There is one fact about humans: once they have picked up some habits (in this case, bad habits), it’s very difficult to ask them to change their behavior! This is even true in information security. Today, we have access to plenty of awesome online applications which help us in our day-to-day activities. Thanks to the “web 2.0” and the “cloud”, we don’t need to deploy local resources. For a while now, the cloud has lost its “aura” and people realize that it introduced nasty side effects, mainly regarding their privacy. The recent stories around the NSA have opened the eyes of many people but… it’s not easy to leave the comfort of our beloved cloud services. I’m not ashamed to say that I’m also an intensive cloud user. Amongst many others, I have a Google mail account, my presentations are stored on slideshare.net and… I’m also a Dropbox user! But I decided to take some actions. The first one was to get rid of Dropbox!
I’m a big fan of file synchronization services and changing my habits is not easy. My Dropbox contained different types of files:
- Files that I need all the time and available on all my devices (logos, avatars, everything related to “profiles” on computers)
- Tools & scripts
- Documentation that I often consult (“RTFM”)
- Temporary files for projects I’m working on
- Temporary files I’m sharing with other parties (customers, friends, etc)
To be eligible as a potential Dropbox alternative, the solution must at least have the following features:
- Must be private (read: runs on MY infrastructure)
- Must be open (full open source)
- Must be easy to deploy & maintain (Even if I like to play, I don’t have enough time)
- Must provide extensive sharing features
- Must be compatible with most OS/devices (in my case, Linux, Windows, OS X, iOS)
For a while, I’ve been adding an extra security layer by encrypting sensitive data before uploading it to Dropbox, but it’s not convenient. I never found the right application or procedure to achieve this in a smooth way. So, I decided to move away and deploy an ownCloud server in my basement. On its website, ownCloud is described as:
“an universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web. Installation has minimal server requirements, doesn’t need special permissions and is quick. ownCloud is extendable via a simple but powerful API for applications and plugins.”
The application runs in a standard LAMP (“Linux – Apache – MySQL – PHP”) environment, so it is very easy to install. There are also binary packages available for most Linux distributions. My choice was to deploy everything at home to keep files as close as possible, the keyword being “control my data”. Resources were not an issue: I already have a big virtualization environment in place. The only small problem is my home ADSL: it uses a dynamic IP address, but with the help of a dynDNS service, that’s easily solved. I also generated an SSL certificate (StartSSL offers free certificates). The system is open and, with the help of small apps, extra features can be added to build a good sharing platform. I enabled the following features:
- Google authenticator support (OTP)
- Generation of hashes (MD5/SHA1)
- Logging of all users activities
So what? I’ve now been running this environment for one week and have installed the client on all my devices. Except for the limitation related to my Internet connectivity (restricted upstream bandwidth), it works like a charm… But I don’t share huge files! To be fully transparent, compared to a service like Dropbox (not the Business version!), what are the pros & cons?
To conclude, the experience was successful and my Dropbox account is now empty (do they really delete files?) but I’ll keep the account idle (you never know). Leaving the cloud and protecting your privacy is not a piece of cake for everybody: you need to find the right balance between features, privacy and costs (time, CPU, storage, bandwidth, etc.). Leaving Dropbox does not mean that I have files to hide from the NSA; it was just a good exercise to prove that “yes, we can change!”.