Oh, these are the guys that are confused about XTS mode[1], thinking it was designed for protecting "bulk data". See my wonderful exchange with them on Twitter:
Yikes. If you're going to accuse everyone around you of being snakeoil salesmen, you probably shouldn't defend the fidelity of your own stuff by insulting the skeptics.
Bindshells are shells that are bound to a port, see Wiki for a brief explanation[1]. Basically, without authentication you have no way of knowing that the `ls` you backed up is the same `ls` you get back out. If your remote backup is compromised and uses XTS, it's possible for someone to own you by replacing an oft-used binary that, when run, gives them a remote shell.
On the other hand, if the attacker needs to create the connection, the shellcode is called a bindshell because the shellcode binds to a certain port on which the attacker can connect to control it.
It's in Niels Ferguson's public comments to NIST regarding XTS-AES and storage that's not on physical hardware. tptacek explained in his comments how this attack works, if you search for them: https://news.ycombinator.com/item?id=7675698#up_7676864
This service, if I remember, encrypts files/containers with user keys, then they encrypt it again on their cloud backup with their key, so it's not an encrypted backup sitting on a Dropbox server. Of course, you have to trust their keys won't be stolen by somebody wanting those XTS-AES encrypted backups.
ls is a file listing in Unix/Linux. A 'bindshell' would essentially open a telnet port that goes directly into a command-line shell. So, if your system was attacked, you might (since it's the most often typed command) use the 'ls' command to list your files. When you do that, you also open a shell on a specific port on your computer that has root access.
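The comments above come down to one point: XTS gives you no way to tell on restore whether the ciphertext you get back is what you stored. As an added example (not Cyphertite's code, and not from anyone in this thread), the following Python layers an HMAC over already-encrypted chunks, binding each tag to the chunk's position and to a backup generation counter, so that modification, relocation and rollback of stored ciphertext are all detected on restore; the rollback case goes beyond the `ls` example in the comments. The key, the "ciphertext" chunks and the generation numbers are constructed values.

```python
import hashlib, hmac, struct

TAG_LEN = 32  # HMAC-SHA256 output length

def _tag(key: bytes, generation: int, index: int, chunk: bytes) -> bytes:
    # Cover the backup generation, the chunk's position and its length, so a
    # valid tag cannot be replayed at another position or from an older snapshot.
    header = struct.pack(">QQQ", generation, index, len(chunk))
    return hmac.new(key, header + chunk, hashlib.sha256).digest()

def seal_backup(key: bytes, generation: int, chunks: list) -> list:
    """Append a tag to each already-encrypted chunk before upload."""
    return [c + _tag(key, generation, i, c) for i, c in enumerate(chunks)]

def open_backup(key: bytes, generation: int, records: list) -> list:
    """Verify every record on restore; raise ValueError on any tampering."""
    chunks = []
    for i, rec in enumerate(records):
        if len(rec) < TAG_LEN:
            raise ValueError(f"chunk {i}: truncated")
        chunk, tag = rec[:-TAG_LEN], rec[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, generation, i, chunk)):
            raise ValueError(f"chunk {i}: authentication failed")
        chunks.append(chunk)
    return chunks

def restore_ok(key: bytes, generation: int, records: list) -> bool:
    try:
        open_backup(key, generation, records)
        return True
    except ValueError:
        return False

# Constructed sample data: the "ciphertext" is opaque filler standing in for
# XTS output, and the key is a fixed test value (a real one comes from a KDF).
KEY = b"\x01" * 32
GEN1 = [b"xts-sector-%d" % i for i in range(4)]
GEN2 = GEN1[:3] + [b"xts-sector-3-rewritten"]

def demo() -> dict:
    """Which storage-side manipulations would a restore accept?"""
    stored1, stored2 = seal_backup(KEY, 1, GEN1), seal_backup(KEY, 2, GEN2)
    flipped = list(stored1)                            # one ciphertext bit altered
    flipped[2] = bytes([flipped[2][0] ^ 0x01]) + flipped[2][1:]
    swapped = [stored1[1], stored1[0]] + stored1[2:]   # two sectors exchanged
    rolled = stored2[:3] + [stored1[3]]                # sector 3 reverted to gen 1
    return {"intact": restore_ok(KEY, 1, stored1), "bit_flip": restore_ok(KEY, 1, flipped),
            "swap": restore_ok(KEY, 1, swapped), "rollback": restore_ok(KEY, 2, rolled)}
```

The generation counter only helps if the client keeps the current value somewhere the storage provider cannot rewrite, and the HMAC key has to stay with the client just like the XTS key does.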
There are a few reasons why many people would not (or should not) use Cyphertite:
* It's been such a long time in development and there's still no client for OS X. Building from source should be an option, not the only way, if this is ever meant for mass adoption.
* There's no information about accessing backup files from mobile devices.
* Most importantly, unless you have more than 100GB of data to back up, you're better off with the premium plan (enterprise segment) than the expensive personal plan where you would get a lot less in return.[1] I had pointed this out to them a year or two ago, but there's been no change and this structure does not make sense for the section of home users who may have only a few tens of GBs to back up.
I didn't see an Open Source license listed anywhere on the website, so I downloaded the client to verify. Looks like Cyphertite uses the ISC license, an all-permissive Open Source license.
https://twitter.com/Cyphertite/status/450616668126203904
https://twitter.com/Cyphertite/status/450616106001399808
which ended up with them calling me "some jerk on twitter who has nothing better to do than talk shit".
https://twitter.com/Cyphertite/status/450623654288969728
—
[1] See tptacek's post explaining XTS: http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/