Snowden: Dropbox is an NSA surveillance target, use Spideroak instead


A remarkable moment from last night's remarkable Snowden video from the Guardian.

Read the rest

Copyfraud, uncertainty and doubt: the vanishing online public domain


In Enclosing the public domain: The restriction of public domain books in a digital environment, a paper in First Monday, researchers from the Victoria University of Wellington document the widespread proactice of putting restrictions on scanned copies of public domain books online.

Read the rest

Bittorrent Sync seeks alpha testers

Bittorrent Sync is a Dropbox-like service through which the bittorrent protocol is used to synchronize all your devices. I recently used it to receive a large file from a friend in Los Angeles, and I was amazed and delighted by the speed an ease with which it came down. Bittorrent is calling for alpha testers to help it refine the product for its official launch.

Correction: An earlier version of this story got it wrong. I misremembered how the Bittorrent Sync product worked and erroneously believed that it used a cloud of bittorrent users to cooperatively share synch duties for one another.

It's exciting to see a more decentralized, redundant approach to cloud computing. Of all the resources we use with our computers, bandwidth is the scarcest and most fraught (since it's controlled by evil phone companies and mined by lawless spies). Storage, meanwhile, is fantastically abundant -- hard drives get so much cheaper so much faster that it's sometimes mindboggling. Many of us have storage to spare, and swapping that for cloud-based storage for backup, sharing and collaboration makes good sense.

The Bittorrent Sync architecture is reminiscent of the Freenet Project, a classic censorship-resistant file-sharing technology. I'm really looking forward to seeing what they come up with.

US businesses stand to lose up to $35B as a result of PRISM


How Much Will PRISM Cost the U.S. Cloud Computing Industry? [PDF], a report from the Information Technology and Innovation Foundation -- a highly regarded DC think-tank -- estimates that the US cloud computing companies will lose $22-$35 billion as a result of customers' nervousness about PRISM and other spying programs. The US had been leading the world in cloud computing, but analysts are seeing a rush to European cloud providers that are (presumably) out of reach on the NSA and in jurisdictions with tighter rules on government spying.

Read the rest

Ardent Industries to build raining voxel cloud on a forklift

Ardent Industries, the crazy people behind such large art installations as Dance Dance Immolation and SYZYGRYD, are building a giant 3D Mario cloud stuck to the top of a forklift so they can rain on people's parades. Their Kickstarter is fully funded and they're starting production and getting their forklift licenses! Rad!

Ardent Mobile Cloud Platform on Kickstarter

Schools and the cloud: will schools allow students to be profiled and advertised to in the course of their school-day?


Kate sez, "Technology companies are moving rapidly to get tools like email and document creation services into schools. This link to a recent survey of schools in the UK shows that use of such technology is expected to bring significant educational and social benefits. However, it also reveals that schools have deep concerns that providers of these services will mine student emails, documents or web browsing behaviour to build profiles for commercial purposes, such as serving advertisements. When data mining is done for profit, the relationship between the data miner and the consumer is simply a market transaction. As long as both parties are free to choose whether and when they wish to engage in such transactions, there is no reason to forbid them or place undue obstacles in their path. However, when children are using certain services at school and can neither consent to, control or even properly understand the data mining that is taking place, a clear line against such practices must be drawn, particularly when their data will be used by businesses to make a profit."

UK School Opinions of Cloud Services and Student Privacy [PDF]

(Thanks, Kate!)

Debunking the NYT feature on the wastefulness of data-centers

This weekend's NYT carried an alarming feature article on the gross wastefulness of the data-centers that host the world's racks of server hardware. James Glanz's feature, The Cloud Factory, painted a picture of grotesque waste and depraved indifference to the monetary and environmental costs of the "cloud," and suggested that the "dirty secret" was that there were better ways of doing things that the industry was indifferent to.

In a long rebuttal, Diego Doval, a computer scientist who previously served as CTO for Ning, Inc, takes apart the claims made in the Times piece, showing that they were unsubstantiated, out-of-date, unscientific, misleading, and pretty much wrong from top to bottom.

First off, an “average,” as any statistician will tell you, is a fairly meaningless number if you don’t include other values of the population (starting with the standard deviation). Not to mention that this kind of “explosive” claim should be backed up with a description of how the study was made. The only thing mentioned about the methodology is that they “sampled about 20,000 servers in about 70 large data centers spanning the commercial gamut: drug companies, military contractors, banks, media companies and government agencies.” Here’s the thing: Google alone has more than a million servers. Facebook, too, probably. Amazon, as well. They all do wildly different things with their servers, so extrapolating from “drug companies, military contractors, banks, media companies, and government agencies” to Google, or Facebook, or Amazon, is just not possible on the basis of just 20,000 servers on 70 data centers.

Not possible, that’s right. It would have been impossible (and people that know me know that I don’t use this word lightly) for McKinsey & Co. to do even a remotely accurate analysis of data center usage for the industry to create any kind of meaningful “average”. Why? Not only because gathering this data and analyzing it would have required many of the top minds in data center scaling (and they are not working at McKinsey), not only because Google, Facebook, Amazon, Apple, would have not given McKinsey this information, not only because the information, even if it was given to McKinsey, would have been in wildly different scales and contexts, which is an important point.

Even if you get past all of these seemingly insurmountable problems through an act of sheer magic, you end up with another problem altogether: server power is not just about “performing computations”. If you want to simplify a bit, there’s at least four main axis you could consider for scaling: computation proper (e.g. adding 2+2), storage (e.g. saving “4″ to disk, or reading it from disk), networking (e.g. sending the “4″ from one computer to the next) and memory usage (e.g. storing the “4″ in RAM). This is an over-simplification because today you could, for example, split up “storage” into “flash-based” and “magnetic” storage since they are so different in their characteristics and power consumption, just like we separate RAM from persistent storage, but we’ll leave it at four. Anyway, these four parameters lead to different load profiles for different systems.

a lot of lead bullets: a response to the new york times article on data center efficiency (via Making Light)

Dropbox: "We wuz hacked"

A couple weeks ago, a few hundred Dropbox users noticed they were receiving loads of spam about online casinos and gambling websites, at email addresses those users had set up only for Dropbox-related actions. The online file storage service now admits that hackers snagged usernames and passwords from third party sites, and used this data to break into those Dropbox users' accounts. Dara Kerr, reporting for CNET:

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post today. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."

Over at Ars Technica, Jon Brodkin has more. Evidently, the illicit access happened because a Dropbox employee’s account was hacked.

Read the rest

Attorney General set to destroy tens of millions of users' legitimate MegaUpload files

An attorney for MegaUpload -- which was shut down by the US government earlier this month, and whose assets have been frozen, following copyright complaints from the entertainment industry -- says that the US Attorney General is planning to destroy all its user data within a week. With its assets frozen, MegaUpload can no longer pay to host its data with its service provider, and so the AG will cooperate with the erasure of tens of millions of users' personal files -- backups, family photos, personal videos, financial records, and even movies and music in production by independent artists who used MegaUpload as a file-locker while their produced their work. TorrentFreak characterizes this as the destruction of evidence, and I think that's right.

Rothken explains that MegaUpload is determined to protect the interests of its users, but that its hands are tied without help from the authorities. The looming data loss is linked to unpaid bills at Cogent Communications and Carpathia Hosting where MegaUpload leased some of its servers.

“We of course would like to think the United States and Megaupload would both be united in trying to avoid such a consumer protection calamity whereby innocent consumers could permanently lose access to everything from word processing files to family photos and many other things that could never practically be considered infringing,” the lawyer told TorrentFreak.

“Megaupload’s assets were frozen by the United States. Mega needs funds unfrozen to pay for bandwidth, hosting, and systems administration in order to allow consumers to get access to their data stored in the Mega cloud and to back up the same for safekeeping.”

MegaUpload has contacted the US Attorney’s office with a request to unfreeze assets including money and domains so users can get access to their personal data. If this doesn’t happen, the consequences for many MegaUpload users and the future of other cloud hosting services will be disastrous.

MegaUpload User Data Soon to be Destroyed (Thanks, thatanonymouscoward!)

Dropbox CTO on their security policy

Arash Ferdowsi, CTO of Dropbox, wrote to me to clarify Dropbox's present and historical privacy policy:
first, I'd like to clarify what our intent was in how we represented privacy in our TOS. in our help article we stated "Dropbox employees aren't able to access user files" we didn't intend to mislead anybody with this statement - we prevent this via access controls on our backend as well as strict policy prohibitions. we don't feel this statement implies anything about who holds the encryption keys or what mechanisms prevent access to the data.

that said, it's become very clear to us that the statement wasn't explicit enough about what the barriers to access are. consequently, we've updated our help article and security overview to be explicit about this.

secondly, I'd like to clarify that we've never stated we don't have access to encryption keys. we've made quite a few posts in our public forums over the years about this very fact and we are quite open with our community: 1, 2, 3.

Dropbox's new security policy implies that they lied about privacy from the start

Dropbox's new security policy implies that they lied about privacy from the start -- UPDATED

Miguel de Icaza noticed that Dropbox's new security terms of service allows it to decrypt your stored files for law enforcement; but Dropbox has always claimed that it did not store the keys necessary to do this. This has been used as both a selling point ("we keep your files so safe, we can't access them") and an excuse ("don't ask us for help if you lose your crypto keys, we don't store them"), but it was, apparently, a lie. De Icaza worries that a company that lies about its crypto and security policy may not be trustworthy when it comes to files containing sensitive information:
If companies with a very strict set of security policies and procedures like Google have had problems with employees that abused their privileges, one has to wonder what can happen at a startup like Dropbox where the security perimeter and the policies are likely going to be orders of magnitude laxer.

Dropbox needs to come clear about what privacy do they actually offer in their product. Not only from the government, but from their own employees that could be bribed, blackmailed, making some money on the side or are just plain horny.

Dropbox needs to recruit a neutral third-party to vouch for their security procedures and their security stack that surrounds users' files and privacy. If they are not up to their own marketed statements, they need to clearly specify where their service falls short and what are the potential security breaches that

Unless Dropbox can prove that algorithmically they can protect your keys and only you can get access to your files, they need to revisit their public statements and explicitly state that Dropbox storage should be considered semi-public and not try to sell us snake oil.

Dropbox Lack of Security

Update: Arash Ferdowsi, CTO of Dropbox, wrote to me to clarify Dropbox's present and historical privacy policy:

first, I'd like to clarify what our intent was in how we represented privacy in our TOS. in our help article we stated "Dropbox employees aren't able to access user files" we didn't intend to mislead anybody with this statement - we prevent this via access controls on our backend as well as strict policy prohibitions. we don't feel this statement implies anything about who holds the encryption keys or what mechanisms prevent access to the data.

that said, it's become very clear to us that the statement wasn't explicit enough about what the barriers to access are. consequently, we've updated our help article and security overview to be explicit about this.

secondly, I'd like to clarify that we've never stated we don't have access to encryption keys. we've made quite a few posts in our public forums over the years about this very fact and we are quite open with our community: 1, 2, 3. via JWZ)

WPA Cracker cracks WiFi passwords in the cloud

WPA Cracker is a WiFi security compromiser in the cloud, running on a high-performance cluster. Send them a dump of captured network traffic and $35, and they will try 136 million passwords in 40 minutes, tops (for $17, they'll run the same attack at half speed) -- the same crack would take five days on a "contemporary desktop PC." They also have an extended, 284 million word dictionary that you can run for $55 in 40 minutes. They'll also use the same process to crack the passwords on encrypted ZIP archives.

You're safe if your password isn't in any dictionary, including the special dictionaries used for password cracking (these dictionaries will try random words in combination, as well as common letter-number substitutions such as "1" for "i" and so on). The crack works on WPA and WPA2-locked networks.

Your best bet is a long, random string for a password -- 64 bits of random noise will probably foil something like this for a good time to come. But good luck reading the password aloud to your visiting friend when she needs to get her laptop online.

Questions about WPA Cracker (via Schneier)

Tim O'Reilly explains the Cloud

Here's Tim O'Reilly on the future of Cloud computing and the "Internet of Things," speaking at the MySQL CE 2010 conference." As Bruce Sterling sez, "It looks like he's just telling disconnected alpha-geek anecdotes, in his customary, avuncular, visionary fashion. What Tim's really doing is throwing lit matches into his network. And boy is he the guru when it comes to doing that."

O'Reilly MySQL CE 2010: Tim O'Reilly, "O'Reilly Radar" (via Beyond the Beyond)

Google gets into the YouSendIt business: send 250MB attachments with Google Docs

Google is getting into the YouSendIt business: the free Google Docs now supports file-hosting of up to 250MB, along with access-restrictions based on Google accounts (just like other Google Docs). I'm thinking the 250MB limit has more to do with keeping the MPAA happy than any kind of technical limitation. But this will be well useful -- I've been tossing around big chunks of uncompressed audio for my upcoming experimental short-story collection's audiobook edition, and something like this would have been a godsend.
Because Google Docs now supports files up to 250 MB in size, which is larger than the attachment limit on most email applications, you'll be able to backup large graphics files, RAW photos, ZIP archives and much more to the cloud. More importantly, instead of carrying a USB drive, you can now use Google Docs as a more convenient option for accessing your files on different computers.
Upload your files and access them anywhere with Google Docs (via /.)

Grendel: free/open source software for protecting your cloud data

Marc Hedlund sez, "Wesabe just open sourced a project called Grendel that makes it easy for web apps to encrypt data using the user's login password, and only decrypt that data when the user is logged in. Let's say you're using a word processing web app and don't want your documents stored plaintext -- the web app could use Grendel to easily encrypt your docs for you, using OpenPGP. Log in and you can edit; log out and only you can get at the data again (since only you have your password). There are some hooks for encrypting with multiple keys if you want to share docs with selected other users on the system. Since people are throwing a ton of sensitive data in web apps these days I think having some tools to help make that safer would be a good thing."

Of course, data on web sites is usually shared with at least some other people in some way. Sometimes a user might want to share their information with the web site support staff, so the staff can help solve a problem or fix a bug. Or, the user might want to share their sensitive data with selected other users on the site, such as coworkers or family members. Grendel allows this, letting you encrypt data with multiple keys so that more than one user's password can gain access.

It's very easy to screw up when building a cryptography system -- check out Nate Lawson's excellent Google Tech Talk on common crypto flaws, or Matasano's Socratic dialog on similar topics, for a map of the pitfalls available to you, and us. We've been fortunate at Wesabe to have a number of people who think very carefully about security, and they've put a lot of effort into designing and building Grendel. That said, we have two goals in open sourcing Grendel: first, to make a tool available to others that could help make "cloud" applications in general much safer for everyone, and second, to open up what we've built so others can review and help us improve it. We would love comments on any aspect of Grendel, security or otherwise.

Protecting "Cloud" Secrets with Grendel (Thanks, Marc!)

(Disclosure: I am proud to serve on Wesabe's advisory board)