Serious Business FLAW for BOTH Devonthinks (Pro & Std ve

THE GOOD NEWS: BOTH versions of DEVONthink (Pro & Std) are a must-have general purpose software program of the present and the future. Great work guys!

THE FLAW: Let’s face it, in today’s world to keep all your work in an unsecure program like DEVONthink is “unrealistic”. Unless you have some kind of encryption capability to lock BOTH your Files AND Folders, DEVONthink will always be “weak in comparison to any competitors” (both present and future). Given the times that we live in, to think no one will ever try to break into your files and folders leaves you living in a fantasy world.

In the real world of today you need at least (at the very minimum) an encryption capability of either 448-bit Blowfish or 256-bit AES to protect BOTH your files AND folders.

It’s time to wake up to the reality of the business world guys.

  • Russell

What the hell are you talking about?

If you want security, you have a couple options already:

  1. Use FileVault. Done.

  2. Create an encrypted disk image, and store all your DEVONthink databases there. Done.

Why should the database itself do the encryption? That’s silly. “Wake up to the business world?” Sheesh.

Yikes. Well…

Some of us are quite aware of potential issues with data vulnerability yet consciously choose not to (over)react with fear and mistrust about it. Life’s too short to live in that sort of “fantasy world”… mine’s just fine, thanks.

Russell:

You are making a point that is valid and important for several classes of users, including business, governmental and law enforcement users. Business users must worry about such information as customer lists and history, financial information, product details and plans, strategic plans and so on. “Routine” email and correspondence may contain information of interest to competitors. Governmental and law enforcement personnel often handle confidential data ranging from information with national security concerns to the privacy rights of individuals. Such information must be protected, sometimes against very determined intruders.

Journalists may have source information they wish to protect, as well as notes they would prefer their colleagues not view. Almost everyone has information they would like to protect, such as bank account numbers and passwords, credit card numbers, etc.

Looking back, I can count three times I’ve had on a computer information with national security implications, two occasions involving criminal investigations, and numerous cases involving highly sensitive information on settlement agreement negotiations for hazardous waste cleanups (potentially in the hundreds of millions of dollars) and negotiations on public bond issues (totaling a quarter of a billion dollars). Obviously, I didn’t want such information to get into the wrong hands.

Data security precautions start with physical protection of computers and media. For sensitive information, hold onto your laptop and store removable or backup media in a safe.

Minimize intrusion potential on networks and the Internet. Use a firewall, for example. Above all, use a Mac. :)

Passwords and data encryption are commonly used methods of protecting sensitive data. There’s a wide range of ‘robustness’ in such protection measures.

But one of my former graduate students, a Secret Service agent, has told me that most successful information thefts involve human engineering. Granted that data is protected, the intruder cons someone into giving him the encryption password, takes advantage of human frailties in devising passwords, or is working from inside the organization. (So much for encryption robustness!)

So, where do DEVONthink and DEVONthink Pro currently stand on data security issues?

These applications provide a simple password protection for users who want to protect their database from normal levels of intrusion, such as prying by a visitor or the guy in the next cubicle. But a knowledgeable intruder could find that password on your computer and open your database. (And DEVONtechnologies Support can help you get your data back if you forget your password!) I read the forums of other applications occasionally, and I’m constantly amused by the tales of woe from people who have password protected their information, forgotten the password, and can’t recover their data. For most users who want some level of security, a ‘hidden’ but recoverable password scheme is probably quite reasonable.

Are high-level security provisions for DT and DT Pro databases available to those who need additional data protection (or for the truly paranoid)? Sure.

First, Apple provides FileVault security in OS X. You can turn it on and provide 128-bit encryption for your Home directory, and of course include your databases there. But remember Apple’s caveat: “WARNING: If you turn on FileVault and then forget both your login password and your master password, you will not be able to log in to your account and your data will be lost forever.” That’s reasonably good security – if you don’t let someone con you out of the passwords, or let him figure out that you used your dog’s name and your wife’s name as the passwords.

Or (or even on top of FileVault) you could store your database in an encrypted disk image. Even higher levels of encryption can be available this way. (But the proviso remains about forgetting passwords or using passwords that an intruder can obtain from you or figure out. And if you forget them, whoosh goes your information; it’s gone.)

And on top of that there are utilities that will password-protect your computer (desktop or laptop) in such a way that the computer can’t be started up without the proper password, even from removable media or in target disk mode. Forget that password and your computer becomes a doorstop. (Unless a good human engineer can figure out your password!)

So the short answer is that DEVONthink and DEVONthink Pro databases can be run under very high levels of security for those who may need to do this. (There are still other operational procedures that I haven’t discussed concerning true data security, even with very high level encryption, that could render the encryption scheme useless if not followed.)

DEVONtechnologies will be developing an enterprise edition of DEVONthink. Data security provisions will be considered for user needs.

Personally, I don’t use passwords or data encryption. I don’t have sensitive information, my credit cards and bank accounts have fraud protection (I’m more worried about restaurant waiters than hackers at the moment), and I don’t have child pornography photos on my computer.

Hope this helps.
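Both replies above point to the same practical answer: keep the DEVONthink database inside an encrypted disk image rather than relying on the application's own password. The script below is an added example, not code from the thread or from DEVONtechnologies. It uses the macOS `hdiutil` tool to create an AES-256 encrypted sparse bundle, attach it, and detach it; the function names, the volume name `DTSecure` and the image path are assumptions made for the example. The passphrase is fed over stdin so it does not land in the shell history or the process list.

```shell
#!/bin/sh
# Added example (not from the forum thread): keep DEVONthink databases in an
# AES-256 encrypted sparse bundle managed with macOS hdiutil.
# Assumptions: macOS with hdiutil; the DEVONthink database is moved into the
# mounted volume once, and opened from there afterwards.

set -eu

# Mount point hdiutil uses for a volume name (helper constructed for this example).
dt_mount_point() {
    printf '/Volumes/%s\n' "$1"
}

# Reject volume names that would not form a sane mount point.
dt_valid_volname() {
    case "$1" in
        ''|*/*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create an encrypted, growable sparse bundle.
# The passphrase is read from stdin (-stdinpass) rather than passed as an argument.
# Feed it without a trailing newline (printf '%s') and use the same method for
# attach, because hdiutil takes the piped bytes literally.
dt_image_create() {
    image=$1; volname=$2; size=${3:-2g}
    dt_valid_volname "$volname" || { echo "bad volume name: $volname" >&2; return 1; }
    hdiutil create -size "$size" -type SPARSEBUNDLE -fs HFS+J \
        -encryption AES-256 -stdinpass -volname "$volname" "$image"
}

# Attach the image; -nobrowse keeps the volume out of the Finder sidebar.
dt_image_attach() {
    hdiutil attach -stdinpass -nobrowse "$1"
}

# Detach by volume name so the database is locked again when not in use.
dt_image_detach() {
    hdiutil detach "$(dt_mount_point "$1")"
}

# Usage (interactive, on macOS), passphrase via stdin in both steps:
#   printf '%s' "$PASS" | dt_image_create ~/DTSecure.sparsebundle DTSecure 4g
#   printf '%s' "$PASS" | dt_image_attach ~/DTSecure.sparsebundle
#   mv ~/Documents/MyDatabase.dtBase2 "$(dt_mount_point DTSecure)/"
#   dt_image_detach DTSecure
```

The sparse bundle grows as the database grows, and the AES-256 choice matches the minimum the original post asks for. Note that the same caveat the thread raises still applies: the image is only as strong as the passphrase, and a forgotten passphrase makes the database unrecoverable.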