

As Customers Seek Privacy, AeroFS Emerges With Stealthy File Sharing Software - newy
http://blogs.wsj.com/venturecapital/2013/11/22/as-customers-seek-privacy-aerofs-emerges-with-stealthy-file-sharing-software/

======
yurisagalov
I want to quickly distinguish our Hybrid Cloud offering from our Private Cloud
offering since I thinks this may keep coming up in this thread.

In the Hybrid Cloud offering (this is our 'classic' or previous offering
that's been available for quite some time) we don't store any data on our
servers. However, because some communication does happen with our servers
(e.g. for registration), we heard from businesses and enterprises that they
would like a completely on-prem solution to guarantee no data goes to our
servers.

This completely on-prem solution is the AeroFS Private Cloud. It's a virtual
machine that is packaged as either an OpenStack image or an OVF/OVA file
(supporting VMWare/Virtualbox), and in this VM absolutely no communication
happens with our servers, period.

(and you can easily verify that)

~~~
marquis
I'm curious how you can make money on selling software as an appliance, and
guarantee that a customer won't just replicate the system to have more
servers?

~~~
mattzito
As the other reply said, to a certain extent you have to trust your customers.
Big companies don't want to be exposed to liability - I know of a large
organization that accidentally skimped on their license accounting for a
database product (not Oracle) and got handed a $40m bill. They negotiated it
down from there, but still, people lose their jobs over things like that.

Along those lines, the contracts that customers sign should always include a
clause that says you have the right to audit them if you believe they are not
in compliance. Typically, you don't want to do that unless you absolutely have
to, but it can be a useful tool when renegotiating enterprise "all-you-can-
eat" support contracts.

Still, there's technical stuff you can do. Log the IP address, hostname,
hostid, mac address, and so on into your logs on startup. Then, when a
customer submits a support case and uploads log files, store that info
somewhere. Or create a "support package" that includes anonymous usage data
and ask customers to upload.

But the absolute last thing you want to do is deal with licenses and keys and
hard limitations. All you'll do is piss off your customers when they hit their
hard limit under a deadline at Friday at 4pm.

------
pwnna
AeroFS is not open source.. and really in this climate we can't say it is
going to guarantee privacy.

(This does not mean that OSS guarantees privacy, it is just a necessary
condition.)

~~~
yurisagalov
Actually, with our Private Cloud offering you pretty well can guarantee
privacy by simply firewalling the virtual appliance from the rest of the
world, if you would like to :)

Feel free to sign up and packet inspect the traffic!

~~~
LiamMcCalloway
It's a nice way to alleviate the barrier to monetization that open-source-as-
security poses. In short, instead of having lamdba user trusting 'the
community' for security audits, now each user has to implement security
measures.

This leaves users holding the bag. Well, it should work for you but remains
subpar.

Congrats nonetheless.

~~~
clarry
In my experience "the community" cannot be trusted for security audits, as far
as most FLOSS goes. In fact if a program can be "made secure" by _yourself_
just by firewalling it properly, I'd be more inclined to trust that measure
over any FLOSS community audit.

Having said that, the idea of running software I mistrust so much that I
_have_ _to_ firewall it on my network is unacceptable.

~~~
LiamMcCalloway
I agree wrt security-through-community and its weaknesses. And indeed turning
your guns inwards seems like the wrong move.

------
davidjgraph
What interest me at the moment, as someone who builds a web application
without any user management or storage (i.e. purely to integrate which other
storage solutions), is how to integrate with solutions like this behind the
firewall.

I get asked this question probably 10-15 times a month and the rate is
growing. The problem is that without there being a common solution that
application vendors can share, they all seem to end up implementing something
custom and that looks a complete mess.

Anyone know of any inside-firewall storage solution that implements something
like this, or is the best available solution LDAP + WebDav and do the rest
yourself?

------
nacs
I've been using AeroFS for over a year now and its fantastic.

I switched from Dropbox to Aero for all my home computers (of which I have
Windows and Linux desktops and Mac laptops) and the unlimited storage (as much
as your home computers can hold) is great. Plus the files are only synced
within your own computers so security/privacy is much better than uploading
all your files to a public service like Dropbox.

The only negative as compared to Dropbox is that their client is not as
efficient (it's Java based and takes a bit more resources than Dropbox).

~~~
hsshah
Did u look into Tonido or owncloud before deciding on this? Curious to know
your take on them.

~~~
nacs
I was looking for a fast file syncing solution that worked on Win/Mac/Lin and
didn't really need any GUI or web interface for my files like those 2 services
seem to focus on.

Also Tonido has a 2GB limit on their free plan whereas AeroFS lets me sync as
much files as I have storage space on my computers (so literally hundreds of
GB).

------
fatbat
Anyone know of a simple comparison chart with the many options available now?
(eg- AeroFS/BTSync/SpiderOak/Mega/Bitcasa/Cubby/Younited/Dropbox)

------
gwu78
Not sure if others agree, but I think these "privacy"\- centered alternatives
to "cloud" need to be open source to be taken seriously.

Now that is only my opinion - and I am not in sales. But in my view, you
cannot pitch a privacy solution honestly without disclosing the architecture
of your proposed system, and the only practical way for anyone to verify that
architecture and your implementation is going to protect privacy is to look at
the source code.

Of course, you can pitch a solution and be less than 100% transparent about
how it works. And this may be enough to make sales. But there's no way for the
customer to really know if you're being honest unless they, or their trusted
agent, can read and compile the source code.

Assuming there are open source alternatives to "cloud" (e.g. peer-to-peer
architectures), then maybe there is a market for "privacy consulting" where
customers pay consulting fees for the know-how to use open source alternatives
to construct data transfer and storage systems that can deliver a level of
privacy that the "cloud" architecture cannot. I don't know. I'm just thinking
out loud.

Anyway, it's good to hear WSJ saying customers are seeking privacy. The market
will no doubt respond.

~~~
rcthompson
You don't think even their "Private Cloud" solution is sufficient for a
security-conscious customer?

~~~
gwu78
Do you have a link to a tarball for "Private Cloud"? Then I'll tell you what I
think.

------
Pxtl
I'd rather see proper home-hosted solutions - a nice turnkey
OwnCloud/IMAP/webmail box. The problem is that devices like this would also
have to act as your wifi router to get proper turnkey user-friendly behavior.

~~~
pknight
ArkOS is worth a look

------
rcthompson
So, if you use the Hybrid Cloud version, does all syncing have to go through
the AeroFS servers, or can machines on the same LAN sync directly to each
other?

~~~
yurisagalov
Machines can sync directly in most cases (especially on the LAN, and even over
the Internet). If, for some reason, communication cannot be established
directly between machines, a relay server is used, but the traffic is
encrypted end-to-end between the devices, so the relay server cannot decrypt
it or MITM it.

Take a look here[1] for the security spec

[1]
[https://www.aerofs.com/security/spec](https://www.aerofs.com/security/spec)

------
jkahn
I've been watching AeroFS for quite a while. How does it compare to Citrix
ShareFile? It sounds like they are both in the same problem space.

------
johncoltrane
Customers who seek privacy won't find it in the cloud. If they want to keep
their stuff private, they should keep them for themselves.

~~~
orthecreedence
Why? You can have both. Encrypt everything before uploading, decrypt on
download (and I don't mean SSL, I mean client encrypts, sends _encrypted data_
over SSL, data is stored encrypted, only decrypted by client).

Data is kept private _and_ data is in the cloud.

~~~
bostik
> _You can have both. Encrypt everything before uploading, decrypt on download
> (and I don 't mean SSL, I mean client encrypts, sends encrypted data over
> SSL, data is stored encrypted, only decrypted by client)._

Yep, client-side encryption is the only working solution.

The funky bit is that on Linux you can make this fully transparent at the OS
level. Expose remote storage via iSCSI, and attach to it so the storage shows
up as a block device on your client system. Then put regular on-disk
("partition level") encryption on top of the blockdevice using cryptsetup, and
that's it. All storage data sent over the wire is now encrypted, and the
crypto mapping layer takes care of hiding the gritty details.

Because the encryption happens beneath the filesystem layer, all the usual
tools work as before. For them the only difference is the latency. (Network
connection naturally causes an upper bound that is way lower than a local
drive.) Works wonderfully for backups, where you want to do incrementals in
any case. Just ship rdiff deltas and have a backup tool which takes care of
the work.

I actually implemented this as my Master's thesis back in 2006, only to be
informed later on that logically identical construct had been shown as early
as 2003.

------
natch
What does this give me that I couldn't build with rsync?

I'm not challenging it, just wondering.

~~~
btgeekboy
Imagine if rsync was called automatically after every single time a file was
changed. And that rsync was done in a mesh, with all of your clients getting
synced simultaneously and almost-instantly.

------
bcx
Congrats on the WSJ article.

------
galapago
I'm getting "404: Page Not Found"..

~~~
yurisagalov
seems like the WSJ site is having intermittent problems. It looks like the
article is back now

