My talk is called Taking Your Ball and Going Home: Building Your Own Secure Storage Space That Mirrors Dropbox's Functionality. Alright, so I'm Phil Cryer. I'm also known as fak3r on Twitter and on my blog, fak3r.com. Sure, thanks. A quick background on me, and why I may or may not be qualified to speak here at DEF CON. When I was a kid I started learning different programming languages. I loved learning and playing around with Apple BASIC, Logo, Pascal. And then things changed a bit when I got to high school. It wasn't quite as cool back at the time to be in the computer club. So I actually changed focus a little bit. I eventually graduated from college with an art degree. And after working a number of different jobs I just found myself getting back into more technical roles. And even though I was just self-taught I really enjoyed it and thought I'd fit in. So I started doing desktop support as an IT technician, fixing servers, networking, printers. And it was at that time that I came across Linux. And that pretty much changed everything. I had kind of the same freedom and the same sense of adventure that I had back in the days when I was banging away at the Apple II. And all of a sudden we could solve problems without having to buy solutions and could run a Unix-like environment at home too. And being an IT contractor I worked in a lot of different jobs in the industry. Jumped around a lot: start-ups, large corporations, as well as nonprofits. And it was a good way to learn a lot of different things and to be able to think up new ways to approach ideas. And partially because of events of the day I became more aware of and interested in civil liberties. And while they were important at the time to review, I think it's much more important to think about them for the future too. So I got involved with a variety of different groups, learning more about them and how I can help them succeed.
So currently I'm working at a non-profit using Linux and open source to distribute biodiversity data globally. And we've got a lot of partners we work with, and again it's just an opportunity to use different tools and open source to really benefit a lot of people. And outside of work I'm continuously exploring open source and finding ways to increase online privacy and security. So that's enough about me, now the talk.

How many people here use Dropbox? And how many people here trust it with their personal private data? So Dropbox always has your stuff. And it does, it's a great little app and it just works. I really can't fault the design or the idea of it, and it works really well. And for a long time I thought it was just the killer app, very fun, easy to use. And quickly, some background on Dropbox. They're a very well funded startup company and they offer two gigs of free storage, with an annual membership to increase the space. It lets you sync data across many different devices, any device you want. So it's really easy to sync, they do ad hoc backups with it and social sharing. And it's cross-platform, which is always nice: Mac, Linux and Windows as well as mobile devices. And they've seen really quick growth over the past two years. TechCrunch had an article recently that said Dropbox has 25 million users. And those users save 200 million files daily, more than 1 million every 5 minutes. Which I couldn't believe. So to point that out, on average about 4 million files will be saved on Dropbox during this talk. So for a company that has a free app with free data storage, what's to worry about? What do we know about Dropbox's service? We know Dropbox is secure because Dropbox says so. The files are always available from the website. All transmission of the files is over SSL. Files are stored at Dropbox and encrypted with AES-256. So that's all good. The last two lines were a little less convincing.
Protect yourself without needing to think about it. I think that's probably not something people at DEF CON are going to go for. And the last point, your stuff is safe. But that last one made me say, oh really? So meanwhile, security researchers have found evidence otherwise. Christopher Soghoian has a blog, Slight Paranoia. And he discovered the way the files are detected by Dropbox and uploaded. Basically the file hashes are compared with what Dropbox might already have in storage on its servers. And if a hash matches, it won't actually upload that file. It will just upload the metadata about the file. So they were able to watch traffic to determine that they only uploaded a little bit instead of the whole file. So the idea of data deduplication makes a lot of sense, definitely with regard to bandwidth and storage. But probably not the best idea for privacy and security. Christopher's work led to an FTC complaint that Dropbox was making deceptive statements to their consumers regarding the extent to which they protected and encrypted the data. They said it was a case of deceptive trade practice. Another researcher found the authentication was done with a SQLite file. And it's just a simple SQLite file that you can look at. And the problem with that is if you get a hold of that config.db file, or the host ID, you can gain access to the person's Dropbox. And when you sign up for Dropbox, you have to actually give rights to, you know, you can accept that this laptop can access my stuff, this server can access my stuff. So the problem here is if somebody gets a hold of that file, they have access to your stuff and you don't know it; they have access until you actually revoke that access from that box. And the Technology Liberation Front called Dropbox a privacy black box.
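The hash-compare step described above, as an added illustration that is not code from the talk or from the lipsync project: an unkeyed content hash lets the server recognise the same bytes across accounts (which is the privacy problem), while a per-user keyed hash only ever matches within one account. It assumes sha256sum and openssl are installed; the "server index" is a constructed local text file with one hash per line, and the file names and secrets are made up.

```shell
#!/bin/sh
# Added illustration, not code from the talk or from lipsync: how
# hash-based deduplication decides whether to upload a file, and why a
# per-user keyed hash stops the server from matching one user's file
# against another user's. Assumes sha256sum and openssl are installed;
# the "server index" is a constructed text file, one hash per line.

# Unkeyed content hash: identical bytes give identical hashes for every
# user, so the server can tell that two accounts hold the same file.
content_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Keyed variant (HMAC-SHA256 under a per-user secret): identical bytes
# under different user secrets give unrelated values, so the index can
# only deduplicate inside a single account.  $1 file, $2 user secret
keyed_hash() {
    openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'
}

# Is this hash already in the server's index file?  $1 hash, $2 index
index_has() {
    grep -qx "$1" "$2"
}

# The decision the talk describes: upload the bytes only when the hash
# is unknown, otherwise send metadata alone.
# Returns 0 (true) when a full upload is needed.  $1 file, $2 index
needs_upload() {
    h=$(content_hash "$1")
    if index_has "$h" "$2"; then
        echo "metadata only: $1 (hash already on server)"
        return 1
    fi
    echo "full upload: $1"
    return 0
}
```

Under the keyed scheme every account stores its own copy of a shared file, which is exactly the bandwidth and storage saving the talk says deduplication buys; the trade is privacy for that saving.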
And basically the idea of the third-party doctrine in the Fourth Amendment is putting cloud users' privacy in question, and Dropbox's policies don't do anything to make this safer for consumers. So another good point they made was that the cloud exposes data to risks that local storage doesn't. So Dropbox has some privacy considerations to address, at least to be safe and secure. They had an issue where a new update was pushed and it basically made authentication optional for four hours. So you could log into basically anybody's Dropbox using any password. So again, this was obviously an accident, but it kind of again shows that authentication is not part of your control since it's in the cloud, and clearly an epic fail. So Dropbox confirmed the security glitch and basically pointed out that it was just a code update and there was a bug, and that's cool. I mean, accidents happen, certainly. But again, it kind of highlights the fact that things in the cloud are relying on somebody else to secure your stuff. So Dropbox knows what you have. It may or may not be more secure than the next cloud provider, but at least it protects the information about your personal data usage, except for Dropbox Reader. Dropbox Reader is a set of Python scripts that you can use to basically interrogate that config file and get all sorts of information about syncing activity, including directories that you have shared. And earlier this year Dropbox changed their terms of service, from "all files stored on Dropbox are encrypted and inaccessible without your account password" to "all files on Dropbox servers are encrypted". So that's definitely a change. So Dropbox is a free app with privacy and security concerns that you can use to freely back up your stuff and share files with people. But knowing what I know about open source, I know we can do better if you want to keep all the control yourself. So I thought about how to build this, and I wanted to start out really simply, of course.
So what can sync files remotely? That's pretty easy. rsync, it's been around forever. And also Unison, which is a really interesting option and really specializes in two-way synchronization. So then I wanted to know what I could use as a trigger to kick off a sync, like when a file changes or is updated. inotify has been part of the Linux kernel since 2.6 and basically watches for changes to the file system; it's very fast. And I know that it's up to the task of monitoring many files because it's exactly what Dropbox uses to monitor your Dropbox folder. So this is an error kicked out to syslog just when you're running Dropbox with the default max_user_watches setting. And it's a great error also because again it shows you exactly how to fix it. So that's great. There's another project called lsyncd and it basically combines the file watching with rsync. Basically it watches for any file changes from inotify and then you can have it kick off different commands, by default rsync, but it could do all sorts of other stuff too. And how to securely transfer the data, that's pretty much a no-brainer: go over OpenSSH. It's easy to tunnel over, and it'll work for Unison also and other syncing things that I might try in the future. It also keeps the keys client side by default. So if something goes wrong, you have the keys with the client. So to start simple, use lsyncd to monitor a directory, and then when it sees a change, have it kick off a sync to the remote server over SSH. I wanted to try that, and add more features later on once the proof of concept was working and I got some feedback from the community. So in September 2009, I put a post on my blog about how to build your own open source Dropbox clone, basically just talking about these ideas, with kind of a little how-to about how you can basically make this work. I thought it was just kind of a really simple way of describing it, but the response was tremendous.
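The simple design just described, watch a directory with inotify and push every change to a server with rsync over SSH, as an added example that is not the lipsync installer or any other code from the talk. It assumes inotify-tools (inotifywait), rsync and ssh are installed; LOCAL_DIR, REMOTE and SSH_KEY are placeholder values, and the watch-limit check reads the same fs.inotify.max_user_watches sysctl the syslog message points at.

```shell
#!/bin/sh
# Added example, not the lipsync project's installer: the minimal loop
# the talk describes, inotify watching a directory and rsync over SSH
# pushing changes, plus a check against the kernel's watch limit.
# Assumes inotify-tools (inotifywait), rsync and ssh are installed.
# LOCAL_DIR, REMOTE and SSH_KEY are placeholder values to adjust.

LOCAL_DIR="${LOCAL_DIR:-$HOME/lipsync}"
REMOTE="${REMOTE:-user@example.invalid:/srv/lipsync/}"   # placeholder host
SSH_KEY="${SSH_KEY:-$HOME/.ssh/lipsync_key}"            # key stays on the client

# Build the rsync command line: archive mode, compression, remove files
# on the server that were deleted locally, and a dedicated SSH identity
# for the tunnel.  $1 local dir, $2 remote target, $3 ssh key
build_rsync_cmd() {
    printf 'rsync -az --delete -e "ssh -i %s" "%s/" "%s"' "$3" "$1" "$2"
}

# inotify consumes one watch per directory, so the number of directories
# under the tree is what must fit under fs.inotify.max_user_watches.
count_watch_dirs() {
    find "$1" -type d | wc -l | tr -d ' '
}

# Current kernel limit; 8192 is the historical default, used here when
# the sysctl is not readable (for example, not running on Linux).
watch_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

# Returns 0 when the tree fits under the limit; otherwise the sysctl the
# syslog message mentions needs raising before the watcher will cope.
watches_ok() {
    [ "$(count_watch_dirs "$1")" -lt "$(watch_limit)" ]
}

# Run one sync of LOCAL_DIR to REMOTE.
run_sync() {
    eval "$(build_rsync_cmd "$LOCAL_DIR" "$REMOTE" "$SSH_KEY")"
}

# Watch recursively and push after every write, create, delete or move.
sync_loop() {
    watches_ok "$LOCAL_DIR" || echo "warning: raise fs.inotify.max_user_watches" >&2
    inotifywait -m -r -e close_write,create,delete,move --format '%w%f' "$LOCAL_DIR" |
    while read -r changed; do
        echo "change: $changed"
        run_sync
    done
}

# Only start watching when explicitly asked, so the file can be sourced.
if [ "${LIPSYNC_RUN:-0}" = "1" ]; then
    sync_loop
fi
```

Start it with LIPSYNC_RUN=1 after setting REMOTE and SSH_KEY; the server end needs nothing beyond an SSH account and rsync, which is the point the talk makes about keeping the keys on the client.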
People just posted non-stop and everybody seemed really excited about the idea. It was cool because they actually brought up a lot of different similar projects that were already kind of doing the same thing. But the article got picked up and posted to sites like Reddit, Lifehacker, Slashdot and IT World. And then at the end of last year, there was a print magazine called Hacker Monthly, which is actually a pretty nice magazine if you haven't seen it. I hadn't heard about it at the time they approached me, and it's well done. Okay, so I had announced my idea and I'd gotten feedback and compared this to some other methods and ideas, but I still had some things that I thought I could do with mine that would keep it a little more open, and yeah, so I decided to press on and it was time to build a project around this idea. So I put it up on GitHub, called it lipsync, and it includes just a bash script that's an installer that sets up the environment for you. It's BSD licensed, and the project's set up to be transparent and open because it's on GitHub, and I just wanted to get as much community involvement around it as possible. So currently it's just pretty basic, but lipsync runs on Linux, watches files for changes, and kicks off rsync over SSH to sync the data. It's got basic Growl-like desktop notifications, but again, great response from the community. Users are forking the project, making pull requests, helping me fix bugs, writing, you know, issues. And there's a pretty active mailing list now too. This is just kind of a basic idea of how it works. Again, a client has a new file and it gets synced to the server. Another client gets another file. It syncs to the server. It also notices that there's a new file for it to grab. And then if a client's not making any changes, right now we just use cron, which just kicks off and checks with the server every now and then to see if there are any files it needs. And future things coming up.
A contributor has it running on OS X. I think it's using FSEvents instead of inotify. So there are some changes and things to look at there. But it should be ready soon. We want to make things more secure and private, cool, whatever. We want to figure out the best way to do things like encrypted file systems, and then look at other ways to sync, like over P2P, Freenet, BitTorrent. See if we can use Tor or another kind of proxy. And we really want to make it cross-platform. Linux is obviously the easiest, then Mac. We have some ideas on Windows, how it can work within Cygwin. I don't know if I want to have that requirement or not, but I don't do much work in Windows anymore so I don't know how hard that'll be. That's another one. And there are more ideas from the community. People are still coming up with questions and suggestions for more functionality. Got a basic website up, with an easy-to-remember URL, thanks to Anthony. And again, it just links to the GitHub page and all the issues and the mailing list. So, conclusions. It's possible to create a secure file distribution app that protects users' privacy and security. But it probably won't be built by a for-profit third party. It'll be built by the community. And we should probably look at all cloud or app store software with the same kind of skepticism. I think probably everybody here does. So if you're interested in lipsync at all and want to get involved, try it out. You can join the mailing list. Submit an issue. Discuss ideas. And continue to ask questions and just explore privacy and security in software. And always bring a talent. And that's what I have. I want to thank my sponsors, SBS Creatix, and also DEF CON, the EFF, Nikita and the great job they did this year, and my family. And there's my contact info. Thank you.