36 comments

[ 1.6 ms ] story [ 84.6 ms ] thread
How does it work? Who is hosting the data and what incentive do they have for storing and serving unlimited amounts of your private data?
Simply put, it works like this: -Check the file or folder you want to send -Compress it, if it is needed and wise -Split and Encrypt with advanced standards -Give you an optional choice to add a heavy layer of password protection -Give you a nice link to share -Upload the parts, in the meantime, the receiver can get the file as you upload them

We are using a Gaia provider, and give users a limited 512MB per file plan, that should cover most of the daily uses. But, you can make your own provider and set it at sign up, then all the files will be uploaded on that provider, and no files, key, or metadata will touch our servers. Also, PLUS plan is on the way.

Why blockchain? Because there's one FAQ that you're obviously missing: "How do I delete a compromised/accidentally-uploaded file?" and I suspect it's because the answer is "You can't."

This would be the last place I'd upload anything important. Once that URL/password get out, whatever "secure" file I've uploaded is exposed forever.

> Once that URL/password get out, whatever "secure" file I've uploaded is exposed forever.

That is true even if you can delete the uploaded file. Once someone else has seen it you no longer control distribution.

That said, you are right to distrust file transfer services by default. They are in a position to mess with you in many ways.

I'd say the primary use case is data which you want to keep public forever. Such as your legacy before you pass away (it is pay once, host forever, right?). Such as an encrypted insurance file for Mr. Assange. I can also imagine this would be interesting for copyright infringement (eventually with spliced files; e.g. with RAR .rar .r01 r02 etc), or for an activism, or whistle-blower. I suppose though that once that 'blockchain' has a too bad ratio of 'morally bankrupt content' (that'd be our jurisdiction's definition) it'd just be forced to closed down the hard way.
In that case, that should be part of the selling point of the service. If it were pitched like that, I wouldn't have even considered "can't delete it" as an objection as I did, more as a strength.
Agreed. Without that selling point then I'd say for all non-sensitive content, the cross-platform (Python) magic-wormhole [1] should suffice.

[1] https://github.com/warner/magic-wormhole

It seems a nice project, but BlackHole point is to give nontechnical people a hassle-free way to send file without sacrificing privacy.
Speaking of did anything happen with all those insurance files he posted during his exile/asylum in the embassy? Were the conditions extradition or did nothing ever come of them.
Yes Fnoord, this is one potential use case but not the primary one. Our focus is on giving people an EASY and SECURE way to send their file to each other. Most other services out there are easy to use but not secure or private, or very secure, but you need to be a semi developer to use them. If anyone shares their file publicly, it will be their responsibility.
https://send.firefox.com/ is probably the easiest way to securely send a file that I can think of off the top of my head. You don't need to be a developer, and the file is automatically deleted after a period of time.

With a file stored on the blockchain, I remain continuously and permanently vulnerable to a data breach or any other loss of secrecy control. The moment that link/password combo is compromised, that file is permanently public.

Now, you could argue that the moment a file is briefly public, it can be downloaded and thus is outside of your control anyway, and you'd be correct. But the case I'm more specifically thinking of is trying to send a large, reasonably secret file through email. You can't attack 1GB to mail, so you upload it somewhere and send the email with the url/password.

If you use Firefox Send, that file gets to its recipient, and then shortly thereafter, the link becomes invalid. If I use this service, that link stays valid forever. If my company's email archive is then later exfiltrated by a hacker or disgruntled employee, that secure file in the first case remains secure. In the second case, it's now compromised.

This doesn't invalidate certain uses of your service, but to not mention anywhere on your site that uploaded files will remain available irrevocably and forever is negligent.

All the files will be split and encrypted, then uploaded to a random hub on your provider of choice. Of course, we provide a free provider. No matter what provider, all files will be encrypted before leaving your machine. About delete, as the name suggests, we don't have control on your file, we will encrypt it, give you the key, and then send it, like a very secure post.
Cool. Congrats on the launch. What's plus going to cost?
"We're sorry but web doesn't work properly without JavaScript enabled. Please enable it to continue."

This appears to be a static content site after I enabled JS. Why can't the site display static content without JS?

Because it's done in a JS framework without server side rendering.
"server side rendering", cool, I was doing that in 1995
What is a better alternative to server side rendering?
I think he's more referring to the fact that we were already at a point where it was normal to do server side rendering. Now it's an add-on that the JS framework may support (https://vuejs.org/v2/guide/ssr.html).
What blockchain does it run on? How is it free? Who's paying the blockchain transaction fees?
It's freemium. It's free for files up to 512MB.
Bitcoin. It uses Blockstack DNS made on Bitcoin blockchain to give decentralized access to anyone. The PLUS plan is on the way.
You can have your own private web-based file transfer server in maybe around 100 lines of PHP where you have total control over file expiry and no need to trust any third parties except perhaps your VPS provider. If you need more secure than that, courier an encrypted thumb drive or something.
I can't tell if this is a reference to the infamous Dropbox reply or not.
What is the infamous Dropbox reply? Are you talking about the Steve Jobs thing?
Specifically this part from the linked profile:

"For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software."

Probably not, this might to push blockstack's possible ico.
As I point out earlier, BlackHole goal is to give you a hassle free way to send your file in a private way. Many many users cannot and do not want to make their own service. Also, BlackHole has many layers of security and a nice interface to work with. For pro users, we are making a cool CLI version. Also, you can use your own Gaia provider at signup, and all the files will be uploaded there.
Ugh. What a dismal experience trying to try this on my Darwin machine. I felt like I'm running into constant bait and switch moments.

> App added an icon to my menu bar and has no clickable menu to close it.

> The app opens up asking for a Blockstack login... no mention of this on the website. I have one but are typically people supposed to sign up for something seemingly unrelated?

> The 'x' button on the app minimizes it instead of closes it.

> The only way I figured out how to actually close it was by killing the process from the command line.

Do you normally just install whatever you find on the internet, or are modern os secure enough?
It's no big deal if you sling around vms.
Sorry for hearing that. You mentioned really good points here. Please contact us from our website so we can work on problems you faced, and get you early access to new versions. We appreciate your help.
This service will be used by people who have a sexual interest in children to share images of child sexual abuse.

What processes do you have in place when law enforcement approach you for information?

We do not store any info from the users, except authentication info getting at signup that Blockstack needs. BlackHole is not a social network or sharing service internally, see it like a secure post or a flash drive, whoever use it or post it publicly owns the responsibility, and where the links are shared, could be controlled.