
Why I'm saying goodbye to Dropbox and hello to SpiderOak Hive - dajbelshaw
http://dougbelshaw.com/blog/2013/08/28/why-im-saying-goodbye-to-dropbox-and-hello-to-spideroak-hive/
======
cpursley
Chicago? Last time I checked, that city is within the jurisdiction of the
United States and not immune to national security gag letters.

 _No thanks._

Swiss based Wuala.com is a much better solution.

~~~
tombrossman
Isn't switching from one closed source backup system to another closed source
system overlooking the elephant in the room? These companies are legally
required to rat you out when the government comes knocking (some even doing so
without demanding a valid warrant, and profiting from LEO requests).

SpiderOak has been saying they "expect to make the SpiderOak client code open
source in the not-distant future" [1] for years now, and their code still is
not fully open-source. I completely understand their situation and know it's
not always possible to fully open up the code, but I'm not able to overlook
this deal breaker either.

Encrypt locally using only open source tools, then sync with whichever online
backup/sync provider you like. It's the storage version of a 'dumb pipe',
maybe we call it 'dumb containers'. Everything else is marketing bullshit
which will evaporate once that first official demand for your data arrives.

[1][https://spideroak.com/faq/questions/35/why_isnt_spideroak_op...](https://spideroak.com/faq/questions/35/why_isnt_spideroak_open_source_yet_when_will_it_be/)

~~~
newscracker
I recently created a "petition" for SpiderOak to open source the client (and
allow people to build it themselves from source) so that people can let
SpiderOak know their thoughts. The petition signatures are sent to SpiderOak.

It's still available at the link below if any SpiderOak user (or potential
customer) wants to use it to "show the numbers" on a single site (as opposed
to scattered comments): [http://www.change.org/petitions/spideroak-http-www-
spideroak...](http://www.change.org/petitions/spideroak-http-www-spideroak-
com-open-source-all-client-software-code-3)

There's an online backup service called Cyphertite (cyphertite.com) that
provides the sources for its client programs on all the platforms it supports.
So I don't really see why SpiderOak, with its prominent proclamations of "zero
knowledge", cannot walk the talk.

Of course, I understand that certain competitive advantages may take longer to
provide in the open (until factors other than the client source code and
backend architecture become competitive advantages). But I have to admit that
SpiderOak has been dragging on opening up the source.

Edit: Let me also admit that I do like SpiderOak and the emphasis it places on
privacy and in educating users about privacy. We need more services that
strongly support what ought to be basic rights.

~~~
rsync
You already have what you want. The source is here:

[http://duplicity.nongnu.org/](http://duplicity.nongnu.org/)

Actively in development, stable, ready for enterprise use.

~~~
fxlv
Yeah, buggy and unstable and just hangs when you throw large quantities of
small files at it.

------
taway2012
SpiderOak user here.

Just remember to not use the Web UI: if you do so, your plaintext password is
sent to the servers, because decryption happens on the servers. This is
mentioned in their FAQ. Unless things have changed since the last time I
checked.

~~~
coherentpony
They don't utilise https? Please tell me that isn't true.

~~~
seabee
HTTPS doesn't matter. Without client-side decryption, you are forced to give
the server your password so it can decrypt the file for you.

------
devx
I've seen a lot of people recommend Lastpass lately, but couldn't the
government force Lastpass to create a backdoor for them to get the passwords
before they are encrypted?

I'd also worry about a catastrophic event of Lastpass losing those passwords
somehow, and then remaining locked out of many websites.

And what about Bittorent Sync with an old PC as an alternative? They even have
an iOS app now.

~~~
TheEskimo
I personally use keepass and keepassx (the alpha compatible with keepass2.x)
and sync my passwords with SpiderOak. That's worked pretty well for me, and I
don't actually have to trust a website with my passwords. Even if there's an
insecurity in SpiderOak, they'd only get my encrypted keepass database which
they'd then have to also decrypt.

I definitely recommend keepass over lastpass.

~~~
SkyMarshal
Exactly what I do too, for exact same reasons. Crazy imho to store your
passwords in a cloud service, using only their encryption.

------
mattmaroon
I just use Truecrypt volumes within Dropbox for anything I'd really care about
losing. I guess it's an extra step, but I find I just like Dropbox better than
the competition. And things I really care about (tax returns, for instance) I
find I access rarely and always on a PC.

~~~
FreeKill
This solution has 2 issues though that kind of drive me crazy.

1) It won't sync the truecrypt volume while it's open (cause the file is in
use), so if you want to encrypt stuff you work on regularly, you have to close
the truecrypt volume regularly to sync it, which is a PITA.

2) Since it's one big volume, it takes forever to sync up even if you only
modified a single file inside it. Say, for example, I have a 5 GB truecrypt
volume containing some project I'm working on. If I open it, update the
readme, then close it, it has to resync 5 GB...

So overall, this is far from an optimal solution...

~~~
sirsar
EncFS keeps files separate (with encrypted filenames), avoiding this problem.

------
SilliMon
The best cloud security solution is one where you control the encryption keys
AND stuff is encrypted on your device BEFORE uploading to the cloud.

We tried SpiderOak but the security was hard for our users. We ended up using
Syncdocs which encrypts Google Drive. It lets our team share and use Google
Docs normally, but secure folders we need to keep encrypted. They also
disclose their AES encryption source.

[http://www.syncdocs.com/forums/topic/syncdocs-encryption-
is-...](http://www.syncdocs.com/forums/topic/syncdocs-encryption-is-superior-
to-googles-recently-announced-drive-encryption)

~~~
dajbelshaw
I think the new 'Hive' feature makes things a whole lot easier. Just drag-and-
drop (as you would with Dropbox) :-)

------
JimmaDaRustla
I'm embarking on my own backup solution: For $1.38 USD/month (Ramnode OpenVZ
SSD-Cached 128mb RAM VPS with 31% off for life coupon) I get 50gb.

I just need to setup a synchronization/encryption schedule. I'm thinking rsync
remotely to the server. Not sure on encryption yet.

I'm also using the servers as development and minor hosting for myself. It's
practically a free storage solution?

Am I crazy?

~~~
icebraining
I do something similar, though I use git-annex / assistant to manage the
files. It can have remote data repositories using rsync with transparent
encryption (using GPG keys).

I also have a bigger drive at home mounted on a raspberry, which stores both
the important files (as a second backup) and a lot of unimportant crap.

~~~
JimmaDaRustla
Thanks for the tip!

I'm hoping to look at rsync in order to do partial changes, so I could
synchronize VM disks and other large files.

I don't like keeping my PC turned on to perform a sync, so I would love to
setup a Raspberry pi to do the work for me, but it only has USB 2.0...

------
TheEskimo
SpiderOak does have one problem. It has no arm build for linux (and they
apparently have no plans to make one soon). If you frequently use a Raspberry
Pi or linux on an arm Chromebook then you'll be out of luck on syncing your
files.

I wish they'd release simple sourcecode for a headless sync client or that
someone would reverse engineer it enough for that to happen. As it is, you can
sshfs mount a folder synced by one of your x86 computers, but that's
definitely not ideal.

Other than that complain I've enjoyed using SpiderOak and it's a great piece
of software.

------
tghw
Cloudfogger[0] has an interesting solution. Anything within the cloudfogger
folders gets encrypted before it can be synced with the cloud service. It also
changes the filename to add its own extension. When you open a file,
cloudfogger uses the password cached on your system to decrypt and then run
the file, providing a fairly seamless experience.

The one main problem is that it's not an open source client, which seems like
the ideal solution.

[0] [http://www.cloudfogger.com/en/](http://www.cloudfogger.com/en/)

 _Edit:_ Why downvotes?

------
fatbat
I have only seen one outdated blog post benchmarking upload speed of the
various services being suggested here.
[http://www.proposedsolution.com/downloads/online-storage-
ser...](http://www.proposedsolution.com/downloads/online-storage-services-
performance-test/)

As a Dropbox user, I find that the files get synced very quickly and I wonder
if these alternatives (Spideroak/Wuala) being suggested will match that speed.
That will be a factor as well to consider.

------
m_mueller
What's disappointing about SpiderOak is the inability to do two-way sharing of
your data - so it's not really usable in a corporate setting.

Oh, you're saying it wouldn't be possible with client-side encryption? I say
it should be, using a mix of symmetric and asymmetric encryption:

\- have all data of a repository encrypted using a symmetric key, at first
known only by the repository owner.

\- the symmetric key gets sent on the cloud host's server, encrypted using the
owner's public key.

\- every new device or share with a new user will require a previous user (in
this case the owner) to decrypt the symmetric key using his private key and
encrypt it using a new public key that the new user / device has sent together
with its access request.

\- the cloud host simply grows a table of encrypted symmetric keys, with one
entry per device/user, besides the actual encrypted data. note that the cloud
host still can never decrypt the data, as long as the private keys never get
sent around.

~~~
rarrrrrr
It's coming! Existing SpiderOak accounts all contain a 3072 bit RSA keypair,
which is reserved for this future purpose. But it's not as simple as it seems.
Things like garbage collection, and space accounting, and various race
conditions between parties become the hard parts.

In any case, it's on the way, and it's entirely open, built with Crypton.io,
our new open source framework for building zero knowledge applications. (Which
we'll eventually port the main SpiderOak desktop app to use.) For details
[https://crypton.io/](https://crypton.io/) and
[https://www.youtube.com/watch?v=pn9DAwggza0](https://www.youtube.com/watch?v=pn9DAwggza0)
(...and to be clear, the threat model is intended for for HTML5 desktop and
mobile apps, not browser Javascript.)

~~~
m_mueller
Thanks, good to know. The challenges you describe are interesting, I'd love to
read an article about it ;-).

------
saganus
So I go to the Startup Guides, then to Getting Started. I open the PDF and
under step one I see:

"NOTE: Curious about how we retain ‘zero-knowledge’ privacy while password
creation happens on the web? Click here for more details."

But no link. So... is this a joke? why can't they explain this in their FAQ
instead of having to get a PDF then a (non-existent) link to it? I've been
searching the FAQs and under Privacy and Passwords and all I can find is:

"More information about this is on our website in the engineering section of
our website, which talks about our zero knowledge approach, the password
policy, and encryption specifications."

Engineering section? I can't see where it is.

My point is, if "security and privacy" are one of the main selling points of
the product... yet you have to jumpo through hoops and loops to get some
details on the implementation and STILL don't have the info... smells fishy..

~~~
fx5
The Sign-up process is explained here:
[https://spideroak.com/blog/20111206101528-new-browser-
based-...](https://spideroak.com/blog/20111206101528-new-browser-based-signup-
process-maintaining-zero-knowledge-privacy)

This is the Engineering Page with Encryption Specifications:
[https://spideroak.com/engineering_matters](https://spideroak.com/engineering_matters)

------
VuongN
@Doug: have you tried our (free) product:
[http://ncryptedcloud.com](http://ncryptedcloud.com)? We currently work with
Dropbox and will eventually with Google Drive & SkyDrive. Our product works
with Windows, Mac OSX, iOS & Android. We also have the Cloud Web Portal which
allows you to see your secure file via web. Keys are generated client-side. We
use open standard. We don't have access to your data AND you can securely
share your files with other people (nCryptedCloud user or not!).

I've written about the problem of cloud security and cloud privacy here:
[http://vuongnguyen.com/personal-business-cloud-
security.html](http://vuongnguyen.com/personal-business-cloud-security.html).

We're just a startup who was trying to solve our own problem with the cloud
security & privacy. Would love to hear from you.

-V.

~~~
dajbelshaw
Thanks! Appreciate the link. I have looked at some third party add-ons, but
don't want to use two cloud products when one will do.

I will take a look at ncryptedcloud.com though in case it's useful for people
I advise. :-)

------
cantbecool
Interesting solution, but the reason why I use Dropbox is due to the ever
increasing storage space limit for non-premium users. I have about 6 GBs of
space available to me, and as soon as I get remotely close to that capacity,
they usually give me an additional half of a GB.

------
temuze
Cached/mirror: [http://cc.bingj.com/cache.aspx?d=1033629403347&mkt=en-
US&set...](http://cc.bingj.com/cache.aspx?d=1033629403347&mkt=en-
US&setlang=en-US&w=VK2A0hF5_W8dUTufWle_RZ8HydZJ3Gfb)

~~~
dajbelshaw
Thanks, it's the first time one of my posts has made the front page of HN and
it kind of took me by surprise.

The cache should be able to deal with it now, but I appreciate the mirror. :-)

------
VLM
One fail in the article: "It’s worth saying at this point that I don’t, to my
knowledge, do anything wildly illegal."

The definition of illegal varies over time and you have no control over it at
all.

~~~
chiph
He's almost certainly done something illegal.

[http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.asp...](http://www.threefeloniesaday.com/Youtoo/tabid/86/Default.aspx)

~~~
dajbelshaw
Oh, I agree. What I'm trying to say is that I'm not a Silk Road user or
hosting illegal images.

+1 to changing definitions of 'illegal' (along with 'madness', etc.)

------
mb_72
All well and good ... until Spideroak stops syncing, customer support can't
explain it and you're told it will be ... get ready ... at least one month
before one of their tech guys can look at the problem. I was with Spideroak
for over a year before this happened to me, and I switched to competitor's
product. sure, no real security, but at least it's backing up my files.

~~~
rarrrrrr
I agree our ability to scale support is a problem. Very sorry it didn't work
out for you. Unfortunately on our side it's a big challenge to provide
detailed troubleshooting with individual users, especially if they are not
paying. We took Patio11's advise and offer a money back guarantee for paid
users, but we also do try to investigate and support them much better.

Since the product is zero knowledge, we can't just look at the server to see
what a problem might be. Trobleshooting involves analyzing logs from the end
point devices, find out all the relationships involved in the sync (one
machine is Mac using case preserving insensitive unicode form D, the next is
Windows with relevant regional settings, another is a Linux NFS server, a
FAT32 volume that doesn't preserve certain characteristics and has a
limitations for MAXPATH, etc.)

It often take a couple of hours of analysis to understand what a specific
situation's problem might be, and the median case is that it comes down
application level things that SpiderOak can't do much about other than explain
to people why syncing (for example) Quickbooks files between two open and
running instances of Quickbooks at the same time is not going have the effect
they desire. Or any number of combinations like that. People put very weird
stuff in filesystems.

In any case, sorry it didn't work for you. We did recently finally resolve a
couple of long standing edge cases in the Unicode sync logic in the 5.0.3
release. Let me know if you'd like to give it another try. In any case, thanks
for your interest in SpiderOak.

~~~
mb_72
Just to clarify, I was a paid user, and am still yet to receive my refund. As
I've recommended Spideroak to my clients, and several of them are also paid
customers of yours, this puts in me in a difficult position.

------
newman314
I would love to find a replacement to Dropbox that 1Password supports. Was
looking at AeroFS but turns out not to support 1Password at this time.

------
RachelF
In related news, the Chinese operator TenCent is offering 10TB online storage
for free.
[http://www.weiyun.com/act/10t.html](http://www.weiyun.com/act/10t.html)

At least your data will be behind a strong firewall

------
kudu
Although having your data encrypted everywhere is a good idea in principle,
using closed-source tools like LastPass and SpiderOak Hive isn't a good way to
do it since you have no way to verify that the data is encrypted well or at
all.

~~~
dajbelshaw
That's a good point and I'm certainly not saying this is a full tinfoil-hat
solution. But's it's better than I had before and an easy change to make for
the 99% :-)

------
akg
How does their data-encryption relate to something like Mega
([https://mega.co.nz/](https://mega.co.nz/))?

~~~
dajbelshaw
Mega's Privacy policy says:

"Your data is encrypted by you before upload to our system and therefore we do
not and cannot access that content unless we are provided with the decryption
key. You may give access to others by providing them with a link and
decryption key and you shall be responsible for their compliance with this
Policy."

But they also say that they'll comply with legal requests. These article
explain it better than me:

[http://www.technewsdaily.com/16484-mega-encryption-
flaws.htm...](http://www.technewsdaily.com/16484-mega-encryption-flaws.html)

[http://gizmodo.com/5977265/how-megas-encryption-will-
protect...](http://gizmodo.com/5977265/how-megas-encryption-will-protect-you-
but-mostly-kim-dotcom)

------
oorion
How about using btsync and hosting your own cloud?

~~~
dajbelshaw
Yes, lots of suggestions to use BTSync. I am using it, just not for this
particular use.

I want to backup and sync at the same time to an offsite server.

While I _could_ roll my own solution, I want something that I can recommend to
family/friends/my network (and that's congruent with _their_ technical
skills). :-)

------
pppp
Not open source - not possible to trust it. I switched to duplicity and a
cheap storage (shell) provider accessible via ssh.

------
andrewcooke
also, there's the weird and confusing details / thread from yesterday where
dropbox seem to be relying on security through obscurity -
[https://news.ycombinator.com/item?id=6286674](https://news.ycombinator.com/item?id=6286674)

------
diminish
could you pls document your experiences after some weeks of usage, how it
compares to Dropbox?

~~~
dajbelshaw
Yep, I'll do that. :-)

------
kylelibra
I've racked up 7.9GB on my free Dropbox account. Until there is an alternative
that offers more for free, I probably wouldn't consider switching. However,
I'm encouraged by the amount of cloud hosting services emphasizing privacy,
maybe at some point dropbox will follow suit.

~~~
loceng
Microsoft just upped their SkyDrive to 25 gigs I believe.

Edit: Actually, I guess that's for their basic paying account.

~~~
jasonlotito
Or, if you'd had a SkyDrive account before the change.

------
nodata
Why Hive and not AeroFS?

~~~
warcode
Once you use AeroFS you might as well use BitTorrent Sync.

~~~
jug6ernaut
Im not familiar with AeroFS, could you elaborate?

~~~
warcode
AeroFS is a filesync clone that operates without any central storage cloud,
but you still need to make an account that connects to their central server.

This means they control your access to the syncing your own files.

BitTorrent Sync lets me do the same thing, but under my own control. Only
thing missing there is being able to choose your own tracker.

------
dgreensp
I prefer RoachBirch Anthill, or occasionally BeePine Mound.

Think of your files as termites. BeePine Mound is like a secure mound in the
cloud for all your stuff.

