Comments on: Our provider has been hacked, but Passpack is safe. Zero data compromised.

By: Francesco

Francesco — Mon, 24 Oct 2011 17:30:49 +0000

@Dave, Firehost is a good solution, but it is expensive. Currently our 4 dedicated servers cost about 300 dollars a month. On Firehost we will spend ten times this amount.

By: Dave

Dave — Mon, 24 Oct 2011 16:55:37 +0000

Is there any point on you hosting on FireHost.com ?? It sounds as a perfect match for you. Please let us know.

By: Lorenzo

Lorenzo — Fri, 07 Oct 2011 11:17:01 +0000

Well done Francesco! ;)

By: Francesco

Francesco — Fri, 07 Oct 2011 00:40:39 +0000

@John, the code injection is the primary risk for a Javascript application. So we constantly monitor all the files, with an automatic procedure that, if there is any anomaly, overwrites the files and immediately alerts us.

Until now, I received alerts only during tests.
And I hope that I will never receive further alerts :)

By: John

John — Thu, 06 Oct 2011 23:29:56 +0000

I’m concerned about the Javascript that deals with my passpack password locally in my browser; did you store, and have you checked the hashes of the Passpack Javascript files that actually handle the local password interaction and decryption?

Thanks.

By: Francesco

Francesco — Thu, 06 Oct 2011 22:50:59 +0000

@Luca, I still don’t trust cloud infrastructure for critical data. And, in fact, our servers are physical machines.
Also, I prefer software raid for our disks, because you must turn off the server to take a snapshot.
So: no downtime, no snapshot :)

By: Luca

Luca — Thu, 06 Oct 2011 22:22:41 +0000

Full transparency is always appreciated. Thanks!

Having said that, I just want to raise another concern. Paranoia is a virtue, isn’t it?

I assume that the provider is actually using virtual machines. In that case, having access to the provider’s management system, they could have created a snapshot (no noticeable downtime here).

Having physical access, full filesystem encryption is the only real mitigation.

Cheers,
L.