Cloud Storage – Brian.Carnell.Com

OwnCloud is an open source software package that lets you store, access and sync data across the Internet on a server that you control rather than having to rely on Google, Dropbox or any number of other cloud-based services.

OwnCloud’s server software requires PHP5 and MySQL, which means it will run on many web hosting services out there. Lifehacker has a nice walkthrough of the installation process.

OwnCloud appears to be actively updated and has a community that has added a number of apps and plugins that allow it to be used for task management, as a media streaming service, etc.

The one thing that OwnCloud is still missing is file encryption. OwnCloud can be configured to use SSL to encrypt data that is being transferred back and forth between the server and clients, but the files stored within OwnCloud itself are not encrypted. This means if someone hacked your server, they would have access to your files.

Almost all cloud-based systems, including Google Drive and Dropbox, also store your files without encrypting them, but it would be nice to see encryption as an option here. This still leaves something like Spider Oak as the best alternative for cloud-based syncing and storage that also encrypts files.

Before you went all-in on something like OwnCloud, you would also want to ensure you understand your web host provider’s limits and policies on monthly bandwidth very well. For example, this blog is run on a dedicated server and the contract I have with my provider allows me to transfer up to 3 terabytes of data per month. Typically the actual amount of data I use falls somewhere between 25gb to 100gb per month. If I started using something like OwnCloud, that would usage rise dramatically and I’d need to monitor my usage to make sure I don’t that cap and risk being charged extra fees.

Given how companies like Google, Microsoft and Dropbox rarely have their users’ best interests in mind, however, it is good to see that there are open source alternatives that can still route around them if needed.

Colin Percival has an in-depth look at some security issues with Jungle Disk.

A lot of people, including me, have recommended Jungle Disk to people because the cloud-based backup system encrypts your files before it uploads them to Amazon’s S3 service (as opposed to something like Dropbox which encrypts them after the files are uploaded — meaning Dropbox has the key to unencrypt your files if it wants to or is ordered to by a legal authority).

The problem that Percival points out is that they way Jungle Disk handles that client-side encryption is weak to the point where there is a clear path for attackers to follow in either corrupting data stored on the system; replacing data stored on the system; or, ultimately, cracking your password and having free reign.

I used Jungle Disk for a couple years to as a cloud-based backup of my main data hard drive. I used a 20 character passphrase. As Percival notes in a handy chart he provides, a 10 character strong password would take about 95,000 years to crack using current techniques and a $1,000 off-the-shelf laptop. A $10,000 GPU-based password cracking box is going to reduce that to 95 years, and the CIA’s going to be able to put together a system that could rip through that in 2 years. Given that, why not emulate Alfred E. Neuman — what, me worry? But, as Percival writes,

Now, maybe you don’t have any data stored which Joe Cracker would be willing to spend 10 hours decrypting. Maybe you trust Amazon and Rackspace’s internal procedures and security measures to ensure that nobody — either breaking in from outside, or working for those companies — will have access to your “encrypted” data. Depending on who you are and what data you have stored (your credit card numbers? bank statements? how about last year’s income tax return, complete with your national tax ID number?) you might be justified in such trust. But I would say that this is profoundly missing the point: With good cryptography, you wouldn’t need to trust them.

Anyone who doubts the level of computing resources that an individual or small group of people would be willing to throw at a complex problem based entirely on speculation about the value of doing so need only take a look at some of the crazy rigs and setups being built to do nothing but mine Bitcoins. And, of course, the cost of cracking passwords is only declining with every day that passes.

Again, the best solution with cloud backup or sync in general is for the user to encrypt the files before uploading them. Unfortunately, this increases security but at the cost of convenience (and maximizing convenience is apparently why Jungle Disk has these potential issues in the first place).