More Secure Dropbox Alternative

[c0dege3k]

I found a dropbox alternative called Spideroak (spideroak.com) that, as far as I can tell, is definitely more secure.

This is a quote from the "Engineering matters" page on the site:

With SpiderOak, you create your password on your own computer -- not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data.

I'm no security specialist or anything, but it sounds pretty good to me. Thoughts?

(and if you're gonna join use this link please :) https://spideroak.com/download/referral/78131cdb2e740f8b2b2bf6cd6eda5e15)

Edited July 2, 2011 by c0dege3k

[Infiltrator]

With SpiderOak, you create your password on your own computer -- not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data.

It doesn't really matter if the password is generated on your end or their end. One way or the other, they need to know who you are before you can login. Even though they don't know what your original password is, they have what's called a "digital finger print" or a hash of your original password. Which looks something like the one below.

5f4dcc3b5aa765d61d8327deb882cf99

When you create your password on your computer, their encryption algorithm will generate a hash of your password and upload it to their servers. To prevent an attacker from sniffing that hash, they use HTTPS on their website to secure the communication between your PC and their servers.

However if an attacker really wants to steal that hash of yours, he/she will need to find other ways to break into the system. Such as exploiting services or vulnerabilities in their software in order to gain access to the system.

[digip]

Problem I have with third party sites storage information is, people know that other people are storing info on these sites. So in the event they get compromised, your stuff does too. The fact that people found a flaw in Dropbox should come as no surprise. Skype for example, touted as being secure, was broken as well. So if you take any popular services, eventually someone will find a flaw, and this risks exposing all of the persons data. Look at the Amazon S3 issues, faced with people who don't know how to set the security settings for non-public access. DigiNinja has his s3 brute forcer which works great if your wordlist has the right combinations of finds. Its even easier to let Google do the work for you, although this is the easy way and won't nab everything there is out there, I just haven't got all day to try brute forcing s3 sites.

Mubix retweeted something today that was a link to 40 drop box alternatives. All that means to me is, 40 more places for people to have their stuff stolen or broken into, and its only a matter of time before its done. if you do decide to use any third party storage solution, encrypt that data BEFORE uploading to any site. This way, only you can open it, so long as you use something secure, like Truecrypt or AES type encryption schemes.

Edited July 3, 2011 by digip

[Infiltrator]

Agree with Digip, you should always take pre-cautions when uploading any personal information to third party services. Its not because they claim their system is 100% secure that you should trust their word entirely. Dropbox is still a very good service for storing information or data on a short term, but as an end user you need to be aware of its weaknesses too.

Encrypting your information is a must before it leaves your computer. That's the only security guarantee you will have if it falls on the wrong hands.

[_m3x_]

You Should try Boxcryptor 1st 2GB Free..

[Guest Deleted_Account]

I use wuala. It encrypts everything with AES-128 bit before uploading to their servers. It also only sends back your hash and NOT your password. Meaning they don't even know your password. I still upload PGP virtual disks but this is one of the most secure solutions out there that i know of.

[Infiltrator]

I use wuala. It encrypts everything with AES-128 bit before uploading to their servers. It also only sends back your hash and NOT your password. Meaning they don't even know your password. I still upload PGP virtual disks but this is one of the most secure solutions out there that i know of.

They don't what your password is, but they have your password hash stored in their database, correct!

[digip]

Best drop box alternative, external HDD with full disk encryption. Just have to remember to take it with you everywhere you'll need those files. The fact that all of these services are forced to hand over everything to the US or any other government when they ask for it(look at Microsoft's disclosure about its cloud services recently) means if someone wants access, they'll get to your stuff. So unless you encrypt with your own, high level encryption schemes before storing it anywhere, locally or 3rd party in the cloud, it doesn't make any difference what service you use, because the inherit trust ends once it leaves your machine and your control of where and how its stored.

[Guest Deleted_Account]

They don't what your password is, but they have your password hash stored in their database, correct!

Yes and no. They do what last pass does:

Username and password hashed SHA256 = encryption key

password + encryption key hashed SHA256 = Unique authentication ID

UAID + 256 bit SHA256 blob (Generated during first setup) hashed sha256 = Digest (This is what they store and compare).

Also note that SHA256 bit is a secure hash and hash functions are ONE way. This means there is NO way anyone can get your password from the hash short of trying EVERY possible combination. That will take along time to calculate every SHA256 combination and then look it up to figure out the password. The attacker would have to repeat this 2 times (even more unlikely).

Also I ONLY upload PGP Volumes encrypted with AES-256 Bit. So they now would have to break a second layer of encryption to get my data. (This isn't anything that needs a ton of security anyways anything like that is on a HDD Encrypted with AES256 or my IronKey flash drive (AES256).

I do understand the risk but none-the-less that set up is secure and does mean no ONE but you has access.

Edited July 13, 2011 by x942

[Infiltrator]

Yes and no. They do what last pass does:

Username and password hashed SHA256 = encryption key

password + encryption key hashed SHA256 = Unique authentication ID

UAID + 256 bit SHA256 blob (Generated during first setup) hashed sha256 = Digest (This is what they store and compare).

Also note that SHA256 bit is a secure hash and hash functions are ONE way. This means there is NO way anyone can get your password from the hash short of trying EVERY possible combination. That will take along time to calculate every SHA256 combination and then look it up to figure out the password. The attacker would have to repeat this 2 times (even more unlikely).

Also I ONLY upload PGP Volumes encrypted with AES-256 Bit. So they now would have to break a second layer of encryption to get my data. (This isn't anything that needs a ton of security anyways anything like that is on a HDD Encrypted with AES256 or my IronKey flash drive (AES256).

I do understand the risk but none-the-less that set up is secure and does mean no ONE but you has access.

Too many layers of encryption that is bloody secure, I doubt anyone would be able to break that.

Thanks for sharing that.

[Guest Deleted_Account]

Too many layers of encryption that is bloody secure, I doubt anyone would be able to break that.

Thanks for sharing that.

No problem. I trust Last Pass more. Mainly because they have not only shown that's their method but also because they have gone to great lengths to give evidence of it. Also Steve Gibson (GRC and Security Now!) Love's it and claims it's great and they covered everything which was enough to sell me on LastPass.

Wuala still needs to prove to me it's as good. Until than only Encrypted Volumes are being uploaded.