Is Evernote safe from doxing? (i.e. Ashley Madison type hack)


  • Level 5*

There's really no such thing as a 100% secure system on the Internet. If you want to be 100% sure that no one will ever have access to your stuff then don't put it in Evernote (or anywhere else on the Internet).

Link to comment
  • Level 5*

I'm completely serious. If you have something that you don't want anyone to see then you shouldn't trust it to a cloud hosted provider.

Now I'm pretty relaxed about stuff so I put some personal information in Evernote; you have to have a balance between tin-foil-hat paranoia and usefulness. But do I trust Evernote to never get hacked? Absolutely not, because they will be.

Link to comment
  • Level 5*

Evernote is 'pretty safe' - the last issue they had didn't get as far as note content (as far as we know...) and given there's 150M users with databases spread across multiple servers you'd have to be pretty unlucky to be singled out, or even 'outed' as part of a specific group. Like Metro says - not impossible, but pretty unlikely. Equally if you're preparing plans for World Domination or recording your experiments in anti-gravity, I'd recommend keeping that on paper, or investigating encryption options - then it'd only be you and the gov'ment reading your stuff...

Link to comment
  • Level 5

For those who have personal stuff on Evernote, how safe is this against doxing?

Or is it not a good practice to put personal stuff on Evernote?

Can anyone comment on this?

 

Here are some comments from Evernote on the issue of security

 

https://discussion.evernote.com/topic/87847-evernote-data-or-business-continuity-in-event-of-data-loss-evernote-side/?p=375080

 

On Evernote podcast (#18) Andrew Sinkov, the Evernote VP of Marketing, said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.

Link to comment
  • Level 5*

other evernote staff have said they keep personal content on evernote servers. i wouldn't recommend it.

https://discussion.evernote.com/topic/88127-securing-documents-while-you-travel-in-evernote/?p=376496

however, it all comes down to the level of risk you are willing to tolerate in your own use case. for some people, nothing sensitive in any format goes onto an internet facing computer, much less the cloud, for others (me), nothing of a sensitive nature goes unencrypted onto the cloud. and, some people put anything there.

Link to comment

For me personally, it's the other way around...

Putting stuff on a cloud service is protection for when my laptop gets stolen or is lost in a fire or something.

So I look to Evernote/Dropbox as the place to store my personal stuff.

I couldn't sleep if my personal stuff would just be on a physical drive or a non-internet facing device, which is vulnerable to getting erased or lost forever.

Link to comment
  • Level 5*

Hmmn. I wouldn't regard the cloud as 'protection' - it's pretty much like asking your next-door neighbour to store your files on a spare disk drive. You're saving your stuff on someone else's computer, which in addition to 'being vulnerable to getting erased or lost forever' happens to be a lot further away than next door and accessible only when both you and it have unrestricted access to the Internet... I recommend backups. Lots and lots of local backups...

Link to comment

Ok, then how would you advise on my situation: I don't have a home. I'm a digital nomad, I travel around the world with only a backpack and work completely from my laptop and tablet. I stay at places for a couple of months at a time. This means that for me, there is no "local". At any time, my laptop could perish or be grabbed. The cloud is my only safety net. 

Link to comment
  • Level 5*

 

here is my advice:

http://www.christopher-mayo.com/?p=962

 

i'm not quite a digital nomad, but i travel 2 or 3 months a year overseas. i always recommend having stuff on an external drive (see link for two different types of backup i do), but spideroak (zero-knowledge encryption on the cloud) is probably a good idea for your case.

 

by the way, as a side note, doxing is when you scour the web for personal information about someone, put it together, and share it with others. it is often used as a way to personally identify anonymous posters to forums or to supply the world with the home address or other contact information of famous folks as well (trump infamously did this to another politician in a speech the other day). in your situation, there probably isn't a lot of address data or contact information out there to worry about. at any rate, if someone got into your evernote account without your permission, i think the proper term would be "hacking," and that would be something quite different, because evernote's servers (and the data on them) are far better protected than the content just floating around on the web.

Link to comment
  • Level 5*

You might be that exception that proves the rule... plus I'm madly jealous but way too old to do that sort of thing. In your situation I'd suggest using EN desktop on your laptop so you have a local copy of your database, and backing that up to DVD so you have your own copy of the content. Presumably there's someone you could mail that to on a regular basis, to hold in case of need...?

Link to comment

Thanks a lot for the tips.

Although I will not likely be dragging around hard drives or DVDs :-)

The laptop and tablet are heavy enough as it is.

Plus I feel unsafer with physical backups that can get stolen at any time.

I guess it'll just have to be

1. crazy complex password

2. two-step verification

3. remove my name, details from everything in Evernote so it can't get traced back in case of a doxing data-dump online

PS @gazumped, nobody is ever too old for anything!

Greets from sweet Bangkok ;-)

Link to comment
  • Level 5*


external drives are tiny these days (one sufficient for time machine can even fit on a thumb drive) and can be completely encrypted, so not a problem. laptops (the macbook) are also tiny. i've got a laptop and a macbook in my small messenger bag right now (traveling) and my bag (more of a murse) is no larger than most women's purses. as for the password, please read my recommendations here:

http://www.christopher-mayo.com/?p=288

 

and, you are right about age. There are old folks everywhere, though I wonder if Gaz would enjoy being an old guy in a tropical country :)

Link to comment
  • Level 5*

By the way, this is beyond the OP's question (which seems to have found a satisfactory answer), there are some interesting points to note about Ashley Madison, Evernote, and risk factors. 

 

(1) If you use weak or unimaginative passwords (non-random) you are more at risk in a hack.

http://www.zdnet.com/article/these-are-the-worst-passwords-from-the-ashley-madison-hack/

 

(2) Evernote is pretty strict about security. With two-factor authentication, a team looking out for hacks, experience with hacks, and a very public profile, I think our data in Evernote is relatively well-secured. I think there is lots of room for improvement (encryption), but short of that, it seems (to this amateur, at least) like they are doing pretty well.

https://evernote.com/security/

 

(3) The AM hack was probably an insider job, which is good, because it means it's not the result of some kind of internet-wide security hole. But, I think inside jobs might be the most difficult and important to prevent (Snowden was also an inside job). In fact, it may be that no one can prevent them completely. In such a world, I'd recommend being especially careful to encrypt sensitive data. Ideally, we'll get encrypted notebooks someday.

http://www.technewsworld.com/story/82455.html

Link to comment


It's the lack of encryption that is the problem. The data should be encrypted in transit through SSL, but if it's stored on their servers unencrypted, or even stored encrypted but they have the keys, then a hack could allow note contents to leak (not to mention government being able to compel Evernote to give them users' note data). The only way to ensure that your data remains private even in the event of a hack or government intervention is to use strong encryption that is "zero knowledge" or applied entirely at the client side with the cloud server never having access to the encryption keys. While I believe Evernote has some crude per-note encryption features, I've never used them as I don't particularly trust them and it's clearly not something that's been an Evernote priority.

If you want to use Evernote to store information that would ruin your life if it were to escape, you would need to pre-encrypt locally and upload the encrypted data as a note attachment. The contents of such would not be searchable through Evernote or easily viewed online. There are arguably better services for this type of thing.

Personally, most of what I put in my notes would not be life-ruining or overly embarrassing, so if it were to leak out I could live with it. Anything that I really don't want to leak (including banking information and other data that could be used to steal my identity) I keep on LastPass, which I trust much more to give me strong client-side encryption. LastPass or something similar is useful for password management anyway, so I highly recommend it.

 

I'm already a pro subscriber, but I'd pay more for a version of Evernote with strong security: Zero Knowledge folders that are client side encrypted with Evernote not holding the keys. In order to maintain at least some of the overall Evernote functionality (searching, etc) with these folders the client would have to handle indexing and searching without sending data to the server (just for the encrypted folders). I think this is doable but would require a real commitment to software development. Frankly, the slow evolution of the Windows client doesn't give me much hope that this is feasible, but maybe they'll surprise me some day.

Link to comment
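The "pre-encrypt locally and upload as an attachment" approach from the post above, as an added example that is not part of the thread and is not Evernote's code. It uses Node's built-in `crypto` (scrypt key derivation, AES-256-GCM); the `NOTE1` blob layout and all function names are assumptions made for this illustration.

```javascript
// Added example: client-side ("zero knowledge") encryption of a note before upload.
const nodeCrypto = require('crypto');

const MAGIC = Buffer.from('NOTE1'); // constructed format tag, not an Evernote format
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the passphrase; only the salt is stored with the blob.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Returns MAGIC(5) | salt(16) | iv(12) | tag(16) | ciphertext as one Buffer.
function encryptNote(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(MAGIC); // bind the format tag into the authentication tag
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([MAGIC, salt, iv, cipher.getAuthTag(), body]);
}

// Throws if the passphrase is wrong or the blob was modified while stored.
function decryptNote(blob, passphrase) {
  if (blob.length < 49 || !blob.subarray(0, 5).equals(MAGIC)) {
    throw new Error('not a NOTE1 blob');
  }
  const salt = blob.subarray(5, 21);
  const iv = blob.subarray(21, 33);
  const tag = blob.subarray(33, 49);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(49)), decipher.final()]).toString('utf8');
}

// What a server (or anyone who copies its disks) can do with the stored bytes:
// a plain substring search, which finds nothing in an encrypted blob.
function serverSideSearch(storedBytes, term) {
  return storedBytes.includes(Buffer.from(term, 'utf8'));
}
```

The blob returned by `encryptNote` is what would be attached to the note; the passphrase never leaves the client, which is also why the server cannot index or search the content.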

 

Hmmn.  I wouldn't regard the cloud as 'protection' - it's pretty much like asking your next-door neighbour to store your files on a spare disk drive.  You're saving your stuff on someone else's computer,  which in addition to 'being vulnerable to getting erased or lost forever' happens to be a lot further away than next door and accessible only when both you and it have unrestricted access to the Internet....  I recommend backups.  Lots and lots of local backups...

 

Ok, then how would you advise on my situation: I don't have a home. I'm a digital nomad, I travel around the world with only a backpack and work completely from my laptop and tablet. I stay at places for a couple of months at a time. This means that for me, there is no "local". At any time, my laptop could perish or be grabbed. The cloud is my only safety net. 

 

 

I'd say external hard drive and a local safe location (like a safe or safe deposit box) could work as well.

Link to comment

For those who have personal stuff on Evernote, how safe is this against doxing?

Or is it not a good practice to put personal stuff on Evernote?

Can anyone comment on this?

There are some good responses, and some that are a bit less.

 

History has shown that nothing is hack-proof, but in Evernote's case, there has been pretty good encryption (hash and salt) on passwords, so I think if you have a good password, and, even better, two factor authentication, your data is pretty safe.

 

The only completely safe option is everything in Local Notebooks, and back them up yourself. This does tend to remove the biggest feature of Evernote, so just using text files on a USB stick will be the safest, unless the USB stick gets lost or stolen.

 

There is no perfect solution, but for me Evernote is safe enough for my needs.

Link to comment

Archived

This topic is now archived and is closed to further replies.
