ZumoDrive rolls a hard six
I haven't had much time for blogging recently, but sometimes things come
up which just beg for a response; case in point: A recent post to
the ZumoDrive blog entitled
"Sometimes
you have to roll a hard six" about the security of the ZumoDrive
cloud storage / backup service. I have to give credit to ZumoDrive
for one thing: Unlike most online backup services, they published the
reasons why they think their service is secure. Sadly, the credit goes
no further.
[EDIT 2010-03-11 18:00 I mention this below, but to place my conflict
up front: I'm the author of the Tarsnap
secure online backup service, which is in some ways a competitor to
ZumoDrive.]
Supporting FreeBSD
As a FreeBSD user and developer, I obviously care about the success of
FreeBSD. I make a small contribution towards this success via my role
as Security Officer; but the time I spend working on my
Tarsnap online backup service
prevents me from making as much of a direct contribution as I would
like. Fortunately the
FreeBSD Foundation
does an excellent job of supporting FreeBSD development; but like most
such organizations, they are funded entirely by donations and are always
in need of more. In light of this, I am pleased to announce that I
will be donating all of the profits made by
Tarsnap for the month of December
to the FreeBSD Foundation.
Looking back at 100 blog posts
I found recently, somewhat to my surprise, that as of my last post I had
written exactly 100 of these dispatches. Spread over 49 months, this
is not a very high posting rate; but I promised myself when I started
that I would limit myself to writing when I felt that I had something
worth saying, and would not indulge in the common trend towards
excessive introspection (or, in the words I used back in 2005,
"adolescent gutspill"), and I believe I've done a good job of holding
myself to this standard. Nevertheless, I think this is a good time to
look back at four years and a hundred posts and say a few words about
this blog.
Securing an HTTPS server
In response to numerous comments about "excessive minimalism", I
recently put together a new website for my
Tarsnap online backup service;
and since I was reworking things anyway, I decided that it was a good
time to move to a new web server and generally clean up the system
configuration. Among the things I cleaned up was how I handle HTTPS:
I need it because people enter passwords when creating tarsnap accounts
and when logging in to the tarsnap account management interface, but
I wasn't satisfied with the (in)security of running Apache with SSL
enabled.
Complexity is insecurity
As I've been writing code for my
Tarsnap online backup service over
the past three years, I've gone out of my way to make it as secure as
possible. I've written previously about the importance of
carefully designing
security systems before writing any code,
thinking about
mathematical proofs-of-correctness while writing code,
cryptographic
research concerning key derivation functions, and
recommendations
for using cryptography, all of which have informed my work on tarsnap;
and I've made the tarsnap client source code available for public
review -- after all, I refer to tarsnap as being "Online backups for
the truly paranoid", and nobody who is truly paranoid would
want to download and run code without inspecting the source code and
compiling it themselves. However, there is a very important aspect
of tarsnap's security which I haven't discussed previously: Complexity
-- or rather, a lack thereof.
Interesting tarsnap statistics
I admit it: I'm a numbers junkie. I like taking streams of numbers and
looking for patterns; and I like trying to figure out the reasons behind
those patterns. Running my tarsnap
online backup service has provided me with a great source of numbers: I
keep extensive logs, and there are enough tarsnap users now that the
randomness of individual users is starting to get washed away. In the
interest of science, then -- or if not science, at very least curiosity
-- here's some statistics I've gathered.
Tarsnap mailing lists
If you Google for
tarsnap, you can find a lot of
tarsnap users doing interesting
things. For example, Tim Bishop wrote a shell script for
automating
tarsnap backups; Mads Jorgensen wrote
a
similar shell script for organizing his backups; Justin Haynes created a
SlackBuild
for tarsnap; Aaron Schaefer create an Arch Linux
PKGBUILD
for tarsnap; any many tarsnap users have blogged about their
experiences. Until now, however, there hasn't been any good way for
tarsnap users to connect with each other.
A call for schwag
Two things happened this morning which started me thinking.
First, I read
Zed Shaw's rant
about how he thinks he deserves more recognition and money from his
Open Source work; and second, I looked at my pile of t-shirts, and
realized that while I have 4 Google t-shirts (one from August 2006,
when I interviewed there; and three from Google Summer of Code),
I don't have a single t-shirt from any company which is using code
I've written.
FreeBSD Update to 8.0-BETA1
In the early days of the FreeBSD 7.0 release cycle I posted here with some
instructions on
performing a major version upgrade of FreeBSD using FreeBSD Update;
now that we're in to the 8.0 release cycle, I think it's time to post some
updated instructions. For a number of reasons this post is coming almost
a week late -- Ken Smith announced 8.0-BETA1 on Monday -- but I expect
that I'll have FreeBSD Update bits in place when future BETAs and RCs
are announced.
BSD em Geral 
