

Protect Yourself From The NSA With WireOver’s (YC W12) Encrypted File Sharing - tashmahalic
http://techcrunch.com/2014/01/17/wireover/

======
devcpp
Closed source, no thanks. I'm going to follow their approach of "trust no one"
and not trust them and warmly recommend everyone to do the same. If you
actually mind about security, use GPG.

~~~
dcposch
After the NSA leaks, the security community is scrambling to verify that
_widely-used, open-source_ software is free from backdoors. With dual_ec_drbg,
we know at least one case where a cryptographic primitive itself was
compromised. Furthermore, we know now that governments can and do force
companies to compromise their own users, in secret, under gag orders.

Why anyone would use closed-source "security" software today is beyond me.

------
edj
_Really_ good copy on the WireOver homepage. Kudos!

I counted a mere 99 words (not including navigation) and every one of them
tells. Concise and casual is a powerful combination.

I especially like the slogan/pitch:

 _Send Big Files Really Securely_ tells me exactly what the product does and
makes me think it'll be easy and fun to use.

~~~
hnriot
Unlike the TechCrunch article, which has some glaring errors (don't they have
proofreaders anymore?) as

"You can just upload a file, email someone a link, and shut off your
computer."

* should be "can not"

~~~
tashmahalic
They fixed it.

------
mintplant
Important to note that only paid accounts get end-to-end encryption. Transfers
on free accounts are unencrypted.

[http://www.wireover.com/pricing/](http://www.wireover.com/pricing/)

~~~
derefr
That... kind of stinks, actually. If your free version doesn't offer the value
proposition that makes people excited about your service in the first place,
you should perhaps rethink having a free version. It's like giving away
popsicles without the stick.

~~~
gfodor
or, depending on your point of view, sticks without the popsicle :)

------
eps
I tried it a few months ago and was not impressed. The installer hung on the
first run. The app itself crashed. When I tried again in a week they seemed to
have a new version and that one actually launched. However it looked
completely foreign in Windows as if it were written in Tcl/Tk or some other
cross-platform oddity. I clicked through the UI, tried to initiate the file
transfer and then gave up. The reason was not that it didn't work, but that it
looked like a half-baked product that shouldn't really be let out, even into the
beta. You'd expect to find something like this on SourceForge, but not in the
form of a commercial _security_ product. It just wasn't trust inspiring :-|

That said, I realize that they could've redone the app from scratch in the past few
months, so take the above for what it is - an impression from a beta.

~~~
tashmahalic
I suspect that you tried it when we were in private beta. The UI and
reliability are significantly improved. Give it another try.

------
2bluesc
I use [https://www.sharefest.me/](https://www.sharefest.me/) for quick file
transfers and it just works with only a web browser. Only downside is Chrome
and Firefox don't inter-operate.

Not that sure about level of security, but I have a harder time trusting
proprietary software over OSS stuff.

With sharefest I could even run my own service if I wanted to, all the code is
on Github.

------
malandrew
Source visible? How are keys exchanged? How do you make sure the person you
are sending the file to is in fact that person and not someone else?

~~~
eliteraspberrie
They say key exchange is by Diffie-Hellman, and authentication is by
validating fingerprints.

[http://www.wireover.com/security/](http://www.wireover.com/security/)

~~~
ctz
"WireOver uses what we believe are the most appropriate, safe, up-to-date,
peer-reviewed crypto primitives, implementations, and parameters [...]
Fingerprint Algorithm: MD5"

I fear this page was written with a straight face :(

~~~
tashmahalic
There's a tradeoff between collision resistance and fingerprint string length.
We chose MD5 because people are comfortable with it in ssh, it's a shorter
string to verify than something like SHA-256, and because we planned to make
your peer's entire public key base64 available if you really wanted to go that
extra mile (currently not available).

What would you prefer personally: (1) MD5 fingerprint for convenience AND
entire peer public key base64 available if you really want; vs (2) just a
longer SHA-256 fingerprint.

~~~
pjscott
If you just want a shorter string, I'd prefer truncated SHA-256.

~~~
tptacek
Yes, this is the correct way to get a shorter hash. Using MD5 is a terrible
idea.

~~~
tashmahalic
We're changing it.

~~~
tptacek
Good call.
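
The fingerprint sub-thread above (MD5 versus truncated SHA-256), as an added example that is not part of the original thread and not WireOver's code: both functions yield the same 128-bit, 47-character string to read aloud, but only the second rests on a hash with intact collision resistance. The key bytes, function names and the 96-bit lower bound are assumptions of this sketch.

```python
import hashlib
import hmac

# Constructed sample: stand-in bytes for a peer's public key (not a real key).
SAMPLE_PUBKEY = b"constructed-sample-public-key-bytes"


def _colon_hex(digest: bytes) -> str:
    """Render bytes as colon-separated hex pairs, the style ssh users know."""
    return ":".join(f"{b:02x}" for b in digest)


def md5_fingerprint(pubkey: bytes) -> str:
    """Legacy form: 128-bit MD5, whose collision resistance is broken."""
    return _colon_hex(hashlib.md5(pubkey).digest())


def truncated_sha256_fingerprint(pubkey: bytes, bits: int = 128) -> str:
    """SHA-256 cut to `bits` bits; at 128 it is as short as an MD5 fingerprint."""
    # The 96-bit floor is this example's choice, to refuse trivially short values.
    if bits % 8 or not 96 <= bits <= 256:
        raise ValueError("bits must be a multiple of 8 between 96 and 256")
    return _colon_hex(hashlib.sha256(pubkey).digest()[: bits // 8])


def normalize(fp: str) -> str:
    """Drop separators and case so a pasted or dictated value compares cleanly."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def verify_fingerprint(pubkey: bytes, claimed: str, bits: int = 128) -> bool:
    """Recompute from the key actually received; compare in constant time."""
    expected = normalize(truncated_sha256_fingerprint(pubkey, bits))
    return hmac.compare_digest(expected, normalize(claimed))


if __name__ == "__main__":
    print("MD5          ", md5_fingerprint(SAMPLE_PUBKEY))
    print("SHA-256/128  ", truncated_sha256_fingerprint(SAMPLE_PUBKEY))
```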

------
benologist
Why did it take so long to launch? It looked like it was ready to go ~2 years
ago.

~~~
logicallee
who cares? Comments like this are why innovators have to work in deathly
secrecy.

------
abemassry
for a free similar service check out:

[https://github.com/abemassry/wsend-gpg](https://github.com/abemassry/wsend-gpg)

it's a little different premise, but worth checking out

~~~
diasp
Send encrypted PGP messages by one click:

[https://github.com/encrypt-to/encrypt.to](https://github.com/encrypt-to/encrypt.to)

Another free service with PGP support.

------
kabouseng
So if sending files in the clear is free, what's stopping me from encrypting
the files myself and then sending them? Is their value in key exchange,
convenience?

~~~
eliteraspberrie
Try explaining encryption to a doctor/lawyer and you'll have the answer to
your questions.

~~~
yapcguy
In my experience they are fine with encrypting PDFs. Adding a password to a
ZIP seems to be more of a stretch.

------
ernestipark
Congrats on launching! I met Trent briefly a few months ago, but it's clear he
has an awesome focus on building a solid, secure product. It seems like it
took a while to get this out the door but when your core value prop is
security, you can't really cut corners.

Haven't sent a file yet but the download/signup flow was super easy - I was
ready to send in about 20 seconds.

------
lowglow
Didn't Sendoid do this from YC W11?

~~~
tashmahalic
Indeed, but they are no more. There’s still a relatively unmet need for
sending huge files fast (and free) and for sending with incredibly strong
security.

~~~
lowglow
Have you chatted with them and asked them what their experience was like?

~~~
tashmahalic
Yes.

------
MWil
I like their warrant canary for the simple reason that it says "we have
received 0 requests from any government agencies to provide any information
about any of the following: our users, transfers, code, security architecture,
or security credentials."

Although, making a list explicit like that is a creative lawyer challenge to
look forward to - I'm not going to ask for something on that list, but I'll
ask about something else...

~~~
trobertson
I'm not sure how useful that canary is going to be, though. Secure transfer of
large files is a powerful tool for many people, including unsavory types like
child porn distributors. I expect and encourage the government to investigate
things like that, and those lawful, ethical investigations are going to bump
the counter, making a lot of people think "The NSA is all up in our filez!".

~~~
MWil
I think that's why it's important to pay attention to the President's reforms
- as in, see which ones can make actual improvements even if they all can't.
Changing the gag order process has the ability to do this b/c you can have,
for example, a counter for child porn, a counter for domestic terrorism, a
counter for foreign terrorism. Not by providing the service with any
confidential files that are part of the case but by making sure some public
advocate who does know the type of case can see to it that it's been coded
into the gag order appropriately. I'm just spitballing off the top of my head
but what argument would they have to not allow a service provider to show that
child pornographers should not expect to be safe here - it's win win.

------
dpweb
Just started using btsync and pretty impressed with the ease of use so far..
Couldn't get dropbox going on Linux..

------
tashmahalic
Thank you, commenters. Your feedback carries weight.

We have a "Friends of WireOver" group that we'll occasionally ask for
feedback, advice, and new release testing. Email friends_at_wireover_dot_com
to join.

------
sachleen
How do you uninstall this?

Edit: Click gear icon, go to About tab and there is an uninstall button.
Support was very quick to respond to me.

------
hobbes78
I just create a torrent for the big file and email that torrent to the
recipient...

~~~
derefr
Torrents don't necessarily work behind NAT, especially corporate NAT. (And
they never will, because there's really no cost-effective way to provide an
M:N equivalent of TURN[1], unless you throw the advantages of peer-to-peer
transfer away entirely by creating a hub-and-spoke model.)

[1]
[http://en.wikipedia.org/wiki/Traversal_Using_Relays_around_N...](http://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT)

------
vollmarj
Congrats on the launch!

------
elwell
If not in-browser, not interested; sorry.

