
Submission + - Jungle Disk remarkably insecure (daemonology.net)

An anonymous reader writes: Insecurity in the Jungle (disk)
A few weeks ago, in the wake of stories about Dropbox's poor security, a user of my Tarsnap online backup service mentioned that he had heard Jungle Disk recommended as a secure alternative. This surprised me, since I remembered from the early days on the Amazon Web Services developers forums that JungleDave — as the author called himself — was always far more concerned with ease of use than with security. Had things improved? I decided to investigate, and I wasn't impressed with what I found.

Unlike most online backup / storage companies, Jungle Disk has released source code, here and here. They did this because in the early days of Jungle Disk, people wanted some assurance that they could get their data back if Jungle Disk went out of business; since the Jungle Disk client stores data directly to Amazon S3 and Rackspace Cloud Files, it is also possible to read files directly from those services. (This is also a feature which Tarsnap users frequently request, but the design of Tarsnap — including amortizing S3 PUT costs across blocks uploaded from multiple users — makes it impossible to provide such a mechanism for Tarsnap.)

Now, this code is not the code used in the actual Jungle Disk client — like most other online backup services all you get is a binary, and you have to trust that it isn't doing anything wrong (either due to intentional mis-features or accidental bugs) — but the fact that the published source code can interoperate with the Jungle Disk client code does at least provide us with some information about what Jungle Disk does cryptographically.

Comment Re:It is not impossible (Score 1) 333

Tarsnap's snapshotting model is a bit more sophisticated than how duplicity works, and its separate keys for writing/reading/deleting archives makes it possible to do some things you can't do with rsync.net (e.g., you can have a server which does daily backups with Tarsnap while still making it impossible for someone who roots the server to tamper with said backups).

But yes, tarsnap and duplicity+rsync.net are certainly more similar than, say, tarsnap and dropbox.

Comment Re:It's all about entropy (Score 1) 467

If all you ever want to compress is files which contain the same byte repeated many times, then yes, that's how you would compress them.

But most compression formats are tuned to produce good results for the sorts of files which people are more likely to need to compress; so even when run-length encoding is used, it will typically have a low limit -- say, 255 -- on the run length.

Comment Re:Go work for RethinkDB! (Score 1) 207

If you don't want to live in the bay area, then don't work for RethinkDB, I guess? I don't think they're hiring anyone remote (but I might be wrong).

And what's wrong with rsync for backups?

  1. rsync isn't backups, it's synchronization. It will happily synchronize corrupted files and (if you use the relevant option) file deletions.
  2. rsync requires you to trust the location you're syncing your data to.
  3. Because rsync is designed for synchronization, it doesn't store your data compressed.
  4. Because rsync works file-by-file, it can't take advantage of duplication between files.

Probably other things too, but those are the first ones which come to mind.

Comment Go work for RethinkDB! (Score 1) 207

I've talked to Slava a lot, and he's a really smart guy. Unlike most startups, RethinkDB is actually doing innovative things. If you're looking for work in the bay area and you're good at algorithms, GO WORK FOR RETHINKDB!

(If I didn't have my own startup, I'd be working there right now -- instead I'm cheering them on from afar.)

Comment Re: unintentionally? (Score 1) 414

When your own saved seeds include them, even if you would not select at all?

That's a good question, but it's purely hypothetical. This guy did actively select the Monsanto seeds to plant them. The court specifically said that they didn't believe it was accidental that 95% of his field ended up having Monsanto genes.

Comment Re:unintentionally? (Score 1) 414

But if his fields had been naturally pollinated, why should he be responsible for Monsanto's inability to contain their pollen?

Because he specifically decided to replant the Monsanto seed. It's one thing to have your crops polluted; it's quite another to say "hey, I like this pollution and I'm going to spread it further".

In fact, if he was in the business of selling non-GMO, the contamination of his fields could cost him value, customers, or even entire markets.

Which is why Monsanto agreed to pay him for the costs of eliminating the Monsanto seed which had been accidentally blown into his field.

Comment unintentionally? (Score 4, Interesting) 414

Reader n4djs notes that Monsanto has been known to sue farmers for patent infringement when their crops unintentionally contain genetically modified plants.

This might have happened, but the Percy Schmeiser case is not such a case. The Supreme Court of Canada found that Schmeiser deliberately harvested and planted his field with seed which he knew had Monsanto's genetic modifications.

It rather scares me that one of the leading anti-GMO spokesmen is someone who deliberately planted his field with genetically modified seed and then lied about it when he got caught.

Comment This is an opportunity, not a threat! (Score 2, Interesting) 135

Providing that humanity still exists in the year 1.5M but hasn't yet spread to other solar systems, this is a huge opportunity: Rather than needing to travel 3-4 light years in order to reach another star, we'll need to travel less than one light year -- thus making the trip both faster and much cheaper.

Who knows, it might even be possible to slowly spread across the entire galaxy without ever venturing into interstellar space.

Comment This sucks, but is it wrong? (Score 1) 253

This definitely sucks for cryptome. But has PayPal actually done anything wrong?

It seems to me that PayPal isn't trying to be evil here; rather, they made a business decision that cryptome wasn't an organization they wanted to do business with. Businesses make such decisions every day -- car rental companies in Canada, for example, often refuse to rent cars to anyone under age 25 -- so why is it different when PayPal does the same thing?

(For the record, my company only takes payments via PayPal, but I'm eagerly looking forward to the day when Amazon Payments or Google Checkout start accepting Canadian merchants. I don't like PayPal either; I just think they're not being evil in this case.)
