ExpanDrive

As you’ve already heard, ExpanDrive has bought Strongspace and BingoDisk from Joyent and is going to be deploying a new and improved service. First, we’d like to provide a bit of info about ourselves for those of you who are on this blog for the first time.

ExpanDrive is a software company based in Boston, MA and is in the business of making awesome software that enables ridiculously simple and secure access to remote storage. Our main product is a SFTP/FTP/S3 client for Mac and Windows [previously known as SftpDrive] which allows you to turn your remote storage into a network drive. Many Strongspace customers are owners of the ExpanDrive and use it daily. ExpanDrive’s software provides an unsurpassed experience in connecting to online storage which we’re tightly integrating into Strongspace. BingoDisk users will be treated to drive-based access to their storage that works reliably on both Mac and Windows when they transition to Strongspace.

We have big plans for Strongspace and will be actively supporting and developing the service. Strongspace still runs on top of hardened Joyent Accelerators with ZFS. With the help of Joyent’s expert team we’ve heavily audited the security of every aspect of Strongspace to ensure the continued safety of your data.

Strongspace’s web application has been rebuilt from the ground up and deployed onto a much speedier infrastructure. In addition, you can continue expect to a deep commitment to customer support and experience going forward. ExpanDrive is making Strongspace a disk in the cloud that you’ll love to use – connecting you to your storage like a USB drive plugged into your laptop.

We’re excited to be taking over these services from Joyent and wanted to provide you with some details of our plans. Currently we’re finishing up private testing of the new Strongspace service and will be soon emailing Joyent’s lifetime customers with instructions on how they can migrate their data over to ExpanDrive. Following the initial migration of the lifetime customers we will be sending emails to the rest of the Strongspace account holders with instructions on how to set up new accounts.

Follow @strongspace and @expandrive on Twitter and this blog for continuing updates. Feel free to email us with any questions you have. Thanks!

Hot on the heels of ExpanDrive v2.0.3 comes ExpanDrive v2.0.4 [release notes].

ExpanDrive v2.0.4 provides two major enhancements. First – it allows you to set file permissions within Finder’s standard “Get Info” panel on Tiger and Snow Leopard. Unfortunately Leopard will not play nicely with this feature.

It also provides a “fix” for problem that a we’ve had reported with CSSEdit. In some rare circumstances, CSSEdit report that a file could not be saved (due to a server bug), but then delete the original file. With help from our very dedicated users, we have isolated this issue to a bug in older versions of the OpenSSH server. These servers cannot correctly perform a rename when the filename contains path components which do not all reside on the same filesystem – such as nested ZFS/NFS mounts inside your home directory. However, this problem was fixed ages ago and is therefore rarely seen. Most people don’t use the 4.5 line of of OpenSSH, with the big exception being SunSSH – still based off OpenSSH v3.5p1. Ugh.

ExpanDrive v2.0.4 provides a safety mechanism which ensures the original data is preserved, even if the rename incorrectly fails. If you see CSSEdit fail to save please lobby your admin to upgrade to a modern SSH server.

There’s an amazing thread on Stack Overflow titled “What is your best programmer joke?” The whole first page is full of good ones that I hadn’t heard before, but the top post is really priceless:

A man flying in a hot air balloon suddenly realizes he’s lost. He reduces height and spots a man down below. He lowers the balloon further and shouts to get directions, “Excuse me, can you tell me where I am?”

The man below says: “Yes, you’re in a hot air balloon, hovering 30 feet above this field.”

“You must work in Information Technology,” says the balloonist.

“I do” replies the man. “How did you know?”

“Well,” says the balloonist, “everything you have told me is technically correct, but It’s of no use to anyone.”

The man below replies, “You must work in management.”

“I do” replies the balloonist, “But how’d you know?”

“Well”, says the man, “you don’t know where you are, or where you’re going, you expect me to be able to help. You’re in the same position you were before we met, but now it’s my fault.”

One of the most common questions we get at ExpanDrive headquarters is “How much space do I get when I buy ExpanDrive?” This is an awkward question for us for a couple reasons. First, it shows that we haven’t done a great job at getting people to understand what ExpanDrive actually does (take files from your own server and puts them on your desktop).

Second, that question told us that there were a lot of users out there that want something that ExpanDrive can almost give to them. They want to use ExpanDrive, and we want them to use it, but we didn’t have a server for them to us. We think that ExpanDrive is the best file transfer client in the world, but if you don’t have access to an SFTP server of your own then it doesn’t do you a whole lot of good.

That’s why I’m thrilled to announce today that ExpanDrive has acquired Strongspace and BingoDisk from Joyent. With this acquisition ExpanDrive will provide an online storage service with unsurpassed quality of service and user experience.

Strongspace was originally launched by Joyent in 2005 as an online storage service which allows users to securely store and access data using industry standard protocols such as SFTP and rsync. We are taking StrongSpace to the next level. While still built on the same Solaris and ZFS technology that Joyent pioneered, Strongspace has been completely re-written and re-architected to be faster, more reliable, and more powerful.

In addition, the Strongspace service has been designed from the ground up to be the perfect companion to the ExpanDrive client. We’ve been working hard to couple the two with great extensions built into both the client and the server.

Strongspace is currently invitation only while we transition existing customers and will be available to everyone shortly.

The Deer Island Waste Water Treatment Plant is the second largest sewage treatment plant in the US. It was built in the 90s as part of a $4 billion effort to clean up Boston Harbor. The treated water is pumped through a 9.5 mile long tunnel under the Atlantic ocean, and diffused away from shore through 55 vents space out over the last mile.

There’s an amazing story in the Boston Globe Magazine this weekend about the final steps in building the tunnel. After construction was completed the lighting and ventilation were taken out of the tunnel. A team then had to drive 9 miles down the unlighted, oxygen-less tunnel, and remove backup safety plugs from each of the 55 vents. It’s a terrifying lesson about how even a billion dollar project can paint itself into a corner.

PS: During Jeff’s bachelor party last weekend I made fun of him for claiming that the giant egg shaped containers on Deer Island were for water treatment, when they obviously contained some kind of pressurized gas. In fact, he was right and I was wrong. The 150 ft tall containers are sludge digesters.

ExpanDrive 2.0.3 for Mac is now available for download and via the auto updater. It fixes a variety of issues such as PowerPC support on SFTP and a inconsistency that could crop up with our internal data cache. It also adds a few small features such as listing the drive type in the menu bar drop down.

ExpanDrive v2.0.3 also adds preliminary Snow Leopard support, which we’d love some feedback on.

Due to the nature of the fixes we highly recommend you upgrade.

I love the “Automata” series they’ve been working on at Penny Arcade. Gabe’s art is gorgeous, the world is imaginative, and the story is fascinating. I don’t want it to end.

Jeff posted about the SSL vulnerability described at Black Hat this year. And he’s right: It is scary.

But rather than calling this an SSL bug, even though it sort of is, I would call this another new application of the same persistent and recurring security problems that exist in most low-level libraries and applications, due to reliance on the C language and its standard libraries. The assumption that anything string-like can be treated as a zero-terminated array of characters is pervasive not just because it’s simple, but because C is more or less the only language environment that is universally supported on every platform, from 8-bit microcontrollers up to highly-concurrent multiprocessor systems, and it supports only three basic data types (four, if you squint).

This bug, like most of the other important security threats of the past thirty years, boils down to that: Lacking a strong and expressive type system, C not only permits but encourages its programmers to sacrifice correctness, safety, robustness, testability, and maintainability in favor of some highly underdeveloped and ill-measured ideas about “performance”. Much of the infrastructure of the Internet is built out of this garbage. Robert T. Morris, Jr.’s SMTP worm in 1988 was only the first in a long series of large-scale exploits, yet even today, the same practices that made that worm possible are being deployed in new software.

It is absolutely possible to write correct, safe, robust, testable, maintainable, and high-performance code in C. But to do so requires an enormous amount of discipline and attention to detail on the part of programmers, and most of us (myself included) simply do not have the discipline, the knowledge, or the attention to detail that it requires. As a result, most of the C code you encounter in the wild is unmentionable dreck. The fact that it compiles at all is more a testament to the inhuman patience of compiler writers, than to its status as working or worthwhile code. And, to paraphrase an old saying, anybody who considers C for high-level application development at this point in history, is in a grievous state of sin.

In a sense, C is a kind of technological land mine: Easy to deploy, very powerful, and highly effective for solving certain kinds of problems. However, once it’s buried in the ground underneath your project, it can be very dangerous to those who walk in your footsteps. There’s a good reason the United Nations has a convention banning land mines; perhaps it’s time software developers considered a similar approach.

I’m kind of shocked there isn’t more news on this Major SSL vulnerability:

Certificates for authenticating SSL communications are obtained through Certificate Authorities (CAs) such as VeriSign and Thawte and are used to initiate a secure channel of communication between the user’s browser and a website. When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL.

The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com.

Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading any characters that follow the “\0″ in the name.

This is rather scary and has big ramifications for the security of most websites. There is now no easy way to for an average user to feel confident they are actually securely communicating with the service they intend to.

SSL is important for two primary reasons. First and foremost, it provides a secure channel for communication. But secondly, it makes a pretty reasonable guarantee that you’re securely communicating with the server that is listed in your browser’s address bar. With this vulnerability, it’s possible [although difficult, still], for somebody to masquerade as the server in your address bar and allow you to securely communicate with them. Yikes.