Adeona Warns of Instability; OpenDHT Mothballed
gbickford writes "Adeona, the first open source system for tracking the location of your lost or stolen laptop, was featured on Slashdot last year. I was stoked when I read about how it worked and I installed it immediately. I just went to look for updates on the site and was greeted with a giant warning message stating, 'Adeona is currently not working.' It seems that OpenDHT, the distributed hash table that stores the location information and photos, has been fairly unstable lately. The developers claim that this is 'largely because the back-end OpenDHT system is not able to tolerate the load imposed by Adeona.' OpenDHT removed the need for a centralized database with tracking information, which in effect prevents a 3rd party from tracking a user's whereabouts. OpenDHT was Sean Rhea's Ph.D. project back in 2005 and he has decided to officially bow out of maintaining it as of July 1st, which has left the developers of Adeona looking for another back end to store location information and photos. The source code for Adeona is available and they are actively seeking developer contributions on the developer's list. Do any developers have ideas on where to put scads of information in a free, reliable, anonymous, and secure manner?"
Here's an idea... (Score:4, Funny)
Post the information in anonymous Slashdot comments!
Re:Here's an idea... (Score:4, Funny)
Actually, that could be done, however, the problem is that someone visiting slashdot with a browser, and posting on it, would be able to corrupt the data.
So we need a way to ensure that only the program can post, and nothing else.
Perhaps it can be done by storing the data in first posts: The program would be fast enough to put a post first, and if not, we know what 90% of the first posts will look like, so we can filter those out.
Re:Here's an idea... (Score:5, Funny)
Actually, it wouldn't be such a horrible idea*.
Just come up with an RSA keypair and store it on all your machines. Encrypt and sign all data you want to store "in the cloud", and find someone who will store it for you.
* Slashdot might object to this and delete your post. I recommend using Reed-Solomon coding (or some other error-correcting code) and storing your data redundantly on several sites.
You could also do mirrored RAIF (Redundant Array of Independent Forums), though it might be rife for puns. And RAIP, where P=Posts, would be ripe for them. (Someone's gonna RAIP my karma for that, but the puns and anagrams form such a FAIR PAIR...)
Re: (Score:2)
You've been waiting a LOOOONG time for that haven't you?
Re: (Score:2)
Made it up on the spot :)
Re:Here's an idea... (Score:5, Funny)
Safe huh? (Score:3, Funny)
Realistic? (Score:2)
scads of information
free, reliable, anonymous, and secure
Why do you assume there is such a thing? The only way I can think of is a distributed network, which as the summary says, runs into serious scaling issues.
Re: (Score:2, Insightful)
BitTorrent to the rescue?
Re:Realistic? (Score:4, Informative)
"Distributed hashing tables are a class of decentralized distributed systems that provide a lookup service similar to a hash table: (key, value) pairs are stored in the DHT, and any participating node can efficiently retrieve the value associated with a given key." [1] [wikipedia.org]
They should look at Bamboo DHT [bamboo-dht.org].
Re: (Score:2)
Bamboo and OpenDHT are the same.
Bamboo is the software/algorithm/protocol and OpenDHT is a specific deployment of it on the PlanetLab research network.
Re: (Score:1)
You rock and I suck!
Because there is always an answer (Score:2, Interesting)
Re: (Score:2)
Not only that, the storage wouldn't be an entire waste: it would be encrypted, so not directly accessible, but the part that is already stored on your pc could be retrieved locally, as they are actually already available.
Only problem is that in this case your sharing doesn't grow exponentially, like it does with bittorrent: every user would share 1 gb of information, regardless of whether they downloaded 20gb, or 10mb.
Re: (Score:2)
Adeona (Score:1)
First time I've heard of this software: it sounds interesting.
I'm curious about how it works: i.e. why the attacker wouldn't either disable the networking interfaces or re-install the software (depending on their intent), but I suppose it would be quite useful in the case of casual theft.
Surely it would be more useful for the service to send the location data directly to one of the owner's servers, rather than OpenDHT?
Re: (Score:1)
I'm curious about how it works: i.e. why the attacker wouldn't either disable the networking interfaces or re-install the software (depending on their intent), but I suppose it would be quite useful in the case of casual theft.
There is nothing to stop a thief from removing the software once they either have root access to your machine or have wiped the OS. If you need something that integrated, you might just have to put it in the BIOS or EFI or some kind of firmware. If I ever stole a laptop, I would surely keep it isolated from any networks until I had a chance to replace the OS.
Surely it would be more useful for the service to send the location data directly to one of the owner's servers, rather than OpenDHT?
That's the issue I've run into. I've been using Adeona for almost 6 months now. I've never been able to retrieve *any* pictures the software has suppos
Re:Adeona (Score:5, Interesting)
There are two types of thieves for laptops/small electronic devices.
One type (drug users, thieves with little technical knowledge, people who just want very quick cash) generally just try to pawn the device ASAP and get less than 10% of the retail value. The person who purchases the device from the pawn shop may or may not be that knowledgeable or have install disks to wipe the installed system.
The other type will try to maximize the money they get from the system. These people tend to be more technically knowledgeable and are more likely to wipe the computer and install a new system on it and then ebay or craigslist it, or they may even try to ransom it back to the original owner.
The devices stolen by those of the first type of thief generally will get booted up and plugged into the internet with tracking software intact and ready to report.
Now, it's not enough just to get a report, like an IP address and possibly a photo of the person using the device, because the police may not be interested in tracking down the device. Recently, I read a story about a stolen Mac with tracking software installed, where the owner went to the police with the info, and they were brushing him off except a member of their drug enforcement department happened to see the picture and recognized a drug dealer they were looking for, so they did track down the location and arrested the guy/returned the computer intact.
Re: (Score:1)
With a boot order of Hard-Drive first and a passworded BIOS, with boot-from-CD disabled, they won't easily be using install media to wipe the OS install.
Esp. on laptops that don't allow a password BIOS reset.
They'd literally have to pull the hard drive and use another system to format and install an OS on the drive.
This becomes even harder if ATA security was set up in the BIOS. The hard drive is a brick without it being plugged into THAT laptop or without knowing the ATA password to unlock the hard dr
Re: (Score:1)
All the bios passwords in the world won't prevent anything when the battery can just be pulled.
So the correction should read:
They'd literally have to pull the battery before doing anything they want with your system.
Re: (Score:1)
Except that most laptop BIOSes cannot be casually reset. To reset the BIOS password for those, you'll have to send them to the manufacturer.
So I think your brilliant plan for world domination won't work quite as you expect.
Re: (Score:1, Informative)
Wrong. I tried this on a newer model Dell laptop and it did clear the BIOS settings, all EXCEPT the password.
Laptop BIOS passwords are no longer stored in volatile storage, as far as I know. Clearing them probably requires reprogramming the chip on specialized hardware, or just replacing the whole BIOS chip itself.
Re: (Score:2)
Re: (Score:3, Informative)
Something similar happened to my friend last year in London. Some scumbags got a copy of the key to his apartment -- most likely during an apartment inspection with the real estate agent. They swiped all 4 laptops in the apartment plus a few hundred in cash, but strangely enough left a bunch of digital cameras etc untouched.
My friend had Adeona installed on his MBP and managed to get a couple of good webcam captures of a suspect and IP address, which he sent to the cops. The cops weren't interested in recov
Re: (Score:1)
I think it helps that if in addition to an IP, you have a built-in GPS transceiver, and you can track (literally) the precise location of the laptop, not just the network it's plugged into.
Re: (Score:2)
But how often do you have a laptop running with a clear view of the sky?
GPS and WiFi sniffing (Score:2)
You only need it once. Hmm. I'd need to replace my USB-charged Bluetooth GPS with one with solar recharging, and I haven't seen one where the computer could control whether the GPS is running. A GPS unit takes more power than a solar panel can supply, so the computer would have to turn on GPS briefly (mapping software would, of course, keep it on). Another possibility is to also do WiFi sniffing, and report all detected devices in
Re: (Score:1)
I would also suggest optionally transmitting a 'beacon' when connected to a WAP. Essentially a packet disguised as normal windows traffic, but meaningful to any other Adeona clients that might be connected to the same AP or on the same network.
The Adeona clients can report on (in their tracking info) beacons received, as well.
And any GPS info the owner of other Adeona clients chooses to publish.. essentially "cooperative assistance" to tracking.
Other laptop owners running Adeona might opt-in to ano
"Do any developers have ideas on where to put (Score:4, Funny)
scads of information in a free, reliable, anonymous, and secure manner?"
there's 4 criteria there. take away free, and you can get the other 3 criteria. leave in the word "free," and you can only have 1 of the other 3 criteria
Re: (Score:3, Insightful)
Re: (Score:2)
Exactly. But if you post cryptographically signed data to usenet it'll both be available quickly and will be stored forever (through google).
Or use TXT records in the dns to do the decentralized db part. Of course I'd suggest using a new tld for this but of course this sort of thing is blocked by the government and scientologists.
Either way it's easy to store cryptographically signed data in "archived public streams".
"Cryptographically signed" is the key though.
And yes I worked damn hard to get that pun in.
Re: (Score:2)
You could upload the information to Freenet.
Might be a little weak on the "reliable" criteria, though.
Re: (Score:3, Funny)
Re: (Score:2)
~.00001
I'm just surprised nobody has yet said "ask google to host it"...
The assumed fifth criterion is invisible (Score:1)
Legal. Leave that one off and the other four are easy. I'm sure there are far more highly scaled secure apps running in the top five botnets.
But I answered this above. I don't even know why they had to ask such an obvious question. Even legal it's a no brainer.
Re: (Score:1)
I'm curious: how do you propose to have "anonymous" without "free"?
Re: (Score:1)
NSA. I'm sure they'd do it. They would probably pay to get their hands on all that data.
Freenet? (Score:3, Informative)
Freenet [freenetproject.org] is an option that *might* meet your needs. Unfortunately, it won't work well unless you're willing to run a node a large fraction of the time (might be hard for a laptop). And that implies a nontrivial bandwidth and disk commitment.
Whether it's reliable enough is another matter. Data that isn't accessed at all will become unavailable after a week or three; shorter term than that, or for data that's accessed at least occasionally, reliability is quite good. Speed isn't exciting, but a few seconds (maybe 15-30 if you don't access at all, maybe a lot longer if it's almost but not quite completely gone) latency and a few kB/s should be plenty here.
On the plus side, it is Free, anonymous, and secure. Of course, all of Adeona switching to it might represent a rather larger load than it's ever seen before -- and would probably be disastrous if those nodes didn't have a decent uptime percentage.
I don't know what they were thinking... (Score:1, Interesting)
I always thought it was strange that Adeona worked on the back of an academic project to store its data. OpenDHT was actually pretty cool- I hadn't heard of it until I started reading how Adeona worked.
openDHT was a kind of anonymous, communal hard drive... seems someone could just modify OpenDHT to use FTP, WebDAV, or even CalDAV on their own web server to do the same basic thing. Since Adeona already encrypts everything on openDHT (which was the point-- anyone could grab the info anyway), so you could ba
Re: (Score:3, Informative)
Re: (Score:2)
Google Base [google.com] Free Database... specifically setup for storing this type of information (you'll definitely need to encrypt it). Not sure if the TOS restrict this type of usage though...
Re: (Score:1)
Adeona was an academic project. That makes using an academic project a little less surprising.
Over-reaching (Score:5, Interesting)
The reason for using OpenDHT, I think, was that Adeona didn't want it to be possible to trace users' movements using their system until the laptop was reported as stolen. Not that I am entirely clear on this. Perhaps the best thing to do for the time being would be to back off on the unbreakable-privacy goal until a reliable system arises, and use a database like the rest of us.
Yes, this is dangerous, in that it centralizes in one place the call-in data regarding some large number of laptops. And it makes it tempting for some government to subpoena the data, use it for eavesdropping, etc. So it should not be allowed to stand forever. But it seems kind of silly to just fold up tents until some reasonably blue-sky software meets production goals.
Bruce
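The privacy property discussed in the comment above (a storage back end that cannot follow a laptop's movements, with records only the owner can find and read after a theft), as an added sketch that is not Adeona's code and not from the thread. Assumptions: per-interval keys derived from an owner-held seed, a plain dict standing in for the public store, and an HMAC-SHA256 keystream standing in for a real AEAD cipher; all function names are hypothetical.

```python
import hashlib
import hmac
import json
import os

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def epoch_keys(seed: bytes, epoch: int):
    """Derive (index, enc, mac) keys for one reporting interval from the owner's seed."""
    ek = _prf(seed, b"epoch" + epoch.to_bytes(8, "big"))
    return _prf(ek, b"index"), _prf(ek, b"enc"), _prf(ek, b"mac")

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(seed: bytes, epoch: int, record: dict):
    """Return (storage_key, blob); the store sees only random-looking values."""
    index, enc, mac = epoch_keys(seed, epoch)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, json.dumps(record, sort_keys=True).encode())
    return index.hex(), nonce + ct + _prf(mac, nonce + ct)

def unseal(seed: bytes, epoch: int, blob: bytes) -> dict:
    _, enc, mac = epoch_keys(seed, epoch)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Verify before decrypting, so junk written by others is never parsed.
    if not hmac.compare_digest(tag, _prf(mac, nonce + ct)):
        raise ValueError("record failed authentication")
    return json.loads(_xor_stream(enc, nonce, ct))

def recover(seed: bytes, store: dict, first_epoch: int, last_epoch: int):
    """Owner side: recompute each epoch's storage key and keep records that verify."""
    found = []
    for epoch in range(first_epoch, last_epoch + 1):
        blob = store.get(epoch_keys(seed, epoch)[0].hex())
        if blob is None:
            continue
        try:
            found.append((epoch, unseal(seed, epoch, blob)))
        except ValueError:
            pass  # overwritten or forged entry: ignore it
    return found

def demo():
    seed = bytes(range(32))  # constructed secret; the owner keeps a copy off the laptop
    store = {}               # stands in for any public key/value store
    # Constructed sample reports (documentation IP ranges).
    reports = {100: {"ip": "192.0.2.10", "ssid": "cafe"},
               101: {"ip": "198.51.100.7", "ssid": "home"},
               102: {"ip": "203.0.113.5", "ssid": "unknown"}}
    for epoch, rec in reports.items():
        key, blob = seal(seed, epoch, rec)
        store[key] = blob
    # Someone with write access to the public store corrupts one entry.
    k = epoch_keys(seed, 101)[0].hex()
    store[k] = store[k][:-1] + bytes([store[k][-1] ^ 1])
    return store, recover(seed, store, 100, 102), recover(os.urandom(32), store, 100, 102)

if __name__ == "__main__":
    store, mine, stranger = demo()
    print(sorted(store))   # unrelated-looking hex keys
    print(mine)            # epochs 100 and 102 only; 101 fails verification
    print(stranger)        # a different seed finds nothing
```

Record length still leaks to the store, so a real client would pad reports to a fixed size.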
Re: (Score:2, Insightful)
They're not saying that they're folding up tents. Just that they are actively seeking contributions to help resolve this technical issue. Seems to me, a post on Slashdot is the perfect place to make this plea.
Re: (Score:1)
An open DHT is a highly valuable resource (Score:4, Interesting)
That's pragmatic advice to safeguard Adeona (I agree), but most of the responses here seem to have interpreted your advice to also mean dropping any interest in OpenDHT, because you called it "blue-sky"(which possibly suggests that "it's not gonna happen").
I think that a working Distributed Hash Table that is also scalable would be an immensely valuable resource to the community, and would end up underpinning many other projects besides Adeona. The legions of FOSS comprise not only coders but also many visionary designers and competent researchers as well, so I think we can do better than just leave OpenDHT to sink or swim without help.
How about fostering some more research-oriented work on OpenDHT (if the current design isn't a viable one) instead of abandoning it as the mood seems to be at the moment?
Re: (Score:3, Insightful)
OK, I should state clearly that OpenDHT's capability should not be abandoned.
But IMO it's sort of a big job to make this scale. It takes people with a pretty strong mathematical computer science background, and a lot of testing, and long-term support. Hopefully the right folks will step up (and don't look at me, I don't have the math).
Re:I don't have the math (Score:1)
This is going to sound like fangeek adoration because it is. You intuit better math than most of the math geeks I've ever known, and I've known a good number.
But... I disagree. We can do this if we try, and if you think about how to solve this problem the answer will become obvious to you.
Re: (Score:2)
This way lies madness (Score:1)
Break the unbreakable security commitment? NO!
Bruce, I respectfully disagree.
It would be wiser to accept 1-3 days latency from reported theft to recovery data. With that much lag and the requirement that the clients themselves store some redundant multiple of the data they send in encrypted format the problem becomes trivial.
Surrendering privacy or security is NEVER a valid option in a distributed application.
Re: (Score:2)
"symbolset" wrote:
Sure, if that's the cost. But you are assuming a 1-3 day fixed backlog length, rather than a forever increasing one. I'm not yet clear this is a justified assumption.
Re: (Score:1)
With 4-6 multiples per client of storage this is a good metric. With 10x and VI distribution it's safe at 5 9's. The backlog length and intelligence of distribution are implementation details. It's all about Recovery Time Objective and those metrics are well established. My post implied fixed backlog lengths, it's true, but that was for a different audience than you and that paradigm isn't required to solve this problem.
It's their client and they're well equipped to implement our discussion so we've do
Re: (Score:2)
wtf? Were you trying to win buzzword bingo? zomg, try again.
Yeah yeah yeah, I understood what you wrote, but now my brain hurts... time to go read the poll and let it recover...
Re: (Score:2)
Surrendering privacy or security is NEVER a valid option in a distributed application.
If you have more than one computer, have your stolen laptop talk to your home server via an encrypted channel. Then you get both.
Re: (Score:1)
Re: (Score:2)
>>Perhaps the best thing to do for the time being would be to back off on the unbreakable-privacy goal until a reliable system arises, and use a database like the rest of us.
Yeah, it seems to me that having heat-entropy-death-of-the-universe encryption on a frail system - that is apparently so dependent on a central server that even before it becomes well known by people on the internet it dies under the load - seems to be rather silly.
A system is no better than its weakest link, and having a distribu
Store it in DNS caches or NNTP posting(Eternity ne (Score:1, Interesting)
in the eternity network the data was stored in NNTP postings that were encrypted and posted via anonymous remailer.. other temp storage schemes have used DNS caches to great effect. DNS would get my vote plenty of built in caches and infrastructure
re adam back (eternity network)
You guys never give up, do you? (Score:1)
Simple Solution (Score:2)
Why does it have to be free? (Score:2)
The subject line pretty much says it all, but - why continue to expect something for nothing? Storage costs money, whether it's in one place or distributed. So does the bandwidth, no matter how small it is. So why not be willing to pay at least the cost of providing the service?
If you eliminate the demand that it be without cost, could you come up with a solution to the rest - reliable, anonymous, and secure?
Re: (Score:2, Insightful)
Let users specify a server of their own, and either FTP the data or send it to them with a HTTP post form.
HTTP post forms are perhaps the most reliable way to transfer data.
Other methods that involve different TCP/UDP ports, or custom protocols like RPC are prone to failure when firewalls on a foreign network block the traffic in the name of security.
It would be very difficult to accidentally block Adeona if its outbound traffic looked like ordinary web traffic and wasn't to a small list of servers (
Re: (Score:2)
Many companies change and are still well respective members of the software and, yes even the open source industries.
2 proposals (Score:1)
2) Use the c
You can't have both (Score:2)
Projects like this have to make a choice. It can scale hugely and be 99.9999 (nothing is 100) percent reliable, or it can be free. It can't be both, unless you have a really supportive multimillionaire as part of your project. It's a basic fact of life that large amounts of bandwidth and large amounts of storage cost real money.
This is, in my opinion, the basic stumbling block of free projects that require lots of resources of one form or another. I don't know that a serious study has actually been done,
Google AppEngine (Score:4, Interesting)
Google's AppEngine is massively distributed. Be sure to encrypt the information written there, and you'll be done.
Re: (Score:3, Informative)
Oh, and for people who don't see how they could encrypt the data from Google: PKI.
If nobody needs to be able to access the data excepted for one p
I'm not convinced about net-based tracking system (Score:2, Interesting)
The functionality depends upon the thief being unaware that information from the laptop is being transmitted somewhere and thus could give away information revealing the theft. If the thief knew about the client then they would of course find a way to disable it before attaching to a network.
With the current state of technology it's credible that a thief would steal the laptop, connect to the internet, then hopefully get caught. But what if laptops routinely had a GPS receiver onboard, and possibly also a G
Re: (Score:2)
But what if laptops routinely had a GPS receiver onboard
The tinfoil hat crowd would cry privacy invasion.
and possibly also a GSM/UMTS modem?
The cost of the laptop would increase, and we'd all have to buy monthly data packages from a cellular provider.
Re: (Score:1)
A bit of a digression but I don't know anyone who owns a laptop without a USB 3G data gadget to go with it. These are quite cheap to run with no contract required.
Available free in UK
http://www.3dongle4free.co.uk/ [3dongle4free.co.uk]
also everything you need to unlock it for use in other countries
http://rapidshare.com/files/235523732/ZTE2.rar.html [rapidshare.com]
Re:I'm not convinced about net-based tracking syst (Score:2)
It should be widely known by the dumbest thieves (at least in the UK) that stolen mobile phones don't work because their IMEI gets blacklisted as soon as they're reported stolen.
This doesn't appear to have reduced mobile phone thefts to zero.
Flud looks good for this... (Score:1)
http://www.flud.org [flud.org] ...but it seems to have been sleeping since March 2008. :(