
Responsibly Bringing a new Cryptography Product to Market - rarrrrrr
https://spideroak.com/blog/20140220090004-responsibly-bringing-new-cryptography-product-market
======
tptacek
Be careful. It is easy to pay for an audit from a firm that doesn't have a
serious cryptography practice. You would reasonably think that any software
security firm would be competent in evaluating crypto, or at least crypto
basics like whether you're using a sane block cipher mode or failing to
authenticate your ciphertext. But it turns out that the opposite is true: the
overwhelming majority of firms, including some of the best, have no crypto
literacy at all. (The best firms that don't do crypto will tell you this and
refer you).

We've seen some horror stories. It's hard not to get a little irritated when
you're the second firm to assess a target and own it up on day 2 with a
trivial CBC padding oracle.

All this means is, when you're talking to a potential auditor, ask them hard
questions about cryptography. Ask them to describe some of the crypto
vulnerabilities they have found on projects. If they talk about "weak keys" or
"bad ciphers", they're unserious.

Zooko's team at Least Authority is a serious crypto practice. Engaging Zooko
was a good call!

$1000 per auditor/day is less than you'd pay to get someone to run Nessus on
your network from a normal firm. Zooko did you an _enormous_ favor. For crypto
work, a rate four times as high wouldn't be out of the ordinary.

~~~
zooko_LeastAuth
Thank you so much for the kind words. I'm proud of our work on the Crypton
audit, and I hope you have a chance to look at our report at some point:
[https://spideroak.com/share/PFXWQM3PN5FGK/LeastAuthorityAudi...](https://spideroak.com/share/PFXWQM3PN5FGK/LeastAuthorityAuditResults/tmp/LeastAuthorityAuditResults/LeastAuthority-
Crypton-audit-report.pdf)

------
zooko_LeastAuth
I just posted a comment on the SpiderOak blog about how I was rather startled
when I found out that they had waited until _after_ we did the security audit
before they informed us that they knew about bugs going in:

[https://spideroak.com/blog/20140220090004-responsibly-
bringi...](https://spideroak.com/blog/20140220090004-responsibly-bringing-new-
cryptography-product-market#comment-27142)

However, after I got over my surprise, I started thinking that this was a
really good move on SpiderOak's part. If you hire a security auditor, it might
be hard for you to tell whether you're getting value for your money. Leaving
known bugs in the code and then observing whether the auditors find them is
potentially a good way to overcome that.

Mind you: this will make life harder for we in the security auditing industry
if this practice takes off. ☺

~~~
deezthugs
:)

------
daira
I was one of the auditors for Least Authority. Just wanted to add that this
audit was really fun to do! If you have the necessary experience and are part
of a good team, security auditing is a fantastic job. \-- Daira Hopwood

------
dmunoz
Interesting read. I remember Crypton being announced almost a year ago [0],
and for awhile I paid attention the GitHub repo, but it really felt like a
dead product. Looking back at the commit history, I'm not so sure why I had
this impression, as it seems pretty lively. I'm thinking that perhaps a lot of
those commits were not pushed publicly until recently, but in either case it's
good to see it active again.

On a bit of a tangent, regarding this post and the requirements (1-5) they
posted, I really wish they would hurry up and finally bring this to their
backup clients. It's for far too long been a joke in my mind that they promise
"100% Private", "Zero-knowledge", "Secure" online backup, sync and sharing
with a closed-source client. I went as far as to sign up with them and
download the client, only to never install it because I realized I didn't
believe a word they said. They promised (again) at the start of this year to
open source their client [1]. I have actually followed the issue closely, and
just last year one of the founders was admitting on reddit that it simply
wasn't a priority. I don't see why not, as it makes their service complete
snake oil, and I can't be the only one who refuses to use their service
because of it. Anyway, my point is... perhaps from their perspective this was
because of point #4 in the post for this submission (Have clear, well
documented code).

[0]
[https://news.ycombinator.com/item?id=5283072](https://news.ycombinator.com/item?id=5283072)

[1] [https://spideroak.com/blog/20140110144419-spideroak-to-
becom...](https://spideroak.com/blog/20140110144419-spideroak-to-become-oss-
what-to-expect-in-2014)

Edit: Here [3] is where they prioritize "growth and profit" over providing
what they promise. The granularity on the visible submission date is not very
informative, but if you look at the posts JSON, you can see the Unix time in
the field created_utc. It was the fist of April, so a little less than a year
ago.

[3]
[http://www.reddit.com/r/IAmA/comments/rmp9l/we_are_spideroak...](http://www.reddit.com/r/IAmA/comments/rmp9l/we_are_spideroak_and_we_are_handing_out_5gb_free/c4725dt)

~~~
rarrrrrr
Thanks for your feedback and your interest in Crypton!

First, for the record, from that Reddit AMA, Daniel isn't a SpiderOak founder
and is no longer with the organization.

Next, we throughly agree of the necessity for open sourcing our desktop backup
and sync product, and are working towards that. There are licensing issues
that have to be worked out. We started SpiderOak in 2007. Everything new we've
created since 2009 has been open source from the start. Our expectation is
that the existing SpiderOak product will someday transition to using Crypton
internally.

~~~
dmunoz
Apologies for claiming it was a founder, that was my faulty memory. I see now
that he was head of marketing for some time at SpiderOak.

I hope you get the licensing issues worked out soon.

------
rarrrrrr
By the way, once we've established confidence in the code directly included in
the project, we're hoping to also arrange audits for some of the popular
crypto libraries involved such as SJCL.

~~~
benzim
Have any of those libraries been audited so far? Seems like a necessary step
for widespread js crypto.

~~~
rarrrrrr
SJCL had substantial peer review during its development, but I'm not aware of
a public 3rd party audit from a security firm.

Oh yeah, and before people with torches show up, let me clarify that is a
Javascript based crypto product but not browser and website based crypto. The
deployment target is situations where the code delivery problem is solved:
HTML5 mobile apps (including phonegap / cordova), desktop apps with things
like AppJS, browser extensions, etc. It's a high level secure-by-default
framework for building collaborative realtime and storage applications.
Javascript is a natural language for this, because the framework provides
storage through an object database, and that approach is natural an convenient
in Javascript. We're spending the time and money to make a secure framework
now so we don't have to spend quite as much time in reinvention and security
review for each new crypto application we build.

~~~
tptacek
SJCL has been audited.

You should ping me via email if you're serious about arranging for OSS crypto
to get reviewed, not because I want to sell you audit services, but because
someone already beat you to the punch in a big way, and you should talk to
them. :)

~~~
deezthugs
Will do! Thanks! Is there a public report available? How long ago was this?

~~~
tptacek
There's no public report available.

------
ostensibly
It's interesting to see what's involved in a security audit and how much it
costs. It's nice to see this kind of information being freely given.

------
kenmanheimer
Some programming efforts can be casual, some can not. Cryptography is is one
that often requires not just rigor, but also expensive investment. The
combination can be an obstacle to open source inroads. I'm part of SpiderOak,
and proud of their investment in Crypton. It is expensive - like, not just the
coding, but sponsoring these audits - but, I believe, extremely valuable.

------
0xdeadbeefbabe
That's great you found good auditors, and that will probably work out just
fine.

Another idea is that real attackers are your only hope
([https://news.ycombinator.com/item?id=7238750](https://news.ycombinator.com/item?id=7238750))
maybe. Auditors are supposed to simulate real attackers, and maybe these
serious auditors are identical to attackers except you don't pay them as much
as they could get some other way like publishing your exploits on the black
market. Speaking of market, Schneier said you really need a mass market to
test things (from the above link).

------
ekrizzle
Least Authority's blog post about the audit:
[https://leastauthority.com/blog/least_authority_performs_sec...](https://leastauthority.com/blog/least_authority_performs_security_audit_for_spideroak.html)

------
ekrizzle
Glad to see real numbers and specifics about the audit being used in the post.

~~~
peawee
For people to give a crap about FOSS crypto, you need the audits, and there's
just not that much information out there. Audits are pricy and a great way to
prematurely age a developer team, but the alternative is "looks OK" crypto
code like the Debian SSL debacle.

Crypton's definitely an effort at all-cards-on-the-table corporate-sponsored
FOSS, and this includes the project itself and not just the code.

------
dougfort
This is critical. If you don't think about this stuff, use the existing code.

