accessed by the government. “Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers,” and should stop using American companies such as Google and Facebook, said German Interior Minister Hans-Peter Friedrich in July. The US is a global leader in providing cloud computing services, but the NSA leaks could cause a shift away from leading data storage providers like Google, Yahoo and IBM.

Image from http://www.washingtonpost.com


A report released by the Information Technology and Innovation Foundation (ITIF) claims that the NSA’s PRISM program could cost the US cloud computing industry anywhere between $22 billion and $35 billion over the next three years. The news about the NSA cracking the encryption of common online security products and placing secret doors at the access points can further undermine the confidence of foreign businesses. The NSA has been successful in cracking the majority of the encryption codes on the Web by using supercomputers, technical trickery, court orders, and behind-the-scenes persuasion to defeat the standard encryption technologies. Apart from cracking the encryption of online products, the NSA has devised programs to deliberately insert vulnerabilities into commercial products so that it can collect more information by exploiting those vulnerabilities. Basically, the NSA asks these companies to deliberately change their products in undetectable ways, such as leaking encryption keys, making a random number generator less random, adding a common exponent to a public-key exchange protocol, and so on.

Image from www.theguardian.com


However, these predictions can be considered mere estimates, as various thought leaders in the cloud computing market have argued that they do not think customers will be less inclined to put their data and IT operations online given the PRISM revelations. Brian Okun, regional sales director at Prevalent Networks in Warren, N.J., said, “I think there will always be people who don’t feel safe putting data in the cloud, just as there are individuals who want to move to the cloud. First, you’re never going to be a 100 percent secure online. Second, you need a layered, multipronged approach to security. And third, you need to be an early adopter of new security technology instead of a laggard.”

People who have been enjoying the benefits of high-quality US-based cloud services will think twice before moving to alternative services. Many well-known, high-profile cloud storage companies are changing their business models to remain competitive in the market, taking the NSA surveillance into consideration. For example, Amazon Web Services has cut prices by 80% because it fears that the NSA revelations would turn its customers away. The losses were fairly marginal in reality. So, saying that the PRISM revelations would lead to an industry shift can be an exaggeration.

Similarly, companies are incorporating better security practices in order to protect customer data and live up to the trust of their customers. They are implementing stronger encryption standards, larger keys, and complex hash algorithms to maintain the confidentiality and integrity of user data. Yahoo recently announced that it will enable default HTTPS encryption in its email service to keep email messages private.

In this situation, there are huge benefits for companies that provide client server security to protect customer data from government surveillance. Cloud startups whose prime goal is to secure their customers’ data will see huge growth in their business in the near future.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

 

 

 

 


How secure is Apple iMessage?

Posted by on Oct 23, 2013

Image from http://www.imore.com


After the revelations made about NSA’s PRISM program by Edward Snowden in June, Apple claimed that conversations taking place over iMessage and FaceTime “are protected by end-to-end encryption, so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, map searches or Siri requests in any identifiable form.”

However, according to the recent findings of the security researchers at QuarksLab, Apple’s iMessage is not as secure as it claims to be. “Apple can read your iMessages if they choose to, or if they are required to do so by a government order,” QuarksLab said in a white paper presented last Thursday at the Hack in the Box conference. Since Apple controls the keys used to encrypt iMessage communication between the sender and receiver, it can theoretically conduct a “Man-in-the-Middle attack” on the two. While the sender and receiver chat with each other assuming that the communication is secured, Apple can monitor their communications. Apple’s iMessage uses a public/private key encryption system, where the public key is stored on Apple’s server and the private key on each device is linked to the user’s account. The public and private key pair is generated when you create an account in iCloud. So, if you want to send an iMessage to someone, the message is encrypted using the public key of the recipient, which is retrieved from Apple’s server. Only the receiver, who holds the private key, can decrypt and read the message.

The problem with this system is that you have no control over the public key of the receiver that is used to encrypt the message. You obtain the keys through Apple’s server, so it is possible for someone at Apple to monitor your communications or to send your messages to third parties like the NSA.
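The exposure described above comes from a client accepting whatever public key the server returns. As an added example (not code from Apple, QuarksLab or this blog), the Python below shows one client-side check, trust-on-first-use fingerprint pinning; the `PinStore` class, the account name and the key bytes are constructed for illustration.

```python
import hashlib

# Constructed sample keys: opaque byte strings standing in for serialized
# public keys. Real keys would be DER/PEM blobs; only their bytes matter here.
ALICE_PHONE = b"constructed-public-key:alice-phone"
ALICE_LAPTOP = b"constructed-public-key:alice-laptop"
UNEXPECTED_KEY = b"constructed-public-key:never-seen-before"


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the serialized key, short enough to compare out of band."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Client-side memory of which key fingerprints belong to which contact."""

    def __init__(self):
        self._pins = {}  # account -> set of trusted fingerprints

    def classify(self, account, served_keys):
        """Label every key the directory served for this account.

        first-use  : no pins yet, so the keys are accepted and remembered.
                     Trust-on-first-use cannot detect a key swapped before
                     the very first lookup.
        pinned     : fingerprint matches one seen or approved earlier.
        unverified : the contact already has pins and this key is not among
                     them. It may be a new device or a substituted key; the
                     client cannot tell which.
        """
        known = self._pins.get(account)
        if known is None:
            self._pins[account] = {fingerprint(k) for k in served_keys}
            return {fingerprint(k): "first-use" for k in served_keys}
        return {
            fingerprint(k): "pinned" if fingerprint(k) in known else "unverified"
            for k in served_keys
        }

    def approve(self, account, fp):
        """Pin a fingerprint the user confirmed with the contact directly."""
        self._pins.setdefault(account, set()).add(fp)

    def keys_to_encrypt_to(self, account, served_keys):
        """Return only the served keys the client is willing to encrypt to."""
        verdicts = self.classify(account, served_keys)
        return [k for k in served_keys if verdicts[fingerprint(k)] != "unverified"]


def demo():
    store = PinStore()
    account = "alice@example.com"  # constructed account name

    # 1. First message: the directory returns Alice's phone key.
    first = store.keys_to_encrypt_to(account, [ALICE_PHONE])

    # 2. Later the directory also returns a key the client has never seen.
    second = store.keys_to_encrypt_to(account, [ALICE_PHONE, UNEXPECTED_KEY])

    # 3. Alice reads her new laptop's fingerprint over the phone and the user
    #    approves it. The other unknown key stays excluded.
    store.approve(account, fingerprint(ALICE_LAPTOP))
    third = store.keys_to_encrypt_to(
        account, [ALICE_PHONE, ALICE_LAPTOP, UNEXPECTED_KEY]
    )
    return first, second, third


if __name__ == "__main__":
    for step, keys in enumerate(demo(), start=1):
        print(step, [k.decode() for k in keys])
```

Pinning only helps if fingerprints are compared over a channel the key server does not control, such as in person or by voice.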

Image from http://www.quarkslab.com/


The researchers emphasized that hacking iMessage to impersonate users and to read and intercept private messages is only possible if the third party is a very skilled attacker. The slide below, presented at the Hack in the Box conference, discusses how it is technically possible to break into iMessage encryption.

Image from http://www.quarkslab.com/


Independent security researcher Ashkan Soltani said, “I think what their presentation demonstrates is that it’s very difficult, but not impossible, for an outside attacker to intercept messages if they’re able to control key aspects of the network. Probably not something that just any actor can do, but definitely something a state/government actor or Apple themselves could do, if motivated.”

Quarkslab also shared information regarding a tool called “iMITMProtect” (available for download on GitHub) that will allow iMessage users to protect themselves from these security issues. Unfortunately, this tool is ready for highly skilled computer users only. At this point, it might be difficult for average iMessage users to use this tool properly.

Image from http://www.quarkslab.com/


Responding to the findings of QuarksLab, Apple clarified that it is not possible for them to break into the iMessage encryption and read user messages. “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

True Privacy with SpiderOak

The findings of QuarksLab revealed that in order to keep your data completely secure it is extremely important to have a properly implemented public/private key management system. Also, even if the public key is available to a third party, there should be proper security controls to prevent unauthorized access to any plaintext data. At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive: even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers.

The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

 

 

 


PR Newswire breach linked to Adobe exploit

Posted by on Oct 22, 2013

Image from http://www.dataprivacynetwork.com


In a previous blog post, I discussed the data breach at Adobe Systems from earlier this month. That breach exposed the personal information of 2.9 million customers and the source code of major Adobe products like Adobe Acrobat, ColdFusion and others. From the recent revelations made by KrebsOnSecurity, it looks like the same hacker group was responsible for the security breach at press release distribution service PR Newswire. The hackers managed to steal a database containing usernames and encrypted passwords from PR Newswire. The stolen data was found on the same hacker server where the stolen Adobe source code was found recently.

According to a blog post by Hold Security, the same group of cybercriminals was responsible for data breaches at Dun and Bradstreet, LexisNexis and Kroll Background America. The PR Newswire archive that was found on the hackers’ server appears to be from March 8th 2013; however, it is still unclear whether the hack happened on that date or later, because the archive was created on April 22nd. Hold Security worked with independent journalist Brian Krebs, who alerted PR Newswire to the security breach.

PR Newswire notified Krebs that there were approximately 10,000 user records in the compromised database, but the number of affected users might be lower because people generally maintain multiple accounts. The company said in a recent statement that it is “conducting an extensive investigation” into the breach, and from the preliminary investigation it looks like customer payment data was not compromised as a result of the attack.

“We recently learned that a database, which primarily houses access credentials and business contact information for some of our customers in Europe, the Middle East, Africa and India, was compromised. We are conducting an extensive investigation and have notified appropriate law enforcement authorities. Based on our preliminary review, we believe that customer payment data were not compromised.

As a precautionary measure, we have implemented a mandatory password reset for all customers with accounts on this database. As a general practice, we recommend that our customers use strong passwords and regularly update them, not just on PR Newswire but on any website requiring login credentials. From an internal perspective, we continue to implement security improvements and additional protocols to help further protect user portals and customer and proprietary information”.

If the passwords were cracked, it might have been possible for the hackers to upload false earnings warnings or similar fake news in order to manipulate stock prices and profit from the resulting confusion. However, nothing like this has happened so far. Another interesting thing revealed by this hack was the use of ColdFusion exploits. It seems that earlier this year an attack based on ColdFusion exploits was launched against multiple PR Newswire networks. The security breach might be the result of that attack. The Adobe and PR Newswire data breaches have this in common: in both cases the hackers targeted vulnerabilities in the ColdFusion web application development platform.

Image from http://informationsecurityhq.com


In response to the data breach, the company has implemented a mandatory password reset for its customers because the database containing encrypted user passwords was stolen. The passwords were hashed, so it is difficult to reverse them and retrieve the original plaintext. A hash can still be used to validate a password entered at a later time by rehashing the input and comparing the results. However, some hashes can be cracked using a brute-force attack. The only way to resist such attacks is to create strong, hard-to-crack passwords and to use complex hashing algorithms and other strengthening methods like salts. Therefore it is always good practice to use strong passwords (at least 8 characters long and a combination of letters, numbers and special characters). If a password or password hash is stolen, account owners should change their passwords on all websites where they might have used them.
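The rehash-and-compare validation and the salt-plus-strengthening defence described above look like this in Python. This is an added example, not PR Newswire's or SpiderOak's code; the page does not say which hash PR Newswire used, so the example borrows the PBKDF2-SHA256 parameters (16384 rounds, 32-byte salt) quoted in the iMessage post on this page, and the record format, function names and sample accounts are assumptions.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2-sha256"
ROUNDS = 16384          # minimum PBKDF2 round count quoted on this page
SALT_BYTES = 32         # salt size quoted on this page
MAX_ROUNDS = 10_000_000 # refuse absurd work factors in a tampered record


def unsalted_sha256(password):
    """Weak baseline: one fast hash, no salt. Shown only for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$rounds$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return "$".join([SCHEME, str(ROUNDS), salt.hex(), derived.hex()])


def _parse(record):
    scheme, rounds, salt_hex, hash_hex = record.split("$")
    return scheme, int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password, record):
    """Rehash the candidate with the stored salt and compare in constant time."""
    try:
        scheme, rounds, salt, expected = _parse(record)
    except ValueError:  # wrong field count, bad integer or bad hex
        return False
    if scheme != SCHEME or not 1 <= rounds <= MAX_ROUNDS or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when a record predates the current work factor and should be
    upgraded the next time its owner logs in successfully."""
    try:
        scheme, rounds, _, _ = _parse(record)
    except ValueError:
        return True
    return scheme != SCHEME or rounds < ROUNDS


def shared_hash_groups(stored):
    """Group users whose stored values are byte-for-byte identical."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed sample accounts; bob and carol picked the same password.
SAMPLE_USERS = {"alice": "T4ngerine!Sky", "bob": "Summer2013!", "carol": "Summer2013!"}


def demo():
    """Compare what a stolen table reveals with and without per-user salts."""
    unsalted = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    print(demo())
```

Without salts, the stolen table itself shows that bob and carol share a password, so one guess settles both; with per-user salts every record has to be guessed separately at the full PBKDF2 cost.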

Ninan Chacko, PR Newswire’s CEO, said that “as a general practice, we recommend that our customers use strong passwords and regularly update them, not just on PR Newswire but on any website requiring login credentials.”


Yahoo’s new move towards email encryption

Posted by on Oct 21, 2013

 

Image from www.yahoomail.com


Yahoo has made significant cosmetic improvements to its user interface, but there are security flaws that still need to be addressed. It has been under the scrutiny of security experts because of the changes it has made to its email service lately. This summer Yahoo launched an email-recycling program, giving current users access to old email addresses from accounts that are no longer active. Unfortunately, this scheme of re-engaging old users and rewarding active ones led to serious risks to user privacy. Some of the users with recycled Yahoo IDs received emails intended for the previous account holders. They were able to access all information intended for the original user, including sensitive information like the Social Security numbers and credit card information of previous users.

Another issue related to this program was that Yahoo removed contacts from users’ contact lists without their consent. In doing so, Yahoo’s intent was to remove invalid addresses from people’s contact lists, so that they would not get any emails intended for previous account holders. However, this move was not executed properly, and in some cases Yahoo ended up deleting valid addresses. It also raised security concerns among users, as Yahoo could get into their accounts and manage their contact details without their authorization. If Yahoo could delete their contact addresses, it is very likely that it can access other critical information in user accounts without their consent. Yahoo has acknowledged both of these issues, and steps have been taken to resolve them.

Image from www.pcworld.com


Unlike Google or Microsoft, Yahoo does not enable SSL encryption by default for Yahoo Mail users. Yahoo allows users to log in to their accounts via SSL and then switches to an unencrypted connection during regular email sessions. As a result, any email you send via Yahoo Mail can be intercepted easily over public Wi-Fi connections. Yahoo has suffered a fair amount of criticism for not moving to SSL encryption, given the recent revelations by former NSA contractor Edward Snowden. “Interestingly, the Washington Post revealed that government spooks had collected twice as many contacts from Yahoo Mail as all of the other major web mail services combined. No reason was given for this, but one likely cause could be due to Yahoo Mail’s lack of SSL encryption”.

In a case study it was found that any email session not protected by SSL could be hacked by using a Firefox add-on called Firesheep. Firesheep steals login IDs from the targeted PC and allows the attacker to gain access to your account for the duration of the current login period. During this time frame, the attacker will be able to read all your email messages and can access your contact data. Firesheep is just one example that shows how unencrypted email services can be hacked; there are various other tools that can be used to hijack unprotected online accounts.

Taking all these security concerns into consideration, Yahoo has decided to introduce default SSL encryption in its email service. Yahoo has confirmed to The Washington Post that it will enable HTTPS encryption by default for Yahoo Mail starting from January 8, 2014. Security experts have welcomed Yahoo’s move to implement HTTPS encryption for its web email service. Amie Stepanovich, Director of the Domestic Surveillance Program at the Electronic Privacy Information Center, commended Yahoo for the move. “It’s always a positive thing when companies take steps to protect their customers’ information,” she said, but noted, “Unfortunately, this often only happens after a harmful event.”

Yahoo introduced an option to opt in to SSL encryption through Yahoo Mail’s settings in late 2012 or early 2013. However, it is disabled by default. You can activate it yourself by taking the following steps:

  • Click on the settings cog in the upper right corner of the Yahoo Mail Inbox.
  • Select “Settings” from the dropdown menu and then select “Security”.
  • In the “Security” section, tick the “Always use HTTPS” checkbox and then press “Save”.

Screenshot by author

  • Once the above-mentioned steps are completed, your Inbox tab will refresh and you will be able to see the lock icon on the left side of the address bar along with the letters “https”.

 

Secure your data with SpiderOak

In this age of PRISM revelations, users sometimes find that selecting a truly protected third party cloud service can be a challenge, as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.

 


Lavabit’s security battle with NSA

Posted by on Oct 18, 2013

Image from http://lavabit.com/


Lavabit, the secure email service provider, abruptly shut its doors in August due to the Government’s request for data intrusion. Lavabit provided a secure email service by encrypting email messages and preventing anybody other than the sender and the receiver from reading them. The US government was after Lavabit to monitor the real-time email usage of a single user. But when they found out that it was not possible to tap into the email of the user they were after, they asked Lavabit to hand over the SSL key, which would allow them to monitor every Lavabit user. The Lavabit email user the government wanted to monitor is believed to be Edward Snowden. “The government became embroiled with Lavabit in May, which is when Snowden disappeared from his job at Booz Allen Hamilton and the feds started looking for him”.

The District Court for the Eastern District of Virginia ordered Ladar Levison, the founder of Lavabit, to hand over the encryption keys. When he refused to comply with the court’s order, the court threatened him with a fine of $5000 per day. Ultimately Levison handed over the keys to the government but shuttered his 10-year-old company to protect his customers’ information. He also filed an appeal against the court for forcing him to turn over the encryption keys. “The government would still be able to use Lavabit’s private keys to decrypt and access data that it had already intercepted (including customers’ usernames, passwords, and the contents of their emails),” the appeal details, “but Lavabit was forbidden from communicating this security breach to its customers or business partners.”

The government says it is entitled to get Lavabit’s private keys for three reasons: the Pen Register Statute, the Stored Communications Act and a grand jury subpoena. Lavabit counters all three of these arguments in its appeal.

  • Lavabit states that the Pen Register Statute only requires that a company help the government install a “pen-trap” upon receiving a warrant from the court. It does not include handing over encryption keys, which interferes with the way Lavabit provides a secure service to its users. Also, unlike telecom businesses, email businesses do not need to be wiretap enabled.
  • The Stored Communications Act allows the government to seize the contents of a particular communication. Lavabit argues that in this case private keys are not a particular communication.
  • As per the industry standard, Lavabit needs to keep its private keys private. Once it was revealed that the provider keys were shared with the government, Lavabit’s registrar, GoDaddy, revoked its security certificate.

Lavabit is opening up temporarily to give its users a chance to recover their data. The data recovery service is expected to begin from October 18. Before the data becomes publicly available users can reset their passwords by logging on to https://liberty.lavabit.com. This move has become possible after Levison obtained a new SSL key to authenticate its server and encrypt the data travelling to and from the site. Lavabit has published its SSL certificate fingerprint and serial number on the password change page. The users are encouraged to verify the new SSL certificate before using the site.

You can take the following steps to verify the SSL certificate fingerprint and serial number in Chrome:

  • Go to https://liberty.lavabit.com/. It will take you to the “Change Password” page, where you can find the serial number and fingerprint of the new SSL certificate. Now click on the padlock icon at the left corner of the address bar. It will open a dropdown window.

Screenshot by author

  • Click on the “Connection” tab in the dropdown window. It will give you the option to verify the certificate information.

Screenshot by author

  • Next click on “Certificate information” and then “Details”, where you can check the serial number and fingerprint. The serial number is one of the first entries that you will see. To verify the fingerprint, scroll all the way down to the “Fingerprints” entry and then match the Chrome fingerprint with the fingerprint on the “Change Password” page.

Screenshot by author

Fingerprint verification:

Screenshot by author
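The same comparison can be scripted instead of read off the browser dialog. The following is an added example, not code from Lavabit or from the original post: it computes a certificate's fingerprint, reads its serial number from the DER encoding, and compares both with values published out of band. The sample bytes are a constructed, certificate-shaped DER blob, and the use of SHA-256 as the published digest is an assumption.

```python
import hashlib
import ssl


def tlv(tag, content):
    """DER-encode one tag-length-value element (used only to build the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        size = first & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, pos, pos + length


def serial_from_der(der):
    """Read serialNumber from Certificate -> tbsCertificate."""
    tag, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, _ = read_tlv(der, start)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0xA0:                             # optional [0] version field
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:                             # serialNumber is an INTEGER
        raise ValueError("serial number not found")
    return int.from_bytes(der[vstart:vend], "big")


def fingerprint(der, algo="sha256"):
    """Digest of the whole DER certificate, formatted AA:BB:CC like a browser."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_hex(text):
    """Strip separators so 'AA:BB', 'aa bb' and 'aabb' compare equal."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("published value is not hexadecimal")
    return cleaned


def check_certificate(der, published_fingerprint, published_serial, algo="sha256"):
    """Return the list of fields that do NOT match the published values."""
    problems = []
    if normalize_hex(fingerprint(der, algo)) != normalize_hex(published_fingerprint):
        problems.append("fingerprint")
    if serial_from_der(der) != int(normalize_hex(published_serial), 16):
        problems.append("serial")
    return problems


def fetch_der(host, port=443):
    """Fetch the server's leaf certificate without chain validation; trust
    comes from comparing it with the out-of-band fingerprint afterwards."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed sample: shaped like the start of an X.509 certificate, not a real one.
SAMPLE_SERIAL = bytes.fromhex("00c7a35f19")
SAMPLE_DER = tlv(0x30,
                 tlv(0x30,
                     tlv(0xA0, tlv(0x02, b"\x02"))
                     + tlv(0x02, SAMPLE_SERIAL)
                     + tlv(0x04, b"constructed body, not a real certificate"))
                 + tlv(0x03, b"\x00" + bytes(32)))

if __name__ == "__main__":
    print("serial     :", format(serial_from_der(SAMPLE_DER), "X"))
    print("fingerprint:", fingerprint(SAMPLE_DER))
```

An empty list from `check_certificate` means both values match; any other result means the site should not be used until the difference is explained.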

True Privacy with SpiderOak

After going through the story of Lavabit’s fight with the NSA to secure its customers’ data, the question arises – how can businesses ensure that their customer data remains protected from NSA surveillance? It is possible with SpiderOak. SpiderOak does not have any key or plaintext data to hand over to the government. At SpiderOak, sensitive user data is protected using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive: even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers.

The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.
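The key hierarchy described above can be sketched with the Python standard library. This is an added example, not SpiderOak's code: the PBKDF2 parameters come from the text, while the record layout, function names and the wrapping step (an HMAC-SHA256 keystream with an HMAC tag, standing in for the AES the post names) are assumptions made so that it runs without third-party packages.

```python
import hashlib
import hmac
import os

ROUNDS = 16384    # minimum PBKDF2 round count stated in the post
SALT_LEN = 32     # bytes of random salt stated in the post


def derive_outer_key(password, salt, rounds=ROUNDS):
    """Password + salt -> 32-byte outer key. Runs on the client only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def subkeys(outer_key):
    """Separate keys for encryption and authentication of the wrapped blob."""
    enc = hmac.new(outer_key, b"wrap-enc", hashlib.sha256).digest()
    mac = hmac.new(outer_key, b"wrap-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption, not AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(outer_key, data_key):
    """Encrypt-then-MAC one data key under the outer key."""
    enc, mac = subkeys(outer_key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data_key, keystream(enc, nonce, len(data_key))))
    return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()


def unwrap_key(outer_key, blob):
    """Verify the tag first; a wrong password fails here instead of yielding junk."""
    enc, mac = subkeys(outer_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered key blob")
    return bytes(a ^ b for a, b in zip(body, keystream(enc, nonce, len(body))))


def create_account(password, n_keys=2):
    """Return (record the server may store, data keys that stay on the client)."""
    salt = os.urandom(SALT_LEN)
    outer = derive_outer_key(password, salt)
    data_keys = [os.urandom(32) for _ in range(n_keys)]
    record = {"salt": salt, "rounds": ROUNDS,
              "wrapped": [wrap_key(outer, k) for k in data_keys]}
    return record, data_keys


def unlock(password, record):
    """What a client does at login: re-derive the outer key, unwrap the data keys."""
    outer = derive_outer_key(password, record["salt"], record["rounds"])
    return [unwrap_key(outer, blob) for blob in record["wrapped"]]


def change_password(old, new, record):
    """Only the small wrapped-key blobs are re-encrypted; bulk data is untouched."""
    data_keys = unlock(old, record)
    salt = os.urandom(SALT_LEN)
    outer = derive_outer_key(new, salt)
    return {"salt": salt, "rounds": record["rounds"],
            "wrapped": [wrap_key(outer, k) for k in data_keys]}


if __name__ == "__main__":
    record, keys = create_account("constructed sample passphrase")
    print("server stores:", {k: (v if k == "rounds" else "<opaque bytes>")
                             for k, v in record.items()})
    print("unlock ok:", unlock("constructed sample passphrase", record) == keys)
```

The server-side record holds only the salt, the round count and the wrapped keys, so a party holding that record still has to guess the password, at the cost of one full PBKDF2 run per guess.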

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

 


Metasploit’s DNS Registrar Hacked Via Fax

Posted by on Oct 17, 2013

 

Image from http://www.theguardian.com/


Metasploit is a service used by computer and network security professionals worldwide to perform penetration testing of corporate systems and determine if the vulnerabilities are fixed. Recently, Metasploit was attacked by a group of pro-Palestinian hackers, who managed to hijack its website by simply sending a fax. The hackers are a group of four people, known as the KDMS Team. They came into prominence a few weeks back when they hijacked the websites of popular messaging service WhatsApp and the antivirus company AVG.

This time the hackers were able to trick Metasploit’s DNS registrar, Register.com, by sending a fax requesting a change to the IP addresses associated with the URLs of Rapid7 and Metasploit. As a result, people who visited the homepages of these sites were redirected to a politically charged message. The hack redirected the domains to a page which contained a message from KDMS Team, reading in part:

Image from http://www.theguardian.com/


This kind of attack is called a DNS redirect, “which involves an attacker changing the records which tell web browsers what server lies behind any given web address”. According to HD Moore, chief research officer at security company Rapid7, the website was “hijacked through a spoofed change request FAXED to Register.com. Hacking like it’s 1964.”

Image from http://www.ibtimes.co.uk/


Immediately after the attack, Rapid7 asked the registrar to block all changes to its domain unless they are authorized by phone. They are also considering top-level domain (TLD) locks to prevent unauthorized access to their DNS registrars. “These locks introduce hurdles for normal changes to our infrastructure and so we were still in the planning stages. In hindsight, we should have taken action sooner,” said Moore.

The attackers did not compromise the servers running these websites and the redirect was fixed within an hour. But this attack had the potential of causing serious damage by redirecting the users to a spoofed site asking for personal details like SSN and credit card numbers.

Similar kinds of attacks were carried out on the websites of WhatsApp, AVG and Avira by the KDMS group. They were able to perform a DNS redirect by sending a fake password reset request. But these firms were registered with a different registrar – Network Solutions. Besides Rapid7 and Metasploit, two other companies registered with Register.com, Bitdefender and ESET, also fell prey to KDMS Team’s DNS redirect attack.

These are some of the steps that businesses can take to protect themselves from similar kinds of attacks:

  • Train employees to recognize phishing attacks: One of the things that led to this attack was that the fake fax request from the attacker was acted on and the IP addresses of Metasploit and Rapid7 were changed. Employees need to be trained to differentiate between fake and legitimate requests. If they find a request suspicious, they should call the requestor directly and inquire about it.
  • Implement registry locks for better security: As Moore pointed out, all the DNS registrars that became victims of the attack lacked registry locks. “A registry lock is a status code applied to a web domain name that is designed to prevent incidental or unauthorized changes – including modifications, transfers or deletion of domain names and alterations to domain contact details – without first authenticating to the top-level domain operator.”
  • Monitor DNS settings: Lastly, businesses should monitor DNS settings regularly to check for changes to registration information and to the IP addresses their business-critical domains resolve to. This will help businesses detect a security breach quickly and take suitable measures immediately to remediate it.
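One way to implement the last two recommendations, as an added example that is not part of the original post: compare a collected snapshot of each domain's records and status codes against an approved baseline. The domains, addresses and snapshots are constructed (documentation ranges), and the three `server*Prohibited` names are the EPP status codes a registry lock sets.

```python
import socket

# EPP status codes set by the registry when a registry lock is in place.
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited",
                 "serverDeleteProhibited"}

# Constructed baseline: what each business-critical domain is approved to look like.
BASELINE = {
    "example.com": {"a": {"192.0.2.10"},
                    "ns": {"ns1.example.net", "ns2.example.net"},
                    "status": set(REGISTRY_LOCK)},
    "example.org": {"a": {"198.51.100.7"},
                    "ns": {"ns1.example.net", "ns2.example.net"},
                    "status": set(REGISTRY_LOCK)},
    "example.net": {"a": {"198.51.100.8"},
                    "ns": {"ns1.example.net", "ns2.example.net"},
                    "status": set(REGISTRY_LOCK)},
}

# Constructed observation, as a resolver query plus a WHOIS/RDAP lookup might return it.
OBSERVED = {
    "example.com": {"a": {"203.0.113.66"},                    # address was repointed
                    "ns": {"NS1.EXAMPLE.NET.", "ns2.example.net"},
                    "status": set(REGISTRY_LOCK)},
    "example.org": {"a": {"198.51.100.7"},
                    "ns": {"ns1.example.net", "ns2.example.net"},
                    "status": {"clientTransferProhibited"}},  # registry lock absent
    "example.net": {"a": {"198.51.100.8"},
                    "ns": {"ns1.example.net", "ns2.example.net"},
                    "status": set(REGISTRY_LOCK) | {"clientTransferProhibited"}},
}


def normalize(names):
    """Host names compare case-insensitively and without the trailing dot."""
    return {n.strip().lower().rstrip(".") for n in names}


def compare(baseline, observed):
    """Return (domain, finding, detail) tuples for every deviation from baseline."""
    findings = []
    for domain in sorted(baseline):
        want, got = baseline[domain], observed.get(domain)
        if got is None:
            findings.append((domain, "not-observed", "no snapshot collected"))
            continue
        for field in ("a", "ns"):
            expected, seen = normalize(want[field]), normalize(got[field])
            if expected != seen:
                detail = "added=%s removed=%s" % (sorted(seen - expected),
                                                  sorted(expected - seen))
                findings.append((domain, field + "-changed", detail))
        missing = want["status"] - got["status"]   # status codes are case-sensitive
        if missing:
            findings.append((domain, "lock-missing", ",".join(sorted(missing))))
    return findings


def resolve_a(domain):
    """Live IPv4 lookup through the system resolver, for building a snapshot."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


if __name__ == "__main__":
    for domain, finding, detail in compare(BASELINE, OBSERVED):
        print("ALERT %-12s %-13s %s" % (domain, finding, detail))
```

Run on a schedule, with alerts routed to someone who can phone the registrar, a check like this shortens the window during which a redirected domain goes unnoticed.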

 

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

 

 


Russian Government Installs Olympic Surveillance

Posted by on Oct 16, 2013

Image from http://www.thelogofactory.com


The Russian government is planning to install extensive surveillance to keep tabs on the athletes and spectators attending the Winter Olympic Games in Sochi. They have taken all measures to ensure that no communication by the spectators or athletes goes unmonitored during the event. As per the research conducted by two investigative Russian journalists, Andrei Soldatov and Irina Borogan, the Russian authorities have made excellent arrangements in terms of communication support, including 4G coverage and free Wi-Fi coverage throughout the city of Sochi. But the Internet, telephone and other communication providers have to build their networks in such a way that the Russian security service, the FSB, can access and monitor all the traffic using Sorm, Russia’s system for intercepting phone and internet communications.

The reports suggest that the FSB has been working on upgrading the Sorm systems across Russia, keeping in mind the extra traffic during the games. All Internet and telecom providers have to install Sorm boxes as per the law, and once they are installed the FSB can access data without even notifying the service providers. Along with Sorm, the Russian security service is also planning to install a technology called “deep packet inspection” that will allow intelligence agencies to filter users by particular keywords. This controversial technology will be installed across Russia’s networks, and is required to be compatible with the Sorm system for network monitoring and data analysis. “There is an element of meta-data gathering, but Russian security services are not so interested in meta-data. This is about content,” Soldatov told The Telegraph, citing an “information security concept” document laying out these measures. “The idea seems to be to make communications in Sochi totally transparent for the Russian authorities.” “For example you can use the keyword Navalny, and work out which people in a particular region are using the word Navalny,” says Soldatov, referring to Alexei Navalny, Russia’s best-known opposition politician. “Then, those people can be tracked further.”

A diagram of Sorm Surveillance system. http://www.wired.com


The US State Department Bureau of Diplomatic Security has also warned those travelling to Russia this year for the Olympics to take precautions with communications and devices. The brochure sent out by the US State Department warns business travelers not to share any trade secrets, negotiating positions, and other sensitive information during the games, as that information might be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.

While this kind of intensive surveillance and monitoring poses risks to the privacy of people attending the Games, the Russian government claims to be taking such strict security measures for the protection of Sochi against terrorist attacks. Sochi neighbours Russia’s turbulent North Caucasus, where federal forces are fighting long-running separatist insurgencies, both Islamist and secular. Doku Umarov, a rebel leader who has claimed responsibility for a number of suicide bombings in Moscow in recent years, has called on his followers to attack the games.

Although the Russian surveillance program for the Olympics may sound similar to the PRISM program, there are certain differences between the two. In the US and Western Europe, a law enforcement agency needs to get a warrant from the court in order to request the network operator or Internet service provider to intercept the communication channels and provide the requested information. In Russia, on the other hand, the FSB also needs to get an eavesdropping warrant, but it is not obliged to show it to anyone. The telecom and Internet providers have to pay for the Sorm equipment and installation but do not have access to the surveillance boxes. Therefore the FSB does not have to contact the service providers directly; instead they have to call on the security controller at the FSB HQ that is connected to the Sorm device on the ISP network.

"The Guardian quoted Ron Deibert, a professor at the University of Toronto and director of Citizen Lab, which co-operated with the Sochi research, as calling the Winter Games SORM upgrades “PRISM on steroids”. The difference in the two countries’ surveillance infrastructures can be found where the communications providers’ rights intersect with the government’s pre-emptive power to force its will upon them, he said: “The scope and scale of Russian surveillance are similar to the disclosures about the US programme but there are subtle differences to the regulations… We know from Snowden’s disclosures that many of the checks were weak or sidestepped in the US, but in the Russian system permanent access for Sorm is a requirement of building the infrastructure.”"

Data privacy with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.
SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can signup for this product at SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.


Google’s new policy poses privacy risks

Posted by on Oct 15, 2013

Image from http://www.jeffbullas.com/


Google has made an announcement recently that it will be modifying its Terms of Service. As per the new policy, Google will include the names and profile pictures of users for product endorsements in its advertisements. The change will be effective from Nov 11.

The endorsements will come from the people who have signed up for Google+ accounts. As of now Google+ has 390 million active users per month. According to the new policy, if any user above the age of 18 likes something by giving it +1s, comments, and follows on Google properties, then his name and photo can show up in the Google ads. This policy is not applicable to users under the age of 18. For example, “if you search for “Italian restaurants,” you might see an ad for a nearby restaurant along with your friend’s favorable review. Or, in Google Play, you might see that another friend has +1’d a new song or album”. In explanation of the changes the company said, “We want to give you — and your friends and connections — the most useful information. Recommendations from people you know can really help.” This information will only be shown to the people whom you have chosen to share the content with (friends, family or others). However it is possible that people who do not use Google+ will be able to see the endorsements based on public content.

Google has introduced a new feature called “Shared Endorsements” that enables you to take control over the use of your name and photos in endorsements. You can opt out of the ads by turning off your Shared Endorsements setting. This change only applies to use in ads. Your photo and profile name can still be used in other Google services like Google Play.

Image from http://www.insidefacebook.com


Google seems to be following in the footsteps of Facebook, which made a similar announcement in the past. With Facebook’s “Sponsored Stories” feature, users’ faces and names show up in ads about the products they have clicked “like” on. But unlike Google users, Facebook users cannot opt out of this service. This feature was extremely disliked by Facebook users and suffered severe backlash from security experts. This policy also resulted in a class action lawsuit, which claimed that the company made changes to its privacy settings without notifying the users. Facebook paid $20 million to settle the lawsuit and has proposed to clarify how user names and photos will be used in the ads to implement the change. However, the implementation of the new policy is still pending and has been sent to the Federal Trade Commission for further review. The FTC is reviewing Facebook’s new policy to determine if the change has violated the company’s 2011 privacy settlement with the federal government. That agreement required Facebook to give adequate notice of changes in privacy policies and to make sure users aren’t misled about how their data is going to be used.

Google’s new move has also led to protests by Google+ users. According to a report on CNET, some Google+ users have changed their Google+ profile pictures to that of Google executive chairman Eric Schmidt. That way, Schmidt’s face would show up alongside any endorsements pulled from those users’ accounts.

Image from http://news.cnet.com/


The privacy concerns about Google’s new policy have also prompted Sen. Ed Markey (D-Mass.) to send a letter to the Federal Trade Commission asking it to evaluate Google’s new policy of including user names and photos in advertisements. “Without users’ explicit permission, Google should not take consumer posts and turn them into product endorsements,” Markey said in a statement. He has asked the FTC to review Google’s new policy and determine if it violates an earlier agreement that the firm made with the FTC on privacy policy. Google has not commented on Markey’s letter.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.
SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can signup for this product at SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.