17 November 2013

A Dropboxless Dropbox for extra-secure file sync

Dropbox is great for sharing
files between your machines.
I've used and enthusiastically recommended Dropbox for years: as a costless "virtual thumb drive" for ferrying files between my machines, for sharing files too big to email, and even to host web content.  Great stuff.  I also make a habit of using my Dropbox folder for my current work, so every document I'm working on gets backed-up in real time, in versioned form so I can even return to a previous revision if I whoops something.  I love Dropbox.  It's just an awesome service: sign up at http://db.tt/Me4yRjt and I get a small storage bonus.  

But I have harbored no illusions about the privacy implications of storing stuff in any third-party's cloud, even before the Snowden revelations.  So one of my first blog posts centered on a Mac-centric workaround: use the Mac's magnificent ability to create bandwidth-friendly, encrypted sparsebundle disk images, storing the image in my Dropbox instead of the individual sensitive files.  There's evidently a demand for doing such things, as that post quickly racked up many thousands of hits, has remained at or near the top of Google searches regarding Dropbox security since it was published, and was featured by influential tech commentator Shawn Blanc.

Over time I've kept an eye on the Dropbox market, signing up for (but, frankly, rarely using) alternatives ranging from SugarSync to SkyDrive to SpiderOak.  All are fine services with generous free storage offerings to get you started.  SpiderOak in particular has excellent privacy engineering.  None, however, are both free and open-source (FOSS).  There's SparkleShare, which is FOSS, but it lacks a mobile client, especially for iOS (which I'd need).  Tarsnap and Unison are others, but they're not seamlessly cross-platform and lack a mobile client.  OwnCloud is FOSS but requires a central server-- great for enterprises but overkill for my sync-centric individual's usage.  

All told, I probably have more than 100GB of free storage I don't use, on top of the Dropbox storage that I do use.  

But now there's an alternative that's going to pull at least some of my usage away from Dropbox.  It's Bittorrent Sync, a peer-to-peer implementation of Dropbox-like functionality that syncs stuff between your machines and mobile devices.  It's costless but not yet open-source, though the developers have adopted a never-say-never posture towards FOSS.  

Bittorrent Sync is from the folks who make the excellent uTorrent torrent-management client, and it extends the serverless torrent concept to syncing one's files between machines.  Security seems good (though without open-sourcing, that's a statement of faith) and performance is excellent.  Free clients are offered for Windows, Mac OS X and Linux, and for iOS and Android.  Setup is incredibly straightforward: start with your desktop machines, pasting the automatically-generated key from one client to the other to establish encrypted syncing between them; then for your mobile devices, just scan the QR code your desktop installation will present for you, and setup is complete.  Couldn't be easier, and bonus points to the Bittorrent folks for finally finding a good use for QR codes!

Then it just works.  Put a file in a folder on one machine and it will automagically appear on all the others as long as one remains powered-up.  Just like Dropbox, only there's no third-party central server involved.  (And, no web access-- which may be a plus or a minus, depending on your intended usage).  
Sharing is achieved by providing a key code to those with whom you want to share; they plug this into their own Bittorrent Sync client.  Sharing key codes for read/write and read-only are easy to generate, as are one-time keys that expire after 24 hours.  And files are versioned!

Bittorrent Sync shares some attributes with other file-syncing services: Storage folders on your clients are not encrypted, though the transmission of files is.  Syncing across hotel and a few other public networks may be problematic depending on how they're set up (my Mac client set itself to listen on TCP port 26085, which some networks might block).  And there's the pervasive risk of potentially instilling a sense of false confidence that can contribute to oversights of fundamental security and privacy practices, such as 
  • Failing to set up whole-device encryption, 
  • Failing to establish a long passcode on your mobile devices, 
  • Failing to physically secure your devices or lock their screen when you turn away...
As a useful tool for privacy or just plain easy-peasy syncing, color me impressed about Bittorrent Sync.  It works nicely and is as polished as you'd expect from the folks who gave us uTorrent.

UPDATE: Here's an especially informative review.