
I am Shaun Murphy, cybersecurity expert for 20 years, right now solving the security flaws of cloud storage and content sharing with sndrBlock. AMA!

Jan 24th 2017 by shoonmcgregor • 30 Questions • 995 Points

Edit: This concludes our AMA. We really enjoyed engaging with you guys. If you still have questions, feel free to pop by our slack (invites at slackin.sia.tech). Who We Are:

David Vorick (/u/Taek42) - Cofounder + Lead Dev
Luke Champine (/u/sia_nemo) - Cofounder + Dev
Johnathan Howell (/u/fighterjet-biceps) - First Employee + Dev

What is Sia?

Sia is a fully open source cloud storage platform that is user-focused and completely decentralized. Sia exists through a blockchain-based marketplace that allows users to discover and connect to storage providers to store their data. Instead of giving data to just a single provider, the data is split up, encrypted, and then redundantly stored across dozens of storage providers. This means that no individual storage provider has any amount of control over the data. From day 1, the user has the power. A blockchain also means that there is no central company controlling the prices, and no terms-of-service or unfriendly privacy policies. It's a revolutionary way to put your data in the cloud.

Proof:

http://i.imgur.com/uOWaX8W.jpg

Learn more about Sia:

Website: https://sia.tech
Twitter: https://twitter.com/siatechhq

Upload your Files to Sia: https://medium.com/sia-tech/getting-started-with-private-decentralized-cloud-storage-c9565dc8c854
Get paid to be a Sia Host: https://blog.sia.tech/2016/05/26/how-to-run-a-host-on-sia/
Integrate Sia into your Applications: https://blog.sia.tech/2016/10/20/api-quickstart-guide/

Learn more about Sia: http://forum.sia.tech/topic/107/interesting-threads

Q:

If a packet hits a pocket on a socket on a port,

And the bus is interrupted as a very last resort,

And the address of the memory makes your floppy disk abort,

Then does socket packet pocket have an error to report?

[Edit: This poem is not mine. It originates from Usenet back in the 80s. For more, google: Dr. Seuss on computers]

On a more serious note, what are your thoughts about MIT's Riffle?

A:

What was the hardest thing to get working on the first version of RealVNC?


Q:

Is your company named after the singer Sia Furler?

A:

Thank you for that, we'll have to incorporate that style into our whitepapers soon.

I like the idea of anonymous exchange of content and communication - some people really need that and something better/faster than Tor is always a plus.

I haven't seen any group take off with yet, perhaps there's an opportunity there.


Q:

Programming the network interface is always the hardest thing to get absolutely right!

A:

Funny story. We picked the name expressly because there were no search results, other than some obscure javascript stuff and some singer who had relatively little popularity.

Then, like 3 weeks after we had committed to Sia, sure enough the word 'Sia' is trending and generating massive buzz because of her new music video. The one with an 11yo in a nude suit.

Sia the singer has of course done very well since then, and it's been annoying for us. But we chose to keep the name anyway, and we continue to be happy with it.


Q:

Makes one wonder if a system could be developed that's smaller than tor (faster), all nodes controlled by a single entity (the company)(so again faster, but also increased deployability), but where a user could exchange data with that entity with proof of anonymity...

A:

My partner has used your application to stream her Masters work from her home desktop to her iPad in the classroom more than once when USB sticks have failed her.

What uses have you heard of for your application that have surprised you?


Q:

Sia has been making music for more than a decade, under that name and with other groups, like Zero 7.

A:

Perhaps but that sounds like a VPN - what if that single entity is your adversary?


Q:

There are so many great stories. We've heard that satellites can't launch without it, and it's been used to monitor tracking equipment and cameras looking at polar bears in the Arctic!

A:

This is true however she was not really a searchable name until her Chandelier video, at least as far as I remember.


Q:

What do you mean by lab?

A:

There's an urban IT myth that Microsoft said that there was no way to remotely manage Windows servers and you guys came along and proved them wrong in an executable that was only about 150KB (iirc). Care to comment?


Q:

For sites like YouTube, we can also set up a cookie-based payment.

"can" as in "could theoretically implement this in the future" or "currently are capable of this?"

A:

These days there are many excellent degree and certification paths you can take; it is a bit overwhelming. I didn't have that many options when I went through my undergrad, so I took a computer engineering approach - one that mixed software and hardware study.

Most systems you'll use in practice these days are controlled strictly by software systems but there are some systems that do have hardware components that are mysterious black boxes for most people.

I recommend checking out some relevant clubs at the university as well like Cyber defense clubs and the sort. I always like the approach of learning how to breach a system in depth before you consider how to secure one.


Q:

Not heard that, but VNC is the smallest footprint remote access application, and can certainly be used on Windows servers. And we gave it to the world :)

A:

We have the designs needed to implement this in the future. If we put it as the next thing in our pipeline, I'm estimating it'd take 3-5 weeks to implement. We would have to extend the host-renter protocol, which means it wouldn't be usable until enough hosts had upgraded, which would probably take an extra 2-4 weeks.

You can't do it using today's software. I'm expecting us to have it implemented by the end of the year, though before we get that far we have other priorities.


Q:

In a lecture titled "Cyberphobia: identity, trust, security and the internet" Edward Lucas made the argument that the internet was inherently built to not be secured. "The internet was designed by a small group of computer scientists looking for a way to share information quickly. In the last twenty years it has expanded rapidly to become a global information superhighway, available to all comers, but also wide open to those seeking invisibility. This potential for anonymity means neither privacy nor secrecy are really possible for law-abiding corporations or citizens."

Do you agree that the way the internet was built and the dramatic expansion of HOW we use it means we may never actually be secure in our Data?

A:

For me personally VNC has never been fast or light enough to be used over slower networks, mobile for example. I've had much better reliability and speed with RDP. But I don't use Windows servers anymore, so no more RDP. With the improvements that gaming (i.e. Steam and others) has brought to streaming and remote inputs, will VNC ever get these improvements? Even if it breaks compatibility with old servers I would love to see a new, faster, better VNC that takes advantage of the newer technology.


Q:

How exactly would YouTube be able to identify malicious behavior?

A:

Privacy and security don't have to be just about being anonymous or invisible. The sheer number of apps, services and devices connected to the internet that have no security is staggering, and the damage done after a major breach goes on for a lifetime.

I think the internet does have some fundamental flaws - the recent massive take down of major DNS servers from IoT devices was a rude reminder of that... but it's mostly the applications and services we use that have let us down. Sure, perhaps people share too much personal information online... there's not much you can do to stop that user behavior.

What you can do is protect the other huge percentage of users that want to share content with friends using public key cryptography technology we've known about for centuries (or more.) Web browsers should've had this several generations ago, social media should've had this from the very start, and every messaging/email system out there should have this built in as a default.

The common saying is "encryption is hard" - so was streaming video, tracking users across services and selling that data but that's working pretty well these days for the tech giants.


Q:

H.264 could give us the kind of frame rate needed for remote gaming especially if we can tap into hardware acceleration. This is high on our agenda, and we can implement this without breaking compatibility.

A:

The same way that they identify it today. YouTube already has to pay for all the bandwidth that they consume to funnel content to users. Sia would actually be able to do that for them for much cheaper than what their current costs are.


Q:

What is your opinion on the Snowden event ?

A:

H264 would be huge, nearly everything can hardware encode/decode it. Can't wait, thanks!!


Q:

"What does Sia offer? What makes it unique and worth investing? Elevator pitch... I never read up on it and obviously didn't invest. Juuuust curious."

Someone in a crypto-investing slack asked these questions^

A:

It's a tough call for me, personally... The fact that more people are talking about security and privacy and more companies are starting up to develop solutions to truly protect their customers is great - but it should never have gotten this bad.

We were all made so vulnerable by the tech giants and other entities capturing and correlating data on everything we do and every data breach moves us closer to a total collapse of any authenticity of the internet making our lives miserable as we try to recover from identity or financial theft, are devastated that our intimate conversations and content were leaked, or simply we have no idea what or who is real online anymore.


Q:

We've already done it for some products, just thinking how to fit in across the board

A:

Our website I hope does a good job of explaining Sia. If not, we'd love some feedback.

Generally, our targets are not speculators/investors - our focus is users. Siacoin the cryptocurrency is a necessary component of the Sia network - it's how we penalize hosts if they don't store your data as promised. Without that, I feel that Sia would be vulnerable to a large number of attacks. Happy to expand on this in another top-level question.

But essentially, the siacoin itself is designed as a security component to the network, and while it's also a speculation instrument by side-effect, increasing the siacoin price is not a primary goal of ours. That said, I do expect it to go up substantially if Sia usage goes up substantially - you need siacoins to use the network, and there is a fixed supply.


Q:

Interesting product. What does it offer that isn't already out there? Or is it just the fact that it brings all of those features into one unified platform?

A:

What's the most creative way you've seen or heard of VNC being used?


Q:

Have you got any corporate clients?

A:

There are a lot of apps out there, there are a lot of hard drives connected to the internet, and there are a lot of cloud services to choose from. All of these have their different limitations and security problems.

Unifying these all into one platform makes it much easier to dramatically improve your security posture and it also lets their strengths support new levels of efficient content sharing and communication.

Combining a local device and the cloud, for example - you get the speeds of local transfers so you get content off of your devices fast and your recipients get the speed of the cloud where ever they may be around the world.


Q:

Augmented reality - someone was using VNC to overlay choreography directions to dancers wearing Google Glass during a live performance... :)

A:

Nothing we are able to announce yet, however having corporate clients is both a short term goal and a long term business strategy for us. We are in the process of forming relationships with several corporations, and hope to have some big announcements in the next few months.


Q:

So, how does this compare to Fakeblock?

A:

In the newest release, RealVNC made the switch to cloud. I actually prefer the old server-client method. Do you have plans to keep this old method instead of the cloud?


Q:

When you get corporate clients are they going to be paying in dollars or siacoin?

A:

So watery and yet there's a smack of ham to it.


Q:

We support both, it's a customer choice.

A:

Depends on the corporation, and the specific deal, and also depends on what our lawyers say is safe for us to do.

If corporate clients are willing to pay in siacoin, it's very simple for them to use the network. They can hire us on support contracts if desired, or if they aren't having any trouble they can just use it themselves and not even notify us that they've begun using Sia.

If siacoins are not compatible with their internal policies, we will be able to work with them anyway to get them operating on the Sia network, though the specific process will probably vary by customer.


Q:

I'm sure you've had job opportunities with government agencies. Is there a specific reason you chose not to go that route? Cyber Security student here.

A:

What's the best basic tip to troubleshoot your computer and other devices?


Q:

Btw, you guys talked about a surprise.. Care to share it?

A:

I've worked both in both private industry and as contractor for certain agencies. The best part of private industry is you can talk about what you've worked on, sometimes!

No matter where you end up, you have an enormous responsibility to your user base and right now almost every industry is in need of new talent.


Q:

You can't beat turning it off and on again.

A:

Next week we will be announcing an opt-in leaderboard for storage. Users can compare how much they've uploaded and compete to rank on the ladder. The top new users each month will get prizes like T-shirts.

This leaderboard is completely opt-in, and the only information you provide to the leaderboard will be evidence of how much data you have stored with each host. The leaderboard won't know anything about how many files you've stored, their names, etc, and again it is fully optional that you participate.


Q:

Why do all my nude selfies keep going straight to the public cloud?

A:

Yeah but what about when I've already done that and my isp tells me to do it again and after I do it when they tell me to it works. Care to explain?


Q:

Are there any stats on how much data is stored on the network as a whole? I saw something on your slack that it was only around 10-15 TB, but I can't really find any authoritative sources.

A:

Because


Q:

The idea for the business came much later in 2002, after we had made the software freely available under an open source license in 1998. We founded the company with cash from merchandising and donations - we pioneered the crowdfunding idea before it was even called that, which didn't happen until 2006!

A:

There's really not any good way to measure that, as it were. Sia does everything over payment channels, including uploads.

Payment channels are both a scalability and a privacy upgrade. It allows many uploads and downloads and payments to happen in a single blockchain transaction. A downside of this though is that, on the blockchain, the amount pretty much always reads '0'. So when you upload 50 TB of data to our network, there's actually no way for us to reliably track that.

It's one of the disadvantages of private, decentralized systems.

We do however have the ability to monitor how much money people have allocated in total for storage. And as of this morning, that was more than 35 million siacoins.

edit: the leaderboard of course will give us a better idea, but users have to choose to share this information with us. So at best, it gives us a lower bound on how much data the network is storing. I'm guessing that most of our business clients will refrain from using the leaderboard, though they will probably be a massive percentage of the total data consumed.


Q:

Does this include the "hybrid cloud storage"... and who pays for it?

A:

What are some of the popular names using this technology and what do you think is the next big thing in your field?

Bonus question: Does 'taking over' devices shown in movies come remotely close to what real-life hackers can do? If so, how?

Thank you.


Q:

How do you see minebox.io impacting your business?

A:

The hybrid is two fold:

  • local device you buy and attach to your network (the sndrBlock)
  • cloud provider where we stick encrypted blobs - free for many users, with in-app upgrades so you can pay for a small temporary upgrade (we call them stamps) or subscription plans to upgrade the base storage for heavier use.

Q:

Bonus answer: no, not really. The real world is always far more complex than the few minutes that filmmakers have to depict a scene.

A:

We are very excited about Minebox, as Minebox users will both be utilizing the network to store their data and also increasing the quantity and diversity of hosts on the Sia network. This is a huge benefit for the network's health.

We're also excited in general about the product, and believe that Minebox is a natural evolution to the traditional NAS.


Q:

How'd you start?
Are you happy with your job?
Are you paid enough? Any tips for someone interested in security?

A:

What are some of the popular names using this technology and what do you think is the next big thing in your field?

Bonus question: Does 'taking over' devices shown in movies come remotely close to what real-life hackers can do? If so, how?

Thank you.


Q:

What’s the timeline (and technical roadmap, if you can share any of that without compromising state secrets) for recovering both coins AND files with one’s wallet seed?

Until then, Sia is simply remote data storage. (Albeit one with nifty bells/whistles.) Because users must still backup important data in some other way/shape/form, e.g. on a local hard drive, Dropbox, etc.

A:

I started working on intelligent payphones back in the day. Towards their end of existence, payphones were actually computers inside the big metal case that held all of the logic for billing, alarms, etc. And there was a lot of consideration for the security of the payphone owner (phreaking) as well as the privacy of the phone users.

That led into my deep interest in the crypto wars in the 90s with PGP and such and so I studied computer engineering for my undergrad and graduate degrees.

The job is useful - there are how many users on the internet RIGHT NOW, how many of them are going to lose a job because of something posted, how many are going to have financial distress during the next big system breach? It's almost a never ending stream of opportunity to help real people and I love that.

Pay can be quite good depending on the area you go in. I suspect with the happenings in the United States right now, you're going to see more demand for professionals in this area.


Q:

The next big thing is IoT. If you think that VNC is the universal interconnect between screens of all different kinds, and that IoT will have billions of embedded screens, there's probably something for us to do in that space... and our protocols and cloud connectivity can even be useful for devices that don't have screens to share real time data streams

A:

Less than a year, though you aren't going to see it in the next 3 months. We've spec'd out everything that needs to be done to make it happen, but the implementation is expected to take a few weeks and we have a few other problems we need to solve first.

We understand that this is a significant issue though, and it's very much on the roadmap.


Q:

Say, what do you think about Kali?
The tools it offers and such.

A:

Is copying and pasting images and other files ever going to be a possibility and if not, why?


Q:

It's all open source, I don't believe anything is proprietary.

A:

Kali is fantastic - I have a bootable USB stick on my keychain at all times.


Q:

It's not possible to do it in a cross-platform way, which breaks our philosophy. We have supported an integrated cross-platform file transfer function for a number of years, which might not be the most convenient, but is at least possible.

A:

That's correct. All of the code is open source. We have a github repo for both our daemon and our graphical client, from which you can build the latest releases yourself.


Q:

What is your opinion on hardware based secret systems such as AWS CloudHSM? Who do they protect against? If a government wants to get your data they can surely get the private keys from the hardware storage, right? And the security in AWS facilities surely is hard enough that no ordinary attacker could get access to your data anyway by walking in and taking a hard disk. So what's the point? Just to be compliant with some security standard?

A:

Did you patent the technology?


Q:

Just you. Your client encrypts and uploads the data. From there it's distributed across hosts who your client agreed to contract with.

The default behavior is 5 copies of your data. If one node goes down, you get part of your contract fee back. I'm going to assume the client looks for another host to upload data to.

A:

I really like the concept of HSM but for something that important you need to have extremely good physical security and solid knowledge of who has authenticated access.

There have been some HSM vulnerabilities where private keys could be extracted under certain scenarios but they required some level of authenticated access.

Compliance is a big piece of HSM; most normal use cases can't afford to use such an appliance. There is a movement to include HSM technologies in phones (Apple's Secure Enclave, for example) and this is a great use of the technology.


Q:

The core protocol is open, published and unpatented. There are elements of RealVNC applications, including some proprietary encoding algorithms that are patented.

A:

Sia uses Reed-Solomon coding to achieve the same properties. The most recent release has an 8-of-32 redundancy scheme, though as we continue to iterate on the software we expect to eventually reach numbers closer to 30-of-50 without sacrificing data security.

Doing it this way gives you massive geographic redundancy as well as a high tolerance to disk failure, host failure, trust failure, earthquakes, nuclear warfare, etc. In terms of reliability, there's really no comparison (modulo potential bugs in the software).

This also means that we can have hosts focusing on achieving 95% reliability instead of 99.99999% reliability. This will likely result in cheaper drives, cheaper setups, etc, and overall stronger customization for the end-user.

Napkin math suggests that the long term cost of Sia at scale (assuming drive prices don't decrease ever again) is around $2 / TB / Month. This accounts for power, servers, rent, etc.

Time will prove or disprove that math.
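The answer above describes a k-of-n erasure-coding scheme (8-of-32 today, 30-of-50 as a target) and argues that hosts can then aim for 95% rather than 99.99999% reliability. The following is an added example, not code from the Sia project or from this AMA; it computes the file availability such a scheme yields under the stated assumption that each host is independently reachable with probability p, along with the storage overhead (n/k) each scheme pays, and the per-host reliability each scheme needs to hit a target availability. The per-host probability p and the 99.999% target are constructed inputs for illustration.

```python
from math import comb

# Constructed inputs: the two schemes named in the answer above.
SCHEMES = {"8-of-32 (current)": (8, 32), "30-of-50 (target)": (30, 50)}


def availability(k: int, n: int, p: float) -> float:
    """Probability that a file split into n erasure-coded pieces can be
    rebuilt, i.e. that at least k of the n hosts are reachable.
    Assumes each host is independently available with probability p,
    so the number of reachable hosts is Binomial(n, p)."""
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def storage_overhead(k: int, n: int) -> float:
    """Bytes stored on the network per byte of user data."""
    return n / k


def tolerated_losses(k: int, n: int) -> int:
    """How many of the n hosts may vanish before the file is unrecoverable."""
    return n - k


def min_host_reliability(k: int, n: int, target: float, iters: int = 60) -> float:
    """Smallest per-host availability p at which availability(k, n, p) >= target.
    availability() is monotone in p, so a bisection on [0, 1] suffices."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if availability(k, n, mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def compare_schemes(p: float, target: float = 0.99999) -> dict:
    """Summarise every scheme in SCHEMES for a given per-host availability p."""
    out = {}
    for name, (k, n) in SCHEMES.items():
        out[name] = {
            "overhead": storage_overhead(k, n),
            "tolerated_losses": tolerated_losses(k, n),
            "availability": availability(k, n, p),
            "min_host_reliability_for_target": min_host_reliability(k, n, target),
        }
    return out


if __name__ == "__main__":
    for p in (0.95, 0.5):
        print(f"per-host availability p = {p}")
        for name, row in compare_schemes(p).items():
            print(f"  {name}: overhead x{row['overhead']:.2f}, "
                  f"tolerates {row['tolerated_losses']} lost hosts, "
                  f"file availability {row['availability']:.9f}, "
                  f"needs p >= {row['min_host_reliability_for_target']:.3f} "
                  f"for 99.999%")
```

The comparison shows the trade-off the answer is making: 8-of-32 stores four bytes per byte of user data and survives 24 lost hosts, so even unreliable hosts give near-certain availability, while 30-of-50 cuts the overhead to about 1.67x but tolerates only 20 losses and therefore needs noticeably more reliable hosts to reach the same availability. The independence assumption is the weak point of this model: correlated outages (one data centre, one ISP, one buggy host release) are exactly what geographic spread across many operators is meant to break.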


Q:

What are your opinions on The Internet of Things, and how we should handle securing such networks?

A:

Since many vendor-specific implementations of VNC have H.264 as one of the compression standards they support, are there any plans to make this part of the standard?


Q:

Hey guys,

Great what you guys are doing! I was wondering, Kim Dotcom is launching MU2.0 soon. Will he be (solely) using Sia? Did you guys have any contact over the last few months?

Edit: is it one of the 3 announcements? :) "We have 3 announcements / events coming over the next 3 weeks."


Q:

We support H.264 (audio/video mpeg 4 standard for those who aren't sure what it means!) in some of our SDK products aimed at markets where there is hardware encode/decode. We're considering the wider application of it more generally across our product offerings for the 2017 roadmap.

A:

The first was the release yesterday, the second is the AMA today, and the third is the leaderboard coming next week.

We have not been in contact with Kim Dotcom despite our best efforts. We're not really sure what he's building, but I suspect that it's not actually decentralized, merely instead it is bitcoin based.

I guess we will see though.


Q:

What do you think of BlackBerry phones? Are they actually secure in the way that they are advertised and presented?

A:

Will that be part of an upcoming update to the RFB protocol specification?


Q:

Sia's pricing for storage right now is very low relative to its competitors, but not many users are actually storing files on the network. Looking at SiaPulse there's 931 TB available but only 0.82% of that is in use. Without anyone to purchase storage, the hosts have no incentive to continue participating.

What do you think is limiting the number of storage buyers on the network and how do you plan to address it?

A:

I think it's interesting the work that Samsung and Blackberry have done to secure Android. The Android landscape as a whole is very challenging, one phone might be really secure and the next one may have malware calling back home - wherever that might be.

In terms of evaluating Blackberry's claims, I have not. Samsung Knox has been shown to be a very complementary security component to Android, however.


Q:

We're still thinking about this. It can, and has been, done in a way which doesn't require protocol changes. There may be arguments for something more tightly coupled.

A:

I believe that the 0.82% number is actually incorrect. There are hosts on the network with as much as 50% utilization today, and most non-new hosts have at least 10% utilization.

That said, you are correct that as of today there is a windfall of supply compared to the demand, and we are working hard to correct that. The biggest reason for this up until today I feel was that the software was very slow for uploading and downloading files. Until our release yesterday, it would take more than a week to upload a single 20GB file. The release that is out now can do that at much faster speeds.

I also think that general awareness among consumers is very low. We are working to introduce Sia to the world and to get people excited about it.


Q:

What does the future of information technology and cybersecurity look like?

A:

you're behind "hallo world" ? :O


Q:

What do you think of Swarm, Filecoin, Maidsafe, etc?

A:

In the United States: Busy


Q:

is "hello world?" an application? #philosophy :)

A:

I try not to talk too much about our competitors, because there is some very obvious bias here. But generally, I feel that Sia is the only platform that has a really strong grasp of the security implications of decentralized systems, and similarly I feel that Sia is the only platform that was designed from the ground up with performance in mind.

To the best of my knowledge, Sia today is the ONLY platform where you can actually upload an encrypted 200 GB file to a decentralized network and expect it to still be there next week. All of the other platforms either require some sort of central server to coordinate things, or otherwise just don't have the scale or incentivization.

My favorite thing about Sia is its independence. If right now Nebulous were to shut down all of its servers, users would not experience problems. The forum, the website, and the blog would disappear, meaning you might have problems getting help, however your files would keep uploading, would stay online, and you could keep using the application itself just the same, as though nothing was wrong.


Q:

Do you ever feel like that no matter what you do, your security measures will always fail? It seems like everything online is subject to being stolen, no matter how tight the security.

A:

What are you most excited about for Sia in 2017?


Q:

I don't... there are certainly things out of your control unless you stay hidden in a cave all the time - things like credit card skimmers at gas stations, etc. but you build up a defense around that (don't use a debit card, use a credit card instead, etc.)

The same is true with information stored online - put a defense around it (encrypt it) and make it part of your workflow or adopt tools and services that do it for you.

A:

Oh man where to start.

I'm excited about the enterprise deals that we are working on. I'm excited by the thought of having true decentralized storage for my data (this is already available, but it's so new and it still excites me a lot). I am looking forward to being able to backup my entire life with a single seed, in a decentralized way. I am excited for the filesharing capabilities that we are working on.

We are expecting 2017 to be a big year for Sia, and for decentralized storage as a whole.


Q:

What measures are in place to prevent corporate acquisition of privately uploaded data to personal storage 'clouds'? My concerns are that privately uploaded memories will eventually become subscription access data or privately owned/sold by the physical data content holders (like, I upload a photo album from my wedding and later when I'm old they charge me to access seeing it). What stops this from happening? (I will NEVER put my data into the cloud)

A:

Thanks!


Q:

Make sure the data they have is useless - encrypt everything and adopt tools and services that view you as a customer not a product.

A:

I am not quite sure what you mean by health, however there are a lot of hosts on the network spread across approx 3 major geographical locations. There is far more supply than demand, which I think is not fantastic, though it means that prices are insanely low. At one point it was only like $0.25 cents to store what would cost a full $25 on Amazon.

We have not seen any security events nor do we have any reason to believe that there's something dangerous on the horizon. If you put files on the Sia network, you're almost certain to be able to re-download them.


Q:

How have the revelations of mass surveillance affected your work?

A:

Obviously improving the tech is always on your mind, but as a company what are your priorities in the near future?


Q:

Events like those are bittersweet just like when a massive data breach happens - it's in the news and people talk about it but it's sad that the cybersec community works so hard to protect people and there's always an element trying to subvert that work.

A:

Our top priority right now is the usability of the network. The current release has a few warts from the early days, for example it takes about 15 minutes to unlock the wallet and about 45 minutes to form file contracts. We've got an improvement in the pipeline to make unlocking the wallet almost instant.

Up until our release yesterday, files were also very slow to upload and download. Now, downloads are fast and uploads are extremely fast. We're really pleased to have accomplished that.

We're also aiming heavily at scalability. The blockchain protocol has been designed to support millions of TBs per person, which is necessary for some enterprises. While the protocol can do that just fine, today the user software really can't keep up with that much volume. For the most part, we just need traditional engineering to get more scale, and that's something we'll be focusing on.

Finally, we've started adding more adversarial conditions to our testing framework. We're adding active attackers and giving them lots of money and storage, and trying to set up situations where people are willing to throw away tons of cash in an attempt to disrupt the network. Sia is already very strong against most forms of attack, but we will be taking it that extra mile over the next 3 months or so.

In the more middle term, we will be adding support for filesharing and content distribution. The Sia of today can't really be a backend for YouTube, however the Sia of 12 months from now will be able to do that.


Q:

So, can sndrBlock be a more secure replacement for services such as Dropbox/Google Drive/OneDrive and other cloud storage?

I mean, if I lose ALL of my hardware...everything. Will I be able to just go out and get a new computer and access all my data again? Or is this more of a local storage thing with cloud-ish features?

Does it have an HTTPS interface at all? Or does it need to run on the OS as an application? For instance, guest login from a Chromebook to access my files on the fly?

A:

Yes, and it's more than just storage.

Yes, you will be able to replace all of your hardware with the secure default configuration of the sndrBlock. If you lose just one device, use another device on your account (tablet/desktop) to remotely revoke and log out that lost device. If you lose absolutely all of your devices, you can restore your access using a few methods we've developed to securely back up your keypair (we will never have it).

It's a local cache - it only stores what you're working on now, things you're uploading and things people recently sent to you. You can grow that cache by plugging fast storage into the back, but it's not necessary. You can use the cloud to stash files or you can choose to only keep things local.

The system is configured and used via an app - web browsers are just not set up for end-to-end cryptography.

We do run on Chromebooks that can run Android apps - we also have an "Arc Welded" version for other Chromebooks that do not run Android apps.


A:

Sure:

The consensus verification logic is here.

It's verifying a type of transaction called a "Storage Proof." The storage proof type is defined here. The comments should hopefully explain everything well.

A:

Sia has a whitepaper which dives into this pretty well. https://sia.tech/sia.pdf
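A storage proof of the kind verified above is, in simplified form, a Merkle proof: the host reveals one segment of the file together with the sibling hashes from that leaf up to the Merkle root the file contract committed to, and consensus recomputes the root from those pieces alone, without holding the file. The Go program below is an added example written for this page, not Sia's consensus code or its merkletree package; the 64-byte segment size, the leaf/node hash prefixes and the rule for unpaired nodes are conventions assumed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Assumed conventions for this added example (not Sia's code): leaf and interior
// hashes get different prefixes, and an unpaired node is carried up unchanged.
const (
	leafPrefix  = 0x00
	nodePrefix  = 0x01
	SegmentSize = 64 // bytes per leaf, assumed for illustration
)

func hashLeaf(seg []byte) [32]byte {
	return sha256.Sum256(append([]byte{leafPrefix}, seg...))
}

func hashNode(left, right [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{nodePrefix}, left[:]...), right[:]...))
}

// levels builds the tree bottom-up: levels[0] holds the leaf hashes, the last
// level holds the root.
func levels(data []byte) [][][32]byte {
	var leaves [][32]byte
	for i := 0; i < len(data); i += SegmentSize {
		seg := make([]byte, SegmentSize)
		copy(seg, data[i:]) // zero-pads the final segment
		leaves = append(leaves, hashLeaf(seg))
	}
	lv := [][][32]byte{leaves}
	for cur := leaves; len(cur) > 1; cur = lv[len(lv)-1] {
		var next [][32]byte
		for i := 0; i < len(cur); i += 2 {
			if i+1 < len(cur) {
				next = append(next, hashNode(cur[i], cur[i+1]))
			} else {
				next = append(next, cur[i]) // unpaired node carried up
			}
		}
		lv = append(lv, next)
	}
	return lv
}

// MerkleRoot is the commitment a file contract would carry.
func MerkleRoot(data []byte) [32]byte {
	lv := levels(data)
	return lv[len(lv)-1][0]
}

// Proof is what the host presents: the challenged segment plus the sibling
// hashes on the path to the root, bottom-up.
type Proof struct {
	Index    int
	Segment  []byte
	Siblings [][32]byte
}

// BuildProof is the host side; it needs the whole file.
func BuildProof(data []byte, index int) Proof {
	seg := make([]byte, SegmentSize)
	copy(seg, data[index*SegmentSize:])
	p := Proof{Index: index, Segment: seg}
	for _, level := range levels(data) {
		if sib := index ^ 1; sib < len(level) {
			p.Siblings = append(p.Siblings, level[sib])
		}
		index /= 2
	}
	return p
}

// VerifyProof is the consensus side; it needs only the committed root and the
// segment count, and rejects a tampered segment, a wrong index, or a proof
// with missing or surplus siblings.
func VerifyProof(root [32]byte, segments int, p Proof) bool {
	if p.Index < 0 || p.Index >= segments || len(p.Segment) != SegmentSize {
		return false
	}
	h, sibs := hashLeaf(p.Segment), p.Siblings
	for idx, n := p.Index, segments; n > 1; idx, n = idx/2, (n+1)/2 {
		if idx^1 >= n {
			continue // no sibling at this level
		} else if len(sibs) == 0 {
			return false // proof too short
		}
		if idx%2 == 0 {
			h = hashNode(h, sibs[0])
		} else {
			h = hashNode(sibs[0], h)
		}
		sibs = sibs[1:]
	}
	return len(sibs) == 0 && h == root
}

func main() {
	data := []byte("constructed sample file contents: this string is padded out to a bit more than one hundred and twenty-eight bytes so the tree has three leaves")
	n := len(levels(data)[0])
	fmt.Printf("segments: %d, proof for segment 2 verifies: %v\n", n, VerifyProof(MerkleRoot(data), n, BuildProof(data, 2)))
}
```

The prefix bytes are the detail worth noticing: a segment here is exactly 64 bytes, the same length as two concatenated child hashes, so without domain separation between leaf and interior hashes a pair of interior hashes could be presented as a "segment" and still verify. The verifier also takes the segment count from the contract rather than from the proof, which is what lets it reject a proof with too few or too many siblings.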


Q:

I don't know if you're still taking questions, but I was a cyber security major at a tiny community college. I feel so defeated; my professor wasn't the best, and all but 3 dropped out until the very end. I stayed until the end of my computer classes, but I ended up failing.

I had to change majors. I feel so defeated. I'm looking into building computers, I like making websites, I love messing around with computers...

How do I bounce back from this? What can I do alternatively to get into the computer field?

A:

I'm still here, I'll answer as long as questions come in.

I know some really good software developers that don't have a formal engineering or computer science degree. The one thing they did have was curiosity and the drive to learn new things without ever giving up.

See if you can find local internships with companies that do this type of work. Even if you're not sitting down and pen testing / coding / etc. you'll make good contacts, hear the conversations they have, see the resources they use - this is the real training.

By all means, get a degree if you can, but don't give up. We need thinkers and doers that aren't all cut from the same cookie cutter.


Q:

How large do you see the Sia storage network getting in 2017 in terms of storage capacity?

A:

Well, I believe that the storage capacity of the network is already really high, well over 10,000 TB. Most of that capacity is simply not plugged in because the demand is not there - it'd be consuming electricity and headaches, and not providing any revenue.

A better question would be to ask where demand will be at the end of 2017, and I really don't know, but I'm hoping that we can push the growth of our network. At this point, we've crossed the biggest usability hurdles for most users.

I think my personal target would be 100,000 TB total in use on our network by the end of the year.


Q:

How much data does Sia have stored on the network right now?

A:

It's difficult to measure, but I'd estimate we are close to 100 TB at this point.


Q:

I am generally concerned when hardware is introduced as a "security" mechanism, so here are my questions to that end.

What type of cryptographic algorithm do you use? Do you utilise a TPM for storing the encryption/decryption keys/key generation? Do you use a statically loaded key/is it identical in every device? Are you planning to go through any type of Common Criteria approvals process or will you rely on consumer trust?

A:

The e2e security is part of the app ecosystem; the hardware device works with the app.

Our first cipher suite:

Asymmetric - ECC safe curve with keylen 255

Symmetric - AES 256 CTR

Hashing - SHA2

HMAC - HMAC-SHA256

We do not use a TPM. We have 2 keypairs - one for the user keypair and one unique per device that is used for device to device/server authentication and peer to peer asymmetric operations. The user keypair does not exist on disk on the hardware device; it is transferred over the device to device encrypted link only when needed (when you're remotely commanding it or using it as a LAN accelerator to send/stash).

Yes, we have gone through 2 audits so far and our development timeline has a final report audit for system and local items.
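The cipher suite listed in the answer above maps onto one well-understood construction: an X25519 key agreement between two device keys, AES-256-CTR for confidentiality, and HMAC-SHA256 over the nonce and ciphertext (encrypt-then-MAC) for integrity. The Go program below is an added example for this page, not sndrBlock's code. It uses only the standard library (crypto/ecdh needs Go 1.20 or later); the key derivation by labelled SHA-256 and the message layout are assumptions made for illustration. It shows the property a device-to-device link like the one described depends on: the receiver checks the tag before decrypting anything, so a message altered in transit is rejected rather than decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	ivSize  = aes.BlockSize // 16-byte CTR nonce, sent in the clear
	tagSize = sha256.Size   // 32-byte HMAC-SHA256 tag
)

// GenerateDeviceKey makes a per-device X25519 keypair (Curve25519, 255-bit keys).
func GenerateDeviceKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKeys turns the X25519 shared secret into separate encryption and MAC
// keys. Labelled SHA-256 is an assumption for this example (use HKDF in a real
// design); both peers compute identical keys because X25519 is symmetric.
func deriveKeys(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (encKey, macKey []byte, err error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	label := func(s string) []byte {
		h := sha256.Sum256(append(append([]byte{}, shared...), s...))
		return h[:]
	}
	return label("example-enc"), label("example-mac"), nil
}

// Seal encrypts with AES-256-CTR and authenticates iv||ciphertext with
// HMAC-SHA256 (encrypt-then-MAC). Output layout: iv || ciphertext || tag.
func Seal(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	encKey, macKey, err := deriveKeys(priv, peer)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivSize+len(plaintext)+tagSize)
	if _, err := io.ReadFull(rand.Reader, out[:ivSize]); err != nil {
		return nil, err
	}
	body := out[:ivSize+len(plaintext)]
	cipher.NewCTR(block, body[:ivSize]).XORKeyStream(body[ivSize:], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	copy(out[len(body):], mac.Sum(nil))
	return out, nil
}

// Open verifies the tag in constant time before touching the ciphertext, so a
// forged, truncated or corrupted message is rejected outright.
func Open(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	if len(msg) < ivSize+tagSize {
		return nil, errors.New("message too short")
	}
	encKey, macKey, err := deriveKeys(priv, peer)
	if err != nil {
		return nil, err
	}
	body, tag := msg[:len(msg)-tagSize], msg[len(msg)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-ivSize)
	cipher.NewCTR(block, body[:ivSize]).XORKeyStream(plaintext, body[ivSize:])
	return plaintext, nil
}

func main() {
	phone, _ := GenerateDeviceKey()
	box, _ := GenerateDeviceKey()
	msg, _ := Seal(phone, box.PublicKey(), []byte("constructed stand-in for the user keypair"))
	pt, err := Open(box, phone.PublicKey(), msg)
	fmt.Printf("decrypted %q (err %v)\n", pt, err)
	msg[ivSize] ^= 1 // flip one ciphertext bit in transit
	_, err = Open(box, phone.PublicKey(), msg)
	fmt.Println("after tampering:", err)
}
```

Both devices hold static keys here, so the same two keys are derived for every message between them and the random 16-byte nonce is what keeps CTR from reusing keystream. A session protocol built on this suite would add an ephemeral key per session for forward secrecy and bind the sender's device identity into the authenticated data; the encrypt-then-MAC order and the constant-time tag comparison stay the same.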


Q:

I want my NAS to be encrypted but be able to decrypt the filesystem on boot if it's connected to my AD domain. How should I implement this?

Send a "hey give me the decrypt-password!" to the domain controller encrypted with the DC's public key and then reply with a message encrypted with the file server public key?

A:

What type of NAS do you have? This might be the job for an HSM.


Q:

Do you guys have a plan to increase open source contribution?

A:

We do!

Up until now, Sia has largely been its own community. Our last AMA was on the siacoin subreddit. Largely this was because we felt that the software was not ready for us to show off to the rest of the world.

Sia as of our most recent release is very usable, has a thriving community, and we think it's time to start spreading the word to other communities who are interested in decentralization. We have a plan for reaching out and getting people excited, especially among related open source projects such as Tox, Beaker, and even projects like Tor.


Q:

What are your security habits for normal computing? What computer/OS do you usually run? Phone? Programs and apps?

A:

I run and test everything. For daily driving I use Linux Mint, but I also extensively test on OS X and Windows 10. Phone - I use Samsung Android devices for the Knox capability; tablets I switch between iPad and the Samsung tabs.

Programs and apps - things that are cross platform mostly. I'll run multiple web browsers per system depending on what I'm connecting to.


A:

Nope, that isn't the secret :)

A price reward is an interesting idea. Currently we rely on the local host database to weight hosts according to various factors. For example, a host with 90% uptime should be weighted much higher than a host with 70% uptime. Higher weight == higher probability that the renter will form a contract with that host. So there is already a soft guarantee that higher uptime results in more profits. And of course, more uptime means the host is more likely to be online when an upload/download is requested; otherwise they miss out on that revenue.

A:

I've run over the math a few times, and really 98% is the upper limit of where hosts are useful. If you are above 95%, you are doing about as much for the network as possible. 99.99% uptime of course is still useful, it's just that it's barely more useful than 95%.

That said, we really need hosts to be above 90% uptime for them to be useful to the network.

And, we actually do have penalties today for hosts with low uptime. They aren't as strong or as formal as we would like, but that's one of our primary goals for v1.2.0.
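The uptime thresholds in the two answers above can be checked with a small availability model. The Go program below is an added example and not Sia's own math or code: it assumes a file is erasure-coded so that any k of its n pieces, each on a different host, suffice to rebuild it, that hosts go offline independently, and that the renter wants 99.999% availability. For each host uptime it finds the smallest n that meets the target, which is the redundancy the renter has to pay for; k = 10 and the target are assumptions for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// binomialPMF returns P(X = i) for X ~ Binomial(n, p). The coefficient is
// built multiplicatively, which is exact enough for the small n used here.
func binomialPMF(n, i int, p float64) float64 {
	coef := 1.0
	for j := 1; j <= i; j++ {
		coef *= float64(n-i+j) / float64(j)
	}
	return coef * math.Pow(p, float64(i)) * math.Pow(1-p, float64(n-i))
}

// Availability is the probability that at least k of n hosts are online at a
// random moment when each host is up independently with probability p. With
// k-of-n erasure coding that is the probability the file can be fetched.
func Availability(n, k int, p float64) float64 {
	total := 0.0
	for i := k; i <= n; i++ {
		total += binomialPMF(n, i, p)
	}
	return total
}

// RequiredPieces finds the smallest n >= k whose availability meets target.
// The gap n-k is the redundancy the renter stores (and pays for) purely to
// cover host downtime. Returns -1 if no n up to maxPieces is enough.
func RequiredPieces(k int, p, target float64) int {
	const maxPieces = 200
	for n := k; n <= maxPieces; n++ {
		if Availability(n, k, p) >= target {
			return n
		}
	}
	return -1
}

func main() {
	const k, target = 10, 0.99999 // assumed: any 10 pieces rebuild the file
	fmt.Printf("host uptime   pieces needed for %.3f%% availability\n", target*100)
	for _, uptime := range []float64{0.70, 0.90, 0.95, 0.98, 0.9999} {
		fmt.Printf("%9.2f%%   %3d\n", uptime*100, RequiredPieces(k, uptime, target))
	}
}
```

Under these assumptions the required piece count falls from 30 at 70% uptime to 19 at 90%, 16 at 95%, 14 at 98% and 11 at 99.99%: the redundancy bill shrinks quickly up to about 95% and then saturates, which is the shape behind the 90%/95%/98% thresholds in the answer. The same function gives a host-weighting signal for contract formation, since a host's marginal contribution to availability is what the renter is actually paying for.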


Q:

Dude - your Kickstarter only ships to the USA? Why no love for Canada?!

A:

We're looking into it. We didn't know how to estimate out-of-US shipping rates; Kickstarter just has a static field for that. We'll eat the cost in the US, but international might get costly.


A:

I have a Java library too: https://github.com/javajared/Sia-Java

A:

Wow, I had no idea that this existed, thanks for sharing!


Q:

What do you think of distributed cloud storage and content delivery such as IPFS and Swarm? Do you think these sorts of projects make file storage safer or less secure?

And what about security from the businesses that run the services we use?

A:

Love it - we actually tried to use IPFS with the sndr ecosystem and we may very well at some point. It turned out that large file support was really problematic.

Security from the businesses? Don't trust them with data that is not encrypted.


Q:

Can I use it for porno? Legal porn tho.

A:

It wouldn't be a very private cloud storage platform if we had some way to detect and ban porn.

In short, everything is encrypted and done from your own computer. You can think of us sort of like selling a hard drive. What you put on it is your business, and it's not even possible for us to snoop, let alone take action about it.


Q:

Are we paying enough attention, and in turn money, to encryption? I've had cyber experts in the past say that hacking isn't an "if", it's a "when", so the answer isn't protection from invasive attacks, but instead should be focused on encryption.

A:

I think it would be hard to find someone who hasn't been hacked. Government agencies, popular social sites, retail stores, etc. all have leaked data that was stored in the clear. End-to-end cryptography needs to be the standard across all tools and services.


Q:

Does Sia protect against targeted attacks, where a malicious actor reads my contracts and DoSes all of my individual storage providers? (Or even worse, wipes their hard drives!)

A:

If that is something you are paranoid about, you can use anonymity software such as Tor to disguise your contracts and make it difficult for an attacker to tell which hosts have your data. And even better, the attacker won't even know that you are who they want to target.

Data contracts also typically last 12 weeks, and are renewed every 6 weeks. To execute the DoS attack you describe, the attack would need to persist for 6 weeks straight, which is a long time, especially if some of your hosts are major hosts or have decent DDoS protections (some do).


Q:

Hi Shaun. I am a little bit late to the party, but what's your take on Bitcoin? If you have an opinion on it, where do you think it's headed?

A:

I'm excited about some of the new cryptocurrencies that are tied to resources - renting out unused storage, etc.


Q:

Are you guys hiring for a sales team?

A:

You can send applications to [email protected]


Q:

Is it a good idea to build my own general storage and email server at my house instead of using Gmail?

A:

I think it's great to experiment with these, but email is somewhat of a mess - the big email servers generally don't trust email servers you run at home. Having your own home storage is great though; just make sure you have a backup plan.


Q:

What kind of speeds/bandwidth can we expect? And will there be provisions to allow for different levels of speed?

For example, if I want CDN-style storage for images, can I make sure my files are stored on fast connections with SSD drives?

A:

On the release that's out today, you can expect speeds between 70 and 150 Mbps when uploading, and between 20 and 50 Mbps when downloading. Startup time is about a second, I think.

In the future, upload speeds and download speeds will both be able to saturate any consumer connection, including gigabit connections. You will be able to easily select hosts that are faster or ping-time closer to you, with startup times being under 100ms.

SSD drives should not matter in this case; disk drives will be fast enough for any sort of content fetching and distribution. If you can find a measurable difference though, it would be simple enough to use that measurement when selecting hosts to figure out who is using drives that are fast enough for whatever application you have in mind.


Q:

Hi Shaun,

I'm a network engineer that's been transitioning into a security role for the past year. I still feel like my knowledge is very shallow. I know it'll be like this for a while until I gain some real world experience, but what can I do to help in the meantime? Do you recommend any literature or security-focused site that can help me become more aware of the current state of affairs?

A:

It's very quick to set up virtual machines with older / unpatched guests and then hit them hard with pentesting tools - Metasploit, etc. It shows the adversary's viewpoint, which is essential to protecting against them.

For current material I really like Schneier on Security, Krebs on Security, SANS and of course reddit/hackernews.


Q:

Thanks, and what about linear ordering for streaming buffered video?

A:

Files should already be downloading in linear order; as long as you wait long enough before opening the file you can probably get away with watching a video while it downloads already today.


Q:

Confused about net neutrality. Isn't network throttling just ISPs responding to market demand? Shouldn't they be allowed to charge a higher price in order to meet demand?

A:

Every day we use our smart phones, tablets, and other devices to try out new apps and services that just might make our lives better - it's terrifying to think that that innovation will be destroyed because the startups of the world are throttled down because they can't pay for faster access or we're stuck with the existing services with all their limitations because they simply have the most money.

It's also an insult to the US taxpayers that spent so much money building up this infrastructure only to get horrible upload speeds with the threat of even worse access in the upcoming year because they have almost no choice on ISPs.