why?

Level 2
  • Content Count

    73

Posts posted by why?

  1. 6 minutes ago, JMichaelTX said:

    Who are you to make that judgement? You have a forum username of "why?", and I don't recognize you as having any authority or expertise about internet security. So you can continue to pontificate all you want. I'll not waste any more of my time responding to you. Anyone that listens to you does so at their peril.

    I'm not, the researchers in the article are. They clearly outline the extent to which encrypted PDFs are at risk. They also highlight the criteria putting PDFs with encryption at risk. They also clearly talk about the complexity and difficulty of exploiting such PDFs.

  2. 3 minutes ago, JMichaelTX said:

    It is NOT "scaremongering". It is a review of the issues with PDF 256-AES. There are other reviews that have found similar issues. Each person can decide if it is an issue for their needs.

    This is not a blanket review of PDF 256-AES per se. Apart from the fact that the attacker first needs to get a copy of your PDF from EN, which is a tough enough task, the first attack is only applicable "for partially encrypted documents that include a mix of both encrypted and unencrypted sections, and does not include integrity checking."

    The second method is more complex: "…an attacker can stealthily modify encrypted strings or streams in a PDF file without knowing the corresponding password or decryption key. In most cases, this will not result in meaningful output, but if the attacker, in addition, knows parts of the plaintext, they can easily modify the ciphertext in a way that after the decryption a meaningful plaintext output appears." Even the researchers themselves say that this would be extremely difficult.

    These really are not a security issue for the vast majority of the populace. If someone has the know-how and specifically targets you then there are other options for stealing your data. This is scaremongering because a blanket statement that PDF encryption is not good enough will stop people from using it when in reality they are talking about fringe cases created in a laboratory with high-end tech and staff. Hardly something that will hit mainstream hacking. And chances are the loopholes will be closed well before it ever really poses a threat to anyone.

    This is the problem with the internet, and it does depend on your level of paranoia. You could argue that good old common sense says you may be hit with bird ***** as you go about your daily work and therefore sporting an umbrella at all times is the only sensible thing to do. As has been mentioned in this thread, it's not just about what is possible, but what is probable. Is it possible that someone could hack your PDF? Yes. Is it probable? No. Is it possible that all your hard disks expire at the same time? Yes. Is it probable? No.

  3. It has been interesting to read this thread dating back to 2014. I don't think agreement is going to be reached on what is safe. I do think there's much scaremongering going on. I read the "PDF encryption security may not be safe" article, but it requires a particular set of circumstances and is just not realistic. Having said that, if someone is determined to get your specific data nothing will stop that; even hiding it in a file in a safe in your house is not secure. I tend to live with the general idea that I'm not being specifically targeted. If I were a journalist, I would most likely have a computer not connected to any network. My passwords live in a password manager, as does other needed sensitive data. My HDD is encrypted and Apple do not have the keys. Most other info goes into EN. I see no point in having many different repositories. I use a specific naming convention so that folders in the main are not required. I've used GPG and it's a pain in the butt. Not only to encrypt but to manage keys and keep them up-to-date and know what was encrypted with which keys. EN encryption is pants and so I don't use it. I also don't encrypt and store in EN. No point in having non-searchable data in a searchable repository. I could create a specific notebook and place all encrypted notes in that notebook, but if I used GPG, decrypting on other devices would also be one major headache. If it needs that much security, then it shouldn't be online.

    In the end you have to live with your own level of paranoia and act accordingly 😁

  4. I would agree with GrumpyMonkey. EN is way behind in terms of security. For this reason I have now abandoned it, even though I still have a paid subscription. I keep checking back hoping they'll see the light. However, the longer they wait the more people will abandon ship; well, those who care about their data!

    Voodoopad 5 is not yet Abandonware. An update was released Dec 2015. I'm hoping they'll release a version six soon.

    I've been beta testing the new DEVONthink To Go 2 iOS app and it's fantastic. It securely syncs all your data to iOS. You can use their cloud, but I'm avoiding cloud storage without clear zero-knowledge encryption.

    If you're new to EN, then I would encourage you to think clearly about what you're using EN for. It's great for many things, but not personal or sensitive data. If you need secure data then GrumpyMonkey has listed some good alternatives.

  5. Sorry for the duplicate content, but this is not my doing. There is something seriously wrong with this forum. Constantly getting errors. I submitted once and an error message appeared. I then pressed back and found the post posted twice. Cannot seem to delete the duplicate post either.

  6. 4 minutes ago, GrumpyMonkey said:

    i don't know about legislation (users who are interested might want to visit the eff site), but the app is what it is, and i doubt there is much incentive for evernote to spotlight its weak points, so i don't expect that will happen. the security situation is fairly easy to ascertain by googling a bit. 

    as for microsoft, i am not convinced yet about how secure its products really are, especially after the snowden leaks revealed its complicity in giving out our data by opening up skype, bypassing encryption, etc. and, of course, they also spied on their own users in the past (hotmail). the news today is that democratic presidential candidates are even avoiding its free software offers because they don't trust it. i mentioned onenote as an option, but i can't recommend it to anyone who is concerned about security. it could just be my ignorance or paranoia, of course...


    But isn't that a slightly different issue? You're talking about Microsoft being duplicitous. Those accusations could be made against every large conglomerate from Apple to EN. They may well offer encryption that they have a back door to. However, should sensitive work data be stolen in such a manner, I would be absolved for having used reasonable precautions in securing my data. 'Reasonable precautions' does not include duplicitous companies, or no one would be able to store their data anywhere. At face value, OneNote can encrypt an entire section. This data is encrypted on their servers and I have the password. If MS has a backdoor, that cannot be catered for. If MS does have a backdoor then they have been deceptive. Their documentation in OneNote states:

    WARNING   Choose and type your passwords carefully. If you forget your password, no one will be able to unlock your notes for you — not even Microsoft Technical Support. Write down your passwords and keep them in a safe place if you think you may not be able to remember them.

    If MS is duplicitous, then I suspect so are the rest. The PRISM programme was connected with all the big companies.

    My main concern is with the data on their servers, and in OneNote it appears that it is encrypted with my password, which is needed to access the data. Anyone hacking their servers still needs that password. This in my book is pretty good security. EN only offers this for text, whereas MS offers this for all information in the secured section.

  8. EN's security seems somewhat behind Microsoft's. Whereas there may be benign data, I believe that to be minuscule. I can understand that a web designer's portfolio or a coder's code may be benign, or perhaps a class's teaching material or a company's standard documentation. My difficulty is that with each passing year there are more companies being hacked and security is becoming a big issue. It's all well and good for EN to say you, the user, are responsible, but then they should stop telling you to put everything in it; that in my opinion is irresponsible.

    If you are offering a service for people to put everything in then you should jolly well make sure everything is going to be secure. If you cannot do that then there should be a prominent section in the documentation, website and purchase page, highlighting what you should not store in EN. EN has a far better handle on security issues than most users. That doesn't absolve them, but places a responsibility on EN to make sure they understand. And not in some policies hidden under piles of other policies.

    I would love to see legislation change to make the companies responsible. Banks are responsible for my money. If it gets stolen they are held to account. This is why they have high levels of security. Information, it could be argued, is a lot more valuable than money and perhaps it's time companies like EN treated it as such. If they did, then perhaps their users would too?

    By the way, OneNote is in front of EN in terms of security. The ability to protect whole sections is excellent. Also, EN only encrypts text; this is a massive shortcoming. No attachments in EN can be encrypted. OneNote encrypts anything in the section you protect.

  9. The difficulty is that there seems to be no simple solution. Although I appreciate the "encrypt the note content" method, this is not viable with large amounts of data. Essentially, for EN to be secure it needs to create a secure environment to work in. Much in the same way 1Password operates. You log in and do your work and log out. Everything remains encrypted and secure.

    In essence, encrypted environments do not seem to cover cloud or mobile well. Getting items encrypted is not an issue, there are many tools. Decrypting on the fly on any device is an issue. If this is not possible, then placing encrypted data in the cloud serves no purpose apart from backup.

    I believe that as information hacks and theft increase, companies like EN will have to create such environments or lose custom. I've been very happy with EN, but the internet is rapidly evolving and sadly hacking is here to stay. I'm finding my use of online services decreasing simply because they are not secure, from email to sending text messages. Am I prepared to store years' worth of data on company servers in an unencrypted form with the possibility that at some point the company may be hacked? No I'm not.

  10. Many thanks, I appreciate that HIPAA and FERPA are specific, but thought there must be some governing standard for businesses? Can they store their clients' payment details in EN? I just seem not to understand how EN Business works, as I assumed that it would invariably include some sensitive data or personal information and would have to follow some government standards similar to FERPA. I know that as a UK charity you cannot use EN for personal information from those in your charity data.

  11. 1 hour ago, DTLow said:

    And given your concerns (as you say, paranoia) I understand your desire for complete encryption of your Evernote data. Since it's not currently an option, the only solution I see is a third party application to encrypt your data before adding it to Evernote.

    I think the real decision is either to separate clearly all sensitive from non-sensitive data and place the sensitive elsewhere. However, I don't think that there is any non-sensitive data, certainly not in terms of the prolonged collection of data that EN encourages. Encrypted notes in EN are essentially the same as local notebooks, as searching and reading them becomes impossible on mobile. Let's face it, EN needs data unencrypted for it to be viable. Without that most of EN's features become irrelevant. Maybe the position I have arrived at is in setting my personal criteria for acceptable cloud storage. This has to be zero-knowledge full encryption. So sadly EN is no longer suitable.

    I do wonder if anyone else thinks this way and if EN are going to have to offer this at some point or lose custom?

    What I don't understand is that if EN is not FERPA/HIPAA compliant, how can businesses be using EN to store sensitive client details? Do businesses have no legally required compliance in storing customer data?

  12. 6 hours ago, JMichaelTX said:

    Do you use any Google products

    Nope. For that very reason. Google are a massive concern as they do not respect anyone's privacy. I don't even use their search engine. Google are more like a virus that looks to get its tentacles into every area of your life. After not agreeing with Google's latest privacy policy (where they now store your browsing history on their servers, not in cookies on your machine, so you can't delete it) I found I was locked out of using Google as a search engine. In my opinion Google is no longer a search engine but a classified ads service that ranks results according to payment and their opinion on how people should build their websites.

    It seems that until something changes, the cloud is not a secure place bar those offering zero-knowledge encryption. If only every cloud-based organisation offered that facility. Pardon my paranoia, but I live in the UK and we're the worst. We're the most CCTV-covered country in the world and our government's policies on privacy are rapidly removing our right to keep our information private. I'm beginning to understand why people are going offline.

    Is there any way to run Evernote off a USB?

  13. I'm asking if EN are becoming HIPAA and FERPA compliant or at least moving to a more secure information repository.

    Although I agree that generally keeping your shopping list in the cloud doesn't need encryption, that's exactly the kind of information Amazon, Google etc. are interested in. It comes back to being able to accurately profile people. The more information you have on an individual, the easier it is to sell them something or impersonate them. One shopping list may not be an issue, but if I had your shopping lists for the past 12 months that may begin to compromise your security. My mobile phone contract can be altered by telephone with only three pieces of information: DOB, zip code, and payment method. On their own these pieces of information may seem insignificant and not requiring encryption, but together they could be used to steal your identity. Imagine that you store 10 years of your life in Evernote. Little pieces of information that may seem to pose no security threat whatsoever, but add them together (your parking tickets, shop receipts, tweets, Facebook posts, emails, text messages, etc.) and someone could build enough of a profile to begin to hack your life. Why would folks want to do that? Usually money.

    Sadly the internet isn't secure anymore, really it was never secure, but we're now in the position where people know that they can get information from unwitting folks and use it to extract money. The internet is not the same as it used to be. You've now got to look at possible scenarios. Most folks are often too lazy to store one set of data in an encrypted format because of effort. So they mix sensitive and less sensitive data. Many large corporations have been hacked. Just because EN hasn't doesn't mean it's secure. The real security is in how people can access the information once they're in.

    I don't know what the answer is. The more security, the less easy the software becomes to use. Increase the number of plugins that can access the service and you increase the possibility of holes. Even the great Apple corporation have not yet fully stopped jailbreaking and they've been trying for 7 years. Is it unreasonable to expect EN to make sure that I can encrypt my data on my client? Now I know this is already possible, but it is piecemeal at best. I want to encrypt notebooks, I want a password entered when opening the app and another one when opening specific notebooks, and I'd like data encrypted at rest. Ultimately it's a fight between ease of use and security. This will change when someone hacks EN and data is stolen, but that is putting up the fence after the event in my opinion.

  14. Does anyone know if there is an update on this?

    I've not been using EN for 6 months and am looking at my options. Secure encrypted data is now a must. I see no value of unencrypted data in the cloud. Even personal family data requires security. EN is becoming less and less viable unless this changes. What are the chances of that happening? People keep mentioning the local notebooks, but that defeats the purpose of EN for me especially as I also have Devonthink.

    If EN added an ability to sync via Wi-Fi to mobile devices, that would solve most problems.

    Will EN find less and less people/organisations will use EN? I work for a charity in the UK and charity law forbids the use of EN as I must prove that I'm using reasonable precautions when dealing with personal data. Reasonable means encrypted, from email to online storage. At the rate things are going either everything will need to be encrypted or digital systems will be unviable.

    Perhaps I need to start carrying my data on an encrypted USB and forget the cloud. The only problem is that there doesn't appear to be access to encrypted USBs on mobile devices from Apple. If I could just plug my USB into my iPhone and search, that would be great!

  15. GrumpyMonkey, you sound like you're gradually going off EN?

    The attraction of EN for me is the many ways of getting things in. I can add anything easily to EN from any device. That can't be said for DEVONthink. Also the retrieval on mobile is great.

    The whole security and encryption has ruined the simplicity of the internet. I know it was never there, but tools that were great to use now need to be filtered with a whole bunch of security questions. At this rate I won't be using the cloud period. Especially if Cameron manages to push through his crazy anti-encryption legislation.

  16. Sorry, by talking about encryption preventing searching I meant the present EN setup. The content of an encrypted note is not searchable.

    I'm leaning more and more towards Saferoom. I have to spend some time thinking through the cloud issue, as how I go on now reflects the future. If I remove sensitive data to a Mac-only app, I see little point in retaining the use of Evernote. The idea is to have everything in one place. I have DEVONthink Pro Office, but never liked using it although it is powerful; plus its iOS app is woeful.

    An EN alternative would be to place sensitive data in a local notebook only. Does anyone do this, and how is it working out practically? I'm assuming that local and synced notebooks are all searchable with the local EN app?

  17. Many thanks for the responses. It seems that if you want security, then forget the cloud!

    I've tried various encryptions, from encrypting the text myself with GPG, to using Saferoom (easiest option) or Encrypto. However, I've come to realise that zero-knowledge encryption would remove the majority of EN features. If everything was encrypted in EN then you'd be able to find nothing. Especially if the content is what you're trying to search!

    I've been using Saferoom and think it's probably the best way to go. Saferoom encrypts the note's content, but not tags or title. If you have a descriptive title and tags, you should be able to find your content with ease.

    I would imagine EN will never bring out proper zero-knowledge encryption as it would stop them being able to search and index stuff. Any item that is encrypted would be removed from the index. Saferoom is probably as close as we're going to get.

    It has made me ask the question whether I really need things in the cloud, but it is useful to have your data everywhere, as more than once I've needed a particular document at the bank, at an airport or in a meeting, and EN has been great. I do have DEVONthink Pro Office, but this really doesn't have proper mobile support as the iOS app hasn't been developed in a long time. I also like the fact that EN gives me an extra layer of backup offsite, being in the cloud. Encrypted documents in Dropbox are OK, but decrypting them on mobile is a problem.

    I fear that with the rise of government snooping and global hacking, the cloud is on a long course for failure. Searching has become the de facto way of retrieving data and encryption closes that door. Apart from searching within an encrypted environment, I cannot see a way forward. It essentially means all our systems need to change. We need tools that provide an encrypted environment, and all the other tool features need to run inside this environment.

  18. Now that EN has a business subscription model, how does this fare with security? To run a business you need to put sensitive data online to share with other employees, such as client information, payment methods and invoices.

    If this is not secure, is EN a viable business solution?

    I'm in the UK. Am I right in believing that my data is stored in Switzerland, not the US? Also, if my data is stored in the US, as I am not a US citizen does the US government need a court order to access my data?

  19. I don't know about doc support, but I find 7notes HD Premium pretty good and it integrates with Evernote nicely.

    You can actually write with a stylus and it converts the handwritten notes to text as you write.

    You could convert the doc to PDF and then annotate using something like Notability. If you have the premium version of Evernote it will make the PDF searchable, as far as I am aware.
