
(Archived) Are my notes private at work?


Gusterman


I rely on Evernote at work to capture every thought that goes through my head. Some of these thoughts are not related to work, and some are not necessarily compliant material. I believe my cached notes are being saved in my C drive.

It is a normal practice at organizations to warn employees that, for example, corporate communications such as e-mail, are not private, and every message is able to be read if necessary.

I use my own Evernote account at work, as opposed to a corporate account. (Working in web development, I have some liberties as to what I can install on my work computer.)

The way Evernote is built, is there a possibility that the organization could peek into my notes or otherwise access them?

Sincerely

G

Link to comment
  • Level 5*

Yes, your notes database is stored on your local drive, if you use the Windows client. You could use the web client, if you wanted access to your notes at work; that's accessed via https:, so that would be secure, on the other hand, your browser has a cache, so that could be a problem. There are also mobile clients for, for example, iOS and Android devices, so if you have mobile Internet access or Wi-Fi, that's a possibility, as well.

Link to comment

No. Ultimately, nothing is truly private on a computer you don't own.

Sorry, but that's the truth of it.

They may be "private" in the sense that they cannot see them on an ongoing basis, but anything on that computer is available to your employer whenever they want to look at it.

Link to comment

You can get a decent degree of security in your current setup by using an encrypted USB device to store the Evernote database files.

I use TrueCrypt but you may need administrative rights to install it. Otherwise there are plenty of self-encrypting USB devices on the market.

Once you have one of those in place, just set the location of 'Evernote local files' in Evernote's options to be a folder on your encrypted device.

Link to comment

your notes database is stored on your local drive.


'Local' as far as Evernote is concerned means on a device attached to your computer.

In fact with TrueCrypt it's not necessary to have a separately encrypted device, you can just create an encrypted file container and use that to store Evernote's database. The encrypted file container is an encrypted file that can be mapped to a drive letter and treated as a local disc.

Link to comment
  • 6 months later...

Hi,

I like Evernote very much and have been using it for a long time. I also recently upgraded to Premium for one and only one very simple reason, a very tiny minor feature - PIN lock for my Android app. I'm somehow OK with the potential security risks that come with storing personal data in the cloud, however, I'm more aware about what I store locally on my device (a smartphone, PC, laptop, etc.). So with the PIN lock my local security was in line - the Windows client I use is secured with the password of my account.

So, today I was modifying some settings in the Windows client when I noticed that I can choose the location of the local databases the Windows client uses to cache the data in my Evernote account. I immediately went there and tried opening the snippets and main database files and guess what? Voila! They opened and every bit of info I'd put into Evernote was there, accessible to everyone interested. There's lots of other info in these files, which is not human readable but the content of all notes is there. (Additionally, there is a folder, attachments, which contains images for me and probably other stuff for other users - yes, completely unprotected.)

I'll try to put this mildly - this is a joke. I know - almost everything that has a lock can be unlocked. However even the minor trace of security is missing here. Yes, the encryption Evernote is using for transmitting your data over the wire is weak. But it's there. What if my device gets stolen and a malicious person goes there and just opens these files and gets all of my data without any effort? I don't want to test this on my Android device, which is the most vulnerable device I have in terms of security, because I'm afraid of what I might discover there.

Is it so hard to encrypt the local files and decrypt them when the user logs into the client and encrypt them again when they log out?

Please consider this as a Feature Request.

Regards,

A big fan and an Evernote evangelist in my social circles.

Link to comment

This has been discussed at great length already. Please search the board on security & encryption for more info. And to clarify, PIN codes typically only keep someone out of the app. They do not encrypt or hide the database or work files from people who are tech savvy enough to dig around in the bowels of your hard drives.

Link to comment
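The point made in the reply above, that an app PIN does not encrypt the files on disk, can be checked directly. The following is an added example, not part of the original thread and not Evernote code: it classifies each file in a folder as plaintext SQLite, other plaintext, or high-entropy (encrypted or compressed). That the note cache is a SQLite file is an assumption the thread does not state; the file names, sample data and thresholds are constructed for illustration.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of every unencrypted SQLite 3 file

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_at_rest(path: str, sample_size: int = 65536) -> str:
    """Judge from the first bytes whether a file is readable without a key."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if len(sample) >= 4096 and shannon_entropy(sample) >= 7.5:
        return "high-entropy"  # encrypted, or merely compressed (JPEG, ZIP)
    return "plaintext-other"

def audit_folder(folder: str) -> dict:
    """Map each file under folder (relative path) to its classification."""
    results = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            results[os.path.relpath(full, folder)] = classify_at_rest(full)
    return results

def build_sample_folder() -> str:
    """Constructed sample data: a note database, a text file, an opaque blob."""
    folder = tempfile.mkdtemp(prefix="at_rest_audit_")
    db = sqlite3.connect(os.path.join(folder, "notes.db"))
    db.executescript("CREATE TABLE notes(body TEXT); INSERT INTO notes VALUES('constructed');")
    db.close()
    with open(os.path.join(folder, "snippet.txt"), "w") as fh:
        fh.write("constructed sample text\n" * 400)
    with open(os.path.join(folder, "container.bin"), "wb") as fh:
        fh.write(os.urandom(65536))  # stands in for an encrypted container
    return folder

if __name__ == "__main__":
    for path, verdict in sorted(audit_folder(build_sample_folder()).items()):
        print(f"{verdict:18} {path}")
```

Files on a mounted encrypted volume read as plaintext while the volume is mounted, so run the check against the container file itself or against the folder as it appears with the volume dismounted.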
  • Level 5

Not just local but system wide.

After the coordinated hacker attack into Evernote's password (hashed and salted) database in March, Evernote came up with 3 new security features.
http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/

The Access History is interesting, but should be checked regularly.

Unfortunately, Evernote continues to rely on 64-bit RC2 crypto.
http://evernote.com/contact/support/kb/#/article/23480996

 

It would be reassuring to see Evernote increase their security from the rather archaic and easily broken 64-bit RC2 to a more robust 256-bit AES.
 

Link to comment

If you can't trust the physical security of your PC, then encrypt the files with Bitlocker, TrueCrypt, etc. Same goes for every other device, I don't bother with the Evernote PIN on my Android device, I encrypt the whole device and have it lock after 30s automatically, that protects everything.

 

It's not the application's job to deal with file encryption etc on a device in my opinion, there are too many potential vulnerabilities that can never all be anticipated adequately. If you're worried about your Evernote files being picked apart, surely you have other files that are similarly vulnerable (in my case it's mainly the stuff I can't entrust to Evernote due to security concerns, sadly).

 

Also I'd dispute that Evernote's encryption over the wire is weak, I haven't checked, but I expect it's 128-bit SSL or better. The RC2 encryption available within individual notes is laughably bad though, they're almost better off removing that feature if they can't or won't implement something credible.

 

On a related note, if EN could implement client-side en/decryption of what gets stored on their servers I'd be able to use EN for just about everything I do. Until then, I have to restrict its use practically to what I'm willing to reveal to the world. Until last week I was only worried about hackers breaking into EN, but it turns out I also have to consider the US government poking around :-(

Link to comment

Archived

This topic is now archived and is closed to further replies.
