FileRock, secure Dropbox clone, has published its pricing - jivemind
https://www.filerock.com/pricing

======
FileRockDA
Hey, Daniele (FileRock CEO) here.

Just a clarification about the (seemingly high) price: the idea is to offer a
limited space where users can put their critical files (business and sensitive
personal stuff, not downloaded PDFs or DivX movies).

Something like your own private safe on the cloud, which is really really
secure because we do:

- client-side encryption (we're not able to look at your files even if we
wanted to);

- integrity check (you can verify that your files have not been tampered
with. This is our proprietary technology, I daresay nobody else does that as
efficiently as we do);

- transparency (our client is open-source, so you can actually verify our
claim that the software is secure. This is also something that few others do).

~~~
tptacek
I don't understand what you mean by "proprietary" "integrity check". I looked
at your code (only the client is open-source) and I see something about skip
lists, "proofs", and MD5.

File integrity is a solved problem, so I'm not clear on why you'd want to have
a proprietary solution here.

~~~
FileRockDA
The "proprietary" part of the solution is the efficiency it brings. MD5 hashes
for a large set of data are slow to update and not really usable for a dynamic
dataset. Our technology makes integrity checks possible in real-time.

~~~
tptacek
I'm somehow even more confused than I was before I asked. Why are you using
MD5? Stop doing that. And while I'm sure there is some scenario where simply
hashing files might be costly, I don't see how that applies to you; for
instance, every TLS record you send to your service is being "integrity
checked" using a simple hash-based MAC.

~~~
StavrosK
It seems to me that they're using a tree-based structure to avoid
hash-checking the entire file, but do hash checking in blocks and update it.
Since they're using MD5, this probably makes it easier to find a collision and
change a specific block.

Looks like they're using AES in CFB mode, which would probably complicate
things, but I don't know why people don't use CTR mode more (it looks like it
has many advantages to me, but I don't know much about crypto anyway),
although in this scenario you'd probably want to use XTS.

Anyway, "proprietary" and "cryptography" in the same sentence is generally a
big red flag to me.

~~~
FileRockDA
Sorry if I wasn't clear. We're not using MD5. And we're not using proprietary
cryptography.

What's "proprietary" is the implementation of the integrity check technology,
which is based on published research.

~~~
wglb
Ok, I see lots of calls to compute_md5.

So is the integrity check demonstrably better than HMAC?

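As an added illustration that is not part of this thread and not FileRock's code: the kind of tree-based scheme StavrosK describes, built with HMAC-SHA256 leaves and SHA-256 interior nodes instead of MD5. Editing one block rehashes only a log-sized path to the root, while the client still checks every block the server returns against a single locally kept root tag. The key, block layout, and function names are constructed for this example.

```python
"""Block-level integrity tree: HMAC-SHA256 leaves, SHA-256 interior nodes.

Constructed example (not FileRock's code). The client keeps only the root tag
locally; editing one block rehashes a log-sized path instead of the whole file,
and any block the server returns altered fails verification.
"""
import hashlib
import hmac


def leaf_tag(key: bytes, index: int, block: bytes) -> bytes:
    # Keyed and index-bound: the server cannot recompute tags without the
    # client's key, and the 0x00 prefix plus position domain-separates leaves.
    msg = b"\x00" + index.to_bytes(8, "big") + block
    return hmac.new(key, msg, hashlib.sha256).digest()


def node_tag(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix domain-separates interior nodes from leaves.
    return hashlib.sha256(b"\x01" + left + right).digest()


class IntegrityTree:
    def __init__(self, key: bytes, blocks: list[bytes]) -> None:
        self.key = key
        self.hash_ops = 0  # counts hash/HMAC computations, to show the cost
        self.levels = [[self._leaf(i, b) for i, b in enumerate(blocks)]]
        while len(self.levels[-1]) > 1:
            cur = self.levels[-1]
            self.levels.append([self._parent(cur, i) for i in range(0, len(cur), 2)])

    def _leaf(self, index: int, block: bytes) -> bytes:
        self.hash_ops += 1
        return leaf_tag(self.key, index, block)

    def _parent(self, level: list[bytes], i: int) -> bytes:
        # An odd trailing node is paired with itself.
        self.hash_ops += 1
        right = level[i + 1] if i + 1 < len(level) else level[i]
        return node_tag(level[i], right)

    def root(self) -> bytes:
        return self.levels[-1][0]

    def update_block(self, index: int, new_block: bytes) -> int:
        """Replace one block and rehash only its leaf-to-root path.
        Returns the number of hash operations spent."""
        before = self.hash_ops
        self.levels[0][index] = self._leaf(index, new_block)
        i = index
        for lvl in range(len(self.levels) - 1):
            i //= 2
            self.levels[lvl + 1][i] = self._parent(self.levels[lvl], 2 * i)
        return self.hash_ops - before


def verify(key: bytes, blocks: list[bytes], expected_root: bytes) -> bool:
    """Recompute the root from the blocks the server returned and compare it
    (in constant time) with the root the client kept."""
    return hmac.compare_digest(IntegrityTree(key, blocks).root(), expected_root)


# Constructed key for the demo; a real client derives it from user secrets.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def demo() -> dict:
    # Constructed 1000-block file.
    blocks = [bytes([i % 256]) * 16 for i in range(1000)]
    tree = IntegrityTree(DEMO_KEY, blocks)
    full_build_ops = tree.hash_ops

    # The user edits block 417: 1 leaf + one interior node per level is rehashed.
    blocks[417] = b"edited block contents"
    update_ops = tree.update_block(417, blocks[417])

    # Server returns the file unmodified: passes.
    valid_after_edit = verify(DEMO_KEY, blocks, tree.root())

    # Server returns one block silently altered: fails.
    tampered = list(blocks)
    tampered[5] = b"\x00" * 16
    tamper_detected = not verify(DEMO_KEY, tampered, tree.root())

    return {
        "levels": len(tree.levels),
        "full_build_ops": full_build_ops,
        "update_ops": update_ops,
        "valid_after_edit": valid_after_edit,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Building the tree over 1000 blocks costs 2001 hash operations, while the single-block edit costs 11 (one leaf plus ten interior nodes), which is the efficiency argument for a tree over rehashing the whole file. The keyed leaves mean the server holds nothing it could use to recompute a consistent root after altering a block, and the comparison uses `hmac.compare_digest` rather than `==`.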
------
wcfields
Quite pricey: monthly - €9.99 for 1 GB?

SpiderOak, a secure cloud file storage service, offers 2 GB free for life (plus
a handful more GBs for various promos).

------
shin_lao
Or you can use Wuala which is at least as secure and not as outrageously
expensive.

<http://www.wuala.com/>

~~~
dchest
Is it open source? Or should we just trust them without checking?
<https://www.google.com/search?q=site%3Adaemonology.net+wuala>

~~~
shin_lao
Whether you decide to trust a software publisher is a personal choice which
may or may not depend on the availability of the source code.

------
da_n
I just don't get this. Well done for open sourcing the client, but on the
front page the product is touted as fully open source so it can be audited,
but the client is only half the product (arguably less) so security cannot be
audited. The prices are also incredibly expensive, I can understand why you
pictures of old fashioned USB sticks. Good luck with your business but I can't
see how this is going to disrupt anything.

------
davidcollantes
Not open source (would you stop using the buzzword already?). Expensive as
well.

~~~
isaacaggrey
It appears their client is open source, but I agree that they are not open
source in the expected way (i.e., can't self-host):
<http://blog.filerock.com/2012/12/were-going-open-source/>

~~~
FileRockDA
Yes, our client is open-source but our server isn't. But from the point of
view of security this is sufficient, as the client does not "trust" the server
and every server reply is verified.

The client code is GPLv3, so it could be a building block for other projects
if they want to use it with a different server.

~~~
davidcollantes
Talking about the service you offer, and presenting it open source because the
client is, is misleading and sensationalist.

Also, it isn't a Dropbox clone (you wish!).

------
DeadRat79
They seem a bit expensive

~~~
tudorconstantin
They ARE expensive... and not a bit. At least for the legal uses I can think
of. Who knows, they might have a market though. Wish you the best of luck, guys.
