Wuala: Secure Cloud Storage (wuala.com)
I am evaluating this cloud service since yesterday, and it looks promising so far. Since data are not stored un-encrypted on the company servers, it means that there is not a web access to files, but I am not missing this feature that much. Real-time syncing works fine, although it seems to be a bit slower comparing to Dropbox.
203 comments
[ 2.9 ms ] story [ 233 ms ] thread> Make sure Java [...] is installed.
:C
The only thing that one can be suspicious is whether they are transferring your key or not. But, at least they claim your data is safe and encrypted, while Dropbox, GDrive and similar services don't even pretend that they encrypt your data.
However, would still love to see an open source product like this that I can truly trust.
would it make you happier if they kept their services the same, but just pretended to introduce encryption? ;-)
> would it make you happier if they kept their services the same, but just pretended to introduce encryption? ;-)
No it wouldn't. What I wanted to say is that Wuala at least claims that they do client side encryption. I believe them, but someone else doesn't have to. So, data being safe with Wuala has probability between 0-100%, while data being safe with Dropbox has probability of 0.
It's an offline application that runs on your computer that is transparent to your actions. You just use the drive BC mounts instead of where Dropbox tells you to use, the rest automatic.
It's not Wuala's fault, but forcing me to put java back on my desktop is a big hurdle. It's going to take an absolutely amazing piece of software to make me deal with that horrendous bug-ridden security hole again.
But I don't see how the desktop runtime is a security hole (you're running binaries you trust outside a sandbox) and I very much doubt it's any more buggy than your average Python, Ruby, Node.js, etc. runtime. Or, for that matter, your average native library.
In the end, IMHO, the only software which can be trusted is the FOSS. From this perspective Dropbox is good: the client is open source. Of course nothing is encrypted in there.
Still, FOSS solutions are indeed better from a security perspective.
On the first I was like "ops, said bullshit"... but actually it seems like it's GPL.
For anyone curious about the technology behind here is an early tech talk from one of the founders. It may be a little bit outdated now but still interesting: http://www.youtube.com/watch?v=3xKZ4KGkQY8
(No, I'm not connected to Wuala in any way, I don't even use the service myself, but as an alternative to Dropbox I think its a good one.)
I'm still looking for a locally encrypted Dropbox-alternative. So if any of you are making one, please speak up :)
(Edit) I should specify that it was the user experience that made me give up on Wuala, and any proper Dropbox alternative would need to offer at least decent user experience. Looking forward to trying the alternatives you are suggesting :)
If you want to host it yourself there's Seafile but I haven't seen any in-depth review of it and it's Chinese-based (if that's a problem [for you]).
Bittorrent's Sync almost gets there, but isn't open source. I haven't really looked at it, but ownCloud might do what I want.
I'd like to know more about this. Working on a encrypted FOSS alternative to conventional storage would totally be a perfect side project
Then it also seems to do a full scan of teh entire folder each time it sync's, if you then have for example your iPhoto library (usually a few GBs) there, the sync process will consume lots of CPU and tend to be out of date across devices.
Wouldn't that be nice?
At this point: gpg keys shared among chains of trust. Need the file X? DHT consulted says the file is stored in accounts Y, Z and W (plus at your home - we don't want users to kill our files, right?). Take the file, decrypt it.
You can do this on Linux (and presumably OS X, as well) fairly easily.
On Windows, there is a single-developer port of EncFS, which from what I've heard works fairly well: http://members.ferrara.linux.it/freddy77/encfs.html
A quick search turns up a guide which (at first glance) seems fairly comprehensive on how to set this up if you're unfamiliar with the way EncFS works: http://www.howtogeek.com/121737/how-to-encrypt-cloud-storage...
With that said, if you're worried about any highly confidential data, potential for watermarking attacks or plausible deniability, this is not the right solution for you.
If you're looking for a way to protect your data from dragnet surveillance, your provider, or low-level law enforcement interception, this is a great drop-in solution.
I'd say the real world risk of this is (fairly) low, however if you're legitimately worried about it, you can use EncFS over a network share or FUSE file system, to your own systems. In which case you'd be using entirely open source software.
If you're that worried about security though, you'd probably be better off using a container based encryption method, anyway, as it wouldn't leak timestamps, file sizes and other data which could be sensitive. EncFS has some known issues with metadata leaking, but it's a decent solution for most general use cases.
Of course, just like web servers, the server implementation and hardware it runs on has a lot to do with it. One of our top development priorities is building a very robust, scalable self-hostable server implementation to power apps like file sync and even more demanding applications.
Currently not. Opening the source code of Wuala would consume quite some time and effort, and commitment to maintain it. If you are a software engineer and would like to see how Wuala works, feel free to apply for a job at Wuala."""
ಠ_ಠ So.. an alternative, but not the solution we need.
A non-answer if I've ever seen one.
What about someone who applies for a job at Wuala, gets rejected, but still wants to look at the source code?
I don't think that I will be able to trust secure trough obscurity solution.
Unless you host the data yourself, if you don't trust Wuala there is no guarantee the binaries you use are built from the source code you have.
Technically if the client is not sending not encrypted data and encrypts without a foul, then nothing they can do on the server-side can cause leaking your data.
Through auto updates you can make sure that you get the backdoored version or you can have an exploit within the software to allow "silent" remote updates (good luck finding that).
So well... Either you do it end to end, or you trust the third party.
Furthermore, for the software to be able to even auto-update, it would have to be able to change its own binary. I don’t know how this particular piece of software works, but it is possible to run FUSE ‘drivers’ as a user on Linux, with the binary safely sitting in /usr/bin, hence removing any possibility to auto-update (if you don’t do shady tricks like placing an ‘updated’ binary somewhere and changing the user’s PATH – and even that could – in theory – be avoided by mounting all user-writeable things noexec).
> The package installs Wuala and registers our repository for further updates.
This is even more harmful that it sounds, as someone who has repo access (be it some evil staff member or, more possibly, inturder) may push not only malicious Wuala build, but any package with higher version number than in other repos (say, a linux-image-999.999 with a bundled rootkit) and if user was incautious it will be installed on system update.
[1] http://www.debian.org/security/2008/dsa-1571
Completely agree. We need 100% opensource client-side encryption tools.
And at least in this space (cloud backup), we already have it, thanks to HN's own cperciva:
http://www.tarsnap.com/
To secure my data, I just use BoxCryptor. It creates an encrypted volume within my Dropbox. It is free for non commercial use.
One advantage is that there's no third-party storage of data involved.
When push comes to shove, governments everywhere will have no qualms about invading people's privacies en masse.
Human nature is the same everywhere. Power corrupts everywhere.
When power is centralized corruption effects are worse, exactly like when software is centralized failure effects are worse. Distribution is the answer. Distribute power, in a way in which it cannot be exploited.
I'm not an expert in politics, but I guess that communism had this kind of principle, but it totally failed in implementing it.
They should have offered to replace your drive, but no more. Hardly unscrupulousness.
However, you should have backed up your stuff in more than one physical place and never assumed that the disk was entirely reliable.
Buy a quality drive enclosure and a quality hard disk, put them together yourself and make sure you have a half decent backup strategy.
Edit, 4 years 10 months. Lacie merge in 2010
Hard drives and other storage mediums fail all the time, this is not hyperbole, these devices are not designed for 100% ever. The companies work on the assumption that if they fail they will offer a replacement within warrenty, but expecting to get data recovery for free is not reasonable.
If I was you I would spend a thousand dollars on getting the data off and never making the mistake of keeping important data on 1 storage medium again. Whenever I meet someone who has all their precious data on 1 device like this I tell them that you might as well just throw all that data away now, thats how much you care about it.
Sorry if it hurts dude, just spend the money to have the platters recovered individually and never make the mistake again.
Another annoyance is that you cannot change the size of a drive after you create it [1] and it doesn't shrink to fit the data either.
[1] http://www.truecrypt.org/docs/?s=issues-and-limitations
> The ciphertext block size used by TrueCrypt is 16 bytes (i.e., 128 bits).
Meaning one bitflip should only sync 16 bytes since dropbox only transmits deltas. Of course this now depends on dropbox' delta sync implementation.
From a quick google search [1]:
> For what it's worth, Dropbox claims to create hashes on every 4MB of each file. That way, if you change a contiguous 2MB of a 100MB file, it will likely only need to upload 4MB (or 8MB if you cross into a second 4MB block) to re-sync the file.
So worst case if a bitflip happens to change a truecrypt block that doesn't align with dropbox' chunks you're looking at around 8MiB. That's still quite an amout for a bitflip but i think it's feasible with todays connection speeds.
[0] http://www.truecrypt.org/faq
[1] http://serverfault.com/questions/52861/how-does-dropbox-vers...
This isn't security, it's security by obscurity - in the best case, mind you.
Could you provide a link to those hints, please?
But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”
Some purported info about data protection for Switzerland:
http://www.dataprotection.ch/en/disclosing-personal-data.asp
> Restrictions on disclosure
The DPA does not permit the disclosure of sensitive data or personality profiles to third parties without lawful justification. The consent of the data subject can constitute a lawful justification. Breach of this prohibition is an offence if knowledge of the sensitive data has been gathered in the course of a professional activity requiring knowledge of such data and can be punished by a fine of up to CHF 10'000.--. If the fine is not paid, it can be replaced by imprisonment for up to 3 months.
And Wuala's own policy: http://www.wuala.com/en/about/privacy
> 6. Disclosure to third parties
Basically, your data is not transmitted to third parties. However, LaCie may release personal data if the law requires it to do so or in the good-faith belief that such action is necessary to comply with any laws or respond to a court order, subpoena, or search warrant or to protect LaCie's rights and interests. Furthermore, you expressly agree that LaCie can disclose personal data to identified third parties (e.g. owners of intellectual property rights) and/or government enforcement bodies in order to enforce the General terms and conditions, particularly in case of founded indications that the laws or the rights of a user or of third parties, particularly copyrights, other industrial property rights or personal rights, have been violated , insofar as such is necessary.
Isn't that one of those entirely vacuous sentences. Basically they have a disclaimer there that so long as it's in their interests to release it they can. So offer some money, "oh yes we're inclined to make money here's the data".
http://labs.bittorrent.com/experiments/sync.html
First, this is how Wuala works: You as an user place a file in the client. The file gets encrypted (including using your password and username) and then gets uploaded and split into different pieces. We are currently using AES-256 for encryption (and RSA 2048 fpr signature and key exchange when sharing a folder and SHA-256 for integrity checks). The password does NOT get transmitted and there is nothing like a master key or similar. That means in worst ever case if someone would have access to our servers somehow, they'd get a piece of encrypted data which is not readable and not decryptable (not even for us as the provider.
Secondly, some people tend to confuse security with anonymity. Wuala is secure, but how about anonymity? We have your email address, your username and we know how much storage space you have. As you see, that is not anonymous, but has nothing to do with the security of your files.
Are we planning to open source the code? Eventually yes, but as we already stated, this takes a lot of time and effort. Oh and yes, we are nice guys. Not because we're Swiss, but in general :)