About ZonicBoom

  1. Ohh, yeah they do: https://www.mint.com/how-it-works/security/security-technology/ "Your bank login credentials are encrypted. We apply bank-level data security standards. This includes encryption, auditing, logging, backups, and safeguarding data."
  2. Maybe EN staff should ask Mint.com/Intuit staff how they keep users' data secured and yet available for the core functionality of their platform. EN, I could get you in contact with a couple of helpful Mint people. I've helped them fix a few issues with banking sites before. Until then, I continue to see Evernote as "the little cloud service that couldn't"... care enough about its users' security options, that is. Somehow, "I told you so" doesn't quite cut it.
  3. I think you missed the part of the article where it mentions: "Yet although organized crime may have been, in volume, less active than the hacktivists, they were no less lethal in terms of what kind of cost they represented... Porter describes the impact of the organized criminals as 'death by a thousand paper cuts.'" And also: "That can include tactics like skimming information from card machines at gas pumps, breaches of e-commerce sites, and big thefts of data records from cloud-based services, such as the situation that hit Sony PlayStation last year." Of course, with EverNote's lack of serious encryption in the back-end, they won't have to either. Thank you for making my point.
  4. Ok, so we do understand that in the scope of your career (which is limited to one's personal experience), you've dealt mostly with over-zealous girlfriends/boyfriends looking for an individual's information. Understood. Now, I'm referring to every other real-world hacking scenario. You know, in the wild, hackings can start as a way of having "fun" and challenging one's abilities; granted. Until they get in, find any data that would compromise the company or its customers and then sell it on a board or post it on Wikileaks. They can do this for a living with the goal of gaining a piece of the $114 billion pie. That's a possibility that can't be dismissed. Examples of both were given in my post.
  5. I'm back... Hell yeah! lol All good posts with good ideas and eloquent arguments, especially from JMichael and GrumpyMonkey. It's all good and dandy if Evernote wants to take the easy road and leave encryption solutions (most of them, except plain text at least) out of their business plan; I would also 'suggest' leaving marketing to businesses and professionals out of the business plan as well, just saying... It's kind of funny that we keep comparing EN's security to email when email is well known to have no security features. Quite the opposite: email should always be compared to a post card. Email is as secure as a note on a piece of paper passed from one end of a room to another via several people as the medium. Not a very good analogy to use when referring to security at all. Heather, it's well accepted that the weakest link is the user in any security policy. However, to use that as an excuse is just, well... sad. Let me put it this way. Let's say a network security engineer in an enterprise environment decides that proxy servers, database encryption, firewalls and IDS/ADS are useless because they offer a false sense of security to the users. The users, in this engineer's mind, will somehow get around the computer usage policy by ignorance or on purpose and end up getting a backdoor downloaded, bypassing all those layers anyway. The engineer essentially gives up on all layered security solutions and decides to dump all responsibility for security on the end-user and hope for the best. If any issues arise, the engineer's excuse is: "the user is the weakest link, they should be more careful with their data". What do you think about this approach, in which, in an effort to avoid giving a "false sense of security"... all efforts to provide security are dropped? Personally, I would think that non-security approach to security is careless at best, suicidal for the business at worst. It is because of risky thinking like this that we are losing the war on hackers.
The application layer is a big issue/liability for network security experts. Also, please stop telling people that hacking has "*almost always* been targeted against that particular individual"... Tell that to RSA and all US military contractors (Boeing, Northrop, Lockheed, etc), or to Amazon, CNN, Ebay (worth $1.2 billion in losses), or to the 70 million Sony users ($1-2 billion in losses), or Epsilon ($4 billion in losses), or TJ Maxx's 45.7 million users. The data theft and black hat hacking industry is worth an estimated $114 billion... all up for grabs to those criminals who are now in front of computers rather than breaking into cars in Russia or your local neighborhood (remember, the US still accounts for at least 36% of all hackings). You tell me if there is no clear motivation. If you refer to the volume of breaches, maybe... but it only takes one BIG breach to make big money and that's more than enough motivation for these criminals. One lucky/clever breach is all it takes. BTW, to those folks who claim customers can't demand features... I tell you there is a big difference between "entitlement" and "responsible consumerism". Learn the difference please. Besides that, like I said a while back, if any of our suggestions are picked up and incorporated, then awesome. More power to the EN platform! In the meantime, do it yourself one document at a time, folks. Sorry if my approach is different. No need for sugar coating; I just call it like it is.
  6. Go ahead, entrust your data to an unencrypted cloud service. Hopefully, you'll never forget to encrypt that file before uploading it; and hope your lawyer, doctor, accountant, school teacher or real estate agent won't forget either.
  7. Just so we are clear, and note that by no means am I legally literate, you can accuse your ex-girlfriend or neighbors all you want by submitting a "bill of information" or by presenting evidence for a charge. In order to gather evidence you just need a subpoena ad testificandum (request for testimony) or a subpoena duces tecum (request for physical evidence) from a judge or lawyer (acting as an officer of the court) to gather pertinent documents for the case. It's up to a grand jury to decide whether your claim and the evidence you gather are court-worthy and can proceed in the process or not. So, yes... you can sue someone without immediately having evidence, as there is a process in law which allows publicly known facts to be issued in a bill of information or by subpoenaing information (such as security logs, audit trails, incident postmortems, etc) to get a court hearing. SLA claims come and go in the telecom sector and teach any engineer to document everything in case of a subsequent subpoena. Anyways, I raised a theoretical scenario based on legal precedent in the security community. Don't ask for evidence, because such a scenario hasn't happened yet. But that doesn't mean the possibility doesn't exist. I don't work for EN, so I couldn't care less if they prepare by having a contingency plan for such a scenario. As an end-user, though, it would suck to see the company getting hit with an issue it could have simply avoided by doing some of the things we all mentioned and agreed could be improved. We can only hope some of our points get across and up the corporate ladder, and won't get ignored, buried in a little corner of their forum.
  8. Far from attacking, my input has been based on the hope of helping improve the service so that at some point in the future more users could use it worry-free. Now, do I have evidence that Evernote would be sued if a data breach on their servers happened? No, but there is reasonable precedent. Go back to my one example of Sony services last year. They did get sued, even though they make no claim of privacy liability to their users. That's why I said I'm not in a position to say if that would apply here too or not; but in an increasingly litigious society, it's reasonable to presume so.
  9. She sounds like a real *****. Feel sorry for you. --------- Anyways, about the actual security concerns. I think no one has answered JMichael's question yet about allowing at least partial server-side DB encryption in notebooks. Is it, or is it not, feasible (even at some point in the future) to allow mass encryption rather than relying on end-user know-how? It would potentially save a lot of time for users and offer more value for professionals and institutions.
  10. @GrumpyMonkey, I'm not a judge, nor do I claim to be. Therefore, I answered your question when I said, "it would be up to a judge to decide if Evernote did enough to prevent loss of data and possible financial damage to their users." Damage claims would be tested against laws such as the US Patriot Act, Electronic Communications Privacy Act, Children's Online Privacy Protection Act and the Gramm-Leach-Bliley Act. I'm not here to discuss legal technicalities since that's not my field. I'm sure EN's legal team has a much better grasp of their liabilities and responsibilities to the users from a legal standpoint. I agree, professionals who use this service for non-personal work should be (and probably would be) liable based on their own practices. But I find it disconcerting that more and more sanctioned examples of EN usage provided by the company involve professional and institutional use. Security risk disclaimers should be attached to each and every one of those examples, you know... just to remind professionals that this is an unencrypted internet-facing server infrastructure. @Heather, thank you for setting the record straight. Your RP staff should probably send a note to Mary, so she can update the article on that one point.
  11. The following is from the December issue of Inc Magazine naming their Company of the Year: Evernote.

"Then Libin showed activity rates, or, roughly, how often an average user was actually using Evernote over time. For many software companies, that curve runs relentlessly downward. Most people who try an app abandon it pretty quickly or use it less frequently as time goes on. But for Evernote, the curve was a smile. There was a slight drop-off in usage after the first few months, but then it went up again: not only because active users were finding the service more and more useful, but also because customers who had stopped using the service were returning to it. People who left Evernote missed it. Morgenthaler invested. So did Sequoia Capital, another top Silicon Valley VC firm. So did other VCs. Altogether, Evernote has raised $95 million. 'We didn't need most of the money,' says Libin. 'But that's when you can get it, so we took it.' Evernote didn't need it because the company became profitable early in 2011, not long before hitting 10 million users and reaching annual sales of about $16 million."

The latest number I've seen is that Evernote's "ability to grow" is doing very well. They have over 20 million users now. According to Devindra Hardawar from MobileBeat, a little over 1/3 of new accounts stay active in the application, although those who stay do find increased value as they use it more and more, and therefore generate revenue:

"The March 2008 cohort, for example, consisted of 31,334 users. By June 2008, only 11,000 of those users remained, and the company earned a measly $700 from them in that month. But by January 2011, those users ended up contributing over $10,000 in a month. That's because users find Evernote more valuable the longer they use it, which leads them to subscribe to premium features."

Some of that money should have been used to ramp up security rather than acquire other start-ups, making a secure app ecosystem even more complex to tackle. They'll have to do this sooner or later and we know it. http://venturebeat.c...-mobile-summit/

Medical records are an issue when you have a psychologist on YouTube named Jeffrey A. Betman who says he uses the program. He doesn't specify whether he uses it for professional purposes, but he does infer he uses it constantly. That's a possible HIPAA issue there. There are other usages the company is aware are happening even though their security is not up to par with industries like accounting (look up my links to articles on the EN website) and law. On Facebook, Evernote presented a user profile for Andrew Flusche, a young and upcoming lawyer from Fredericksburg, VA who uses Evernote for everything, including clients' info, and apparently believes that's acceptable. Now, lots of you say you are confident you use Evernote safely, but... would you risk your lawyer using Evernote when it's your information that might be at risk as his client? If Evernote is letting users know of their limitations and unwillingness to be secure, then they are doing a really bad job by sending mixed messages. Do you think there won't be legal complications if this young lawyer's client info is compromised? Legal issues would arise both for him and from him to Evernote. Not that it's illegal to be insecure in non-regulated industries, but it would be up to a judge to decide if Evernote did enough to prevent loss of data and possible financial damage to their users.

BTW, not sure if you guys had read this before, but Mary Landersman, an old-time telecom security expert from About.com, had the following to say about Evernote's text/note encrypting abilities: http://antivirus.abo...evernotetip.htm

"Premium users can highlight a portion of text notes for an additional layer of password protection, but third-party tests reveal that in the local database, the selected text still remains searchable in plain text. Further, whole notes, images, and notebooks cannot be encrypted. Of course, you could secure the local database using third-party encryption tools, but that would prevent access from other devices (and defeat the purpose of being 'in-the-cloud')."

Bottom line: storing unencrypted data on an Internet-facing server is not a great idea.
  12. I mentioned in the first post that most people are oblivious to the depth of the issue. I don't expect them to care about it until their information is stolen right out of EN's servers, at which point it would be too late. Does that mean the problem doesn't exist? Hardly so. In addition, security concerns have been voiced in your forum for a while now; it's not a rare occurrence by any means. Most of them are shut down by Evans and even Staff who fail to realize the value integrated security improvements would give to the application. Recently, Phil voiced his concern that most people who sign up for Evernote don't stay and move on. I think an increasing number of those people will realize the huge security hole in the back of Evernote as a cloud service and move on without saying much. Evernote's ability to grow as a platform will be measured by their willingness to cater to all users, not just those who want to share recipes only, or have the time to encrypt every other document they want to upload.
  13. Heather, I would suggest putting a nice disclaimer in those "cute" posts that most users will read. End-users don't care about the security posts where I found the most useful information; however, they still need to be made aware of the risk they run if they don't encrypt PDFs before uploading. You see, educating users about risks and limitations should not be limited to obscure technical blogs and forum postings that need to be researched. Anything less is just playing with the non-technical user's trust, and I find it unacceptable. Personally I don't care about the evangelists; fanboys are fanboys regardless of labels, and they isolate those non-fanboy (yet hopeful) users fairly quickly. There is, as I think some other people have mentioned here, a good opportunity for Evernote to become an all-inclusive integrated memory archiving system. However, that won't happen (and I think it shouldn't happen) unless encryption security is integrated in the upload process and at server-side storage. I also think the same way as other users who mention that encrypting documents (PDF, attachments, etc..) individually is just awkward. Believe me, my wife and I (and hopefully someday my daughter as well) want to use Evernote to save our memories in the cloud, but if we have to encrypt one memory at a time, then... I'll have to stick with my aging Windows Home Server.