why?

About why?

  1. I'm not, the researchers in the article are. They clearly outline the extent to which encrypted PDFs are at risk. They also highlight the criteria putting PDFs with encryption at risk. They also clearly talk about the complexity and difficulty of exploiting such PDFs.
  2. This is not a blanket review of PDF 256-AES per se. Apart from the fact that the attacker first needs to get a copy of your PDF from EN, which is a tough enough task. The first attack is only applicable "for partially encrypted documents that include a mix of both encrypted and unencrypted sections, and does not include integrity checking." The second method is more complex: "…an attacker can stealthily modify encrypted strings or streams in a PDF file without knowing the corresponding password or decryption key. In most cases, this will not result in meaningful output, but if the attacker, in addition, knows parts of the plaintext, they can easily modify the ciphertext in a way that after the decryption a meaningful plaintext output appears." Even the researchers themselves say that this would be extremely difficult. These really are not a security issue for the vast majority of the populace. If someone has the know-how and specifically targets you then there are other options for stealing your data. This is scaremongering because a blanket statement that PDF encryption is not good enough will stop people from using it when in reality they are talking about fringe cases created in a laboratory with high-end tech and staff. Hardly something that will hit mainstream hacking. And chances are the loopholes will be closed well before it ever really poses a threat to anyone. This is the problem with the internet and it does depend on your level of paranoia. You could argue that good old common sense says you may be hit with bird ***** as you go about your daily work and therefore sporting an umbrella at all times is the only sensible thing to do. As has been mentioned in this thread, it's not just about what is possible, but what is probable. Is it possible that someone could hack your PDF? Yes. Is it probable? No. Is it possible that all your hard disks expire at the same time? Yes. Is it probable? No.
  3. It has been interesting to read this thread dating back to 2014. I don't think agreement is going to be reached on what is safe. I do think there's much scaremongering going on. I read the "PDF encryption security may not be safe" article, but it requires a particular set of circumstances and is just not realistic. Having said that, if someone is determined to get your specific data nothing will stop that; even hiding it in a file in a safe in your house is not secure. I tend to live with the general idea that I'm not being specifically targeted. If I were a journalist, I would most likely have a computer not connected to any network. My passwords live in a password manager as does other needed sensitive data. My HDD is encrypted and Apple do not have the keys. Most other info goes into EN. I see no point in having many different repositories. I use a specific naming convention so that folders in the main are not required. I've used GPG and it's a pain in the butt. Not only to encrypt but to manage keys and keep them up-to-date and know what was encrypted with which keys. EN encryption is pants and so I don't use it. I also don't encrypt and store in EN. No point in having non-searchable data in a searchable repository. I could create a specific notebook and place all encrypted notes in that notebook, but if I used GPG, decrypting on other devices would also be one major headache. If it needs that much security, then it shouldn't be online. In the end you have to live with your own level of paranoia and act accordingly 😁
  4. I would agree with GrumpyMonkey. EN is way behind in terms of security. For this reason I have now abandoned it, even though I still have a paid subscription. I keep checking back hoping they'll see the light. However, the longer they wait the more people will abandon ship; well, those who care about their data! Voodoopad 5 is not yet abandonware. An update was released Dec 2015. I'm hoping they'll release a version six soon. I've been beta testing the new Devonthink To Go 2 iOS app and it's fantastic. It securely syncs all your data to iOS. You can use their cloud, but I'm avoiding cloud storage without clear zero-knowledge encryption. If you're new to EN, then I would encourage you to think clearly about what you're using EN for. It's great for many things, but not personal or sensitive data. If you need secure data then GrumpyMonkey has listed some good alternatives.
  5. Sorry for the duplicate content, but this is not my doing. There is something seriously wrong with this forum. Constantly getting errors. I submitted once and an error message appeared. I then pressed back and found the post on twice. Cannot seem to delete the duplicate post either.
  6. But isn't that a slightly different issue? You're talking about Microsoft being duplicitous. Those accusations could be made against every large conglomerate from Apple to EN. They may well offer encryption that they have a back door to. However, should sensitive work data be stolen in such a manner, I would be absolved for having used reasonable precautions in securing my data. 'Reasonable precautions' does not include duplicitous companies, or no one would be able to store their data anywhere. At face value, OneNote can encrypt an entire section. This data is encrypted on their servers and I have the password. If MS has a backdoor, that cannot be catered for. If MS does have a backdoor then they have been deceptive. Their documentation in OneNote states: If MS is duplicitous, then I suspect so are the rest. The PRISM programme was connected with all the big companies. My main concern is with the data on their servers, and in OneNote it appears that it is encrypted with my password, which is needed to access the data. Anyone hacking their servers still needs that password. This in my book is pretty good security. EN only offers this for text, whereas MS offers this for all information in the secured section.
  8. EN's security seems somewhat behind Microsoft's. Whereas there may be benign data, I believe that to be minuscule. I can understand that a web designer's portfolio or coder's code may be benign, or perhaps a class's teaching material or a company's standard documentation. My difficulty is that with each passing year there are more companies being hacked and security is becoming a big issue. It's all well and good for EN to say you, the user, are responsible, but then they should stop telling you to put everything in it; that in my opinion is irresponsible. If you are offering a service for people to put everything in then you should jolly well make sure everything is going to be secure. If you cannot do that then there should be a prominent section in the documentation, website and purchase page, highlighting what you should not store in EN. EN has a far better handle on security issues than most users. That doesn't absolve them, but places a responsibility on EN to make sure they understand. And not in some policies hidden under piles of other policies. I would love to see legislation change to make the companies responsible. Banks are responsible for my money. If it gets stolen they are held to account. This is why they have high levels of security. Information, it could be argued, is a lot more valuable than money and perhaps it's time companies like EN treated it as such. If they did, then perhaps their users would too? By the way, OneNote is in front of EN in terms of security. The ability to protect whole sections is excellent. Also, EN only encrypts text; this is a massive shortcoming. No attachments in EN can be encrypted. OneNote encrypts anything in the section you protect.
  9. The difficulty is that there seems to be no simple solution. Although I appreciate the "encrypt the note content" method, this is not viable with large amounts of data. Essentially for EN to be secure it needs to create a secure environment to work in. Much in the same way 1Password operates. You log in and do your work and log out. Everything remains encrypted and secure. In essence, encrypted environments do not seem to cover cloud or mobile well. Getting items encrypted is not an issue; there are many tools. Decrypting on the fly on any device is an issue. If this is not possible, then placing encrypted data in the cloud serves no purpose apart from backup. I believe that as information hacks and theft increase, companies like EN will have to create such environments or lose custom. I've been very happy with EN, but the internet is rapidly evolving and sadly hacking is here to stay. I'm finding my use of online services decreasing simply because they are not secure, from email to sending text messages. Am I prepared to store years' worth of data on company servers in an unencrypted form with the possibility that at some point the company may be hacked? No I'm not.
  10. Many thanks, I appreciate that HIPAA and FERPA are specific, but thought there must be some governing standard for businesses? Can they store their clients' payment details in EN? I just seem not to understand how EN Business works as I assumed that that would invariably include some sensitive data or personal information and would have to follow some government standards similar to FERPA. I know as a UK charity you cannot use EN for personal information from those in your charity data.
  11. I think the real decision is to either separate clearly all sensitive from non-sensitive data and place the sensitive elsewhere. However, I don't think that there is any non-sensitive data, certainly not in terms of the prolonged collection of data that EN encourages. Encrypted notes in EN are essentially the same as local notebooks as searching and reading them becomes impossible on mobile. Let's face it, EN needs data unencrypted for it to be viable. Without that most of EN's features become irrelevant. Maybe the position I have arrived at is in setting my personal criteria for acceptable cloud storage. This has to be zero-knowledge full encryption. So sadly EN is no longer suitable. I do wonder if anyone else thinks this way and if EN are going to have to offer this at some point or lose custom? What I don't understand is that if EN is not FERPA/HIPAA compliant, how can businesses be using EN to store sensitive client details? Do businesses have no legally required compliance in storing customer data?
  12. Nope. For that very reason. Google are a massive concern as they do not respect anyone's privacy. I don't even use their search engine. Google are more like a virus that looks to get its tentacles into every area of your life. After not agreeing with Google's latest privacy policy (where they now store your browsing history on their servers, not in cookies on your machine, so you can't delete it) I found I was locked out of using Google as a search engine. In my opinion Google is no longer a search engine but a classified ads service that ranks results according to payment and their opinion on how people should build their websites. It seems that until something changes, the cloud is not a secure place bar those offering zero-knowledge encryption. If only every cloud-based organisation offered that facility. Pardon my paranoia, but I live in the UK and we're the worst. We're the most CCTV-covered country in the world and our government's policies on privacy are rapidly removing our right to keep your information private. I'm beginning to understand why people are going offline. Is there any way to run Evernote off a USB?
  13. As I mentioned in my earlier comment. Data secure at rest and encrypted. Not individual notes, but all data.
  14. I'm asking if EN are becoming HIPAA and FERPA compliant or at least moving to a more secure information repository. Although I agree that generally keeping your shopping list in the cloud doesn't need encryption, that's exactly the kind of information Amazon, Google etc. are interested in. It comes back to being able to accurately profile people. The more information you have on an individual the easier it is to sell them something or impersonate them. One shopping list may not be an issue, but if I had your shopping lists for the past 12 months that may begin to compromise your security. My mobile phone contract can be altered by telephone with only three pieces of information: DOB, zip code, and payment method. On their own these pieces of information may seem insignificant and not requiring encryption, but together they could be used to steal your identity. Imagine that you store 10 years of your life in Evernote. Little pieces of information that may seem to pose no security threat whatsoever, but add them together; your parking tickets, shop receipts, tweets, Facebook posts, emails, text messages, etc. and someone could build enough of a profile to begin to hack your life. Why would folks want to do that? Usually money. Sadly the internet isn't secure anymore; really it was never secure, but we're now in the position where people know that they can get information from unwitting folks and use it to extract money. The internet is not the same as it used to be. You've now got to look at possible scenarios. Most folks are often too lazy to store one set of data in an encrypted format because of effort. So they mix sensitive and less sensitive data. Many large corporations have been hacked. Just because EN hasn't doesn't mean it's secure. The real security is in how people can access the information once they're in. I don't know what the answer is. The more security, the less easy the software becomes to use.
     Increase the number of plugins that can access the service and you increase the possibility of holes. Even the great Apple corporation have not yet fully stopped jailbreaking and they've been trying for 7 years. Is it unreasonable to expect EN to make sure that I can encrypt my data on my client? Now I know this is already possible, but it is piecemeal at best. I want to encrypt notebooks, I want a password entered when opening the app and another one when opening specific notebooks, I'd like data encrypted at rest. Ultimately it's a fight between ease of use and security. This will change when someone hacks EN and data is stolen, but that is putting up the fence after the event in my opinion.
  15. Does anyone know if there is an update on this? I've not been using EN for 6 months and am looking at my options. Secure encrypted data is now a must. I see no value in unencrypted data in the cloud. Even personal family data requires security. EN is becoming less and less viable unless this changes. What are the chances of that happening? People keep mentioning the local notebooks, but that defeats the purpose of EN for me, especially as I also have Devonthink. If EN added an ability to sync via wifi to mobile devices that would solve most problems. Will EN find fewer and fewer people/organisations will use EN? I work for a charity in the UK and charity law forbids the use of EN as I must prove that I'm using reasonable precautions when dealing with personal data. Reasonable means encrypted, from email to online storage. At the rate things are going either everything will need to be encrypted or digital systems will be unviable. Perhaps I need to start carrying my data on an encrypted USB and forget the cloud. The only problem is that there doesn't appear to be access to encrypted USBs on mobile devices from Apple. If I could just plug my USB into my iPhone and search that would be great!