17 comments

[ 4.8 ms ] story [ 53.9 ms ] thread
Oh, these are the guys that are confused about XTS mode[1], thinking it was designed for protecting "bulk data". See my wonderful exchange with them on Twitter:

https://twitter.com/Cyphertite/status/450616668126203904

https://twitter.com/Cyphertite/status/450616106001399808

which ended up with them calling me "some jerk on twitter who has nothing better to do than talk shit".

https://twitter.com/Cyphertite/status/450623654288969728

[1] See this tptacek's post explaining XTS: http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/

Hmm, that last tweet is enough to make me disregard this and wish I hadn't upvoted.
I keep seeing this in your blog post: "Attackers could [rewrite] /bin/ls into a bindshell."

What does that mean? And how is it related to disk encryption?

ls is a file listing in unix/linux. a 'bindshell' would essentially open a telnet port that goes directly into a command line shell. So, if your system was attacked, you might (since it's the most often command typed) use the 'ls' command to list your files. When you do that, you also open a shell on a specific port on your computer that has root access.
Bindshells are shells that are bound to a port, see Wiki for a brief explanation[1]. Basically, without authentication you have no way of knowing that the `ls` you backed up is the same `ls` you get back out. If your remote backup is compromised and uses XTS, its possible for someone to own you by replacing an oft used binary that when run gives them a remote shell.

[1] https://en.wikipedia.org/wiki/Shellcode

On the other hand, if the attacker needs to create the connection, the shellcode is called a bindshell because the shellcode binds to a certain port on which the attacker can connect to control it.

It's in Niels Ferguson's public comments to NIST regarding XTS-AES and storage that's not on physical hardware. tptacek explained it in his comments how this attack works if you search them https://news.ycombinator.com/item?id=7675698#up_7676864

This service if I remember encrypts files/container with user keys then they encrypt it again on their cloud backup with their key, so it's not an encrypted backup sitting on a dropbox server. Of course you have to trust their keys won't be stolen by somebody wanting at those XTS-AES encrypted backups.

You'd be essentially wilfully ignoring a massive security hole which would allow complete "pwnage" of the box.
Yikes. If you're going to accuse everyone around you of being snakeoil salesmen, you probably shouldn't defend the fidelity of your own stuff by insulting the skeptics.
(comment deleted)
There are a few reasons why many people would not (or should not) use Cyphertite:

* It's been such a long time in development and there's still no client for OS X. Building from source should be an option, not the only way, if this is ever meant for mass adoption.

* There's no information about accessing backup files from mobile devices.

* Most importantly, unless you have more than 100GB of data to backup, you're better off with the premium plan (enterprise segment) than the expensive personal plan where you would get a lot lesser in return.[1] I had pointed this out to them a year or two ago, but there's been no change and this structure does not make sense for the section of home users who may have only a few tens of GBs to backup.

[1]: https://www.cyphertite.com/plans.php