How Tonido Personal Cloud brings Data Ownership, Privacy and Anonymity to your Digital Life?

When we started up Tonido, our goal was to provide a compelling alternative to public online services. We figured that a few companies controlling everyone's information is not good for an equitable society. After 4 years, if we look at the current state of the Internet, all of our worst fears have come true. There is zero privacy and zero anonymity. The web is not open, and the ecosystem is controlled by a few companies. One needs to set the expectation that everything that happens on the public internet gets tracked, aggregated, diced, profiled and sold to the highest bidder. Don't do anything on the internet that you would not do in a public place. People's memories fade, but the Internet never forgets.

The music you access, the emails you send, the photos you share, the comments you post and pretty much anything you put on public online services serve as one more data point to build your online persona. With a few clicks, anybody can buy that data.

 


As always, individual liberty and the protection of privacy are the responsibility of users. Nobody is going to do that for you. If you have young kids or newborns, they will most likely outlive the current set of hot internet companies. But by the time your kids become adults, the data that you entrust to these companies can change many hands and come back to haunt them in many ways. Even if the current management is benevolent ("do no evil"), there is no guarantee that future management will be. Hard times and bad economies can change the way companies treat your personal data.

"With your permission, you give us more information about you, about your friends, and we can improve the quality of our searches. We don't need you to type at all. We know where you are. We know where you've been. We can more or less know what you're thinking about." - Eric Schmidt, Executive Chairman of Google

This quote pretty much summarizes the power that we voluntarily hand to internet companies. The new internet monopolies are not much different from the 19th century robber barons. The railroad magnates used their control over railroad distribution to create monopolies. In a similar way, the large internet firms use network effects, control over personal data and monopolies over desktop and mobile operating systems to serve their profit goals. It is not illegal. It is business as usual. But as users we need to think twice about the information we freely offer. What kind of control are we forsaking?


Many of the popular internet companies (Google, Facebook and others) enforce a real name policy, thereby ensuring they are able to identify, track and aggregate you and your data any time you use their services. We are not advocating that you should not use their services. But do expect that anything you do and share on these services is up for sale. The "I have nothing to hide" argument is not really valid here. The data you put or share on these services can have profound practical implications for your job search, getting insurance or getting a loan. It is not really about hiding stuff any more. The basics of life are at stake.

Smart people now understand this predicament and indiscriminate sharing on social networks is changing slowly. If you want to have real control over your personal data then you need to have complete control over the system.

Tonido provides such a system. If you want to share your kids' photos or share your thoughts with family and friends without fear, Tonido can do that for you. Using Tonido, you can create a private, safe space that runs on your own device behind your home router. You have 100% control over this private little space.

Here are the 10 things that Tonido does to safeguard ownership, privacy and anonymity:

  1. No Real Name Policy - Unlike Facebook or Google, we don't require a real name to create a Tonido account. You can choose any name.
  2. Completely Independent - To make access easy, we provide dynamic DNS and relay server capabilities so you can reach your Tonido device from anywhere. You are free to use our dynamic DNS and relay servers or your own. Here are the instructions.
  3. Complete Control - Turn it on or off at any time.
  4. Private and anonymous shares - Tonido allows you to create private and anonymous file shares.
  5. Ephemeral Shares - Tonido allows you to create time-limited, ephemeral file shares that you can use to share content with friends and family.
  6. Guest user support - Create user accounts for your family members and friends in your own Personal Cloud.
  7. Works without internet - The application and the data are always local. You can access your Tonido device from your home network even when there is no internet connection.
  8. Password Security - Our servers store only your user name, never your password, so your password stays on your device. A compromise of our central systems therefore cannot expose your password, and cannot be used to reach your data.
  9. Cross Platform and works on any device - Tonido is available for Windows, Mac OS X and Linux. You don't need expensive hardware to run Tonido; any old computer will do.
  10. Powerful Alternative to Online Services - Out of the box, Tonido can replace Google Drive, Dropbox, Picasa, Flickr, Facebook and Spotify (if you own your music). It is extremely simple to use and comes with native mobile apps for iPhone, Android, Windows Phone and BlackBerry.

In a nutshell, Tonido lets you access, share, sync and organize personal data from anywhere without losing control over it.

We are committed to our vision of making Tonido the #1 Personal Cloud that safeguards privacy and online freedom. We are happy that our years of effort creating Tonido are making the world a better place. We don't have billions of Tonido users, but we make a positive difference in the lives of the million or so users who currently take advantage of our systems. An active Tonido user puts an order of magnitude less data in the popular online services than the average internet user. Every user that Tonido attracts is one less user for a public cloud service. That is good enough for us.


Tech Tip: How to Switch to a Different Account in Tonido

Step 1: Go to Settings and then to the Accounts tab.

Step 2: Scroll down and click on Switch Account.

Step 3: You will see the Tonido login screen. From there, you can either log in with a different account name or create a new account using the New Account button.


*Note: Switch Account lets you change the account name associated with that computer or TonidoPlug, either by switching to a different existing account or by creating a new one.


Add, Edit or Remove a Guest User in Tonido

All you need to do is:

1. Click on Shared Files from the left navigation panel

2. Go to Guests tab

3. Click on the "Add Guest" button to add a guest


4. Type in the guest username and password and click on Create. The guest user will be created.

5. To update an existing guest: click on the Edit button and type in the new username and password

 


6. Click on the Update button to save the changes

7. To remove a guest account: click on the Remove button that appears next to the guest


8. Click on the "OK" button to delete the guest permanently


Change the Port on which Tonido is running

To do this:

1. Go to Settings -> Network.

2. Click on HTTP Port under the "Web Settings" section.

3. Type in the port on which you want Tonido to run.

4. Click Submit.

Restart the Tonido server for the change to take effect.

Tonido will now be running on the port you specified. For example, if you chose 2558, you can open Tonido at http://127.0.0.1:2558. If you reach your Tonido from outside your home network through your own router port-forwarding or firewall rules rather than through the relay, update those rules to the new port as well.


How do you store passwords securely?

Whenever you build an application that requires a login, you need to store your users' passwords. Passwords matter because whoever holds one has full access to the corresponding user account. Hence, how you manage passwords, sending them in requests, storing them and verifying them, is critically important. In this post, we will talk about the different techniques for storing passwords. (more…)


Using JSONP for cross domain requests

Developers are rarely confined to the limits of their own domain. When JavaScript makes a request to another domain, the browser refuses to let the script read the response, typically reporting that the 'Access-Control-Allow-Origin' header is missing. This is the browser's 'Same Origin Policy': a script running on one origin may read responses only from resources on the same origin, where an origin is the combination of URI scheme, host and port. There are several ways around the Same Origin Policy, ranging from routing the request through a web proxy on your own domain to using CORS (Cross Origin Resource Sharing), but the most popular method has been JSONP.

What is JSONP?

JSONP simply stands for "JSON with padding". It is a JSON response wrapped in a call to a callback function whose name is specified in the URL. For instance, the following is a JSON response.

{ "username": "sdaityari", "name": "Shaumik Daityari" }

The same response with a callback function specified as processData is as follows.

processData({ "username": "sdaityari", "name": "Shaumik Daityari" });

How does JSONP help in working around the same origin policy?

If browsers don't allow requests to other domains, how do we load scripts from CDNs (Content Delivery Networks) to speed up page loading and still have them work? The trick is that those files are loaded through the src attribute of <script> tags, and the Same Origin Policy does not restrict script loading. Whatever a <script> tag loads, from any domain, is executed by the browser in the context of the current page.

JSONP uses the same idea. We supply a callback function name, generally as a GET parameter, in the src of a <script> tag, and the server responds with the JSON wrapped in a call to that function. The browser executes the response, so our callback runs with the JSON data as its argument. This gives us roughly what an AJAX call would have given us on the same origin.

In the JSONP example provided, we would execute the function like the following-

<script src="http://www.example.com/json_data?callback=processData"></script>

By doing so, processData would be executed with the given arguments.

Why would this not work if it was returning just JSON?

If the server returned bare JSON instead of JSON padded inside a function call, the data would not be handed to anything. A top-level object literal is not valid as a statement, so the browser raises a SyntaxError. (A top-level array, by contrast, evaluates silently as an expression; that is why bare JSON arrays were the target of the older "JSON hijacking" attacks on browsers that let a page override the Array constructor.) You can reproduce the SyntaxError by loading such a response through a <script> tag.

When can it go wrong?

In the example above, the data returned through JSONP was not sensitive; it contained just a username and a name. Now imagine an e-commerce site that stores credit card details as part of your profile, and assume the following request is made:

<script src="http://api.myecommercesite.com/profile?callback=processData"></script>

The browser attaches your session cookie for api.myecommercesite.com to that script request, so the endpoint returns the logged-in user's profile, irrespective of which website embedded the script tag:

processData({
  "name": "Shaumik Daityari",
  "card_no": "xxxx xxxx xxxx xxxx",
  "expiry_date": "xx-xxxx"
});

How does an attacker use it to get your data?

In the ideal case, this data is received by the intended website and used accordingly. But suppose a malicious site, www.attacker.com, learns that this endpoint exists and lures you onto one of its pages.

While you are browsing www.attacker.com, its page includes the same <script> tag (no click is needed, although the page may dress it up as one). Your browser fetches the script from api.myecommercesite.com, sending your session cookie along as it does for every request to that host, and because you are logged in to the e-commerce site, the response contains your profile data. (There are other, non-JSONP-related checks that can prevent this, but let's assume no other security measures are in place.)

Once the malicious page has the data, it is an ordinary JavaScript value in that page, so the page can do whatever it wishes with it, most likely posting it to the attacker's own server for later use. Note that the attacker never sees your cookies: the browser sends them to api.myecommercesite.com, not to www.attacker.com. The attacker does not need them, because the browser has already used them on the attacker's behalf.
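As an added example (not code from the original post), here is the leak modelled in plain JavaScript so it can be run offline: a hypothetical session store and profile endpoint for api.myecommercesite.com, a tiny browser model that attaches cookies by host and evaluates script responses, and an attacker page that defines processData itself. The session id, the cookie jar and the request/response shapes are all constructed for the example.

```javascript
// Added example, not code from the original post: an in-process model of
// the JSONP leak. Session store, cookie jar and endpoint are hypothetical.

// Server-side session store for api.myecommercesite.com (constructed data).
const SESSIONS = {
  "sid-7f3a": {
    name: "Shaumik Daityari",
    card_no: "xxxx xxxx xxxx xxxx",
    expiry_date: "xx-xxxx",
  },
};

function parseCookies(header) {
  const jar = {};
  for (const part of header.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) jar[k] = v.join("=");
  }
  return jar;
}

// The JSONP endpoint. It authenticates the *cookie* and never asks which
// page embedded the <script> tag, which is exactly the problem.
function profileEndpoint(req) {
  const sid = parseCookies(req.headers.cookie || "").session;
  const profile = SESSIONS[sid];
  if (!profile) return { status: 401, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${req.query.callback}(${JSON.stringify(profile)});`,
  };
}

// A tiny browser model: fetch a <script src> and run the response with the
// including page's globals in scope. Cookies are keyed by host, so they go
// to api.myecommercesite.com no matter which page is loading the script.
function loadScript(cookieJar, pageOrigin, src, pageGlobals) {
  const url = new URL(src);
  const req = {
    headers: { cookie: cookieJar[url.host] || "", referer: pageOrigin },
    query: Object.fromEntries(url.searchParams),
  };
  const res = profileEndpoint(req);
  if (res.status !== 200) return false;
  // Like a real <script>, the body is evaluated as code on the page.
  new Function(...Object.keys(pageGlobals), res.body)(...Object.values(pageGlobals));
  return true;
}

// The attacker's page: it defines processData itself and collects whatever
// the API hands back. It never touches the victim's cookies and does not
// need to; the browser sent them on its behalf.
function simulateAttack(cookieJar) {
  const stolen = [];
  const pageGlobals = { processData: (data) => stolen.push(data) };
  loadScript(
    cookieJar,
    "http://www.attacker.com",
    "http://api.myecommercesite.com/profile?callback=processData",
    pageGlobals
  );
  return stolen;
}

// Victim logged in to the shop: the card data ends up in the attacker's page.
const loggedIn = simulateAttack({ "api.myecommercesite.com": "session=sid-7f3a" });
// Visitor who is not logged in: the endpoint answers 401 and nothing leaks.
const anonymous = simulateAttack({});
```

The point the model makes is that nothing in the endpoint's input tells it who asked: the Referer is never consulted and the cookie is the only credential, so the page origin plays no role in what comes back.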

Using JSONP safely

The reason JSONP got so popular is its ease of use and implementation: all you need is a callback and you are done. That same simplicity hides several security concerns that need to be taken care of while using this technique.

Sanitize callback

This one little thing can have dangerous consequences, and many tutorials on JSONP security fail to get it right. In PHP, you would generally see the following, which echoes the callback parameter verbatim:

echo $_GET["callback"] . "(" . json_encode($my_data) . ");";

Because the callback name is reflected unchanged into the response, a request such as ?callback=<script>alert(1)</script> turns the endpoint into a reflected XSS vector whenever the browser treats the response as HTML. A related attack, sometimes called Flash injection, abuses the fact that the response begins with whatever the callback is: a callback that is also a valid, purely alphanumeric Flash file lets the response be loaded as a SWF under the API's origin, which is why careful implementations also prefix the output with /**/ and send X-Content-Type-Options: nosniff.

The right way, as explained by Dylan Tack on his blog, is to refuse any callback containing characters other than word characters and to send an explicit JavaScript content type, so that the callback cannot be used for an XSS attack. He uses the following code:

function generate_jsonp($data) {
  $callback = isset($_GET['callback']) ? $_GET['callback'] : '';
  if ($callback === '' || preg_match('/\W/', $callback)) {
    // A missing callback, or one containing a non-word character,
    // could be an XSS attempt: refuse it rather than try to clean it.
    header('HTTP/1.1 400 Bad Request');
    exit();
  }
  header('Content-type: application/javascript; charset=utf-8');
  print sprintf('%s(%s);', $callback, json_encode($data));
}
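The same check as an added example written for a Node.js-style handler (not code from the original post or from Dylan Tack's blog), placed beside the vulnerable echo it replaces. The request and response objects are hypothetical plain values so the logic runs offline. It goes slightly beyond the PHP version: the pattern is anchored and length-bounded, it allows dotted callbacks such as the ones jQuery generates, and the response also carries a nosniff header and a /**/ prefix so a browser cannot interpret the body as HTML or Flash whatever shape the callback has.

```javascript
// Added example, not code from the original post: JSONP callback handling
// for a hypothetical Node.js handler, vulnerable form beside the safe one.

// A JavaScript identifier, optionally dotted (e.g. "jQuery.cb"), with a
// length bound. Anything else is refused rather than "cleaned".
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63}){0,3}$/;

// JSON.stringify leaves U+2028/U+2029 unescaped; older JavaScript engines
// treat them as line terminators inside string literals, which breaks the
// generated script or lets attacker-controlled data reshape it.
function toJsLiteral(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The pattern from the PHP one-liner: the callback is reflected verbatim.
// Served as text/html, ?callback=<script>alert(1)</script> is reflected XSS.
function jsonpUnsafe(query, data) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: `${query.callback}(${JSON.stringify(data)});`,
  };
}

function jsonpSafe(query, data) {
  const callback = query.callback;
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8" },
      body: "Bad Request",
    };
  }
  return {
    status: 200,
    headers: {
      // Explicit script type plus nosniff: the browser will not guess HTML
      // (or Flash) from the body even if the callback looks like one.
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      // Never let a shared cache serve one user's JSONP to another.
      "Cache-Control": "private, no-store",
    },
    // The /**/ prefix means the response can no longer *start* with the
    // attacker-chosen callback, which is what the Flash-file trick needs.
    body: `/**/${callback}(${toJsLiteral(data)});`,
  };
}
```

Refusing rather than sanitizing is deliberate: a stripped-down callback name would silently call the wrong function on the requesting page, whereas a 400 makes the bad request visible in logs.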

Full trust on a different domain

Using JSONP requires that you trust the remote domain fully: you are executing whatever script it returns inside your own page. If the remote domain's functionality breaks, your service breaks too; if the remote domain is compromised, the attacker runs code on your page. It remains your decision whether you want to depend on a third-party service.

Moreover, because the request goes through a script tag, it is difficult to catch errors (there is no status code to inspect), and error handling differs from browser to browser, which makes it hard to build a clean structure around it.

User Authentication

For argument's sake, the only way to log a user in to a remote site using JSONP alone would be to send the username and password as GET parameters, since a script tag can only issue a GET request. Credentials in a URL end up in browser history, proxy and server logs and Referer headers. It is an unsafe method of authentication and should be avoided.

For user authentication, follow the general OAuth workflow instead: redirect to the parent website, authenticate the user there and, on success, generate and share a token.

Using CSRF tokens for write operations

If you use JSONP to write data to your server (create or update), remember that JSONP can only use GET, which is not meant for state-changing operations and gives you no CSRF protection. A per-user token issued after the authentication step above would help, but a <script> tag cannot send custom headers, so the token would have to travel in the query string, where it leaks into logs and Referer headers.

That being said, there are far better options for writes, updates and deletes, and you should use them rather than finding workarounds with JSONP, which should ideally be used only for reads of non-sensitive data.

Looking forward- using CORS (Cross Origin Resource Sharing)

We have seen a few use cases of JSONP, and all of them can be achieved with the web proxy method too. Although JSONP remains popular, its weaknesses make it a headache to implement in complex situations. CORS has been gaining ground steadily as its support in major browsers has grown, and it is taking over the uses of JSONP. A CORS request from the browser looks like any other XMLHttpRequest:

   var request = new XMLHttpRequest();
   if (!("withCredentials" in request) && typeof XDomainRequest !== "undefined") {
     request = new XDomainRequest(); // IE8/9 fallback: GET/POST only, no cookies
   }
   request.open(method, url);
   request.onload = function () {
     callback(request.responseText); // the original read "req", which is undefined
   };
   request.onerror = function () {
     // a missing or mismatched Access-Control-Allow-Origin header lands here
   };
   request.send(data);

How does CORS work?

CORS works with a pair of HTTP headers. The browser adds an Origin header naming the page that made the request; the server answers with an Access-Control-Allow-Origin header only if that origin is known and trusted; and the browser lets the script read the response only when that header matches the page's origin. So if www.attacker.com tries to read information from api.myecommercesite.com, the request may still be sent, but api.myecommercesite.com does not list www.attacker.com and the browser withholds the response. Two caveats: a server that simply reflects whatever Origin it receives, together with Access-Control-Allow-Credentials: true, re-creates the JSONP leak; and because the request itself is still sent with cookies, CORS does not replace CSRF protection on state-changing endpoints. For further information on CORS, head over to the Mozilla Developer Network.

The main drawback of CORS is the lack of support in older browsers. If you don't need to support those, you should definitely go ahead and use CORS.
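Added example, not code from the original post: the server side of CORS for the hypothetical api.myecommercesite.com profile endpoint, with an origin allow-list beside the "reflect any Origin" mistake, plus a small model of the browser's read check so the whole thing runs offline. The origins, the session id and the request/response shapes are assumptions made for the example.

```javascript
// Added example, not code from the original post: CORS handling for a
// hypothetical profile endpoint, correct allow-list beside the mistake.

const ALLOWED_ORIGINS = new Set([
  "https://www.myecommercesite.com",
  "https://checkout.myecommercesite.com",
]);

// Correct: add CORS headers only for origins we know, and tell caches that
// the answer depends on Origin. A browser that gets no
// Access-Control-Allow-Origin back refuses to hand the body to the page.
function corsHeaders(req) {
  const origin = req.headers.origin;
  const headers = {};
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true"; // we rely on the session cookie
  headers["Vary"] = "Origin";
  if (req.method === "OPTIONS") {
    // Preflight for non-simple requests (custom headers, JSON bodies, ...).
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, X-CSRF-Token";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Wrong: reflecting whatever Origin arrives, with credentials enabled, lets
// www.attacker.com read the logged-in user's profile, which is exactly the
// JSONP leak that CORS was meant to close.
function corsHeadersReflectAny(req) {
  const origin = req.headers.origin;
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Constructed session store; the cookie decides whose profile is returned.
const SESSIONS = {
  "sid-7f3a": { name: "Shaumik Daityari", card_no: "xxxx xxxx xxxx xxxx" },
};

function sessionFrom(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// CORS decides who may *read* the reply; the cookie still decides *whose*
// profile it is, and the browser sends that cookie regardless of origin,
// so a write endpoint would additionally need a CSRF token.
function handleProfile(req) {
  const cors = corsHeaders(req);
  if (req.method === "OPTIONS") {
    const ok = "Access-Control-Allow-Origin" in cors;
    return { status: ok ? 204 : 403, headers: cors, body: "" };
  }
  const profile = sessionFrom(req);
  if (!profile) return { status: 401, headers: cors, body: "" };
  return {
    status: 200,
    headers: { ...cors, "Content-Type": "application/json" },
    body: JSON.stringify(profile),
  };
}

// What the browser does with a credentialed reply: expose it to the page
// only when the allow header names the page's origin exactly ("*" is not
// accepted for requests that carry cookies).
function browserCanRead(pageOrigin, res) {
  return res.headers["Access-Control-Allow-Origin"] === pageOrigin;
}
```

Note that the attacker's request is still answered with a 200 and the full profile; it is the browser, not the server, that withholds the body. This is why CORS on its own never protects an endpoint that changes state.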


Tech Tip: Share access history in Tonido

1. Go to Shared Files, and then to History.

2. The History tab lists accesses to your shared files by guests and anonymous users.


Tonido’s 10 Rules of Personal Cloud

Personal Cloud is probably the most misused term on the internet right now. All sorts of public cloud storage offerings, Dropbox, Google Drive and others, are masquerading as Personal Clouds. Remember: it is their Personal Cloud, not yours. They can kick out, block or shut down anybody at any time. They decide how much storage you can use and reserve the right to track and catalog your data.

We are one of the earliest companies to have used the term "Personal Cloud", back in 2009, to put forth our vision. We cannot sit idle and watch the misappropriation of a term and a vision that we have fought for over many years.

In the real sense, the word personal means "of, affecting, or belonging to a particular person rather than to anyone else". So a Personal Cloud means a cloud that is owned by you, not by others.

Like Codd's 12 rules for relational databases, which he put together to prevent his vision of the relational database from being diluted by vendors, we are putting together our 10 rules of Personal Cloud.

Rule 1: The Personal Cloud system should run on a device owned or fully controlled by the end user.

Rule 2: The owner of the Personal Cloud system should have complete ownership of, and rights over, the content he/she puts in the Personal Cloud system.

Rule 3: The owner of the Personal Cloud system should have complete independence in what content he/she can put in the Personal Cloud system.

Rule 4: The Personal Cloud system (the app and the data) should be completely local. The system should be accessible even if there is no internet.

Rule 5: The Personal Cloud system should not snoop on or alter the end user's content, either manually or in an automated fashion.

Rule 6: The Personal Cloud system should not impose any storage limits and should be accessible from anywhere.

Rule 7: The owner should be able to stop or shut down the Personal Cloud system at any time.

Rule 8: The Personal Cloud system should be cross-platform and run on all the popular desktop OSes (Windows, Mac and Linux).

Rule 9: The Personal Cloud system should have clients for, or be accessible from, all the popular mobile OSes (iOS, Android, BlackBerry, Windows and others).

Rule 10: The Personal Cloud system should run on everything from low-end to high-end computing devices (routers and NAS boxes to PCs and servers) and on varied chipset platforms (ARM, MIPS, x86 and others).

 

If you are a user, check whether your beloved service satisfies all of the rules above, and if you are a vendor, make sure you comply with all of them before calling your product a Personal Cloud.


Tech Tip: Setting Remote Login / Answer for More Security in Tonido

1. Click on Settings, and then on Accounts.

2. Click on Remote Login / Answer to set the question and answer.

 

3. Enter the Remote Question and Remote Answer and click Submit.

 

4. From now on, when you log in from Tonido Drive, Tonido Sync or the Tonido mobile app, you also have to enter the Remote Answer to complete your credentials.

*Note: Once you have set a Remote Answer, a login that does not supply it will fail. Treat the answer like a second password: it is a static secret rather than a one-time code, so pick something that cannot be guessed from your public profile.

 


Personal Cloud Tonido Launches New Windows Phone App

Secure, limitless Personal Cloud brings anywhere content access to Windows Phones

AUSTIN, Texas, Apr 24, 2014 — CodeLathe, the leader in personal cloud, today launched a new Windows Phone app for its Tonido personal cloud product. With this release, CodeLathe solidifies its leadership position in offering best-in-class mobile apps across all major platforms. The new app is part of its private file sync, sharing and mobile access solution that enables data access anytime and anywhere, from any device.

"As Tonido reaches the mainstream, crossing over a million users, our users expect our solution to provide the best experience on all major platforms," said Madhan Kanagavel, CEO of CodeLathe. "With this new Windows Phone app, we are one of the very few companies that truly support all major mobile platforms."

The fully redesigned app uses the Windows modern UI to improve the user experience and takes advantage of the powerful features of Windows Phone. The app allows users to remotely access files on a computer running Tonido from their Windows Phone. Tonido does more than provide access: it also streams compatible video and music files from the computer to the phone. This release includes major features similar to those of Tonido's iOS and Android apps. Here are some of the key features of the new Windows Phone 8 app:

  • Access all remote files
  • Share files with friends and colleagues
  • Download and upload files from phone
  • Automatically organize your photos, music and video collection
  • Create and Manage music playlists for your music
  • Stream video and music

"We believe in providing a great user experience through a native app that takes advantage of the underlying platform," said Anis Abdul, CTO of CodeLathe. "Our Windows Phone app is designed from the ground up for Windows, using all of its capabilities and modern UI."

The Tonido server app is available for free download at http://www.tonido.com.

The Tonido Windows Phone app is available for free on the Windows Store at http://www.windowsphone.com/en-us/store/app/tonido/4eeacbe9-7405-47cc-acd0-f418471f992a

 
