
SECURITY or rather LACK OF



It's 2016 folks, NSA, big brother etc. etc.

Where does EVERNOTE stand on security? Only "feature" I can find is in regards to TLS encryption of "DATA IN TRANSPORT". NOTHING is mentioned of DATA AT REST.

So given the seriousness of encrypting my data to where only I can access my data. Preferably x.509 certificates provided by data owner.

Talk to me GOOSE!

Link to comment
  • Level 5*
16 hours ago, Magpiper said:

It's 2016 folks, NSA, big brother etc. etc.

Where does EVERNOTE stand on security? Only "feature" I can find is in regards to TLS encryption of "DATA IN TRANSPORT". NOTHING is mentioned of DATA AT REST.

So given the seriousness of encrypting my data to where only I can access my data. Preferably x.509 certificates provided by data owner.

Sorry, I don't have any specific info on the Evernote security.

If I was concerned about security, I would encrypt my data prior to importing it to Evernote. I do this for my private data.

I also have the option of using local notebooks so my data never leaves my device.

 

Link to comment
  • Level 5

Here are some more links on security issues.

  • Type of encryption used by Evernote

http://evernote.com/contact/support/kb/#/article/23480996

  • Evernote’s Three Laws of Data Protection 

http://blog.evernote.com/blog/2014/06/03/evernotes-three-laws-data-protection-update/

  • Evernote two-step verification

https://help.evernote.com/hc/en-us/articles/208314238

  • Cookie usage

https://evernote.com/legal/cookies.php

  • Some technical stuff (dated 2011)

http://blog.evernote.com/tech/2011/05/17/architectural-digest/

Link to comment

My master's degree in security management included courses on basic information security. Nasheri, in Economic Espionage and Industrial Spying, said, "There are two types of companies. Those who know they have been hacked, and those who don't know they have been hacked."

Evernote insists they haven't been hacked.

Draw your own conclusions.

Link to comment
  • Level 5*
On 6/9/2016 at 10:57 AM, Coach Wade said:

My master's degree in security management included courses on basic information security. Nasheri, in Economic Espionage and Industrial Spying, said, "There are two types of companies. Those who know they have been hacked, and those who don't know they have been hacked."

Evernote insists they haven't been hacked.

Draw your own conclusions.

Indeed. Multi-billion dollar banks and retailers with large security budgets have been hacked. The odds of a much smaller company, whose entire existence is internet-based, and whose users often store lots of personal information in online notebooks, not having been hacked are very low. And if it hasn't happened yet, the odds of never being hacked are zero.

Link to comment
  • Level 5*

evernote has been hacked. it happened in 2013. i am not sure why there is a perception in this thread that evernote is oblivious to the threats or the state of its security. they know and have been open about it.

hacks will probably happen again. that's life in the cloud these days. hence, my suggestion that they offer encrypted notebooks. 

as for the cybersecurity rule of thumb, comey (fbi) has modified it to say: companies that know they have been hacked by the chinese, and those that don't know. what i think this points to is the very real threat from state-sponsored hackers (china is often mentioned, but comey didn't talk about the massive us hacking programs). the hackers essentially have unlimited resources, and not availing yourself of encryption is a huge missed opportunity to protect users. too bad :(

Link to comment
On 6/12/2016 at 10:28 AM, GrumpyMonkey said:

evernote has been hacked. it happened in 2013. i am not sure why there is a perception in this thread that evernote is oblivious to the threats or the state of its security. they know and have been open about it.

hacks will probably happen again. that's life in the cloud these days. hence, my suggestion that they offer encrypted notebooks. 

as for the cybersecurity rule of thumb, comey (fbi) has modified it to say: companies that know they have been hacked by the chinese, and those that don't know. what i think this points to is the very real threat from state-sponsored hackers (china is often mentioned, but comey didn't talk about the massive us hacking programs). the hackers essentially have unlimited resources, and not availing yourself of encryption is a huge missed opportunity to protect users. too bad :(

You know I like you, GM, but that perception exists solely because of Evernote's absolute lack of communication with the users on this subject... and really on almost EVERY subject we have asked for information from them on; bugs that aren't fixed, features that don't work or aren't necessary, security that isn't implemented... I'm not sure I'd ask them who's leading in the football scores at this point.

This is the first I've heard of Evernote being hacked in 2013. Wish I'd known about it when I was taking my cybersecurity classes. It would have been relevant information and interesting to do a paper on.

Link to comment
  • Level 5*

That's strange, because it seems to me that they are quite communicative. If you google "evernote hacked" you'll get lots of stuff. If you put in "evernote blog hacked" you'll see Evernote's thoughts on the hack. There are also plenty of posts in this forum about it. That seems pretty open and transparent to me, but I wouldn't expect them to repeatedly revisit any old topic (good or bad) over the years. 

As for bugs, they are talking about them all the time on this forum, often fixing things, promising fixes, and thanking users for their assistance. But, this is a user forum, not customer support, so I imagine there are a lot more interactions behind the scenes. 

Here is an example of a bug reported on the forums. It got an immediate response, and it was fixed. But, it came back (apparently). 

Perhaps it would be better to say that Evernote is communicative (as seen with the hack and the bug report), but the solutions they implement are unsatisfactory, because security is still not good enough (I think they ought to have encrypted notebooks) and bugs keep cropping up (I think there is a big problem when things like bullets never get fixed). Then the question is really one about ability to solve problems, recognition of things as problems (I don't think anyone seems to take encryption seriously yet), or commitment to solving them (rewrite the entire thing to kill off the bullet bug for good?).

None of these are communication issues. I think that is where we disagree. It seems to me that they are more fundamental structural or cultural ones. I'd expect to see any startup or established software company struggling with similar ones, though, so I usually take a look at where an app is (not where it was or where I want it to be), and if it isn't meeting my needs now (for whatever reason) I look for something else. Evernote does a lot of things well, and I still use it, but (because of the security needs I have) now I only spend a tiny fraction of my time with it. In order for Evernote to get me back as a power user (for lack of a better term), they have to implement something like encrypted notes or (ideally) encrypted notebooks. Until then, their lack of action is communication, isn't it (besides posts in this forum stating pretty clearly that it has not been a priority and is not one now)? I don't really expect developers to be spending time chatting here instead of working on the product.

In other words, actions speak louder than words. If you aren't seeing the features you need, and you aren't seeing the fixes you expect, no amount of chatter on the forums or voting on stuff is going to do anyone any good, though it might feel (temporarily) good to rant or hammer on an up-vote button. The app itself is a statement.

Link to comment
  • Level 5*
32 minutes ago, GrumpyMonkey said:

In other words, actions speak louder than words. If you aren't seeing the features you need, and you aren't seeing the fixes you expect, no amount of chatter on the forums or voting on stuff is going to do anyone any good, though it might feel (temporarily) good to rant or hammer on an up-vote button.

In terms of Evernote's response, I certainly agree that actions speak louder than words.

However, I disagree that voicing one's complaints, issues, bugs, preferences, etc. in these forums (and elsewhere like Twitter) will do no good.

I have seen Evernote numerous times respond to specific bugs, and to unwanted behavior (design) in these very forums.

In fact, Evernote has asked for our feedback, and continues to do so, in some cases stating that we (the users) need to continue to "push" for a certain change. Just read the recent EN Win update threads for examples.

Link to comment
  • Level 5*

In the context of this thread, in the context of this post, in the context of everything else I have said, and judging from the number of posts I have made over the years, I hope it is clear that I am not simply saying that it will do no good to post. Is this a willful misreading of my post?

To rephrase: If things are not getting added that you want (encrypted notebooks, selective sync, etc.) and if things are not getting fixed as you ask (bullets), ranting or an up-vote won't do any good (in my opinion). Sure, changes may happen someday, and I have seen developers be quite responsive, but never because of any rant I made. I don't think it is fair to say that there is insufficient communication.

In other words, I encourage folks to come on the forums, voice their opinions, and engage in the discussions. Heck, you can even rant if you want :) But, ultimately, the direction the app takes is up to Evernote developers, and the actions they take (or don't) count as communication (in my opinion). It's not that the developers are uncommunicative about security or bugs. The app itself is a statement from the developers. 

In the case of my pet peeves, the developers have said (in words and with the design of the app) that they are not prioritizing encryption, selective sync, more sorting options in iOS, etc. They are quite communicative! Sometimes, though, we just don't like what they are saying :)

Link to comment

Archived

This topic is now archived and is closed to further replies.
