Hacker Newsnew | comments | show | ask | jobs | submit login

So can you say more about that? Specifically

"If I was evaluating software and saw such a policy, it would bring a lot of uneasy feelings, even regarding the supposed security of the paid version."

What if it was explicit? What if Evernote said, "Since it would cause us to lose money if we spent time on both more sophisticated security in the free product. Its basically secure against random threats but dedicated people will be able to break into it. If you want a truly secure product you should sign up for the paid product, part of that fee goes to paying the salaries of the security team we have on staff who are keeping it that way."

We also need to be clear what we mean by "security" here, there is "security" as in we make sure if someone breaks in they cannot easily get your password (they seem to have done that with salted passwords), and their is security as in "Even our operations staff can't get you access to your files if you lose your access token." level of security which takes a lot more work.

I'll admit I was pretty put off by Mark's assertion that Evernote doesn't care about security, his basis for that are three claims, that 2 factor authentication is late, that SSL isn't forced on, and that 64 bit RC2 is used in the free product. What is the purpose of the free product anyway? Is it to prove their security? I don't think it is, I think it is to give you a way to test drive what their product does without risking any money.

Anyway, someone broke in and got access to hashed and salted passwords and Evernote reset those. LinkedIn had the same issue, some Facebook apps grabbed similar data, Google has hosted malware in their App Store which tried to install banking trojans on your phone.

I am not persuaded by the assertion that "Evernote doesn't care about security" any more than "Google doesn't care about security" (and I happen to know they care very deeply and still get compromised now and then).

I defended Evernote because I felt Mark was unfairly maligning them and their CEO. I would be more sympathetic if he was a paying customer, and less sympathetic if he only has a free account.




Where does it say that RC2 is only used for the free product?

AFAIK it's all the time which is ABadThing (tm)

FWIW, if one has to rely on security being a differentiator in 2013, that's IMO a bad sign. Compete on other features but not security.

-----




Applications are open for YC Winter 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: