[tahoe-dev] Thoughts about filerock and dedup

Alessandro Manfredi alex at filerock.com
Tue Feb 5 12:50:30 UTC 2013


Hi all,

I'm Alessandro Manfredi, head of development at FileRock.
Since we have been mentioned here, I'd like to answer some of the questions asked.

> I've been looking at https://www.filerock.com/ and although I have some
> reservations (server isn't open source, reasons to believe they collect
> statistics - e.g. web interface has google analytics, etc.)


The server isn't open-source because we designed the service in such a way that,
from a security standpoint, from the client's perspective, it doesn't need to be.
By design, the open-source client (you can check the code) does not trust our servers for data confidentiality and integrity.
That is, both data encryption and integrity verification are performed client-side.
The servers are used for signaling and to provide the proofs required by our integrity verification mechanism:
such proofs are then checked client-side to validate the data on retrieval.

> it's still interesting as something I could tell granny: "use this, it's pretty safe"
> (tried this with LAE and she's still recovering :) ), so any insight about them is welcome.


We'd be happy if your granny became one of our users! :-)
I'm trying to give some insights here,
but if you have more questions just ask and I'll try to answer.

>> 2. Last I heard, the Tahoe-LAFS Software Foundation had google
>> analytics on https://tahoe-lafs.org. Was that taken down? If not, can
>> I see the resulting statistics?
> 

> It's not the same (although it's still ok to feel a wee bit of shame),
> because filerock have it on their equivalent of the WUI.
> Not sure whether anything could leak that way (I'm sure there are people at
> google who know much more about this than me :) ), but it shows that - at
> least to some extent - analyzing my "anonymous information" *is* their
> business, and that's a bit of "bad taste".


We apologize for that.
We have removed Google Analytics from our Web Interface, where users actually use the service.
We kept it just on the landing page and some website contents,
at least until we have enough resources to make our own analytics software to avoid Google snooping :-)

> BTW, one interesting thing regarding "dropbox functionality" is that
> they've found a simple way to avoid race conditions: only a single client
> is allowed at a time. They have a notion of "session", and when you connect
> your "magic folder" client, it would tell you "you're already on web. log
> you out from there?" (also works in the other direction).


We are working to support the usage of several clients simultaneously,
although as you can imagine it's not trivial because of the data integrity verification.

So, thank you for mentioning FileRock here, we are glad to join the discussion.
If you have any more questions, please do not hesitate to write to us,
as well as if you have comments about our client source code and inner mechanisms.


Best Regards,

Alessandro


