|
PASSWORD/DATA PROTECTION REQUEST (Please Sign)
I have all three Omnifocus apps: the mac, iPad and iPhone. I use them but I don't feel safe to place personal info on them because they're not password-protected. I am dismayed that the Omni Group does not make it a priority to protect a user's data with either password or encryption.
So many other To-Do apps already offer this, why not Omnifocus? This is an anathema to my business practice. In my office I can keep hard copies under lock and key yet I cannot do that in Omnifocus. For it not to have a password is like leaving one's diary open. It goes to the heart of the GTD philosophy which is to prioritize the essence of one's personal dreams enable to actualize them. Allowing potential access of this info to people who borrow my iPad/iPhone is not something I feel happy about. I'd gladly send a check for $20 or whatever enable to get the Omni Group owners to take this suggestion serious and implement this immediately. Can any other user please co-sign their interest to at least want this feature, sans the monetary offer? Thanks. |
I seriously don't get it. You can lock your computer, you can lock your iPad, and you can lock your iPhone. All 3 products have that functionality built in, and it works great.
If you leave any of them unlocked, there's data in a lot of places besides just OmniFocus. Should each and every application that handles data have its own password lock? Behind that way lies madness. There are perfectly good security mechanisms built into all the devices already, perhaps you should learn to use them. |
[QUOTE=CatOne;107629]I seriously don't get it. You can lock your computer, you can lock your iPad, and you can lock your iPhone. All 3 products have that functionality built in, and it works great.
If you leave any of them unlocked, there's data in a lot of places besides just OmniFocus. Should each and every application that handles data have its own password lock? Behind that way lies madness. There are perfectly good security mechanisms built into all the devices already, perhaps you should learn to use them.[/QUOTE] Thanks for your reply CatOne, but not constructive. I asked for co-signs on those that were interested in it and not in shooting holes in the idea. (I'm trying to get something positive done). The functionality you mention is a pacifier. Those mechanisms can be broken and OF is a database, which can be hacked. Just having the password on the device is not enough. Let me ask you this: You own a safe at home? You of course have a home with a front door on it that's locked right? Well say you own that safe, do you just leave it unlocked and pray that the crooks don't break through your front door and steal everything in the safe? If you owned a gun would you not lock that away and forget about putting the safety on? Would you only get collision coverage on car insurance? What's the worth to your right to privacy? Wouldn't you want to have as much protection as possible? To enlighten you about the "silver lining" to iCloud check this out. It's a lecture by Columbia law professor Eben Moglen describing the new cloud-computing world as "the architecture of the catastrophe.": [url]http://www.softwarefreedom.org/events/2010/isoc-ny/FreedomInTheCloud-transcript.html[/url] What you don't realize in this day of the cloud-computing is that your data is being controlled by other people that can access it and exploit it for financial gain. It's already happened with google: [url]http://online.wsj.com/article/SB10001424052970204880404577225380456599176.html?mod=WSJ_hp_LEFTTopStories[/url] When are people going to wake up and see that their personal/private details to their lives must be protected otherwise they've lost the freedom of their own identity and individuality. Are we now just a collection of digits in this monopoly of technology? I certainly don't want to be exploited, tracked or invaded for the benefit of enriching someone else's bank account. Perhaps one day you'll see the light pasts the clouds.... |
Hi - I am not sure I get this either. Whilst understanding your perspective about not shooting holes in the idea I equally don't think this is thought through.
Take iOS security which now includes encrypting all contents. You say this is a "pacifier" and these things can be broken. Well, you think OMNI have the resources to build a more secure platform than Apple?! Adding a password would be a futile gesture if we are to talk about real security! Password access would necessarily require encryption....and then the entire debate around how good that encryption is. I am not mocking the need for security but I would say this. If you classify iOS and Mac OS X security as easily broken and nothing more than a pacifier then you haven't thought through what type of secure solution OMNI could possibly offer! And as good as they are I do not believe they are going to offer a solution that is better than what apple already provide! IMHO - referring to your house analogy - switch on encryption and strong password protection, disable cloud services, and your front door becomes way safer than any safe you have inside of your house! And this is built into the mac and iOS covering all of your data! As for transmitting data in the cloud for sync purposes --- do you really think encryption is that valuable? There are many debates about what encryption has and has not been broken. Bottom line - if your data is that sensitive omnifocus isn't the place to store it! And in any event you can use a myriad of utilities to encrypt txt you store in omnifocus ---- far better to use those which allow different encryption for different data rather than a crack one access all data method! IMHO of course :) |
[QUOTE=Amilius;107630]Thanks for your reply CatOne, but not constructive. I asked for co-signs on those that were interested in it and not in shooting holes in the idea. (I'm trying to get something positive done).
[/QUOTE] Looks like you're 0 for 2, so far. Good luck with your "constructive" approach, though… you could always put this in as a feature request via OF support as they recommend. The Omni folks take all the requests and prioritize them as they see fit. Or I guess this could be your attempt to "rally the troops" if they already said they'd put it in the queue. Whatever… calling the default iOS security a "pacifier" is silly. Just so you know, there's this little thing called "data protection" on iOS which makes it pretty much impossible to access application data on an iOS device, if it's implemented in an app. So the most secure option the Omni Group would have would be to implement data protection in OF (I don't know whether they've done this; I suspect not, as it would prevent things like notifications when the phone is locked). As for your other analogies, I disagree that belt and suspenders are necessary and that "more security is always better." It's a trade-off. As a WAG, let's say they implement something like this and 3% of users leverage it. What percentage of them call the Omni Group at some point because they forgot their PIN, which is different to the main iPhone PIN? And if they can't recover their data, how upset are they? Not to mention, of course, the data is located in other areas, (i.e. servers) which, statistically, are probably more likely to be compromised. A much better option is to use a strong passcode on your iOS device. And on your Mac, if you're not using FileVault 2 this whole thing is a fool's errand. There's no reason the Omni Group should have to implement in-app encryption for the data file when you can do it for the entire OS at the click of a button. And the disk is locked and encrypted the second you sleep it. I really think you're barking up the wrong tree here. You can say I'm being "non-productive" but I'm just pointing out there are more than one viewpoint, and it really seems like you've not considered a number of things which are actually quite important. Worse than being insecure, is false security. |
[QUOTE=Amilius;107628]
In my office I can keep hard copies under lock and key yet I cannot do that in Omnifocus. For it not to have a password is like leaving one's diary open. It goes to the heart of the GTD philosophy which is to prioritize the essence of one's personal dreams enable to actualize them. Allowing potential access of this info to people who borrow my iPad/iPhone is not something I feel happy about. [/QUOTE] Do you lend other people the filing cabinet that contains your sensitive documents? How about your laptop? Toothbrush? If it is your device, just decline to lend it. I've read all of David Allen's books, but I saw nothing about the importance of having one's diary secured. Do you happen to remember where that is? :-) |
I agree Amilius. I sent this in a couple years ago, but can only imagine how many things OmniGroup gets asked for.
I would want more than password, but encryption. Especially if it's going to be in the cloud. There is a level of GTD where it becomes more than the old fashioned grocery list. Once you start putting in your dreams, your ideas for new things to bring into the world, business ideas or relationship issues you are working through, the data becomes much more personal and important. This is why I don't sync to any server, because it's wide open for anyone to look at. There are many companies that wouldn't allow using OmniFocus because of the security issues. You think apple is using it to map out the things to do for the next product? You think they are syncing to the OmniFocus company server? I've personally had odd occurrences happen at work where things on my action list are brought up, ideas taken before I have a chance to work them out. It's gotten to the point where I have my work OmniFocus database separate from my personal database, because i keep a lot of personal projects and ideas seperate. I have to choose which database I want on the iPhone, which is unfortunate, because then I don't have a way to capture ideas that are not work related. I keep the work database on the work computer and home database at home. It's odd there is such a great reaction against this? Way more energy fighting against something that wouldn't affect a user if they didn't want to use it? Makes you wonder about those posting with such vim and vigor against this idea? :) Either they work for OmniGroup and don't want to put the effort into the change Or They are getting fed off others OmniFocus database Or They are really bored I've heard on one of David's podcast that he uses a blackberry due to security issues with the iPhone. |
[QUOTE=StefMercury;107631]Hi - I am not sure I get this either. Whilst understanding your perspective about not shooting holes in the idea I equally don't think this is thought through.
Take iOS security which now includes encrypting all contents. You say this is a "pacifier" and these things can be broken. Well, you think OMNI have the resources to build a more secure platform than Apple?! Adding a password would be a futile gesture if we are to talk about real security! Password access would necessarily require encryption....and then the entire debate around how good that encryption is. I am not mocking the need for security but I would say this. If you classify iOS and Mac OS X security as easily broken and nothing more than a pacifier then you haven't thought through what type of secure solution OMNI could possibly offer! And as good as they are I do not believe they are going to offer a solution that is better than what apple already provide! IMHO - referring to your house analogy - switch on encryption and strong password protection, disable cloud services, and your front door becomes way safer than any safe you have inside of your house! And this is built into the mac and iOS covering all of your data! As for transmitting data in the cloud for sync purposes --- do you really think encryption is that valuable? There are many debates about what encryption has and has not been broken. Bottom line - if your data is that sensitive omnifocus isn't the place to store it! And in any event you can use a myriad of utilities to encrypt txt you store in omnifocus ---- far better to use those which allow different encryption for different data rather than a crack one access all data method! IMHO of course :)[/QUOTE] I was rallying for some checks and balances. I don't want to put all my eggs in one basket with Apple regarding these apps and their data transmission--of which, YES, I do think is that important. It's your personal data and to reiterate, I want protection. Now Apple does have a "Kill Switch" built in to the iOS so therefore they must have some process to execute orders that the Emperor wants to command. Law enforcement have devices that can download a users data from their phones without needing to get Apple's approval. So I don't put all my trust with one company. My request is from the position as a paying customer that has some leverage because of my dollars spent on their products. I'm not going to just roll over and salivate at new snazzy ICONS (a-hem) updates! I'm gonna tell them what I deem is important to me. If you don't ask then you don't get what you want. What's the negative in that? I make a request and they figure out satisfying their customer and everyone else reaps the benefit cause it makes the product better. I'd really like OF to be the best GTD app out and something that works for my life. I'm not satisfied with this product though. Now take a masterful product and company like 1Password and that suits the needs I'm asking for. Too bad they can't do GTD processing otherwise I'd delete my OF. This app has a master password and encryption. I already made the offer, and I would back up that offer, to the staff of Omni Group to take this up and do it--thereby increasing there ability to add resources. Nothing of what I was asking would be a detriment. So I don't really get why there's opposition to this idea? But I do appreciate your thoughts and POV. |
[QUOTE=CatOne;107632]Looks like you're 0 for 2, so far. Good luck with your "constructive" approach, though… you could always put this in as a feature request via OF support as they recommend. The Omni folks take all the requests and prioritize them as they see fit. Or I guess this could be your attempt to "rally the troops" if they already said they'd put it in the queue.
Whatever… calling the default iOS security a "pacifier" is silly. Just so you know, there's this little thing called "data protection" on iOS which makes it pretty much impossible to access application data on an iOS device, if it's implemented in an app. So the most secure option the Omni Group would have would be to implement data protection in OF (I don't know whether they've done this; I suspect not, as it would prevent things like notifications when the phone is locked). As for your other analogies, I disagree that belt and suspenders are necessary and that "more security is always better." It's a trade-off. As a WAG, let's say they implement something like this and 3% of users leverage it. What percentage of them call the Omni Group at some point because they forgot their PIN, which is different to the main iPhone PIN? And if they can't recover their data, how upset are they? Not to mention, of course, the data is located in other areas, (i.e. servers) which, statistically, are probably more likely to be compromised. A much better option is to use a strong passcode on your iOS device. And on your Mac, if you're not using FileVault 2 this whole thing is a fool's errand. There's no reason the Omni Group should have to implement in-app encryption for the data file when you can do it for the entire OS at the click of a button. And the disk is locked and encrypted the second you sleep it. I really think you're barking up the wrong tree here. You can say I'm being "non-productive" but I'm just pointing out there are more than one viewpoint, and it really seems like you've not considered a number of things which are actually quite important. Worse than being insecure, is false security.[/QUOTE] CatOne, thanks for the score count. Good points to consider. I have already put it in with development and sent an email to offer to pay for this feature. I was trying to reach out to other like-minded users but have attracted other POV's which I greatly appreciate because it expands my opinion on the subject. As I stated above, even though Apple says that it's not unlockable I know that the iOS system does have certain "hidden" orders that could allow it to be broken--otherwise there wouldn't be ways to hack and change iphones and have law enforcement agents access it. To address notifications there's possibly a way with the Unique Identify Code of the phone or iOS devise to allow the encoding or decoding of encrypted data like Keychain on mac. Or there could be a preference to allow some data to be kept encrypted and other data to be free to access through the notification system, sort of like a sandbox in a park. The park is free "turf" and the sandbox could be limited to the encrypted data. Now I don't want to get caught with my pants down--as you might allow with lack of using the suspenders and belt. But I was suggesting going more with some boxers and a belt. I'm not sure if you go commando or not but I know no one wants to see my big ass. As I mentioned above with 1Password, they specifically state that if you forget your master password then they can't help you. If that's the case then even on a server it must be bloody difficult to break into. One can easily hide that password somewhere (perhaps the box of Captain Crunch) and keep it separate from their data. You see I don't even have that option to use Omnifocus like 1Password cause they don't offer it. If AgileBits Inc can make it work why not Omni Group? I mean I know they're "Ninjas" and all but they kinda get ginsu'd by their lack of options for the customer (who wants it) regarding showing encrypted data or not. At least if they gave us the option then the customer who has the memory capacity of a floppy disk could forego the option of master password/encryption. It makes it much better of a system to have more than one company providing protection because then the user has a balance of power for who is in control of their data and how it's being used. I don't trust Apple to look after my cat (no pun intended) if they can't keep the crap out of their litter box (iOS)--there's many news stories about apps and cracks in their iOS. It's not purrrfect. They said Titanic was un-sinkable but then there was a little iceberg to come and pierce that falsehood. The fallacy of accepting what system is given to you is like being on the Titanic and accepting that it has no lifeboats. To me that kind of thinking, with Ominfocus, is un-SYNC-able. (Pun intended) |
[QUOTE=whpalmer4;107633]Do you lend other people the filing cabinet that contains your sensitive documents? How about your laptop? Toothbrush? If it is your device, just decline to lend it.
I've read all of David Allen's books, but I saw nothing about the importance of having one's diary secured. Do you happen to remember where that is? :-)[/QUOTE] Whpalmer, great to talk to another GTD'r. I find it to be a Godsend for organization. It's totally changed my productivity and clears up the clutter of the mind. The best thing is that the stress with projects has been eliminated. I skate through them with the method. However the issue that I have with Omnifocus is that it has created TWO in-boxes for me: 1) Private/Encrypted, 2) Open Projects that are not proprietary. I write and work on projects that require contracts and NDA's, there are business partnerships and associations where I have to protect this data to ensure that other eyes do not have access to it. That said I don't loan out my tooth brush (but I will offer the listerine). The problem is that Omnifocus' lack of protection smacks against the philosophy of GTD - where there should be ONE inbox that funnels through and organizes EVERYTHING into one system of process. I can't do this with Omnifocus. How do you suggest I do this? Please offer a solution for ONE system of process while still using OF. (I wish that the Omni Group people addressed this situation as directly and assertive as some of you who have responded to me. Thanks for your comments.) |
As for FileVault
[url]http://www.tuaw.com/2011/07/26/security-firm-extracts-mac-os-user-login-passwords-over-firewire/[/url] [url]http://reviews.cnet.com/8301-13727_7-57370628-263/security-concerns-on-apples-filevault-decryption-via-firewire/[/url] |
[QUOTE=SpiralOcean;107637]I agree Amilius. I sent this in a couple years ago, but can only imagine how many things OmniGroup gets asked for.
I would want more than password, but encryption. Especially if it's going to be in the cloud. There is a level of GTD where it becomes more than the old fashioned grocery list. Once you start putting in your dreams, your ideas for new things to bring into the world, business ideas or relationship issues you are working through, the data becomes much more personal and important. This is why I don't sync to any server, because it's wide open for anyone to look at. There are many companies that wouldn't allow using OmniFocus because of the security issues. You think apple is using it to map out the things to do for the next product? You think they are syncing to the OmniFocus company server? I've personally had odd occurrences happen at work where things on my action list are brought up, ideas taken before I have a chance to work them out. It's gotten to the point where I have my work OmniFocus database separate from my personal database, because i keep a lot of personal projects and ideas seperate. I have to choose which database I want on the iPhone, which is unfortunate, because then I don't have a way to capture ideas that are not work related. I keep the work database on the work computer and home database at home. It's odd there is such a great reaction against this? Way more energy fighting against something that wouldn't affect a user if they didn't want to use it? Makes you wonder about those posting with such vim and vigor against this idea? :) Either they work for OmniGroup and don't want to put the effort into the change Or They are getting fed off others OmniFocus database Or They are really bored I've heard on one of David's podcast that he uses a blackberry due to security issues with the iPhone.[/QUOTE] Thank you SpiralOcean, excellent points. Yes I really want them to do encryption but it appears that might be asking too much from them according to others. I was al the least hoping for a password protection option. I have that option on a simple text app program yet when it involves my most "personal and important" information to my heart I'm Sh!t outta luck. (Thanks Omnifocus). I wish other GTD'rs that took David's classes or read the books and did the system would jump on the bandwagon instead of the Apple-trains like it was the final solution of their needs. GTD is much more vital and important to not have encryption. I guess what I have to do is take what I learned and build my own OF app and compete. I'd sell it for half the cost of OF and include an option for password protection and encryption. If you can't join them then beat them! I used to be a die-hard Mac guy but because of what Apple is starting to implement with iCloud and the new iOS (especially the new OSX) it's becoming clear that they are turning their users into Facebook-ified zombies. After all the "i" in iOS, iMac, the iPhone, the iPad and iCloud is not just an acronym for its system but philosophy that the user is the small i -- a cog in the wheel of their business plan. They used to be the Rebel Alliance but have turned into the Empire. A case in point: Final Cut Pro--newer version has conflict with XML files, every other platform handles them. It's crap as far as for editing. I have editor friends that are switching back to PC. I'm thinking the same as all these Apple devices are just not worth the exorbitant price tag anymore. No flash on devices. Apple has their way or the high way. Something tells me that Omnifocus has been swayed to this dark side. For those doubting thomas' regarding this info just scan through [url]www.patentlyapple.com/[/url] and see where the future of Apple is going with users and their lives and privacy will be forever modified with this technology. |
[QUOTE=SpiralOcean;107642]As for FileVault
[url]http://www.tuaw.com/2011/07/26/security-firm-extracts-mac-os-user-login-passwords-over-firewire/[/url] [url]http://reviews.cnet.com/8301-13727_7-57370628-263/security-concerns-on-apples-filevault-decryption-via-firewire/[/url][/QUOTE] Good ones. Did you see this one: [B] Apple bans researcher for app exposing iOS security flaw Flaw lets malware run on iPhones, iPads [/B] By John Cox, Network World November 08, 2011 12:00 PM ET [url]http://www.networkworld.com/news/2011/110811-miller-ios-bug-252886.html[/url] --A security flaw that Apple purposely let happen. Apple used to be very secure on Unix and PowerPC, then went to Intel and now using iOS. Seems like things keep getting more and more diluted and weak. Of course Apple doesn't want to reveal this truth cause that would destroy the myth. So they ploy their users with diversions like Twitter/Facebook integration and Game Center built right into the system to keep the shell game going. So much for security... |
[QUOTE=Amilius;107643]
I guess what I have to do is take what I learned and build my own OF app and compete. I'd sell it for half the cost of OF and include an option for password protection and encryption. If you can't join them then beat them! [/QUOTE] Yes. This is what it boils down to. Accept what you have or build a better mousetrap. I've learned the state the software is what it is. There is a part of me that wants to improve, but there is a part of me that needs to accept it for what it is and love the current state. It's always easier said than done. Easier to point out what is wrong or should be changed than doing the change. To quote Truman's Speech at Shenandoah: [QUOTE=Truman;] You must have hardihood, courage, strength, the desire not to sit at home in ease and say how wrong the world has gone but the desire to go out and do your part to right it. You remember in 61 to 65 there was plenty to stay at home and say how poorly the war was being carried on, but the fellow that did the job was the man who went out and did his duty on the field of battle. That is the man that counts. And so it is now: [B]The man that counts in life is the man that goes out and tries to do the thing. [/B] [/QUOTE] As for OmniGroup developing software based entirely on popular votes... I don't agree with that model. It's important to know what direction the users want the software to go, as that may affect sales, but more important is developing a product you are proud of. If companies only listened to the whining of the majority, we'd loose out on much of the inventions and progress that drive us forward. We all know OmniFocus isn't made for businesses, if it was, it would have some level of encryption / password protection. Especially if you have all your personal stuff with your work stuff. You don't want your co-workers seeing your personal stuff, and your company doesn't want your business stuff available to your entire household. When OmniFocus is ready to step up to the next level, they'll include the password / encryption. Until then, it is what it is. As for FCPX, it took courage to release a product so different from the previous version. Apple is attempting to jump ahead a couple years to see if they can develop a product that is ahead of what is already here. What most people don't see in the product is the incredible performance that is underneath the hood. Don't be fooled by the simplicity. [Quote=Wayne Gretzky]skate to where the puck's going, not where it's been [/Quote] |
[QUOTE=Amilius;107644]Good ones. Did you see this one:
[B] Apple bans researcher for app exposing iOS security flaw Flaw lets malware run on iPhones, iPads [/B] By John Cox, Network World November 08, 2011 12:00 PM ET [url]http://www.networkworld.com/news/2011/110811-miller-ios-bug-252886.html[/url] --A security flaw that Apple purposely let happen. Apple used to be very secure on Unix and PowerPC, then went to Intel and now using iOS. Seems like things keep getting more and more diluted and weak. Of course Apple doesn't want to reveal this truth cause that would destroy the myth. So they ploy their users with diversions like Twitter/Facebook integration and Game Center built right into the system to keep the shell game going. So much for security...[/QUOTE] Apple hires iPhone hacker: [url]http://techcrunch.com/2011/08/26/apple-hires-iphone-hacker-nicholas-allegra-comex/[/url] Apple hires iPhone jailbrake developer: [url]http://arstechnica.com/apple/news/2011/12/design-student-scores-apple-internship-to-spiff-up-ios-notifications.ars[/url] |
I am all for more security! I don't backup my database to the cloud or to the omni server. I have a lot of confidential information that would have hefty monetary penalties if they were disclosed publicly.
|
[QUOTE=SpiralOcean;107642]As for FileVault
[url]http://www.tuaw.com/2011/07/26/security-firm-extracts-mac-os-user-login-passwords-over-firewire/[/url] [url]http://reviews.cnet.com/8301-13727_7-57370628-263/security-concerns-on-apples-filevault-decryption-via-firewire/[/url][/QUOTE] Those articles are odd. The issue mentioned (DMA over Firewire) was fixed in 10.7.2 So why the company issued that release after 10.7.3 shipped, when it has been fixed for 4+ months, is curious. Oh, that's right, it's not. They're selling a $1000 toolkit. |
[QUOTE=lashultz;107658]I am all for more security! I don't backup my database to the cloud or to the omni server. I have a lot of confidential information that would have hefty monetary penalties if they were disclosed publicly.[/QUOTE]
Thanks Lashultz! This is the only response I got from Omni Group: "Thanks for following up. You bring up completely valid concerns, and I've added your comments to the development database. Thanks again! Sincerely, J. B. Support Ninja Omni Group" So we'll just see how much more demand they get until they get serious and implement it. |
Encryption of Sync Data would be good
OF without synch is a partial solution, what makes it work for me is the multi-platform approach.
I don't (currently) have anything that is client confidential on OF, just my own notes and ideas, so sync via the omni server doesn't present a problem for me at the moment - I can see that it could in the future - even just from a 'due diligence' standpoint. If I had the option of entering an encryption key (which I would have to do on all three devices - OF, iPad & Iphone) or leaving my data un-encrypted, I would choose the encryption option. As OF files are zipped, how complex would it be to encrypt prior to sync? The user could choose the complexity of the key from none(default) to a 256 byte complex alphanumeric with symbols (or something in between). That said, there are some issues with encryption with zip files. [URL="http://en.wikipedia.org/wiki/Zip_(file_format)#Encryption"]http://en.wikipedia.org/wiki/Zip_(file_format)#Encryption[/URL] I think that it is almost impossible these days to protect information from someone determined to get my specific data - what is appropriate is to make it harder for my data to be gathered as part of a wider sweep or harvest. If the omni server got hacked and everybody's files copied - any criminal is likely to go through the plain text ones first leaving encrypted ones to the end. Assuming no security flaws that entirely defeat the key (Think WPA) if I have a very long and complex encryption key my data will be at the end of the list. In summary: +1 on the list for encryption of synched data. |
If it's important to you that you have end-to-end responsibility for your data, you can run your own sync server and the problem is solved.
|
[QUOTE=philrob;107701]
As OF files are zipped, how complex would it be to encrypt prior to sync? That said, there are some issues with encryption with zip files. [URL="http://en.wikipedia.org/wiki/Zip_(file_format)#Encryption"]http://en.wikipedia.org/wiki/Zip_(file_format)#Encryption[/URL] [/quote] The issue is with the built-in encryption in the old standard, not putting encrypted contents in Zip files. Omni just uses Zip to make the files smaller, and there's nothing really stopping them (except convenience and a SMOP) from putting encrypted files in the Zip files. [quote] If the omni server got hacked and everybody's files copied - any criminal is likely to go through the plain text ones first leaving encrypted ones to the end. Assuming no security flaws that entirely defeat the key (Think WPA) if I have a very long and complex encryption key my data will be at the end of the list. [/QUOTE] The bad guys don't know in advance that you have a long and complex key, do they? I agree that encryption of the data before zipping could be useful, as it protects against a compromised server and makes eavesdropping on sync traffic (normally encrypted in transit) more difficult. With the current sync implementation, there's no need for the server to have your encryption credentials if the data is encrypted before zipping, so you don't have the DropBox situation where your data is encrypted but the people running the server can decrypt easily. It also protects against someone swiping the database off the client, which putting a password on the app does not (unless it is used to encrypt the data). |
Catching up on the forums after a pretty busy week; sorry I didn't see this until now.
Data encryption is absolutely something we're interested in providing, but in general - and in particular when it comes to adding new features - we feel that we're best off working on the ones that the greatest number of customers have expressed interest in. For every request we've gotten for this, we have 4 requests for "Bring Forecast to the Mac" and we have 7 for "Make a web-based version of OmniFocus". Development work is a zero-sum game; time spent working on A takes time away from working on B. Adding encryption now means that many more folks have to wait longer for the things they want. That isn't intended to dismiss the importance of the request, or the passion of the folks that do want this. We think this is a great idea, and we want to add it at some point. We just can't do it right now. |
[QUOTE=Amilius;107630]Thanks for your reply CatOne, but not constructive. I asked for co-signs on those that were interested in it and not in shooting holes in the idea. (I'm trying to get something positive done).
The functionality you mention is a pacifier. Those mechanisms can be broken and OF is a database, which can be hacked. Just having the password on the device is not enough. [/QUOTE] I'm sorry, but I agree. If you want to protect the database, you need to lock your devices. Yes security should always be layered as much as possible, but you're talking about password encryption on the database and that severely slows things down. It's not something that I've felt the need to request and even now you mention it, it's not even in my top ten things I'd improve within Omnifocus. I suggest you contact the ninjas to log your interest in the feature. |
Interesting article about Federal governments moving away from Blackberry to iOS / Android.
[url]http://www.politico.com/news/stories/0212/73369.html[/url] For Government agencies to use OmniFocus, I wonder how important encryption would be? |
Two iPhone apps that use encryption because they store sensitive data on Dropbox are MoneyWell & 1Password.
|
[QUOTE=SpiralOcean;107964]Interesting article about Federal governments moving away from Blackberry to iOS / Android.
[url]http://www.politico.com/news/stories/0212/73369.html[/url] For Government agencies to use OmniFocus, I wonder how important encryption would be?[/QUOTE] Not very important. The iPhone itself is encrypted. Note, it wouldn't be all that difficult for the Omni Group to secure OmniFocus for iOS further; all they have to do is implement data protection, and then the data in the OF library would be further encrypted when the device is locked. But, really, per-app lock screens are a bad precedent. Having 27 different lock screens with 27 PINs on iOS is a bad idea because people are going to be forgetting their PIN codes. iOS provides a very secure option with data protection, which leverages the device password. Implementing data protection in an app has little or no performance impact. And then you just put a secure password on the device and set it to lock quickly. And… don't share your iOS device with others. They're really intended to be single-user devices. |
There's this interesting phenomenon on the Internet where people have a hard time seeing beyond their way of doing things. It often goes one step further, and you see people telling other people that they're using their devices the wrong way. This same discussion happened in the Evernote forums, too, when a segment of that community asked that the app be password-protected.
Personally, this feature isn't a big deal to me, but I can see how someone might want/need it. I'm assuming the "don't share your iOS device" comment was a joke, but, if not, it's pretty myopic to tell someone that his use of his iPad is "wrong," because he shares the device with a family member. I know plenty of people who share their iPads in the family. One of the Android ROMs has an interesting features where you can restrict access on an app by app basis. Perhaps overkill, but helpful in some ways. |
[QUOTE=Venture;108110]I'm assuming the "don't share your iOS device" comment was a joke, but, if not, it's pretty myopic to tell someone that his use of his iPad is "wrong," because he shares the device with a family member. I know plenty of people who share their iPads in the family.[/QUOTE]
I know plenty of people who do stupid things. I do some myself. It doesn't make those things be any less stupid, just because they are more convenient than the less stupid alternative. I don't know if CatOne was joking or not (I think not). I know I'm not joking. If you don't trust someone with your data, don't give them unsupervised access to a device that contains it. If you can't control the device because it belongs to your employer, don't put your private data on it. I agree it's a bit myopic, though; I wouldn't lend my laptop to someone I don't trust with my data, either! |
[QUOTE=Venture;108110]
I'm assuming the "don't share your iOS device" comment was a joke, but, if not, it's pretty myopic to tell someone that his use of his iPad is "wrong," because he shares the device with a family member. I know plenty of people who share their iPads in the family. [/QUOTE] I'm not joking. iOS devices are really designed as "personal" devices. They're not intended to be multi-user, shared devices, where you have lots of people who don't trust each other using them. Seriously, putting a passcode on each and every app individually that has private data is a horrible hack. |
[QUOTE=tippf2011;108134] <spam removed>[/QUOTE]
Brian did answer it pretty clearly above. |
[QUOTE=CatOne;108151]Brian did answer it pretty clearly above.[/QUOTE]
He's a spammer/spam bot-just registered today. Look at the 'hidden' link in all his posts that only displays when his posts are quoted in a reply. |
[QUOTE=Greg Jones;108163]He's a spammer/spam bot-just registered today. Look at the 'hidden' link in all his posts that only displays when his posts are quoted in a reply.[/QUOTE]
LOL. That's a new one. |
[QUOTE=whpalmer4;108111]I know plenty of people who do stupid things. I do some myself. It doesn't make those things be any less stupid, just because they are more convenient than the less stupid alternative.
I don't know if CatOne was joking or not (I think not). I know I'm not joking. If you don't trust someone with your data, don't give them unsupervised access to a device that contains it. If you can't control the device because it belongs to your employer, don't put your private data on it. I agree it's a bit myopic, though; I wouldn't lend my laptop to someone I don't trust with my data, either![/QUOTE] I do appreciate that these forums, unlike others, seem to have thoughtful debate. I also appreciate that you recognize that although you wouldn't want your kids or family to use your device, you recognize (hopefully I'm not reading into your post) that for some of the thousands or millions of other users users out there, it isn't "stupid." I'm thinking of a lawyer friend of mine. He has a personal iPad, that his child plays around with on plane rides (anyone with a young child knows what a pacifier that can be in an otherwise horrible situation). He might like to use OmniFocus. Maybe the data in it isn't even that big of a deal, but he knows that technically he should be taking steps to secure it. That leaves him with three choices - spend $500 on a second iPad for that limited use, hope that OmniFocus can be password-protected, or don't use OmniFocus. Anyway, that's the use case I can think of, although with all the users out there, I'm sure there are many more. |
[QUOTE=Amilius;107644]
Apple used to be very secure on Unix and PowerPC, then went to Intel and now using iOS. Seems like things keep getting more and more diluted and weak. Of course Apple doesn't want to reveal this truth cause that would destroy the myth. So they ploy their users with diversions like Twitter/Facebook integration and Game Center built right into the system to keep the shell game going. So much for security...[/QUOTE] I have an easy solution. Buy an attack dog, and chain the device to the dog, and then not one but three home security systems and attach them to the dog... [URL="http://images.wikia.com/cnc/images/1/1e/RA3_AttackDog1sm.jpg"]this dog[/URL]. Security problem solved. |
Personally, I don't want to see yet-another-passcode option on the device, but at the same time there are a great many other apps that have this [i]option[/i], so I can't see the harm in adding it as an [i]option[/i]. I don't bother with passcode locks on [i]anything[/i] -- even things like Mint, Evernote and Dropbox, which in some cases [i]do[/i] have considerably more sensitive data, as i rely on my on-device passcode lock and remote wipe capabilities.
OmniFocus is actually the least of my worries... I have used it for confidential/NDA projects in the past, but the reality is that there's an easy way around that problem for me -- the [i]tasks[/i] are rarely confidential to the point where it matters what's in OmniFocus. I don't store documents or photos in there, and in those few cases where I"ve been working on something that I might be under a legal or contractual obligation to keep confidential, I simply word my tasks carefully, since all they need to be is a reminder to jog out information that should already be in my head. It's also worth keeping in mind that the idea that data on the device is already encrypted is technically correct, but is actually a fallacy from a privacy and data protection point of view. The standard hardware encryption in iOS exists to support a fast remote wipe and can otherwise be easily overcome with most simple jailbreak tools that bypass the password. [i]Data Protection[/i] is another story, but an app has to specifically enable that, and OmniFocus doesn't. So the bottom line is that a passcode lock on OmniFocus would protect you against casual intrusion, but only Data Protection or Omni's own encryption algorithms are going to do you any good in terms of actually protecting your data. |
That's an excellent point about the tasks themselves often not being sensitive information, even though they may deal with sensitive material.
If you store the project reference data in something like DevonThink To Go, you skip the part about sensitive data going to someone else's server, but still can have links to it embedded in OmniFocus that will sync successfully. You still need to secure the device, of course, but you don't have to worry about theft of the data from someone else's server. |
| All times are GMT -8. The time now is 07:41 AM. |
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.