Hacker News
Backify Offers 512 GB Free Online Backup Storage (tomshardware.com)
67 points by vgcuwnkh 1814 days ago | 61 comments



WARNING: DON'T SIGN UP.

I signed up, and as makethetick pointed out, they sent me the plaintext password via email. I decided to close my account but first thought I should change the password. The change password form just spits error alerts showing the underlying html code.

I can't trust these guys with ANYTHING.


I was just going to post this. I signed up, activated my account, and then immediately received my password in plaintext! What are these guys thinking? Way to subvert trust...


It's because of sites like this that I started using unique passwords for every new login. Chrome + OSX Keychain make this reasonably easy now. Looking forward to the day when the browser will just automatically generate one for me.

Of course, I'd not trust backing up my data to a site that fails so miserably at basic security.


  > Looking forward to the day when the browser will just automatically generate one for me.
Well, almost: https://www.pwdhash.com/


I use pwdhash for pretty much everything. It's great, but it can be a pain for signing into services on an application or device that doesn't support automatic expansion.


If you need more than Dropbox's 2GB for free, SkyDrive offers 25GB. It's not as usable, though.


This is a reseller account of LiveDrive - http://www.livedrive.com/ForResellers/Pricing

I looked into the exact same thing to resell to my customers (non techie, average users interested in digital preservation)

Easy for me to tell based on the "briefcase".

The reseller costs like $60 a month and has "unlimited users, unlimited space" - so you decide if it is sustainable.

White label (which I assume they are doing) is $1100/year.

I considered doing this for $5/month, the break even is very low.


I used to have LiveDrive probably 6 months ago (whom they are reselling from), but I found the Mac client quite buggy. Briefcase didn't work and backups took ages, far longer than they should have done. I will give them credit for fantastic support and no questions asked refund, which was pretty awesome. They might have fixed the issues now, I hope they have, but still I would go directly to LiveDrive rather than a reseller, particularly since the site appears to have been thrown together. Someone probably thought they could make some quick money. I only hope when they shut down, LiveDrive are considerate enough to migrate everyone's accounts.

Currently quite happily using BackBlaze for my personal computers, and working on an open source backup tool for servers </shameless>


I dropped my LiveDrive account a while ago due to poor client software. It's sad to hear their Mac client still sucks. You'd think by now they would have worked out the problems.


Do you have a link to your open source backup tool?


It doesn't work yet =)

Because I like to work to specification, I wrote a readme before I started the project, which might show the general direction I'm trying to go with it. When I get home tonight I'll stick it on a gist and link it.



I've just signed up and received my confirmation email along with my email and the PASSWORD that I defined.

WARNING: These guys use plaintext passwords!!

Edit: I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link.


> I've just signed up and received my confirmation email along with my email and the PASSWORD that I defined. WARNING: These guys use plaintext passwords!!

It's not difficult to send a confirmation email that contains your password without having to store your password in plaintext anywhere.

Now, I don't know whether they store passwords in plaintext, but it's unfair to make such accusations based on the content of a registration confirmation email.

> Edit: I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link.

Again, there could be a less-than-ideal explanation for this, so we don't know 100% (I was hoping to see a "forgot password" link somewhere to test this with), but this does raise suspicions.


Who cares if it's technically possible not to store a password in plain text even though it's in an e-mail?

If they're sending passwords in plaintext they're incompetent and not to be trusted, especially for this kind of service. Ouch.


> Who cares if it's technically possible not to store a password in plain text even though it's in an e-mail?

For one, I do. There's a world of difference between handling an HTTP POST and storing passwords in the clear in the db.

> If they're sending passwords in plaintext they're incompetent and not to be trusted, especially for this kind of service. Ouch.

I pretty much agree, but stand by my point that sending a password in a confirmation email is the lesser of the two evils.


Ok for me, storing an encrypted password that is reversible is the same thing as storing a plaintext password. Means that people at least in their company can see my PW. Which means that if I used same PW as my email, they have it.

Let's take it a step further... If this is insecure, how much trust can you put that your data is secure? The goal of good online backups is that the only way to actually read data from the backup is to have the user's password. They clearly don't have that as everything is reversible.

Dropbox used to claim to be like that, not anymore. Which is why I don't trust dropbox with private data. Instead I store it using AeroFS with local replication.


I don't think he meant that the password is stored in a reversible format. He meant that the e-mail is sent out before the password is encrypted and stored.


Thanks, this is exactly what I meant :)


No, it's not difficult, it's just extremely insecure.

Email should always be treated as an insecure channel, so sending passwords over it is just bad security practice.

The system should only hang onto the password for as long as it takes to hash it.
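
An added example, not part of the thread and not Backify's code: a sketch of the signup, activation link and confirmation email flow discussed above, in which the password is hashed on receipt and never reaches the database or either email. The in-memory `db` dict, the `outbox` list, the `backup.example` URL and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db: dict, outbox: list, email: str, password: str) -> None:
    """Hash on receipt; the plaintext is never written to db or outbox."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    db[email] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        # Keep only a digest of the activation token, so a leaked
        # database cannot be used to activate accounts.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "active": False,
    }
    # Hypothetical URL; the mail carries a one-time token, not the password.
    outbox.append((email, f"Activate: https://backup.example/activate?t={token}"))

def activate(db: dict, outbox: list, email: str, token: str) -> bool:
    user = db.get(email)
    if user is None or user["token_hash"] is None:
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, user["token_hash"]):
        return False
    user["active"], user["token_hash"] = True, None  # token is single-use
    # The confirmation names the account only; nothing had to be kept
    # around between signup and activation to build this message.
    outbox.append((email, f"Your account {email} is now active."))
    return True

def verify_login(db: dict, email: str, password: str) -> bool:
    user = db.get(email)
    if user is None or not user["active"]:
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])
```
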


Usually, when you receive your password after signup that does not necessarily mean it is stored in plaintext, because the password can be kept in memory through the process.

It is a warning sign though, agreed.


I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link.

Sorry, should have added that previously.


> I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link

That's not a good sign. The best case scenario I can think of is that the email body is generated at registration and sent out once the activation link is clicked. After this the template is deleted. But it'd be far easier just to store your password in plaintext and go from there.

Like you, I'm suspicious.


Honestly, I would rather a site store my password in plain text than send it to me via email. At least if it's stored in plain text, it still requires a security breach to access it. Sending a plain text password via email is no worse than having an insecure (non HTTPS) login form.


Doesn't necessarily mean they store plain text passwords. Still a bad sign, but they could simply be sending you the email with your password before they hash it.


It looks a bit suspicious. There's no way they can cover their costs with these prices. Either prices will go up or the business will go down.


From http://www.backify.com/ :

> Even the employees of Backify can not access your data.

This is good news. It might be enough to make me switch from Dropbox, everything else being equal.


But they can access your password, stored in plaintext http://news.ycombinator.com/item?id=3110634


Ouch. Well, based on that and other comments, this definitely does not look like an appealing replacement for dropbox.


I tend to think that if the information I'm backing up is sensitive it should either be backed up only to services I run or should be encrypted before it gets sent to any 3rd party service. I wouldn't trust any "we can't see your data or know your credentials" assurance from a relatively unknown (or most known) 3rd parties.


I agree completely, although I do take comfort in someone claiming they cannot access my data. I wouldn't store any confidential data there in any event, but at least if they are trying to design it so that even they cannot access that data, it seems there is a slightly lower chance of it being leaked to the internet.

Dropbox already had one case where you could log in without a password. That could never happen if they actually needed the password to decrypt the data.


If they encrypt they have the key and someone must have access to it so this cannot be 100% true, same as Dropbox etc.


So, I go on the "Support" section to send them a message..:

  Hi, two things:

  1- The key <enter> should submit forms. (It didn't work in the signup form, the login form and some dialog box popping in).

  2- You sent me my password by e-mail.. which means you've got it in cleartext in the database. How can you then say it's secure..?
And, I get an infinite loop of javascript alert with "parsing error" and a bunch of html in it.

Seriously, not really professional. I mean, I can understand for other kinds of apps; but this is backup and highly confidential information.. this shouldn't happen. A little bit like you can judge a whole building based on the bathroom, a website with flaws everywhere talks a lot about the quality of the backend.


Somewhat offtopic... But does anyone know of an inexpensive backup provider that works with rsync (or at least has Linux compatible software that doesn't require inotify)? I'm looking for something that will run on my Synology DS211j NAS. Crashplan was looking great until I realized the DS211j kernel doesn't support inotify. Backblaze is the same story. I'm using S3 right now, but it costs quite a bit more than Crashplan or Backblaze.


I've heard good things about http://rsync.net/ .


It really is an issue that most backup providers do not offer a Linux client. I am also bound to S3 at the moment. I have been tempted to try out the Windows clients in Wine, but it would be great if someone would offer a good (cheap, reliable, non evil =D ) backup service with Linux support, even if it's just a command line. Actually an API would be fantastic.. let the open source community build you a client.


SpiderOak does all of the above. Your data is encrypted end-to-end.

https://spideroak.com/engineering_matters

They cannot peek.

Also, my favourite feature: The client allows you to mirror the encrypted blocks to a remote FTP/SFTP target owned by you.

There's your N+1.

Talk about a zero-trust environment!


So, crashplan and backblaze don't work for you? The previous poster has a problem with them because he is running on an embedded Linux platform that has chosen to omit support for a useful system call from their kernel.


Tarsnap? I haven't used it personally, but the guy seems open and honest about the product. It's open-source and runs on Linux (but you have to compile).


Yes, I've looked at that, but it's double the GB/month cost of S3 and S3 has no inbound traffic cost.


BQBackup.com -- inexpensive, but sincerely thought out / well done. Used them many moons ago & the owner Scott is a genius when it comes to hardware.


tarsnap is great, though bare-bones - you'll almost certainly need to write your own scripts on top of it.


Ok guys. This is Tarandeep from backify. First of all I want to apologize for all the errors. We just launched a day ago, and we were not expecting 10000 visitors in one hour. 99% of the errors were caused by the server (written in nodejs) being restarted repeatedly, resulting in lost sessions. We have fixed the restart issue and moved the session storage from in-memory to db, which we should have done in the first place. But again, the huge response was totally unexpected.

About the passwords, they are all hashed (md5 with salt). They were just stored temporarily in the session for the email, and the session was destroyed immediately. But we fixed this issue earlier yesterday and updated on our blog.

Rest assured we promise to provide even better support from now on. We might stop offering free accounts soon, but the ones already signed up will continue to be free for at least a year, maybe longer.

Thanks again for the tremendous response and bringing the bugs and flaws to our notice.


That may sound stupid but all these google, dropbox and now backify services are so useless to me. Why? I sadly don't have the internet connection to upload 100+gig on these servers. So, I can use dropbox for text files.. but the second I have to backup bigger stuff I really need to be cautious into not moving that into dropbox.


AeroFS to the rescue :)


If they ever get out of semi-closed beta and let normal people actually use it...


Thanks for posting the warnings about plain-text passwords in the email. When I landed on their site, the design of the site didn't look trustworthy to me. I am not sure how to explain it best, but it doesn't give me a "secure" feeling.

There is no contact us/address page. Also, does this mean that the domain name is on sale by the owner? http://www.aftermarket.com/backify.com


Great. Except now the online backup market is going to be as cheap and reliable as consumer DSL.

Which is to say pretty cheap and mostly reliable, which is okay when you once or twice a year can't go online for a short time (clothing needs to be changed anyway); it is just not good enough when your wedding pictures get deleted.

Or worse, this crazy offer bankrupts the business and you suddenly can't access it any more.


If you're going to back up sensitive information, I'd recommend spending a few extra bucks and using somebody reputable and established like Dropbox or SugarSync.

As all the comments here have covered, it's a reseller account for LiveDrive and the site itself has a number of issues, not the least of which includes sending plain text passwords via email.

Bottom line: if it sounds too good to be true, it probably is...


DUDE!!!! They store passwords in plain text. I just received an email with my login/password. Good thing it's a generated password.

Ok, they just lost my trust.


Is it me or do these guys not seem that legit? I'm not talking about the plaintext password. Let's say that doesn't matter (in a utopian world), but the design of the site isn't at all "professional". My advice, don't sign up! Use Dropbox or Ubuntu One. Want more? Pay for it. That means it's a product that's worth it.


My crashplan subscription is still ongoing, so I have my backups covered already. However crashplan doesn't offer file sharing features, that is a plus for this.

Note that backed up files can be accessed through mobile apps, just that it could be a security risk for accessing files on the go.


I've seen good alternatives here like rsync.net but I wonder if a simple Linode wouldn't be a better option if you already need one for other purposes, because with the basic Linode you already got 20Gb, and it's only 10 cents/GB afterwards...


Seriously, have storage costs become this low already... funny that google can't find the name yet... this is the direct link: https://www.backify.com/


Not only that, but Google goes straight to "Backupify" as a spelling correction -- another backup-as-a-service provider already in the market.


With a little digging it appears they're reselling LiveDrive. http://www.livedrive.com/ForResellers


After reading all the comments, I'll definitely be sticking with Backblaze


Anyone else not assured by the fact they are "secured by comodo"?


No linux client :(.


I was thinking that, I'll be trying it on Wine tonight I think.


Who dares to put 512GB of data there?



