Insights For Success

Strategy, Innovation, Leadership and Security

OneDrive

Wormhole could be the free file transfer app Firefox Send wanted to be

GeneralEdward Kiledjian
jakob-soby-RjPG-_LVmiQ-unsplash.jpg

Firefox Send was a fantastic tool that allowed anyone on the internet to send large files for free using encryption. Unfortunately, the bad guys started using it, and Firefox pulled the plug.

The concept is simple, by visiting the service page, you upload your files, and the service provides a link that allows anyone to download the content. The challenge with most free services is that they are insecure, and most are slow (encouraging you to buy their faster service).

Wormhole one such service that leverages WebTorrent for fast transfers, promises end-to-end encryption and is free (with no upsell). Wormhole doesn't even require registration. Transfers of 5GB or less are handled by their servers, which means your browser doesn't even have to remain open. 

Traditional torrents require special clients, but WebTorrent is a gateway that allows any torrent files to be shared through a web browser (no special client or unique configuration).

When you create a new transfer, your device generates a unique encryption key used to encrypt the content before it is sent to the Wormhole servers. 

The unique twist

Remember that Wormhole is built with a combination of traditional web technologies married to torrenting. This unique combination makes their service faster than most competitors. But the magic is that the recipient can start downloading the content before you have completed the upload. This streaming functionality is something no other competitors (that I am aware of) offer. This means you can share the link with the recipient while you are uploading the content (and not have to wait until everything is uploaded). 

It's good but not perfect

Perfection is the enemy of good and there are some limitations you should be aware of:

  • If you upload content larger than 5GB (up to the 10GB limit), you have to keep your browser page open because Wormhole won't store the files on their servers (they do up to 5GB)

  • Uploaded content is only available for 24 hours

  • A file can be downloaded up to 100 times

If you are curious, they share their roadmap here.

Screen Shot 2021-06-13 at 1.00.46 PM.png

Conclusion

This is a new service, but it has already found a place in my online toolkit. Obviously, the long-term viability will depend on some time of premium service, but there aren't any details yet. I guess that the premium service will allow larger transfers, longer storage and more download slots. 

The security write-up (here) seems interesting, and the product looks to be designed securely. Still, because it is not open-source, there is no way to be sure they have implemented the security controls they say they have. If something is very sensitive, encrypt it using 7-zip before uploading (using a unique password shared with the recipient out of band). 

Google One finally available to all US customers

GeneralEdward Kiledjian

I first wrote about Google One in May 2018, when it was still shrouded in secrecy.  The new storage program with improved storage capacities was an invitation-only program until today (for US residents anyway).

Per the original (Google Drive) model, storage is shared across all of the Google properties you use (GMAIL, Photos stored in full resolution, Drive, etc.)

  • 100 GB for $1.99
  • 200 GB for $2.99 (New)
  • 2 TB for $9.99 (2TB for the price of 1TB on the old plan)
  • 10 TB for $99.99
  • 20 TB for $199.99
  • 30 TB for $299.99

If you use the Google Family sharing program (not available to Google Apps accounts, unfortunately), you can share your Google One storage with up to 5 family members. In addition to storage, Google is offering Google Play credit to Google One subscribers and promises to add even more benefits (24x7 support is now also included).

Many still see the Google One page as invitation only but expect this to change shortly. Rolling this new program out to its millions of customers is likely being undertaken in stages.

As a Canadian, I anxiously await any indication about when it will open for us.

Review of SpiderOak encrypted online storage

GeneralEdward Kiledjian

Right or wrong, Edward Snowden has become the poster child for online privacy. He has been adamant that anyone interested in true online security should stay away from the name brand online services : Dropbox, Facebook, Google, etc.

Trust No One Security

Before we talk about SpiderOak, this is a good time to write about TNO (Trust No One Security model). This is a philosophy that dictates that anytime security is needed, strong encryption must be applied and the keys to that encryption must be kept in the hands of the user. 

As an example, anytime you conduct online transactions with your bank, you connection is encrypted using end-to-end encryption (TLS) but the keys are held by the bank and created by a certificate authority. Either of those 2 can therefore intercept and decrypt the traffic if they have malicious intent. 

In the TNO model, the provider does not hold the keys to the kingdom and cannot therefore decrypt or access the data in its native format. 

Anytime a provider has the capability of resetting your password, it means it is NOT TNO and it means the provider can access your data. If they can access your data, that means a hacker may also be able to compromise their systems and access your data.

What is SpiderOak?

Unless you are a techie or a security person, you probably haven't heard about SpiderOak. Short of rolling your own cloud service, SpiderOak is the most secure commercially available TNO cloud service around.

The key to the magical security they provide is that your client encrypts all of the data on your computer before being sent through the security hostile internet to SpiderOak. They cannot see the content and if you love you password (aka encryption key), you have to create a new account and restart from scratch.

So you get Dropbox, Google Drive and Microsoft OneDrive like features, without having to trust the provider. 

Why is TNO important?

Governments are becoming very hostile towards individual privacy. The Snowden leaks have shown that the secret FISA courts allow law enforcement to compel the turnover of user data without having the ability to notify them. With most cloud storage companies, this means they (or a hacker) can gain access to your data and then do with it whatever they want.

With SpiderOak's encryption model, they can turn over your encrypted data but they do not hold the decryption keys. The encryption is strong enough to make forced automated decryption unpractical. This means they would have to secure a court order and force you to hand over the decryption keys.

If a hacker does compromise the SpiderOak servers, the data is once again encrypted and therefore unusable by these bad actors. 

It also means they are not and cannot use your data to profile you. 

SpiderOak features

So you are convinced they offer the kind of security you want. What about features you say.

First and foremost, they offer automatic (on change) backups. This is a set and forget model that works in the background.  There is no file size limit. There is no file type restrictions. No bandwidth control or throttling on their end (some providers slow down your connection if you try backing up large amounts of files to protect the responsiveness of their service for their entire user population). 

It can backup mapped (external USB connected) drives. 

Any issues with SpiderOak?

Files are encrypted on your device and SpiderOak cannot access them unencrypted so they are unable to offer offline file delivery (sending you a hard drive with your files). 

Anytime my computer is disconnected for a while, Backblaze sends me alerts notifying me it hasn't been able to backup my files in XX days. SpiderOak has no such notification mechanism. They could implement this even with the TNO model.

During my testing, I simulated an unreliable WIFI connection to see how the client would react and eventually it hung. Even when the connection became stable and on for 8+ hours, the client stopped backing up. Rebooting didn't help. I was forced to uninstall the client, reinstall it and create a completely new backup set. This was a bit annoying. The doubly annoying issue was that support is only available through email. Support seems to be available during standard north american business hours and usually response takes 5-8 hours.

Another issue is that although they offer mobile clients (IOS and Android), those clients are read-only (aka you can't upload content). SpiderOak did say they are working to add this functionality but they didn't provide any timeline. "Currently, you are unable to upload documents using the Mobile Application. We are working on including this feature in a future release." (mobile info)

There is no way to identify a connection as "metered" and tell it not to backup using that connection (like a pay per use WIFI LTE hotspot).

Not a technical issue but the pricing is a bit more expensive than I would have hoped. I am willing to pay more for security but wish they offered more storage with each paid tier. 1TB of storage on Google and Dropbox costs $9.99 a month.

My experience

Overall my experience was good but not great. Because plans are capacity based, you can sync as many devices you want. Because everything is encrypted, there are no file type restrictions. 

Versioning worked well. They seem to use a bit level delta storage function which means you aren't consuming space for the entire file with every version.

SpiderOak provides tones of information about security. 

Files can only be permanently deleted from the original device they were uploaded from. This is a great feature.

You can right click on any folder (or file) in Windows explorer or the Mac finder and ask SpiderOak to back it up. Easy. 

You can download backed up files to any computer via the web interface.

Conclusion

There are small annoying things I would like them to solve but no major show stoppers. My biggest gripe is not being able to upload via mobile or Chromebook. I really wish they would solve this. 

Outside of that, I like everything else I have seen and think they should be your go to provider for safe and secure online storage.

Related articles:

  • Bruce Schnier on TNO here
  • Steve Gibson on TNO here.

Do this to keep your free Microsoft OneDrive Storage

GeneralEdward Kiledjian
4027405769_3f7c23844c_o.jpg

What Microsoft giveth, Microsoft can taketh away. And so Microsoft did the unthinkable last year and announced it would be rolling back the free storage add-ons it gave users (base free 15GB storage going down to 5GB and camera roll bonus) and was clawing back the unlimited Office 365 storage to 1TB.

Understandably there was an uproar and now Microsoft has a setup a special webpage where you can ask them to keep your free storage levels. 

There doesn't seem to be any downside to using this function so go do it now using this link

 

 

 

 

A great free service to transfer files

technologyEdward Kiledjian

As a casual internet user, you probably don't need to send large files too often but there are times when a clean, fast and simple solution can be a lifesaver (sharing pictures, video, etc).

There are a bunch of for pay services catering primarily to the enterprise space but what does a user do? Enter WeTransfer.com. The site is clean, simple and functional. The free version (doesn't even require an account) allows you to send files of up to 2GB (per transfer). 

When you visit the site, you are greeted with a little transfer box on the left and a beautiful sponsored background covers the rest of the page. This one is a house ad but most a unobtrusive and visually appealing.

2014-03-18_21-16-00.jpg

All of you interaction will be with the little box on the left hand side.

You can enter up to 20 recipient email addresses, you enter your own email address (of it auto populates this if you have sent files in the past and haven't cleared your cache) and you choose files up to 2GB. You press Transfer and wait for your files to be uploaded.

Once uploaded, your recipients will receive an email with a link to download all of the files as a single compressed cross-platform ZIP.

In my testing, every recipient I sent files to received the notification email (aka it never went to SPAM which is a good thing). You receive an emailed confirming the recipients, your message and the download link. 

If you make an error with an email address, you will receive another email from WeTransfer notifying you that the recipient email bounced. For each recipient that downloads the files, you will receive an email specifying who downloaded the files, which files and when.

Another advantage is that the site is clean for your file recipients. There aren't any misleading banner ads, pop-up ads or other elements that distract from your transfer or that could be dangerous,

This is what the download page looks like. 

2014-03-18_21-29-05.jpg

What about upload and download speeds? I compared upload speeds on a 2GB file to WeTransfer, Google Drive, Microsoft SkyDrive and Dropbox. All of the services took about the same about of time. This means that you are not penalized by using the free service (no intentional slow downs). Every transfer I threw at it worked at almost my maximum internet connection upload speed.

There are a handful of other sites that offer free file transfer services but every single one of them had ugly ad covered websites. One even showed adult content. 

My conclusion is that WeTransfer is a great reliable free service that will likely fill a gap most home users have. You are sending your files to a third party so I recommend zipping all of your files in an archive (Zip, RAR, DMG, etc) and using that format's native encryption function. This will make sure that no one (except the intended recipients) will be allowed to uncompress and access your files.