Adeona Warns of Instability; OpenDHT Mothballed
Posted by kdawson on Sun May 24, 2009 09:50 PM
from the here's-to-you-my-rambling-laptop dept.
gbickford writes "Adeona, the first open source system for tracking the location of your lost or stolen laptop, was featured on Slashdot last year. I was stoked when I read about how it worked and I installed it immediately. I just went to look for updates on the site and was greeted with a giant warning message stating, 'Adeona is currently not working.' It seems that OpenDHT, the distributed hash table that stores the location information and photos, has been fairly unstable lately. The developers claim that this is 'largely because the back-end OpenDHT system is not able to tolerate the load imposed by Adeona.' OpenDHT removed the need for a centralized database with tracking information, which in effect prevents a 3rd party from tracking a user's whereabouts. OpenDHT was Sean Rhea's Ph.D. project back in 2005 and he has decided to officially bow out of maintaining it as of July 1st, which has left the developers of Adeona looking for another back end to store location information and photos. The source code for Adeona is available and they are actively seeking developer contributions on the developer's list. Do any developers have ideas on where to put scads of information in a free, reliable, anonymous, and secure manner?"
Related Stories
Open Source Adeona Tracks Lost & Stolen Laptops 192 comments
An anonymous reader writes "Adeona is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. This means that you can install Adeona on your laptop and go — there's no need to rely on a single third party. What's more, Adeona addresses a critical privacy goal different from existing commercial offerings. It is privacy-preserving. This means that no one besides the owner (or an agent of the owner's choosing) can use Adeona to track a laptop. Unlike other systems, users of Adeona can rest assured that no one can abuse the system in order to track where they use their laptop."
This discussion has been archived.
No new comments can be posted.
Here's an idea... (Score:4, Funny)
Post the information in anonymous Slashdot comments!
Re:Here's an idea... (Score:4, Funny)
Actually, that could be done, however, the problem is that someone visiting slashdot with a browser, and posting on it, would be able to corrupt the data.
So we need a way to ensure that only the program can post, and nothing else.
Perhaps it can be done by storing the data in first posts: The program would be fast enough to put a post first, and if not, we know what 90% of the first posts will look like, so we can filter those out.
Re:Here's an idea... (Score:5, Funny)
Actually, it wouldn't be such a horrible idea*.
Just come up with an RSA keypair and store it on all your machines. Encrypt and sign all data you want to store "in the cloud", and find someone who will store it for you.
* Slashdot might object to this and delete your post. I recommend using Reed-Solomon coding (or some other error-correcting code) and storing your data redundantly on several sites.
You could also do mirrored RAIF (Redundant Array of Independent Forums), though it might be rife for puns. And RAIP, where P=Posts, would be ripe for them. (Someone's gonna RAIP my karma for that, but the puns and anagrams form such a FAIR PAIR...)
Re: (Score:2)
You've been waiting a LOOOONG time for that haven't you?
Re: (Score:2)
Made it up on the spot :)
Re:Here's an idea... (Score:5, Funny)
Safe huh? (Score:3, Funny)
Realistic? (Score:2)
scads of information
free, reliable, anonymous, and secure
Why do you assume there is such a thing? The only way I can think of is a distributed network, which as the summary says, runs into serious scaling issues.
Re: (Score:2, Insightful)
BitTorrent to the rescue?
Re:Realistic? (Score:4, Informative)
"Distributed hashing tables are a class of decentralized distributed systems that provide a lookup service similar to a hash table: (key, value) pairs are stored in the DHT, and any participating node can efficiently retrieve the value associated with a given key." [1] [wikipedia.org]
They should look at Bamboo DHT [bamboo-dht.org].
Re: (Score:2)
Bamboo and OpenDHT are the same.
Bamboo is the software/algorithm/protocol and OpenDHT is a specific deployment of it on the PlanetLab research network.
Because there is always an answer (Score:2, Interesting)
Re: (Score:2)
Not only that, the storage wouldn't be an entire waste: it would be encrypted, so not directly accessible, but the part that is already stored on your pc could be retrieved locally, as they are actually already available.
Only problem is that in this case your sharing doesn't grow exponentially, like it does with bittorrent: every user would share 1 gb of information, regardless of whether they downloaded 20gb, or 10mb.
Re: (Score:2)
Adeona (Score:1)
First time I've heard of this software: it sounds interesting.
I'm curious about how it works: i.e. why the attacker wouldn't either disable the networking interfaces or re-install the software (depending on their intent), but I suppose it would be quite useful in the case of casual theft.
Surely it would be more useful for the service to send the location data directly to one of the owner's servers, rather than OpenDHT?
Re: (Score:1)
I'm curious about how it works: i.e. why the attacker wouldn't either disable the networking interfaces or re-install the software (depending on their intent), but I suppose it would be quite useful in the case of casual theft.
There is nothing to stop a thief from removing the software once they either have root access to your machine or have wiped the OS. If you need something that integrated, you might just have to put it in the BIOS or EFI or some kind of firmware. If I ever stole a laptop, I would surely keep it isolated from any networks until I had a chance to replace the OS.
Surely it would be more useful for the service to send the location data directly to one of the owner's servers, rather than OpenDHT?
That's the issue I've run into. I've been using Adeona for almost 6 months now. I've never been able to retrieve *any* pictures the software has suppos
Re:Adeona (Score:5, Interesting)
There's two types of thieves for laptops/small electronic devices.
One type (drug users, thieves with little technical knowledge, people who just want very quick cash) generally just try to pawn the device ASAP and get less than 10% of the retail value. The person who purchases the device from the pawn shop may or may not be that knowledgeable or have install disks to wipe the installed system.
The other type will try to maximize the money they get from the system. These people tend to be more technically knowledgeable and are more likely to wipe the computer and install a new system on it and then ebay or craigslist it, or they may even try to ransom it back to the original owner.
The devices stolen by those of the first type of thief generally will get booted up and plugged into the internet with tracking software intact and ready to report.
Now, it's not enough just to get a report, like an IP address and possibly a photo of the person using the device, because the police may not be interested in tracking down the device. Recently, I read a story about a stolen Mac with tracking software installed, where the owner went to the police with the info, and they were brushing him off except a member of their drug enforcement department happened to see the picture and recognized a drug dealer they were looking for, so they did track down the location and arrested the guy/returned the computer intact.
Re: (Score:3, Informative)
Something similar happened to my friend last year in London. Some scumbags got a copy of the key to his apartment -- most likely during an apartment inspection with the real estate agent. They swiped all 4 laptops in the apartment plus a few hundred in cash, but strangely enough left a bunch of digital cameras etc untouched.
My friend had Adeona installed on his MBP and managed to get a couple of good webcam captures of a suspect and IP address, which he sent to the cops. The cops weren't interested in recov
Re: (Score:2)
But how often do you have a laptop running with a clear view of the sky?
GPS and WiFi sniffing (Score:2)
You only need it once. Hmm. I'd need to replace my USB-charged Bluetooth GPS with one with solar recharging, and I haven't seen one where the computer could control whether the GPS is running. A GPS unit takes more power than a solar panel can supply, so the computer would have to turn on GPS briefly (mapping software would, of course, keep it on). Another possibility is to also do WiFi sniffing, and report all detected devices in
Re: (Score:2)
"Do any developers have ideas on where to put (Score:4, Funny)
scads of information in a free, reliable, anonymous, and secure manner?"
there's 4 criteria there. take away free, and you can get the other 3 criteria. leave in the word "free," and you can only have 1 of the other 3 criteria
Re: (Score:3, Insightful)
Re: (Score:2)
Exactly. But if you post cryptographically signed data to usenet it'll both be available quickly and will be stored forever (through google).
Or use TXT records in the dns to do the decentralized db part. Of course I'd suggest using a new tld for this but of course this sort of thing is blocked by the government and scientologists.
Either way it's easy to store cryptographically signed data in "archived public streams".
"Cryptographically signed" is the key though.
And yes I worked damn hard to get that pun in.
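The idea in this comment and in the RSA-keypair comment further up (post protected records somewhere public, and let only the owner find and trust them), as an added sketch that is not any poster's code and not Adeona's own protocol. It assumes laptop and owner share one secret, so HMAC stands in for the signature and an HMAC-counter keystream stands in for a real cipher; `slot`, `seal` and `open_sealed` are hypothetical names and the sample data is constructed.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a keyed PRF, used for key separation and indexing."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC in counter mode: a stdlib stand-in for AES-CTR or ChaCha20.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def slot(secret: bytes, epoch: int) -> str:
    """Name a record is posted under; unlinkable without the secret."""
    return _prf(secret, b"index" + epoch.to_bytes(8, "big")).hex()

def _tag(secret: bytes, epoch: int, body: bytes) -> bytes:
    # The tag covers the slot name, so a record moved to another slot fails.
    return _prf(_prf(secret, b"mac"), slot(secret, epoch).encode() + body)

def seal(secret: bytes, epoch: int, record: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_prf(secret, b"enc"), nonce, record)
    return body + _tag(secret, epoch, body)

def open_sealed(secret: bytes, epoch: int, blob: bytes) -> bytes:
    """Check the tag first; raise ValueError on any modification."""
    body, tag = blob[:-32], blob[-32:]
    if len(body) < 16 or not hmac.compare_digest(tag, _tag(secret, epoch, body)):
        raise ValueError("record failed authentication")
    return _xor_stream(_prf(secret, b"enc"), body[:16], body[16:])

def demo() -> dict:
    secret = bytes(range(32))   # constructed key shared by laptop and owner
    store = {}                  # stands in for the public forum, Usenet or DHT
    reports = [b"198.51.100.7", b"203.0.113.42"]   # constructed sample data
    for epoch, ip in enumerate(reports):           # laptop side: post
        store[slot(secret, epoch)] = seal(secret, epoch, ip)
    recovered = [open_sealed(secret, e, store[slot(secret, e)]) for e in range(2)]
    forged = bytearray(store[slot(secret, 1)])     # a stranger edits the post
    forged[20] ^= 0x01
    try:
        open_sealed(secret, 1, bytes(forged))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"recovered": recovered, "tamper_detected": tamper_detected}

if __name__ == "__main__":
    print(demo())
```

A real deployment would swap the keystream for an AEAD cipher and, if third parties must verify records, the MAC for a public-key signature.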
Re: (Score:2)
You could upload the information to Freenet.
Might be a little weak on the "reliable" criteria, though.
Re: (Score:3, Funny)
Re: (Score:2)
~.00001
I'm just surprised nobody has yet said "ask google to host it"...
Freenet? (Score:3, Informative)
Freenet [freenetproject.org] is an option that *might* meet your needs. Unfortunately, it won't work well unless you're willing to run a node a large fraction of the time (might be hard for a laptop). And that implies a nontrivial bandwidth and disk commitment.
Whether it's reliable enough is another matter. Data that isn't accessed at all will become unavailable after a week or three; shorter term than that, or for data that's accessed at least occasionally, reliability is quite good. Speed isn't exciting, but a few seconds (maybe 15-30 if you don't access at all, maybe a lot longer if it's almost but not quite completely gone) latency and a few kB/s should be plenty here.
On the plus side, it is Free, anonymous, and secure. Of course, all of Adeona switching to it might represent a rather larger load than it's ever seen before -- and would probably be disastrous if those nodes didn't have a decent uptime percentage.
I don't know what they were thinking... (Score:1, Interesting)
I always thought it was strange that Adeona worked on the back of an academic project to store its data. OpenDHT was actually pretty cool - I hadn't heard of it until I started reading how Adeona worked.
openDHT was a kind of anonymous, communal hard drive... seems someone could just modify OpenDHT to use FTP, WebDAV, or even CalDAV on their own web server to do the same basic thing. Since Adeona already encrypts everything on openDHT (which was the point-- anyone could grab the info anyway), so you could ba
Re: (Score:3, Informative)
Re: (Score:2)
Google Base [google.com] Free Database... specifically setup for storing this type of information (you'll definitely need to encrypt it). Not sure if the TOS restrict this type of usage though...
Over-reaching (Score:5, Interesting)
The reason for using OpenDHT, I think, was that Adeona didn't want it to be possible to trace users' movements using their system until the laptop was reported as stolen. Not that I am entirely clear on this. Perhaps the best thing to do for the time being would be to back off on the unbreakable-privacy goal until a reliable system arises, and use a database like the rest of us.
Yes, this is dangerous, in that it centralizes in one place the call-in data regarding some large number of laptops. And it makes it tempting for some government to subpoena the data, use it for eavesdropping, etc. So it should not be allowed to stand forever. But it seems kind of silly to just fold up tents until some reasonably blue-sky software meets production goals.
Bruce
Re: (Score:2, Insightful)
They're not saying that they're folding up tents. Just that they are actively seeking contributions to help resolve this technical issue. Seems to me, a post on Slashdot is the perfect place to make this plea.
An open DHT is a highly valuable resource (Score:4, Interesting)
That's pragmatic advice to safeguard Adeona (I agree), but most of the responses here seem to have interpreted your advice to also mean dropping any interest in OpenDHT, because you called it "blue-sky" (which possibly suggests that "it's not gonna happen").
I think that a working Distributed Hash Table that is also scalable would be an immensely valuable resource to the community, and would end up underpinning many other projects besides Adeona. The legions of FOSS comprise not only coders but also many visionary designers and competent researchers as well, so I think we can do better than just leave OpenDHT to sink or swim without help.
How about fostering some more research-oriented work on OpenDHT (if the current design isn't a viable one) instead of abandoning it as the mood seems to be at the moment?
Re: (Score:3, Insightful)
OK, I should state clearly that OpenDHT's capability should not be abandoned.
But IMO it's sort of a big job to make this scale. It takes people with a pretty strong mathematical computer science background, and a lot of testing, and long-term support. Hopefully the right folks will step up (and don't look at me, I don't have the math).
Re: (Score:2)
Re: (Score:2)
>>Perhaps the best thing to do for the time being would be to back off on the unbreakable-privacy goal until a reliable system arises, and use a database like the rest of us.
Yeah, it seems to me that having heat-entropy-death-of-the-universe encryption on a frail system - that is apparently so dependent on a central server that even before it becomes well known by people on the internet it dies under the load - seems to be rather silly.
A system is no better than its weakest link, and having a distribu
Re: (Score:2)
"symbolset" wrote:
Sure, if that's the cost. But you are assuming a 1-3 day fixed backlog length, rather than a forever increasing one. I'm not yet clear this is a justified assumption.
Re: (Score:2)
wtf? Were you trying to win buzzword bingo? zomg, try again.
Yeah yeah yeah, I understood what you wrote, but now my brain hurts... time to go read the poll and let it recover...
Re: (Score:2)
Surrendering privacy or security is NEVER a valid option in a distributed application.
If you have more than one computer, have your stolen laptop talk to your home server via an encrypted channel. Then you get both.
Simple Solution (Score:2)
Why does it have to be free? (Score:2)
The subject line pretty much says it all, but - why continue to expect something for nothing? Storage costs money, whether it's in one place or distributed. So does the bandwidth, no matter how small it is. So why not be willing to pay at least the cost of providing the service?
If you eliminate the demand that it be without cost, could you come up with a solution to the rest - reliable, anonymous, and secure?
Re: (Score:2, Insightful)
Let users specify a server of their own, and either FTP the data or send it to them with a HTTP post form.
HTTP post forms are perhaps the most reliable way to transfer data.
Other methods that involve different TCP/UDP ports, or custom protocols like RPC are prone to failure when firewalls on a foreign network block the traffic in the name of security.
It would be very difficult to accidentally block Adeona if its outbound traffic looked like ordinary web traffic and wasn't to a small list of servers (
Re: (Score:2)
Many companies change and are still well-respected members of the software and, yes, even the open source industries.
You can't have both (Score:2)
Projects like this have to make a choice. It can scale hugely and be 99.9999 (nothing is 100) percent reliable, or it can be free. It can't be both, unless you have a really supportive multimillionaire as part of your project. It's a basic fact of life that large amounts of bandwidth and large amounts of storage cost real money.
This is, in my opinion, the basic stumbling block of free projects that require lots of resources of one form or another. I don't know that a serious study has actually been done,
Google AppEngine (Score:4, Interesting)
Google's AppEngine is massively distributed. Be sure to encrypt the information written there, and you'll be done.
Re: (Score:3, Informative)
Oh, and for people who don't see how they could encrypt the data from Google: PKI.
If nobody needs to be able to access the data except for one p
I'm not convinced about net-based tracking system (Score:2, Interesting)
The functionality depends upon the thief being unaware that information from the laptop is being transmitted somewhere and thus could give away information revealing the theft. If the thief knew about the client then they would of course find a way to disable it before attaching to a network.
With the current state of technology it's credible that a thief would steal the laptop, connect to the internet, then hopefully get caught. But what if laptops routinely had a GPS receiver onboard, and possibly also a G
Re: (Score:2)
But what if laptops routinely had a GPS receiver onboard
The tinfoil hat crowd would cry privacy invasion.
and possibly also a GSM/UMTS modem?
The cost of the laptop would increase, and we'd all have to buy monthly data packages from a cellular provider.
Re:I'm not convinced about net-based tracking syst (Score:2)
It should be widely known by the dumbest thieves (at least in the UK) that stolen mobile phones don't work because their IMEI gets blacklisted as soon as they're reported stolen.
This doesn't appear to have reduced mobile phone thefts to zero.