Building for New Threat Models in the Modern Era
THE THREAT MODEL
When we started building SpiderOak in 2006, the threat model was an attacker who would want to compromise SpiderOak and steal customer data. Our code was written in an era when these types of attacks were the only real threats that were considered. Almost every company works to protect against this kind of threat model. However, we took a different approach than 99% of companies and built our products with a No Knowledge, end-to-end encrypted architecture so that in the event of a compromise, there would be nothing to take — all an attacker would find is encrypted data blocks. And only you, the customer, hold the key to decrypt your data.
Because this was a legacy mindset, the SpiderOak ONE backup code base (like that of most other companies) is not robust against a different kind of threat model: SpiderOak, the company, as the active attacker. Today, technically any company, or someone who hacks them, could send you a malicious binary or software update that attacks you. You place a lot of trust in every service, tool, product, app, and company you use.
HOW WE RESPONDED TO NEW THREAT MODELS
We know we need to do more. This is why we started building a new code base and robust platform called Flow. This is what Semaphor is built on.
Our plans for Flow include source releases (https://spideroak.com/solutions/semaphor/source), deterministic builds, and a release transparency log which will work like Certificate Transparency but for software releases. We plan to move everything to this architecture to defend against SpiderOak as an active attacker, so you don’t have to worry about or trust us as a company.
We have big ideas about the Flow platform — from Encryption as a Service (EaaS), to moving our other products Encryptr and SpiderOak ONE onto the platform, to building out other apps like a No Knowledge document collaboration tool (like Google Docs) and a note-taking application (like Evernote). While it’s our vision for the future and something that we’re working on, the true purpose of sharing this information with you is to give you an insight into where we stand as a company, the exciting future we see for secure No Knowledge technology, and the new kinds of threat models that are important to consider in today’s world.
Originally published at SpiderOak.com on June 5, 2017.