I'm not sure I want someone doing weird things to my file system.
I really hated the way they described what it does. I also disliked the "new technology" to "instantly transfer files, no matter how many".
I have no idea if they've implemented the encryption in any kind of sensible way. I guess we'll hear later if someone breaks it. I guess it's nice that there's more encrypted traffic going over the Internet - regular people using encryption means encrypted traffic is not automatically suspicious and needs the same legal process of warrents to intercept it.
Yes, the real magic here is not the technology....it's their marketing. I'd love to find out the particular shade of lipstick they put on this pig...it would be interesting to know the referrers for the traffic to that page.
I figured that's what it was. I was shopping around for one of those early this year and it looked like they're just not very widespread, and the few models that are easy to get have some serious issues. I decided to get a raspberry pi instead since it is in the same price range and can serve the same purpose, plus a lot more.
All your devices need to install plugs software, at which point you provide a login and a password, and bam, you now have full access to your files connected to your plug...
what?
So we go out and contact plugs central server, provide a username and password, and now we have remote access to all our files.
ALL of them. Plug syncs everything.
PRISM, the program that secretly told internet service companies to provide access and tell no one. and plug, the device that makes every single file you have visible on a network connection that they hold the keys to.
Plug is going to have to go a long way to convince me that they can't be compelled to release my credentials to a government authority, even if they said they never would and they really really meant it, that still means they have complete and total access to my life.
Anti-PRISM here isn't meaningless, it's outright wrong. Your product is only anti-PRISM if your product assumes the author can't be trusted in addition to not trusting the lines the data is sent on (At least they did that).
From the security FAQ:
"Plug uses asymmetric cryptography. When Plug is installed, the application generates a RSA-2048 pair of keys, identifiable by the user's email, and with a private key protected by the user password. This private key, which is what authenticates a user in the Plug system, is stored in your Plug and your devices. We don't know this key because we don't have your password, so we cannot - us or anyone else - steal your identity."
So it really does seem to be zero knowledge, and therefore could be the magic UI that finally makes proper asymmetric encryption tolerable to the general public.
The NSA could still steal the key off of any of the devices, but it would be hard to do that systematically on a global scale. The closed source nature of this software probably still makes it a no-go though, they can just coerce them to patch it ala skype.
I wonder how this would fair against TSA also. If your entire home server looks like a folder, and they can copy that folder at the border, they now get every file you care about rather than just the ones on any one device.
The usage of "anti-PRISM" is becoming meaningless. It's like the new rockstar node.js on rails ninja. Just a buzzword. If you think that using your own server instead of DropBox, switching from Gmail to another email provider, and encrypting the content of your files and emails will protect you from PRISM, well, you just don't understand at all what PRISM is all about.
First, nothing prevent government to listen to what happening on the backbone cables (and they do, we now have the confirmation, they don't just ask a finite list of service providers for the content of their users). Hiding the content is one thing, but what these government programs mostly consist of is to recreate people's networks. This is the main point. Sure it's always good to encrypt stuff, but it's not sufficient to be called anti-PRISM. Most of the "anti-PRSIM" thing I read about are not anti-PRISM at all, it's just used as a buzzword. And it's a shame that a community such as HN fells for this.
It seems you don't know what PRISM is either. AFAIK, PRISM allows them to retrieve data from several companies that have given them access to do so. One of the leaked slides also mention the capturing of data from the fiber cables, but that wasn't part of PRISM
I do agree with your point however, I'm just nitpicking
Okay, if you call PRISM just that part of the big picture, you're probably right. But then what's the point of being anti-PRISM? It would be like saying "this meal is anti-food poisoning because one of the many ingredients has been thoughtfully tested against known problems.", not that convincing to me.
PRISM means that the (US) government can ask MicroSoft/Google/Apple for your files stored in the cloud without a warrant. So you get no protection against "unreasonable searches" specified in the 4th amendment.
This drive is controlled by you and stored in your house (with no key stored in the cloud). So the 4th amendment applies, and the government can't just look at your files any time it wants.
In this case what exactly does anti-PRISM means? How I see it it would be PRISM 2.0, since the NSA will now not only have access to your cloud files, now it will have access to your personal physical drives.
will I need to have a Plug account to access my drives? Will I be able to access those drives from outside my house or office? Will my users/password for that account will be stored at some king of Plug centralized server?
> With Plug, all your devices are connected with each other thanks to a zero-configuration, private and encrypted VPN (asymmetric encryption based on RSA-2048/SHA-1 keys). We had excellent speed benchmarks on this network. It goes through any main NAT & firewall we tested, it's decentralized when possible, and it doesn't require any user configuration. It's safe and does the job.
> When Plug is installed on your computer, our application intercepts all the input/output operations performed on your files, using several patent pending technologies. When Mac OS X, Windows or Linux want to store or access data, they ask our application instead of manipulating the hard drive. When needed these operations are redirected to Plug. Thanks to this, we give you the best experience possible. We show in your OS all the files you have in your Plug, even if they're not actually in your computer. We use your local storage memory as a cache, to store both the files recently used and the ones you want to keep for offline-viewing.
I don't blame you for not knowing what the heck it is; I had to plough through a bunch of nonsense to find the above two paragraphs.
But all the magic is in their client-side software. It's more like having your home directory on NFS, but it allows you to keep some files locally, and it keeps revisions, and it transparently sets up VPNs for you, etc.
So, if you're a techie, it's "just a NAS". But if you're a non-techie, it's 100 times more useful than a NAS.
I felt so excited to see Plug. I was ready to sign up to Kickstarter to back my first product. It's a plug-and-play NAS, a data solution I've been trying to find. I really, really wanted to use it. But I can't for ethical reasons.
I hate to sound like I'm preaching open-source but it's unacceptable anymore, although I will give them credit that it's a step in the right direction. We need devices like Plug. Just make them open and I'll happily back it.
Why feel bad about it? It gets straight to the crux of the problem. If you're running closed-source software that is presumably taking updates from a third party outside your control, how much of an improvement is that over SkyDrive or Dropbox?
As far as I can tell the only problem with these services is snooping by intelligence agencies and the consequences of that (potential espionage, etc.). One could hypothetically argue that the NSA would be less willing or capable to snoop on data that is stored inside hard drives in citizens' houses - but from the outside we can never know that.
We need to have pretty damn good confidence that we have control over our own gear and data, and that means using open source software that is popular or interesting enough for third parties to review it.
> One could hypothetically argue that the NSA would be less willing or capable to snoop on data that is stored inside hard drives in citizens' houses
No, even the secret FISA court would have a hard time getting access to this device without a warrant:
Courts have ruled that "cloud storage" (not owned or controlled by you) is not in "your possession". Therefore, the 4th amendment protection against "unreasonable searches of your possessions" doesn't apply. So the government can ask MicroSoft/Apple/Google for your files.
But this drive is clearly in your possession. The keys for it are clearly in your possession. The cloud company website does not do security or have access to your files -- it just helps you locate your device.
Technically, this is no different than a NAS in your house. But the client-side software is 100 times better. (client-side caching, revision tracking, etc.)
My experience with open-source software is somewhat a love/hate relationship. Most of the tools I use (vim, nginx, go, etc...) are amazingly high quality but others are seemingly poor - i.e GIMP vs Photoshop, Pages/Word vs LibreOffice Writer. They look pretty awful, they have unintuitive UIs and generally I have a bad time using them. As such, my attitude towards open-source software is it's "shit" because it looks terrible. The code may be solid but the UX hasn't been refined. This is the main reason why I run OS X; I get to use vim and Photoshop.
In some small way, I feel like I'm forced to use software I genuinely do not enjoy using. I like using Windows and I like using OS X. So far, every Linux distro has forced me back to either OS within a few weeks. Even Elementary OS; practically a clone of OS X ships with sub-par software.
Almost all software I run is closed-source/proprietary. I'm making an effort to adopt better software but it's difficult to find high-quality open-source software. I'm currently looking into contributing so I am actively working on the issue rather than sitting here complaining.
A common love/hate relationship I think; don't beat yourself up too much.
I think it's okay and even important to insist on open-source for a system like Plug even if you're not interested in using FOSS for all your computing. For many of the proprietary software examples you cited the "loss of freedom" is kind of nebulous (apart from the price tag!). The odds of a backdoor appearing in a product like Photoshop are relatively slim I think.
By comparison Plug is a perfect target - it is hosting documents and other data belonging to users who have likely made a conscious decision not to store it on the cloud. I don't think it's hypocritical to own a Mac and say that closed-source is not the right model for this application.
What are you talking about? Quote from the kickstarter:
"Under the hood, the average transfer speed for your data will be around 30Mb/s"
That is megabits/s, pretty far from 100mbps. At home between my boxes I've got 1Gbps, why should I be unable to utilise that speed? That's just another argument to why it should be Free Software so I/we can run it on any hardware.
It's an inexpensive way to create a SAN with some software to tie stuff together. Assuming your router doesn't already do most of this, I suppose it could be useful for home users. I find the anti-Prism claims to be getting old quickly, and probably dubious in this case considering users with no security knowledge are being encouraged to create a single access point to all of their data. This obviously resonates with people, but I'm rather surprised at the success so far.
That's the beauty of marketing, you don't have to tell users the whole truth and you can make it look extremely easy to use. I'm curious to see how this will work out for users in the real world.
Okay so you just plug this in to storage on one side, and internet on the other. Then it works on LAN, but apparently also outside your LAN? They showed that in the video. So there must be some sort of udp/tcp hole punching to get through the NAT?
And then the files sync at the speed of my 832kbps upload speed? So much for "one memory on all devices" when you barely reach 100KB/s reading speeds from your "memory", divided by the number of users/devices, except for any cached files. But the whole point was: no more moving, copying, downloading or uploading, so caching files (which they showed) is in direct violation with that vision and should not needed to be used.
Seems this product is just not for me and it's going to disappoint a lot of users (500k backed shows they put a lot of trust in it). I'm happy to store things in a cloud, but files will be encrypted before transmission and it has to be open source software (preferably even already existing utilities).
Just to clarify, the is no synching. The file requests are on demand. Only the metadata (oh, there is that word again) would appear when listing a file/folder. Just like the rest of the net. It's not a synchronization service but a file access system. That the reason you can have 1TB space on a phone. It's a NAS device, or is it a SAN? Anyway, it just a Linux server that connects to the Internet so you can get your goods. I'd rather they open up the entire OS and software though. People need to know this is secure and not just trust someone, again.
> I'd rather they open up the entire OS and software though. People need to know this is secure and not just trust someone, again
With open source software, too, you have to trust someone. In this case this someone is the people who review it. Of course it's always possible to check the source code yourself, but I doubt that most people would invest the time to audit a codebase that has been worked on for two years or more, by several developers. And even if they invest the time, chances are that weaknesses are overlooked (see, for example, Cryptocat). And even if the source code does exactly what is claimed to do, how do you know that the compiler works correctly? Does the machine code really correspond exactly to the source code?
It always comes down to trusting _some
one_. With open-sourced software, that person is usually "someone on the internet". With Plug, you have to trust the people who produce it. It is their business interest to provide a relatively secure product, and from kickstarter they got a lot of resources to put into this.
I for one would rather trust a company with a financial interest in providing a secure product, than a couple of volunteers who are in it for other reasons.
You can lock up your data all you want, but with the NSA deeply embedded in telecoms and mobile device manufacturers, once you try to access said data in a manner consistent with the project's marketing, e.g. on an apple-engineered device running Verizon's comm middleware, the NSA gets your data anyway.
This is the same problem projects like Moxie's silent circle have. It's trivial for the authorities to grab data between the device's interface and the software - they don't need to decrypt a damn thing.
Right, but they have no control over interception rootkits installed on the client. And all of their marketing material suggests that the client in question will usually be your phone. After the VPN software decrypts the data and before it is emitted from the speaker and/or displayed on the screen, there is a cleartext data stream that could be intercepted by a rootkit that the feds could order your telecom provider to silently install.
If 'kickstart fund the Plug, to obtain cloud-like secure home storage' is code-speak for 'kickstart fund the purchase of some blackmarket nukes, and vaporize the NSA datacenters' then this just might work.
But seriously, there's some fundamental reality denial going on here. You're going to try and solve this problem with a gadget? Uh... and that problem would be that the Rule of Law has broken down, fascist criminals have taken control of the government, and seriously intend to impose a total information surveillance regime by whatever methods are required. Including, apparently, several hundred million rounds of hollow point ammunition.
Yeah, with gadgets like this you might make the process slightly more tedious for them. Assuming they don't enjoy simply dragging people off to indefinite secret detention and crushing fingers until encryption keys are given up. But that's a very shaky assumption. At best.
Also, closed source. Ha ha ha...
Plot twist: Cloud Guys Corp are really NSA, preparing a backup plan in case their major net service provider taps go sour due to current temporary difficulties.
What could be really nice would be a kickstarter to get that poor Snowden out of Russia on a private jet and onwards to one of the countries offering him asylum.
This is why the project would have been better off as open source with anonymous donations. Decentralization is still the best way to defeat aggregation.
A USB device can boot the needed software when it is plugged in, and the device can have its authorisation interface (say a numeric keypad). It should be able to interface to Windows and OSX devices without much rigmarole.
The hardware is already made and available. Here's the manf listing for the Wanser-R: (http://www.mrt-communications.com/WANSER-R.html) Here's the Alibaba page for the MRT communications NAS Dongle device (http://www.alibaba.com/product-free/103191249/NAS_Dongle.htm...)
Here's an Amazon listing for something similar (http://www.amazon.com/Addonics-NASU2-NAS-Adapter/dp/B001OC5J...) and the manf page for that (http://www.addonics.com/products/nasu2.php)
I'm not sure I want someone doing weird things to my file system.
I really hated the way they described what it does. I also disliked the "new technology" to "instantly transfer files, no matter how many".
I have no idea if they've implemented the encryption in any kind of sensible way. I guess we'll hear later if someone breaks it. I guess it's nice that there's more encrypted traffic going over the Internet - regular people using encryption means encrypted traffic is not automatically suspicious and needs the same legal process of warrents to intercept it.