SpiderOak / Encryptr

Encryptr is a zero-knowledge cloud-based password manager / e-wallet powered by Crypton
GNU General Public License v3.0

Unable to login "Uncaught node.js Error " #324

Open intothemoat opened 3 years ago

intothemoat commented 3 years ago

Hey dudes, dudettes. I'm trying to log in this morning and every time I attempt to hit unlock I get this error: "Uncaught node.js Error".

Any suggestions?

AndJLan8404 commented 3 years ago

They're still turning the servers back on on Saturdays & Sundays for as long as needed, according to Encryptr's Twitter, so you can pull all your credentials out.

Very thankful that they're doing this. Just got my .csv file downloaded and Encryptr removed from my PC.

absalomedia commented 3 years ago

It still is lawsuit territory, as they seem to have removed the support path for those that didn't get the notification or were unable to migrate on the 25th.

jaidmin commented 3 years ago

Same issue here. My mom just tried to access Encryptr and it doesn't work anymore; she was not aware at all of the service shutting down (I also heard about it way too late).

Are the passwords stored locally as well? If they are can anybody give me some pointers on how to manually decrypt these files? I have no issue messing with the source code for a while to do this

Many thanks

jaidmin commented 3 years ago

I'm really glad SpiderOak is granting some kind of stay of execution this weekend for the users that didn't know about the March 4th EOL. I am sorry you have been affected by this.

I haven't worked on Encryptr for about 4 years now... but... for anyone not able to take advantage of that (or if for some reason you are reading this after the weekend amnesty)... not all hope is lost... the app does cache the encrypted entries locally in localStorage. It might be possible to concoct a tool or script to decrypt that local cache.

I might be able to help out with such a tool/script, though I hope it's not needed.

I have managed to extract the list of entries from localStorage and decrypt it, but the passwords are not among them. I strongly suspect that the actual passwords cannot be recovered without access to the Crypton server.

There are a lot of cache files which might contain the passwords, but decrypting them probably needs some kind of session key provided by the Crypton servers after login.

creolis commented 3 years ago

Good news! The previous solution was lawsuit territory. At least according to Common law.

@VictorieeMan: As I'm not familiar with jurisdiction in Sweden (or whatever country's "common" law you're referring to), I am wondering: where exactly do we see this being "lawsuit territory" when a company that provided a FREE service, and that intentionally does not gather or keep record of their users' contact information, chooses to abandon their service?

This is no attack by any means; I am genuinely curious why they could be held liable for stopping providing a free service if they chose to. If SpiderOak, hypothetically, were to file for bankruptcy, resulting in a shutdown of all their infrastructure, this would have the same effect and nobody would talk about lawsuits. Or am I missing an important step along my train of thought?

VictorieeMan commented 3 years ago

It's okay, I was a bit blunt there anyways :) A better formulation would have been "possible lawsuit territory". Let me share the little I understand about Common Law, just in case you're interested @creolis, though I don't think it's actually relevant to this issue anymore, since they did a fix.

Sweden doesn't practice common law, but it's the legal tradition of the Anglosphere (AU, CA, NZ, UK, US). Something that's possible within Common Law is to sue for damages due to negligence of duty. Here negligence is defined as "A failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances. The behavior usually consists of actions, but can also consist of omissions when there is some duty to act (e.g., a duty to help victims of one's previous conduct)." Read more about negligence here.

For instance, in this Encryptr case, one might argue that a programmer of ordinary prudence would have notified its users about "End Of Life" by pushing an update with a notice. But instead it was just tweeted and published on their website. The ordinary user can't be expected to have noticed this until suddenly the service stopped working, by which point they would have lost all their Encryptr-stored data without a reasonable chance to back it up or migrate to another service.

And since SpiderOak marketed the Encryptr service as a safe place to store passwords (and similar data), they voluntarily undertook to protect their users' passwords. Under those circumstances, within Common Law there's a case to be made that SpiderOak had a duty to act, namely to properly and with "ordinary" prudence inform their users about "End Of Life" in a way that:

  1. Reaches them in the manner they are in contact with the service.
  2. Reaches them in time. To give every user a reasonable chance to migrate their passwords.

The existence of this GitHub thread kind of proves that wasn't the case at all.

That's why I think there was a legal case for a lawsuit until they addressed the problem by reopening the service. And by now probably everyone affected has solved their problems, or at least stopped seeing it as a problem. To have a full lawsuit case the plaintiff must also prove the resulting harm to body or property. The possibility of a lawsuit actually increases the more users are using the service, because it increases the likelihood of someone somewhere storing something within Encryptr that, when lost, results in some kind of harm somewhere.

As for the bankruptcy case: for American companies, U.S. bankruptcy law applies (called Title 11). What I think happens according to this is that a bankruptcy court creates an estate of the company assets in order to liquidate the assets and pay off debtors. If the estate closed off the service without reasonable warning to the users, the users could most likely bring a similar lawsuit as described above against the estate for "damages due to negligence of duty to reasonably inform of EOL." If it loses this, the estate must pay, and the debtors get less money in return from the liquidation of the company.

I'm not a legal scholar however, just a bit interested. I happen to like and follow what SpiderOak is doing in terms of privacy and such things. That's not enough to qualify for a legal pass though, or a brand-hit pass for that matter. I'll certainly think twice before recommending SpiderOak products to "friends and family" again, because it wasn't fun this time around having to help many of them recover their passwords and stuff, just because one day it wasn't there anymore.

Even if no one brings forward a lawsuit here (which I don't recommend anyone doing), I think there's a valuable lesson to be learned from this. Anglo-Saxon Common Law acknowledges negligence as a reason to convict for a reason: because our actions (or inactions) have ripple effects on those associated with us. And it acknowledges that this comes with the duty to behave reasonably to mitigate damages. I think there's something good in that, and I would encourage programmers and people in general to try to live by the duty of: "What's the best service I can offer within the area I'm dealing with?"

I can promise that companies that try to live by that rule of duty will get happier customers.