Comments on: Mozy and Carbonite receive high marks in security

By: Gary Sloane

Gary Sloane — Thu, 29 Jan 2009 21:51:21 +0000

So how does the user KNOW that the encryption, password protection, authentication, etc. actually occur? Is there a 'certification' that examines the actual practices of companies engaging in for-profit secure internet data transfer? How do I know that Carbonite isn't a front; that they don't simple *assert* that all of the security is in place, and actually they just collect all their user's data and sell it to the highest bidder, or run search engines to extract salable data? HOW DO I KNOW????? In the old days (mainframes) security was PHYSICAL; if you didn't want someone to access your data, you locked up the tape...

By: Joe

Joe — Thu, 26 Jun 2008 17:13:38 +0000

Hi Andrea,

Thank you very much for stopping by and for leaving the detailed information regarding MemoPal's security infrastructure. We will take a look at your service and evaluate it for inclusion on our comparison of online backup services.

Thanks again,
Joe

By: andrea cecchetti

andrea cecchetti — Thu, 26 Jun 2008 08:34:15 +0000

Memopal assures a high level standard of data security

In Memopals' infrastructure every connection to a server having an un-trusted
certificate is refused by the client to prevent the Man in the middle attack.
Memopal is constantly evolving its security model to assure a high level standard of
data security.

In Memopals' infrastructure, all the connection between client and server are SSLencrypted
using server-side certificate and every connection to a server having an
un-trusted certificate is refused by the client to prevent the Man in the middle attack.
The authentication phase starts only after a valid SSL connection is established, so
when a fake certificate is proposed to the client no username or password is sent
from the client to the server.

Moreover, to install the Memopal client is necessary to gain a privileged user
account, so nobody may have installed Memopal on your PC to steal your data.
Data are transferred encrypted from the client to the server, and are stored in an
encrypted FS also distributed in chunks with a RAID-5 like policy.
Watching inside the MGFS (Memopal Global File System) it's impossible to know
who owned the backuped file and the original filename. So if someone takes a
storage unit from the Memopal infrastructure, he never has access to a common
sense information to disclose it.
The data structure contains the associations between the file and the owner is also
encrypted and not accessible to the support people during the support phase.
In the current beta-release we are testing a client-side certificate validation to prevent
possible server-side attack.

Memopal is online backup and online storage software that archives your files in realtime
to a remote server. It doesn't matter how many times you change computers:
You will always know where your data is. You can browse all your files from any
internet location or internet-ready cell phone. You can share with friends and coworkers
files that are too big to send through email.

Andrea Cecchetti
Chief Information Security Officer – Memopal

By: NextAdvisor Daily » Blog Archive » Security breach at DivShare

NextAdvisor Daily » Blog Archive » Security breach at DivShare — Tue, 17 Jun 2008 19:50:13 +0000

[...] DivShare is not one of the online backup services we have reviewed and recommended. As we posted a couple of weeks ago, Mozy and Carbonite, two of the services that we do recommend, were recently found to be the two most secure online backup services according to Heise, a German computer security publication. Both successfully thwarted attempts by all testers to gain unauthorized data stored on either service. To learn more about Mozy, Carbonite and other online backup services we have reviewed, view our online backup service comparison. Please share this post: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]