Image for post
Image for post
Photo by Jeremy Perkins on Unsplash

For the last thirty years the prevailing approach to securing IT has been to secure the network from the outside world: “build a tall, strong, wall with well-guarded gates.” From many perspectives this has been a good choice; InfoSec teams focus their efforts and budget on ingress-egress points without having to manage the complexity and churn of an organization’s internal affairs. Unfortunately, it also means that any breach of the perimeter often leads to catastrophic failure.

In practice, organizations do watch the inside of their networks for threat actors, both insider and external, who might mean them harm; but even this approach still largely trusts the IT network. …

Image for post
Image for post
Photo by NASA on Unsplash

SpiderOak’s vision is to Secure the World’s Data.

Our goal is to reduce the complexity of the security surface to the point where it can be reasoned about, so that assumptions are few, and those that remain are well understood. This means reducing both lines of code and the number of people who must be trusted to enable secure data storage and access.

As a customer-focused company, we understand that technology alone cannot solve all problems. Products and support that work with your existing investments are required.

This is our new mission. We are a thirteen-year-old company which provides tens of thousands of businesses and consumers with best-in-class secure backup and messaging. Now with new management we have extended our expertise to deliver a whole new class of capabilities for securing shared data and managing authority. …

Image for post
Image for post

Cryptography, the art and science of encrypting sensitive information, is becoming increasingly commonplace in our day to day lives. From iPhones to bank accounts, most of us already interact with cryptography daily, and increasing numbers of people are recognising the value of VPNs when it comes to protecting their privacy. Computers and the internet have allowed the development of a public encryption standard (DES) and the invention of public-key cryptography, two processes which have hauled cryptography, traditionally the preserve of governments and militaries, into the public domain.

A Brief History of Cryptography

The history of cryptography and encryption can be traced much further into the past than most people might think, certainly beyond the dawn of the computer age. Evidence of cryptography has been discovered in Ancient Egypt, and Julius Caesar developed a cipher for his personal communications. Al-Kindi, an Arab polymath, developed cryptography as we recognise it today, however it remained a slow and clumsy method for communication. As recently as the Second World War, US soldiers were forced to make the decision whether to wait for hours to send or receive an encrypted message, or share the information with enemy eavesdroppers in the hope that allied forces would react more quickly. It was, however, during this conflict that a new encryption method was developed, based on the Navajo language, which remains the only spoken military code never to have been deciphered. …

This post is by Tomás Touceda, a member of SpiderOak’s Engineering team.

At SpiderOak we do a lot of coding in Go. I personally really like Go because it feels like Python with the type safety guard rails and almost magical concurrency helpers. But the point of this post is not to do yet another deep dive into why Go might be better than some other language, or how we use it at SpiderOak. The goal is to talk briefly about subtleties in coding that mean the difference between a secure environment and an insecure one.


DISCLAIMER: This finding is not mine, but Frank Sievertsen’s.

This post is by Renee Jackson, a member of SpiderOak’s Product Management team.

It’s 4:30PM on a Friday and the Sales representative working with your department says “I have a client meeting Monday — can you tell me how long it will take to implement the new feature we talked about today?” Groan.

Off-the-cuff estimate requests can be stressful; are you better off to overestimate and risk a long explanatory conversation? To give a quick estimate and cross your fingers you won’t be held to it if you discover there was a lurking dependency? …

This post is by Ben Zimmerman, a member of SpiderOak’s Engineering team.

In my last post I talked about planning features at a high level. This time I’ll talk about how we plan for an individual sprint. The goal with sprint planning is to accurately plan what you can accomplish while working at a sustainable pace.

Points system

For sprint planning we use a point system based on the fibonacci sequence. 1, 2, 3, 5, 8, 13, 21. The idea is that as estimates get larger uncertainty grows so the gaps between estimates grow. …

This post is by Chip Black, a member of SpiderOak’s Engineering team.

Markdown rendering is very important to the performance of Semaphor — every message you send and read is a Markdown document — so we’re always looking for ways to improve the performance of rendering Markdown. A couple months ago Jonathan Moore and I wondered how easy it would be to integrate WebAssembly into a React component, replacing the render() function, and we thought that moving Markdown parsing into Rust would be a great way to test this idea out.

What we came up with is react-wasm-bridge, an experimental component that passes props into a Rust WebAssembly module and provides an interface to build React render trees (and more!). …

Providing you with tools that help you get the most value out of SpiderOak products is a top priority for our customer success team, and our Help Center is a key component of this mission. We recently made some updates to our support site that we want to tell you about.


SpiderOak’s Help Center is now hosted at This is a small change from the original address,, but gives a big benefit for our users in terms of the speed and responsiveness of our Help Center. Direct links to support articles will all redirect to the new domain. …

This post is by Ben Zimmerman, a member of SpiderOak’s Engineering team.

Whenever I see discussions of agile workflows I read developers complaining about how it doesn’t work. They’re constantly pushed to do more and to do it faster. That leads to buggy code and missed deadlines. It also, makes working as a developer miserable. In this series I’m going to talk about some of the things we’ve done to make using an agile process enjoyable. I don’t expect this exact process to work for everyone. However, it does work for my team.

First up is planning a new feature. This involves writing a specification and providing a rough estimate. The purpose of these is to communicate with non-technical people within your company. You need everyone to agree on what you’re going to build and to know roughly when it’ll be ready. …

Over the weekend there has been chatter on the internet about the change at SpiderOak from a Warrant Canary to a Transparency Report. We understand that some people are concerned that this is a signal that we have in some way been compromised. To be completely clear: Nothing has changed other than the way we report our interactions with the government from the first time we posted a canary in August 2014.

We have received: 0 Search Warrants, 0 Subpoenas, 0 Court Orders, and 0 National Security Letters.

Even better for our customers, we couldn’t hand over their data even if we were asked to. The No Knowledge approach that SpiderOak uses means that we we don’t have the keys to decrypt the data you trust us to store for you. …



Security with no backdoors. End-to-end encrypted collaboration and backup. Protecting your security with No Knowledge software for 11 years.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store