Free online backup (in Off-topic)


AdminJonathan September 27 2005 12:48 PM EDT

At my day job, I write code for a company called Berkeley Data Systems.

Our first product is free online backup at mozy.com. (I work on the Python back-end.) Our second beta release was today; the obvious problems have been fixed, so I feel reasonably good about unleashing the CB hordes on it. :)

Please note that after the beta period (my guess: at least a month) the "price" for mozy is that every so often we'll send you advertisements by email. (But we'll never sell your address to anyone else, and we promise not to allow any body-part-enlargement crap.) We recognize that some potential users may be turned off by this, and we will probably offer for-pay options in the future, but I can't give a time frame on when that might be.

But again, we won't be sending any ads out during beta, and you're free to cancel your account at any time, so there's no risk in trying it out.

(Posting this is one of the perks of running the game. We now return you to your regularly scheduled NUB and USD flames.)

Will [Retired] September 27 2005 12:54 PM EDT

A couple of questions... If everyone is allowed 2 GB space, how much in total do you have running down there?
...Is 448-bit encryption really necessary? wouldn't that take millions of years to break? :S

I was Dignifried Bean September 27 2005 12:56 PM EDT

How can you do this to me. You've ruined everything! I quit.

--Tyr
:via autoresponder. (patent pending)

AdminJonathan September 27 2005 1:01 PM EDT

Right now we have over 10 TB. I probably shouldn't say how much exactly. :)

448-bit blowfish is Serious Encryption, but that's what you need these days.

bartjan September 27 2005 1:05 PM EDT

I think you already know what question I'm about to ask... ;)

When will the 5th FAQ be updated?

AdminQBVerifex September 27 2005 1:13 PM EDT

Awwwww, it doesn't work on Win2k? :(

I'm shocked and appalled!

AdminJonathan September 27 2005 1:17 PM EDT

I don't have a timeline on when non-XP platforms will be supported.

[Tranquility]-USDForger [Azn Forgesmith] September 27 2005 1:18 PM EDT

Would you promise no one would look into my data if I secure my private videos on this? I just don't want my stuff running around Ares and the like.

[EG] Almuric September 27 2005 1:19 PM EDT

That's supercool, Jon. I'll be partaking of this service very shortly, I think. Considering my DVD writer gave up the ghost a few days ago. I've been sweating it, but now... looks like my worrying is over. Thanks.

AdminJonathan September 27 2005 1:25 PM EDT

Your data is encrypted on our servers, Major. (See the faq for details.)

I will see about making this more clear on the front page.

AdminQBVerifex September 27 2005 1:49 PM EDT

I wish I had XP here at work now, this would be rather ideal for my data.

Relic September 27 2005 1:51 PM EDT

Very cool app Jonathan. Backing up my "My Document" folder right now. :)

AdminShade September 27 2005 2:16 PM EDT

hmmm sounds interesting

AdminG Beee September 27 2005 2:37 PM EDT

Jon is involved therefore I don't question the integrity of mozy.com and what they are offering.

However...(from the privacy section)

"We may use Personal Data and other data we receive from you or collect to determine which advertising and promotional material to provide to you."

...would make me uncomfortable if I came across this with no referral. It's the "other data we receive from you" that caught my eye on the first pass.

Arorrr September 27 2005 3:07 PM EDT

448-bit blowfish sucks, bit-wise, compared to other stronger encryption schemes, like AES.

xDanELx September 27 2005 3:16 PM EDT

G_Beee, that's the part where Jonathan says the company sends out advertisements to you. Normally, these are targeted ads based on personal information that you put in during registration if I'm not mistaken.

I guess the question would really be, will the company snoop (trawl, mine, etc.) on data that we have put onto the servers?

Arorrr September 27 2005 3:20 PM EDT

Ahh, I can see why Jon's company used blowfish:

Taken from Bruce Schneier's website:

Block cipher: 64-bit block
Variable key length: 32 bits to 448 bits <------ (the most you can get)
Designed by Bruce Schneier
Much faster than DES and IDEA <------ (doesn't say much, DES & IDEA are the weakest around, bit-wise)
Unpatented and royalty-free <------ (free stuff!!)
No license required
Free source code available <------ (free code!!)

AdminJonathan September 27 2005 3:26 PM EDT

we tried to make the privacy statement clearly state that we don't snoop your data.

it's a little less clear after 3 or 4 passes through the lawyers, unfortunately.

AdminJonathan September 27 2005 3:27 PM EDT

... saying blowfish sucks vs AES just tells me that you're a poser who doesn't know what he's talking about. Sorry.

AdminJonathan September 27 2005 3:45 PM EDT

changed to "other data you explicitly agree to send to us"

(will go live with our next site update, probably in a few days)

AdminG Beee September 27 2005 3:52 PM EDT

Actually, after looking at more sites who offer similar services none of them make me feel secure in the knowledge that my data will remain my own. However, they do bury the small print in a lot more gobbledegook than mozy.com and it's therefore less obvious.
I guess they've all been to the same lawyers Jon and I assume it's a legal necessity rather than a macabre plot to get their hands on my bank statement :)

AdminShade September 27 2005 4:13 PM EDT

Does your information get checked on content?

for instance: could someone put in plans to assassinate somebody without anybody knowing it?

just a question, haven't visited the site yet so carp me if it's explained in there ;)

bartjan September 27 2005 4:18 PM EDT

I believe the client already encrypts it. As I tend to trust Jonathan enough to assume that "no spyware" really means "no spyware", only the NSA and you know what actually is stored on those backups.

Ilovehellokitty September 27 2005 4:19 PM EDT

I hope that no one in Berkeley Data Systems is able to "snoop/peep" at all. Should it be already encrypted the milliseconds I upload the files into the server? Without the random automatic key (or chosen by user) no one else can decrypt, right?

AdminJonathan September 27 2005 4:25 PM EDT

yes, like bartjan said, it's encrypted on the client before it's even sent to the server.

you could verify this by creating an ssl "man in the middle" proxy and telling your computer that the proxy is data.mozy.com, if you really wanted to. :)
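
The check Jonathan describes, sketched as an added example (not part of the thread and not Mozy's code): plant a known marker in a file, capture your own client's upload body through your proxy, and search the capture for the marker. The capture step is assumed; `CANARY`, the sample bodies and the SHA-256 stand-in cipher (not Blowfish) are constructed for illustration.

```python
import base64
import hashlib
import math
import zlib
from collections import Counter

# Constructed marker: put it in a throwaway file inside the backup set before capturing.
CANARY = b"CANARY-7f3a-backup-plaintext-check"

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; ~8.0 for ciphertext, but also for merely compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def payload_views(body: bytes):
    """Yield the captured body plus cheap reversible decodings a client might apply."""
    yield "raw", body
    try:
        yield "zlib", zlib.decompress(body)
    except zlib.error:
        pass
    try:
        yield "base64", base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        pass

def find_leaks(body: bytes, canary: bytes = CANARY) -> list:
    """Return 'view/encoding' labels wherever the canary is readable."""
    needles = {"ascii": canary, "utf-16le": canary.decode("ascii").encode("utf-16-le")}
    return [f"{view}/{enc}" for view, data in payload_views(body)
            for enc, needle in needles.items() if needle in data]

def assess(body: bytes) -> dict:
    leaks = find_leaks(body)
    entropy = entropy_bits_per_byte(body)
    # Entropy alone cannot prove encryption; the canary search is the real test.
    return {"leaks": leaks, "entropy": round(entropy, 2),
            "looks_encrypted": not leaks and entropy > 7.5}

def standin_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the client's cipher (SHA-256 counter keystream, NOT Blowfish)."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample bodies standing in for what a capture of your own upload might hold.
PLAINTEXT_UPLOAD = b"quarterly notes\n" * 200 + CANARY + b"\nend\n" * 50
COMPRESSED_UPLOAD = zlib.compress(PLAINTEXT_UPLOAD)
ENCRYPTED_UPLOAD = standin_encrypt(b"constructed-demo-key", PLAINTEXT_UPLOAD)

if __name__ == "__main__":
    for name in ("PLAINTEXT_UPLOAD", "COMPRESSED_UPLOAD", "ENCRYPTED_UPLOAD"):
        print(name, assess(globals()[name]))
```

A compressed-only upload scores high on entropy yet still leaks the marker once inflated, which is why the canary search, not the entropy figure, decides the result.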

Ilovehellokitty September 27 2005 4:31 PM EDT

What's "NSA"? (per bartjan) {Sorry, I am not too nerdy -in a good way- as you all can already tell}

[Tranquility]-USDForger [Azn Forgesmith] September 27 2005 4:36 PM EDT

National Security Agency a.k.a. NSA

{CB1}-Mokaba September 27 2005 4:38 PM EDT

To my knowledge the F.B.I. has all the keys of encryption that is on the market for obvious reasons.

AdminJonathan September 27 2005 4:41 PM EDT

you're misinformed, Mokaba.

Nobody would use an encryption product that gave the FBI a back door.

Or the NSA, bart's joke aside.

bartjan September 27 2005 4:41 PM EDT

I also have all the keys of all encryption on the market. Finding the right key is what the challenge is ;)

Maelstrom September 27 2005 4:46 PM EDT

In the cryptography world, it is a standard assumption that the NSA is able to crack any system, or at least it was 3 years ago when I was into that stuff. Of course, they probably spread rumours like that intentionally...

{CB1}-Mokaba September 27 2005 4:49 PM EDT

O, yes, they have to give it. But there is a way around it. If you are a suspect the F.B.I., can penetrate your computer and if there are encrypted files on it, they have to read it. Yes, the F.B.I., has a back door. But not many people know it, lol. Normally encryption is safe but not for those guys. :)

AdminJonathan September 27 2005 5:09 PM EDT

dude

you're an idiot

there is no backdoor in blowfish. the code is available, check it out. or pay someone to do it, since I'm guessing that you don't have that kind of expertise or you wouldn't be making these claims.

{CB1}-Mokaba September 27 2005 5:14 PM EDT

I'm an idiot, fine Jonathan have it your way.

Tezmac September 27 2005 5:18 PM EDT

Looks pretty slick Jon, I might start sending some of my CFD work there. Honestly, who can whine about 2 GB of free encrypted offsite storage? Oh wait, you posted the info on CB...

/me watches the 8 year olds whine about encryption and the "133t h4x0r F81 4g3nts" who are going to get your stuff...

[EG] Almuric September 27 2005 5:32 PM EDT

Mokaba, let me assure you, you truly are an idiot.

There are all kinds of people out there, good and bad, who are using encryption precisely because they know no law-enforcement agency can break it.

The code is secure. The keys, however, are only as secure as the least secure person/PC involved.

And, lastly, remember the great words of Bill Gates: "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers."

Arorrr September 27 2005 5:41 PM EDT

[quote Jon] saying blowfish sucks vs AES just tells me that you're a poser who doesn't know what he's talking about. Sorry.


.... Blowfish is developed by the same author, who later developed Twofish to enter AES competition.

Twofish was one of the 17 candidates for first round of AES to replace DES standard in US. Twofish remained to be one of the final 5 candidates coming into the second round of AES.

Twofish lost to Rijndael and Rijndael becomes de-facto encryption standard for US government...


Time line: blowfish ---> twofish ---> AES

I said blowfish blow, bit-wise... example Encryption Strength (weaker to stronger)
1042 DES
Jon, you of all people should know more bit does not equate to stronger protection. 8^)


-------------

BTW, I implemented both Blowfish, Twofish and AES in hardware, so I think I know somewhat about these encryption schemes.

On another note, any implementation of encryption standards developed in the US that cannot be cracked by the NSA in a timely manner will face export restrictions from the US government. Open free codes = usually good for commercial but not against NSA; otherwise, US government would interfere already.

Arorrr September 27 2005 5:44 PM EDT

This got cut off somehow: I said blowfish blow, bit-wise... example Encryption Strength (weaker to stronger) 1042 DES

Arorrr September 27 2005 5:46 PM EDT

LOL.. quote script cut my stuff again

1024-bit DES is less than 512-bit IDEA which is less than 448-bit blowfish which is less than 256-bit AES.

More bit per key does not mean stronger encryption.

bartjan September 27 2005 5:48 PM EDT

Well, the US got rid of those export restrictions (except to the 7 "axis of evil") several years ago.... Maybe time to update your info?

Arorrr September 27 2005 5:55 PM EDT

I'm not sure if you know this but Blowfish does have weak keys, which is a main drawback of the algorithm. It is POTENTIALLY very weak in implementations with 14 rounds or less. Also, it is weak against differential and power attacks.

So unless you know how to implement the "free" code correctly, you end up with a really weak core. 448-bit key does not mean much. I'd rather see 256-bit AES or 126-bit ECC (yah! the strongest of all so far)

Come here to see the *author* talking about his algorithm.
http://www.schneier.com/blowfish.html

Arorrr September 27 2005 5:59 PM EDT

Bartjan. You may be right, but for software only. Hardware implementation is still restricted.

Jon, does your software restrict uses to users in those countries?

AdminJonathan September 27 2005 6:09 PM EDT

bart is indeed correct, as usual

and yes, we know what we're doing with blowfish

Arorrr September 27 2005 6:10 PM EDT

One last thing before I go home today. My previous profession was cryptography and hardware implementation. I implemented blowfish, twofish, des, triple-des, aes, ecc, rsa and others in *hardware*. I consider blowfish better than triple-des; but not much else.

I'd rather use twofish, myself, rather than blowfish. Considering blowfish was a pre-twofish. Twofish has all of the characteristics of blowfish, but with more protections against attack.

Tezmac September 27 2005 6:19 PM EDT

Blow-fish, Two-Fish, Red Fish, Blue Fish?

Relic September 27 2005 6:20 PM EDT

I have written credit card encryption using a symmetric key algorithm for two companies now (one being a public company). It is 256 bit encryption and I know of no one that has cracked 256 bit encryption yet. If blowfish is comparable (which it probably is) your data is completely safe. Even Triple DES encryption can be broken by the government, but that is pretty much the extent of their encryption cracking AFAIK.

AdminG Beee September 27 2005 6:32 PM EDT

According to Tom Clancy it's possible to crack any encryption package as long as you meet a beautiful female stranger and have her fall in love with you before the end of the novel.

hmm, not sure which is harder. Meeting a beautiful female stranger who falls in love with you or cracking some state of the art tip top encryption software.

As far as I'm concerned mozy.com looks very interesting and a worthwhile piece of software to download.

AdminQBVerifex September 27 2005 7:21 PM EDT

I wrote a simple encryption system using hashes, passwords and timestamps a while ago, it was pretty neat. I don't know how to make complex encryption systems, but I bet the most advanced ones use combinations of multiple encryption systems on-top of each other, or something, I mean I assume at some point it is redundant to try and encrypt the data with the same encryption system again and again. I do like encryption though, even though I will admit I know very little about it.

AdminJonathan September 27 2005 7:25 PM EDT

the blowfish paper gives a fair amount of information about the thinking behind the algorithm, and is far more readable than most.

http://www.schneier.com/paper-blowfish-fse.html. (See "Design Decisions" section.)

Special J September 27 2005 7:56 PM EDT

I use those markers, the ones that write clear then you take the special other marker and draw over it to reveal the secret launch codes.

This method can not be broken, except with the use of a magic decoder ring. However, they are rare to find.

Adrian Exodus September 27 2005 8:14 PM EDT

i got one of those decoder rings in a box of cap'n crunch i remember cause i got it 2 weeks after i got the whistle.

maulaxe September 27 2005 8:25 PM EDT

I wish my data was as secure as that :(
I don't buy cracker jacks...

[Tranquility]-USDForger [Azn Forgesmith] September 27 2005 9:29 PM EDT

I don't understand one thing. Would this eventually turn out to have monthly payment? (I do see 'free' as in beta testing) or it will perm. considered with that little "catch". I saw secured email was going as low as 1$/email (which ended up to be millions dollar company)

[EG] Almuric September 27 2005 9:42 PM EDT

I'm backing up right now. And look Ma, no hands!

AdminJonathan September 27 2005 10:28 PM EDT

there will always be a free version

maybe we will add a "pay us and you don't get ads" version, like I posted, but the free version is definitely not going away

(the founder has a well-developed sense of social obligation; he wants to make the world a better place, even if it's only by making free backup available :)

[Tranquility]-USDForger [Azn Forgesmith] September 27 2005 10:31 PM EDT

just out of curiosity, would the algorithm for encryption one day be available as free source?

AdminJonathan September 27 2005 11:36 PM EDT

google blowfish

Stephen September 28 2005 4:57 AM EDT

Too many people here have been reading Dan Brown novels.

Nice product, I'll use it

Quark September 28 2005 10:16 AM EDT

Honestly, I found the VC firms funding Berkeley more interesting than Mozy itself. But that's just me - kinda peculiar.

AdminQBVerifex September 28 2005 1:46 PM EDT

Hey I'm reading Digital Fortress right now, entertaining as it may be, I do get a sense that the actions, characters and situations in it almost seem too typical. Besides that, I would be wary of thinking that reading a book of fiction on encryption gives you any real insight into the REAL NSA, or any real encryption systems.. ;)

AdminG Beee September 28 2005 2:14 PM EDT

I talked to quite a few colleagues about this at work today and all bar none were initially interested. Everyone immediately thought that it was a great place to back-up their IPod music / family photographs etc. Unfortunately interest vanished as soon as they found out that the limit was "only" 2GB.

Feedback I get is that until there is a lot more space available (~40GB) they won't even download the BETA.

What are the plans for increasing capacity? Perhaps it may be of value to mozy.com if some information about this was posted clearly on their overview page, even if only to explain that it's 2GB whilst in BETA. Yes, I understand that they clearly state "What You Get (We're in beta, so these are subject to change!)" but that wasn't enough for the audience I was discussing with today.

On a positive note I found it difficult to locate what I considered to be a half decent alternative that was free. In the UK you pay up to 20GBP/month for 1GB only :/

Bottom line is that the folks I talk to in work will continue to follow one of the alternatives that mozy.com themselves mention and that is - "Do nothing and don't worry about backup".
The issue is not with mozy, but with mindset of the "customer".
The "customers" I talked with today are all computer literate with an engineering background and would most likely be the kind of target audience that mozy would be aiming at ? - imo

AdminJonathan September 28 2005 2:34 PM EDT

we may end up being able to offer more than 2 GB for free by the end of the beta, but the 40 GB range is not going to be within the realm of possibility unless or until we start offering paid premium levels of service.

hell, that's more than most laptop drives :)

[EG] Almuric September 28 2005 3:03 PM EDT

Yeah, that's the issue I ran into last night. I put in my whole 'My Pictures' folder and I was over. I ended up excluding all the movies and was able to fit in, but just barely. At just under 1 MB per picture, it doesn't take long to take 2000 pictures.

Maybe it's intended more for email files or text documents. I guess I never thought about just how much stuff I was backing up. Big drives with a RAID setup still seems like the best solution for MP3s and movies.

I still intend on using this service though. It's not a complete waste. :)