AeroFS (YC S10) exits private beta (aerofs.com)
147 points by theboos on April 3, 2013 | hide | past | favorite | 92 comments



This is awesome. AeroFS does everything I want in a file sharing system -- I can either run it entirely on my own machines on LAN and potentially VPN, or at a company on a network also not connected to the Internet, or I can use it as a direct Dropbox alternative (although it lacks some mobile clients and API support).

I've been using it for ~a year or two in beta, as well as all the other alternatives. I still use Dropbox for interoperating with other people who use Dropbox, and for a couple mobile devices which don't support anything else, and I use iCloud for mainly Apple app sync (although it seems to suck for most non-Apple apps) between OSX and iOS, but AeroFS is my preferred option for general file sharing use.

The only downside I've found is dealing with Java on certain OSes (OSX and Windows 7 at times), but generally OS-level Java is fine, it's browser Java which sucks.


I'm not too keen on the fact that AeroFS runs on Java as I would prefer to run Java-free systems as much as possible (Go version would be nice =) but am willing to live with it if that's the only option.


We're working on it (a Java-free system, not a Go version, sorry ;)

See my response here: https://news.ycombinator.com/item?id=5484566


Yeah it's still considered Java. While it's been working wonderfully, this still bothers me a little bit. And why not a Go version?

Any chance to open the protocol so other people can work on different clients?


That's still considered Java - even if you're bundling the runtime dependencies within the app...


Exactly, I removed Java from all my computers about a week ago. And since I have my own personal Debian server, I installed ownCloud 5 on it for file syncing.. and I am happy so far.. the clients are in C++


Every single release of OwnCloud includes security fixes. From XSS to SQLi. I have very little confidence in that PHP project from a security point of view.


You can help them with that, it is opensource.


How do you run it on a network disconnected from Internet? That's a very interesting scenario for the company I work at. I assumed that you need to login with AeroFS credentials when setting up clients and servers, is there an alternative?


Depends on the size of your company, we'd like to explore this a bit further. Shoot us an email at business@aerofs.com and we'll follow up ASAP


AeroFS is awesome! I've been using it since the alpha release and have had nothing but positive experiences. Like rdl says, it does everything I want in a file sharing system.


I was also a long-time user of AeroFS, but SyncApp from BitTorrent has worked much better for me so I've switched over. I would recommend giving it a try.


Possibly Offtopic - If you are going to link directly to blog posts of companies (especially if they have been in private beta) could you PLEASE have a "What is $product" bit.

Either one or two lines in the initial part of each post or preferably in an easily noticeable sidebar.

I had to go to the main site before I could figure out what aerofs was.


Seriously, please do this. The grab on the homepage is great, but we have to click away before seeing what AeroFS actually is!

The grabpoint "AeroFS encrypts your data end-to-end, and only shares your files with those who you invite. Files are never stored in the public cloud." is good, you should stick that into the header, especially for a press release / HN submission where you will be getting attention.


That's marketing 101 folks. You should always include a short paragraph describing your offerings.


At least the logo goes to the main page of the website, and not the main page of the blog.

EDIT: heh, that was fixed 46 minutes ago.


Yup, our bad. Turns out we still have a lot to learn about blogging.


Funny bit is that YC companies always miss this. I think y'all need a launch checklist. (:


I've actually been thinking about putting together a book/list of checklists.

1) Launch 2) Onboarding employee 3) Firing employee 3.5) Firing cofounder(s) 4) Getting hacked 5) Trolled 6) M&A offers 7) Running out of cash 8) Raising (per type of round) 9) Board meetings 10) Annual reporting etc.


Sounds like a great series of blog posts too. I'd definitely be interested as some of those topics are rarely discussed.


Yeah, I think blog + discussion, and then edit, and then turn into a book (which people can download or if they want to buy from Amazon buy, etc.) makes the most sense.

A lawyer's input would be really helpful for some areas; I'm pretty confident from an entrepreneur's perspective, and from a technical perspective, but while I generally am aware of the laws which apply to me, I'm not qualified or credentialed to give anything approaching legal advice.

It would almost make more sense to do in the Founders at Work style, where you have a domain expert work on each checklist/chapter.


Well, if you are serious about this, then shoot me an email. Maybe I can assist in some way. (:


Thanks for the suggestion! I just updated the blog with a quick blurb.


I've recently started using AeroFS although my invite email was gathering dust in my inbox for a long period of time and it was exactly because I couldn't figure out (in a few seconds) why I should use it.

Well, this is actually a relatively different service compared to Dropbox and plethora of other store-your-files-in-the-cloud types. There is no storing of files in the cloud. However, it does the machine-to-machine sync very fast.


For me Java is a no-no because of all the update and security problems with it. Besides, it isn't a lightweight and fast platform. I know many people that wasted a lot of time with Java software upgrading problems because of broken backward compatibility.

The other problem is the pricing model. If I host everything and use my own bandwidth, what do I pay for? Software development and upgrades? This is very expensive for a user with a non-profit activity who just wants to stay in control of their own data.


As far as I understand there's no need to pay if you don't use the teams feature or don't have external collaborators.

Java seems to be a nice way to provide a consistent experience across different platforms, I don't even want to think of installing OwnCloud on Windows. And with OwnCloud I'm even more concerned about security as it's written in PHP, but I may be biased here.


Even with Java this is miles more secure than something like Dropbox or other Cloud Storage where you host all your data on someone else's server. So yeah, Java as a technology choice might not be perfect but which other tech is flawless anyway? I'd argue that properly securing your servers/clients is a much bigger problem than someone exploiting the AeroFS software.

Pricing is for Teams only which makes sense, for everyone else (teams of up to 3) it's free, which is awesome!


Thank you for the pricing clarification. I missed that, my bad.


I really want to use AeroFS, but I have a few criticisms.

a) One of its goals is privacy, but it asks for my first and last name. Why is this needed? I could always lie, but I'd much prefer a single field (e.g. display name) that doesn't explicitly ask for this.

b) It tries to download a .deb file if I'm using Linux. I'd much rather click this myself, and I suspect it does this regardless of whether my system is Debian-based.

c) When signing up, I got no notifications at all. This may be due to NoScript, but I had no indication that my signup was completed. I thought perhaps my password wasn't valid or something along those lines, but I eventually tried to sign in-- it worked.

d) "Non-Ubuntu users can also download the tgz archive." .deb files are specific to all Debian-based systems, not just Ubuntu. Is it fine to install the .deb (which you've tried to download for me) on other Debian-based systems or just Ubuntu? It's unclear.

AeroFS is potentially great, but this isn't the first time I've reported concerns over a, b, and d.

Edit: added d, modified last sentence for clarity


Nice! Just installed. I love the feature list. The fact that it was easier to install and has a nicer UI than Dropbox was a nice surprise :)

Since AeroFS never stores the files, the upload speed must be determined by the upload speed of every team member who is sharing the file, yes?

At the moment, how good is AeroFS at chopping up the bandwidth to get good speeds among, say, four users with upload caps of 1 mbps? How close will it get to 4 mbps?

Do external collaborators help upload on folders they are sharing?

.

P.S. for Ubuntu Unity users: after setup, as with Dropbox, there is one tweak. You need to run the old:

  gsettings set com.canonical.Unity.Panel systray-whitelist "['all']"


You don't need to do this for dropbox, it has a native indicator.


Not to be "that guy", but the logo in the upper left of your blog needs to go to www.aerofs.com, not blog.aerofs.com.


I was just saying the same to a coworker of mine. Not to take away from the announcement of what seems to be a really great product, but I'm really confused why a lot of companies do this. It shouldn't frustrate/enrage me, but it does, almost as much as: Three. Word. Motto.


It's not the default for the blog software. Blog is usually as separate as possible from everything else about your site (which is good, because all the non-static blog engines have HORRIBLE security, especially Wordpress...)


fixed!


3 things.

1) I kinda feel like AeroFS has taken so long to come out that Dropbox occupies a huge chunk of mindshare. It's almost as if AeroFS will need to spend a bunch of time answering the "why should I switch" question. That said, I would love to see AeroFS succeed as I am less than keen on Dropbox's less than stellar handling of security in the past as well as their general security model.

2) This leads to my second point. AeroFS, please please work with 1Password to do whatever you need to get 1Password+AeroFS working. If this is available, I'm switching right away.

3) Mobile support. Yes, please.


OTOH, most businesses don't yet use Dropbox (much) today. If AeroFS's market is the enterprise, they're competing with Windows file sharing/SMB/Samba, NFS, etc., not so much with Dropbox. It's a bit skewed in Silicon Valley and in the consumer market.


A bunch of my enterprise clients seem to be fairly familiar and they seem to all have come through the personal use route.

If the target market is enterprise, companies like Box compete there and supposedly have more controls. That said, Box does not have filesystem integration, the last time I checked.


Cool product! Although the first thing I tried was to share a nested folder to see if it was REALLY a Dropbox killer for me ;)

Can't wait to start playing with the team server version! It would be great if I were able to get ad-hoc access to files on the team server from, say, the android app (the same way I do with Dropbox).


Android app is currently being beta tested, and will indeed grab files from the team server as you requested :) --yuri


We've been using AeroFS to share multi-GB folders and files for the last year. It's perfect for video and images...no size caps!


It is not clear from the site if the data I give to AeroFS is encrypted at rest. There is a section called "End-to-end Security" that states:

  AeroFS uses AES-256 with 2048-bit RSA to create secure
  connections directly from one device to another. Because
  encryption is end-to-end, even we can't see your data or
  even file names.

But this does not actually tell me in plain terms if you encrypt my data when it's sitting on your servers or not and that's actually a more important question to answer. Everyone expects data to be encrypted in transit. You don't get extra points for that. Would you mind clarifying if the data is ever on your servers in an unencrypted form?


Your data is never stored on our servers in an unencrypted form. Moreover, the data is never stored on our servers at all.

In some scenarios (when two clients are both behind aggressive firewalls, for instance) the data may be _relayed_ by our servers, but in those cases it is encrypted (end-to-end) between the devices syncing using their respective public/private keys, so we can't eavesdrop.


Do you have a spec of your security model?

I really hope it's not a homebrew solution but something based off existing protocols. In either case, since security and privacy are your primary feature, a full disclosure of how it works inside is a must.


A proper writeup is in the works, but to cover the basics: we know not to implement our own crypto. :)

Passwords: we apply scrypt() before any use or storage. We never store the plaintext.

Device-to-device: standard PKI. We have a CA, and the CA's cert is bundled with the client software. Devices generate 2048-bit RSA keys at setup time. They then generate a PKCS10 CSR which our CA signs, provided you give a valid username/password. When peers wish to communicate, they establish a DTLS connection (we use OpenSSL's DTLS implementation, and AES-256-CBC as the default ciphersuite), verifying that the other device:

  * is certified by our CA to represent the claimed user and device (identity)
  * is not using a certificate with a revoked serial number
  * is trusted to send and receive information about the relevant shared folder (authorization)

Device-to-server: Everything between your machine and our servers uses TLS. Where possible, we trust only our own CA. Implementation-wise, we use Java's crypto providers for TLS.

Revocation: When you unlink or remote-wipe a device, we mark the certificate associated with that device as revoked, and notify each of your clients either immediately (if they're online) or as soon as they come online and reconnect to our push notification service that the revoked device is no longer to be trusted. (This is one of the other tasks that our servers provide - prompt delivery of device revocation information.)

We update our libraries promptly and are subscribed to the appropriate mailing lists.

Finally, if you believe you have discovered a vulnerability in some part of the AeroFS system, please contact us at security@aerofs.com (PGP key 6E1DC9F9, if you prefer encrypted email).
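The comment above says passwords get scrypt applied before any use or storage. The block below is an added illustration of that practice (not AeroFS's code; the work-factor parameters, record format and function names are this example's own assumptions, and nothing on the page states the parameters AeroFS uses). It uses Python's standard-library scrypt, a random per-password salt, a self-describing record so parameters can be raised later, and a constant-time comparison on verification.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters: constructed for this example, not AeroFS's values.
# 128 * N * r bytes of memory (16 MiB here) is the cost an attacker pays per guess.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
KEY_LEN = 32    # bytes of derived key stored


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored record 'scrypt$N$r$p$salt_hex$key_hex' from a password.

    The plaintext is never stored; only the salt and the derived key are.
    A caller may pass a salt to make the output reproducible (tests); normally
    a fresh random salt is drawn for every password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), key.hex()]
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and compare.

    Parameters come from the record, so older records keep working after the
    defaults above are raised. The comparison is constant-time so timing does
    not leak how many leading bytes matched.
    """
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        derived = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters).
        return False
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```

The record format is the design point worth noting: because N, r and p travel with each stored hash, a deployment can raise the cost parameters for new passwords without invalidating old ones, and re-hash an old record the next time its owner logs in.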


Do you use certificate pinning on the clients? I.e. once a client sees the peer's cert for the first time, it should remember it and warn if it ever changes afterwards.


Cert pinning only makes sense if you happen to trust multiple CAs, but want to stick to the cert issued by one particular one. We only trust one CA, and each issued cert is bound to a user and device id, so this is a non-issue. :)


No, no, no.

It has nothing to do with that. Cert pinning is used to mitigate man-in-the-middle attacks whereby an attacker somehow obtains a valid certificate for the peer's ID further down the road. If the certificate is not pinned, then the client will swallow a new cert without a peep, because it tracks back to a trusted CA.

Cert pinning is the equivalent of ~/.ssh/known_hosts. It allows me to pin a specific public key to a peer and be notified if that key ever changes.

In your case, you might've gone with self-signed peer certs, but that would've obviously required manual verification of the peer's key on 1st contact. This is a bit of a UX issue, because few people would bother to actually verify a string of hex numbers between two computers. So, naturally, you introduce a chaperone entity - your CA - that vouches for the peer's credentials. I am willing to trust it, but consider it a "weak" trust that I put in place only for convenience purposes and to get stuff going quickly. Later on I may look and compare the key hashes (one provided by the peer in an out-of-band fashion and the other I compute from my own copy of the key) and if they match only then will I know that I have a truly secure connection with the peer and that you didn't lie in your initial peer introduction. At this point I want to pin the peer's key, so as to be notified to repeat the manual verification process if/when the key changes.

tl;dr - Just add the cert pinning and display the cert's public key hashes (mine and the peer's) somewhere in the UI.
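The exchange above contrasts two things a client can check: that a peer cert chains to the one trusted CA, is not revoked and is authorized for the folder (the three checks listed in the AeroFS reply), and, separately, that the peer's public key is the same one seen before (the known_hosts-style pinning the reply argues for). The block below is an added model of both together; it is not AeroFS's code. Certificates are stand-in dataclasses with a field that represents an already-completed chain validation, the public-key bytes are constructed, and the pin store keeps a SHA-256 fingerprint per (user, device), which is also the value a UI would display for out-of-band comparison.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed stand-in for an X.509 device certificate. In a real client the
# fields come from the parsed cert and issued_by_our_ca from chain validation.
@dataclass(frozen=True)
class PeerCert:
    user: str
    device: str
    serial: int
    spki_der: bytes          # DER SubjectPublicKeyInfo (constructed bytes here)
    issued_by_our_ca: bool   # result of validating the chain to the bundled CA


@dataclass
class PinStore:
    """known_hosts-style store: (user, device) -> fingerprint of the pinned key."""
    pins: Dict[Tuple[str, str], str] = field(default_factory=dict)

    @staticmethod
    def fingerprint(spki_der: bytes) -> str:
        # Hash of the public key, not of the whole cert, so a re-issued cert
        # carrying the same key does not trip the pin.
        return hashlib.sha256(spki_der).hexdigest()

    def check(self, cert: PeerCert) -> str:
        """Return 'pinned' (first contact), 'match', or 'changed'."""
        key = (cert.user, cert.device)
        fp = self.fingerprint(cert.spki_der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp          # trust on first use
            return "pinned"
        if hmac.compare_digest(pinned, fp):
            return "match"
        return "changed"                 # do NOT overwrite; caller must re-verify

    def accept_new_key(self, cert: PeerCert) -> None:
        """Re-pin after the user has compared fingerprints out of band."""
        self.pins[(cert.user, cert.device)] = self.fingerprint(cert.spki_der)


def verify_peer(
    cert: PeerCert,
    revoked_serials: Set[int],
    folder_acl: Dict[str, Set[str]],
    folder: str,
    pins: PinStore,
) -> Tuple[bool, str]:
    """Apply the CA-based checks first, then the key pin. Returns (ok, reason)."""
    if not cert.issued_by_our_ca:
        return False, "not issued by trusted CA"
    if cert.serial in revoked_serials:
        return False, "certificate revoked"
    if cert.user not in folder_acl.get(folder, set()):
        return False, "user not authorized for folder"
    status = pins.check(cert)
    if status == "changed":
        # The cert still chains to the CA, which is exactly the case pinning
        # exists to catch: refuse until the new fingerprint is verified.
        return False, "pinned key changed; compare fingerprints out of band"
    return True, status


if __name__ == "__main__":
    pins = PinStore()
    acl = {"photos": {"alice", "bob"}}
    alice_k1 = PeerCert("alice", "laptop", 101, b"alice-key-1", True)
    alice_k2 = PeerCert("alice", "laptop", 102, b"alice-key-2", True)
    print(verify_peer(alice_k1, set(), acl, "photos", pins))   # (True, 'pinned')
    print(verify_peer(alice_k1, set(), acl, "photos", pins))   # (True, 'match')
    print(verify_peer(alice_k2, set(), acl, "photos", pins))   # (False, 'pinned key changed; ...')
    print(PinStore.fingerprint(alice_k2.spki_der)[:16], "<- show this in the UI")
```

Note the ordering: revocation and authorization are checked before the pin, so a revoked device never gets as far as updating the store, and a changed key is reported rather than silently replacing the old pin even though the new cert validates against the CA.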


What would make just as much (or more) sense for most of their enterprise deployments would be to let the enterprise's own PKI take over. A lot of businesses would probably want to be able to silently update keys (although I can see the value in pinning/local cache with notification on change). They may do that as part of the "custom LDAP/AD" tier.


Arguably you should also public key pin the key for https://www.aerofs.com/ anyway, just to get initial protection. IMO you're important enough and clueful enough to get this from Chrome, but I'm not agl.


ECDHE used?


You can go straight peer to peer when behind less-than-totally-aggressive firewalls, using the double open trick used by voip apps like Skype, right?


Yes, we use NAT traversal techniques where possible on the WAN, and direct TCP connections over the LAN.


I'm confused. This makes your servers sound almost entirely useless most of the time. What role do they normally play?


It sounds like they are using their servers as a relay to get around two clients that are behinds NATs.


Yes, I got that, but what else do they do?


It's a rendezvous service. They help clients locate each other.


Great, thanks for the response!


Wow, finally! And congrats. This would be the only application which would require running Java on my dev server, so that's a point against it when evaluating it against other options. But I don't want to knock a developer reaching for the best tool for the job in getting this thing finally opened up to everyone. Thanks!


Any plans for Java-free implementation of the client software? It's a pretty big and an unwelcome dependency.


We've actually just released a Java-free installable for Windows about a week ago (see release 0.4.173 @ http://support.aerofs.com/knowledgebase/articles/93285-relea...).

What we've done in the Windows installation is bundle a minimal JRE as a light-weight library. The JRE is loaded by AeroFS at runtime and is otherwise completely isolated, so no dependency exists on Java in Windows. Based on how well that has worked out so far, we'd like to do a similar approach for OSX and Linux soon.


Damn, so back to AeroFS? :) I was quite happy with the syncing (although sometimes the sync started after a long time), but I decided to dump Java from my system..

Do you have an ETA for the OS X and Linux versions of this "Java-free" build?


Great. That's a sensible solution.

Congrats by the way :)


How much memory does this typically consume?


Great news, best of luck, but you might have to iterate on the pricing...


The pricing doesn't make sense to me – 4 person teams are penalized vs. 3 person teams. The jump goes from $0/month to $40/month, so the incremental cost for going from 3 to 4 people is steep (at least compared to all the other incremental moves).

It's a minor detail, but it seems odd to me.


Atlassian goes from $10 to $1500 from 0-10 and 10+....


Yeah, I think you should be able to pay for support even with 10-20 users. If I were using this in a business as my primary file sharing system, even with 5 users, I'd be a lot more comfortable paying more to get the "custom" support. Although LDAP/AD integration would be really important for most deployments anyway, so you'd already be in the custom tier.


Congrats Yuri. I love the product.


End-to-end encrypted private file sharing darknet that basically appears as a regular folder and doesn't share anything outside your friends. Given some critical mass, that'd just be way too user-friendly for sharing files with $FRIENDS.

Now I'd like to know what the MAFIAA can do about that? This is where it's headed anyway, what the world needs is a mass-market darknet software and this sort of thing just might be it, given Dropbox's popularity.


Been using it for over two months now during private beta and pretty much just gave up last week.

The main reason is because one of my linked computers is a Linux computer. I've tried on both Ubuntu, through the deb package, and Arch, through AUR, and the syncing either never happens or happens after a few hours. For the former, restarting the service a few times somehow fixes it, but it's never clear why.


Hey, this is Drew from AeroFS. Sorry to hear you've been having trouble syncing. If you want to report an issue (AeroFS -> Help -> Report a Problem in the GUI, or aerofs-sh report "Description of your issue" from your terminal of choice), we will be happy to take a look at your issues and see what's going wrong.


You guys have been helpful when I've had problems, don't get me wrong. Sorry if it feels like I'm just dumping on your product. I just always assumed that since I'm just using aerofs from the AUR, it's not exactly completely supported, so I never bothered with sending in reports.


Ah, I understand completely; no worries. :)

Officially, we only support Ubuntu, but in general we like to have things work for any setup that's not too exotic. Indeed, some of the more helpful bug reports I've looked at and fixed have come from Arch users.

Thanks for the feedback anyway, and let us know if there's anything else we can do. :)


Have you reported this to them?

Perhaps it's best not to wait for them to go into public beta in order to report it publicly.


Nice job guys! You've built a really nice product and it's great to see you expanding your user base!


How does it compare to Tahoe-LAFS¹?

¹https://tahoe-lafs.org


Two different things.

Tahoe-LAFS is a secure storage system (protocol and free software implementation). It does not handle synchronization between devices (only RAID-like replication).

AeroFS is a sync service (proprietary software only). It does not provide any storage, but only syncs data between your devices.


When I just have 2 clients syncing with each other and one of them is not permanently available to sync, this isn't going to work very well, right?

So I'd need some central always-on server to sync my stuff to, to have it all synced and secure all the time.


Oh how nice it would be to be able to run this on my Raspberry Pi's and have off site backups on the cheap. Since most of the people I know now have fiber I'd make a nice distributed system of RPi's to keep everyone's pictures safe.


How is it different from existing "built-in" folder sharing (e.g. SMB)?


It works over the Internet. It is basically Dropbox, but peer-to-peer within your personal collection of machines. They do not provide the storage.


How is sharing different from syncing?


Can I point AeroFS at the root of my NAS and have it back up everything (including permissions and userid/groupid metadata) to another physical location?


I am experimenting with Dropbox + Truecrypt. The trade-off is between limited free space vs. the hassle of maintaining your own cloud.


Try Boxcryptor, probably even less hassle to set up?


Had hoped support for syncing arbitrary folders was going to be in for launch: http://support.aerofs.com/forums/67721-feature-requests/sugg...


Why did you obfuscate the jar files? :( Why no love for opensource?


Even if they didn't obfuscate the jar files, it wouldn't be open source.


Linux support!?! <3


Sign up doesn't work?

Get dummy html in json request...


Congrats AeroFS team!



