Tarsnap advisory provides a few lessons
Posted Jan 21, 2011 7:22 UTC (Fri) by zooko
Parent article: Tarsnap advisory provides a few lessons
The author of the software and owner of the company, Colin Percival, posted to Twitter that he has had a sharp increase in new sign-ups since this news went out!
@cperciva Colin Percival
Tarsnap signups since I announced the CTR nonce missing-increment bug are 500% above normal. Crazy.
I think this is funny! But also it means something -- I'm not sure what.
I must say that as a contributor to Tahoe-LAFS -- an open source project that is vaguely competitive (but also, as is often the case, sort of not competitive) -- I'm a bit jealous. When we accidentally expose our users to security failures we don't get a flood of new users! Maybe our security advisories are not as well-written:
Also our security failures have never been this bad yet. I have committed one or two defects this bad to our source code over the last few years, but in each case our automated tests or my brilliant coding partners caught it before we published it in a new release.
Hm. http://www.tarsnap.com/ says he charges $0.30/GB-month. That's roughly three times what Amazon Web Services is charging him. This really makes me wonder if I could go into business doing this. I could use Tahoe-LAFS, charge the same rates that tarsnap charges, and my marketing pitch could be "charges the same as tarsnap, uses the same backend, has similar or better security properties, and is all Free/Open Source Software". Yeah, that would be fun! And then tarsnap and Tahoe-LAFS would be actually competitive.
Oh well -- I have too many other things going on right now. But somebody should consider this! Those look like healthy margins to me.
By the way, I have been following Colin Percival's work and writings on tarsnap since long before this incident and I respect the way he does security engineering and the way he deals forthrightly with customers. And I greatly appreciate that his entire business model is focussed on the use case that nobody, not even tarsnap itself, gets access to the user's files. It is too bad about this defect that violated that intention, but the fact that he is selling that and (apparently) prospering from it is great!