
Adeona Warns of Instability; OpenDHT Mothballed

Posted by kdawson
from the here's-to-you-my-rambling-laptop dept.
gbickford writes "Adeona, the first open source system for tracking the location of your lost or stolen laptop, was featured on Slashdot last year. I was stoked when I read about how it worked and I installed it immediately. I just went to look for updates on the site and was greeted with a giant warning message stating, 'Adeona is currently not working.' It seems that OpenDHT, the distributed hash table that stores the location information and photos, has been fairly unstable lately. The developers claim that this is 'largely because the back-end OpenDHT system is not able to tolerate the load imposed by Adeona.' OpenDHT removed the need for a centralized database with tracking information, which in effect prevents a 3rd party from tracking a user's whereabouts. OpenDHT was Sean Rhea's Ph.D. project back in 2005 and he has decided to officially bow out of maintaining it as of July 1st, which has left the developers of Adeona looking for another back end to store location information and photos. The source code for Adeona is available and they are actively seeking developer contributions on the developer's list. Do any developers have ideas on where to put scads of information in a free, reliable, anonymous, and secure manner?"
  • by Anonymous Coward on Sunday May 24, 2009 @10:54PM (#28079675)

    Post the information in anonymous Slashdot comments!

    • by kdemetter (965669) on Monday May 25, 2009 @12:52AM (#28080175)

      Actually, that could be done, however, the problem is that someone visiting slashdot with a browser, and posting on it, would be able to corrupt the data.

      So we need a way to ensure that only the program can post, and nothing else.

      Perhaps it can be done by storing the data in first posts: The program would be fast enough to put a post first, and if not, we know what 90% of the first posts will look like, so we can filter those out.

      • Actually, it wouldn't be such a horrible idea*.

        Just come up with an RSA keypair and store it on all your machines. Encrypt and sign all data you want to store "in the cloud", and find someone who will store it for you.

        * Slashdot might object to this and delete your post. I recommend using Reed-Solomon coding (or some other error-correcting code) and storing your data redundantly on several sites.

        You could also do mirrored RAIF (Redundant Array of Independent Forums), though it might be rife for puns. And RAIP, where P=Posts, would be ripe for them. (Someone's gonna RAIP my karma for that, but the puns and anagrams form such a FAIR PAIR...)

    • by RuBLed (995686) on Monday May 25, 2009 @01:03AM (#28080217)
      I save my files in 127.0.0.1 and that site is fast. It's also secure btw, I asked my friend to access 127.0.0.1 and he cannot see my files. Also whenever I try to access 127.0.0.1, it's reliable and always there. I never leave my basement though.
      • Safe huh? (Score:3, Funny)

        by benjymouse (756774)
        Let's see about that. I'll just fire up my custom metasploit and we'll see about that. Ok. Now it's probing 127.0.0.1. We'll see ho
  • scads of information

    free, reliable, anonymous, and secure

    Why do you assume there is such a thing? The only way I can think of is a distributed network, which as the summary says, runs into serious scaling issues.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      BitTorrent to the rescue?

    • Re:Realistic? (Score:4, Informative)

      by Daengbo (523424) <daengbo@nospaM.gmail.com> on Sunday May 24, 2009 @11:27PM (#28079871) Homepage Journal

      "Distributed hashing tables are a class of decentralized distributed systems that provide a lookup service similar to a hash table: (key, value) pairs are stored in the DHT, and any participating node can efficiently retrieve the value associated with a given key." [1] [wikipedia.org]

      They should look at Bamboo DHT [bamboo-dht.org].

    • In this case you store the data in the other clients. If you want to use the software you have to agree to store a gig or so of encrypted data. Your laptop connects to the grid periodically and uploads your data and downloads someone else's. Cooperative cloud computing at its finest, and the developers don't have to ask for help from anybody.
      • by kdemetter (965669)

        Not only that, the storage wouldn't be an entire waste: it would be encrypted, so not directly accessible, but the part that is already stored on your pc, could be retrieved locally, as they are actually already available.

        Only problem is that in this case your sharing doesn't grow exponentially, like it does with bittorrent: every user would share 1 gb of information, regardless of whether they downloaded 20gb, or 10mb.

      • I'm sure the Russian Mafia would be willing to host the database for free!
  • First time I've heard of this software: it sounds interesting.

    I'm curious about how it works: i.e. why the attacker wouldn't either disable the networking interfaces or re-install the software (depending on their intent), but I suppose it would be quite useful in the case of casual theft.

    Surely it would be more useful for the service to send the location data directly to one of the owner's servers, rather than OpenDHT?

    • by navyjeff (900138)

      I'm curious about how it works: i.e. why the attacker wouldn't either disable the networking interfaces or re-install the software (depending on their intent), but I suppose it would be quite useful in the case of casual theft.

      There is nothing to stop a thief from removing the software once they either have root access to your machine or have wiped the OS. If you need something that integrated, you might just have to put it in the BIOS or EFI or some kind of firmware. If I ever stole a laptop, I would surely keep it isolated from any networks until I had a chance to replace the OS.

      Surely it would be more useful for the service to send the location data directly to one of the owner's servers, rather than OpenDHT?

      That's the issue I've run into. I've been using Adeona for almost 6 months now. I've never been able to retrieve *any* pictures the software has suppos

    • Re:Adeona (Score:5, Interesting)

      by davester666 (731373) on Monday May 25, 2009 @12:27AM (#28080095) Journal

      There's two types of thieves for laptops/small electronic devices.

      One type (drug users, thieves with little technical knowledge, people who just want very quick cash) generally just try to pawn the device ASAP and get less than 10% of the retail value. The person who purchases the device from the pawn shop may or may not be that knowledgeable or have install disks to wipe the installed system.

      The other type will try to maximize the money they get from the system. These people tend to be more technically knowledgeable and are more likely to wipe the computer and install a new system on it and then ebay or craigslist it, or they may even try to ransom it back to the original owner.

      The devices stolen by those of the first type of thief generally will get booted up and plugged into the internet with tracking software intact and ready to report.

      Now, it's not enough just to get a report, like an IP address and possibly a photo of the person using the device, because the police may not be interested in tracking down the device. Recently, I read a story about a stolen Mac with tracking software installed, where the owner went to the police with the info, and they were brushing him off except a member of their drug enforcement department happened to see the picture and recognized a drug dealer they were looking for, so they did track down the location and arrested the guy/returned the computer intact.

      • by mysidia (191772)

        With a boot order of Hard-Drive first and a passworded BIOS, with boot-from-CD disabled, they won't easily be using install media to wipe the OS install.

        Esp. on laptops that don't allow a password BIOS reset.

        They'd literally have to pull the hard drive and use another system to format and install an OS on the drive.

        This becomes even harder if ATA security was set up in the BIOS. The hard drive is a brick without it being plugged into THAT laptop or without knowing the ATA password to unlock the hard dr

        • by sy5t3m (1349857)
          You're overlooking something just a little bit obvious.
          All the bios passwords in the world won't prevent anything when the battery can just be pulled.

          So the correction should read:

          They'd literally have to pull the battery before doing anything they want with your system.

          • by Terrasque (796014)

            Except that most laptop BIOSes cannot be casually reset. To reset the BIOS password for those, you'll have to send them to the manufacturer.

            So I think your brilliant plan for world domination won't work quite as you expect.

      • Re: (Score:3, Informative)

        by indiechild (541156)

        Something similar happened to my friend last year in London. Some scumbags got a copy of the key to his apartment -- most likely during an apartment inspection with the real estate agent. They swiped all 4 laptops in the apartment plus a few hundred in cash, but strangely enough left a bunch of digital cameras etc untouched.

        My friend had Adeona installed on his MBP and managed to get a couple of good webcam captures of a suspect and IP address, which he sent to the cops. The cops weren't interested in recov

        • by mysidia (191772)

          I think it helps that if in addition to an IP, you have a built-in GPS transceiver, and you can track (literally) the precise location of the laptop, not just the network it's plugged into.

          • by autocracy (192714)

            But how often do you have a laptop running with a clear view of the sky?

            • But how often do you have a laptop running with a clear view of the sky?

              You only need it once. Hmm. I'd need to replace my USB-charged Bluetooth GPS with one with solar recharging, and I haven't seen one where the computer could control whether the GPS is running. A GPS unit takes more power than a solar panel can supply, so the computer would have to turn on GPS briefly (mapping software would, of course, keep it on). Another possibility is to also do WiFi sniffing, and report all detected devices in

              • by mysidia (191772)

                I would also suggest optionally transmitting a 'beacon' when connected to a WAP. Essentially a packet disguised as normal windows traffic, but meaningful to any other Adeona clients that might be connected to the same AP or on the same network.

                The Adeona clients can report on (in their tracking info) beacons received, as well.

                And any GPS info the owner of other Adeona clients chooses to publish.. essentially "cooperative assistance" to tracking.

                Other laptop owners running Adeona might opt-in to ano

  • scads of information in a free, reliable, anonymous, and secure manner?"

    there's 4 criteria there. take away free, and you can get the other 3 criteria. leave in the word "free," and you can only have 1 of the other 3 criteria

    • Re: (Score:3, Insightful)

      by MichaelSmith (789609)
      Encrypt it and post it literally anywhere. Only the owner will have the decryption key.
      • by rs79 (71822)

        Exactly. But if you post cryptographically signed data to usenet it'll both be available quickly and will be stored forever (through google).

        Or use TXT records in the dns to do the decentralized db part. Of course I'd suggest using a new tld for this but of course this sort of thing is blocked by the government and scientologists.

        Either way it's easy to store cryptographically signed data in "archived public streams".

        "Cryptographically signed" is the key though.

        And yes I worked damn hard to get that pun in.
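
An added example, not part of any poster's comment and not Adeona's own code: a sketch of the "encrypt it, authenticate it, post it anywhere" idea from this sub-thread, which also covers the earlier worry that other posters could corrupt the data. It assumes the laptop and owner share a secret seed, uses a keyed MAC in place of a public-key signature and HMAC-SHA256 in counter mode in place of a vetted AEAD cipher, and uses a dict as the public store; all function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import json
import os


def _prf(key, label, slot):
    """HMAC-SHA256 as a PRF: an independent 32-byte value per (label, slot)."""
    return hmac.new(key, label + slot.to_bytes(8, "big"), hashlib.sha256).digest()


def _xor_keystream(key, nonce, data):
    """XOR data with HMAC-SHA256 in counter mode (stand-in for a vetted AEAD)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def storage_index(seed, slot):
    """Lookup key for one time slot; unlinkable to other slots without the seed."""
    return _prf(seed, b"index", slot).hex()


def seal(seed, slot, record):
    """Laptop side: encrypt-then-MAC one location record for a time slot."""
    nonce = os.urandom(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = _xor_keystream(_prf(seed, b"enc", slot), nonce, plaintext)
    tag = hmac.new(_prf(seed, b"mac", slot), nonce + ciphertext, hashlib.sha256).digest()
    return storage_index(seed, slot), nonce + ciphertext + tag


def open_blob(seed, slot, blob):
    """Owner side: return the record, or None if the blob fails authentication."""
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_prf(seed, b"mac", slot), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, corrupted, or moved from another slot
    return json.loads(_xor_keystream(_prf(seed, b"enc", slot), nonce, ciphertext))


def recover(seed, store, first_slot, last_slot):
    """Owner side: re-derive each slot's index and keep only authentic records."""
    found = {}
    for slot in range(first_slot, last_slot + 1):
        blob = store.get(storage_index(seed, slot))
        record = open_blob(seed, slot, blob) if blob is not None else None
        if record is not None:
            found[slot] = record
    return found


def demo():
    seed = bytes(range(32))  # constructed secret; a real one comes from os.urandom(32)
    store = {}               # stand-in for any public, untrusted store
    for slot, ip in [(100, "192.0.2.10"), (101, "198.51.100.7")]:  # constructed records
        index, blob = seal(seed, slot, {"ip": ip, "slot": slot})
        store[index] = blob
    # A third party alters slot 101's entry and adds junk of their own.
    idx = storage_index(seed, 101)
    store[idx] = store[idx][:20] + bytes([store[idx][20] ^ 1]) + store[idx][21:]
    store["first post"] = b"junk"
    return recover(seed, store, 99, 102)


if __name__ == "__main__":
    print(demo())
```

The store operator sees only random-looking indices and blobs, so it cannot link two reports to the same laptop, and the owner silently discards anything that was altered or injected.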

    • You could upload the information to Freenet.

      Might be a little weak on the "reliable" criteria, though.

    • Re: (Score:3, Funny)

      by SEWilco (27983)
      How many Libraries of Congress are there in a scads?
    • Legal. Leave that one off and the other four are easy. I'm sure there are far more highly scaled secure apps running in the top five botnets.

      But I answered this above. I don't even know why they had to ask such an obvious question. Even legal it's a no brainer.

    • by tar (2527)

      I'm curious: how do you propose to have "anonymous" without "free"?

    • NSA. I'm sure they'd do it. They would probably pay to get their hands on all that data.

  • Freenet? (Score:3, Informative)

    by evanbd (210358) on Sunday May 24, 2009 @11:15PM (#28079803)

    Freenet [freenetproject.org] is an option that *might* meet your needs. Unfortunately, it won't work well unless you're willing to run a node a large fraction of the time (might be hard for a laptop). And that implies a nontrivial bandwidth and disk commitment.

    Whether it's reliable enough is another matter. Data that isn't accessed at all will become unavailable after a week or three; shorter term than that, or for data that's accessed at least occasionally, reliability is quite good. Speed isn't exciting, but a few seconds (maybe 15-30 if you don't access at all, maybe a lot longer if it's almost but not quite completely gone) latency and a few kB/s should be plenty here.

    On the plus side, it is Free, anonymous, and secure. Of course, all of Adeona switching to it might represent a rather larger load than it's ever seen before -- and would probably be disastrous if those nodes didn't have a decent uptime percentage.

  • by Anonymous Coward

    I always thought it was strange that Adeona worked on the back of an academic project to store its data. OpenDHT was actually pretty cool- I hadn't heard of it until I started reading how Adeona worked.

    openDHT was a kind of anonymous, communal hard drive... seems someone could just modify OpenDHT to use FTP, WebDAV, or even CalDAV on their own web server to do the same basic thing. Since Adeona already encrypts everything on openDHT (which was the point-- anyone could grab the info anyway), so you could ba

    • Re: (Score:3, Informative)

      by asavage (548758)
      What I was thinking was just create a spreadsheet with Google docs. Google docs lets you create a webform to let anyone submit data to your spreadsheet. You could have your tracking software fill out the form with the IP address. The spreadsheet by default can only be viewed by your google account but if you want additional security, encrypt the entries.
      • Google Base [google.com] Free Database... specifically setup for storing this type of information (you'll definitely need to encrypt it). Not sure if the TOS restrict this type of usage though...

    • by maxume (22995)

      Adeona was an academic project. That makes using an academic project a little less surprising.

  • Over-reaching (Score:5, Interesting)

    by Bruce Perens (3872) * <bruce@perens.com> on Sunday May 24, 2009 @11:37PM (#28079911) Homepage Journal

    The reason for using OpenDHT, I think, was that Adeona didn't want it to be possible to trace user's movements using their system until the laptop was reported as stolen. Not that I am entirely clear on this. Perhaps the best thing to do for the time being would be to back off on the unbreakable-privacy goal until a reliable system arises, and use a database like the rest of us.

    Yes, this is dangerous, in that it centralizes in one place the call-in data regarding some large number of laptops. And it makes it tempting for some government to subpoena the data, use it for eavesdropping, etc. So it should not be allowed to stand forever. But it seems kind of silly to just fold up tents until some reasonably blue-sky software meets production goals.

    Bruce

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      They're not saying that they're folding up tents. Just that they are actively seeking contributions to help resolve this technical issue. Seems to me, a post on Slashdot is the perfect place to make this plea.

    • Or, let people specify their own sFTP or other hosted storage for themselves. Shared hosting is very cheap or free these days, so I suggest letting users set where data is stored. No need to rely on a central database in this case, let people use their own storage. Make sense? - Dan Lundmark
    • by Morgaine (4316) on Monday May 25, 2009 @01:04AM (#28080221)

      But it seems kind of silly to just fold up tents until some reasonably blue-sky software meets production goals.

      That's pragmatic advice to safeguard Adeona (I agree), but most of the responses here seem to have interpreted your advice to also mean dropping any interest in OpenDHT, because you called it "blue-sky" (which possibly suggests that "it's not gonna happen").

      I think that a working Distributed Hash Table that is also scalable would be an immensely valuable resource to the community, and would end up underpinning many other projects besides Adeona. The legions of FOSS comprise not only coders but also many visionary designers and competent researchers as well, so I think we can do better than just leave OpenDHT to sink or swim without help.

      How about fostering some more research-oriented work on OpenDHT (if the current design isn't a viable one) instead of abandoning it as the mood seems to be at the moment?

      • Re: (Score:3, Insightful)

        by Bruce Perens (3872) *

        OK, I should state clearly that OpenDHT's capability should not be abandoned.

        But IMO it's sort of a big job to make this scale. It takes people with a pretty strong mathematical computer science background, and a lot of testing, and long-term support. Hopefully the right folks will step up (and don't look at me, I don't have the math).

        • This is going to sound like fangeek adoration because it is. You intuit better math than most of the math geeks I've ever known, and I've known a good number.

          But... I disagree. We can do this if we try, and if you think about how to solve this problem the answer will become obvious to you.

        • by debatem1 (1087307)
          Not really- bamboo, the actual software that opendht ran, works fine- the question is having the resources to actually build and maintain the network. You have some serious connections- if you want to get something started, let me know.
    • Break the unbreakable security commitment? NO!

      Bruce, I respectfully disagree.

      It would be wiser to accept 1-3 days latency from reported theft to recovery data. With that much lag and the requirement that the clients themselves store some redundant multiple of the data they send in encrypted format the problem becomes trivial.

      Surrendering privacy or security is NEVER a valid option in a distributed application.

      • "symbolset" wrote:

        It would be wiser to accept 1-3 days latency from reported theft to recovery data.

        Sure, if that's the cost. But you are assuming a 1-3 day fixed backlog length, rather than a forever increasing one. I'm not yet clear this is a justified assumption.

        • by symbolset (646467)

          With 4-6 multiples per client of storage this is a good metric. With 10x and VI distribution it's safe at 5 9's. The backlog length and intelligence of distribution are implementation details. It's all about Recovery Time Objective and those metrics are well established. My post implied fixed backlog lengths, it's true, but that was for a different audience than you and that paradigm isn't required to solve this problem.

          It's their client and they're well equipped to implement our discussion so we've do

          • wtf? Were you trying to win buzzword bingo? zomg, try again.

            Yeah yeah yeah, I understood what you wrote, but now my brain hurts... time to go read the poll and let it recover...

      • Surrendering privacy or security is NEVER a valid option in a distributed application.

        If you have more than one computer, have your stolen laptop talk to your home server via an encrypted channel. Then you get both.

        • by symbolset (646467)
          This is another grand option. Many of the folk who use this service will have a server with fixed IP address. They might also offer a service like dynamic dns for the people who suffer with dynamic IP address.
    • by ShakaUVM (157947)

      >>Perhaps the best thing to do for the time being would be to back off on the unbreakable-privacy goal until a reliable system arises, and use a database like the rest of us.

      Yeah, it seems to me that having heat-entropy-death-of-the-universe encryption on a frail system - that is apparently so dependent on a central server that even before it becomes well known by people on the internet it dies under the load - seems to be rather silly.

      A system is no better than its weakest link, and having a distribu

  • by Anonymous Coward

    in the eternity network the data was stored in NNTP postings that were encrypted and posted via anonymous remailer.. other temp storage schemes have used DNS caches to great effect. DNS would get my vote plenty of built in caches and infrastructure

          re adam back (eternity network)

  • If it is that useful charge a small subscription fee and use the money to get the resources required to run the project. If you cannot raise funds that way then people must not really see the benefit of the service.
  • The subject line pretty much says it all, but - why continue to expect something for nothing? Storage costs money, whether it's in one place or distributed. So does the bandwidth, no matter how small it is. So why not be willing to pay at least the cost of providing the service?

    If you eliminate the demand that it be without cost, could you come up with a solution to the rest - reliable, anonymous, and secure?

    • Re: (Score:2, Insightful)

      by mysidia (191772)

      Let users specify a server of their own, and either FTP the data or send it to them with a HTTP post form.

      HTTP post forms are perhaps the most reliable way to transfer data.

      Other methods that involve different TCP/UDP ports, or custom protocols like RPC are prone to failure when firewalls on a foreign network block the traffic in the name of security.

      It would be very difficult to accidentally block Adeona if its outbound traffic looked like ordinary web traffic and wasn't to a small list of servers (

    • by Meshach (578918)
      I agree. While free is good and is often the preferred method of distribution it is not always plausible, especially if your project has a limited scope or audience and free will not put food on your table.

      Many companies change and are still well respective members of the software and, yes even the open source industries.
  • 1) Use math. Store only X number of connections. Distribute enough copies that statistically speaking all parts (with parity data) are always available. Distribute it on Adeona installs, where the storage requirements would be # of copies * size of entries * redundancy. If you only keep say the last 30 entries, that shouldn't be much of a table. The data should just be encrypted to a pgp key. users can either keep a copy of the key or pay to have adeona create a key pair and store it for them.

    2) Use the c

  • Projects like this have to make a choice. It can scale hugely and be 99.9999 (nothing is 100) percent reliable, or it can be free. It can't be both, unless you have a really supportive multimillionaire as part of your project. It's a basic fact of life that large amounts of bandwidth and large amounts of storage cost real money.

    This is, in my opinion, the basic stumbling block of free projects that require lots of resources of one form or another. I don't know that a serious study has actually been done,

  • Google AppEngine (Score:4, Interesting)

    by cerberusss (660701) on Monday May 25, 2009 @02:41AM (#28080631) Homepage Journal

    Google's AppEngine is massively distributed. Be sure to encrypt the information written there, and you'll be done.

    • Re: (Score:3, Informative)

      by CrashandDie (1114135)
      Yup, exactly my thoughts. I've been using the AppEngine's Data Store for some time and can't complain. 1Gig of data isn't a lot, but it's cheap to get more. Just get people to donate and you'll have all the storage you need. Just write a simple class that will convert stored objects to XML and it's a done deal. For upload? Simple POST to one of the servlets

      Oh, and for people who don't see how they could encrypt the data from Google: PKI.

      If nobody needs to be able to access the data excepted for one p
  • The functionality depends upon the thief being unaware that information from the laptop is being transmitted somewhere and thus could give away information revealing the theft. If the thief knew about the client then they would of course find a way to disable it before attaching to a network.

    With the current state of technology it's credible that a thief would steal the laptop, connect to the internet, then hopefully get caught. But what if laptops routinely had a GPS receiver onboard, and possibly also a G

    • by davmoo (63521)

      But what if laptops routinely had a GPS receiver onboard

      The tinfoil hat crowd would cry privacy invasion.

      and possibly also a GSM/UMTS modem?

      The cost of the laptop would increase, and we'd all have to buy monthly data packages from a cellular provider.

    • It should be widely known by the dumbest thieves (at least in the UK) that stolen mobile phones don't work because their IMEI gets blacklisted as soon as they're reported stolen.

      This doesn't appear to have reduced mobile phone thefts to zero.

  • http://www.flud.org [flud.org] ...but it seems to have been sleeping since March 2008. :(
