
SpiderOakONE – Zero Knowledge Cloud Storage - ergot
https://spideroak.com/solutions/spideroak-one
======
Canada
Spider Oak - Please stop describing your service as "Zero Knowledge" unless
and until you deploy a service that actually is. E2E encryption is great, but
it is not the same thing.

~~~
rarrrrrr
SpiderOak founder here...

A few cryptographers have noticed SpiderOak's marketing term Zero Knowledge is
inconsistent with the academic definition. Maybe it doesn't mean what we think
it means[1]? SpiderOak was one of the first companies to use this phrase
commercially and the need has only grown stronger.

At the heart of the issue is the difficulty for end users to decipher the
terms cloud vendors use to describe their security. Doing so would require
discrimination between transport encryption, data encryption, meta data
encryption, encryption at rest vs. in motion, and then most importantly
evaluate key management and access. This vocabulary is foreign to most folks.
Vendors often exploit the inaccessibility of these topics to make a series of
statements that, while often factually correct individually, together create a
false sense of privacy.

SpiderOak launched an online backup product for Linux, Mac, and Windows in
2007. The competitors were companies like Xdrive, Mozy, Carbonite and
SugarSync. Each claimed that customer data was fully encrypted. Even the most
credible journalists writing for well funded publications with fact checking
budgets were fooled and repeated these misleading claims to end users. [2]

In 2009 when Dropbox launched, they made misleading claims about the
encryption of customer files and their internal ability to access customer's
data or provide that data to 3rd parties, leading to a well publicized FTC
deceptive trade practices complaint. [3] The deception had been so effective
that leading software engineers were shocked to discover Dropbox had full
access to the data they had stored online. [4]

In response to customer requests on one of their forums, Mozy explained why it
would be "impossible" for a storage service to protect users' privacy by
encrypting the file and folder names customers store in a way Mozy could not
read. SpiderOak customers had benefited from the impossible for years.

Recently Slack made the unbelievable claim on Twitter that their service
includes end to end encryption (it doesn't.) Perhaps they mean from your end
to their end?

Lately there's a new phrase "customer managed keys" used by cloud providers,
which sounds really great, but is typically just elaborate hand waving that
ultimately allows the vendor and their staff the same level of data access as
if it were not encrypted.

In 2007 we found ourselves frequently explaining "we don't know the names of
your files, the names of your folders, the date they were created or last
modified or accessed, their size, their checksums or hashes... in short we
know nothing about your data except how much you store." We started using the
phrase Zero Knowledge as a headline to this long explanation.

It's important to recognize that cryptographers already understand encryption
and the terminology is intended for everyday folks. When I'm speaking with a
technologist about how SpiderOak products work, I would typically use the
phrase end to end encryption.

If we want to end mass surveillance, the only way this can happen is through
viral adoption of end to end encrypted products and services. Great UX,
education, and terminology are powerful tools, and unlike phrases involving
the word "encryption", to my knowledge no company has yet been shameless
enough to deceptively use the term Zero Knowledge.

[1] [https://www.youtube.com/watch?v=G2y8Sx4B2Sk](https://www.youtube.com/watch?v=G2y8Sx4B2Sk)

[2] [http://allthingsd.com/20080403/sugarsync-offers-the-best-method-yet-for-replicating-files/](http://allthingsd.com/20080403/sugarsync-offers-the-best-method-yet-for-replicating-files/)

[3] [https://www.wired.com/2011/05/dropbox-ftc/](https://www.wired.com/2011/05/dropbox-ftc/)

[4] [http://tirania.org/blog/archive/2011/Apr-19.html](http://tirania.org/blog/archive/2011/Apr-19.html)

~~~
Ar-Curunir
The issue is not you vs. other companies; it's you vs 25+ years of
cryptographic literature.

> no company has yet been shameless enough to deceptively use the term Zero
> Knowledge.

Except you guys? Why use the phrase "zero knowledge" when you fully know that
it has a predefined meaning? Call it no information, no leakage, zero leakage,
whatever, but why the one term that is already used to refer to a different
concept?

I get that it's a sexy name, but that's why cryptographers use it to refer to
a much cooler concept than mere encryption.

~~~
rarrrrrr
Thanks for the feedback. For what it's worth, we did try a bunch of
alternative wordings, and Zero Knowledge was the phrase that non technologists
found most accessible.

We prioritized making the explanation clear to non-experts vs. to the
community of cryptographers.

~~~
StavrosK
I'd like to propose "Zero Access", as in zero access to the plaintext.

~~~
nickpsecurity
That's actually not bad. I was fine with SpiderOak going for a term that is
simple, catchy, and easy to market. Zero Access is the kind of alternative
that might work. That specific one might have a problem: it sends the
perception of the user having zero access to their own data, when most clouds
constantly reinforce "access from anywhere any time."

You're thinking along the right lines. I think variations of the words safe
and vault have worked for other companies, too, given people understand what
they do. "Your data is in a locked vault that we hold for you while you keep
the keys or combination." That sort of thing.

------
tinodotim
In addition to not being (fully) open source, something that also should be
mentioned is that if you use the mobile apps it unfortunately still isn't "zero
knowledge" [0].

[0] [https://spideroak.com/manual/spideroak-on-mobile](https://spideroak.com/manual/spideroak-on-mobile)

~~~
danbruc
_Until recently, mobile platforms were not capable of doing the on-device
encryption necessary for SpiderOak's Zero Knowledge implementation._

Anyone have any idea what the issue is or was? What would prevent you from
doing PBKDF2, RSA and AES [1] on a mobile device?

[1] [https://spideroak.com/manual/zero-knowledge-explained](https://spideroak.com/manual/zero-knowledge-explained)

~~~
rarrrrrr
It's mostly that the desktop app is Python and C, and there wasn't a clear
path to make that same code base run on mobile, so the mobile app is just a
reader.

However for Semaphor, our encrypted group chat and file sharing tool (akin to
IRC, to Slack or HipChat) the internals are written in Go and it's the same
code base on all platforms, including mobile. That source code is also
published for security review. We plan to migrate SpiderOakONE to use that
same stack so the mobile experience is the same as desktop.

------
BeetleB
They've been around for a while and are highly regarded.

The one thing that makes their privacy weak is: The software involved in the
encryption/password handling is not open source. We have only their word for
it that they are not snooping or letting anyone else snoop.

If you're willing to do the extra work, you can get a cloud service like Dream
Objects, and use software like duply/duplicity to store your files online and
encrypted. You may lose some flexibility, though.

~~~
jbverschoor
I tried SpiderOak a while ago, and I thought it was horrible in terms of UI,
performance and bloat. I'm assuming they didn't change their stack/devs, so I
will not even try this one.

~~~
fauigerzigerk
I find that surprising.

I've been using SpiderOak for years without noticing any bloat or performance
issues with the background service. On the contrary, I was often surprised how
little space I'm using in spite of the fact that they store multiple versions
of my files. It doesn't hog memory or bandwidth or CPU at all.

The UI is indeed a bit weird and its performance can be erratic sometimes, but
it gets the job done and has a lot of useful features.

Most importantly, SpiderOak has reliably protected me from losing data and I
don't have to babysit it. It just works.

(I'm a happy paying customer. No affiliation with them whatsoever)

~~~
StavrosK
I used to be a paying customer (years ago, things may be better now), and I
had many issues with CPU getting stuck at 100% for long stretches of time, or
uploads/downloads would transfer a bunch of data, or would be slow, things
like that.

Then, one day, my account got full, and I couldn't delete anything unless I
got some more free space first (see the problem?). I believe support gave me a
few extra GB just for the deletion, but that didn't work either and I decided
to stop using the whole thing. That's when I switched to attic/borg, which is
much superior for my use case (backups).

------
_slwy
Whenever SpiderOak comes up I can't help but share my experience with them.

In February SpiderOak dropped its pricing to $12/month for 1TB of data. Having
several hundred gigabytes of photos to backup I took advantage and bought a
year long subscription ($129). I had access to a symmetric gigabit fibre
connection so I connected, set up the SpiderOak client and started uploading.

However I noticed something odd. According to my Mac's activity monitor,
SpiderOak was only uploading in short bursts [0] of ~2MB/s. I did some test
uploads to other services (Google Drive, Amazon) to verify that things were
fine with my connection (they were) and then contacted support (Feb 10).

What followed was nearly __6 months__ of "support", first claiming that it
might be a server side issue and moving me "to a new host" (Feb 17) then when
that didn't resolve my issue, they ignored me for a couple of months then
handed me over to an engineer (Apr 28) who told me: "we may have your uploads
running at the maximum speed we can offer you at the moment. Additional
changes to storage network configuration will not improve the situation much.
There is an overhead limitation when the client encrypts, deduplicates, and
compresses the files you are uploading"

At this point I ran a basic test (cat /dev/urandom | gzip -c | openssl enc
-aes-256-cbc -pass pass:spideroak | pv | shasum -a 256 > /dev/zero) that
showed my laptop was easily capable of hashing and encrypting the data much
faster than SpiderOak was handling it (Apr 30) after which I was simply
ignored for a full month until I opened another ticket asking for a refund
(Jul 9).

I really love the idea of secure, private storage but SpiderOak's client is
barely functional and their customer support is rather bad.
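The local measurement in the post above (pipe random data through compression, encryption and a hash, and compare the rate to what the client actually uploads) is the right check when a vendor says client-side processing is the cap. The script below is an added example written for this thread, not code from the post or from SpiderOak. It uses only the Python standard library, so it covers the compress and hash steps (there is no AES in the stdlib; the original pipeline also ran `openssl enc`), and the `margin` threshold in `bottleneck_verdict` is an assumption, not a figure from the thread.

```python
import hashlib
import os
import time
import zlib


def local_pipeline_throughput(total_bytes: int = 64 * 1024 * 1024,
                              block: int = 1024 * 1024) -> dict:
    """Push random data (incompressible, like photos or already-zipped files)
    through zlib + SHA-256 and time it. Returns the measured local rate so it
    can be compared with the upload rate seen in a network monitor."""
    digest = hashlib.sha256()
    compressor = zlib.compressobj(level=6)
    processed = 0
    compressed = 0
    start = time.perf_counter()
    while processed < total_bytes:
        chunk = os.urandom(min(block, total_bytes - processed))  # constructed input
        compressed += len(compressor.compress(chunk))
        digest.update(chunk)
        processed += len(chunk)
    compressed += len(compressor.flush())
    elapsed = time.perf_counter() - start
    return {
        "bytes": processed,
        "compressed_bytes": compressed,
        "seconds": elapsed,
        "mb_per_s": processed / elapsed / 1e6,
        "sha256": digest.hexdigest(),
    }


def bottleneck_verdict(local_mb_per_s: float, observed_upload_mb_per_s: float,
                       margin: float = 2.0) -> str:
    """If the machine processes data at least `margin` times faster than the
    observed upload rate, client-side compress/hash work cannot be the cap.
    The factor 2.0 is an assumed safety margin, not a value from the thread."""
    if local_mb_per_s >= margin * observed_upload_mb_per_s:
        return "not the client"
    return "client could be the limit"


if __name__ == "__main__":
    result = local_pipeline_throughput()
    print(f"local compress+hash: {result['mb_per_s']:.1f} MB/s")
    # The post reports bursts of roughly 2 MB/s; compare against that figure.
    print(bottleneck_verdict(result["mb_per_s"], 2.0))
```

Run it on the same machine the client runs on; if the printed local rate is an order of magnitude above the observed upload rate, the limit is somewhere on the network or server side, not in local processing.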

~~~
elementalest
I have been using SpiderOak (SO) for nearly 6 years. However, I have been
keeping an eye out for a viable alternative as I feel SO is starting to be
neglected. In the past year or so, SO has barely received any updates (apart
from the occasional minor bug fix). Semaphor seems to be taking up all their
dev time. This would not be such an issue if everything ran well.

SO has no UI means to control version history. In order to limit version
history (for example, to hourly versions per day, then 1 per day for a month,
then 1 per week indefinitely), I need to run a script to close SO and run SO
with some command line arguments. Having this functionality available in the
UI would be nice.

The SO UI is slow to use. Over 6 years I have accumulated a lot of files and
whenever I go to the manage tab to browse my files, it can take several seconds
each time I expand tree nodes. The UI also becomes unresponsive, making
browsing files take a while.

Manually deleting files/folders/version history is an absolute pain. Often,
when deleting a folder in SO, only some of the contents are deleted, taking
multiple attempts to delete. In some cases the contents of the folder
disappear, but it shows root locations of drives as contents of the folder.
When deleting anything, the UI becomes unresponsive for upwards of 30s, often
significantly more for large folders or many version histories. Even selecting
multiple files can take several seconds where the UI is unresponsive, the more
files you select, the longer it becomes unresponsive. This makes file
management take forever.

If I move a file temporarily, SO assumes it has been deleted and moves it to
the 'Deleted items' folder. However, when I move the file back, SO creates a
new version of that file, leaving all version history in the deleted folder.
It does not recognise the files are the same. This means that if a file is
created and deleted numerous times (compiling pdf, or binary), hundreds of
files with the same name are added to the 'Deleted items' folder. SO should be
able to recognise the files are linked (perhaps checking the similarity of the
files, only rejecting a link if they are more than 75% different) and create
version histories instead of new files.

There is also no way to delete items in the 'Deleted items' folder after a
period of time (2 years for example). The only way to delete items is to
manually do it or clear everything, which I don't want to do as there are
version histories that should be linked to currently existing files in the
'Deleted items' folder. I have had to resort to once a year putting a movie on
and just manually going through folders for a few hours.

I really like the idea of SpiderOak, but it really is a poor implementation
and just an all round pain to use. In the past I haven't minded waiting for new
features and fixes, but it's been 1.5 years since the new UI and nothing much
has changed.

EDIT: And just to prove my point, I just tried to delete a folder in the
'Deleted items' folder. The first attempt deleted everything within the
folder, but a 'c:/' item appeared inside it. So I deleted the folder again.
Half the contents of the folder a level above it just disappeared. This has
happened before.

I think I give up.

~~~
Veratyr
The thing is that there's nothing actually special about SpiderOak as a
service. Since the data is encrypted end to end, the only special thing is the
client and as you've pointed out, theirs is terrible.

On that note, once I gave up on SpiderOak I went looking for alternatives and
they actually exist:

- Syncany: [https://www.syncany.org/](https://www.syncany.org/) - Java
based, works on Windows and *NIX, uses S3, Dropbox, Flickr, FTP, Openstack
Swift, SFTP and WebDAV as backends.

- Rclone: [http://rclone.org](http://rclone.org) - Go based, works on
everything Go supports, uses Google Drive, S3, Swift, Dropbox, Google Cloud
Storage, Amazon Drive, OneDrive, hubiC, Backblaze B2 and Yandex.Disk.

Syncany at least supports limited file versioning but not as granular as you
seem to be after. The upside is that unlike SpiderOak, Syncany is open source
and you can contribute features you want. If you're only after backup, there's
also Borg which might work for you:
[https://borgbackup.readthedocs.io/en/stable/](https://borgbackup.readthedocs.io/en/stable/).

~~~
elementalest
I looked at Syncany, but it looks like the project is dead:

> The core team of Syncany is on hiatus for an indefinite amount of time. Feel
> free to do with the code what the license allows and encourages, but please
> don't expect any maintenance. The team thanks everyone who has contributed
> to Syncany in one way or another.

rclone doesn't really have the features I'm looking for.

I have however found Duplicati:
[http://www.duplicati.com](http://www.duplicati.com), which looks like it
might serve my needs.

------
junhopark
@rarrrrrr - Do you have a more precise timeline of when the SpiderOak Notes
App will be launched in 2017? Would love to try it out as I'm getting tired of
various issues w/ Evernote and haven't been able to find a good alternative
yet.

~~~
rarrrrrr
Thanks for asking! I'm really excited about a ZK note app!

We haven't yet determined the priority of this vs. other projects in 2017. If
you haven't already, please signal your interest below[1].

So far it is a prototype, although it is based on the already proven code used
in Semaphor[2], our encrypted group chat and file sharing application, so it's
"just" a bunch of UI work now :-)

[1] [https://spideroak.com/about/noteapp-signup](https://spideroak.com/about/noteapp-signup)

[2] [https://spideroak.com/solutions/semaphor/business/tour](https://spideroak.com/solutions/semaphor/business/tour)

~~~
thesimp
At this moment I'm a paying user of both Evernote and Dropbox and I do not
like how they are focusing on extra bells&whistles instead of investing time
in their encryption methods to make my data more safe.

From a business perspective you can get the money that I give to Evernote and
Dropbox if SpiderOak offers competing products. And for me the advantage is
that my data is more secure because of the zero knowledge(1) idea and I do not
need to worry about wild ideas from companies thinking about employees reading
my notes "to make my experience better". Yes I'm looking at you Evernote.

(1) until 10 minutes ago I did not know that zero knowledge had a specific
technical meaning that is different than what SpiderOak implements. And I even
have Bruce Schneier's Applied Cryptography on my bookshelf. I'll need to read
that again. Maybe it should be called "Full stack encryption" because it
covers everything from data transport, to storage, to metadata encryption,
etc...

------
newscracker
I've liked SpiderOak's focus on privacy and security, but find the pricing to
be expensive at every tier, and the space available not in tune with my needs
(a jump from 100GB to 250GB, which is kinda ok, and then to a whopping 1TB).

~~~
rarrrrrr
Thanks for your feedback.

Just as a data point for comparison, Dropbox charges $100/year for 1000 GB,
but they don't do meaningful encryption, and therefore can de-duplicate your
files vs. the files of all their other customers, which significantly reduces
their storage costs (and allows for some entertaining information leakages!)

SpiderOak charges $120/year for 1000 GB.

Edit to add: SpiderOak deduplicates files within a single user's account (i.e.
copies are free, and if you add another layer to a photoshop file and re-save,
it won't take up the full space to archive both versions) but it is not
possible [1] for us to deduplicate data across multiple users.

[1] [https://spideroak.com/articles/why-spideroak-doesnt-deduplicate-data-across-users-and-why-it-should-worry-you-if-we-did](https://spideroak.com/articles/why-spideroak-doesnt-deduplicate-data-across-users-and-why-it-should-worry-you-if-we-did)

~~~
WireWrap
How do you "dedupe within a single user's account" without violating "zero
knowledge"?

~~~
rarrrrrr
Great question. The database work is all done client side.

Here's an explanation of the architecture I wrote in 2009:
[https://spideroak.com/articles/why--how-spideroak-architecture-is-different-than-other-online-storage-services](https://spideroak.com/articles/why--how-spideroak-architecture-is-different-than-other-online-storage-services)

------
gtramont
Just wanted to drop a note here… I've been a long time user of SpiderOak and
am really satisfied with it. A much better alternative to Dropbox and alikes.

------
sumedh
@rarrrrrr How many devices does this support? Can I add three devices in the
same plan?

Can I sign up for 100GB first and then later upgrade to a higher plan
seamlessly?

------
lyonlim
I really want to use this, but the mobile app (Android) really lacks very
basic functionality - uploading files.

I recently stopped renewing my Dropbox on an annual license and will switch
once I find a good alternative.

~~~
Skunkleton
The thing that keeps me on dropbox is the price. I can't find a provider of
raw storage that charges less.

------
msh
I have used them for some years and have 2 main issues:

Their servers are slow compared to other cloud providers.

You can't upload files using their iOS or Android clients, they are read only.

------
caseysoftware
I don't have a ton of data in Dropbox but it's large and growing.

Any word if they're going to hook up a "import from Box/Dropbox" feature here?

~~~
rarrrrrr
SpiderOak can backup and sync arbitrary folders (including external drives,
network volumes, etc.) So one migration path is just to select the Dropbox
folder for backup by SpiderOak. (Or just move data from Dropbox folder to the
SpiderOak Hive folder.)

------
sidcool
Is this a new service they have launched? I mean what's bringing this on front
page? I read the link but couldn't figure out.

------
borplk
Years ago I attempted to use this but the linux client was unusable and buggy
on Ubuntu LTS.

------
nenadst
Does anybody know if www.sync.com is any better regarding their mobile apps?
They also do client-side, end-to-end encryption, but their white paper only
mentions their web app, which apparently does everything on the client.

~~~
fluxby
You should also check out Tresor End to End Encryption [1]
[https://tresorit.com/](https://tresorit.com/)

~~~
wchrisn
Disclaimer: This is a promotional post with an intention to pass on Reseller
Discounts so that we have more individuals who can subscribe to secured cloud
storage.

As part of ensuring that our business clients have access to secured cloud
storage services, we have initiated enlisting with Tresorit as Resellers and
will be passing on discounts* to our clients. Interested individuals can
procure the service at a discounted rate, subject to the total number of
individuals registering and converting as paid users being 250 or above.

Please leave your email id and we will contact you if we are able to enlist
the required number of individuals.

[https://goo.gl/forms/P7oEvaE5aTnLsFLn1](https://goo.gl/forms/P7oEvaE5aTnLsFLn1)

------
Numberwang
Is there a full pricing overview available?

~~~
tinodotim
2nd row on [https://spideroak.com/about/price-list](https://spideroak.com/about/price-list)

SPIDER OAK ONE PRICES

100GB - $5 monthly ($59/y)

250GB - $9 monthly ($99/y)

1TB - $12 monthly ($129/y)

~~~
Numberwang
Cheers.

