Lima, crowdfunded multi-device storage management:
When we designed Lima, privacy was one of our main concerns.
Lima stores your files at Home. So you can be sure you own your storage. Nobody in the world can access your data, but you. And you don’t need to pay monthly fees for that. The storage technology inside Lima was designed so you can get your data back anytime, even if your Lima device is broken.
The security of your Lima device is our first priority. Like a private datacenter, your Lima is far more difficult to hack than your computer. Our team works continuously with security experts to make sure it remains so. Like high security servers, your Lima will be frequently updated with security patches to keep it unaccessible from badly intentioned governments and individuals.
Comment from backer Suraj:
This looks like very great idea. I am definately a backer. I would like to know if there is any plan to open source the code (may be some kind of stretch goal) ? Whatever described as Tech FAQ’s looks great. But without open sourcing how one could be assured that there are no backdoors in the software. This is not matter of trust but it would be great if community can review the code and find out any security risks.
That’s a friendly way to ask, but it is a matter of trust: verify instead. Commenter Markus:
Suraj, you are absolutely right. If I would be the NSA I would also create a kickstarter project and try to convince everybody that this project is the perfect anti-PRISM-tool and implement lots of backdoors and route traffic directly to the NSA. So, open source software is basically a must. But I don’t think that they can afford to make the SW open source because then you could use basically any similar device and don’t have to buy plug.
The fundee responds:
@Suraj: Markus nailed it. We are too fragile as a startup to open source our code, at least now. All the innovation in Plug is software based. However, you’ll still be able to analyze Plug in/out traffic: that’s also a good way to make sure we don’t do bad things with your data.
That’s a stunning answer. Given that this device is managing your local files with remote-updated, non-auditable software, the attack surface is huge. Now remote update of non-auditable software is commonplace, but most purveyors of such don’t market themselves as anti-PRISM solutions, like this image on the fundee’s page:
Contrast with a recent announcement from Least Authority:
We don’t even handle the source code of the client! We tell you to go download that from Debian, Ubuntu, or https://Tahoe-LAFS.org.
We can never see your data, and you can always see our code.
Least Authority’s storage product is very different from Lima’s; but the above is excerpt ought be applicable to both as privacy-protecting products.
Of course open source is no panacea for NSA compromise or any other security threat, rather a good practice that should be demanded for anything related to security.
Apologies for the long prelude about something I’m unqualified to speculate about (security), comments about which were the first thing when I went looking for discussion of the fundee’s other answer about open source, which is also not very credible:
The only thing we manage on our side of the equations are updates of our app and the web interface of Lima. In case of company crash, we’ll do our best to open source at least the most critical parts of our code, so the community continues improving the solution every night.
Cheap talk if there ever was.
But I don’t blame the fundee, the company behind Lima; they are responding to what they see as business conditions, including lack of demand for software freedom (or open source, however you wish to characterize it) as a product feature that will change funding/purchase decisions.
Similarly, it is a bit odd, and a bit of trivia, that today’s crowdfunding services are in part descendants of ideas focused on provisioning works without copyrestrictions, but it seems that with minor exceptions, if a project produces works that are both transparent (eg revealed source or design files) and not legally restricted, it is merely a happy coincidence. Again, I don’t blame the platforms or the fundees. I (perhaps with some hubris) assign blame to people who want there to be demand for freedom for failing to stoke it, and failing to organize what exists.
Concentrated funders are very slowly making and coordinating their demands of fundees, eg Open Access mandates. How can crowdfunders/democratic patrons make analogous progress?