
Show HN: File.io – Ephemeral file sharing - ca98am79
https://www.file.io/
======
_nvs
i personally prefer file.pizza, especially considering it is an open source
webrtc implementation that doesn't persist the data via any middle man
([https://github.com/kern/filepizza](https://github.com/kern/filepizza))

~~~
redwards510
Thanks for sharing that, it is also very cool! I think the two projects have
slightly different use cases though. Two things come to mind: * Sender and
Receiver must directly connect using file.pizza, revealing IP addresses to one
another. * Both users must be online at the same time with file.pizza, and be
able to communicate in near real time to exchange the link.

------
rwallace
Pastebin for binary files? By the look of things, clean and easy to use?
Handy!

It's probably time to start thinking about ways to monetise this to pay for
the hosting costs at least.

Also, have you talked to a lawyer yet? If this takes off and you keep it up
long enough, inevitably you're going to get people using it for child porn,
stolen credit card numbers, leaked classified documents, instructions on how
to make home-made bombs etc and someday a relevant law enforcement agency is
going to want to have a conversation about the content that Mr Smith sent to
Mr Jones via your server. It's probably a good idea to get your legal position
straight before that day rather than trying to do it after the fact. And yes,
I do recommend talking to an actual lawyer. Internet commentary is not an
adequate substitute for legal advice here.

~~~
pkulak
Seems like a lot of the issues are mitigated by the file going away after the
first download. Especially if there really are no logs or anything at that
point.

~~~
ixtli
I am not a lawyer™ but the creators should definitely consult one to 1)
determine how much risk they are exposing themselves to and 2) determine a
reasonable course of action to limit that risk exposure. The question is not
on whether or not we believe something to be "legal" or "illegal" but whether
or not some part of their service might draw the attention of a group large
and angry enough that might try to make them prove something in front of a
judge. This is the real danger to a small group of developers: the RIAA has
many lawyers on retainer while the upfront cost of dealing with a lawsuit
would bankrupt most individual developers.

------
mfkp
> How did you get such a great domain name? From the awesome service at
> park.io

A little disingenuous since the domain was never listed on park.io and this
site was made by the same company as park.io.

Makes me believe that they snatch up the best domains for themselves so people
can't bid on them.

I've bought multiple domains from park.io before and had a good experience,
but I was always worried about this.

~~~
ca98am79
Thanks for using park.io and I'm glad you had a good experience.

park.io doesn't just get domains from drop-catching when they expire.
Sometimes we buy them from the previous owner directly. Also, not all sales go
through the drop-catching/auction process, for example users can park their
domains on park.io and set a "Buy it Now" price for their parked domain, so
domains also sell in this way.

file.io was never listed because it never expired/dropped or went to auction.
We bought it directly from the previous owner and it was parked on park.io. I
have now used it for the service posted here. What you quoted above was said
to advertise park.io, and I apologize if it is misleading.

~~~
tw04
So I assume "park.io" posted the domain for sale and gave the market ample
time to buy the domain before snatching it up for them/your selves?

You buying it before posting it is no better than you drop-catching it.

~~~
saiko-chriskun
you're free to buy the domains yourself? he bought it from the previous owner
and has every right to use it as he sees fit, and in this case actually
launched a useful service in place of just sitting on it.

------
ca98am79
I built this site and appreciate any feedback from the HN community

~~~
Torgo
THANK YOU for giving this an api I can use from Curl.

~~~
ca98am79
you are welcome, I am glad to have people using it - let me know if you have
any feedback

~~~
jonny_eh
In addition to the token returned, it'd be handy if it returned the full url
as well.

------
calebm
Very nice. Also very similar to [https://transfer.sh/](https://transfer.sh/)

------
chbrown
tl;dr from the FAQ:

Q: "Why should I trust you?" A: "Because you should! We're good people!
Honest!"

I'd love to trust a service like this, but there's no credible effort to
actually establish that trust.

~~~
j_s
So encrypt client-side?

~~~
STRML
I built a service for this a few years back - it encrypts and decrypts on each
side, all in JS. It's pretty quick with web workers.

[https://securesha.re](https://securesha.re)

~~~
tattler
This is close to something I keep meaning to make.

It would be awesome if I could download the file without the password to
verify that it's stored encrypted though.

~~~
STRML
That could be faked. The best way to ensure I'm not cheating is to watch the
network requests and to look at the code
([https://github.com/STRML/securesha.re-
client/tree/master/jqu...](https://github.com/STRML/securesha.re-
client/tree/master/jquery-spaghetti)).

You'll see the POST to the server going up encrypted, and the subsequent GET
when you download the file coming down encrypted as a binary XHR.

------
stfnhh
I created a little CLI for it -
[https://gist.github.com/stfnhrrs/76b0e1df901a68c82f6b](https://gist.github.com/stfnhrrs/76b0e1df901a68c82f6b)

~~~
ca98am79
awesome - thanks!

------
prajjwal
I wrote a small shell script to make the upload process painless -
([https://github.com/Prajjwal/dotfiles/blob/master/bin/fileio](https://github.com/Prajjwal/dotfiles/blob/master/bin/fileio)).

This is an extremely useful service, btw. I can see myself using this a _lot_.
Kudos.

------
Paul-ish
Although perhaps more constraining, why not use a website that uses WebRTC
data channels to transfer the files? Then you can be more sure the data isn't
persisting in a datacenter somewhere. Plus, it is more plausible that the
service can remain free and private.

~~~
brandonjlutz
I did exactly what you're suggesting at:
[https://filesender.io](https://filesender.io)

As you pointed out, it is a bit more constraining due to the support for
WebRTC and users behind an SNAT, but I think for the majority of users it
works well.

------
forgotmypassw
You should probably filter out .exe files otherwise Chrome and other websites
might block you off.

------
coffeecheque
It might be a bug (could be a feature?) but when I paste the link into Slack,
Slack visits the link and then when a contact goes to download it, it's
already been deleted.

Love the site though. Maybe it's not designed for sharing files over services
like Slack.

------
russellbeattie
1\. Nice implementation of a potentially useful micro service. 2. Nice domain
name. 3. You should put more details in your FAQ like "no, this is not
guaranteed to be a perfect technical solution" and "we'll happily work with
law enforcement if you're a pedophile". 4. I always look down on services that
don't have an immediate and obvious way of making money, as it'll likely be
gone tomorrow. 5. MVPs are all well and good, but a few more simple features
wouldn't hurt: time-based expiration, multiple downloads allowed and
passwords, or whatever else seems simple and useful.

------
bascule
Data remanence is a really hard problem. Are you sure this lives up to your
claims that "the file is completely deleted without a trace"? How are you
storing them? Do they ever hit e.g. an SSD in plaintext?

~~~
moe
Claims are irrelevant, data breaches happen all the time.

If you are concerned about the confidentiality of a file then use encryption
or don't upload it to the internet.

------
ErikRogneby
"Also, no illegal files are allowed."

Is this a "(our lawyers made us put this in)" sentence?

It's not like there is a .ilgl file type, and with 1 time downloads DCMA
takedowns are unlikely.

~~~
pekk
Do you think that it makes sense for a new ephemeral files hosting site to
signal that it accepts child porn on its servers, in a jurisdiction where
child porn is completely illegal and can potentially get the creators of the
site onto a sex offender list? Is that wise? Why are we punishing people for
being careful about this?

~~~
ErikRogneby
CYA language on a FAQ is not prevention. I am guessing that they are not
performing heuristic analysis of uploaded files against NCMEC databases.

~~~
dublinben
Is the NCMEC hashset even publicly available? Last time I checked you have to
"partner" with them in order to possibly get a copy.

------
xt
Personally I use [http://filebin.net/](http://filebin.net/) which has nice and
simple looks and uses Drag & Drop for easy uploading. Source available at :
[https://github.com/espebra/filebin](https://github.com/espebra/filebin)

It is made in Flask and is licensed in AGPL.

Project comes with Vagrant and Puppet-files for easy deploy!

~~~
kijin
Is drag & drop really easier than just selecting a file from a dialog box?
Almost every modern file uploading service has it, but I've never really found
it useful. I've always thought of it as a feature that people enable "just
because they can."

As a developer, it's pretty rare for me to have the folder containing the file
I'd like to upload already open in an Explorer/Finder/whatever window. (I'm
more likely to have it open in a terminal.) So it will take exactly the same
amount of work for me to navigate to the folder in a dialog box as in an
Explorer window.

Even if I happen to have the folder open in Explorer, it's a hassle to move,
resize, or otherwise organize my non-tiled windows so that both the file I'd
like to drag and the space where I need to drop it are visible at the same
time. Larger or multiple screens won't help, as I'll just clutter them up with
more windows. I could drag to the taskbar to bring the browser to the
foreground, but again that's the kind of hassle that I won't need to incur if
I just used the dialog box.

For ordinary people with small-screened laptops and tablets, I assume it will
be even harder to keep two apps open in a way so as to enable drag & drop,
especially since a lot of people just maximize every window. (Can't blame them
when they're stuck with 1366x768 screens and/or platforms that encourage
fullscreen apps.)

~~~
drumdance
I love drag & drop with Trello, especially when dragging Skitch screen shots.
You don't even have to save the file.

------
alfg
Something similar I made a while back for those interested in hosting their
own file-upload service via S3. You can configure S3's object expiration to
delete/expire files after a set amount of days.

I still use it today for sending files here and there. :)

[https://github.com/alfg/dropdot](https://github.com/alfg/dropdot) \- Source
with demo.

------
digi_owl
Maybe tangential, but i find myself reminded of a article/blog entry a year or
more ago that talked about how the ISPs and big media was to blame for why we
still don't have simple, practical ways of transferring files across the net.

Sadly i didn't bookmark it at the time, and i would like to revisit it and
check some of the details.

------
shadeslayer
Isn't [https://curl.io/](https://curl.io/) the same thing?

------
yellowapple
No privacy policy, no technical details on how the files are stored /
"securely deleted" / etc., no definition of what "illegal" means (i.e. which
national/state/provincial/local/etc. jurisdiction is relevant for this site).
Looks cool, but I'm certainly not touching this without client-side encryption
until those missing things are made not-missing.

------
currysausage
Don't try to share the link via Facebook though - Facebook will visit the URL
and gone is the file.

~~~
jszymborski
Not sure if OP is listening, but I had this same problem and SO had a simple
solution.

[https://stackoverflow.com/questions/8195663/block-
facebook-f...](https://stackoverflow.com/questions/8195663/block-facebook-
from-my-website)

~~~
ca98am79
yes, thank you - this will be fixed sometime soon

------
dubcanada
Do you store the IP of the uploader and downloader? If you don't you're going
to want to.

~~~
dublinben
>If you don't you're going to want to

Why?

~~~
theoneone
If authorities ask you/demand with a court order "who uploaded this file" you
can hand out his ip. I also believe( haven't checked his one) you must retain
a copy of all files for a short period of time even if they inaccessible to
end users.

~~~
dublinben
You can't provide information that you don't have. Keeping no logs is the best
default practice from a legal and privacy perspective.

~~~
theoneone
Privacy yes, but legal? If you operate a website/ service that may be used for
illegal purposes then I think you need to be able to track down illegal
activities.

~~~
dublinben
The US actually does not have any kind of legally mandated data retention for
internet services. If you do not log the data, you cannot be compelled to turn
it over.

[http://www.internetlawyer-blog.com/2013/09/isp-data-
retentio...](http://www.internetlawyer-blog.com/2013/09/isp-data-retention-
policies-in-the-united-states.html)

[https://www.ivpn.net/data-retention-laws/united-
states](https://www.ivpn.net/data-retention-laws/united-states)

[https://www.bestvpn.com/blog/5539/data-retention-and-vpn-
log...](https://www.bestvpn.com/blog/5539/data-retention-and-vpn-logging-in-
the-united-states/)

------
tomashertus
This is nice service and I like these kind of microservices, but I miss
security here. I think you should consider some integration with services such
as metascan-online.com(I work for company who is creating this), or other
services for file scans. I always try to answer following question with
services like this:

How can I know, that there is no malware in the shared file?

------
cmdrfred
Very nice, no sign up, no nonsense.

------
rdegges
Love this service -- beautiful site, simple docs, simple API, great concept.

------
neonbat
Well I guess I now know who bought the file.io domain name...

------
flipcoder
Add a privacy policy

------
FOSSbot
Where's the source?

------
schuyler2d
good luck hosting this. Are you blocking any filetypes?

------
theunixbeard
From the username I noticed the creator is also the owner of
[http://park.io](http://park.io) \--- a cool domain dropcatching service for
.io, .ly, .to, and .me domains.

The one time I had a support request it was dealt with promptly by the founder
himself.

Be careful though --- I got the bright idea to be an amateur domain
speculator... So far I've spent a cool $1000 on 10 domain names and am now
discovering flipping them is harder than I thought!

Shameless self-plug for anyone who might be interested in my portfolio:
[http://cerebral.io](http://cerebral.io)

~~~
ca98am79
haha, thanks for using park.io! I'm glad you were pleased with the support, it
is important to me. Best of luck selling the domains - you have some nice ones

