Note256 is a modern online notepad with strong client-side encryption. An everyday tech tool.
Here's the thing. As developers, we constantly deal with some kind of credential data mess: host configurations, deployment options, backup copies of certificate keys, and so on. Then we need it all to be privately available online, to share with colleagues, client tech admins or those freelance guys.
How is all this data actually stored in a real-world process, in 95% of cases? Sad but true, I tell you: something in a plain text file on a host; [or] inside a Dropbox/GDocs shared doc; [or] even buried in an email archive ("I sent you the SSH pass a few months ago"). This cannot be considered a secure approach by any means.
And what is «secure» in our cloud era? It should mean that no authorized third party can physically access your data, even the storage host itself. We've seen stories where a bad guy or a piece of malware gained root access to servers and was able to bypass the «outside» security measures - because, you know, it's root. Data can be considered secure if it's accessible on the authenticated client's premises ONLY - which means an industry-grade client security endpoint has to be implemented in your browser. So we did it.
Just in case you missed the magic button:
We added PWAT (pay with a tweet) because we basically want to get new users and some buzz at this point. The service now features no ads at all, no hidden/paid features, everything is accessible right now «as is» for everyone, so a small tweet looks fair.
Guys and gals, I need to say this: we built a promising platform, which is now used by a number of cool people - you, to be specific.
- - -
As for me, I keep some of my sensitive data inside Note256, you know. Of course. And during these years of service with Note256, once in a lifetime it has to happen: I forgot my master key for it. For my data. That small part of data I need now. Completely lost.
We are all humans after all. Ironic, isn't it :)
I spent some time trying to reach my data, given the fact that I have all the backups, sources, possible time span analysis on the data timelines, exact signature check routines - that small part that ensures in your browser that everything is encoded and decoded properly. Everything. But here is the joke: when I built Note256, I really was into the idea that the security of our data should have NO slight compromise and NO possible workarounds in the data pipeline.
So here I am, sitting with files that have proven to be white noise without the proper keys. Even though I know the exact internal structure and I am the author of this code.
* Your files are up and running, 100% intact, you can check it any time you want - no worries. That's just my story.
- - -
But now I'm 100% sure we don't have even a slight hole in the platform. It will cost me another 3 or 4 months to restore all the material and data I have here, encrypted. Because without the key it's useless, and now I'm sure of it like never before.
I did some math. Given that I know my possible key length and the symbols that I used in it, and imagining that I might brute-force it with, for instance, 100 000 000 checks per second (which is a _very_ optimistic approach if I use a server farm that will cost me hundreds of $$$), that task still needs roughly ~3 billion CPU days.
Our life seems to be so short when looked at with such an approach.
Anyway, treat this as a somewhat sad but funny story :) I just wanted to share. 4 months of duplicate work is still a significantly better option for me :)
* I once cracked the Microsoft Bitlocker algorithm, which is "unbreakable" y'know, just because a) my life was depending on it, literally, and b) I knew how it operates down to the bare metal, because I worked inside MSFT. That I'll save for another story, maybe. In this exact case, despite not being the worst person in the world to write and break crypto code, I have no ideas and no magic for me.
Your data is bulletproof safe. Secure at its bare math core - and i mean it :D
- - -
Somewhere in the background, I have ideas on how to improve the platform to give it modern features and maybe a modern look and feel (who is using jQuery in 2020?), so eventually I'll give it a try. If you have bright ideas or feature requests, feel free to drop me a word on Twitter @note256 or any media you like.
Or just say cheers for my story :D It was a nice experience for me.
Keep safe, stay home, rule the world.
First time here? Start now, it's free and 30 sec fast.
Register free with #paywithatweet: make a tweet or a post in any social network of your choice to gain access. Help us spread the word.
Looking for premium? :)
Hold on a sec. We're about to implement some ideas with a payment basis, but surely not now.
If you've been using Note256 for more than a week and have ideas, drop us a word here:
google.form
«Y U NO do anonymity?»
1. Because we care about your data and its integrity. Finding all your data under one consistent protected realm is part of a complex secure approach.
2. Because security through obscurity is a flaw, like «no one knows my url so they cannot find anything». It just doesn't work.
3. There already are too many pastebin-like services which don't serve our needs.