As I covered in a previous post, I use an online backup service as part of my backup strategy for my laptop. When I wrote that post I was having horrible problems with Mozy and decided to evaluate other options.
After considering a number of factors I decided on Backblaze and so far it has worked exactly as promised without excessive resource and CPU usage like the old mozy client. However, the problem is that now only my laptop is protected from dataloss. I still have a linux machine (Debian) that needs to be backed up and I have been searching for a product that would allow for unlimited storage and secure backup.
Enter SpiderOak. As I mentioned in my older post, I looked at spideroak and thought it looked like a really good solution. I mean who wouldn’t like true zero knowledge privacy (unlike Mozy) and clients for Windows, Mac and Linux?
While doing some more testing tonight I realized that the SpiderOak client does not verify that you know your current password when you go to change it. What does this mean? Well, if someone steals your computer and wants access to your data on SpiderOaks servers, all they have to do is change your password and they are in. In addition to this, you don’t have to know the current password to restore files from any computer in your “network”. What does this mean? Anyone with physical access to your computer has access to everything you have backed up with SpiderOak. No thanks, until this glaring security hole is fixed I’m not going to be using SpiderOak for anything sensitive.
So what am I using to backup my Linux box? Duplicity+S3. Duplicity has it’s own issues, primarily that it requires a large number of arguments and has no graphical restore functionality, but it’s working well for me.
WOW: Pertaining to your post, we do apologize greatly for the oversight and we will add this verification step to our next release (due out in another week or so). Additionally, we are also adding the preference option to enforce the password verification anytime the application is opened. Thank you again for your consideration and interest in SpiderOak.
WOW: I was reminded by our development team that the reason we do not require a password when changing your current password is to allow users who have forgotten their password to enter in a new one that they will then remember. As we do not store the password this is the one way a user can still gain access to their account if they have a client running on a machine. That said and per my note above, we will add this as a preference option so that you can control the applications function. Thank you again for your interest.
First off, ERO thank you for replying to my post. I was surprised to see a personal reply.
I just downloaded the latest version of spideroak (3.6.9643) and the option you mentioned is still not present. Any idea what the ETA is on this? Also, to solve the problem of allowing a user to reset a forgotten password without knowing the current password, what about using another piece of information from the user? For example, you could ask the user to enter their birthdate and mothers maiden name.
Birth date and maiden name are both exceptionally easy to find out and any shuch test would compromise security grately. I’m in no way affiliated with SpiderOak, but the way they do it is exactly how it should be! You are suppose to prevent physical access to your computer at ALL TIME!
E.g. by locking the screen EVERY time you leave your PC. There are numerous other ways people can exploit an unlocked computer. A good attacker can read the password from the RAM of your machine or calculated it from the cleartext data you want to backup and its encrypted chunks sent to SpiderOak. Even Firefox will just show you saved passwords, because its so easy to get them from an unlocked PC. Even the highst encryption standards for hard drives are not secure if an attacker has access to a running, unlocked machine. Its just the way it works. Its only truly secure, when is encrypted and turned off or when you can be sure no one tempered with it because while it was unlocked.
If this really bothers you, you can enable the “Ask for password at startup” option for a little moore (false) security.