  1. #1
    New Lounger
    Join Date
    Apr 2010
    Location
    Veracruz, Mexico
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Update: Results of a new backup test (26-29/Apr) with Mozy show that everything works fine now.
    -----------------------------------------------

    I think that this is very important and want to share it with the community.

    In the past weeks I tried the Mozy Online Backup and I found two very, very serious problems.

    When I read the documentation provided by a widely used service like this I trust the information given by them; I just discovered that this is dangerous.

    First problem: (the most serious for private/sensitive information):
    On Mozy's web page (and in its executable) they claim that if I use my own password my files are encrypted even before they are transmitted, and neither they nor anyone else without my password has access to my data. (If I lose my password they can't help me.)

    I took several files, I set my own password and then I did a backup to test the service. Then, on another machine I did a restore of my data files.

    Surprise!! After a few hours the restore package was ready to download (an .EXE with the compressed files), and after downloading and executing it all my files were ready on the new machine. But I never typed my password! So if I did not have to enter my password and they can give me an executable with all my files ... they have access to my files unencrypted.

    (To clarify, I'm talking about the password to encrypt the files, not the password used to enter the Mozy account, and I never wrote this password on the second machine at any time before)

    Second problem: (also very serious)
    My test consisted of about 10k files (1.6 GB of data). After the restore I binary-compared the files and found 20 files with garbage. (Unpacked and compared twice.) So the backups with Mozy are not binary-exact; be careful if your information is more than photos, music or homework (and you're OK with a little garbage in some of your files in case of a restore). If your backup consists of financial data, executables or important information (that cannot accept any garbage), stay away from Mozy.

    If you currently use Mozy then you can test this and see it for yourself.

    Best Regards

  2. #2
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,577
    Thanks
    5
    Thanked 1,057 Times in 926 Posts
    Have you taken this up with Mozy? If so, what was their response?

    Joe

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Did you raise these issues with the vendor to see whether there is an explanation?

    Is it possible the 20 scrambled files were encrypted, but not the others?

  4. #4
    New Lounger
    Join Date
    Apr 2010
    Location
    Veracruz, Mexico
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by JoeP View Post
    Have you taken this up with Mozy? If so, what was their response?

    Joe
    I first discovered problem #2 and talked to them (email); the person had no idea what a binary comparison was. After some days and exchanging some emails she transferred me to technical support, but before they contacted me I discovered problem #1 and then I left the whole thing.

    It's common sense: if they can give me my files without my entering my password then they don't need it to see my files, so they lie. I do not care whatever they say after that; I do not trust them any more.

    Quote Originally Posted by jscher2000 View Post
    Did you raise these issues with the vendor to see whether there is an explanation?

    Is it possible the 20 scrambled files were encrypted, but not the others?
    No, my test consisted of a sample of many different files and no file was encrypted before the backup; besides that, the files were randomly altered (some EXEs, some DLLs, some ASCII, etc.).

    If I wanted to back up only photos then I would have no problem; a bit of trash in some pictures does not do much damage, and besides, the great majority of them would be fine. BUT if I want to back up EXEs or financial information... these "small" errors are critical.

    Regards

  5. #5
    New Lounger
    Join Date
    Apr 2010
    Location
    Pleasant Grove, Utah
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I work at Mozy and am happy to help clarify.

    Mozy provides its customers with an option of choosing to use either a Mozy encryption key or to create their own personal encryption key. But it's important to note that an encryption key is different than a password. When you sign up with Mozy, you register with your e-mail and you create a password. We can help you reset your password. But we can't reset your encryption key. That is why we encourage you to keep your personal encryption key in a safe place.

    From what I can tell from reading the thread above, the customer selected a Mozy encryption key to encrypt his data. That is why he was able to decrypt the data without inputting the "password." He wouldn't need to use his password. As I mentioned before, a password is different than an encryption key.

    Feel free to contact me directly at devin@mozy.com for further clarification.

    Devin Knighton
    devin@mozy.com
    www.mozy.com

  6. #6
    New Lounger
    Join Date
    Apr 2010
    Location
    Veracruz, Mexico
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Devin Knighton View Post
    I work at Mozy and am happy to help clarify.

    Mozy provides its customers with an option of choosing to use either a Mozy encryption key or to create their own personal encryption key. But it's important to note that an encryption key is different than a password. When you sign up with Mozy, you register with your e-mail and you create a password. We can help you reset your password. But we can't reset your encryption key. That is why we encourage you to keep your personal encryption key in a safe place.

    From what I can tell from reading the thread above, the customer selected a Mozy encryption key to encrypt his data. That is why he was able to decrypt the data without inputting the "password." He wouldn't need to use his password. As I mentioned before, a password is different than an encryption key.
    ...
    Hi Devin

    No, I clearly mentioned that I was talking about the Encryption Key (although in my post I referred to it as "password to encrypt the files"), and no, I'm 100% certain that I did not use the default Mozy encryption key; I established my own encryption key.

    Quote Originally Posted by Hugo G View Post
    ...
    (To clarify, I'm talking about the password to encrypt the files, not the password used to enter the Mozy account, and I never wrote this password on the second machine at any time before)
    I hope, for the good of your customers, you also check your backup system to be binary-exact (as a backup must be).

    Best regards.

  7. #7
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Devin Knighton View Post
    Mozy provides its customers with an option of choosing to use either a Mozy encryption key or to create their own personal encryption key.
    The online help explains:
    Mozy gives you the ability to select your data's encryption method: a Mozy key with 448-bit Blowfish encryption or your own private key with 256-bit AES encryption. Your files are encrypted on your computer using the key of your choice, and then transferred to the Mozy servers using 128-bit SSL encryption, the industry standard for safe and secure data transfer. Please note that if you select to use your own private key, it is impossible for Mozy to decrypt your data, so you must be very careful not to lose it.
    Source: Mozy Help: How do I know that my data is safe and secure?

    Quote Originally Posted by Devin Knighton View Post
    From what I can tell from reading the thread above, the customer selected a Mozy encryption key to encrypt his data. That is why he was able to decrypt the data without inputting the "password." He wouldn't need to use his password. As I mentioned before, a password is different than an encryption key.
    Presumably the user would need his Mozy account password to get into his account on the server to generate his web restore file. But what you seem to be saying is that the restore file either is not encrypted, or it contains the necessary credentials to decrypt its contents on the target machine. In that scenario, the user's protection would be that the encoded URL for downloading the restore file is impossible to guess in a reasonable amount of time (it is available on the web for a limited period).

    If the user wants to avoid having an unencrypted restore file hanging out on the web for download, would the two options be:

    (1) Use a personal encryption key; or
    (2) First install the Mozy client software on the target machine and then use its restore feature to retrieve the files?

    Thanks for participating in this thread.

  8. #8
    New Lounger
    Join Date
    Apr 2010
    Location
    Veracruz, Mexico
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Hi

    Quote Originally Posted by jscher2000 View Post
    Presumably the user would need his Mozy account password to get into his account on the server to generate his web restore file. But what you seem to be saying is that the restore file either is not encrypted, or it contains the necessary credentials to decrypt its contents on the target machine. In that scenario, the user's protection would be that the encoded URL for downloading the restore file is impossible to guess in a reasonable amount of time (it is available on the web for a limited period).

    If the user wants to avoid having an unencrypted restore file hanging out on the web for download, would the two options be:
    (About your last line) This has nothing to do with the problems mentioned; I understand that situation perfectly.

    Quote Originally Posted by jscher2000 View Post
    (1) Use a personal encryption key; or
    For the test I used a personal encryption key; I'm 100% sure about this.

    Quote Originally Posted by jscher2000 View Post
    (2) First install the Mozy client software on the target machine and then use its restore feature to retrieve the files?
    You enter your Mozy account and ask for a restore, wait some hours and then download an EXE file with all your data (compressed, NOT encrypted).

    A graphical example of the problem:
    1) On machine 1 you have SOME.TXT with the text "ABC" inside.
    2) Install Mozy. Your password to your Mozy account is "X1"
    3) Set your Personal Encryption Key to "STRONGKEY" and back up your file SOME.TXT

    Then, on ANOTHER machine:
    4) Enter your Mozy account with your password "X1"
    5) Ask for a restore
    6) Download "restore_2010_02_10_09_12_9828465.exe"
    7) Execute the file, and then you get SOME.TXT with "ABC" inside.
    NOTE: I NEVER used "STRONGKEY" on this second machine... then, how do I get SOME.TXT if it is supposedly encrypted??????

    The point is that they say that when you use a Personal Encryption Key the information is sent encrypted and nobody can see it, not even they, but if I do not need to write "STRONGKEY" at any time to recover my file, they do not need it either.

    Now, about problem 2 (binary comparison): in that situation after the restore you get "A%C" inside SOME.TXT instead of "ABC" (of course just in a small percentage of your files, but for me it is unacceptable anyway and the error was significant).

    I invite Mozy's users to restore your information in a different location and do a binary comparison with the originals to confirm that you can successfully recover your files if necessary (I mean your files with the correct content, not altered). If not your full backup, at least your most important information. And I invite you to share your results. (Of course you must compare static files, not altered since the last backup. Some system files are modified continuously. Your picture and video files are static, or your financial information while you don't enter the corresponding program, also EXCEL and WORD files while not open, etc.)

    Regards
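
The restore-versus-original binary comparison described in the post above, as an added example that is not part of the original thread: it hashes both trees with SHA-256 and separates corrupted, missing and extra files. The `backup_time` cutoff (for files modified after the backup) and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_tree(root):
    """Map each file's path relative to root -> absolute Path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_restore(source_root, restored_root, backup_time=None):
    """Compare a restored tree against its originals, byte for byte (via SHA-256).

    Source files modified after backup_time (epoch seconds) are reported as
    'changed_since_backup', since a difference there says nothing about the backup.
    """
    src, dst = index_tree(source_root), index_tree(restored_root)
    report = {"identical": [], "corrupt": [], "missing": [],
              "extra": sorted(set(dst) - set(src)), "changed_since_backup": []}
    for rel, path in sorted(src.items()):
        if backup_time is not None and path.stat().st_mtime > backup_time:
            report["changed_since_backup"].append(rel)
        elif rel not in dst:
            report["missing"].append(rel)
        elif (path.stat().st_size == dst[rel].stat().st_size
              and sha256_file(path) == sha256_file(dst[rel])):
            report["identical"].append(rel)
        else:
            report["corrupt"].append(rel)
    return report


def demo(backup_time=None):
    """Constructed sample: one intact file, one damaged byte, one lost, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "docs").mkdir(parents=True)
        (dst / "docs").mkdir(parents=True)
        (src / "SOME.TXT").write_bytes(b"ABC")
        (dst / "SOME.TXT").write_bytes(b"A%C")        # same size, one byte altered
        (src / "docs" / "ok.bin").write_bytes(bytes(range(256)))
        (dst / "docs" / "ok.bin").write_bytes(bytes(range(256)))
        (src / "lost.dat").write_bytes(b"x")          # never came back
        (dst / "restore.log").write_bytes(b"log")     # only exists in the restore
        return compare_restore(src, dst, backup_time)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Anything listed under `corrupt` or `missing` is a failed restore; `extra` entries such as a restore log are expected and harmless.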

  9. #9
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Hugo G View Post
    I invite Mozy's users to restore your information in a different location and do a binary comparison with the originals to confirm that you can successfully recover your files if necessary (I mean your files with the correct content, not altered). If not your full backup, at least your most important information. And I invite you to share your results
    I finally got around to creating a free Mozy account and testing with some files. From home, I backed up a folder containing numerous .php (text) files, and a couple subdirectories of .jpg files. I chose to use a "personal" encryption key:

    [attachment=88640:PersonalKey.png]

    This backed up about 316MB of files, which took several hours over a basic DSL connection.

    At the office, I selected one portion of the backup for restoration using an emergency web restore. This generated a download of about 70MB. I unzipped the download and confronted .php files full of unrecognizable characters, and JPG files with no thumbnail and which would not open in an image editor. This is pretty good evidence that the files were encrypted.

    I downloaded the mozydecrypt.exe utility, imported my key from a .dat file saved on my home system, and re-extracted the files in decrypted form. I then ran a binary file compare using WinMerge between the source files and the restored files, and all were identical. (A new log file in the restored set was the only difference.)

    So I would consider this test a complete success.

    Because I backed up a folder that seldom changes, I don't know whether an incremental backup might somehow lead to corruption; perhaps that was a factor in your case, or perhaps there is a problem with the hard drive or the volume shadow service.

  10. #10
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    I just noticed that your download was a .exe file and mine was a .zip file. I wonder why? (I created a new restore to see whether I would get an .exe but again I got a .zip)

    When you pick up your web restore, does it instruct you to download the crypto utility? Perhaps yours was a prepackaged bundle?

    [attachment=88643:WebRestoreAvailableCrypto.png]

  11. #11
    New Lounger
    Join Date
    Apr 2010
    Location
    Veracruz, Mexico
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Hi jscher2000!

    Quote Originally Posted by jscher2000 View Post
    ...
    I downloaded the mozydecrypt.exe utility, imported my key from a .dat file saved on my home system, and re-extracted the files in decrypted form. I then ran a binary file compare using WinMerge between the source files and the restored files, and all were identical. (A new log file in the restored set was the only difference.)

    So I would consider this test a complete success.
    This is new to me; in my test they never mentioned that utility, and it was not necessary (the file was an EXE, not a ZIP). I am sure of what I did, so either there was a bug in my account or they have now corrected the problem (my tests were a month ago); anyway, that's good news for Mozy users (although it would be good to do more binary comparisons with a bigger amount of information).

    Quote Originally Posted by jscher2000 View Post
    Because I backed up a folder that seldom changes, I don't know whether an incremental backup might somehow lead to corruption; perhaps that was a factor in your case, or perhaps there is a problem with the hard drive or the volume shadow service.
    Although I used the incremental backup several times before the test (to check it), the binary comparison problem occurred in many static files, so I think that the incremental backup should not be to blame for the problem in my test.

    Quote Originally Posted by jscher2000 View Post
    I just noticed that your download was a .exe file and mine was a .zip file. I wonder why? (I created a new restore to see whether I would get an .exe but again I got a .zip)

    When you pick up your web restore, does it instruct you to download the crypto utility? Perhaps yours was a prepackaged bundle?
    Mine was an .exe; it never mentioned the crypto utility, and the .exe restored all the files directly.

    I appreciate that you have taken the time to do these tests and I really am glad that your results have been positive.

    I encourage everyone, when you choose your backup system (no matter which one, even local), to do a binary comparison to check that your backup really works. In the past I have encountered this problem several times in programs that make local backups using incremental backup; it is necessary to do tests to make sure you find a good one.

    Thanks jscher2000

  12. #12
    Star Lounger
    Join Date
    Dec 2009
    Posts
    78
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Just want to add my 2p as a long term satisfied user of Mozy.

    Their terminology and interface can be confusing but aside from those two aspects the only serious downside is the first line tech support - they don't appear to have clue one. Once you get transferred to a US rep then you start getting the answers you expect.

    Outside of this I have never had an issue with the use of the account.

    Restores have always been 100% correct and accurate.

    I am happy that the security / encryption on my account is just fine - but aside from this I don't store anything of a sensitive nature anyway.

    And my restores have always been as ZIP files, never an exe - so as you say, maybe something odd with your account.

    As I say, just my 2p worth as a happy user of Mozy.

  13. #13
    New Lounger
    Join Date
    Apr 2010
    Location
    Veracruz, Mexico
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Update:

    I did a new test 26-29/April, 4367 files, 1.7GB, "self encryption key".

    In my test results I found that Mozy is working fine now.

    1) I did a full restore (received in an .exe file)
    2) The restore was encrypted (file by file) and I needed the utility to decrypt it.
    3) In a binary comparison against their originals all files were identical

    So, the problems are now gone.
    Regards
