 MxxCon join:1999-11-19 Brooklyn, NY | reply to Da Geek Kid
Re: For Online Backup...
Read some more details of what exactly they are encrypting with blowfish and aes. And just because they say they use blowfish or aes, doesn't mean they use it properly. Just read »www.elcomsoft.com/download/BH-EU-2012-WP.pdf as an example of password managers that don't properly use standard encryption algorithms. CrashPlan refuses to publish their specs, so the best you can hope for is "Trust us, we are secure".
What part of "They also REQUIRE connection to their servers, even if you do local backup" did you miss?
-- [Sig removed by Administrator: signature can not exceed 20GB]
 2 edits | Ok. So, I am sorry, where do I find the exact tech spec of BackBlaze's security process?
Eh, that link is irrelevant to CrashPlan as there's no remote mention of it.
»datasafemag.com/top-10-online-ba···ankings/
BTW -- did you mention BackBlaze supports Solaris and Linux? 'Cause it does not.
 MxxCon join:1999-11-19 Brooklyn, NY | I don't give a fuck about what BackBlaze does. We are talking about CrashPlan here. A few months ago I contacted CrashPlan support. Request #141900

I asked them:
If I set up an offsite/peer-to-peer/friend-only backup and for whatever reason your servers are not available, what's going to happen to my backups? What about the situation when I set up a private encryption key?

Michael W. of CrashPlan replied:
You would not be able to process a backup or restore without being able to communicate with the servers, we do this as a security checksum. If we were to go out of business, or discontinue the software for any reason (which is unlikely) then we would remove that requirement from the software.

I asked:
So I must be able to communicate with your servers even when I do local backups/restore? I am worried about some situation during a catastrophic failure/outage that I need to recover my data without internet connectivity.

His reply:
Yes, you do need a connection to the internet to backup or restore any files with the software, even if it is a local backup.

I also asked him:
What functionality/tools/proof do you have that you are doing what you claim you are doing? How can I confirm to myself that you are encrypting my data only with my private key and there's nothing going on such as you don't include your own key in there?

He replied:
While we do not furnish any direct "proof" you can test those scenarios on your own. If you use the data key encryption and someone tries to use the wrong key to access your data from a remote system, it will wipe the archive.

I followed up:
I'm not so much worried that somebody will try to use the wrong private key to access my data, but rather that you are encrypting my data with my private key and not your key to which you have access. I'm looking for a technical analysis similar to what was done with LastPass here »blog.tinisles.com/2010/01/should···ass-com/

He did not reply. So it's safe to assume they don't do proper security on your data, and they REQUIRE connectivity to their servers, even if you do local backup.
-- [Sig removed by Administrator: signature can not exceed 20GB]
 | Props on that... now, with all that in mind, how do you presume Cisco, Google and others trust them enough to use CrashPlan as their solution?
 MxxCon join:1999-11-19 Brooklyn, NY | I question that claim that Cisco, Google and others trust them as a whole company. I wouldn't be surprised if it was just a single purchase for a single license for personal use or just for the sake of completeness during an evaluation process. I can claim my website is "used by Google" if I see just 1 hit from Google's IP. We don't know and they don't say specifics of how it's used at Cisco or Google. Maybe they back up their spam folders and don't care about privacy or integrity of that data.
-- [Sig removed by Administrator: signature can not exceed 20GB]