Loose Cannon

  1. We have a discussion going on this :
  2. BINGO. The URLs could be hashed in a new column in the Evernote backend. Then the Evernote clipper would be allowed to re-clip the same note at the browser or client end. When the new duplicate clip is received, its URL can be hashed and compared to the existing hash table. If the clip is a duplicate, the new clip should be discarded. It's as simple as that; no user interaction is required.

     Though as mentioned in some of the posts above, it would be nice if the clipper's color could be changed to a different color after clipping; at least that way, if you came back to an open tab that you've already clipped (at least in the same browser session), you'd know that you already clipped it. No back end to client communication is necessary for that. The web clipper could maintain a session-based ephemeral flag for URLs clipped in the current browser session, or it could maintain a permanent local hash set in a local webclipper db.

     /rant on BTW IMHO "it's too hard" isn't an answer that I would expect from "evangelists". An evangelist is defined as a person seeking to convert others to their religion. How useful is it for an evangelist then to resist product suggestions by saying "it can't be done that way" or "it isn't possible"? It is possible and it can be done, should be their attitude. Now mind you, I understand that there are many, many product feature requests from consumers that are simply inane, superfluous, or not possible from a business economics perspective. This particular feature isn't one of those. /rant off
  3. Evernote uses SSL as a crutch in lieu of providing actual security for the vast amounts of user data it stores on its servers. Our data is stored in plaintext, which means that any compromised servers would yield attackers unrestricted access to the entire database of any and/or all users. Because Evernote is such a rich treasure trove of data, it is only a matter of time before an APT attacker makes use of data stored in Evernote.

     What someone out there should do is build a plugin or extension to Evernote that allows users to easily PGP encrypt notes before sending them off to be stored. In fact, there is no reason you cannot do this already, other than that this process would not seamlessly decrypt your notes, i.e. you would have to manually decrypt the notes on each client platform.
  4. Evernote could help protect our privacy and help to make us just that little more secure if they stored our data in encrypted form on their disks. That way, if a hacker compromised their servers, our data wouldn't be stored in the clear. Two-factor authentication would also be a great idea.
  5. First they ignore you, then they laugh at you, then they fight you, then you win. - Gandhi

     My vote is definitely for improved password protection! I suggested this in my own post here:

     I also agree that some "Evernote evangelists" tend to have an abrasive attitude on this topic, while not displaying any knowledge of Best Computer Security Practices, especially when considering that cloud data storage is pretty new. See: Do You Encrypt Your Data? A Plea to Businesses from an Identity Theft Victim

     I am not trolling so I'll move on. The product should be enhanced in the future to support encryption. Evernote should not store your most personal data on disk in plaintext, period. If this presents a problem for the indexing paradigm/functionality they've employed, then they should give you the option of turning it off in favor of security, and/or should transition the indexing functionality to the client. I don't mind making my CPU work just a bit harder to search, even on mobile devices. There are many other things they could do too, like support Google-based, HMAC-based OTPs (one-time passwords) or even SMS notification when logging in from new devices, etc. My 0.02 cents.
  6. Thanks, I have read that and it answers my question #3. In that post an Evernote employee suggests that a Windows screen saver password would be better than a simple password check in the Evernote application. While this is true in certain contexts, I don't see a reason why Evernote doesn't encrypt (on closing) and decrypt (on opening) the local user database file using a simple symmetric encryption algorithm using the initial user-specified login password as the encryption key. This method would be much better than using a Windows screen saver password because it would prevent someone from accessing your Evernote data if your machine was stolen (like as in a laptop, or PDA) and the hard drive was removed and mounted on another computer.

     I don't see a way of protecting the Evernote databases by using drive encryption unless you are willing to encrypt your system partition. To ask users to do this to protect a single application is not realistic. Also, it is a bit of a stretch for non-technical users to be asked to run their primary OS on an encrypted partition. Evernote can be installed on other drives, but there is no way to make it use a different data directory (on a partition that is encrypted). Upon installation it does not prompt you to make such a choice if my memory serves me correctly, and please correct me if I am wrong. If the application does not provide a user with a choice, then it should assume the responsibility of protecting the user's data. I am not so much worried about my desktop but more so about my laptop and/or mobile device.

     One thing I would also like to point out is that it isn't necessary for the device in question to be stolen either. The data stored on these devices can be captured and read by malicious applications if you are infected, for instance, with a trojan or virus. Any attacker that gains access to your machine can copy and read your entire database. It is trivial to do so once the attacker has compromised the machine. Evernote stores the data in plain text in: C:\Users\%username%\AppData\Local\Evernote\Evernote\Databases

     Android and other mobile OS applications also do not store the data in an encrypted format. In Evernote's defense, the majority of mobile applications do not store your data using encryption either, making you an easy target for either a malicious attacker to steal your data, or for law enforcement to run forensic data recovery tools.

     Thanks, LC

     Disclaimer: the main impetus of this thread is not to expose details related to Evernote data storage, but instead simply to get real answers about real concerns regarding storing my data in the cloud. What happens if Evernote corporation ceases to exist for whatever reason, will my data be recoverable and secure? Or will the servers and disk arrays that host the data simply be sold off at auction, which in that case who knows who will end up in possession of my private data? I bring this up because it has already happened. Not storing user data in the cloud in encrypted form is just bad, bad, bad. Welcome to the Cloud.
  7. Hi, a few questions on Evernote security policies and procedures:

     1. Is everyone's data stored on Evernote servers in an encrypted fashion? Or are the only notes that are secure those notes for which I have enabled the Text Encryption feature?
     2. What security policies and measures does Evernote put in place to protect a user's account?
        a. What happens when a user loses his password, and how secure is the password recovery functionality?
     3. Are Evernote sync operations on mobile devices performed over SSL connections to protect users who may be on unfriendly wireless networks?
     4. Do you have multiple data centers in case a group of servers in a particular data center goes down? What about offsite backups?

     What else should we users know about maintaining the security of all our most valued data stored with the Evernote cloud service (like a discussion of how backups are performed and what the corporate disaster recovery plan is, if any)?

     Thank you, LC
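
The encrypt-on-close, decrypt-on-open scheme suggested in post 6, sketched in Node.js as an added example (not code from the posts or from Evernote). It assumes scrypt to stretch the login password into a key instead of using the password itself as the key, and AES-256-GCM as the cipher; `sealDatabase`, `openDatabase` and the blob layout are hypothetical names chosen here.

```javascript
// Added example: password-based encryption of a local database file's bytes.
// Function names and the on-disk layout are hypothetical, not Evernote's.
const nodeCrypto = require('crypto');

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;

// Stretch the login password into a 256-bit key with scrypt (assumed KDF).
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(Buffer.from(password, 'utf8'), salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// "On close": encrypt the database bytes under a fresh random salt and nonce.
// Layout constructed for this example: salt | nonce | tag | ciphertext
function sealDatabase(password, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// "On open": returns the plaintext, or null for a wrong password or a modified file.
function openDatabase(password, blob) {
  if (blob.length < SALT_LEN + NONCE_LEN + TAG_LEN) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = blob.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const body = blob.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch {
    return null; // GCM tag mismatch: wrong key or tampered bytes
  }
}

// Constructed sample standing in for the on-disk note store.
const sampleDb = Buffer.from('note 1: bank PIN hint\nnote 2: travel plans\n', 'utf8');
const sealed = sealDatabase('correct horse battery staple', sampleDb);
console.log('sealed bytes:', sealed.length,
            '| opens with a guessed password:', openDatabase('guess', sealed) !== null);
```

This covers the stolen-laptop and removed-drive cases raised in the post. It does not cover the malware case from the same post: while the application is open, the decrypted data is available to anything running as the same user.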