Hacker News new | past | comments | ask | show | jobs | submit login
SpiderOakONE – Zero Knowledge Cloud Storage (spideroak.com)
99 points by ergot on Jan 2, 2017 | hide | past | favorite | 91 comments

Spider Oak - Please stop describing your service as "Zero Knowledge" unless and until you deploy a service that is actually is. E2E encryption great, but it is not the same thing.

In cryptography, "zero knowledge" means something very different than "service providers cannot access cleartext data".

> In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.

source: https://en.wikipedia.org/wiki/Zero-knowledge_proof

z.cash is a zero knowledge system and has a good definition of it on its FAQ:

> Zero knowledge proofs are a scientific breakthrough in the field of cryptography: they allow you to prove knowledge of some facts about hidden information without revealing that information. The property of allowing both verifiability and privacy of data makes for a strong use case in all kinds of transactions, and we’re integrating this concept into a block chain for encrypting the sender address, the recipient address, and the amount. A block chain that encrypts transaction data (making it private) and lacks zero-knowledge proofs also lacks the assurance that all the transactions are valid. This is because the nodes in the network can’t determine whether the sender really had that money or whether they previously sent it to someone else, or never had it in the first place. The encrypted data becomes unverifiable by network nodes.

source: https://z.cash/support/faq.html?page=0

A lot of customers are going to assume that zero knowledge means no cleartext data is ever stored. I assumed it, and I'm no newbie.

This seems to be an abuse of the motte and bailey kind: they use a word which everyone believes means one thing, but when questioned they resort to a less commok definition because they 'didn't mean it that way.'

SpiderOak founder here...

A few cryptographers have noticed SpiderOak's marketing term Zero Knowledge is inconsistent with the academic definition. Maybe it doesn't mean what we think it means[1]? SpiderOak was one of the first companies to use this phrase commercially and the need has only grown stronger.

At the heart of the issue is the difficulty for end users to decipher the terms cloud vendors use to describe their security. Doing so would require discrimination between transport encryption, data encryption, meta data encryption, encryption at rest vs. in motion, and then most importantly evaluate key management and access. This vocabulary is foreign to most folks. Vendors often exploit the inaccessibility of these topics to make a series of statements that, while often factually correct individually, together create a false sense of privacy.

SpiderOak launched a online backup product for Linux, Mac, and Windows in 2007. The competitors were companies like Xdrive, Mozy, Carbonite and SugarSync. Each claimed that customer data was fully encrypted. Even the most credible journalists writing for well funded publications with fact checking budgets were fooled and repeated these misleading claims to end users. [2]

In 2009 when Dropbox launched, they made misleading claims about the encryption of customer files and their internal ability to access customer's data or provide that data to 3rd parties, leading to a well publicized FTC deceptive trade practices complaint. [3] The deception had been so effective that leading software engineers were shocked to discover Dropbox had full access to the data they had stored online. [4]

In response to customer requests on one of their forums, Mozy explained why it would be "impossible" for a storage service to protect users' privacy by encrypting the file and folder names customers store in a way Mozy could not read. SpiderOak customers had benefited from the impossible for years.

Recently Slack made the unbelievable claim on Twitter that their service includes end to end encryption (it doesn't.) Perhaps they mean from your end to their end?

Lately there's a new phrase "customer managed keys" used by cloud providers, which sounds really great, but is typically just elaborate hand waving that ultimately allows the vendor and their staff the same level of data access as if it were not encrypted.

In 2007 we found ourselves frequently explaining "we don't know the names of your files, the names of your folders, the date they were created or last modified or accessed, their size, their checksums or hashes... in short we know nothing about your data except how much you store." We started using the phrase Zero Knowledge as a headline to this long explanation.

It's important to recognize that cryptographers already understand encryption and the terminology is intended for everyday folks. When I'm speaking with a technologist about how SpiderOak products work, I would typically use the phrase end to end encryption.

If we want to end mass surveillance, the only way this can happen is through viral adoption of end to end encrypted products and services. Great UX, education, and terminology are powerful tools, and unlike phrases involving the word "encryption", to my knowledge no company has yet been shameless enough to deceptively use the term Zero Knowledge.

[1] https://www.youtube.com/watch?v=G2y8Sx4B2Sk

[2] http://allthingsd.com/20080403/sugarsync-offers-the-best-met...

[3] https://www.wired.com/2011/05/dropbox-ftc/

[4] http://tirania.org/blog/archive/2011/Apr-19.html

"Doing so would require discrimination between transport encryption, data encryption, meta data encryption, encryption at rest vs. in motion"


"This vocabulary is foreign to most folks."

Please, please keep taking these customers. Can we send you leads directly from our pre-sales inbox ?

"If we want to end mass surveillance, the only way this can happen is through viral adoption of end to end encrypted products and services."

Actually, what we need to do is throw some money at the guy writing borg[1][2]. Or maybe sponsor a code audit. I think I am going to put that on our to-do list for this spring ...

[1] https://borgbackup.readthedocs.io/en/stable/

[2] https://www.stavros.io/posts/holy-grail-backups/

The issue is not you vs. other companies; it's you vs 25+ years of cryptographic literature.

> no company has yet been shameless enough to deceptively use the term Zero Knowledge.

Except you guys? Why use the phrase "zero knowledge" when you fully know that it has a predefined meaning? Call it no information, no leakage, zero leakage, whatever, but why the one term that is already used to refer to a different concept?

I get that it's a sexy name, but that's why cryptographers use it to refer to a much cooler concept than mere encryption.

A lot of words are overloaded, across domains as well as within domains, that is not ideal but also no unsurmountable problem, you can always clarify your usage by providing definitions. There is certainly not much of a point to explain things in precise and correct terminology if this prevents the intended audience from understanding you. On the other hand, people aware of the technical details will have no big difficulties to understand something despite simplifications or inaccurate terminology.

I am actually not even sure whether zero-knowledge is not technically correct here. Terms like zero-knowledge proof or zero-knowledge protocol have very specific meanings and certainly do not apply here, but is zero-knowledge on its own really used for something more specific or other than not leaking knowledge? I also immediately thought of zero-knowledge proofs and protocols but nothing like that is mentioned anywhere, at least as far as I can tell, so it was kind if my mistake to read something into it that was not actually there.

EDIT: Zero-knowledge seems to indeed have a very specific technical meaning on its own [1], at least in the context of zero-knowledge proofs.

[1] https://en.wikipedia.org/wiki/Zero-knowledge_proof#Definitio...

This particular term is not overloaded. People familiar with encryption know it to mean something specific.

Thanks for the feedback. For what it's worth, we did try a bunch of alternative wordings, and Zero Knowledge was the phrase that non technologists found most accessible.

We prioritized making the explanation clear to non-experts vs. to the community of cryptographers.

I believe your explanation but it still strikes me as the wrong thing to do.

I'd like to propose "Zero Access", as in zero access to the plaintext.

That's actually not bad. I was fine with SpiderOak going for a term that is simple, catchy, and easy to market. Zero Access is the kind of alternative that might work. That specific one might have a problem: send perception of user having zero access to their own data when most clouds constantly reinforce "access from anywhere any time."

You're thinking along the right lines. I think variations of the words safe and vault have worked for other companies, too, given people understand what they do. "Your data is in a locked vault that we hold for you while you keep the keys or combination." That sort of thing.

They could go with "Know nothing".

(Or "Jon Snow", for short, if they can get away with it without being sued - "Jon S. crypto, we dont know nuthing" ;-)

This doesn't feel like the correct solution.

This happens all the time with marketing, surely this is not the first time you have seen a company co opt a term for marketing purposes.

This seems like a case of perfect being the enemy of good.

Since you're speaking the language of product marketing, which is one I sort of speak too, can I gingerly offer you some advice?

Until you come up with some other cool-sounding term for end-to-end encrypted storage, every time your product is discussed in a forum that includes people familiar with cryptography, the discussion is going to be dominated with threads about how your product doesn't do what its name claims it does.

If it were me, I would think of this as a very suboptimal situation; sort of the worst case for what a product name can do.

Unless your target audience is not people who read such forums.

Exactly. The obvious counterpoint. Those people aren't buying shit from them and represent basically no market share. It's privacy-conscious users of services like DropBox they're going after. Most of them don't know crypto or a lot of terms people suggested here. Marketing wisdom dictates you call it whatever gets them to see its value & buy it. Then ignore the haters as you roll around in cash.

Business 101 if goal is max adoption & profit.

Being the storage service that no cryptographer will recommend seems like a gambit that may backfire. Any day now the mainstream press will start asking experts for advice, and you'll be left out of the recommended list.

We've had some time for that to happen. So, whose top players in online storage, whose top in secure storage, and did that match your prediction? Im betting against it.

Except when people look for third party reviews of said products, and find threads upon threads of cryptographers calling out SpiderOak for misleading advertisement. Surely that's just bad PR?

It really isn't. For the third party reading this thread only shows that some cryptographers are calling bullshit on semantics of their advertisement, which is more of a nitpick to most people, and some replies from people who say they use it and it's pretty good.

I get that, I do, but "zero knowledge" isn't all that compelling to begin with; this strategy just seems like it's almost all downside.

I really want to give you guys money, but can't trust you without having client and server side source. I need client side source so third parties can freely audit your work. I need server side source so I can store my data at some random colo and wrap the rack in tinfoil (more realisitcally, so I know I can just switch providers if you are out of business in ten years).

Have you considered licensing your stuff using the BSL: http://monty-says.blogspot.com/2016/08/applying-business-sou...

This would let me pay you to continue your (very important!) work, and let me recommend your service to others.

[edit: For people not familiar with the BSL: It makes it easy to say things like:

"This release of the software is free for the first 100MB, then $10/TB after that. Licensing the software gives you non-transferrable rights similar to a BSD license. On Jan 2, 2027, the above usage restriction will expire, leaving the software with a BSD-style license"

You bump the expiry date on each release, so cheapskates have to wait 10 years for new features, and the developers have to continuously improve the software to maintain a revenue stream.]

Thank you for your interest in SpiderOak and valuing work to improve the choices available that preserve privacy.

For what it's worth, everything we've built since 2008 has published source code. Most recently that's Semaphor[1], which is written in Go and React.

I think it's very important that products have what Zooko calls an "economic feedback loop" to be successful. As just one example, volunteer projects rarely have staff that do the grinding but necessary work of testing that each release works well on every version of all support operating systems and platforms, because it isn't fun. I think this is why although some teams publish their client source code, very few service providers publish their server source code. It would make it too easy for competitors to emerge and undercut on price while giving little back (the biggest cost is the often the development work itself.)

That said, we've been in business for 10 years and are not going away! Thanks for your feedback.

[1] https://spideroak.com/solutions/semaphor/business/tour

I'm sympathetic to the economic feedback problem you're describing. I think the BSL addresses the concern about undercutting. Sure, people could pirate your software, but short of that, it probably makes more sense to implement from scratch than either wait ten years, or fork code that is ten years old, which is all your competitors could do with the source. Honestly, I would probably just pay for your service after spending a few hours spot checking the source.

Anyway, I'd love to hear your thoughts on the licensing model, even if you're not considering it at spideroak.

Is open source really required? We at Haystack Software make a backup app (Arq) with client-side encryption that doesn't require any server side code (it supports a number of cloud providers' APIs). We don't publish the app's source, but the data format is open/documented, the data go in your cloud account, and you can monitor network traffic from it to ensure it's not connecting to us or anyplace unwanted. Your data don't come to us at all -- they're sent to your cloud account.

any plans for a linux client?

I don't think you have to be a cryptographer to notice this and it makes you sound likes snake-oil salesmen even if you aren't. The misuse of 'zero knowledge' doesn't seem any clearer to non-technical users but it does a good job of confusing the sort of people you want recommending your product.

Thank you. I'm all for switching if we can find a phrase that's accessible to non technical people.

Ideally it would be a phrase that's adopted by many sites, the press, etc. (as Zero Knowledge has been, for better or worse.) It should accurately convey the situation that 1) the data is meaningfully encrypted 2) the meta data is meaningfully encrypted and 3) only the customer has access to the encryption keys.

Thank you for the clarification. I really appreciate all the hard work you guys do in trying to combat unwarranted breaches of privacy.

I've had my reservations about companies that make such bold claims as yours but I will look into your platform more and give the free trial a whirl.

I think it is worth giving SpiderOak a try. I've been a SpiderOak customer for several years, and have been quite satisfied with it. The UI wasn't the best at first, but it has gotten better recently. I haven't used rsync.net for a while, but their service is great too. It just takes a little more work to set up.

This came up in a previous thread (can't find atm) and I suggested alternate, more cryptographically correct terms: "provider-obscured" and "homomorphic" (this is like homomorphic encryption, but where the only operation allowed is retrieval).

Thanks for jumping in with suggestions. It's actually a harder problem than it seems! I have a feeling "provider-obscured" and "homomorphic" (while accurate!) are significantly less accessible to end users. I'll try to break it down:

Do end users talk about the services they purchase using the word "provider"? Is for example, Facebook or Twitter commonly referred to as a social media "provider?" The most common example I can think of is ISP, but I rarely hear non technical people say "ISP". They say something like "I get Internet from Time Warner" instead.

Is "obscured" a commonly used, highly accessible word? Can you think of a few popular movies or books with that word in the title? Is it commonly used in news headlines?

So the proposal is a hyphenated phrase of these two uncommon words. I think it's likely "Zero Knowledge" would crush "Provider-Obscured" in an A/B test. Ditto for "Homomorphic."

Seeing highly technical terms in headings makes non technical people believe that the software is complex and hard to use, and is therefore not for them. IMO, this is one of the classic failings of security products in general. It needs more study.

Thanks for the explanation of your thinking there. FWIW, I don't think (contra the other posters) that it's that much of a stretch (of standard terminology) to call this "Zero knowledge" -- you are, after all, preventing information from flowing in a certain direction, just like in the ZK proofs.

With that said, what about "opaque" instead of "obscured" and "host" or "cloud" instead of "provider"?

Host-Opaque Cloud Storage

Cloud-Obscured Cloud Storage (okay, bad acronym)

(And I know it's kind of late for a name change anyway.)

You do realize that he is talking about terminology for the general public? The names you are suggesting are just terrible. They don't sound good and are not even close to widely understood terms (no offense intended). Perhaps you are not a native English speaker?

Well said and I encourage you to continue promoting your product with this strategy. Being overly precise with lingo will result in a worse world where only domain experts understand what's going on.

I am a paying customer for storage and use your free Encryptr app and service.

I have no problem with your use of the phrase zero knowledge, but I understand the complaints.

My main beef with SpiderOak is that I have no way of verifying these claims, so why should I use it over, say, Crashplan, which actually does do a better job of backup. I'll just use a tool like Veracrypt when I need the extra layer of protection, and Crashplan does a better job of incremental backup of these files, too, while SpiderOak uploads the entire file each time.

> If we want to end mass surveillance, the only way this can happen is through viral adoption of end to end encrypted products and services.

I strongly disagree. The "only" way mass surveillance will end is when is made illegal and the entities that practice it are treated as pariahs by civilized humanity.

It is purely a political issue.

Following to their architectural design, they do not get access to any encryption key and no key leaves user device in unprotected form. Is not this enough to be advertised as "zero-knowledge" service provider?

As a technical term zero-knowledge has a very specific meaning [1] and is not what they are using. Here it is just a marketing term and may confuse people knowing about the technical meaning but that is certainly only a very small fraction of the population and so it is probably not a huge issue.

[1] https://en.wikipedia.org/wiki/Zero-knowledge_proof

Your link is for zero-knowledge proof. They aren't claiming anything in the realm of proofs, zero-knowledge or not.

If "zero-knowledge" implicitly meant "zero-knowledge proof", there would be no reason to ever use the latter phrase. Zero-knowledge is an adjective. It's a modifier. It's the "proof" part in "zero-knowledge proof" that's important in describing what it is. "Zero-knowledge" is a property of the method employed.

The irony is that, wrt the original comment, it's end-to-end encryption that would be a misleading and misapplied label.

I'm not affiliated with this company and I've never even used this service before, and yet it's immediately clear what zero-knowledge means in the context of a cloud storage provider: you never need divulge your keys, so the question of whether you trust your provider or not is moot.

Back when Firefox Sync first launched, I was chasing the idea of referring to it and any similar service as "zero-trust" systems. But building a service and referring to it as "zero-knowledge cloud storage" is totally acceptable.

Not sure whether I was clear enough, but I understand both sides of the argument. It is a very specific technical term and the zero-knowledge proof Wikipedia article states that zero-knowledge is the name of one of three properties that zero-knowledge proof have to satisfy, on the other hand it is also a nice, catchy and probably understandable marketing term if you want to express that you know (almost) nothing about the users' data.

Developer me would certainly prefer technical accuracy but we all know that users certainly could not care less what is the technically correct name for the thing. So I don't care at all whether they call it zero-knowledge or not, they are not trying to trick anybody into believing they are doing zero-knowledge stuff in the cryptographic sense. I actually like zero-trust but I can see how this could easily be interpreted in the wrong way, should or must not be trusted instead of need not be trusted.

Zero knowledge means a very specific thing in cryptography, and is used exclusively to refer to zero knowledge proofs; in all of cryptographic literature over the past 25 years I have not seen any other usage of "zero knowledge".

Either way, this system isn't "zero knowledge", even if that term were well defined for this situation; you leak file sizes and access patterns.

That's kind of bullshit though, you can't claim 2 common words from the English language in order to only describe a concept many of us don't understand. I'm a software developer, have been for 15 years, I've stayed fairly awake in college during my cryptography classes, have implemented hashing functions (mentioning this because such a history already place somebody in the 0.01%) and I've never heard of "zero knowledge proof".

Not surprisingly, the link you've given is about a phrase with 3 words in it, not 2.

And while I've always been annoyed about overloads of "open source", at least that's a words association that you won't hear from non-technical folks and that wasn't in use before OSI happened. And even so, note that OSI couldn't trademark it.

Just because people don't know the term doesn't mean cryptographers don't know the term; any cryptographer with any formal cryptography training has heard of the term, and it's not used to refer to any other concept in the cryptographic literature.

The usage of the term matters when it'll be cryptographers reviewing the work; almost every thread about SpiderOak I've seen calls them out on misleading marketing. Hardly good for PR.

The term "zero knowledge" has a specific technical meaning in cryptography: https://en.wikipedia.org/wiki/Zero-knowledge_proof

Passing encrypted data through a storage device isn't a "zero-knowledge protocol" in a cryptographic sense, it's just normal cryptography.

No, that's called end-to-end or client-side encryption. Zero-knowledge is a property of a certain class of methods that allow one party to prove to another that a certain statement is true, without revealing anything else about it.

Have you built something better? Its amusing to hear comments like this when there are really no commercially available alternatives that come close without managing your own. My time is much too valuable to run my own. If yours isn't, build one and share it and charge and market it using your favorite parlance and consider avoidin trolling the one company that's at least trying not to suck.

In addition to not being (fully) open source, something that also should be mentioned is, that if u use the mobile apps it unfortunately still isn't "zero knowledge" [0].

[0] https://spideroak.com/manual/spideroak-on-mobile

Until recently, mobile platforms were not capable of doing the on-device encryption necessary for SpiderOak's Zero Knowledge implementation.

Anyone any idea what the issue is or was? What would prevents you from doing PBKDF2, RSA and AES [1] on a mobile device?

[1] https://spideroak.com/manual/zero-knowledge-explained

It's mostly that the desktop app is Python and C, and there wasn't a clear path to make that same code base run on mobile, so the mobile app is just a reader.

However for Semaphor, our encrypted group chat and file sharing tool (akin to IRC, to Slack or HipChat) the internals are written in Go and it's the same code base on all platforms, including mobile. That source code is also published for security review. We plan to migrate SpiderOakONE to use that same stack so the mobile experience is the same as desktop.

They've been around for a while and are highly regarded.

The one thing that makes their privacy weak is: The software involved in the encryption/password handling is not open source. We have only their word for it that they are not snooping or letting anyone else snoop.

If you're willing to do the extra work, you can get a cloud service like Dream Objects, and use software like duply/duplicity to store your files online and encrypted. You may lose some flexibility, though.

"If you're willing to do the extra work, you can get a cloud service like Dream Objects, and use software like duply/duplicity to store your files online and encrypted. You may lose some flexibility, though."

I encourage you to look into borg backup[1][2] which appears to have replaced duplicity as the de facto standard for "robust backups that the provider knows nothing about".

This is really the direction you look for providers[3] to go in - giving you a blank slate to write whatever bits you want to and allowing you to control the encryption with your own tools.

If you point borg (or duplicity) at even the most privacy-antagonistic provider, they still have nothing but gibberish.

[1] https://borgbackup.readthedocs.io/en/stable/

[2] https://www.stavros.io/posts/holy-grail-backups/

[3] http://www.rsync.net/products/attic.html

I use borg on rsync.net (and I just noticed the second link is to my post), and I'd recommend it strongly. Basically, if you need to back stuff up, use borg, period.

Rsync.net have also been very good and competitively priced, as per the above link. I can recommend them as well. (no affiliation with either product).

I tried spider oak a while ago, and I thought it was horrible in terms of ui, performance and bloat. I'm assuming they didn't change their stack/devs, so I will not even try this one.

I find that surprsing.

I've been using SpiderOak for years without noticing any bloat or performance issues with the background service. On the contrary, I was often surprised how little space I'm using in spite of the fact that they store multiple versions of my files. It doesn't hog memory or bandwidth or CPU at all.

The UI is indeed a bit weird and its performance can be erratic sometimes, but it gets the job done and has a lot of useful features.

Most importantly, SpiderOak has reliably protected me from losing data and I don't have to babysit it. It just works.

(I'm a happy paying customer. No affiliation with them whatsoever)

I used to be a paying customer (years ago, things may be better now), and I had many issues with CPU getting stuck at 100% for long stretches of time, or uploads/downloads would transfer a bunch of data, or would be slow, things like that.

Then, one day, my account got full, and I couldn't delete anything unless I got some more free space first (see the problem?). I believe support gave me a few extra GB just for the deletion, but that didn't work either and I decided to stop using the whole thing. That's when I switched to attic/borg, which is much superior for my use case (backups).

Thanks for the feedback. Sorry it didn't work out for you.

FYI, the SpiderOakONE app and the backend storage service received a refresh in 2016, and another one is underway right now (now all needed libraries are Python3 compatible!)

The existing UI is oriented toward power users, and is a bit complex for most people. The upcoming refresh simplifies many things while retaining the flexibility under "advanced" settings.

Spideroak One is miles better in terms of UI than the old version, but the performance is still baffling sometimes. eg. Edit a single ~5kb file and you can be seeing multiple minute upload times. Encryption doesn't take that long and even dial-up is faster for upload.

EDIT: I only use the free version though, so maybe the paid plans have better speeds.

Depends on how long "a while" ago was. They had a big client overhaul something like a year (?) ago, which (after a few months of bugfixing) made quite a difference.

Now they also have a galaxy of related products (IM, collab, etc) which more or less integrate with ONE, although I haven't really used them.

Ah ok.

No it was actually a couple of years ago, more than 3

I might give it a try.

> They've been around for a while and are highly regarded.

By who?

My only experiences with them have been horrible. Their client is buggy, slow and horrible and their support left tickets for literally months until they basically gave up and gave me a refund.

Whenever SpiderOak comes up I can't help but share my experience with them.

In February SpiderOak dropped its pricing to $12/month for 1TB of data. Having several hundred gigabytes of photos to backup I took advantage and bought a year long subscription ($129). I had access to a symmetric gigabit fibre connection so I connected, set up the SpiderOak client and started uploading.

However I noticed something odd. According to my Mac's activity monitor, SpiderOak was only uploading in short bursts [0] of ~2MB/s. I did some test uploads to other services (Google Drive, Amazon) to verify that things were fine with my connection (they were) and then contacted support (Feb 10).

What followed was nearly __6 months__ of "support", first claiming that it might be a server side issue and moving me "to a new host" (Feb 17) then when that didn't resolve my issue, they ignored me for a couple of months then handed me over to an engineer (Apr 28) who told me: "we may have your uploads running at the maximum speed we can offer you at the moment. Additional changes to storage network configuration will not improve the situation much. There is an overhead limitation when the client encrypts, deduplicates, and compresses the files you are uploading"

At this point I ran a basic test (cat /dev/urandom | gzip -c | openssl enc -aes-256-cbc -pass pass:spideroak | pv | shasum -a 256 > /dev/zero) that showed my laptop was easily capable of hashing and encrypting the data much faster than SpiderOak was handling it (Apr 30) after which I was simply ignored for a full month until I opened another ticket asking for a refund (Jul 9).

I really love the idea of secure, private storage but SpiderOak's client is barely functional and their customer support is rather bad.

I have to agree that SpiderOak is terrible. Whenever I try to run it, my Mac goes crap. Everything seems to be freezing and OS is not usable at all.

Indeed it seems that they are moving to another products...

I have been using SpiderOak (SO) for nearly 6 years. However, I have been keeping an eye out for a viable alternative as I feel SO is starting to be neglected. In the past year or so, SO has barely received any updates (apart from the occasional minor bug fix). Semaphore seems to be taking up all their dev time. This would not be such an issue if everything ran well.

SO has no UI means to control version history. In order to limit version history (for example, to hourly versions per day, then 1 per day for a month, then 1 per week indefinitely), I need to run a script to close SO and run SO with some command line arguments. Having this functionality available in the UI would be nice.

The SO UI is slow to use. Over 6 years I have accumulated a lot of files and whenever I goto the manage tab to browse my files, it can take several seconds each time I expand tree nodes. The UI also becomes unresponsive, making browsing files take a while.

Manually deleting files/folders/version history is an absolute pain. Often, when deleting a folder in SO, only some of the contents are deleted, taking multiple attempts to delete. In some cases the contents of the folder disappear, but it shows root locations of drives as contents of the folder. When deleting anything, the UI becomes unresponsive for upwards of 30s, often significantly more for large folders or many version histories. Even selecting multiple files can take several seconds where the UI is unresponsive, the more files you select, the longer it becomes unresponsive. This makes file management take forever.

If I move a file temporarily, SO assumes it has been deleted and moves it to the 'Deleted items' folder. However, when I move the file back, SO create a new version of that file, leaving all version history in the deleted folder. It does not recognise the files are the same. This means that if a file is created and deleted numerous times (compiling pdf, or binary), hundreds of files with the same name are added to the 'Deleted items' folder. SO should be able to recognise the files are linked (perhaps checking the similarity of the files, only rejecting a link if they are more than 75% different) and create version histories instead of new files.

There is also no way to delete items in the 'Deleted items' folder after a period of time (2 years for example). The only way to delete items is to manually do it or clear everything, which I don't want to do as there are version histories that should be linked to currently existing files in the 'Deleted items' folder. I have had to resort to once a year putting a movie on and just manually going through folders for a few hours.

I really like the idea of SpiderOak, but it really is a poor implementation and just an all round pain to use. In the past I havn't minded waiting for new features and fixes, but its been 1.5 years since the new UI and nothing much has changed.

EDIT: And just to prove my point, I just tried to deleted a folder in the 'Deleted items' folder. The first attempt deleted everything within the folder, but a 'c:/' item appeared inside it. So I deleted the folder again. Half the contents of the folder a level above it just disappeared. This has happened before.

I think I give up.

The thing is that there's nothing actually special about SpiderOak as a service. Since the data is encrypted end to end, the only special thing is the client and as you've pointed out, there's is terrible.

On that note, once I gave up on SpiderOak I went looking for alternatives and they actually exist:

- Syncany: https://www.syncany.org/ - Java based, works on Windows and *NIX, uses S3, Dropbox, Flickr, FTP, Openstack Swift, SFTP and WebDAV as backends.

- Rclone: http://rclone.org - Go based, works on everything Go supports, uses Google Drive, S3, Swift, Dropbox, Google Cloud Storage, Amazon Drive, OneDrive, hubiC, Backblaze B2 and Yandex.Disk.

Syncany at least supports limited file versioning but not as granular as you seem to be after. The upside is that unlike SpiderOak, Syncany is open source and you can contribute features you want. If you're only after backup, there's also Borg which might work for you: https://borgbackup.readthedocs.io/en/stable/.

I looked at Syncany, but it looks like the project is dead:

> The core team of Syncany is on hiatus for an indefinite amount of time. Feel free to do with the code what the license allows and encourages, but please don't expect any maintenance. The team thanks everyone who has contributed to Syncany in one way or another.

rclone doesn't really have the features i'm looking for.

I have however found Duplicati: http://www.duplicati.com, which looks like it might serve my needs.

@rarrrrrr - Do you have a more precise timeline of when the SpiderOak Notes App will be launched in 2017? Would love to try it out as I'm getting tired of various issues w/ Evernote and haven't been able to find a good alternative yet.

Thanks for asking! I'm really excited about a ZK note app!

We haven't yet determined the priority of this vs. other projects in 2017. If you haven't already, please signal your interest below[1].

So far it is a prototype, although it is based on the already proven code used in Semaphor[2], our encrypted group chat and file sharing application, so it's "just" a bunch of UI work now :-)

[1] https://spideroak.com/about/noteapp-signup [2] https://spideroak.com/solutions/semaphor/business/tour

At this moment I'm a paying user of both Evernote and Dropbox and I do not like how they are focusing on extra bells&whistles instead of investing time in their encryption methods to make my data more safe.

From a business perspective you can get the money that I give to Evernote and Dropbox if Spideroak offers competing products. And for me the advantage is that my data is more secure because of the zero knowledge(1) idea and I do not need to worry about wild ideas from companies think about employees reading my notes "to make my experience better". Yes I'm looking at you Evernote.

(1) until 10 minutes ago I did not know that zero knowledge had a specific technical meaning that is different than what Spideroak implements. And I even have Bruce Schneiers Applied Cryptography on my bookself. I'll need to read that again. Maybe it should be called "Full stack encryption" because it covers everything from data transport, to storage, to metadata encryption, etc...

I've liked SpiderOak's focus on privacy and security, but find the pricing to be expensive at every tier, and the space available not in tune for my needs (a jump from 100GB to 250GB, which is kinda ok, and then to a whopping 1TB).

Thanks for your feedback.

Just as a data point for comparison, Dropbox charges $100/year for 1000 GB, but they don't do meaningful encryption, and therefore can de-duplicate your files vs. the files of all their other customers, which significantly reduces their storage costs (and allows for some entertaining information leakages!)

SpiderOak charges $120/year for 1000 GB.

Edit to add: SpiderOak deduplicates files within a single user's account (i.e. copies are free, and if you add another layer to a photoshop file and re-save, it won't take up the full space to archive both versions) but it is not possible [1] for us to deduplicate data across multiple users.

[1] https://spideroak.com/articles/why-spideroak-doesnt-deduplic...

How do you "dedupe within a single user's account" without violating "zero knowledge"?

Great question. The database work is all done client side.

Here's an explanation of the architecture I wrote in 2009: https://spideroak.com/articles/why--how-spideroak-architectu...

Just wanted to drop a note here… I've been a long time user of SpiderOak and am really satisfied with it. A much better alternative to Dropbox and alikes.

@rarrrrrr How many devices does this support. Can I add three devices in the same plan?

Can I sign up for 100GB first and then later upgrade to a higher plan seamlessly?

I really want to use this, but the mobile app (Android) really lacks very basic functionality - uploading files.

I recently stopped renewing my Dropbox on an annual license and will switch once I find a good alternative..

The thing that keeps me on dropbox is the price. I can't find a provider of raw storage that charges less.

I have used them for some years and have 2 main issue:

Their servers are slow compared to other cloud providers.

You can't upload files using their ios or Android clients, they are read only.

I don't have a ton of data in Dropbox but it's large and growing.

Any word if they're going to hook up a "import from Box/Dropbox" feature here?

SpiderOak can backup and sync arbitrary folders (including external drives, network volumes, etc.) So one migration path is just to select the Dropbox folder for backup by SpiderOak. (Or just move data from Dropbox folder to the SpiderOak Hive folder.)

Is this a new service they have launched? I mean what's bringing this on front page? I read the link but couldn't figure out.

Years ago I attempted to use this but the linux client was unusable and buggy on Ubuntu LTS.

does anybody know if www.sync.com is any better regarding their mobile apps ? They do also client-site,end-to-end encryption but their white paper only mentions their web-app which apparently does everything on the client.

You should also check out Tresor End to End Encryption [1] https://tresorit.com/

Disclaimer: This is a promotional post with an intention to pass on Reseller Discounts so that we have more individuals who can subscribe to secured cloud storage

As part of ensuring that our business clients have access to secured cloud storage services, we have initiated enlisting with Tresorit as Resellers and will be passing on discounts* to our clients. Interested individuals can procure the service at a discounted rate subject to the total number of individuals registering and converting as a paid users is 250 or above

Please leave your email id and we will contact you if we area able to enlist the required number of individuals


Is there a full pricing overview available?

2nd row on https://spideroak.com/about/price-list


100GB - $5 monthly ($59/y)

250GB - $9 monthly ($99/y)

1TB - $12 monthly ($129/y)


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact