Dan Neely wrote: If you're able to go to www.somewebsiteyoudontown.pwndyou and download files off your home computer there has to be at least one application running on your home computer to send you the files.
Yeah.
It's called an Internet browser.
When you close the window/tab, the site is closed.
This isn't like DropBox, in that it copies all files to all machines.
I repeat: There is no background app/service. I looked for one, and if I didn't find it, then it doesn't exist.
They cannot do anything that cannot be executed by a web browser, and I don't know about you, but I have three separate programs that keep an eye out for suspicious web-page activity.
Dan Neely wrote: The biggest question I've got is if they store an index of all the files you're sharing on their site or not
Of course they do, so that they can present it to you when you open the site in a web browser.
If you think that a list of files attached to an (anonymous) e-mail account is somehow dangerous, then you probably ought to stop drinking so much coffee.
And let's bear in mind what the other options are, eh?
The google drive thing, for example, retains the content of your files, attaches them to an account (which you have to verify, by providing your telephone or credit-card number), which stores way too much information about you, and links them to just about everything you do on the Internet.
It also requires you to install a number of programs on your system, at least two of which are running constantly, doing whatever the Hell they like, because, well, because you installed them, so it's your fault if they do things you don't like.
BaseFolder doesn't even try to find out who you are; all it asks for is an e-mail address and a user-name, neither of which have to be connected to your off-line life or to any other thing you do/have on the Internet.
I wanna be a eunuchs developer! Pass me a bread knife!
|
OK, looking on the "server" machine into services that aren't running (because it does seem pretty weird that it manages to do everything using only the browser), I found upload/download/sync services, and a bunch of XML config files.
Three of the config files are just file listings, and I presume that they are copied to/from their server to display the file listings.
The fourth one contains all the personal information. Here's its (redacted) content:
<?xml version="1.0" encoding="utf-8"?>
<Config>
  <EmailID value="" />
  <UserID value="[redacted]" />
  <ComputerID value="[redacted]" />
  <UserRegistrationStatus value="[redacted]" />
  <BaseFolderPath value="[redacted]" />
  <Upgraded value="0" />
  <VersionNo value="1.9.02" />
</Config>
Note that I didn't have to redact the e-mail address, because it wasn't there, and the user and computer IDs were numeric.
I have yet to find anything at all on "client" machines -- I've accessed files from Windows, Android, and iOS machines. Nothing is installed on them, I've found nothing copied into them, other than the files I copied, and everything is done exclusively through the web-app, in a browser window.
And, just like the "server", all the web-app asks for is an e-mail address and a user name/password combo.
I wanna be a eunuchs developer! Pass me a bread knife!
|
Mark_Wallace wrote: Three of the config files are just file listings, and I presume that they are copied to/from their server to display the file listings.
That was what I was getting at. Depending on what they are, your file names/directory structure in and of themselves could be an information disclosure; so if they upload/store the list is a potential concern. From the other direction, if you have a lot of files (especially if in a flat structure) pulling a full listing from your home PC to the remote one if not cached on their server could add noticeable latency over a slow connection.
One that didn't occur to me earlier is that when you get a file off your home PC from a remote one, are you establishing a direct connection between your two PCs for the transfer, or is their server man-in-the-middling the transfer?
The fact that they didn't realize that some privacy conscious people would care about these things enough to put them in their faq makes me worry that they only gave lip service to privacy in their implementation and six months from now we'll be reading about a presentation in a major security conference that pwned the platform a dozen ways over.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
Dan Neely wrote: Depending on what they are, your file names/directory structure in and of themselves could be an information disclosure
Sure, but -- I can't speak for you, obviously -- not many of us run Bloomberg, and the kind of "information disclosure" someone could get from the filename "Nipper's fourth birthday.mpg" ain't gonna ruin your life.
Dan Neely wrote: From the other direction, if you have a lot of files (especially if in a flat structure) pulling a full listing from your home PC to the remote one if not cached on their server could add noticeable latency over a slow connection.
Um, I don't see that as something to lose sleep worrying about. I sometimes have to wait 10-15 seconds for CP pages to load. C'est l'Interwebs.
Looking into the sync executable on the "server", I'm seeing a lot of SOAP statements (which you'd expect, since it's a web service), but I really don't have the desire to spend energy digging harder to find what transfer protocols or routing they're calling.
On the "clients", you just get an aspx file in the browser, so there's not much to see.
I don't have full network tracking on this (relatively new) machine, but when I download a file I don't see a new connection coming from basefolder.com, so it's very possible that it's a direct connection (and the speed is really high, too).
AFAIK, DropBox et al route everything through their servers, when synching.
Dan Neely wrote: The fact that they didn't realize that some privacy conscious people would care about these things enough to put them in their faq makes me worry that they only gave lip service to privacy in their implementation and six months from now we'll be reading about a presentation in a major security conference that pwned the platform a dozen ways over.
Oh, come on; that's just daft.
It's a minimalist web-site, with a product for "the common man".
They ain't gonna go into huge levels of technical detail in an FAQ, because their consumer base won't Ask such Questions Frequently, and, as I imagine you know, getting too techie on mere mortals frightens them away.
I wanna be a eunuchs developer! Pass me a bread knife!
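The direct-versus-relayed question raised in this thread can be checked by diffing connection snapshots taken before and during a download. This is an added example, not part of any post above; the snapshots are constructed `netstat -n` style text using documentation-range addresses, and `SERVICE_NETS` is a placeholder for whatever addresses the service's hostname resolves to.

```python
import ipaddress
import re

# Constructed `netstat -n` style snapshots (documentation-range addresses).
BEFORE = """\
  TCP    192.168.1.20:50112   198.51.100.7:443   ESTABLISHED
  TCP    192.168.1.20:50120   203.0.113.50:443   ESTABLISHED
"""
DURING = BEFORE + """\
  TCP    192.168.1.20:50131   192.0.2.44:8443    ESTABLISHED
  TCP    192.168.1.20:50133   198.51.100.9:443   ESTABLISHED
  TCP    192.168.1.20:50134   203.0.113.99:80    TIME_WAIT
"""
# Assumption: placeholder for the addresses the service's hostname resolves to.
SERVICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\w+)\s*$", re.M)


def established(snapshot):
    """Return the set of (remote_ip, remote_port) in ESTABLISHED state."""
    return {(m[1].strip("[]"), int(m[2]))
            for m in ROW.finditer(snapshot) if m[3] == "ESTABLISHED"}


def new_connections(before, during, service_nets=SERVICE_NETS):
    """Label every remote endpoint that appeared while the download ran."""
    labels = {}
    for ip, port in sorted(established(during) - established(before)):
        addr = ipaddress.ip_address(ip)
        in_service = any(addr in net for net in service_nets)
        labels[(ip, port)] = "service" if in_service else "other"
    return labels


def verdict(before, during, service_nets=SERVICE_NETS):
    """Summarise what the snapshot diff does and does not show."""
    labels = set(new_connections(before, during, service_nets).values())
    if not labels:
        # Nothing new: the bytes may be riding a connection that already existed.
        return "inconclusive"
    if labels == {"service"}:
        return "relayed through the service"
    return "non-service peer seen"


if __name__ == "__main__":
    for endpoint, label in new_connections(BEFORE, DURING).items():
        print(endpoint, label)
    print(verdict(BEFORE, DURING))
```

A non-service peer is only a candidate for a direct transfer: confirm that the address is your home machine's, since a third-party relay would look the same in this diff.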
|
And what's the difference between installing this and setting up an FTP service on your machine?
It sounds to me as if basefolder is just a (much) simplified FTP service.
|
d.shapiro wrote: And what's the difference between installing this and setting up an FTP service on your machine?
I would imagine that the FTP server is under your own control and not reliant on a third party website.
|
That's the point I was alluding to. If this thing works like an FTP, I'd rather install an FTP that I have full control over.
|
d.shapiro wrote: It sounds to me as if basefolder is just a (much) simplified FTP service.
And not even SFTP.
|
d.shapiro wrote: And what's the difference between installing this and setting up an FTP service on your machine?
The difference? All your files don't go through a third party's servers on the way to your computer, where they can be conveniently snooped or duplicated without your knowledge. They go through the ftp server, but you control that and the machine it runs on. Also, there's no convenient third party that somebody can coerce into providing them access to your files without your knowledge.
From a security perspective, there's a big difference between the two.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
|
Another option: Anyone use BitTorrent Sync? (I do.) Cloudless, fast, secure (as if there were such a thing), mobile clients, sharing. What's not to love (i.e. why is BitTorrent Sync evil too)?
-Man of Code
|
This looks like a snooper's dream. Get access to several computers with the full assistance of the user. No need to set up an expensive cloud storage system to lure them in. What's to say they aren't renting out space on your machine as cloud storage?
I like to keep my stuff private thank you very much. Can't beat an air gap.
I may not last forever but the mess I leave behind certainly will.
|
OK. So it's just as evil as every other solution out there. Guess there is no reason to change then.
|
And then this happens. Maybe I'll be changing services anyway. One thing for sure, nothing is permanent.
|
By agreeing to our terms of service, you hereby grant basefolder the license:
To use, copy, transmit, distribute, store and cache files that you choose to store and/or share.
To copy, transmit, publish, and distribute to others the files as you designate, whether through the sharing or public linking features of the Service, in each case solely to provide the Service to you
I am not sure about this part of the agreement...
|
Attn:
- "Files that you choose"
- "As you designate".
They can't send your files to your other machines if you don't give them permission to send your files.
I wanna be a eunuchs developer! Pass me a bread knife!
|
To quote:
"Using basefolder.com you can access your files from anywhere
Your files, photos, music etc are not stored in the cloud
They are all stored in your private computer.
It is safe, secure and PRIVATE!"
Umm, if you're using their website to access your files, how is it safe and secure again?
|
Well, when their servers are hacked (which seems to be a common occurrence with all this cloudy stuff), the hackers won't find your naked selfies, because they're not there.
I wanna be a eunuchs developer! Pass me a bread knife!
|
They might if it's cached for efficiency. However, I'm fine with that because I'm trying to post my naked selfies on all the clouds.
|
Well, if that doesn't make the hackers think twice about what they're doing, nothing will.
I wanna be a eunuchs developer! Pass me a bread knife!
|
That's my newd business security model.
|
I don't need a bunch of too-bluddy-useless-to-get-a-real-job pratts to tell me that Bacon's good; it's bleedin' obvious!
I eat bacon, I feel good.
The more I feel good, the longer I live.
Ipso fact, I rest my case.
I wanna be a eunuchs developer! Pass me a bread knife!
|
OMG! Last line started with the absolute final words though Quote: Live to eat bacon 'nuff said
|
Wow, what an absurd study. Just because bacon contains niacin doesn't mean bacon is good for you. In fact, I doubt much of that niacin survives the frying process. And to boot, they fed niacin, not bacon, to the roundworms. And WTF do roundworms have to do with human beings? And the study doesn't even mention bacon!
My god, this is science in today's world:
class Worm {}
class Human : inherit Worm {}
class Media : inherit Idiots {}
class Study : inherit Media, Human
{WormFood = Bacon; }
{GoodForHuman = WormFood; }
Marc
|
I think you've revealed a plot!
The worms are fattening us up for when we're buried, using bacon as a tool in their master plan!
We have to escape, but...
THERE'S NO ESCAPING THE WORMS!
Coming soon to a graveyard near you...
I wanna be a eunuchs developer! Pass me a bread knife!
|