Last week Bloomberg Businessweek published an article named The Big Hack. The authors claim that testers have found a tiny microchip on server mainboards that wasn’t part of the original designs:
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
These servers are used by many companies including Apple and Amazon. Apple forcefully denies that they found any signs of these chips on the servers they use and so does Amazon. The US Department of Homeland Security has no doubt in Apple’s and Amazon’s statements.
This whole story might or might not be true. But it’s at least conceivable. Why shouldn’t any serious secret service try to bribe people at the manufacturing facilities to add something to the boards or exchange one of the chips with their own, “extended” variant? Would the company that ordered the devices notice in their random checks if something very tiny changed? Or that a chip that works as expected does more than it should?
We at DEVONtechnologies fully trust Apple and Amazon in their intentions. They have no intrinsic interest in your or our data because they sell devices, storage space, and CPU time for money, not ads. And both companies have high security standards. However, that does not mean that they couldn’t get hacked, by software, by bribing their employees, or with tampered hardware. And then there are also bugs that can leak data unintentionally.
That’s why DEVONthink’s synchronization encrypts all data it uploads to servers when you’ve set an encryption key. All data is secured with strong AES 256 bit encryption before it leaves your Mac, iPad, or iPhone. And it’s not being decrypted before it reaches the other device you’re synchronizing the databases with. Even if someone has compromised the data center where your data is stored or any server inbetween, none of your documents would be exposed.
If you haven’t set up your synchronization with an encryption key (you can check in the sync settings) and you sync your databases over services out of your control we highly recommend that you remove your sync store and create a new one with an appropriately strong encryption key.
P.S. If your computer itself was tampered with, this wouldn’t help, of course. But then the only thing that would help would be going back to pen and paper.