About DCDawg


  1. If anyone is interested, I figured it out... Rather than creating the information in text, I added HTML markup tags including using the <a> tag for the link. Using Workflow's action to convert HTML to Rich Text, I converted the HTML to Rich Text and had the three lines saved as Rich Text. After running the Workflow, the information was appended to the proper note in the proper format, including the link! I wondered how I could save a webpage in the proper format. I started playing and then wrote a small stub of Rich Text (yes, I know how to manually write Rich Text format). I sent that stub to Evernote and it formatted! SIMPLE! :-)
  2. I am a big fan of Workflow on iOS (see workflow.is) and decided to use it as part of my blog to save the links to articles I share on Twitter. Everything works fine including appending the link to the designated note. However, all of the information in the note is saved in plain text. I would like the link to be interpreted as a link, not just plain text. All links include the protocol designator (http:// or https://). Normally, when I copy and paste a link in Evernote it will interpret the text as a link and make it clickable. However, when I add the lines using Workflow, all I get is plain text even though the link is http://...(whatever). Is there some way that when Workflow appends the link in Evernote that it can be recognized as a link? If I convert it to an HTML message, will it be interpreted correctly?
  3. According to the Google API for their encryption service, the client holds the keys. If Evernote assures us that the data at rest will be encrypted and that they will control the keys, then most of the discussion about Google and their proclivities for data mining is irrelevant. How about it, Evernote, can you comment on key management using Google cloud services? Who holds the keys (e.g., servers v. clients)? Who is responsible for managing the keys? Is there a key management and key recovery plan?
  4. 1. The FedRAMP question was not one of being compliant but of being a reviewer of their attempt at being FedRAMP compliant and finding issues that I would want addressed before any testing. I don't know what Evernote's "security review process" consists of, but I have questions about their abilities to meet basic requirements. Your last sentence in #1: "... but moving into Google Cloud Platform does help with built-in capabilities like encryption at rest." Are you saying that you will be using encryption for data at rest? If so, I remember reviewing their documents and was concerned about their key management process. Key management is difficult and I have seen very few do it right. I am not sure that Google is doing it right based on what I have seen. Maybe Evernote should be looking at alternate key management capabilities because I think that the risk to users may be leaving you open.

     2. Many services have had the "oops, I'm sorry" moment regardless of their SLAs and TOS. Google has an aggressive reputation for data mining. If the encryption keys are being managed by Google and Google's services, what assurances do we have that there will not be an "oops, I'm sorry" moment? As part of the privacy of the user's data, will the notes be encrypted point-to-point? This means that the note is encrypted on the user's computer or device, transmitted to Google encrypted, never decrypted but stored on their servers? This means Evernote's services cannot read them and all processing is being performed on the client. In that regard, what is Evernote doing to protect the browser users against browser hijacks? I am assuming Evernote is using Google as an IaaS and PaaS service. This means that the protection of the data falls on Evernote's programs. Would this mean that Evernote manages its own API for creating interfaces or will the clients be using Google's APIs to interact with our data?

     In case you were wondering: yes, I do this information security stuff for a living and have been doing so for over 30 years and the last 20 years in the federal government. I know this stuff is hard which is why I am asking!
  5. Before you jump to any conclusions, the purpose of commercial cloud systems is to make it look like your system. If Evernote owns the namespace and publishes the Virtual IP (VIP) address under an evernote.com domain (for example), then it would not be a google.com or their 1e100.net alternate address. It would all depend where the DNS is maintained and the VIP is served. Again, I am asking Evernote to respond to my Infosec-related issues. If it is not something you want to publish, you have my private email. Use it!
  6. I asked a cogent question about security and privacy based on their and Google's claims yet I have not heard anything from them. Let's see if Evernote responds to the following: Having been involved in a review of Google's FedRAMP certification, it is difficult to trust Google's assertions of their security. The other certifications they mention are known to be less rigorous (ISO 27000 is close but the requirements are less than FedRAMP and PCI-DSS is far less than FedRAMP). This is NOT conspiracy theory. This is a serious review of Google's security assertions.[*] However, this would only be effective for the IaaS portion of the service. What changes for Evernote's security? Will Evernote undergo certification? While Google and their contract might say that your data is private, there is a risk of data at rest within a cloud infrastructure. Aside from the conspiracy theories of what Google will do, how can we know that Evernote is mitigating the risks to our data at rest? [*] Before someone says that their documentation is FedRAMP compliant, please read their words again. Their application engine has a few agency certifications. Their IaaS and services are NOT FedRAMP certified. Moreover, the application engine is distinct from their infrastructure which is not certified. Yes, I do this government infosec stuff for a living.
  7. Is Evernote going to respond to cogent questions or will they let this be a forum for some to vent?
  8. I don't know about the other alleged security certifications but Google has been trying to pass FedRAMP for nearly three years with no success. I have seen some of the artifacts from their FedRAMP attempts and what I saw was garbage. How can we trust Google when it can't even certify to FedRAMP standards? Also, I read Google's security info linked in the announcement and it says nothing about privacy. I want a guarantee that the data is not being manipulated by Google in any way. One thing Evernote can do is encrypt the data and hold the keys. Protecting data at rest would make me feel a little more comfortable.