Why I'm saying goodbye to Dropbox and hello to SpiderOak Hive (dougbelshaw.com)
116 points by dajbelshaw on Aug 28, 2013 | 117 comments

Chicago? Last time I checked, that city is within the jurisdiction of the United States and not immune to national security gag letters.

No thanks.

Swiss based Wuala.com is a much better solution.

Isn't switching from one closed source backup system to another closed source system overlooking the elephant in the room? These companies are legally required to rat you out when the government comes knocking (some even doing so without demanding a valid warrant, and profiting from LEO requests).

SpiderOak has been saying they "expect to make the SpiderOak client code open source in the not-distant future" [1] for years now, and their code still is not fully open-source. I completely understand their situation and know it's not always possible to fully open up the code, but I'm not able to overlook this deal breaker either.

Encrypt locally using only open source tools, then sync with whichever online backup/sync provider you like. It's the storage version of a 'dumb pipe', maybe we call it 'dumb containers'. Everything else is marketing bullshit which will evaporate once that first official demand for your data arrives.


Hey, SpiderOaker here!

While open-sourcing the desktop client isn't going as fast as we'd like, I'd like to point out that practically all current and future projects are open source on our GitHub (https://github.com/SpiderOak/), including our next-gen encryption system Crypton (which will eventually replace the data structures in the desktop client ANYWAY)

This is cool. Have you guys considered offering encryption as a service and let users pick their own data provider?

It's technically possible with Crypton. Note that the server-side components are under AGPL or commercial license; it's either pay fair or play fair.

I recently created a "petition" for SpiderOak to open source the client (and allow people to build it themselves from source) so that people can let SpiderOak know their thoughts. The petition signatures are sent to SpiderOak.

It's still available at the link below if any SpiderOak user (or potential customer) wants to use it to "show the numbers" on a single site (as opposed to scattered comments): http://www.change.org/petitions/spideroak-http-www-spideroak...

There's an online backup service called Cyphertite (cyphertite.com) that provides the sources for its client programs on all the platforms it supports. So I don't really see why SpiderOak, with its prominent proclamations of "zero knowledge", cannot walk the talk.

Of course, I understand that certain competitive advantages may take longer to provide in the open (until factors other than the client source code and backend architecture become competitive advantages). But I have to admit that SpiderOak has been dragging on opening up the source.

Edit: Let me also admit that I do like SpiderOak and the emphasis it places on privacy and in educating users about privacy. We need more services that strongly support what ought to be basic rights.

Thanks for your support and your efforts are much appreciated. We also agree that SpiderOak needs to be entirely open, and hope to have that completed within the next year. Everything new we've started in the last several years (including https://crypton.io/ and https://nimbus.io/ and a variety of other things on our GitHub) is GPL'd. Stay tuned!

You already have what you want. The source is here:


Actively in development, stable, ready for enterprise use.

Yeah, buggy and unstable and just hangs when you throw large quantities of small files at it.

"It's the storage version of a 'dumb pipe', maybe we call it 'dumb containers'. Everything else is marketing bullshit..."


If only there was such a provider that gave you the dumb pipe version of an offsite filesystem ... it's on the tip of my tongue ...

Hey I'm no expert, and have absolutely no evidence, but do know that there was an issue some years ago where the Swiss were allegedly strong-armed by the IRS into lifting their privacy restrictions [1] and [2]. The story, as I remember it, was that Swiss banks had to share information about US depositors with the IRS if the Swiss wanted to continue operating offices in the US.

While I trust the Swiss a lot more than I do anything in or from the US, I certainly wouldn't bet my life on it.

The links below are what a quick search yielded. Not much time to dig deeper at the moment.

[1] http://web.archive.org/web/20080611115027/http://www.treas.g...

[2] http://web.archive.org/web/20060717203642/http://useu.usmiss...

You're correct - but only with the big international banks. The tax issue is a different can of worms. At least there's a pretty good chance that NSA doesn't have a back door to wuala.

I don't know if they have a similar system for wired traffic, but the Swiss have one of the most extensive COMINT systems called Onyx http://en.wikipedia.org/wiki/Onyx_(interception_system) that primarily focuses on satellite. Regardless of US gov't pressure, I think it's a reasonable assumption the Swiss gov't has access.

Right. That mostly has to do with FATCA, the legislation Congress passed to try to get US persons/entities to stop hiding money overseas in tax shelters: http://en.wikipedia.org/wiki/FATCA

That might protect your "data at rest", but communicating with a foreign endpoint makes your "data in motion" even more vulnerable to NSA spying. http://www.zdnet.com/the-lunacy-of-trying-to-avoid-nsa-spyin...

It protects you against a certain kind of threat, namely the National Security Letter that can force a US-based company to install backdoors in their system while forbidding them from telling anyone that they have been forced to do so. If SpiderOak had been compromised by the US government forcing them to install a backdoor, they would be forbidden by law from telling anyone about this. They would not be allowed to remove the clauses from their service description that claim no-one is able to decrypt your data.

This is the special risk of dealing with US-based companies. They can be forced to install decryption backdoors or hand over their users' data while continuing to tell the users they are unable to do so. So you must assume no US-based service is truly secure.

What about BitSync? It strikes me as a good option, but I'm no crypto guy. http://labs.bittorrent.com/experiments/sync.html

Bitsync is very good but it is not quite a Dropbox clone as it lacks the ability to retrieve the files via web, it does very limited version control, and it has a pretty rigid structure of sync'd folders (for instance you can't sync a subfolder of a folder you are already syncing). Some of those functions can be implemented using ownCloud but the latter is still a bit buggy and requires you to have server space.

It is not as polished as Dropbox yet, but since this is Hacker News one solution would be to have BitTorrent Sync running on a home server then you could just SSH/sFTP to retrieve files. I have a Raspberry Pi running 24/7 on my home broadband with DDNS + BitTorrent Sync on it.

Just noticed the iOS app has dropped.

Might take a serious look at it now...

That's my preferred option. I like my data to sit on my computers.

I certainly understand the sentiment given recent events. :(

For what it's worth, SpiderOak Blue is often purchased by enterprise customers as a "private cloud", where an organization can run the server side components locally.

By the way, if I recall correctly, Wuala is owned by LaCie which is owned by Seagate, which is US based. IMO, open products are the solution. We're making it a priority.

Valid point. Conversely though (I'm probably over simplifying here) wouldn't this require some sort of secret instructions in the encryption software to send the user's key to HQ? Wouldn't said transmission be detectable by logging traffic from the encryption program? Granted many won't do that but it would only take one person sniffing packets on their machine to reveal it.

The password would be a number of bytes. They could easily use stenography and hide it in an upload or download of the file. Or have an update that would weakly encrypt the data, or encrypt and decrypt to a key known to them, making it trivial to retrieve the data.

Without the source, their security is meaningless. You've just given a closed source application access to the network, and to your files. You've already lost the game.

Edit: Thinking about it, this is the real problem with encryption: the good is the enemy of the perfect. A 90% solution is worse than a half assed one, because you know not to trust the bad solution.

Looks like you were bitten by autocorrect (and meant steganography).

You only need to transmit the key once, and the timeframe for that is anytime between installation and the first request of the NSA.

That is a lot of regular ping messages, directory listings, and software updates that can be overlooked in that period.

As another commenter pointed out, you voluntarily give the password if you use the web UI. Probably the same if you use a mobile client. So there is built-in room for honest mistakes in their service definition.

So basically, you still need to trust a third party, and looking at the recent news, they are really out there to get you.

Another thing that nobody is talking about, and that is at the heart of the internet: what about all those SSL certificates?

I use Wuala, but only because I think I can trust a Swiss-based more than a US-based software company.

That being said, it's all about trust, since both are closed source and there's only trust that's left to the users.

I wish there existed an ubiquitous open source alternative.

I was typing another comment just as you posted this but making essentially the same point.

If you are using Linux, FreeBSD or Mac OSX you can use local open source encryption before your data touches the sync program (or even the online backup servers) with EncFS.[1] I'm using it with Dropbox and it is solid, easy to use and set up, and does efficient file-based encryption (so no re-uploading folders just because you changed a file inside).

Gnome desktops even have the Gnome EncFS Manager[2] if you want a GUI way to set it up.

[1] https://en.wikipedia.org/wiki/EncFS

[2] https://bitbucket.org/obensonne/gnome-encfs/

Thanks for the info, but I said ubiquitous exactly because I need something that "just works" on each one of Windows, Linux, Android and iOS. And I'm not aware of any open source solution there, hence have to use Wuala.

Linux & OS X: encfs

Windows: encfs4win

Android: Cryptonite

iOS: Boxcryptor

Granted Boxcryptor isn't open source, but otherwise you get yourself a full encfs-compatible Dropbox stack.

IIRC, Boxcryptor isn't specific to iOS, I have it running on OSX at home, and I believe it also runs on Windows, though I've never had a reason to put it on my VM.

Sure, though the key redeeming point of the product would be that it's compatible with the (notably open-source) encfs.

There is Tarsnap. While it has licensing restrictions that prevent it from meeting the Free Software or Open Source definitions, the source code is available to study and build yourself. It's run by Colin Percival (cperciva here on HN, former FreeBSD security officer and designer of scrypt, bsdiff, and other useful tools), who many consider quite trustworthy. Data is stored on Amazon AWS, which you may not like, but since it's all encrypted client side all they can really do is traffic analysis.

The big advantage of Tarsnap is that it supports efficient encrypted deduplicated snapshots; it only stores blocks that have not been stored before, so you can have many versioned backups using much less space than they would otherwise.

Unfortunately, Wuala was bought by the French company LaCie. No idea where they have their data nowadays, but I'm guessing France, since LaCie made them give up P2P storage functionality, likely leading to a sudden higher storage demand.

Yeah, I wish it was a more common reaction to America-based services. Especially for foreigners, it's like putting a public folder out there on the Internet, which is fine for cat pictures but not really something you want any sort of private data on. One interface might be more shiny than the other, or maybe one of the services offers a few more GBs, but what good is that when there are 100s or 1000s of individuals who are in a position to read your data at will at any moment?

Just sidestep the whole issue and encrypt the contents with a key only you know/possess. Then the choice is simply "who gives me the simplest offsite platform with the fewest layers of abstraction (preferably none) between my data and the underlying filesystem".[1]

Switzerland is not some magic amulet that solves these problems once and for all.

[1] You know who that is.

Won't syncing an encrypted file store result in a lot of sync churning each time you modify a file inside, because deltas won't work?

With a properly designed container, it should (and that's actually a feature, else you're much more vulnerable to traffic analysis). That's a tradeoff between security and convenience, IMHO.

I really don't think it matters what platform you use. As long as you use your own software to encrypt and do it locally, it doesn't matter much if someone else can access your cloud store. Personally, I use AWS because it's a mature platform with good support and the chances of me losing data are astronomically slim. But as far as Amazon is concerned, I'm just uploading noise.

SpiderOak user here.

Just remember to not use the Web UI: if you do so, your plaintext password is sent to the servers, because decryption happens on the servers. This is mentioned in their FAQ. Unless things have changed since the last time I checked.

I've always assumed that Dropbox's light encryption was because of their Web UI, which is a pretty big feature for most users.

Different crowds.

Is it feasible to do the decryption in JS? LastPass for example encrypts the passwords and never sees the plaintext. Although decrypting a plaintext password is a significantly smaller problem than decrypting large files.

They don't utilise https? Please tell me that isn't true.

HTTPS doesn't matter. Without client-side decryption, you are forced to give the server your password so it can decrypt the file for you.

See other reply below. And to answer your question, yes, they use HTTPS.

I've seen a lot of people recommend Lastpass lately, but couldn't the government force Lastpass to create a backdoor for them to get the passwords before they are encrypted?

I'd also worry about a catastrophic event of Lastpass losing those passwords somehow, and then remaining locked out of many websites.

And what about BitTorrent Sync with an old PC as an alternative? They even have an iOS app now.

I personally use keepass and keepassx (the alpha compatible with keepass2.x) and sync my passwords with SpiderOak. That's worked pretty well for me, and I don't actually have to trust a website with my passwords. Even if there's an insecurity in SpiderOak, they'd only get my encrypted keepass database which they'd then have to also decrypt.

I definitely recommend keepass over lastpass.

Exactly what I do too, for exact same reasons. Crazy imho to store your passwords in a cloud service, using only their encryption.

> keepassx (the alpha compatible with keepass2.x)

A bit OT, but I'm guessing you're using keepassx for non-Windows OS? Is there a benefit to it compared to simply using keepass with Mono?

If I'm not mistaken, LastPass keeps both a local and cloud version of your password. When you're having trouble connecting to LastPass's servers, LastPass still functions. I think it's just that if the password changed on another device since the last time it synced locally, you'll still have the old one.

So I'm pretty sure that you'd have to lose basically every device it's on and have LastPass's cloud deleted to lose them all.

They don't keep a server version of the password (they don't have access to your password), but they do have the authentication credentials. A password manager that only worked online would be frustrating.

Yeah that's my concern too - any vendor can be compelled through secret courts to include backdoors in software.

I've had this worry as well, in regards to losing passwords. I still believe writing everything down on a piece of paper can help. I have a little black journal that I carry with me everywhere that has all my passwords in it. Typing them in is the issue when they are longer strings, and mixed symbols.

Only issue is protecting that journal... Hopefully I can eat the pages if things were to arise. Ha

If you are sufficiently paranoid about having to destroy the notebook, tissue paper and water soluble ink go a long way to making it easier. I made about a dozen for a murder mystery party about two years ago and still have one lying around somewhere. A small waterproof bag should make sure it isn't inadvertently damaged in the rain.

The more dramatic solution is flash paper, which destroys all conceivable evidence. Don't fly with it.


I'd be very wary about carrying a book of flashpaper in my pocket.

> Only issue is protecting that journal

Or losing it.

Haha, yes or losing it. I think that having a back up would be much needed. It's really too bad to think that we have gotten to this point. Not to be the paranoid one.

I just use Truecrypt volumes within Dropbox for anything I'd really care about losing. I guess it's an extra step, but I find I just like Dropbox better than the competition. And things I really care about (tax returns, for instance) I find I access rarely and always on a PC.

This solution has 2 issues though that kind of drive me crazy.

1) It won't sync the truecrypt volume while it's open (cause the file is in use), so if you want to encrypt stuff you work on regularly, you have to close the truecrypt volume regularly to sync it, which is a PITA.

2) Since it's one big volume, it takes forever to sync up even if you only modified a single file inside it. Say, for example, I have a 5 GB truecrypt volume containing some project I'm working on. If I open it, update the readme, then close it, it has to resync 5 GB...

So overall, this is far from an optimal solution...

EncFS keeps files separate (with encrypted filenames), avoiding this problem.

For #2 I keep the truecrypt file size more like 500MB. Fortunately my projects don't have big files. For old tax returns and the like I have archived truecrypt files that no longer change.

#1 is indeed a PITA. I don't know of a better alternative I trust though. In practice the files I'm changing daily are small and aren't top secret, so I zip them and put the zip file in the DropBox. Then I don't have to unmount the truecrypt volume so often.

I guess the resynchronisation time is taken up mostly by Dropbox reading and hashing all 5 GB to detect changes? Just that it considers each file as a series of contiguous chunks and should only transfer those chunks that have changed. A bit like how BitTorrent works.

Um, you should be regularly dismounting volumes every time you are done using them anyway. Your enemy can quite likely read out your passphrase from cryopreserved ram or its hibernated equivalent.

The best cloud security solution is one where you control the encryption keys AND stuff is encrypted on your device BEFORE uploading to the cloud.

We tried SpiderOak but the security was hard for our users. We ended up using Syncdocs which encrypts Google Drive. It lets our team share and use Google Docs normally, but secure folders we need to keep encrypted. They also disclose their AES encryption source.


I think the new 'Hive' feature makes things a whole lot easier. Just drag-and-drop (as you would with Dropbox) :-)

I'm embarking on my own backup solution: For $1.38 USD/month (Ramnode OpenVZ SSD-Cached 128mb RAM VPS with 31% off for life coupon) I get 50gb.

I just need to setup a synchronization/encryption schedule. I'm thinking rsync remotely to the server. Not sure on encryption yet.

I'm also using the servers as development and minor hosting for myself. It's practically a free storage solution?

Am I crazy?

I do something similar, though I use git-annex / assistant to manage the files. It can have remote data repositories using rsync with transparent encryption (using GPG keys).

I also have a bigger drive at home mounted on a raspberry, which stores both the important files (as a second backup) and a lot of unimportant crap.

Thanks for the tip!

I'm hoping to look at rsync in order to do partial changes, so I could synchronize VM disks and other large files.

I don't like keeping my PC turned on to perform a sync, so I would love to setup a Raspberry pi to do the work for me, but it only has USB 2.0...

If you are using Linux, encfs should work fine with an rsync-based solution.

no - where did you find the deal?


I would just write the code here, but I'd rather you visit the wonderful site ;)

Edit: Do a search for RamNode.

SpiderOak does have one problem. It has no arm build for linux (and they apparently have no plans to make one soon). If you frequently use a Raspberry Pi or linux on an arm Chromebook then you'll be out of luck on syncing your files.

I wish they'd release simple sourcecode for a headless sync client or that someone would reverse engineer it enough for that to happen. As it is, you can sshfs mount a folder synced by one of your x86 computers, but that's definitely not ideal.

Other than that complaint I've enjoyed using SpiderOak and it's a great piece of software.

Cloudfogger[0] has an interesting solution. Anything within the cloudfogger folders gets encrypted before it can be synced with the cloud service. It also changes the filename to add its own extension. When you open a file, cloudfogger uses the password cached on your system to decrypt and then run the file, providing a fairly seamless experience.

The one main problem is that it's not an open source client, which seems like the ideal solution.

[0] http://www.cloudfogger.com/en/

Edit: Why downvotes?

I have only seen one outdated blog post benchmarking upload speed of the various services being suggested here. http://www.proposedsolution.com/downloads/online-storage-ser...

As a Dropbox user, I find that the files get synced very quickly and I wonder if these alternatives (Spideroak/Wuala) being suggested will match that speed. That will be a factor as well to consider.

What's disappointing about SpiderOak is the inability to do two-way sharing of your data - so it's not really usable in a corporate setting.

Oh, you're saying it wouldn't be possible with client-side encryption? I say it should be, using a mix of symmetric and asymmetric encryption:

- have all data of a repository encrypted using a symmetric key, at first known only by the repository owner.

- the symmetric key gets sent on the cloud host's server, encrypted using the owner's public key.

- every new device or share with a new user will require a previous user (in this case the owner) to decrypt the symmetric key using his private key and encrypt it using a new public key that the new user / device has sent together with its access request.

- the cloud host simply grows a table of encrypted symmetric keys, with one entry per device/user, besides the actual encrypted data. note that the cloud host still can never decrypt the data, as long as the private keys never get sent around.

It's coming! Existing SpiderOak accounts all contain a 3072 bit RSA keypair, which is reserved for this future purpose. But it's not as simple as it seems. Things like garbage collection, and space accounting, and various race conditions between parties become the hard parts.

In any case, it's on the way, and it's entirely open, built with Crypton.io, our new open source framework for building zero knowledge applications. (Which we'll eventually port the main SpiderOak desktop app to use.) For details https://crypton.io/ and https://www.youtube.com/watch?v=pn9DAwggza0 (...and to be clear, the threat model is intended for HTML5 desktop and mobile apps, not browser Javascript.)

Thanks, good to know. The challenges you describe are interesting, I'd love to read an article about it ;-).

So I go to the Startup Guides, then to Getting Started. I open the PDF and under step one I see:

"NOTE: Curious about how we retain ‘zero-knowledge’ privacy while password creation happens on the web? Click here for more details."

But no link. So... is this a joke? Why can't they explain this in their FAQ instead of having to get a PDF then a (non-existent) link to it? I've been searching the FAQs and under Privacy and Passwords and all I can find is:

"More information about this is on our website in the engineering section of our website, which talks about our zero knowledge approach, the password policy, and encryption specifications."

Engineering section? I can't see where it is.

My point is, if "security and privacy" are one of the main selling points of the product... yet you have to jump through hoops and loops to get some details on the implementation and STILL don't have the info... smells fishy..

The Sign-up process is explained here: https://spideroak.com/blog/20111206101528-new-browser-based-...

This is the Engineering Page with Encryption Specifications: https://spideroak.com/engineering_matters

@Doug: have you tried our (free) product: http://ncryptedcloud.com? We currently work with Dropbox and will eventually with Google Drive & SkyDrive. Our product works with Windows, Mac OSX, iOS & Android. We also have the Cloud Web Portal which allows you to see your secure file via web. Keys are generated client-side. We use open standard. We don't have access to your data AND you can securely share your files with other people (nCryptedCloud user or not!).

I've written about the problem of cloud security and cloud privacy here: http://vuongnguyen.com/personal-business-cloud-security.html.

We're just a startup who was trying to solve our own problem with the cloud security & privacy. Would love to hear from you.


Thanks! Appreciate the link. I have looked at some third party add-ons, but don't want to use two cloud products when one will do.

I will take a look at ncryptedcloud.com though in case it's useful for people I advise. :-)

Any chance of a Linux client?

Interesting solution, but the reason why I use Dropbox is due to the ever increasing storage space limit for non-premium users. I have about 6 GBs of space available to me, and as soon as I get remotely close to that capacity, they usually give me an additional half of a GB.

Thanks, it's the first time one of my posts has made the front page of HN and it kind of took me by surprise.

The cache should be able to deal with it now, but I appreciate the mirror. :-)

One fail in the article: "It’s worth saying at this point that I don’t, to my knowledge, do anything wildly illegal."

The definition of illegal varies over time and you have no control over it at all.

He's almost certainly done something illegal.


Oh, I agree. What I'm trying to say is that I'm not a Silk Road user or hosting illegal images.

+1 to changing definitions of 'illegal' (along with 'madness', etc.)

All well and good ... until Spideroak stops syncing, customer support can't explain it and you're told it will be ... get ready ... at least one month before one of their tech guys can look at the problem. I was with Spideroak for over a year before this happened to me, and I switched to a competitor's product. Sure, no real security, but at least it's backing up my files.

I agree our ability to scale support is a problem. Very sorry it didn't work out for you. Unfortunately on our side it's a big challenge to provide detailed troubleshooting with individual users, especially if they are not paying. We took Patio11's advice and offer a money back guarantee for paid users, but we also do try to investigate and support them much better.

Since the product is zero knowledge, we can't just look at the server to see what a problem might be. Troubleshooting involves analyzing logs from the end point devices, finding out all the relationships involved in the sync (one machine is Mac using case preserving insensitive unicode form D, the next is Windows with relevant regional settings, another is a Linux NFS server, a FAT32 volume that doesn't preserve certain characteristics and has limitations for MAXPATH, etc.)

It often takes a couple of hours of analysis to understand what a specific situation's problem might be, and the median case is that it comes down to application-level things that SpiderOak can't do much about other than explain to people why syncing (for example) Quickbooks files between two open and running instances of Quickbooks at the same time is not going to have the effect they desire. Or any number of combinations like that. People put very weird stuff in filesystems.

In any case, sorry it didn't work for you. We did recently finally resolve a couple of long standing edge cases in the Unicode sync logic in the 5.0.3 release. Let me know if you'd like to give it another try. In any case, thanks for your interest in SpiderOak.

Just to clarify, I was a paid user, and am still yet to receive my refund. As I've recommended Spideroak to my clients, and several of them are also paid customers of yours, this puts me in a difficult position.

I would love to find a replacement to Dropbox that 1Password supports. Was looking at AeroFS but turns out not to support 1Password at this time.

In related news, the Chinese operator TenCent is offering 10TB online storage for free. http://www.weiyun.com/act/10t.html

At least your data will be behind a strong firewall

Although having your data encrypted everywhere is a good idea in principle, using closed-source tools like LastPass and SpiderOak Hive isn't a good way to do it since you have no way to verify that the data is encrypted well or at all.

That's a good point and I'm certainly not saying this is a full tinfoil-hat solution. But it's better than I had before and an easy change to make for the 99% :-)

A question I have whenever I see this come up: do people who say this generally do their own personal code audit of the open-source tools they use? How can you trust anybody else to do it for you? Do you compile all of the code on your own? Can you trust your compiler? How far do you go with this line of questioning?

It seems to me that for many people, using an open-source tool does more to provide peace-of-mind than actual security assurances.

How does their data-encryption relate to something like Mega (https://mega.co.nz/)?

Mega's Privacy policy says:

"Your data is encrypted by you before upload to our system and therefore we do not and cannot access that content unless we are provided with the decryption key. You may give access to others by providing them with a link and decryption key and you shall be responsible for their compliance with this Policy."

But they also say that they'll comply with legal requests. These articles explain it better than me:



How about using btsync and hosting your own cloud?

Yes, lots of suggestions to use BTSync. I am using it, just not for this particular use.

I want to backup and sync at the same time to an offsite server.

While I could roll my own solution, I want something that I can recommend to family/friends/my network (and that's congruent with their technical skills). :-)

Not open source - not possible to trust it. I switched to duplicity and a cheap storage (shell) provider accessible via ssh.

also, there's the weird and confusing details / thread from yesterday where dropbox seem to be relying on security through obscurity - https://news.ycombinator.com/item?id=6286674

could you pls document your experiences after some weeks of usage, how it compares to Dropbox?

Yep, I'll do that. :-)

I've racked up 7.9GB on my free Dropbox account. Until there is an alternative that offers more for free, I probably wouldn't consider switching. However, I'm encouraged by the amount of cloud hosting services emphasizing privacy, maybe at some point dropbox will follow suit.

I bet their competitors can't wait for you to switch to their free accounts.

In other words: why not pay?

You could try Copy.com[1] if you want more space for free. They are providing 15GB as the starting storage space, while 5GB for each referral.

[1]https://copy.com?r=C3kqI8 (This is a referral link providing 5GB extra to both.)

Bitcasa are offering 10GB for free. Their unlimited service is cheap too. I cannot comment on their security.

Microsoft just upped their SkyDrive to 25 gigs I believe.

Edit: Actually, I guess that's for their basic paying account.

Or, if you'd had a SkyDrive account before the change.

Encrypt your files within Dropbox.

Why Hive and not AeroFS?

Once you use AeroFS you might as well use BitTorrent Sync.

I'm not familiar with AeroFS, could you elaborate?

AeroFS is a filesync clone that operates without any central storage cloud, but you still need to make an account that connects to their central server.

This means they control your access to syncing your own files.

BitTorrent Sync lets me do the same thing, but under my own control. Only thing missing there is being able to choose your own tracker.

I prefer RoachBirch Anthill, or occasionally BeePine Mound.

Think of your files as termites. BeePine Mound is like a secure mound in the cloud for all your stuff.
