Anyone using/tried Filen.io?
Looks like a new cloud storage service, a child of the pandemic (founded 2020). Just found it today. Anyone using it for a while already?
10 GB free with unlimited bandwidth (need someone to take them up on this) and you can get more by referring others.
They have some lifetime offers too but I'd be skeptical about these (they might go away sooner than your roi).
Here is how a public shared link looks: https://filen.io/d/d1d22040-f345-423b-81dc-c7105d2fb146#!jnKpMivbKRfBpp0TmClcHM0eNcY5Oh0U
Not sure why they are putting their .exe inside a zip file for the desktop app for Windows but VT says clean https://www.virustotal.com/gui/url/5f9bdf8efccd46f0ba9fd4a3da4e0d79dda5bb993c40abb49d4b20683168785d?nocache=1
Not all folders sync on desktop app, only the Filen Sync folder, the Default folder won't sync anything to local install.
You can control how the sync goes (bi or either direction) which could be useful.
The desktop app should log in like we log in to Nextcloud, but I guess it's because of being a new service.
Now give me more storage by using my referral link (you get 10 more GBs as usual with these links): https://filen.io/r/146389f11f0e76cbc28ca267a34353a7 or plain link https://filen.io
Comments
Why do I feel like I've seen this website and graphics before, but somewhere else? Those graphics look very familiar.
Anyway, cool service I guess. I don't have a need for cloud based storage synced to my desktop but others might.
https://undraw.co/illustrations
Avoid cloud storage that offers lifetime plans.
As long as google is alive my foot will never step on any such platform
Thank you, I guess we got +10G each. Pretty clean UI, will serve my purpose.
You don't use Dropbox or Nextcloud or OneDrive or Mega or X with your Google Drive? Just one service?
Well yeah I'm not saying to actually use this to be the only place you put your stuff in it or put your stuff unencrypted (even though they say it is encrypted).
I have 30 GBs now. Thanks!
Koofr and pCloud are actually good though, even though they have lifetime plans.
Of course, don't use any cloud service for the sole storage of your files. I'm using both of those to store a second offsite copy of backups.
Looking through their JavaScript code, it seems pretty rushed / rough around the edges.
There's some very obvious security issues like XSS holes:
(trying to figure out if they even have a security contact)
Their JavaScript is using some pretty old libraries
There's a mix of older style and newer style JavaScript (some code uses var, some uses let; some code uses npm modules, other code uses Bower modules)
No bundler
They have .min.js scripts that aren't actually minified (like this thing with a bunch of global variables in it: https://filen.io/assets/js/app.min.js)
Their site has over 250 global variables and functions (not a good practice to have that much global state)
There's code that's clearly supposed to be debugging code on their production site, for example this retry code that ignores the maxRetries and instead tries 9007199254740991 times:
They have no custom 404 handler for .php files: https://filen.io/a.php
I wonder if their backend code is better, but given the immature state of their frontend code, they might not even be doing proper checksumming and bit rot protection on the server-side.
Unfortunately all their servers are routed through Cloudflare so I'm not sure who they're hosting with. Some of these types of file hosts just use a cluster of very large Hetzner storage boxes.
I'm actually wondering if it's some off-the-shelf software they've purchased, rather than something they've created themselves.
Google apps (Play Store) have such so-called cloud storage apps which offer 10 to 100 GB free storage and premium plans.
With a few exceptions like 4 or 5 popular services, the rest of them can wind up anytime by removing their app/closing the site, and all users' files will be gone. Can't find them legit for uploading serious files/docs to them. They're only good for storing timepass stuff that, if it gets deleted, is not much of a headache for the user.
And NO. Surely NO to any lifetime plans.
[email protected] seems the only email.
They should appreciate this feedback.
That would be disappointing. You took a look at their public code here? https://github.com/FilenCloudDienste
Would also be disappointing and it is somewhat in line with the use of old libraries (why use old libraries when you are building from scratch).
Their cryptographic choices (seemingly RSA-OAEP with SHA512 and AES-CBC) are not the worst I've seen, but also definitely nowhere near 'best practice'. They seem to be encrypting metadata directly using RSA, which is an absolute no-no. Their cryptography very clearly wasn't designed or implemented by an experienced cryptographer. I would not trust it.
Surprisingly, they seem to have one!
Doesn't seem like their backend is public.
It's also possible that the entire team are backend developers with very little JavaScript experience, and they're using a mixture of very old and newer code snippets as examples.
I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )
If you really think that is a major issue, try to ask him about it, maybe he has a reasoning for it etc. Or maybe he doesn't know better, and you could tell him, you know. I think just talking about it here and not contacting the Dev(s) is kinda pointless. Then nothing will get better or changed or explained.
greets zaq
Congrats on your first post. Are you affiliated with Filen?
That Discord invite doesn't work for me.
I contacted them via their ticketing system about the XSS issue I found, and they said that they do offer small security bounties for reporting vulnerabilities, so I'm going to take a closer look at some point. I've got some other ideas but need to verify them first.
Hmm weird. Try these: https://discord.gg/uwgM9jKg ; https://discord.gg/wWaUTxmK ; https://discord.gg/NGMGwUkw ; https://discord.gg/NGMGwUkw
No I am just a normal guy that is caring for open source and encryption and all that stuff. The Filen main Dev is a really good/nice guy. And I think this project has a bright future if he keeps being on the right track, I guess.
So, I just copied those invite links from their Discord server. Not sure how it works. I just followed some link some months ago, too. Worked for me back then.
Hope I could help somehow.
greets zaq
Edit:
Thanks!
I don't use Discord. And if I had to chase down every developer of every poorly-secured piece of software, I'd never eat or sleep again. Feel free to pass on my comments, though.
As far as I can tell, Filen is not actually open-source beyond the clients at all.
Shill post and shill defenders. The storage and developers might be awesome, but asking LE users to use Discord…. what is the real reason here?
Plenty of options available in the market, why care about one that appears broken? If I make one or two more posts here and log on to Facebook I might see the ad for Treasure offering 30 GB encrypted storage. 35 other SaaS options the last time I checked.
Fun ! From their FAQ
Oh yeah!!
And that's wrong in general. You assume that everybody knows everything and that everything should be perfect? That is not how the world works, honey...
Don't you make mistakes, do you know everything? Ofc not... and when (hint: WHEN not IF) you make mistakes or could do something better, wouldn't you want somebody that knows better to tell you? If not then you are just a self-centered ignorant fool, simple.
And you did check on mistakes made on a service and then post about it and brag about how you found something and talk shit about people you don't even know.
You already invested time to do that and your thought process was to invest that time for this instead of giving that information (and maybe also getting some money out of it) to the developer so that they can make a better product which would help others. What did you achieve the way you did invest your precious time?
Every asshat can shit-talk about anybody on forums. But when it comes to doing something good, it seems like self-entitled people have a broom up their ass. Just sad.
btw:
What kind of argument is that? Are you just here to troll or do you have a clue about anything? When your client has proper E2EE it doesn't matter what the server is or does. That is the whole point of E2EE actually.
Even if it were open source, how do you know it's exactly what is run on their infrastructure? You can't tell... so why does it matter? As I said, that's why using E2EE client-side is there in the first place. Wtf...
In case you wanna self host. So you are interested in open source and get your hands on self hostable source code from a project. So you wanna take stuff but not give back when finding bugs etc? Ok. Tells much about your character I guess.
Feel free to pass on my comment, though.
I didn't ask anybody to use twitter. I just gave a hint that they could contact the dev there if they couldn't contact them otherwise.
It was an option I gave, I didn't ask anybody to do anything. But as you can see, people here seem to be able to talk shit, but if somebody tells them to contact the dev they talk shit about, all that comes up are excuses why they won't do that. And how they don't care and whatnot (yeah, you care so much that you at least invest time to talk shit on forums about it instead of doing something good and productive).
Also about this forum here:
Bullshit like this statement here:
Shill post and shill defenders. Asking LE users to use discord…
shows me what kind of people are here. Aggressive, arrogant people, it SEEMS like. I didn't even do anything harmful or wrong, still people act like assholes because I fucking linked a Discord where somebody COULD ask the devs.
Yeah jesus, forgive me I asked a holy member of your holy forum to use a Discord link. I mean... wtf is wrong with such people? I get it, all you do is use open source software. I get it. Do you use emails? Yes? So....
I am outta here, I made myself a promise many years ago to not invest my time in these kinds of forums like this one here, with such people. Waste of time, toxic environment. Have a nice day.
Congratulations on your PMS.
Some prefer to use carrier pigeons.
Now Which of the two “Jan” mentioned on the filen site may you be?
The end is nigh.
What? I am not affiliated in any way with Filen... throw your paranoia and conspiracy theory somewhere else.
If I were someone from Filen I would tell you.... I can assure you. Btw. nice 2nd troll attempt, derailing everything and coming up with something else instead. Great job, did you learn that here on this particular forum or somewhere else?
You say you are out of here and 11 minutes later you come back.
Quite a short lived exit.
nice stealth edit. Miswording maybe. Fact of the matter is, almost everything is running better on Chromium/Blink nowadays. Nothing that is exclusive to this particular service.
Not quite, it is on the filen website. Posting a screenshot here since you seem to be readingly challenged. You are welcome to edit it, Jan - and then say I lied. Don't care.
So Jan, are you defending your and the developers' stand, or making allegations on me (stealth edit) or admitting to the way of the world?
And wtf is Blink?
Nope.
Good web developers know how to make a site that works cross-browser (they also know to not have 300 global variables). I really don't think a cloud hosting provider needs any brand new APIs that only work in Chrome, so there's no need for it.
Also, sometimes other browsers are better. For example, WebAssembly is still better in Firefox than Chrome (faster, with fewer issues).
I would be surprised if Jan comes back. He got some visibility, some backlinks, job done.
@zaq Unless you are paying me for my work, you are in no position to tell me where or how I am supposed to report issues.
I don't know why you seem to believe I have some kind of obligation to sign up for a proprietary service that I intentionally do not use, in order to report security issues for another proprietary service that doesn't seem to have bothered hiring a cryptographer, and all of this for free.
I'm posting my review comments here primarily for the benefit of those looking at this thread and wondering whether it's a trustworthy service (it's not). The developers are free to use this feedback to improve their thing, but the job of actually doing so is theirs, not mine.