undefined | Better HN

0 pointsvidarh12y ago0 comments

And you don't believe your data passes through a "communications provider"?

By the argumentation on your page, almost none of the electronic data targeted by the data retention directive would in fact be retained if the directive is not also applied to data that merely transit a providers network, given that the vast majority of e-mail addresses in use today are not hosted by "communications providers". If that is indeed an actual loophole, it will be closed quickly if/when everyone realizes that they're not getting the data they expect.

This is in any case a minor point, as in terms of dealing with backup data, it's the two first points of my message that are by far the most serious. And I don't think they're that serious, in that I don't really believe there are any suitable alternatives that are safe enough that you can prevent surveillance based on location, so you'll depend on the crypto, and the combination of the two makes the location of the data rather moot.

0 comments

Kimmono12y ago

It does, but they dont offer email or phone services. So they are also exempt. We use Blix: https://www.blix.com/

What you call a loophole, was no secret in the hearings about the new law. The government wanted this implemented mainly for the phone providers. They understood that foreign email providers like Gmail and Hotmail that most use in Norway, could not be under the law in any practical way, so they restricted who this is applicable to.

tombrossman12y ago

I read your website and tried your service for a few days this past April. I cancelled immediately after you emailed both my web hosting and support account credentials. In plain text. That is egregious.

I mention this only to point out that without proper security procedures your data privacy policy is irrelevant. Not one-way hashing and salting passwords negates everything else you do.

I'm happy to try again some day but you really have to have airtight security at a minimum to appeal to privacy-conscious users. Password reset is one of the first things we test for any new service.

mpyne12y ago

If you're worried about the NSA or other nation-states then I wouldn't stop with hashing+salting. You need to be using something like scrypt/bcrypt/PBKDF2. cperciva has a paper about scrypt, bcrypt is at least widely known for this use case, and PBKDF2 is even a "certified" way to do that.

Kimmono12y ago

Both your web hosting and support account credentials are encrypted. I see you point not sending them to you when you setup the services, but you have to understand that we do offer services for a wide range of people. Some really want a copy of their login in their email that they have locally.

But I take your point about this and we will try to make that optional. It is optional when you setup email sub-accounts for the administrator.

j / k navigate · click thread line to collapse

0 pointsvidarh12y ago0 comments

And you don't believe your data passes through a "communications provider"?

0 comments

Kimmono12y ago

It does, but they dont offer email or phone services. So they are also exempt. We use Blix: https://www.blix.com/

tombrossman12y ago

I mention this only to point out that without proper security procedures your data privacy policy is irrelevant. Not one-way hashing and salting passwords negates everything else you do.

I'm happy to try again some day but you really have to have airtight security at a minimum to appeal to privacy-conscious users. Password reset is one of the first things we test for any new service.

mpyne12y ago

Kimmono12y ago

But I take your point about this and we will try to make that optional. It is optional when you setup email sub-accounts for the administrator.

j / k navigate · click thread line to collapse