I do care about dropbox, it's the only cloud system that works well on linux systems . It used to be overpriced but now the pricing is good.
Also Google Drive is terrible on Windows if like me you have a lot of files. One drive is limited to 2GB of file size.
Owncloud is great, and avoids the moral complexities of contributing to a board that includes at least one endorser of torture and warrantless surveillance.
And yes, I will wear my downvotes with pride. We can't always separate our tools from the organizations which produce them, and we should be careful what behaviours we wish to reward, and thereby encourage.
… if you have the knowledge, money and time to manage your Owncloud server in a secure way. Since such configuration includes a more advanced firewall, most users will not have the necessary skills I am afraid …
Focused on Owncloud only, the latest version is indeed great! :)
I have tried Owncloud, but I don't want to host a service myself (I do have the knowledge to do so).
But on average it would cost me more than paying a service. I"m trying to minimize my monthly costs, it's hard to beat 8.25$ for a good server for Owncloud.
I didn't downvote, but it wasn't a productive comment -- it was just snarky and condescending.
I don't think this is front-page worthy of HN, sure, but anytime someone at Google/Dropbox/Apple does so much as pass gas, people around here get excited.
Helping Dropbox grow is arguably the single greatest achievement of YC to date. I think in that light it makes sense that news about Dropbox gets on the front page of news.ycombinator.com.
I don't really care about it, but your comment was worthless and deserved to be downvoted. If you don't care about a story, ignore it. If you think it's wildly inappropriate, flag it. If you feel compelled to share your disdain with others, I recommend Twitter for that.
All I want is to encryptedly back up some directories on my home server, but nothing* really does that. I use SpiderOak at the moment, but it's not OSS.
We currently allow 1.1 PB in a single "namespace" (zpool).
There are non-obvious ways to make a petabyte-sized zpool non-scary ... but even with those employed we still utilize raidz3 and have contingencies for rollbacks.
edit: for obvious reasons, that 1.1 PB number will grow by 50% in the very near future...
It's easy enough to jam enough disks into a rack with these 90disk 4u super micro jbods. The thing that always scared me (ESP with rsync) is how do you get performant metadata for a few billion files? Or even tens of millions.
And raidz3 resilver must be horrible at those densities!
Again. Just curious. Email at jmancuso@expandrive if you feel like chatting. I know we offer a similar product, but we are about to leave zfs for the above concerns. Wouldn't mind sending some business your way.
I can't say one way or another if the client is OSS, but I do know you can run it headless, I've done it before.
IIRC, you need to tweak a non-headless client to direct it to the headless instance (some config file to point to the server vs localhost) and everything works from there.
No OSS linux client, but we do have a closed source one. CrashPlan Does work headless[1], but note that that setup out of the scope for our support team.
No one (almost) needs 1TB... the way they can afford it is they expect most people to use at most a few hundred GB, but with the peace of mind that they could store more
Personal photos and videos I don't want to lose, which are of course backed up to actual backup systems, but I also want access to wherever I am. That's what I need 1TB for.
Indeed, Dropbox can respond to google drive in two ways: (1) drop the price of the existing plan to match google drive or (2) increase the storage to compete on the $/GB/mo rate. Option 2 is much better for them because they can keep all their existing $9.99/mo customers on the same recurring plan even though the vast majority don't need the extra storage anyway.
If you bought it personally (i.e. a B2C sale) you should be fine, but as a warning for any (update: UK based, at least) VAT-registered traders or businesses, you will need to reverse charge the VAT which mostly defeats the point.
Maybe VAT law is different in your country but that is not true in the UK where reverse charging of VAT is required on services where the supplier is "outside the UK" (including outside the EU). Indeed, HMRC's guidance on this includes an example of a US-based Web hosting company providing hosting to a UK business: http://www.hmrc.gov.uk/manuals/vatpossmanual/vatposs14300.ht...
HMRC do note that "the UK applies the reverse charge provisions more widely than elsewhere in the EU", however, and for this I get the joy of having to reverse charge about 50 invoices a quarter for US services (all our hosting, SaaS bills, etc) ;-) For example, if a host in the US bills us $100, we then have to reverse charge $20 converted into GBP at approved rates, then claim the equivalent back.. so the net position is zero but it has to be accounted for (holds head in hands and rocks back and forth).
^ to peter
[edited] Aha, just checked with my accountant and that is indeed the case, it is a net zero operation. Still doesn't matter for the $ / € story though.
It's weird because it doesn't really say anywhere, but prices should include VAT, although unless they're selling as an EU-based or VAT-registered company, it's not mandatory.
Since this seems more B2C than B2B, I'm assuming the £79/year I see includes VAT, so that's £65.83 without 20% VAT, which is $109.17 at today's rates. I would not consider this too unfairly deviant of the US pricing considering the volatility of exchange rates.
Many American cloud providers, software vendors etc. charged their USD prices in EUR to European customers, even to European customers outside the Euro zone. An American VPN and sometimes some further fiddling with your browsers usually allows to purchase in USD …
For my commercial purchases, i.e., purchases as a company, I have to pay the local VAT anyway upon import including digital services like Dropbox.
Dropbox does not claim to encrypt your data on the client side. They only claim encryption on their servers but that is not helpful in terms of encryption of your data …
In CrashPlan, you can at least set your own private key if you like. You still need to trust the provider/vendor, however, the software is at least built to do local encryption. Dropbox does not work that way.
No, Dropbox does NOT encrypt your data on the client site.
Alternatives would be Spideroak and Wuala or addon software like Boxcryptor. They work but not as flawlessly and user-friendly as Dropbox usually does …
Please be cautious: EncFS was not designed to resist an attacker having ongoing access to the volume, as they would in this scenario!
In particular, an attacker having access to the ciphertext at two or more different times violates EncFS's security assumptions; undetected malicious modification of files is also feasible in this scenario.
Many encrypted filesystems do not include such a property in their design criteria - for example, XTS mode as-is is not suitable for use in this scenario either, so please also try to avoid putting TrueCrypt (et al) on Dropbox!
For a broad general example of what a system would look like which tries to address this use case more naturally and effectively (although, caveat: I have not reviewed it in great detail myself), please see Tahoe-LAFS.
Damn! What's the vulnerability? Do they reuse IVs or something? No wonder I got stuck when designing my own encrypted filesystem, I didn't have this assumption. On the plus side, mine was safer. I'll have to revisit it.
I've been using Dropbox with EncFS, and I feel foolish about not thinking of the fact that Dropbox has ongoing access to the encrypted files.
Would you recommend something other than Dropbox + EncFS as the best compromise for a file-sync solution that has reasonable security, a non-buggy client, supports block-level sync, is reasonably priced and "just works"? BitTorrent Sync + EncFS?
Was this thread then manually flagged as "noflame"? It seems that the general sentiments on HN lean toward the "very critical" spectrum whenever dropbox is brought up, which seems like it would set off the flamewar filter constantly.
No, we haven't moderated it. The only thing affecting its rank are upvotes and flags, which are in the usual tug-of-war that we see with controversial threads.
It is disappointing that Dropbox still does not offer any options for secure storage. Personally, you might be fine with unencrypted stories but at least for companies in Europe, having (all) your data with an American cloud provider without local encryption on your side is simply not a legal option …
Dropbox is a great service, however, it would be even greater if I could use Dropbox for all my data and not only selected data where I do not consider local encryption necessary.
(I know about add-on software like Boxcryptor but all options I have tested so far were not user-friendly enough … Dropbox competitors with encryption like Spideroak and Wuala work good enough but are in no way as user-friendly and convenient as Dropbox.)
Agreed. This was the first thing I checked. Still no client side encryption! Truly unfathomable in light of current world events, competitive offerings and the feasibility of the required technical implementation.
> Dropbox competitors with encryption like Spideroak and Wuala
Unless one doesn't really cares about security and wants encryption for the sake of having encryption, there's no way their implementations could be considered sufficient.
Without audit you're just taking their word for it — which is exactly as when you take Dropbox's word that they won't peek at your data (unencrypted or possibly encrypted but one can't verify that). And to audit those one needs to spend a lot of time reverse engineering their applications, and then auto-update mechanism could render those efforts void at any moment. I've spent about a weekend debugging and looking at decompiled SpiderOak code and while I hadn't found anything suspicious (although I'm not a crypto or security expert) the only judgement I was certain with was "this behemoth's too complex to study in detail, not worth the time to continue the research"
The point is, the data could be encrypted, but it's pointless to just have the encryption — to assume some security one must be certain about many aspects of how it's done — when, how and where encryption keys are generated, when, where and how data's processed, what are exact crypto algorithms used and how they are composed together and so on. And, obviously, a possibility to verify the description completely matches the actual implementation.
So, I think, security should be really done by a separate software module that could be completely reviewed by anyone (from tech-savvy end-users to security researchers) and can't be remotely auto-updated without explicit user consent.
I don't know about SpiderOak but I totally trust Tarsnap.
But agreed we have to trust the software companies/devs when using crypto.
Not many people really trust Dropbox anymore to build client-side encryption themselves. But you could use a different program for encryption with dropbox as simple storage. That being said, you still have to trust the Dropbox binaries installed on your system as well. Security paranoia can go deep.
IIRC, Dropbox has HTTP-based API that allows basic file operations, like uploading, downloading and listing files. So, proprietary client isn't really required.
Well, if someone would code a Dropbox-based TAHOE-LAFS backend, I'd seriously consider really using Dropbox. (My phone came with 1-year "free" 50GB offer, so I'm using it for some completely non-private files, like my cat's photos I've publicly shared.)
It is not sufficient but it might be enough to fulfill compliance requirements. Yep, that is only cover your ass security but it is still better than no encryption at all … the glass is half full vs. the glass is half empty although we should of course aim for the full glass.
There's an opinion that it's actually harmful, as it creates a false sense of security when there's none (when a powerful malicious party can possibly force vendor to make the software silently auto-update and disclose your encryption keys — that really means "none").
I think it is only available if you were already signed up for it. I just chose to continue with the packrat add-on for my pro account. It seems like the alternative they are now offering is only extended version history. (which would save changes for a year)
So I have the $20/month a plan, and my reward appears to be that I pay twice as much and still have 200GB...? Do I have to cancel and re-subscribe? Anyone from Dropbox out there..???
I've got something I like better than Dropbox. It's called rdiff.
It does one thing only: deduplication.
All the other stuff needed for remote, incremental backups, e.g., moving files back and forth over a network, can be done with other open source tools. I think I have a pretty good command of moving files around with open source software... I do not need a third party to help me via an obfuscated blob of Python and who knows what else.
I like having control over my backups versus trusting it all to some closed-source, third party, "all-in-one" application.
In my mind having control and transparency will always be more powerful than handing over my data deduplication and backup to a third party, such as "Dropbox".
But I imagine there are few others who would agree. Forgive me for not loving Dropbox. Maybe some day I will see the light.
If you don't mind hosting yourself, Seafile is also open source and has really nice Mac/Windows/Linux/Android/iOS client apps. It also does delta syncs, which I don't believe ownCloud supports yet:
What's with the lack of delta syncs in all these systems? As far as I know, neither Google Drive nor OneDrive do it. Now you're saying ownCloud doesn't do it either. I didn't even think to look at it for oneCloud because obviously they'd support it.
I consider it to be an essential feature, to the point that I won't bother with something that doesn't support it. I guess I'm unusual in that respect.
I suspected I would get downvoted for not loving Dropbox. And I was right. Interesting.
FYI
rdiff is the reference implementation or first example of a utility written with librsync, which is the library that Dropbox used to build their "business".
I wish OS vendors weren't asleep at the wheel. This sort of service needs to be integrated into the OS. I'm sick of having an OS that doesn't include next-generation features like seamless p2p filesharing. I guess its time to make one ..
These are just backup services between Microsft/Apple/Ubuntu, Inc., and the users.
What I want is true p2p. Like, nobody in between necessary, because the OS has everything onboard to make it happen. That sort of 'asleep at the wheel'..
The point is that seamless peer-to-peer hasn't happened, at the OS level. If Dropbox' NS servers go splooey, there goes your backup.
However if me and every family member want to share our own private files, internally across the vast Internet, without any 3rd-party interaction - i.e. really peer-to-peer, only the open-source/3rd-party-app route works, feasibly, at the moment.
Which is what I mean when I say that I think that OS designers are asleep at the wheel; or, perhaps, brain-dead. An OS which does point to point encryption across untrusted networks, successfully, and which wraps up the whole thing in a workable GUI provided by the OS vendor .. its just not there yet. I suppose soon, though.
Dropbox is morally corrupt and support for them by HN users is disappointing.
I wrote to Dropbox and said I wanted to cancel my account and get a pro-rated refund because of their hiring of Condoleezza Rice. Her involvement in the Iraq war and the mass surveillance of Americans is deplorable.
A few days after my request my account was converted to the free version, with the limitations of the free version. I could no longer sync any files. When I saw this I assumed I was going to get the refund.
Days passed. I asked about the refund. The support email included disturbingly fawning about Ms. Rice and how amazing she was, and insisted that the Dropbox ToS made it flat-out impossible for them to issue any refunds. My account was changed back to allow the 100 GB of storage and Dropbox acted like it never botched my request.
It almost funny that they would not even respect differing opinion on their hiring of Ms. Rice and graciously offer a refund to those offended by such a move. Hiding behind their own ToS just shows how deaf they are to the matter. They basically don't give a fuck, and they don't have to because they have enough people who are more concerned with convenience than principles as amply shown on HN.
There are very good alternatives to Dropbox. Both SpiderOak and ownCloud work great on Windows, OSX, and Linux. You can get managed ownCloud hosting if you don't want to set up your own: https://owner.io.
It's puzzling that anyone would trust them with their data given their behavior.
Why are you entitled to a refund? You disagree with their hiring policies? You already paid the $99 for 1 year of service. You already bought it. It's done. Your option is to cancel at renewal or not.
That's my take, anyway. I also asked for a refund when Google announced their far cheaper plans for GDrive, and this just a month after I renewed. They told me the same thing -- a policy of no partial refunds. So I asked them to ensure I would not be auto rebilled, and that was that. Why exactly are they morally corrupt for this?
That's not what OP said. The conversion to a free account and then back is not related to the refusal to refund his money. They temporarily took away paid features, but only because they botched his cancellation/refund request. When he pointed out their confusion, they corrected it. He didn't get a refund because they have a no refund policy.
It was neglect for sure, but I think it stemmed from poor communication and not malice. He requested that they cancel his premium service and refund him for the remaining duration. They cancelled the premium service, but neglected to tell him that he wouldn't get a refund. Also, this was during a time when a lot of people were trying to cancel, so I'm sure the customer service team was overloaded with this type of request.
You already bought it. It's done. Your option is to cancel at renewal or not.
This is technically true.
In the bigger picture we should judge people and companies by what they choose to do, not by what they have to do.
Had Drobox even replied that they understood my complaint but decided that it did not warrant their making an exception to their ToS I might be less disgusted. At least it would show some sort of backbone. Instead they pretend their hands are tied. That's dishonest.
> It almost funny that they would not even respect differing opinion on their hiring of Ms. Rice and graciously offer a refund to those offended by such a move.
I'm not surprised at all that a company doesn't want to refund you because of a political disagreement you have with them.
I'm not surprised at all that a company doesn't want to refund you because of a political disagreement you have with them.
What's important here is how they handled this. A company can issue a refund anytime it likes, the ToS notwithstanding. Those are rules they made up.
Telling me that it is impossible to issue a refund is just lying. It's not impossible; it's very doable.
If they (or any company) deliberately choose not to issue a refund they should state it like that, in plain language, not pretend that they have no choice in the matter.
Likewise with botching my account downgrade; only after I pointed out there error did they restore the quota but then acted like it never happened.
It isn't simply the lack of a refund, it's the bogus way they did it. Actions like this reveal the character of a company.
>What's important here is how they handled this. A company can issue a refund anytime it likes, the ToS notwithstanding. Those are rules they made up.
The customer service representative you spoke to did not make those rules up. Unless you were speaking to the CEO of Dropbox personally, then yes, there is nothing that person could do. There may not even be a function of their support system that allows refunds. How do you know how simple it is for a CSR to offer you a refund?
I canceled my pro account when Dropbox first hired Rice, and I haven't looked back. It took far too long to get my data out, but it was well worth the effort.
If only there were a cloud storage provider that took a strong, substantive stand against government surveillance and supported true security and privacy for their users.
As long as we're dreaming, wouldn't it be great if you could use this make-believe product with standard unix tools on the command line, and access over SSH ?
I suppose a fanciful firm like this would offer a deep "HN readers" discount to anyone that asked.
rsync.net aren't really competing with DropBox so I don't see the relevance.
DropBox has multi-platform support on all major mobile and desktop platforms. They also have a GUI application that will "just work" for syncing your files off site.
rsync.net is really UNIX only since the offering doesn't work particularly well when not combined with popular Linux/UNIX tools (e.g. rsync). On Windows you're left using FTP and doing the sync-ing yourself somehow and there is no mobile presence at all.
The software is 1/2 of DropBox's (and Google Drive's) value. rsync.net is certainly inexpensive but not really competing for the same business or customers.
With Macs there are predominantly two "types" of users. Those who use a Mac because they want a UNIX machine that works well as a desktop/has a widely supported GUI, and then there are those who use Macs because they find them easier than Windows (due to the better consistency and less clutter).
I think rsync on OS X will widely appeal to this first group, but not appeal at all to the second group. As far as those people are concerned if it isn't in the store then it doesn't exist, and if it doesn't have a GUI it definitely doesn't exist.
As to Android you guys don't, as far as I know, offer an app? Maybe my information is out-of-date on that one.
I completely respect that you guys want to appeal to a certain demographic and there is something to be said for that. I was just pointing out above that rsync.net is niche and isn't "really" competing 1:1 with DropBox, Google Drive, or to a lesser extent One Drive.
Your prices remain quite impressive and I'm sure you do what you do very well.
'In the summer of 2014, Sam Altman became president of Y Combinator. Y Combinator also announced a Board of Overseers: Brian Chesky, cofounder of AirBnB, Adora Cheung, cofounder of HomeJoy, Patrick Collison, cofounder of Stripe, Drew Houston, founder of DropBox, Jessica Livingston, David Rusenko, Emmett Shear, and Sam Altman, cofounder of Loopt.'
Y Combinator, and by extension HN, is in cahoots with the people at Dropbox.
So you don't approve of Condoleezza Rice backing the invasion of Iraq in 2003. Okay, I agree with you that the invasion of Iraq was the wrong thing to do.
I don't approve of you attacking Dropbox, and Ms. Rice in her capacity as a Dropbox employee, for actions that have nothing to do with the company.
Would you like it if I wrote to your employer demanding you be fired because of your actions here? No? You would say, wouldn't you, that your posts on HN have nothing to do with your employer and regardless of what I think of your posts, it would be a dick move on my part to drag your employer into it?
How well do you know "Ms. Rice"? Personally? Professionally? Politically? Psychologically?
Ms. Rice, and her associates, were responsible for committing acts of open war on another country and in so doing violated - criminally - much international as well as national law. Charges at the ICC mean something. Such individuals, no matter what, should not be allowed more access to the masses until they have answered for their crimes.
The fact that this is of no consequence to someone who 'publically defends Ms. Rice' may not surprise me. She must answer to crimes against humanity, sir! This is why she should not be associated with the Western worlds growing fascination for documenting itself ..
I switched to Copy since the Condoleeza Rice situation and I have had no problems whatsoever. I have the app running on a macbook pro, an imac and two android mobile devices. It's also about half the price that Dropbox charges. I recommend it.
Honest question, how good is their client? The Google Drive client on OSX appears to be bit shit and I am considering moving everything away to a new system.
Honest answer: it seems to be a bit slower than Dropbox, but it's still pretty good. I haven't had any issues yet (no lost files). They also offer the same auto-upload of your photos from your smartphone, which I am running on an Android device, and that works wonderfully as well. I'm a very satisfied customer.
Ah, I did not check the updated dropbox pricing. At the time, I was getting 250GB for $9.99/mo, and Dropbox was offering me 100GB for the same price iirc.
Ditch Condi Rice and apologize for allowing her in, and I'll consider using Dropbox again.
As it stands, there are an abundance of other companies doing the same thing as Dropbox which do not associate with known war criminals. This makes them more desirable business partners.
Was privacy ever a feature? Will it ever become a Dropbox feature or is it impossible due to either today's political climate or Dropbox's internal views on the matter?
Dropbox having good Linux support is a big reason I use them personally and professionally (both paid).
But geez do they mess other things up. For example you can only share top level folders. We have to share with various outside parties and that limitation leads to a very cluttered file structure.
The solution for multiple accounts is beyond annoying. The correct way of doing it how google does it - you provide however many sets of credentials and can then easily select the current set to use/view. Dropbox do this idiotic thing where you tie your personal one into a business one, then logging into the latter also logs you into the former and everything works as though it is one account, with enforced folder names. I'm sure there is some weak justification about how this prevents issues with free accounts, but making paying users have a horrible time isn't the way to achieve that.
While they all have desirable attributes, especially for individual usage, they are harder to cooperate with others. (By that I mean try to get friends and relatives to use them with you, when those folk aren't tech savvy and certainly don't have their own storage.)
Mount Dropbox as a network drive. Smart local cache. Access the data on demand without syncing the repo in first. Also supports gdrive, s3, sftp, onedrive, box and more.
Makes a 1TB account make a lot more sense if you only have a 128GB SSD. Use selective sync with the primary client to only sync a portion of your Dropbox. Then use ExpanDrive to offload the rest and access it as needed.
The biggest benefit of Dropbox is the mobile app client support. On iOS, you see Dropbox and iCloud support, but rarely anything else.
When other sync services like Box and friends get more integration, I’ll gladly switch away since I would love some sort of encryption, which Dropbox, and Evernote damn you, appear unable or unwilling to implement.
150 comments
[ 0.22 ms ] story [ 226 ms ] threadI have yet to find a great alternative to it.
Focused on Owncloud only, the latest version is indeed great! :)
> it's the only cloud system that works well on linux systems
AeroFS (what I use), Bittorrent Sync and Syncthing (Golang, OSS) all work well on Linux (and Mac/Win).
I don't think this is front-page worthy of HN, sure, but anytime someone at Google/Dropbox/Apple does so much as pass gas, people around here get excited.
Look into Crashplan. Client-side encryption, unlimited versioning, never deletes files, and only $6/month for truly unlimited backup.
All I want is to encryptedly back up some directories on my home server, but nothing* really does that. I use SpiderOak at the moment, but it's not OSS.
* Except attic, but I'd rather pay for a service as important as this (I don't trust the remote server to not lose files): http://www.stavros.io/posts/holy-grail-backups/
http://rsync.net/
- HN Discount for new customers is 10c per GB, per month. No charges for usage or traffic, etc.
- We just began announcing 3c pricing for 1PB and above. That may be more space than you require, however.
We've adjusted our pricing quite a bit in the last 30 days in conjunction with offering our PB filesystems, etc.
It's always worth emailing us.
Why so?
And if not one filesystem, curious how it would work in practice.
There are non-obvious ways to make a petabyte-sized zpool non-scary ... but even with those employed we still utilize raidz3 and have contingencies for rollbacks.
edit: for obvious reasons, that 1.1 PB number will grow by 50% in the very near future...
And raidz3 resilver must be horrible at those densities!
Again. Just curious. Email at jmancuso@expandrive if you feel like chatting. I know we offer a similar product, but we are about to leave zfs for the above concerns. Wouldn't mind sending some business your way.
Filesystem: ExpanDrive :)
IIRC, you need to tweak a non-headless client to direct it to the headless instance (some config file to point to the server vs localhost) and everything works from there.
1: https://support.code42.com/CrashPlan/Latest/Configuring/Conf...
If Google Drive offered 500GB I would go with them, for now I'll stay with Dropbox as it's the same pricing (Dropbox's client is better quality).
Does that include VAT? Did they get a datacentre somewhere in the EU?
[edited] this is bullocks, IANAA(ccountant) applies here deservedly.
HMRC do note that "the UK applies the reverse charge provisions more widely than elsewhere in the EU", however, and for this I get the joy of having to reverse charge about 50 invoices a quarter for US services (all our hosting, SaaS bills, etc) ;-) For example, if a host in the US bills us $100, we then have to reverse charge $20 converted into GBP at approved rates, then claim the equivalent back.. so the net position is zero but it has to be accounted for (holds head in hands and rocks back and forth).
Since this seems more B2C than B2B, I'm assuming the £79/year I see includes VAT, so that's £65.83 without 20% VAT, which is $109.17 at today's rates. I would not consider this too unfairly deviant of the US pricing considering the volatility of exchange rates.
For my commercial purchases, i.e., purchases as a company, I have to pay the local VAT anyway upon import including digital services like Dropbox.
Or does Dropbox have the power to pilfer through my data, along with official snoopers and hackers?
In CrashPlan, you can at least set your own private key if you like. You still need to trust the provider/vendor, however, the software is at least built to do local encryption. Dropbox does not work that way.
Alternatives would be Spideroak and Wuala or addon software like Boxcryptor. They work but not as flawlessly and user-friendly as Dropbox usually does …
In particular, an attacker having access to the ciphertext at two or more different times violates EncFS's security assumptions; undetected malicious modification of files is also feasible in this scenario.
Many encrypted filesystems do not include such a property in their design criteria - for example, XTS mode as-is is not suitable for use in this scenario either, so please also try to avoid putting TrueCrypt (et al) on Dropbox!
For a broad general example of what a system would look like which tries to address this use case more naturally and effectively (although, caveat: I have not reviewed it in great detail myself), please see Tahoe-LAFS.
Would you recommend something other than Dropbox + EncFS as the best compromise for a file-sync solution that has reasonable security, a non-buggy client, supports block-level sync, is reasonably priced and "just works"? BitTorrent Sync + EncFS?
If you want to have security against the cloud storage provider, it is better to use some other encryption solution.
I thought the sales page contained better information than the blog post.
That aside, I feel this needs to be brought up in every Dropbox thread:
Get rid of Condoleezza Rice and I'll happily use your product.
I like Dropbox, it solves a none trivial problem in a good way and I don't care that they hired Condoleeza Rice for their board.
I'm not a American.
Was this thread then manually flagged as "noflame"? It seems that the general sentiments on HN lean toward the "very critical" spectrum whenever dropbox is brought up, which seems like it would set off the flamewar filter constantly.
Dropbox is a great service, however, it would be even greater if I could use Dropbox for all my data and not only selected data where I do not consider local encryption necessary.
(I know about add-on software like Boxcryptor but all options I have tested so far were not user-friendly enough … Dropbox competitors with encryption like Spideroak and Wuala work good enough but are in no way as user-friendly and convenient as Dropbox.)
Unless one doesn't really cares about security and wants encryption for the sake of having encryption, there's no way their implementations could be considered sufficient.
Without audit you're just taking their word for it — which is exactly as when you take Dropbox's word that they won't peek at your data (unencrypted or possibly encrypted but one can't verify that). And to audit those one needs to spend a lot of time reverse engineering their applications, and then auto-update mechanism could render those efforts void at any moment. I've spent about a weekend debugging and looking at decompiled SpiderOak code and while I hadn't found anything suspicious (although I'm not a crypto or security expert) the only judgement I was certain with was "this behemoth's too complex to study in detail, not worth the time to continue the research"
The point is, the data could be encrypted, but it's pointless to just have the encryption — to assume some security one must be certain about many aspects of how it's done — when, how and where encryption keys are generated, when, where and how data's processed, what are exact crypto algorithms used and how they are composed together and so on. And, obviously, a possibility to verify the description completely matches the actual implementation.
So, I think, security should be really done by a separate software module that could be completely reviewed by anyone (from tech-savvy end-users to security researchers) and can't be remotely auto-updated without explicit user consent.
But agreed we have to trust the software companies/devs when using crypto.
Not many people really trust Dropbox anymore to build client-side encryption themselves. But you could use a different program for encryption with dropbox as simple storage. That being said, you still have to trust the Dropbox binaries installed on your system as well. Security paranoia can go deep.
Well, if someone would code a Dropbox-based TAHOE-LAFS backend, I'd seriously consider really using Dropbox. (My phone came with 1-year "free" 50GB offer, so I'm using it for some completely non-private files, like my cat's photos I've publicly shared.)
But Wuala doesn't work without a network connection, which makes it pointless to me.
Looks like you just have to wait a few days.
It does one thing only: deduplication.
All the other stuff needed for remote, incremental backups, e.g., moving files back and forth over a network, can be done with other open source tools. I think I have a pretty good command of moving files around with open source software... I do not need a third party to help me via an obfuscated blob of Python and who knows what else.
I like having control over my backups versus trusting it all to some closed-source, third party, "all-in-one" application.
In my mind having control and transparency will always be more powerful than handing over my data deduplication and backup to a third party, such as "Dropbox".
But I imagine there are few others who would agree. Forgive me for not loving Dropbox. Maybe some day I will see the light.
I'm a big fan of open source when it works but there is nothing as seamless as Dropbox when it comes to syncing.
https://owncloud.org/
You don't even need to set it up yourself:
https://owncloud.org/providers/
http://seafile.com/en/download/ http://manual.seafile.com/
What's with the lack of delta syncs in all these systems? As far as I know, neither Google Drive nor OneDrive do it. Now you're saying ownCloud doesn't do it either. I didn't even think to look at it for oneCloud because obviously they'd support it.
I consider it to be an essential feature, to the point that I won't bother with something that doesn't support it. I guess I'm unusual in that respect.
FYI
rdiff is the reference implementation or first example of a utility written with librsync, which is the library that Dropbox used to build their "business".
Usage: rdiff [OPTIONS] signature [BASIS [SIGNATURE]] [OPTIONS] delta SIGNATURE [NEWFILE [DELTA]] [OPTIONS] patch BASIS [DELTA [NEWFILE]]
Options: -v, --verbose Trace internal processing -V, --version Show program version -?, --help Show this help message -s, --statistics Show performance statistics Delta-encoding options: -b, --block-size=BYTES Signature block size -S, --sum-size=BYTES Set signature strength --paranoia Verify all rolling checksums IO options: -I, --input-size=BYTES Input buffer size -O, --output-size=BYTES Output buffer size -z, --gzip[=LEVEL] gzip-compress deltas -i, --bzip2[=LEVEL] bzip2-compress deltas
What I want is true p2p. Like, nobody in between necessary, because the OS has everything onboard to make it happen. That sort of 'asleep at the wheel'..
However if me and every family member want to share our own private files, internally across the vast Internet, without any 3rd-party interaction - i.e. really peer-to-peer, only the open-source/3rd-party-app route works, feasibly, at the moment.
Which is what I mean when I say that I think that OS designers are asleep at the wheel; or, perhaps, brain-dead. An OS which does point to point encryption across untrusted networks, successfully, and which wraps up the whole thing in a workable GUI provided by the OS vendor .. its just not there yet. I suppose soon, though.
I wrote to Dropbox and said I wanted to cancel my account and get a pro-rated refund because of their hiring of Condoleezza Rice. Her involvement in the Iraq war and the mass surveillance of Americans is deplorable.
A few days after my request my account was converted to the free version, with the limitations of the free version. I could no longer sync any files. When I saw this I assumed I was going to get the refund.
Days passed. I asked about the refund. The support email included disturbingly fawning about Ms. Rice and how amazing she was, and insisted that the Dropbox ToS made it flat-out impossible for them to issue any refunds. My account was changed back to allow the 100 GB of storage and Dropbox acted like it never botched my request.
It almost funny that they would not even respect differing opinion on their hiring of Ms. Rice and graciously offer a refund to those offended by such a move. Hiding behind their own ToS just shows how deaf they are to the matter. They basically don't give a fuck, and they don't have to because they have enough people who are more concerned with convenience than principles as amply shown on HN.
There are very good alternatives to Dropbox. Both SpiderOak and ownCloud work great on Windows, OSX, and Linux. You can get managed ownCloud hosting if you don't want to set up your own: https://owner.io.
It's puzzling that anyone would trust them with their data given their behavior.
That's my take, anyway. I also asked for a refund when Google announced their far cheaper plans for GDrive, and this just a month after I renewed. They told me the same thing -- a policy of no partial refunds. So I asked them to ensure I would not be auto rebilled, and that was that. Why exactly are they morally corrupt for this?
A) Pro-rate the cost and immediately drop down to a free tier or cancel the service
B) Disable renewal, but keep the same level of service until the renewal date.
According to OP, he was knocked down to free tier but not issued a refund. That is incredibly odd, given that he already paid for the service
To be clear: The knocked me back to the lower free tier and quota, and only restored the quota a few days later when I saw no refund and complained.
This is technically true.
In the bigger picture we should judge people and companies by what they choose to do, not by what they have to do.
Had Drobox even replied that they understood my complaint but decided that it did not warrant their making an exception to their ToS I might be less disgusted. At least it would show some sort of backbone. Instead they pretend their hands are tied. That's dishonest.
I'm not surprised at all that a company doesn't want to refund you because of a political disagreement you have with them.
What's important here is how they handled this. A company can issue a refund anytime it likes, the ToS notwithstanding. Those are rules they made up.
Telling me that it is impossible to issue a refund is just lying. It's not impossible; it's very doable.
If they (or any company) deliberately choose not to issue a refund they should state it like that, in plain language, not pretend that they have no choice in the matter.
Likewise with botching my account downgrade; only after I pointed out there error did they restore the quota but then acted like it never happened.
It isn't simply the lack of a refund, it's the bogus way they did it. Actions like this reveal the character of a company.
The customer service representative you spoke to did not make those rules up. Unless you were speaking to the CEO of Dropbox personally, then yes, there is nothing that person could do. There may not even be a function of their support system that allows refunds. How do you know how simple it is for a CSR to offer you a refund?
I don't. So I asked the CSR to please pass my request on to someone higher up.
The response?
Nothing.
Zilch.
Not even the decency to tell me, "No."
I gather then that once Dropbox decides you're not a potential revenue source they can't be bother with even basic consideration.
Perhaps you could instead consider that not everyone shares your beliefs or principles.
As long as we're dreaming, wouldn't it be great if you could use this make-believe product with standard unix tools on the command line, and access over SSH ?
I suppose a fanciful firm like this would offer a deep "HN readers" discount to anyone that asked.
If only such a company existed ...
DropBox has multi-platform support on all major mobile and desktop platforms. They also have a GUI application that will "just work" for syncing your files off site.
rsync.net is really UNIX only since the offering doesn't work particularly well when not combined with popular Linux/UNIX tools (e.g. rsync). On Windows you're left using FTP and doing the sync-ing yourself somehow and there is no mobile presence at all.
The software is 1/2 of DropBox's (and Google Drive's) value. rsync.net is certainly inexpensive but not really competing for the same business or customers.
You are correct that there is no mobile presence at all ... except for every single android phone.
There is a "must be this tall to ride" bar at rsync.net and that's working very well for us and our customers.
With Macs there are predominantly two "types" of users. Those who use a Mac because they want a UNIX machine that works well as a desktop/has a widely supported GUI, and then there are those who use Macs because they find them easier than Windows (due to the better consistency and less clutter).
I think rsync on OS X will widely appeal to this first group, but not appeal at all to the second group. As far as those people are concerned if it isn't in the store then it doesn't exist, and if it doesn't have a GUI it definitely doesn't exist.
As to Android you guys don't, as far as I know, offer an app? Maybe my information is out-of-date on that one.
I completely respect that you guys want to appeal to a certain demographic and there is something to be said for that. I was just pointing out above that rsync.net is niche and isn't "really" competing 1:1 with DropBox, Google Drive, or to a lesser extent One Drive.
Your prices remain quite impressive and I'm sure you do what you do very well.
'In the summer of 2014, Sam Altman became president of Y Combinator. Y Combinator also announced a Board of Overseers: Brian Chesky, cofounder of AirBnB, Adora Cheung, cofounder of HomeJoy, Patrick Collison, cofounder of Stripe, Drew Houston, founder of DropBox, Jessica Livingston, David Rusenko, Emmett Shear, and Sam Altman, cofounder of Loopt.'
Y Combinator, and by extension HN, is in cahoots with the people at Dropbox.
if investment > ethics: keep story on front page
[1] http://en.wikipedia.org/wiki/Y_Combinator_%28company%29
I don't approve of you attacking Dropbox, and Ms. Rice in her capacity as a Dropbox employee, for actions that have nothing to do with the company.
Would you like it if I wrote to your employer demanding you be fired because of your actions here? No? You would say, wouldn't you, that your posts on HN have nothing to do with your employer and regardless of what I think of your posts, it would be a dick move on my part to drag your employer into it?
Do unto others as you would have done unto you.
Ms. Rice, and her associates, were responsible for committing acts of open war on another country and in so doing violated - criminally - much international as well as national law. Charges at the ICC mean something. Such individuals, no matter what, should not be allowed more access to the masses until they have answered for their crimes.
The fact that this is of no consequence to someone who 'publically defends Ms. Rice' may not surprise me. She must answer to crimes against humanity, sir! This is why she should not be associated with the Western worlds growing fascination for documenting itself ..
I think right now any american company is in bed with NSA until proved otherwise.
As it stands, there are an abundance of other companies doing the same thing as Dropbox which do not associate with known war criminals. This makes them more desirable business partners.
But geez do they mess other things up. For example you can only share top level folders. We have to share with various outside parties and that limitation leads to a very cluttered file structure.
The solution for multiple accounts is beyond annoying. The correct way of doing it how google does it - you provide however many sets of credentials and can then easily select the current set to use/view. Dropbox do this idiotic thing where you tie your personal one into a business one, then logging into the latter also logs you into the former and everything works as though it is one account, with enforced folder names. I'm sure there is some weak justification about how this prevents issues with free accounts, but making paying users have a horrible time isn't the way to achieve that.
AeroFS (what I use), Bittorrent Sync and Syncthing (Golang, OSS) all support Linux (and Mac/Win) and are good alternatives.
http://www.expandrive.com/expandrive
Mount Dropbox as a network drive. Smart local cache. Access the data on demand without syncing the repo in first. Also supports gdrive, s3, sftp, onedrive, box and more.
Makes a 1TB account make a lot more sense if you only have a 128GB SSD. Use selective sync with the primary client to only sync a portion of your Dropbox. Then use ExpanDrive to offload the rest and access it as needed.
What have I missed in the last 6 months concerning db and Condoleezza Rice?
When other sync services like Box and friends get more integration, I’ll gladly switch away since I would love some sort of encryption, which Dropbox, and Evernote damn you, appear unable or unwilling to implement.