
Show HN: End-to-End Encrypted Cloud Storage. All Open Source - dominikmauritz
https://www.disk42.com
======
Mawaai
What has actually been modified since you cloned the Seafile source code? I
found this in the source code:

      <div class="other-info fright">
      <!--    
         <p>Server Version: 3.1.7</p>
         <p>© 2014 Seafile</p>
         <p><a href="http://seafile.com/en/about/"  target="_blank">About Us</a></p>
      -->
         <p>
           <a href="https://www.disk42.com/imprint" target="_blank">Impressum</a></p>
      </div>

~~~
dominikmauritz
Please find our code base here:
[https://github.com/disk42com/](https://github.com/disk42com/)

------
digital-rubber
"All of our code is open source and can be reviewed by anyone. This guarantees
maximum security."

"Can be reviewed" doesn't mean "has been reviewed". Nor does it imply any
quality of review, or the quality of the reviewers themselves.

And the knife cuts on two sides, though only one side is mentioned, the one
side that should attract users. Not the side where every evil-minded person
can look through the source code and abuse it before we were able to
counter/fix it.

~~~
nmjohn
> that every evil-minded person can look through the source code and abuse it
> before we were able to counter/fix it.

I think this is a worthy application of the phrase "It's a feature, not a bug."

Closed source necessitates that the software hasn't been reviewed by
independent programmers, only the authors.

Open source, while it doesn't necessitate that the software has been reviewed,
at least provides the potential for it.

~~~
digital-rubber
In my opinion, it's misleading to advertise your application/products as
'security guaranteed' because it's open source and _can_ be reviewed.

The fact that something is possible to review, doesn't imply it will actually
happen. See recent example issues of software like OpenSSL, Bash etc.

Though personally I don't see any motivation that would make me believe the
open or closed choice is the better one. They both have risks and costs, which
you need to weigh and make your choice upon. And most importantly, accept the
risks of your choice (which you can, and should, of course try to minimise).

I do cheer for any software you can choose to run/host yourself on your own
network/hardware, and not be relying on another party to run and/or host it
for you (which brings additional security issues you can't control, physical
access etc.).

------
kcorbitt
I love Seafile, and am running it on my own VPS right now as my primary file
sync/store.

I'd love for more companies to pop up offering hosted Seafile instances. Right
now I'm hosting my own because I like having the guarantee that it won't get
pulled out from under me or change the TOS in an unexpected way, but I don't
like being my own sysadmin when things go wrong (not that things go wrong
frequently -- the software is high quality and stable). If there were multiple
competing providers it could form an ecosystem like Wordpress where the risk
of bad actors is low because of how easy it is to pick up your data and move
to another platform with a minimum of fuss.

However, based on the lengths disk42 has gone to to omit any reference to the
Seafile project, it appears they aren't interested in participating in that
ecosystem, which is a shame. I guess I'll just have to keep waiting.

~~~
dominikmauritz
Currently we are setting things up. In the future we will definitely be
participating in our ecosystem. You might be interested in this:
[https://github.com/disk42com/disk42/blob/master/README.markd...](https://github.com/disk42com/disk42/blob/master/README.markdown)

------
nodata
The lack of positive, constructive feedback in this HN comments thread worries
me. Come on people!

~~~
aw3c2
This is just a hosted Seafile installation from an outdated fork. Negative
feedback is what this should get by all means, if only for being dishonest and
evasive about the software used.

~~~
nodata
Then the comments should be both constructive and negative, explaining the
situation like yours did.

------
mobiplayer
This is the pinnacle of bootstrapping or even the lean startup: launch early.
So early that they didn't need to code much, which is great! It is also great
to see businesses growing (or trying to) around open source developments.

Doesn't anyone want to see Seafile further developed? If these guys get
traction, they surely will have to chip in to Seafile, be it with cash or by
contributing code themselves.

What's wrong with this, HN? Seafile could be great, but it's nothing if not
implemented. Someone has to maintain those servers and take care of security.
That's why SaaS does exist.

Why is no one asking questions about how they deployed Seafile? What are their
plans to scale? Did they run any load tests? Please, something interesting.

------
winstonschmidt
Looks great! Could you explain the differences to Seafile, whose code you
built upon?

~~~
dominikmauritz
Seafile is great software that we modified to fit our needs. At this point
most of the changes we made to Seafile make sure that files are encrypted on
the user's device.

~~~
aw3c2
Seafile already lets users simply encrypt repositories if they want. What did
you actually change, just made it default and obligatory?

------
dcposch
This is awesome. End-to-end encryption is the natural solution to the problem
of universal surveillance as well as more mundane issues, like companies
losing data and servers getting hacked. I think it's very elegant that one can
build useful services with untrusted servers.

The algorithms for end-to-end encryption are there, but usability of actual
implementations has been pretty terrible so far. For example, compare the
usability of Gmail vs Thunderbird+Enigmail. Or compare the usability of
Dropbox and Tarsnap. I've actually wondered why there isn't a good end-to-end
encrypted Dropbox alternative that's remotely as easy to use. I hope this
works out.

Beautiful, usable end-to-end encrypted software is the future. See, for
example, Keybase, @moxie's Signal or Whatsapp. The only caveat is that writing
secure software is really hard. I just made a disk42 account, but I'll treat
it as an untrusted demo until it's had more test mileage and outside code
review.

Also, curious:

* How do you detect changes in the synced folder?

* How do you do conflict resolution (if a file is edited simultaneously on two different client machines)?

* What algorithms, key sizes, etc do you use for the actual encryption?

~~~
aw3c2
See [http://freeplant.gitbooks.io/seafile-server-manual/](http://freeplant.gitbooks.io/seafile-server-manual/)
and [https://github.com/haiwen/seafile-docs](https://github.com/haiwen/seafile-docs),
that's the software this provider uses.

------
aw3c2
What revision of the seafile components was used as base?

~~~
aw3c2
[https://github.com/disk42com/disk42](https://github.com/disk42com/disk42) ==
[https://github.com/haiwen/seafile/releases/tag/v3.1.7](https://github.com/haiwen/seafile/releases/tag/v3.1.7)
(almost 2 months out of date)

[https://github.com/disk42com/ccnet](https://github.com/disk42com/ccnet) ==
[https://github.com/haiwen/ccnet/tree/dd3f1fab491dfcec8b8ca30...](https://github.com/haiwen/ccnet/tree/dd3f1fab491dfcec8b8ca30dbcc75b890cb3529a)
(3 months out of date)

Looking at seafile-client at the moment, this reeks of an unmaintained and
dishonest fork. They did not even bother merging encryption related changes
from upstream. Stay away.

Code is sometimes commented out and sometimes marked with a "code42" comment.
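
The fork-to-upstream comparison above, done by hand against v3.1.7, can be
scripted. The following is an added example and is not code from this thread,
from disk42 or from Seafile: it builds two throwaway git repositories (labelled
"constructed") standing in for haiwen/seafile and disk42com/disk42, then
reports how many upstream commits the fork is missing, how many commits it has
added, which tag sits at the fork point, and which unmerged upstream commits
touch a crypto source file. The file names, commit messages and tag are all
constructed for the fixture; against real repositories you would run
`git remote add upstream <url> && git fetch --tags upstream` inside the fork
instead of `mk_fixture`.

```shell
#!/bin/sh
# Added example (not from the HN thread, disk42 or Seafile): measure how far a
# fork has drifted from its upstream. Requires only git and a POSIX shell.
set -e

# Identity for the fixture commits so the script runs on a box with no git config.
export GIT_AUTHOR_NAME=fixture GIT_AUTHOR_EMAIL=fixture@example.invalid
export GIT_COMMITTER_NAME=fixture GIT_COMMITTER_EMAIL=fixture@example.invalid

commit() {  # $1 repo, $2 file, $3 message: append a line to the file and commit it
  mkdir -p "$(dirname "$1/$2")"
  echo "$3" >> "$1/$2"
  git -C "$1" add -A
  git -C "$1" commit -q -m "$3"
}

# Constructed fixture: upstream/ gets 4 commits with tag v3.1.7 at the second,
# fork/ is cloned at v3.1.7 and then adds one local commit of its own.
mk_fixture() {  # $1 scratch dir
  root="$1"
  rm -rf "$root"
  mkdir -p "$root"
  git -c init.defaultBranch=master init -q "$root/upstream"
  commit "$root/upstream" common/seafile-crypt.c "Add repo encryption (constructed)"
  commit "$root/upstream" README "Release 3.1.7 (constructed)"
  git -C "$root/upstream" tag v3.1.7
  git clone -q "$root/upstream" "$root/fork"
  commit "$root/fork" web/footer.html "Replace footer with imprint (constructed)"
  # Upstream moves on, including a change to the crypto code the fork never merges.
  commit "$root/upstream" common/seafile-crypt.c "Harden encryption routine (constructed)"
  commit "$root/upstream" README "Release 3.1.8 (constructed)"
  git -C "$root/fork" remote add upstream "$root/upstream"
  git -C "$root/fork" fetch -q --tags upstream
}

# $1: fork checkout with a fetched 'upstream' remote.
# Prints "<commits behind upstream> <commits ahead of upstream> <tag at fork point>".
fork_lag() {
  base=$(git -C "$1" merge-base HEAD upstream/master)
  behind=$(git -C "$1" rev-list --count HEAD..upstream/master)
  ahead=$(git -C "$1" rev-list --count upstream/master..HEAD)
  tag=$(git -C "$1" describe --tags --exact-match "$base" 2>/dev/null || echo untagged)
  echo "$behind $ahead $tag"
}

# $1: fork checkout, $2: pathspec. Lists upstream commit subjects that touch the
# pathspec and are absent from the fork, i.e. fixes the fork has not picked up.
missed_changes() {
  git -C "$1" log --format=%s HEAD..upstream/master -- "$2"
}

scratch=$(mktemp -d)
mk_fixture "$scratch"
echo "behind ahead fork-point: $(fork_lag "$scratch/fork")"
echo "unmerged upstream commits touching common/seafile-crypt.c:"
missed_changes "$scratch/fork" common/seafile-crypt.c
rm -rf "$scratch"
```

On the fixture this prints `2 1 v3.1.7`: the fork sits at the v3.1.7 tag,
carries one commit of its own and is missing two upstream commits, one of them
in the crypto file. The same three numbers, run against a real fork, are what
to check before trusting a "modified" copy of a security-sensitive project.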

------
mosselman
Can I self-host this? If not, then how can I be sure that your server is
running the version of the software in the open-sourced repo?

~~~
nodata
Why would you need to be sure of that?

~~~
stephenr
Because they can say "hey look at our code here" when in fact they're running
something else entirely.

~~~
danbruc
But that does not matter if you trust your client and everything gets
encrypted locally. That's the entire point of client-side encryption: not
having to trust the server. Just review and then compile the client. And just
self-hosting the server will not make you any safer, because the client may be
rogue and send your data to anyone.

------
ubergesundheit
Nice!

Since your imprint states you have your offices in Germany, I presume you are
also hosting in Germany? What providers do you use?

------
finid
I just installed the Ubuntu client on Linux Mint 17.1. Ran into a dependency
issue, but "sudo apt-get -f install" fixed it.

The client and the Web dashboard still need some work, which they alluded to
in the introductory video.

Overall, I think this looks very promising. Will wait and see what the next
few months bring.

------
geographomics
Interesting project, but I'm rather wary that the claimed security could be
attacked in a similar manner to Hushmail:
[http://www.wired.com/2007/11/encrypted-e-mai/](http://www.wired.com/2007/11/encrypted-e-mai/)

------
davidw
That raised fist has some political connotations in many places:

[http://en.wikipedia.org/wiki/Raised_fist#Logo](http://en.wikipedia.org/wiki/Raised_fist#Logo)

------
nodefortytwo
With the Ubuntu client, is there a CLI exposed? We use Ubuntu servers for our
infrastructure; it would be nice to deliver files from certain servers to
non-technical users. Is that possible?

~~~
dominikmauritz
That's not possible. At least not yet.

------
XorNot
So this seems bold. I just cloned all the repos, thinking I'll try and
dockerize the server end to see what it's like.

~~~
aw3c2
Watch out, the repos are out of date from upstream which is
[https://github.com/haiwen/](https://github.com/haiwen/) . You probably want
security fixes and updates from that...

------
_jomo
Can you explain how the data is encrypted?

Why do you only support _Ubuntu_ Linux? Doesn't it run on other distros?

~~~
finid
I'm guessing they had to start somewhere, and that support for other distros
will follow probably after they've implemented support for mobiles.

------
Rafert
Typo on the main page: "At disk24 we believe in privacy."

~~~
dominikmauritz
Thanks. Fixed.

~~~
xnull2guest
May I suggest "At disk24 we believe in liberty"?

I know it's more heavy-handed, but it falls in line with the Appelbaum quote
"What we used to call liberty and freedom we now call privacy... and in the
same breath we will say that privacy is dead."

------
3zzy
Logo is a floppy disk? seriously?

