Submission + - Jungle Disk remarkably insecure (daemonology.net)
A few weeks ago, in the wake of stories about Dropbox's poor security, a user of my Tarsnap online backup service mentioned that he had heard Jungle Disk recommended as a secure alternative. This surprised me, since I remembered from the early days on the Amazon Web Services developers forums that JungleDave — as the author called himself — was always far more concerned with ease of use than with security. Had things improved? I decided to investigate, and I wasn't impressed with what I found.
Unlike most online backup / storage companies, Jungle Disk has released source code, here and here. They did this because in the early days of Jungle Disk, people wanted some assurance that they could get their data back if Jungle Disk went out of business; since the Jungle Disk client stores data directly to Amazon S3 and Rackspace Cloud Files, it is also possible to read files directly from those services. (This is also a feature which Tarsnap users frequently request, but the design of Tarsnap — including amortizing S3 PUT costs across blocks uploaded from multiple users — makes it impossible to provide such a mechanism for Tarsnap.)
Now, this code is not the code used in the actual Jungle Disk client — like most other online backup services all you get is a binary, and you have to trust that it isn't doing anything wrong (either due to intentional mis-features or accidental bugs) — but the fact that the published source code can interoperate with the Jungle Disk client code does at least provide us with some information about what Jungle Disk does cryptographically.