

Ice Box Pro: The best of Dropbox and Amazon Glacier combined - patrickod
http://www.iceboxpro.com/

======
RKearney
FYI Anyone can see your name, email, and AWS ID/Access Key.

The games on Stripe's CTF were more secure than this site...

EDIT: Looks like it was just patched. Still managed to get a few dozen AWS
keys though.

~~~
erenemre
Update: I misunderstood, I'm sorry. I wasn't trying to attack but trying to
show my concern because I thought he saved some id/keys for himself. Please
ignore my comment below.

--

"Still managed to get a few dozen AWS keys though"

Good for you! What a nice person you are. Please abuse more small projects
like this. Even if they say it "was only meant for friends to
test out".

Oh I see, you just found a security hole and trying to get some reputation?
Cute. Please do it by abusing the small power you found and hurting innocent
users. That's really, really nice of you.

"Still managed to get a few dozen AWS keys though"

Wow. Just wow.

You sir, just ruined my night. Thank you.

Ps. I am really concerned about your company and its users. If you can do
something like this, I wonder what else you could do (or doing) at your
current company. I hope, I'm assuming wrong.

edit: "the" » "your". last paragraph.

~~~
RKearney
Perhaps you're misunderstanding my course of action.

1. I didn't disclose how to do it, merely that it was possible.

2. By "get" I in no way mean harvested. I just manually incremented the ID in
the URL by hand in my web browser to see how many users could be affected.

3. Since I never saved any of the information (just viewed the pages) I no
longer have it since the flaw was patched.

Nothing malicious was done.

~~~
erenemre
Sorry, I think I misunderstood your comment. I thought you saved some info to
yourself.

I'll update my comment above.
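
The flaw discussed in this sub-thread (other users' name, email and AWS key visible by changing the numeric ID in the URL) is a missing object-level authorization check. The sketch below is an added example, not part of the thread and not the site's code: the account store, field names, functions and placeholder keys are all hypothetical. It shows the unchecked lookup beside a version that ties the record to the session, masks the stored credential, and answers missing and foreign IDs identically.

```python
# Added illustration; every name and value here is constructed for the example.
from dataclasses import dataclass

@dataclass
class Account:
    id: int
    name: str
    email: str
    aws_access_key: str

# Constructed sample data; the key values are placeholders, not real credentials.
ACCOUNTS = {
    1: Account(1, "alice", "alice@example.com", "PLACEHOLDER-KEY-ALICE"),
    2: Account(2, "bob", "bob@example.com", "PLACEHOLDER-KEY-BOB"),
}

class NotFound(Exception):
    """Raised for both missing and foreign records, so IDs cannot be probed."""

def view_account_vulnerable(session_user_id, requested_id):
    # Flaw: the ID from the URL is trusted and the session is never consulted.
    acct = ACCOUNTS[requested_id]
    return {"name": acct.name, "email": acct.email,
            "aws_access_key": acct.aws_access_key}

def mask(secret, keep=4):
    # Show only the tail so a rendered page never carries the full credential.
    return "*" * (len(secret) - keep) + secret[-keep:]

def view_account_hardened(session_user_id, requested_id):
    acct = ACCOUNTS.get(requested_id)
    # Object-level authorization: the record must belong to the logged-in user.
    if acct is None or acct.id != session_user_id:
        raise NotFound(requested_id)
    return {"name": acct.name, "email": acct.email,
            "aws_access_key": mask(acct.aws_access_key)}

def readable_ids(view, session_user_id, ids):
    """Regression check: which record IDs can this session read through `view`?"""
    readable = []
    for i in ids:
        try:
            view(session_user_id, i)
            readable.append(i)
        except (KeyError, NotFound):
            pass
    return readable
```

Running `readable_ids` as a test for each authenticated route catches this class of bug before release: a session should only ever get its own ID back.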

------
reitzensteinm
This sounds great, but since this is using your own AWS account, there is a
very serious poison pill; Glacier only lets you retrieve 0.17% of your data
for free per day. Beyond that, you get charged based on _your peak hour_ of
retrieval.

How much? $7.20 per gigabyte for your highest hour (minus a negligible free
allowance if you're using it in this manner).

i.e. the cost to restore m gigabytes over n hours is:

$7.20 * m / n

I'm sure Ice Box Pro will have warnings in place, so nobody will get a $350
bill by accident by restoring a 50 gig account in an hour.

But for disaster recovery, the time will come to decide between a large bill
or a very slow retrieval.

Pricing details are here (though quite difficult to follow):
<http://aws.amazon.com/glacier/faqs/#How_much_data_can_I_retrieve_for_free>

~~~
biturd
That seems too costly for even large businesses that don't care. When you lose
data, you want it back fast. In this case, the faster you take it back the
more it costs.

I wonder why they don't use S3. Is it not reliable enough? The charging
infrastructure at least is simpler to figure out.

~~~
Spooky23
There is a huge market for data that needs to be retained indefinitely, or for
some long period of time. Oftentimes this is related to compliance. The
frequency that the data is accessed is incredibly small -- or even zero.

For example, in several states, all records relating to a minor in state
custody, an adoption, or receiving certain benefits must be kept for 26 years
after the minor turns 18. Today, states are either storing this data on tape,
or paying some government contractor to do it for them -- at an expense
several times that of Glacier.

Another example is litigation holds. One former employer was forced to hold
around a petabyte of data 7 years for a complex civil suit, because... A judge
said so. In that case, the high cost of retrieval may be a _benefit_, because
the plaintiff would be footing the bill.

------
dfc
For an open source alternative (and my tool of choice) check out git-annex
with s3[1]. joeyh has a todo for git-annex and glacier[2] and someone has
already submitted the beginnings of a patch. When I first heard of Glacier I
was excited about the possibility of using it for a backend to git-annex, but
then I read cpercival's discussion of glacier[3,4].

[1] <http://git-annex.branchable.com/tips/using_Amazon_S3/>

[2] <http://git-annex.branchable.com/todo/special_remote_for_amazon_glacier/>

[3] <http://www.daemonology.net/blog/2012-09-04-why-tarsnap-doesnt-use-glacier.html>

[4] <http://www.daemonology.net/blog/2012-09-04-thoughts-on-glacier-pricing.html>

EDIT: Removed comment about competition.

~~~
rlpb
I've written glacier integration with git-annex and it's fully functional.
Details in [2]. The Glacier retrieval pricing uncertainty just means that I
store less in Glacier - but for critical data where the paid retrieval cost is
worth it, I happily "git annex copy --to=glacier".

------
smeagol
hey guys,

i built this with a friend and didn't expect it to get posted to HN already.
we just got it approved and i accidentally hit our Like button before we were
even ready. my friends immediately commented on the story so we just said,
what the hey :-)

in any case, it just "launched" today, was only meant for friends to test out,
and yes i agree we need to write more copy.

to address some concerns:

\- this is really only meant for developers at the moment; i.e. those who
actually know their way around AWS. if and when we decide to take payments and
provide a service, you can expect a lot more documentation and support. we
have no desire to dupe normal folks. we built this for ourselves and really
only expected friends to try it out first.

\- you don't need to go to your AWS console to get your files. once a file
archives, you can click a button to download it back to your Dropbox

\- putting in warnings about the quota is a great idea! we'll do that ASAP.

keep the feedback coming, we really appreciate it and wanna build something
useful for everyone.

~~~
silverlake
Perhaps you could offer a service where everyone saves their files under your
corporate account. When 1 person needs to restore, it will mostly fit within
the free download % of the total. So if 10 people store 1 TB each, you can
download 500GB/month for free. It's like insurance. We all pay a small amount
to cover when one person has a problem.

~~~
smeagol
we hope to get to that very soon!

most likely, we'll just keep a small data center. something to get around the
bandwidth limitation and availability. we would definitely need to charge then
in order to cover those costs.

------
akmiller
I'd like to see someone provide a service in a similar vein to this but just
for photos.

What I'm thinking is a service that uses Glacier to store my photo library and
some type of front end service (like dropbox) that keeps a low res version of
that photo along with some meta data about it.

My reasoning for this is that we all build up pretty significant photo
libraries (mine's already over 60GB) and I'm always trying to make sure I have
them backed up. I currently use a paid plan at Dropbox so I can put them all
up there but it's kind of a waste since I hardly ever pull many of them down
again. Every once in awhile I browse through them looking for certain pictures
that I might need to get a copy of (which is why I'd need the low res copies
easy to access/browse) and then be able to choose which ones to pull down from
glacier. The other good thing about a service like that is the need is not
typically immediate.

Maybe I'll look into building this since it's something I'd love to have for
myself!

~~~
matthew-wegner
I use Backblaze--$50/year--primarily for photos. My photo drive sits at around
900GB currently. It's entirely in Backblaze, in case it ever explodes and
local backups fail.

I let it handle other drives, too, although I exclude my
media/music/download/etc drive for simplicity.

~~~
StavrosK
Is it encrypted on the client side? That's pretty much my only requirement
now, since I have separated my two use cases (backups and syncing). I use
encfs on Dropbox for encrypted syncing, and it works great, but I need backups
encrypted on the client, and I haven't found anything great and cheap yet.

~~~
rhizome
What do you mean by "backups encrypted on the client?"

~~~
dkokelley
I would guess he means that the data is encrypted before ever being sent to
backblaze. The answer is yes according to
<http://www.backblaze.com/backup-encryption.html>

Rather, it's an optional yes.

~~~
StavrosK
Yep, that's what I meant, thanks.

EDIT: Actually, it looks like they can decrypt your data to restore it on
their end, so it's a no.

~~~
matthew-wegner
I believe Tarsnap is your only viable option, if you want to enforce that
degree of paranoia: <http://www.tarsnap.com/>

~~~
bifrost
Bitcasa is also in the same realm, although I think Bitcasa has some cooler
de-dupe technology.

------
biturd
Anything that uses Dropbox as the middleman scares me a bit. Dropbox scares me
a bit. It silently ignores a lot of meta data, restores files with dates that
aren't what the original was (last I checked) and has corrupted a few Mac OS
X sparse bundles beyond repair.

There's a great app called Arc that handles all of Mac OS X meta data
perfectly, works with the relative ease of Dropbox, and backs up to S3 at
great savings. De-duplication and other "smarts" are all there.

It's sort of like a Time Machine that you can point to S3.

------
rolleiflex
I love the idea, but besides the retrieval fees involved that you're not
disclosing, I wonder if people will grasp the fact that the files they are
putting into the icebox folder are not reachable with opening the same folder
and looking into it—instead you need to go to a web site to find them. This is
rather disorienting for a non-technical user as the way of putting files in
gives a false sense of immediacy to a future retrieval availability.

------
damncabbage
The security problem that was found (now fixed) is less of an issue than the
responses they gave afterwards: <http://news.ycombinator.com/item?id=4619652>

------
almost
Wow, I've been working on almost the exact same thing! Except I'm charging a
yearly fee instead of using the user's own AWS account, this makes it easier
for users without an AWS account and also means you don't have to worry about
the crazy Glacier fee structure.

Try it out if you want, 1GB accounts are free at the moment:

<https://www.tidy.io/>

~~~
randomchars
Some feedback about the landing page:

It doesn't show any pricing. I don't want to sign up for something just to see
the pricing.

~~~
almost
Thanks for the feedback!

The landing page not being finished was why I'd been waiting to launch, wish
I'd got it done sooner now!

EDIT: Until I sort out the landing page here's the current pricing: 50GB is
$25/year, 100GB is $40/year and 500GB is $189

------
forensic
There's this nefarious sense of: Give me your data so I can sell it back to
you!

------
ikken
Don't give your data to this site until they fix this:

<http://blog.ryankearney.com/2012/10/never-give-your-information-to-10-minute-old-startups/>

~~~
hnriot
And even when it's fixed after the way they responded, don't trust them with
your data or anything at all.

------
encoderer
This is a little OT, but I was thinking about putting together a weekend
(read: week) project that would offer a cloud service (details aren't
important) but require a user to add an AWS key. The idea is that it would use
the free micro instance Amazon gives a user.

The benefit I see is that customers would have total visibility into their own
data, and, of course, it's very cheap to run a system like that.

I'd love to hear any opinions anybody might have about it.

~~~
jmathai
That's a subset of what we're trying to do with The OpenPhoto Project.
<http://theopenphotoproject.org>

------
erenemre
Trying it now (800mb is uploading).

This tool is great for me because the data I'm backing up is something I'll
need to access maybe twice a year, or less. But I still need to have this data
backed up somewhere.

I love how it's as simple as Dropbox. Set it up once, the rest is just drag
and drop.

------
alanh
My Dropbox isn’t big enough for the file I would want to send to Glacier.

Does Amazon provide a fairly decent interface? Or, failing that, are there
clients that can work with AWS Glacier already, the way some FTP clients can
speak to AWS S3?

------
oron
I actually thought about it some time ago and even started working on a
prototype, got dropjar.com for that, but after seeing how low companies like
backblaze sell unlimited backup for ... I figured it's a hard sell.

Good luck with icebox.

------
alinspired
Great Idea, although to really archive terabytes with a relatively small
dropbox account you'd have to do it in 10-100 steps.. Recovering it via
dropbox would be even more challenging.

------
madrona
I'm not sure you can use competitors' logos like that.

~~~
smeagol
all Dropbox apps require approval. someone from Dropbox actually signed up,
reviewed IceBox, and approved it.

we have no intentions of competing with Dropbox. (like that's even possible.)
if we get a complaint, we're more than happy to comply.

we love both Dropbox and Amazon Glacier so we decided to pair them. i'm almost
certain Dropbox will eventually add a similar feature soon--we may just be
beating them to the punch.

~~~
randomchars
You might want to make that logo a link to Dropbox since it's required in
their guidelines.

<https://www.dropbox.com/developers/reference/branding>

------
smoody
Is the data stored on Glacier encrypted?

~~~
StavrosK
They're encrypted, but nothing's secure if it leaves your computer in
plaintext.

