Insights For Success

Strategy, Innovation, Leadership and Security

Review of SpiderOak encrypted online storage

GeneralEdward Kiledjian

Right or wrong, Edward Snowden has become the poster child for online privacy. He has been adamant that anyone interested in true online security should stay away from the name brand online services : Dropbox, Facebook, Google, etc.

Trust No One Security

Before we talk about SpiderOak, this is a good time to write about TNO (Trust No One Security model). This is a philosophy that dictates that anytime security is needed, strong encryption must be applied and the keys to that encryption must be kept in the hands of the user. 

As an example, anytime you conduct online transactions with your bank, you connection is encrypted using end-to-end encryption (TLS) but the keys are held by the bank and created by a certificate authority. Either of those 2 can therefore intercept and decrypt the traffic if they have malicious intent. 

In the TNO model, the provider does not hold the keys to the kingdom and cannot therefore decrypt or access the data in its native format. 

Anytime a provider has the capability of resetting your password, it means it is NOT TNO and it means the provider can access your data. If they can access your data, that means a hacker may also be able to compromise their systems and access your data.

What is SpiderOak?

Unless you are a techie or a security person, you probably haven't heard about SpiderOak. Short of rolling your own cloud service, SpiderOak is the most secure commercially available TNO cloud service around.

The key to the magical security they provide is that your client encrypts all of the data on your computer before being sent through the security hostile internet to SpiderOak. They cannot see the content and if you love you password (aka encryption key), you have to create a new account and restart from scratch.

So you get Dropbox, Google Drive and Microsoft OneDrive like features, without having to trust the provider. 

Why is TNO important?

Governments are becoming very hostile towards individual privacy. The Snowden leaks have shown that the secret FISA courts allow law enforcement to compel the turnover of user data without having the ability to notify them. With most cloud storage companies, this means they (or a hacker) can gain access to your data and then do with it whatever they want.

With SpiderOak's encryption model, they can turn over your encrypted data but they do not hold the decryption keys. The encryption is strong enough to make forced automated decryption unpractical. This means they would have to secure a court order and force you to hand over the decryption keys.

If a hacker does compromise the SpiderOak servers, the data is once again encrypted and therefore unusable by these bad actors. 

It also means they are not and cannot use your data to profile you. 

SpiderOak features

So you are convinced they offer the kind of security you want. What about features you say.

First and foremost, they offer automatic (on change) backups. This is a set and forget model that works in the background.  There is no file size limit. There is no file type restrictions. No bandwidth control or throttling on their end (some providers slow down your connection if you try backing up large amounts of files to protect the responsiveness of their service for their entire user population). 

It can backup mapped (external USB connected) drives. 

Any issues with SpiderOak?

Files are encrypted on your device and SpiderOak cannot access them unencrypted so they are unable to offer offline file delivery (sending you a hard drive with your files). 

Anytime my computer is disconnected for a while, Backblaze sends me alerts notifying me it hasn't been able to backup my files in XX days. SpiderOak has no such notification mechanism. They could implement this even with the TNO model.

During my testing, I simulated an unreliable WIFI connection to see how the client would react and eventually it hung. Even when the connection became stable and on for 8+ hours, the client stopped backing up. Rebooting didn't help. I was forced to uninstall the client, reinstall it and create a completely new backup set. This was a bit annoying. The doubly annoying issue was that support is only available through email. Support seems to be available during standard north american business hours and usually response takes 5-8 hours.

Another issue is that although they offer mobile clients (IOS and Android), those clients are read-only (aka you can't upload content). SpiderOak did say they are working to add this functionality but they didn't provide any timeline. "Currently, you are unable to upload documents using the Mobile Application. We are working on including this feature in a future release." (mobile info)

There is no way to identify a connection as "metered" and tell it not to backup using that connection (like a pay per use WIFI LTE hotspot).

Not a technical issue but the pricing is a bit more expensive than I would have hoped. I am willing to pay more for security but wish they offered more storage with each paid tier. 1TB of storage on Google and Dropbox costs $9.99 a month.

My experience

Overall my experience was good but not great. Because plans are capacity based, you can sync as many devices you want. Because everything is encrypted, there are no file type restrictions. 

Versioning worked well. They seem to use a bit level delta storage function which means you aren't consuming space for the entire file with every version.

SpiderOak provides tones of information about security. 

Files can only be permanently deleted from the original device they were uploaded from. This is a great feature.

You can right click on any folder (or file) in Windows explorer or the Mac finder and ask SpiderOak to back it up. Easy. 

You can download backed up files to any computer via the web interface.

Conclusion

There are small annoying things I would like them to solve but no major show stoppers. My biggest gripe is not being able to upload via mobile or Chromebook. I really wish they would solve this. 

Outside of that, I like everything else I have seen and think they should be your go to provider for safe and secure online storage.

Related articles:

  • Bruce Schnier on TNO here
  • Steve Gibson on TNO here.

Why you need a Glo-toob LED powered Glow Stick

GeneralEdward Kiledjian

Each year, I test hundreds of new and different items that compete to find a place in my everyday carry kit (EDC). To be clear, my EDC is build for the urban environment and not wilderness survival. 

4 years ago, I tested and fell in love with the Glo-toob lights and it has been part of my kit ever since. I just realized I have never written about it an wanted to share it with you. 

Why not use a cheap glow stick?

Anyone that is building a serious EDC kit knows that you need redundancy. My main everyday carry (EDC) flashlight is the OLight S15R baton with a rechargeable battery. My secondary flashlight is the Ti3 by thrunite (which uses easy to find AAA batteries). there are times when you need a glow stick type of light and for those times, I rely on the Glo-Toob.

Why not use a cheap $5 glow stick? The typical (even high quality) glow stick or Chemical light stick is first and foremost not environmentally friendly (it is disposable and an environmental pollutant). Anyone that has carried them knows that they leak (which also means it won't work when you need it). Plus once you activate it, that's it.

Most of the time, I need it for 5 minutes, 60 minutes or even 180 minutes but that's it. With a chemical glow stick, once you activate it, it's end of life. 

Why I chose the Glo-Toob

I knew I wanted something else as my everyday carry glow stick alternative, but it took several tries until I found the Glo-toob.

First thing you notice is the solid construction (it can withstand the rigors of constant travel and being bumped in a pocket, bag or briefcase). It's waterproof to 200 feet (60 meters). I have taken it night scuba diving to 135ft and have never had issues but it's most common use is in rain or snow and it has worked flawlessly.

It is a small rounded cylinder which means it is small enough for everyday carry. This is something you overlook until you start carrying it all the time. Small and light are critical and the Glo-toob is 10/10 on both points (weights 34g with the battery).

It can be powered with different types of batteries (depending on the model) but I chose the AAA powered one (Original GT-AAA). As I travel and carry this with me, I need to know that I can buy the required power source for my gadgets easily and AAA batteries are available in every street corner anywhere in the world.

The last point was that it had to provide a 360 degree stream of light (similar to a glow stick), which it does. 

Using it

I own 2 GT-AAAs: one with a white LED and one red a one. It has 3 modes (you activate by twisting the cap on and off) high intensity (100%), low intensity (25%) and rapid strobe. Other models offer up to 11 modes and I saw a Chinese competitor with 21 modes but... and the but here is that simple is better. If I need to use this in an emergency, I don't want to fiddle with my EDC gear. By having only 3 modes, choosing the right one is simple.

In low power mode, it is a great long lasting marker light that you can strap on a dog collar or backpack. In high powered mode, it is a great emergency light (during a power outage) or a light you can give the kids without worrying about it breaking.

I have used it while camping to mark our campsite. I have used it when I had to stop on the side of a busy highway at night as a safety beacon. I have used it as a market when canoeing at night. I have used it during power outages and once when  I was stuck in a stopped elevator.

I have used it in high powered mode for about 6-7 hours (with a single AAA battery).

Negative comments

When working on a review, I scour the internet looking for comments (positive or negative) from other users. In this case, I saw a handful of comments touching similar points and I wanted to address these ones:

  • disappointed by the amount of light : this is not a flashlight replacement. If you buy it thinking it is you will obviously be disappointed. This is a replacement for a chemical glow stick.
  • leaked during a dive : With over 85 dives under my belt, I can tell you that I have lived through all kinds of equipment failure at depth. That's one of the reasons everything is done in twos. You never dive alone, you have 2 regulators, etc. Anytime you are in a remote location (whether on land or in the water), you need backups for all your primary systems. Failures happen either because the gear is defective, improperly maintained or improperly used. 
  • worked only a couple of times : I have 2 of these lights and other friends have bought them after testing my units. My units have been in my EDC kit for 4 years now and even after diving, camping and being abused in torrential rain and deep snow, they perform flawlessly. Of the 10 or so units owned by friends and acquaintances, none have failed. It's important to realize that any electronic product can fail and buying it from a reputable reseller (like Amazon) means you have someone to contact if you do need a warranty replacement. 

The Chinese knockoffs

Search AliExpress.com for Glo-toob, EDC warning light or a combination of these types of keywords and you will find hundreds of listings selling these types of tubular lights. I ordered 3 of them ranging from 8.99-14.99 and most ended up being branded EDCGear. 

These are cheap knockoffs and you can feel it immediately. The plastic is light and flimsy. The units have cheap O-rings and none of them lasted more than a couple of uses. The light quality wasn't as good. Build and construction weren't as good and all 3 died immediately when I performed the sink dunking water test (even though they were marketed as waterproof). 

Sometimes the Chinese versions as just as good but this is not one of them. Save yourself the frustration and buy the original from a retailer that will stand behind the warranty.

Conclusion

Priced at around 4-5 times the price of a high quality chemical glow stick, these Glo-toobs are a great investment and will quickly become part of your EDC, camping and survival gear. I love them and recommend them.

Encryption isn't just for terrorists

GeneralEdward Kiledjian

It seems every time there is a terrorist attack, governments around the world use it as an opportunity to chip away at encryption. The latest attack was the UK Home secretary, Amber Rudd, who called WhatsApp's end-to-end encryption "completely unacceptable". She then adds that there should be “no hiding place for terrorists”.

Encryption is publicly known mathematics and there is no way to put the "cat back in the bag". If encryption is banned for law abiding Joe and Jane public, it makes everyone less safe but terrorists will simply use their resources and public encryption libraries to write their own encrypted programs and do their evil work. 

Minister Rudd's comments are the clearly from someone that doesn't understand the technology and how it is the fundamental underpinning of our entire technological society. Anytime you perform online banking, file your taxes with the government online or request a government service, you are using an encrypted channel of communication called TLS. It is the technology that makes using sensitive services on the internet possible. 

Banning encryption would mean no more online shopping, banking or anything else that requires privacy. So banning would not be accepted by our always online generation.

Government would counter this argument by saying they "simply" want a back door and not a ban on encryption. A backdoor would allow intelligence and police to more easily perform investigations while keeping general encryption alive. 

As a security professional, let me be clear that this is simply not possible. The minute a backdoor is implemented, it becomes a vulnerability that threat actors would attempt to find and exploit (organized crime, nation-state actors, foreign rogue governments, etc).If the Snowden and Vault7 leaks have shown us anything, it is that even government has issues keeping secrets. The reason encryption works is that it is based on mathematics and remains perfectly secure even though all the protocols, formula and applications are well know. 

Creating a backdoor for the good guys means you are also creating it for the bad guys. 

The Vault7 leak showed that governments have already solved the Whatsapp encryption issue by hacking the end device. When hacked, government can see pre/post encryption messages and therefore they are able to get the information they need. Yes it requires more work but every job has its challenges. This would bypass the encryption of Signal, Whatsapp or any other encrypted communicator.

Terrorism is a bad thing that affects as all. It is the worst of humanity being manifested because of hatred and misunderstanding of one another. Politicians are targeting encryption because it is the easy target but it isn't the right one.

As a geeky security professional, I will always be able to protect myself by rolling my own encryption, but the general population won't. Considering everything about us can now easily be stolen from our smartphone, I'm worried about any weakening of encryption. Just think about everything stored on your device (location history, contacts, social networks, where you have been and what you have done, health information, etc) and how you would feel if someone had access to all of it without your knowledge. 

We need technically knowledgeable politicians that will fight the good fight (against terrorism) without trying to neuter good wholesome public protecting technologies. It's like saying we will ban pools because there were 3,536 fatal non-boat related drownings in 2015 (there are over 8M pools public and private in the USA). We can't let a small batch of rotten apples contaminate the entire batch of cider.

Your ISP is always watching, tracking and profiling you

GeneralEdward Kiledjian

The media loves stories about how Google, Facebook and Microsoft are tracking users and profiling them. These stories sell papers and draw in eyeballs. What they don't tell you is that your ISP actually has more visibility into what you do online than any of those giant service providers. 

If you don't see what the big problem is, read this article : How Target knows you are pregnant through data analytics. You may not realize it but the bread crumbs you leave behind are incredibly valuable to marketers, insurers and anyone else interested in using psyops to trick you.

Choose your ISP wisely

The most important fist step is choosing an ISP that will stand up for user privacy. When I moved to Toronto, I went with Teksavvy that seemed to have a more open corporate policy regarding the protection of customer information and at least says they try to limit data collection.

Choose an ISP (if possible) that has policies protecting you.

HTTPS

I have been extolling the virtues of SSL/TLS for 10+ years and Google gave the machine a kick in the but when it started favoring secure connection in its search results. Anytime you see https and that green lock icon near the URL, it means all traffic to and from that site is encrypted and cannot be modified, copied or eavesdropped on. All very good things.

A group of small to medium sites still didn't want to go through the cost and hassle of implementing TLS but a consortium called Let's Encrypt made the process easy through automation and free. Large internet site providers like Wordpress and Squaresapce jumped on-board and offered this as a checkbox addon to any site they host. So now there i no excuse.

As a user, you have to remember to force the connection to the secure https protocol (since most sites still support both and not all automatically redirect to the secure version.) Enter the free browser plugin called HTTPS Everywhere

 

HTTPS Everywhere

EFF makes this browser extension so that users connect to a service securely using encryption. If a website or service offers a secure connection, then the ISP is generally not able to see what exactly you’re doing on the service. However, the ISP is still able to see that you’re connecting to a certain website. For example, if you were to visit https://www.eff.org/https-everywhere, your ISP wouldn’t be able to tell that you’re on the HTTPS Everywhere page, but would still be able to see that you’re connecting to EFF’s website at https://www.eff.org

While there are limitations of HTTPS Everywhere when it comes to your privacy, with the ISP being able to see what you’re connecting to, it’s still a valuable tool.

If you use a site that doesn't have HTTPS by default, email them and ask them to join the movement to encrypt the web.

VPNs

In the wake of the privacy rules repeal, the advice to use a Virtual Private Network (VPN) to protect your privacy has dominated the conversation. However, while VPNs can be useful, they carry their own unique privacy risk. When using a VPN, you’re making your Internet traffic pass through the VPN provider’s servers before reaching your destination on the Internet. Your ISP will see that you’re connecting to a VPN provider, but won’t be able to see what you’re ultimately connecting to. This is important to understand because you’re exposing your entire Internet activity to the VPN provider and shifting your trust from the ISP to the VPN.

In other words, you should be damn sure you trust your VPN provider to not do the shady things that you don’t want your ISP to do.

VPNs can see, modify, and log your Internet traffic. Many VPN providers make promises to not log your traffic and to take other privacy protective measures, but it can be hard to verify this independently since these services are built on closed platforms. For example, a recent study found that up to 38% of VPN apps available for Android contained some form of malware or spyware.

Below, we detail some factors that should be considered when selecting a VPN provider. Keep in mind that these are considerations for someone who is interested in preventing their ISP from snooping on their Internet traffic, and not meant for someone who is interested in protecting their information from the government—a whistleblower, for instance. As with all things security and privacy-related, it’s important to consider your threat model.

  • Is your VPN service dirt-cheap or free? Does the service cost $20 for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.

  • How long has your VPN provider been around? If it is relatively new and without a reliable history, you’d have to trust the provider a great deal in order to use such a service.

  • Does the VPN provider log your traffic? If yes, what kind of information is logged? You should look for one that explicitly promises to not log your Internet traffic and how active the VPN provider is in advocating for user privacy.

  • Does the VPN provider use encryption in providing the service? It’s generally recommended to use services that support a well-vetted open source protocol like OpenVPN or IPSec. Utilizing these protocols ensures best security available.  

  • If your VPN provider uses encryption, but has a single shared password for all of the users, it’s not sufficient encryption.

  • Do you need to use the VPN provider’s proprietary client to use the service? You should avoid these and look for services that you can use with an open source client. There are many clients that support the above-mentioned OpenVPN or IPSec protocols.

  • Would using the VPN service still leak your DNS queries to your ISP?

  • Does the VPN support IPv6? As the Internet transitions from IPv4 to the IPv6 protocol, some VPN providers may not support it. Consequently, if your digital device is trying to reach a destination that has an IPv6 address using a VPN connection that only supports IPv4, the old protocol, it may attempt to do so outside of the VPN connection. This can enable the ISP to see what you’re connecting to since the traffic would be outside of the encrypted VPN traffic.

Now that you know what to look for in a VPN provider, you can use these two guides as your starting point for research. Though keep in mind that a lot of the information in the guides is derived from or given by the provider, so again, it requires us to trust their assertions.

Tor

If you are trying to protect your privacy from your Internet company, Tor Browser perhaps offers the most robust protection. Your ISP will only see that you are connecting to the Tor network, and not your ultimate destination, similar to VPNs.

Keep in mind that with Tor, exit node operators can spy on your ultimate destination in the same way a VPN can, but Tor does attempt to hide your real IP address, which can improve anonymity relative to a VPN.

Users should be aware that some websites may not work in the Tor browser because of the protections built in. Additionally, maintaining privacy on Tor does require users to alter their browsing habits a little. See this for more information.

 

It’s a shame that our elected representatives decided to prioritize corporate interests over our privacy rights. We shouldn’t have to take extraordinary steps to limit how our personal information can be used, but that is clearly something that we are all forced to do now. EFF will continue to advocate for Internet users’ privacy and will work to fix this in the future.

New US Border Control rules for Canadians

GeneralEdward Kiledjian

Since the tightening of US border entry rules, readers have been emailing asking:

What should I do when crossing the USA / Canada border?

Canadian readers (and non-US) travelers to the US wanted to know what the new tighter controls mean when crossing into the US. 

The first important truth most travelers need to accept is that "entering another country is a privilege and not a right". Although the controls may have tightened a bit, they haven't changed materially. Having visited over 40 countries in the last 30 years, I accept the fact that anytime I cross a national border, I am subject to the controls of that country and prepare accordingly.

The cardinal rule of information security is "know your risk". The first step is to determine all your risk factors (status entering that country, data you will be traveling with, travel history, your background, travel risk level of the region you are entering, etc).

Before you leave

  1. Minimize the amount of information you travel with. People often forget the treasure trove of information they carry on a daily basis. Your smartphone (as an example) contains all your contacts, login information for all your social networks, health information, GPS location history, networks you have connected to, etc. Anytime you cross a border (not just the USA but this applies to any national border crossing), the agents are tasked with protecting that county and may "take" any information you are entering the country with to determine your traveler risk. Do not take anything you wouldn't want to hand over.
  2. Minimize the amount of devices you travel with. This may sound stupid but I have seen business travelers cross the border with a personal smartphone, work smartphone, a personal tablet, a work tablet and a work laptop. Understand that anything you enter the country with can be seized or taken  for analysis. With all the Snowden, Vault7, Wikileak dumps, its clear that if a border agent touches your device, you shouldn't use it anymore. You should assume it has been permanently hacked. Where possible, do not bring devices with you. If you do, try to bring "disposable" devices you wouldn't mind throwing away if need be.

What should I do before crossing the border?

  1. Remove all information from your devices that you do not absolutely need to bring with you.
  2. Anything you could need, try to move it to the cloud and securely delete your local copy.
  3. Delete any apps from your smartphone for which you don't want to hand over login credentials to.
  4. If you use a password vault solution synchronized with the cloud, you may want to delete that (Lastpass, 1Password) and reinstall it after you enter the country.
  5. If you use a cloud synchronized 2-factor authentication solution, you may want to delete that (Authy) and reinstall it after you enter the country.
  6. If you can, leave the device at home. If you have a work phone, bring it with you but leave your personal back home.  Instead of bringing a tablet, try to load your content on the smartphone.
  7. If you can, travel with the least complex device possible (chromebook instead of a laptop or tablet instead of a laptop)
  8. Ensure device encryption is turned on.
  9. Turn off your devices before crossing the border.
  10. Switch the unlock mechanism from fingerprint to password based.

At the border

Never lie to a border agent. Never! Ever! Ever!

Any foreigner that refuses to comply with a border agent request (any border not just the USA) will likely be turned away and sent back to their home country. In extreme cases, you can even be bared from entering that country again.

This means that you are "forced" to comply with any request made by the border agent. If asked for your device password, you can provide it and cooperate or defy them. If you defy the request, they will likely take the device and send it for investigation while denying you entry (maybe even keeping you for secondary questioning). Either way, once you "lose control" of your device, you should assume it has been permanently hacked and that a clean re-install will not make it trustworthy again.

They may also ask you for your social media login information. Even if you do not have the app installed on your devices, they know you have an account and can ask for the credentials. Never lie. Refusing to cooperate can cause you to be detained for additional questioning and given an entry ban.

What should I do while crossing the border?

  1. Always be polite and respectful. Remember the agent is doing his/her job.
  2. Never lie. Always be truthful. 
  3. If asked to hand over a device or password, I would do it without putting up a fight. Once you are at the border, you have decided you are engaged and have to cooperate. 

After crossing the border

If your work device was accessed at the border, notify your company information security group immediately. 

If your personal device was accessed, you have to think long and hard about what you want to do. Know that there may be a permanent (un-removable) backdoor or tracker installed on the device. In some cases even a complete factory reset won't remove it. What do you want to do? In the security space, we recommend throwing the device away and buying a new one but this is a personal decision especially with a $1000 smartphone, tablet or laptop.

Also if they accessed your device or asked for your social media login information (username/password), assume they downloaded you social graph (all of your contact info and the contact info of your contacts). I would change all my social media passwords and double check my account information (email address, recovery phrases, telephone numbers, etc). Also notify your network that you lost control of your social media account and to be extra vigilant with requests and the information being shared with you. 

Other recommendations

If you travel to the US regularly, think about applying for a Nexus card (if you are a Canadian). Having a Nexus card means you have been deeply vetted and all of your fingerprints are on file. My experience has been that the Nexus has made crossing into the USA much easier. 

If you are a tech neophyte, take the time to read up on device security and security best practices. The truth is you are solely responsible for your privacy and security.