

AeroFS (YC S10) exits private beta - theboos
http://blog.aerofs.com/336/open-for-business

======
rdl
This is awesome. AeroFS does everything I want in a file sharing system -- I
can either run it entirely on my own machines on LAN and potentially VPN, or
at a company on a network also not connected to the Internet, or I can use it
as a direct Dropbox alternative (although it lacks some mobile clients and API
support).

I've been using it for ~a year or two in beta, as well as all the other
alternatives. I still use Dropbox for interoperating with other people who use
Dropbox, and for a couple mobile devices which don't support anything else,
and I use iCloud for mainly Apple app sync (although it seems to suck for most
non-Apple apps) between OSX and iOS, but AeroFS is my preferred option for
general file sharing use.

The only downside I've found is dealing with Java on certain OSes (OSX and
Windows 7 at times), but generally OS-level Java is fine, it's browser Java
which sucks.

~~~
newman314
I'm not too keen on the fact that AeroFS runs on Java as I would prefer to run
Java free systems as much as possible (Go version would be nice =) but am
willing to live with it if that's the only option.

~~~
yurisagalov
We're working on it (a Java-free system, not a Go version, sorry ;)

See my response here: <https://news.ycombinator.com/item?id=5484566>

~~~
songgao
Yeah it's still considered Java. While it's been working wonderfully, this
still bothers me a little bit. And why not a Go version?

Any chance to open the protocol so other people can work on different clients?

------
rurounijones
Possibly off-topic - If you are going to link directly to blog posts of
companies (especially if they have been in private beta) could you PLEASE have
a "What is $product" bit.

Either one or two lines in the initial part of each post or preferably in an
easily noticeable sidebar.

I had to go to the main site before I could figure out what AeroFS was.

~~~
orangethirty
That's marketing 101 folks. You should always include a short paragraph
describing your offerings.

~~~
veb
At least the logo goes to the main page of the website, and not the main page
of the blog.

EDIT: heh, that was fixed 46 minutes ago.

~~~
yurisagalov
Yup, our bad. Turns out we still have a lot to learn about blogging.

~~~
orangethirty
Funny bit is that YC companies always miss this. I think y'all need a launch
checklist. (:

~~~
rdl
I've actually been thinking about putting together a book/list of checklists.

1) Launch 2) Onboarding employee 3) Firing employee 3.5) Firing cofounder(s)
4) Getting hacked 5) Trolled 6) M&A offers 7) Running out of cash 8) Raising
(per type of round) 9) Board meetings 10) Annual reporting etc.

~~~
amirmc
Sounds like a great series of blog posts too. I'd definitely be interested as
some of those topics are rarely discussed.

~~~
rdl
Yeah, I think blog + discussion, and then edit, and then turn into a book
(which people can download or if they want to buy from Amazon buy, etc.) makes
the most sense.

A lawyer's input would be really helpful for some areas; I'm pretty confident
from an entrepreneur's perspective, and from a technical perspective, but
while I generally am aware of the laws which apply to me, I'm not qualified or
credentialed to give anything approaching legal advice.

It would almost make more sense to do in the Founders at Work style, where you
have a domain expert work on each checklist/chapter.

------
nsmartt
I really want to use AeroFS, but I have a few criticisms.

a) One of its goals is privacy, but it asks for my first and last name. Why is
this needed? I could always lie, but I'd much prefer a single field (e.g.
display name) that doesn't explicitly ask for this.

b) It tries to download a .deb file if I'm using Linux. I'd much rather click
this myself, and I suspect it does this regardless of whether my system is
Debian-based.

c) When signing up, I got no notifications at all. This may be due to
NoScript, but I had no indication that my signup was completed. I thought
perhaps my password wasn't valid or something along those lines, but I
eventually tried to sign in-- it worked.

d) "Non-Ubuntu users can also download the tgz archive." .deb files are
specific to all Debian-based systems, not just Ubuntu. Is it fine to install
the .deb (which you've tried to download for me) on other Debian-based systems
or just Ubuntu? It's unclear.

AeroFS is potentially great, but this isn't the first time I've reported
concerns over a, b, and d.

Edit: added d, modified last sentence for clarity

------
chmike
For me Java is a no-no because of all the update and security problems with
it. Besides, it isn't a lightweight and fast platform. I know many people that
wasted a lot of time with Java software upgrading problems because of broken
backward compatibility.

The other problem is the pricing model. If I host everything and use my own
bandwidth, what do I pay for? Software development and upgrade? This is very
expensive for a user with a non-profit activity who just wants to stay in
control of their own data.

~~~
kayoone
Even with Java this is miles more secure than something like Dropbox or other
Cloud Storage where you host all your data on someone else's server. So yeah,
Java as a technology choice might not be perfect but which other tech is
flawless anyway? I'd argue that properly securing your servers/clients is a
much bigger problem than someone exploiting the AeroFS software.

Pricing is for Teams only which makes sense, for everyone (teams of up to 3)
it's free, which is awesome!

~~~
chmike
Thank you for the pricing clarification. I missed that, my bad.

------
eupharis
Nice! Just installed. I love the feature list. The fact that it was easier to
install and has a nicer UI than Dropbox was a nice surprise :)

Since AeroFS never stores the files, the upload speed must be determined by
the upload speed of every team member who is sharing the file, yes?

At the moment, how good is AeroFS at chopping up the bandwidth to get good
speeds among, say, four users with upload caps of 1 mbps? How close will it
get to 4 mbps?

Do external collaborators help upload on folders they are sharing?

.

P.S. for Ubuntu Unity users: after setup, as with Dropbox, there is one tweak.
You need to run the old:

    gsettings set com.canonical.Unity.Panel systray-whitelist "['all']"

~~~
jcastro
You don't need to do this for Dropbox, it has a native indicator.

------
newman314
3 things.

1) I kinda feel like AeroFS has taken so long to come out that Dropbox
occupies a huge chunk of mindshare. It's almost as if AeroFS will need to
spend a bunch of time answering the "why should I switch" question. That said,
I would love to see AeroFS succeed as I am less than keen on Dropbox's
less-than-stellar handling of security in the past as well as their general
security model.

2) This leads to my second point. AeroFS, please please work with 1Password to
do whatever you need to get 1Password+AeroFS working. If this is available,
I'm switching right away.

3) Mobile support. Yes, please.

~~~
rdl
OTOH, most businesses don't yet use Dropbox (much) today. If AeroFS's market
is the enterprise, they're competing with Windows file sharing/SMB/Samba, NFS,
etc., not so much with Dropbox. It's a bit skewed in Silicon Valley and in the
consumer market.

~~~
newman314
A bunch of my enterprise clients seem to be fairly familiar and they seem to
all have come through the personal use route.

If the target market is enterprise, companies like Box compete there and
supposedly have more controls. That said, Box does not have filesystem
integration, the last time I checked.

------
dools
Cool product! Although the first thing I tried was to share a nested folder to
see if it was REALLY a Dropbox killer for me ;)

Can't wait to start playing with the team server version! It would be great if
I were able to get ad-hoc access to files on the team server from, say, the
Android app (the same way I do with Dropbox).

~~~
yurisagalov
Android app is currently being beta tested, and will indeed grab files from
the team server as you requested :) --yuri

------
rdl
Not to be "that guy", but the logo in the upper left of your blog needs to go
to www.aerofs.com, not blog.aerofs.com.

~~~
Whitespace
I was just saying the same to a coworker of mine. Not to take away from the
announcement of what seems to be a really great product, but I'm really
confused why a lot of companies do this. It shouldn't frustrate/enrage me, but
it does, almost as much as: Three. Word. Motto.

~~~
rdl
It's not the default for the blog software. Blog is usually as separate as
possible from everything else about your site (which is good, because all the
non-static blog engines have HORRIBLE security, especially Wordpress...)

------
erohead
We've been using AeroFS to share multi-GB folders and files for the last year.
It's perfect for video and images...no size caps!

------
andymoe
It is not clear from the site if the data I give to AeroFS is encrypted at
rest. There is a section called "End-to-end Security" that states:

    AeroFS uses AES-256 with 2048-bit RSA to create secure
    connections directly from one device to another. Because
    encryption is end-to-end, even we can't see your data or
    even file names.

But this does not actually tell me in plain terms if you encrypt my data when
it's sitting on your servers or not and that's actually a more important
question to answer. Everyone expects data to be encrypted in transit. You
don't get extra points for that. Would you mind clarifying if the data is ever
on your servers in an unencrypted form?

~~~
zarvox
Your data is never stored on our servers in an unencrypted form. Moreover, the
data is never stored on our servers at all.

In some scenarios (when two clients are both behind aggressive firewalls, for
instance) the data may be _relayed_ by our servers, but in those cases it is
encrypted (end-to-end) between the devices syncing using their respective
public/private keys, so we can't eavesdrop.

~~~
eps
Do you have a spec of your security model?

I really hope it's not a homebrew solution but something based off existing
protocols. In either case, since the security and privacy _is_ your primary
feature, a full disclosure of how it works inside is a must.

~~~
zarvox
A proper writeup is in the works, but to cover the basics: we know not to
implement our own crypto. :)

Passwords: we apply scrypt() before any use or storage. We never store the
plaintext.

Device-to-device: standard PKI. We have a CA, and the CA's cert is bundled
with the client software. Devices generate 2048-bit RSA keys at setup time.
They then generate a PKCS10 CSR which our CA signs, provided you give a valid
username/password. When peers wish to communicate, they establish a DTLS
connection (we use OpenSSL's DTLS implementation, and AES-256-CBC as the
default ciphersuite), verifying that the other device:

    * is certified by our CA to represent the claimed user and device (identity)
    * is not using a certificate with a revoked serial number
    * is trusted to send and receive information about the relevant shared folder (authorization)

Device-to-server: Everything between your machine and our servers uses TLS.
Where possible, we trust only our own CA. Implementation-wise, we use Java's
crypto providers for TLS.

Revocation: When you unlink or remote-wipe a device, we mark the certificate
associated with that device as revoked, and notify each of your clients either
immediately (if they're online) or as soon as they come online and reconnect
to our push notification service that the revoked device is no longer to be
trusted. (This is one of the other tasks that our servers provide - prompt
delivery of device revocation information.)

We update our libraries promptly and are subscribed to the appropriate
mailing lists.

Finally, if you believe you have discovered a vulnerability in some part of
the AeroFS system, please contact us at security@aerofs.com (PGP key 6E1DC9F9,
if you prefer encrypted email).

~~~
abcd_f
Do you use certificate pinning on the clients? I.e. once a client sees a peer's
cert for the first time, it should remember it and warn if it ever changes
afterwards.

~~~
zarvox
Cert pinning only makes sense if you happen to trust multiple CAs, but want to
stick to the cert issued by one particular one. We only trust one CA, and each
issued cert is bound to a user and device id, so this is a non-issue. :)

~~~
abcd_f
No, no, no.

It has nothing to do with that. Cert pinning is used to mitigate
man-in-the-middle attacks whereby an attacker somehow obtains a valid
certificate for the peer's ID further down the road. If the certificate is not
pinned, then the client will swallow a new cert without a peep, because it
tracks back to a trusted CA.

Cert pinning is an equivalent of ~/.ssh/known_hosts. It allows me to pin a
specific public key to a peer and be notified if that key ever changes.

In your case, you might've gone with self-signed peer certs, but that would've
obviously required manual verification of the peer's key on 1st contact. This
is a bit of a UX issue, because few people would bother to actually verify a
string of hex numbers between two computers. So, naturally, you introduce a
chaperone entity - your CA - that vouches for the peer's credentials. I am
willing to trust it, but consider it a "weak" trust that I put in place only
for convenience purposes and to get stuff going quickly. Later on I may look
and compare the key hashes (one provided by the peer in an out-of-band fashion
and the other I compute from my own copy of the key) and if they match _only
then_ I will know that I have a truly secure connection with the peer and that
you didn't lie in your initial peer introduction. At this point I want to pin
the peer's key, so as to be notified to repeat the manual verification process
if/when the key changes.

tl;dr - Just add the cert pinning and display the cert's public key hashes
(mine and the peer's) somewhere in the UI.
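An added example, not code from AeroFS or from either commenter, that puts zarvox's peer checks (chains to the single bundled CA, serial not revoked, certificate bound to the claimed user and device) and abcd_f's known_hosts-style pin in one verification routine, using only Go's standard library. The CA, the identity alice/laptop, the serial numbers and the replayed connections are constructed for the example, and it uses Ed25519 keys in place of the 2048-bit RSA keys described above, which changes nothing about the checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// verifyPeer: chain to the one trusted CA, serial not revoked, cert bound to the claimed id, then the SPKI pin.
func verifyPeer(peer *x509.Certificate, roots *x509.CertPool, revoked map[string]bool,
	pins map[string][32]byte, claimed string) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if revoked[peer.SerialNumber.String()] {
		return errors.New("certificate serial is revoked")
	}
	if peer.Subject.CommonName != claimed {
		return errors.New("certificate is bound to a different user/device")
	}
	fp := sha256.Sum256(peer.RawSubjectPublicKeyInfo) // the hash a UI would show for out-of-band comparison
	if old, ok := pins[claimed]; ok && old != fp {
		return errors.New("pinned key changed; re-verify the hash out of band")
	}
	pins[claimed] = fp // first contact: remember the key (trust on first use)
	return nil
}

// issue generates a keypair for cn and has signer (the CA key) certify it; parent == nil yields a self-signed root.
func issue(serial int64, cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer) // inputs are our own: cannot fail
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// RunScenario builds the constructed CA and device certs and replays four connections claimed by alice/laptop.
func RunScenario() map[string]error {
	ca, caKey := issue(1, "Example CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	revoked, pins := map[string]bool{}, map[string][32]byte{}
	check := func(c *x509.Certificate) error { return verifyPeer(c, roots, revoked, pins, "alice/laptop") }
	dev, _ := issue(2, "alice/laptop", ca, caKey)
	rekeyed, _ := issue(3, "alice/laptop", ca, caKey) // same identity, fresh key: the pin must fire
	out := map[string]error{"first": check(dev), "same": check(dev), "rekeyed": check(rekeyed)}
	revoked[dev.SerialNumber.String()] = true // remote wipe: the server pushes the revoked serial
	out["revoked"] = check(dev)
	return out
}
```

The re-keyed certificate is rejected even though it chains to the trusted CA, which is exactly the case the pin exists for; the revoked one is rejected by the serial check that the thread describes.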

~~~
rdl
What would make just as much (or more) sense for most of their enterprise
deployments would be to let the enterprise's own PKI take over. A lot of
businesses would probably want to be able to silently update keys (although I
can see the value in pinning/local cache with notification on change). They
may do that as part of the "custom LDAP/AD" tier.

------
gexla
Wow, finally! And congrats. This would be the only application which would
require running Java on my dev server, so that's a point against it when
evaluating it against other options. But I don't want to knock a developer
reaching for the best tool for the job in getting this thing finally opened up
to everyone. Thanks!

------
eps
Any plans for a Java-free implementation of the client software? It's a pretty
big and unwelcome dependency.

~~~
yurisagalov
We've actually just released a Java-free installable for Windows about a week
ago (see release 0.4.173 @
[http://support.aerofs.com/knowledgebase/articles/93285-relea...](http://support.aerofs.com/knowledgebase/articles/93285-release-notes)).

What we've done in the Windows installation is bundle a minimal JRE as a
light-weight library. The JRE is loaded by AeroFS at runtime and is otherwise
completely isolated, so no dependency exists on Java in Windows. Based on how
well that has worked out so far, we'd like to do a similar approach for OSX
and Linux soon.

~~~
urza
Damn, so back to AeroFS? :) I was quite happy with the syncing (although
sometimes the sync started after a long time), but I decided to dump Java from
my system.

Do you have an ETA for the OS X and Linux "Java-free" versions?

------
futhey
Great news, best of luck, but you might have to iterate on the pricing...

~~~
incongruity
The pricing doesn't make sense to me – 4 person teams are penalized vs. 3
person teams. The jump goes from $0/month to $40/month, so the incremental
cost for going from 3 to 4 people is steep (at least compared to all the other
incremental moves).

It's a minor detail, but it seems odd to me.

~~~
rdl
Atlassian goes from $10 to $1500 from 0-10 and 10+....

------
yason
End-to-end encrypted private file sharing darknet that basically appears as a
regular folder and doesn't share anything outside your friends. Given some
critical mass, that'd just be way too user-friendly for sharing files with
$FRIENDS.

Now I'd like to know what the MAFIAA can do about that? This is where it's
headed anyway, what the world needs is a mass-market darknet software and this
sort of thing just might be it, given Dropbox's popularity.

------
dataisfun
Congrats Yuri. I love the product.

------
ineedtosleep
Been using it for over two months now during private beta and pretty much just
gave up last week.

The main reason is because one of my linked computers is a Linux computer.
I've tried on both Ubuntu, through the deb package, and Arch, through AUR, and
the syncing either never happens or happens after a few _hours_. For the
former, restarting the service a few times somehow fixes it, but it's never
clear why.

~~~
zarvox
Hey, this is Drew from AeroFS. Sorry to hear you've been having trouble
syncing. If you want to report an issue (AeroFS -> Help -> Report a Problem in
the GUI, or aerofs-sh report "Description of your issue" from your terminal of
choice), we will be happy to take a look at your issues and see what's going
wrong.

~~~
ineedtosleep
You guys have been helpful when I've had problems, don't get me wrong. Sorry
if it feels like I'm just dumping on your product. I just always assumed that
since I'm just using aerofs from the AUR, it's not exactly completely
supported, so I never bothered with sending in reports.

~~~
zarvox
Ah, I understand completely; no worries. :)

Officially, we only support Ubuntu, but in general we like to have things work
for any setup that's not _too_ exotic. Indeed, some of the more helpful bug
reports I've looked at and fixed have come from Arch users.

Thanks for the feedback anyway, and let us know if there's anything else we
can do. :)

------
afics
How does it compare to Tahoe-LAFS¹?

¹<https://tahoe-lafs.org>

~~~
drdaeman
Two different things.

Tahoe-LAFS is a secure storage system (protocol and free software
implementation). It does not handle synchronization between devices (only
RAID-like replication).

AeroFS is a sync service (proprietary software only). It does not provide any
storage, but only syncs data between your devices.

------
irrelative
Nice job guys! You've built a really nice product and it's great to see you
expanding your user base!

------
kayoone
When I just have 2 clients syncing with each other and one of them is not
permanently available to sync, this isn't going to work very well, right?

So I'd need some central always-on server to sync my stuff to, to have it all
synced and secure all the time.

------
teekert
Oh how nice it would be to be able to run this on my Raspberry Pis and have
off-site backups on the cheap. Since most of the people I know now have fiber
I'd make a nice distributed system of RPis to keep everyone's pictures safe.

------
wiradikusuma
How is it different from existing "built-in" folder sharing (e.g. SMB)?

~~~
glesica
It works over the Internet. It is basically Dropbox, but peer-to-peer within
your personal collection of machines. They do not provide the storage.

------
veesahni
Can I point AeroFS at the root of my NAS and have it back up everything
(including permissions and userid/groupid metadata) to another physical
location?

------
kevinsd
I am experimenting with Dropbox + TrueCrypt. The trade-off is between limited
free space vs. the hassle of maintaining your own cloud.

~~~
ripperdoc
Try Boxcryptor, probably even less hassle to set up?

------
andybak
Had hoped support for syncing arbitrary folders was going to be in for launch:
[http://support.aerofs.com/forums/67721-feature-requests/sugg...](http://support.aerofs.com/forums/67721-feature-requests/suggestions/1695105-to-be-able-to-sync-existing-folders-files-without-#comments)

------
brass9
Why did you obfuscate the jar files? :( Why no love for opensource?

~~~
sultezdukes
Even if they didn't obfuscate the jar files, it wouldn't be open source.

------
ukd1
Linux support!?! <3

------
Myrth
Sign up doesn't work?

Get dummy html in json request...

------
aganek
Congrats AeroFS team!

