Archive for the ‘Security’ Category

How Tonido can protect Jennifer Lawrence and Kate Upton from future Cyber Hacks?

If you are following the news, the internet is currently abuzz with the massive celebrity photo hacking incident. Hundreds of celebrities are affected by this leak, including Academy Award winner Jennifer Lawrence and supermodel Kate Upton. According to news sources, hackers hacked either the celebrities’ Apple iCloud or Dropbox accounts. The exact details of how the hacking happened are not completely clear yet. One can read more about this story in NPR here. Here is the editorial piece from NYTimes on the same topic.


Jennifer Lawrence at the 2013 San Diego Comic Con – By Gage Skidmore

The primary reason we founded Tonido is to provide a safe alternative to public online services, one where the users have complete control and ownership of the data. We have reiterated many times that public cloud online services are inherently unsafe for storing personal photos. When hundreds of millions of users use a centralized cloud like iCloud (300 M+ accounts) or Dropbox (300 M accounts) or Google Drive to store personal documents and photos, the potential reward of hacking such systems is quite high. These centralized online services are waiting to be hacked every second of a day, 365 days a year. One successful hacking attempt can inadvertently expose many users’ private data. Even if these companies employ the world’s leading computer security experts, there will never be a guarantee that these systems are completely safe.

There is also a genuine concern that individuals hand over their personal data to corporate entities without fully understanding the consequences. There is always a risk that your personal data will be data mined for profit motives. If you use an iPhone or Android phone, you are automatically opted in to back up your photos/videos to their respective cloud services. Opting out from automatic backup is not an intuitive process. These systems are primarily designed to suck in personal data rather than safeguard it. Even if you delete the photos from your device, there is no guarantee that they will be deleted from the cloud server. Further, once your personal data enters the public cloud, the data is at the mercy of those who administer it. In short, don’t put private files in the cloud if you don’t want them to get out.

But users have choices. Privacy doesn’t have to be a privilege. A little common sense can go a long way. A distributed system like Tonido will always be an order of magnitude more secure than Dropbox or Google Drive. Tonido is probably one of the best systems to safeguard your personal data because of its anonymity, zero knowledge of user passwords and storage of data on the user’s device rather than in the cloud.

For instance, let us go through the Tonido account creation process. Users can choose any name as their account name. We don’t have a real name policy like public clouds. User passwords are neither transmitted to us nor stored on our servers. If somebody wants to hack the system, hacking our servers is not going to help. They have to individually hack every device that is running Tonido. If you choose a sufficiently hard user name and password, then hackers need to hack both the username and the password. Users can choose a secondary question and answer to further protect their accounts. Since your unique username is part of the device URL (https://yourname.tonidoid.com), phishing attempts can be quickly discovered by the users.

 


 

Here are 10 reasons why you should consider Tonido over public online services for storing private data:

  1. No Real Name Policy – Unlike Facebook or Google, we don’t require a real name to create a Tonido account. You can choose any name.
  2. Completely Independent – To facilitate ease of use, we provide dynamic DNS and a relay server to access your Tonido device from anywhere. You are free to use your own.
  3. Complete Control – Turn it On or Turn it Off any time.
  4. Private and anonymous shares – Tonido allows you to create private and anonymous file shares.
  5. Ephemeral Shares – Tonido allows you to create time-limited, ephemeral file shares that you can use to share content with friends and family.
  6. Guest user support – Create user accounts for your family members and friends in your own Personal Cloud.
  7. Works without internet – The application and data are always local. You can access your Tonido device from your home network even if there is no internet.
  8. Password Security – We don’t store your passwords in our system.
  9. Cross Platform and works on any device – Tonido is available for Windows, Mac OS X and Linux. Just a Raspberry Pi is enough to run Tonido.
  10. Powerful Alternative to Online Services – Out of the Box, Tonido can replace Google Drive, Dropbox, Picasa, Flickr, Facebook and Spotify (If you own your music).

In addition to the security benefits, Tonido is extremely simple to use. It will take less than 5 minutes to set it up. One can also automatically back up photos/videos from iPhones/Android phones to their own Personal Cloud without worrying about security and privacy.

We invite Jennifer, Kate and other individuals who would like to safeguard their private data to try out Tonido Personal Cloud. We promise you will not be disappointed.

 

How Tonido Personal Cloud brings Data Ownership, Privacy and Anonymity to your Digital Life?

When we started up Tonido, our goal was to provide a compelling alternative to public online services. We figured that a few companies controlling everyone’s information is not good for an equitable society. After 4 years, if we look at the current status of the Internet, all of our worst fears have come true. There is zero privacy and zero anonymity. The web is not open and the ecosystem is controlled by a few companies. One needs to set the expectation that everything that happens on the public internet gets tracked, aggregated, diced, profiled and sold to the highest bidder. Don’t do anything on the internet that you would not do in a public place. People’s memories fade, but the Internet never forgets.

The music you access, the emails you send, the photos you share, the comments you post and pretty much anything you put on public online services serves as one more data point to create your online persona. With a few clicks anybody can buy that data for a cost.

 


As always, individual liberty and the protection of privacy are the responsibility of users. Nobody is going to do that for you. If you have young kids or newborns, many of them will outlive the current set of hot internet companies. But by the time your kids become adults, the data that you entrust to these companies can change many hands and come back to haunt them in many ways. Even if the current management is benevolent (‘do no evil’), there is no guarantee that the future management will be benevolent. Hard times and bad economies can change the way companies will treat your personal data.

“With your permission, you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” - Eric Schmidt, Executive Chairman of Google

This quote pretty much summarizes the power that we voluntarily give out to internet companies. The new internet monopolies are not much different from the 19th century robber barons. The railroad magnates used their control over railroad distribution to create monopolies. In similar ways, the large internet firms use network effects, control over personal data and monopolies over desktop and mobile operating systems to serve their profit goals. It is not illegal. It is business as usual. But as users we need to think twice about the information we freely offer. What kind of control are we forsaking?


Many of the popular internet companies (Google, Facebook and others) enforce a real name policy, thereby ensuring they are able to identify, track and aggregate you and your data anytime you use their services. We are not advocating that you should not use their services. But do expect that anything you do and share on these services is up for sale. The “I have nothing to hide” argument is not really valid here. The data you put or share in these services can have profound practical implications for your job search, getting insurance or getting a financial loan. It is not really about hiding stuff any more. The basics of life are at stake here.

Smart people now understand this predicament and indiscriminate sharing on social networks is changing slowly. If you want to have real control over your personal data then you need to have complete control over the system.

Tonido provides such a system. If you want to share your kids’ photos or share your thoughts with family and friends without any fear, Tonido can do that for you. Using Tonido, you can create a private, safe space that runs on your device behind your home router. You will have 100% control over this private little space.

Here are the 10 things that Tonido can do to safeguard ownership, privacy and anonymity:

  1. No Real Name Policy – Unlike Facebook or Google, we don’t require a real name to create a Tonido account. You can choose any name.
  2. Completely Independent – To facilitate ease of use, we provide dynamic DNS and relay server capabilities to access your Tonido device from anywhere. You are free to use our dynamic DNS and relay servers or your own. Here are the instructions.
  3. Complete Control – Turn it On or Turn it Off any time.
  4. Private and anonymous shares – Tonido allows you to create private and anonymous file shares.
  5. Ephemeral Shares – Tonido allows you to create time-limited, ephemeral file shares that you can use to share content with friends and family.
  6. Guest user support – Create user accounts for your family members and friends in your own Personal Cloud.
  7. Works without internet – The application and data are always local. You can access your Tonido device from your home network even if there is no internet.
  8. Password Security – We store only your user name. We don’t store your passwords in our system. It will give you completely secure access to your data. Any centralized hack will not compromise your data.
  9. Cross Platform and works on any device – Tonido is available for Windows, Mac OS X and Linux. You don’t need expensive hardware to run Tonido – Any old computer will do.
  10. Powerful Alternative to Online Services – Out of the Box, Tonido can replace Google Drive, Dropbox, Picasa, Flickr, Facebook and Spotify (If you own your music). It is extremely simple to use and comes with native mobile apps for iPhone, Android, Windows Phone and Blackberry.

In a nutshell, Tonido allows one to access, share, sync and organize personal data from anywhere without losing control over the personal data.

We are committed to our vision of making Tonido the #1 Personal Cloud that safeguards privacy and online freedom. We are happy that our years of effort creating Tonido are making the world a better place. We don’t have billions of Tonido users. But we make a positive difference in the lives of the million or so users that currently take advantage of our systems. An active Tonido user puts an order of magnitude less data in the popular online services than an average internet user. Every user that Tonido attracts is one less user for a public cloud service. That is good enough for us.

Tonido’s 10 Rules of Personal Cloud

Personal Cloud is probably the most misused term on the internet now. Sundry public cloud storage offerings like Dropbox, Google Drive and others are masquerading as Personal Clouds. Remember: it is their Personal Cloud, not yours. They can kick out, block or shut down anybody at any time. They determine how much storage you can use and have the complete right to track and catalog your data.

We are one of the earliest companies to have used the term “Personal Cloud”, back in 2009, to put forth our vision. We cannot sit idle and watch the misappropriation of a term and vision that we have fought for over many years.

In the real sense, the word personal means “of, affecting, or belonging to a particular person rather than to anyone else”. So Personal Cloud means a cloud that is owned by you, not by others.

Like Codd’s 12 rules of database, which he put together to prevent his vision of the relational database being diluted by vendors, we are putting together our 10 rules of Personal Cloud.

Rule 1: The Personal Cloud system should run on the device owned or fully controlled by the end user.

Rule 2: The Owner of the Personal Cloud system should have complete ownership of, and rights to, the content he/she can put in the Personal Cloud System.

Rule 3: The Owner of Personal Cloud system should have complete independence of content he/she can put in the Personal Cloud System

Rule 4: The Personal Cloud System (the app and the data) should be completely Local. The system should be accessible even if there is no internet.

Rule 5: The Personal Cloud System should not snoop or alter the end user content either manually or in an automated fashion

Rule 6: The Personal Cloud System should not pose any storage limits and should be accessible from anywhere.

Rule 7: The owner should be able to stop or shutdown the Personal Cloud system anytime.

Rule 8: The Personal Cloud System should be cross platform and run on all the popular desktop (Windows, Mac and Linux) OSes.

Rule 9:  The Personal Cloud System  should have clients or be accessible from all the popular mobile OSes (iOS, Android, Blackberry, Windows and others).

Rule 10: The Personal Cloud System should run on low- to high-end computing devices (Routers, NAS to PCs and Servers) and varied chipset platforms (ARM, MIPS, X86 and others).

 

If you are a user, check whether your beloved service satisfies all of the rules here, and if you are a vendor, make sure you comply with all of the rules here before calling yourself a Personal Cloud.

Beginners Guide to Internet Security and Privacy

With the boost in internet connectivity and free wifi-spots popping up at every nook and corner, the vast world wide web has become your playground. Increased connectivity means that you spend most of your time connected to the internet. But, have you ever wondered how safe you are, especially if you are connected to a public network like a WiFi Hotspot?

Although the general idea is to install a good anti-virus software, set up a firewall and make sure you stay away from any malware, new threats are coming up every day and you need to keep up with latest technologies to combat them!

As everyone related to this world would say, it is never possible to ensure total security and there are always chances of vulnerabilities. We should, however, try to consciously stay one step ahead of the malicious activities. Here are a few ways which ensure that at least no one is able to snoop on you. (more…)

Web Scraping and Legal Issues

Web Scraping is the process of extracting data from websites, preferably using a program which simulates human exploration by sending simple HTTP requests or emulating a full web browser. Web Scraping, Content Scraping, Screen Scraping, Web Harvesting or Web Data Extraction are all analogous terms. In general, anything that you can see on the internet can be extracted and the process made automated.

There is a close resemblance between web scraping and web indexing. However, one stark difference is that web scraping is focussed on gathering a particular type of data like contact information, whereas the objective of content scraping is to gather all the data that is present. Web scraping has been used effectively in many fields like online price comparison (BuyHatke) and web mashup (Frrole). (more…)

VPN Connections Bring Cost & Productivity Advantages for Businesses

Virtual Private Networks (VPNs) give businesses the ability to let remote employees and vendors access their private network from outside its physical boundaries. Leveraging the Internet, VPNs connect a remote client into the private network as if it were physically connected to an internal switch. Once connected, the client workstation receives an internal private address and can access applications, file shares, and printers normally restricted to local access networks. Many different types of VPN connectivity solutions exist today that offer a range of features and security, but why would a business consider a VPN solution?

Connecting Remote Sites

VPN tunnels not only allow individual workstations to connect into the network, they can also allow entire remote locations to access the LAN. In doing so, a VPN connection between two sites essentially creates a WAN to allow two networks, in two separate physical locations, to communicate.

For example, assume a small business is opening a new location across the street. The owners want the primary customer database server to stay at the original location, yet be accessible by its new location as well. One option would be to have a physical cable connection run across the street from one building to the next. This option is costly and could prove to be insecure or unreliable. A solution utilizing a VPN tunnel would be more cost effective, more secure, and more reliable. Each location would most likely already have a connection to the Internet. Utilizing a VPN connectivity device, such as a firewall or software solution, the two buildings can be connected via a VPN tunnel that communicates via these Internet connections. Doing so will create a logical connection between the two locations, over the Internet, and allow devices within the two buildings to communicate as if they are physically connected. Imagine this same solution being used on a larger scale by nationwide or even global companies, and you can see how VPN tunnels allow large corporations to interlink their local connections together into a single private network.

Less Overhead

The physical workplace may be common to many workers today but the number of remote workers is growing. These employees are working from home (or any Internet enabled location) utilizing VPN connections into a central database. Instead of entire buildings being interconnected, these employees are connecting directly from a VPN client on their laptop or smartphone into the company’s private network. In doing so, the employee gains the benefit of working from home while still having access to every aspect of the network as if working inside the physical company building. In return, businesses are seeing a reduction in the cost of overhead. No longer must office space be purchased or leased to house workers during business hours. This also reduces their electrical, heating, and office supply bills.

Emergencies

Similarly, VPNs allow companies to create a broader disaster recovery plan by deploying VPN client enabled laptops to their employees if a disaster occurs. Essentially, if a company experiences a disaster where a location is offline or employees cannot report for a length of time, a VPN connection can be utilized to replace their physical reliance on the workplace. A VPN tunnel connection could also be a lifesaver when vendor access is needed. If a vendor must be onsite simply to control or view the screen of a computer or server, a VPN tunnel could be utilized instead to allow the vendor to connect remotely. This could bring the company a quicker solution and save the cost of vendors traveling to an on-site location.

VPN connections offer a secure method to companies who must connect remote locations or wish to reduce the overhead of a physical workplace. As the technology progresses and more benefits are found, VPN tunnels could become the primary method employees utilize to connect into a private WAN.

VPN Connection Options

Two primary technologies exist today for connecting to a remote network: SSL and IPSEC. Both offer a secure means of accessing internal networks remotely; however, they differ in how the connection is established. IPSEC establishes a secure connection utilizing software installed on the client PC. The client software establishes the connection to the remote VPN server. This authentication can be through Active Directory credentials or through a shared passphrase. Unlike the client-based IPSEC, an SSL connection can be established through an Internet browser. This makes the VPN connection more manageable, as a user does not need to install any software to connect. Utilizing the web-based client, a remote user can access the SSL VPN server device over any compatible browser.

VLANs Offer Security & Network Segregation Without the Cost

VLANs (Virtual Local Area Networks) are two or more LAN subnets that exist on the same networking equipment, such as a switch or firewall. Given that ports on a switch function independently, this creates the ability to treat each port as if it is its own network. Grouping these ports together creates a VLAN, essentially creating subsets of logical networks on a physical switch.

For example, assume you are using an eight port switch. If no VLANs existed, assume the entire switch operated on the 10.81.44.X network. Any devices attached to the switch could communicate with one another as long as their IP addresses fall between 10.81.44.1 and 10.81.44.254. Now assume we have implemented VLANs on the switch. The first four ports are still associated with the 10.81.44.X network; however, we have configured the last four ports to act on the 192.168.1.X network. Doing so, we have essentially created two logical networks on one physical network switch. Only devices on the first four ports can now communicate with each other, and the same goes for devices attached to the last four ports.

So what benefits do VLANs give us?

Broadcast Domain

Each network has its own broadcast domain. Whenever a broadcast packet is sent out, this packet gets sent to every device on the network. As the number of devices attached to the network grows, so does the number of broadcast packets being sent throughout the network. As the amount of traffic grows, these broadcast packets can congest the network and could potentially slow things down. Splitting the traffic into two networks created by VLANs can greatly reduce the broadcast traffic and reduce congestion on the network.

Security

VLANs offer the ability to keep data packets from multiple networks separated. Organizations who wish to utilize wireless Internet in their workspace, yet still wish to maintain a private and secure network can utilize VLANs to achieve this goal. Take the example used earlier where two networks exist: 10.81.44.X and 192.168.1.X. The 10.81.44.X network is a private network that contains critical file servers, e-mail servers, and potentially private data that should only be accessed by internal employees. If the company simply attached a wireless router to this network, anyone with some computer knowledge could easily hack into the router from within the wireless range and access this private data network. This is where VLANs and the 192.168.1.X network come into play. On the company’s switch, a VLAN can be created specifically for the new wireless network of 192.168.1.X. These ports on the switch associated with the wireless VLAN would communicate only to the Internet and traffic would never pass between the two networks. A router would need to be placed in the middle of these two networks in order for the two to communicate. As a switch does not function as a router, the packets pass only to those ports associated with the same VLAN and function as if there are two physical networks in place.

Dividing Critical Network Traffic

Often, networks will have some sort of device or system that requires a large amount of network bandwidth. One example is VOIP phones, which require voice packets to travel at a higher priority compared to file or email packets. VLANs offer a chance to segregate this higher priority traffic onto its own network to keep voice traffic from clogging network bandwidth. Similar to the example explained above, a new network could be created using VLANs without purchasing any more switching hardware. The 10.81.44.X network would remain as the primary data network and a new network, 192.168.1.X, would be created for the VOIP traffic. The way this differs is that the same ports can be utilized for both voice and data VLANs, meaning a single port can function on two VLANs at once. Doing so still divides the traffic, as the data packets from each network will be tagged with a specific ID number correlating to each VLAN. Assume the data VLAN has a VLAN ID of 1 and the voice VLAN has a VLAN ID of 200. When a packet travels to a switch port with both a computer and VOIP phone attached, the port looks at the VLAN ID and knows which device to pass the packet to. Devices also check this VLAN and discard any packets that do not match the same network as their own. Through the use of VLANs and unique VLAN IDs, devices can reside on the same physical switch port yet still function on two logical networks.
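The port grouping from the Security section and the tagging described above, as an added example (not code from the original article): a toy Python model of a switch whose desk port carries untagged data VLAN 1 and tagged voice VLAN 200. The tag layout is the standard IEEE 802.1Q one, which the article does not name; the port names, MAC addresses and guest VLAN ID 30 are constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
DATA_VLAN = 1         # data VLAN ID used in the text
VOICE_VLAN = 200      # voice VLAN ID used in the text
GUEST_VLAN = 30       # constructed ID for the wireless VLAN (not from the text)


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame; add an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0..4094")
        # Tag control information: PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        tci = ((priority & 0x7) << 13) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, priority, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


class Port:
    """One switch port: a single untagged VLAN plus optional tagged VLANs."""

    def __init__(self, name, untagged_vlan, tagged_vlans=()):
        self.name = name
        self.untagged_vlan = untagged_vlan
        self.tagged_vlans = frozenset(tagged_vlans)

    def ingress_vlan(self, frame):
        """VLAN a received frame is placed in, or None if it is dropped."""
        vlan_id, _, _, _ = parse_frame(frame)
        if vlan_id is None or vlan_id == 0:   # untagged or priority-tagged
            return self.untagged_vlan
        # A tag for a VLAN this port is not a member of is discarded.
        return vlan_id if vlan_id in self.tagged_vlans else None

    def carries(self, vlan):
        return vlan == self.untagged_vlan or vlan in self.tagged_vlans


def flood(ports, in_port, frame):
    """Names of the ports that receive a broadcast frame entering in_port."""
    vlan = in_port.ingress_vlan(frame)
    if vlan is None:
        return []
    return [p.name for p in ports if p is not in_port and p.carries(vlan)]


# Constructed four-port switch.
PORTS = [
    Port("file-server", DATA_VLAN),
    Port("desk", DATA_VLAN, tagged_vlans=[VOICE_VLAN]),   # PC + VOIP phone
    Port("call-server", VOICE_VLAN),
    Port("wifi-ap", GUEST_VLAN),
]
BY_NAME = {p.name: p for p in PORTS}

BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("020000000001")      # constructed, locally administered
PHONE_MAC = bytes.fromhex("020000000002")   # constructed, locally administered
IPV4 = 0x0800

pc_frame = build_frame(BROADCAST, PC_MAC, IPV4, b"data")
phone_frame = build_frame(BROADCAST, PHONE_MAC, IPV4, b"voice",
                          vlan_id=VOICE_VLAN, priority=5)
foreign_tag_frame = build_frame(BROADCAST, PC_MAC, IPV4, b"x",
                                vlan_id=GUEST_VLAN)

if __name__ == "__main__":
    for label, frame in [("PC", pc_frame), ("phone", phone_frame),
                         ("foreign tag", foreign_tag_frame)]:
        print(label, parse_frame(frame)[:2], "->",
              flood(PORTS, BY_NAME["desk"], frame))
    print("guest ->", flood(PORTS, BY_NAME["wifi-ap"], pc_frame))
```

The wireless port reaches no other port in this model because nothing else is a member of its VLAN, which is the isolation the Security section relies on.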

Configuring a VLAN on a network brings multiple benefits to the security and functionality of a network, without the need to purchase more hardware. If bandwidth issues or the need for a separate wireless network arises, first turn to VLANs to save the day. You’ll save yourself some money and learn a lot about how networks function along the way.

HIPAA compliant audit trail in FileCloud

The Health Insurance Portability and Accountability Act (HIPAA) mandates security and privacy standards for health information. Every day, employees within your organization end up accessing and working on multiple files and folders within your network. HIPAA requires that you provide an audit control to record and examine their activity.

Did you know that when you use FileCloud as your enterprise File Storage and Access solution, you automatically get a HIPAA compliant audit trail?

Yes, FileCloud monitors and records each operation on data stored in FileCloud.

FileCloud audit support identifies and records who (Username) did what (access, modify, delete, add etc) to what data (Files, Folders, User List etc), when (date and timestamp) and how (Web, mobile, Sync Client, Drive etc).

Additionally, the FileCloud admin website gives the administrator access to the audit trail.

How to enable audit trail?

The TONIDOCLOUD_AUDIT_LOG_LEVEL parameter in the FileCloud General Configuration can be set to one of the following values to suit your requirement.

OFF – No activity is logged.
REQUEST – Incoming requests are logged.
FULL – Both incoming requests and outgoing responses are logged.

How to view audit trail?

In the admin website, click the Audit link on the left menu to view the audit screen. The audit log can be filtered by date range, username and operation. The common operations include: create account, login, upload, getfilelist (browse), create folder, delete, download file, share file or folder. However, you can view the audit of all operations by choosing all. The audit log results can be exported to a CSV file. The audit log provides the username, IP address, user agent, log date and time stamp, how the resource was accessed, and the complete request and response in JSON format.

 

The request and response data stored in JSON format in FileCloud can be viewed easily in any JSON parser such as http://json.parser.online.fr/
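One way to review an exported audit log offline, as an added example rather than FileCloud's own code: it applies the same date range, username and operation filters as the audit screen and lists sensitive operations coming from an IP address the user has not used earlier in the log. The CSV column names, operation strings and rows are constructed assumptions; the real export layout may differ.

```python
import csv
import io
import json
from collections import defaultdict
from datetime import datetime

# Constructed export: column names, operation strings and values are assumptions.
SAMPLE_CSV = '''username,ip,useragent,timestamp,how,operation,request
alice,10.81.44.20,Mozilla/5.0,2014-09-01 09:02:11,Web,login,{}
alice,10.81.44.20,Mozilla/5.0,2014-09-01 09:05:40,Web,getfilelist,"{""path"": ""/charts""}"
bob,10.81.44.31,SyncClient/1.0,2014-09-01 09:10:02,Sync Client,upload,"{""path"": ""/charts/b.pdf""}"
alice,203.0.113.7,MobileApp/2.1,2014-09-01 23:41:09,Mobile,downloadfile,"{""path"": ""/charts/a.pdf""}"
alice,203.0.113.7,MobileApp/2.1,2014-09-01 23:42:30,Mobile,delete,"{""path"": ""/charts/a.pdf""}"
bob,10.81.44.31,Mozilla/5.0,2014-09-02 10:00:00,Web,downloadfile,"{""path"": ""/charts/b.pdf""}"
'''

# Operations worth a second look when they come from an unfamiliar address.
SENSITIVE_OPS = {"downloadfile", "delete", "share"}


def load_audit(text):
    """Parse the CSV export into rows sorted by time, with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"],
                                             "%Y-%m-%d %H:%M:%S")
        row["request"] = json.loads(row["request"] or "{}")
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def filter_audit(rows, start=None, end=None, username=None, operation=None):
    """Same three filters as the audit screen: date range, username, operation."""
    return [
        r for r in rows
        if (start is None or r["timestamp"] >= start)
        and (end is None or r["timestamp"] <= end)
        and (username is None or r["username"] == username)
        and (operation is None or r["operation"] == operation)
    ]


def sensitive_from_new_ip(rows):
    """Sensitive operations from an IP the user has not used earlier in the log.

    An address becomes "known" for a user only through events that were not
    flagged, so every sensitive operation from the unfamiliar address is listed.
    """
    known_ips = defaultdict(set)
    findings = []
    for r in rows:
        known = known_ips[r["username"]]
        if r["operation"] in SENSITIVE_OPS and known and r["ip"] not in known:
            findings.append((r["username"], r["ip"], r["operation"],
                             r["request"].get("path")))
        else:
            known.add(r["ip"])
    return findings


ROWS = load_audit(SAMPLE_CSV)

if __name__ == "__main__":
    evening = datetime(2014, 9, 1, 18)
    for r in filter_audit(ROWS, username="alice", start=evening):
        print(r["timestamp"], r["how"], r["operation"], r["request"])
    for finding in sensitive_from_new_ip(ROWS):
        print("review:", finding)
```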

For more information on audit support in FileCloud you can review our support site

Personal Cloud Security – Tonido VS PogoPlug

Recently TWiT.TV did a great episode on Roll your Personal Cloud featuring Tonido, PogoPlug and Opera Unite. If you have not heard of TWiT.TV, take our word and please do yourself a favor by checking it out. TWiT.TV is probably the number one unbiased technical netcast on the internet, and it is primarily supported by the viewers rather than advertisers.

During the show, it became apparent that the show host was unsure about the security architecture of Personal Cloud services like Tonido and PogoPlug. We feel it is our duty to explain it to our customers and media.

Let me say it: Security is a first-class citizen in the Tonido platform.

  • With Tonido, all apps are local to your device.
  • The authentication happens directly between your browser and the Tonido device.
  • We don’t store your credentials in our servers.

Tonido’s unique architecture design offers many security advantages over the PogoPlug or any other personal cloud services implementations in the market.

Compared to Tonido, other Personal Cloud Services store their user credentials in their servers and the user interface is also served by a central server. This approach has 2 drawbacks:

  1. If somebody hacks into their servers, they can get access to all the devices that are connected to the service
  2. If your internet is down, you cannot access your device even if it stands next to your couch
  3. (Not directly related to security, but this is HUGE): Tonido’s smart LAN switching allows you to access your device directly over your LAN without having to go over the internet. So you get BLAZING performance.

Tonido doesn’t have these drawbacks. Even if there is no internet, you can still access your Tonido device inside your LAN using the IP address. The user credentials are not stored on our servers, which minimizes the security risks to a great extent. One can also run Tonido in stand-alone mode, completely without using our relay servers. (Please see: http://www.tonido.com/blog/index.php/2012/06/28/how-to-run-tonido-in-stand-alone-mode-without-relay/)

Tonido offers advanced security controls like IP filters that allow you to configure access permissions based on IP addresses, and also implements two-factor authentication using a secondary question and answer.

No digital product can claim it is 100% hacker proof. We always recommend our users to use strong passwords and set remote Q&A to their Tonido run devices.

In the marketplace, as a customer you have an option to choose competing products and services. Depending on your budget, functionality and security needs choose the product that fits your requirements. But if you are looking for a powerful, full-featured and secure personal cloud – TonidoPlug is the way to go.

Dropbox Security Breach

Yet another security breach in Dropbox. Please see the news coverage from media below:

Beyond Dropbox: Security is only part of the cloud’s problem

Dropbox Security Breach: Who’s Guarding Your Secrets In The Cloud?

Dropbox users get spammed via personal e-mail accounts

Let us face it. There is nothing secure about Public Cloud online services. It is just a huge honeypot waiting to be hacked.

It is one more reason why Tonido is better than Public Online Cloud Storage/Sync services like Dropbox. Public cloud services often claim that they are better equipped to protect users’ data than the users themselves. It is nothing but a Myth and pure Baloney.