Anyone using/tried Filen.io?

Looks like a new cloud storage service, a child of the pandemic (founded 2020). Just found it today. Anyone using it for a while already?

10 GBs free with unlimited bandwidth (need someone to take them up on this :)) and can get more by referring others.

They have some lifetime offers too but I'd be skeptical about these (they might go away sooner than your roi).

Here is what a public shared link looks like: https://filen.io/d/d1d22040-f345-423b-81dc-c7105d2fb146#!jnKpMivbKRfBpp0TmClcHM0eNcY5Oh0U

Not sure why they are putting their .exe inside a zip file for the desktop app for Windows but VT says clean https://www.virustotal.com/gui/url/5f9bdf8efccd46f0ba9fd4a3da4e0d79dda5bb993c40abb49d4b20683168785d?nocache=1

Not all folders sync on desktop app, only the Filen Sync folder, the Default folder won't sync anything to local install.

You can control how the sync goes (bi or either direction) which could be useful.

The desktop app should login like we login to Nextcloud but I guess it's because of being a new service.

Now give me more storage by using my referral link (you get 10 more GBs as usual with these links): https://filen.io/r/146389f11f0e76cbc28ca267a34353a7 or plain link https://filen.io

Thanked by 1NobodyInteresting

Comments

  • MannDude Host Rep, Veteran
    edited October 2021

    Why do I feel like I've seen this website and graphics before, but somewhere else? Those graphics look very familiar.

    Anyway, cool service I guess. I don't have a need for cloud based storage synced to my desktop but others might.

  • @MannDude said: Why do I feel like I've seen this website and graphics before, but somewhere else? Those graphics look very familiar.

    https://undraw.co/illustrations

    Thanked by 1o_be_one
  • Avoid cloud storage that offers lifetime plans.

    Thanked by 2Erisa dystopia
  • Ght Member

    As long as google is alive my foot will never step on any such platform

  • @Kassem said:

    Now give me more storage by using my referral link (you get 10 more GBs as usual with these links): https://filen.io/r/146389f11f0e76cbc28ca267a34353a7 or plain link https://filen.io

    Thank you, I guess we got +10G each. Pretty clean UI, will serve my purpose.

  • @Ght said: As long as google is alive my foot will never step on any such platform

    You don't use Dropbox or Nextcloud or OneDrive or Mega or X with your Google Drive? Just one service?

    @srvjap said: Avoid cloud storage that offers lifetime plans.

    Well yeah I'm not saying to actually use this to be the only place you put your stuff in it or put your stuff unencrypted (even though they say it is encrypted).

    @mikei said: Thank you, I guess we got +10G each. Pretty clean UI, will serve my purpose.

    I have 30 GBs now. Thanks!

  • @srvjap said:
    Avoid cloud storage that offers lifetime plans.

    Koofr and pCloud are actually good though, even though they have lifetime plans.

    Of course, don't use any cloud service for the sole storage of your files. I'm using both of those to store a second offsite copy of backups.

    Thanked by 2mrTom o_be_one
  • Daniel15 Veteran
    edited October 2021

    Looking through their JavaScript code, it seems pretty rushed / rough around the edges.

    There's some very obvious security issues like XSS holes:

    (trying to figure out if they even have a security contact)

    Their JavaScript is using some pretty old libraries
    There's a mix of older style and newer style JavaScript (some code uses var, some uses let; some code uses npm modules, other code uses Bower modules)
    No bundler
    They have .min.js scripts that aren't actually minified (like this thing with a bunch of global variables in it: https://filen.io/assets/js/app.min.js)
    Their site has over 250 global variables and functions (not a good practice to have that much global state)
    There's code that's clearly supposed to be debugging code on their production site, for example this retry code that ignores the maxRetries and instead tries 9007199254740991 times:

    They have no custom 404 handler for .php files: https://filen.io/a.php

    I wonder if their backend code is better, but given the immature state of their frontend code, they might not even be doing proper checksumming and bit rot protection on the server-side.

    Unfortunately all their servers are routed through Cloudflare so I'm not sure where they're hosting with - Some of these types of file hosts just use a cluster of very large Hetzner storage boxes.

    I'm actually wondering if it's some off-the-shelf software they've purchased, rather than something they've created themselves.

  • JasonM Member
    edited October 2021

    Google apps (Play Store) have such so-called cloud storage apps which offer 10 to 100 GB free storage and premium plans.

    With few exceptions, like 4 or 5 popular services, the rest of them can wind up anytime by removing their app/closing their site, and all users' files will be gone. Can't find them legit for uploading serious files/docs to them. They're only good for storing timepass stuff that, if it gets deleted, is not much headache for the user.

    and NO. surely NO to any lifetime plans.

    Thanked by 1Alireza
  • @Daniel15 said: (trying to figure out if they even have a security contact)

    [email protected] seems the only email.

    They should appreciate this feedback.

    @Daniel15 said: I wonder if their backend code is better, but given the immature state of their frontend code, they might not even be doing proper checksumming and bit rot protection on the server-side.

    That would be disappointing. You took a look at their public code here? https://github.com/FilenCloudDienste

    @Daniel15 said: I'm actually wondering if it's some off-the-shelf software they've purchased, rather than something they've created themselves.

    Would also be disappointing and it is somewhat in line with the use of old libraries (why use old libraries when you are building from scratch).

  • joepie91 Member, Patron Provider

    Their cryptographic choices (seemingly RSA-OAEP with SHA512 and AES-CBC) are not the worst I've seen, but also definitely nowhere near 'best practice'. They seem to be encrypting metadata directly using RSA, which is an absolute no-no. Their cryptography very clearly wasn't designed or implemented by an experienced cryptographer. I would not trust it.

    @Daniel15 said: (trying to figure out if they even have a security contact)

    Surprisingly, they seem to have one!

    @Kassem said: You took a look at their public code here? https://github.com/FilenCloudDienste

    Doesn't seem like their backend is public.

    Thanked by 2Kassem o_be_one
  • @Kassem said: Would also be disappointing and it is somewhat in line with the use of old libraries (why use old libraries when you are building from scratch).

    It's also possible that the entire team are backend developers with very little JavaScript experience, and they're using a mixture of very old and newer code snippets as examples.

  • zaq Member

    @joepie91 said:
    Their cryptographic choices (seemingly RSA-OAEP with SHA512 and AES-CBC) are not the worst I've seen, but also definitely nowhere near 'best practice'. They seem to be encrypting metadata directly using RSA, which is an absolute no-no. Their cryptography very clearly wasn't designed or implemented by an experienced cryptographer. I would not trust it.

    @Daniel15 said: (trying to figure out if they even have a security contact)

    Surprisingly, they seem to have one!

    @Kassem said: You took a look at their public code here? https://github.com/FilenCloudDienste

    Doesn't seem like their backend is public.

    I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )

    If you really think that is a major issue, try to ask him about it, maybe he has a reasoning for it etc. Or maybe he doesn't know better, and you could tell him, you know. I think just talking about it here and not contacting the Dev(s) is kinda pointless. Then nothing will get better or changed or explained.

    greets zaq

    Thanked by 1mrTom
  • zaq Member

    @Daniel15 said:
    Looking through their JavaScript code, it seems pretty rushed / rough around the edges.

    There's some very obvious security issues like XSS holes:

    (trying to figure out if they even have a security contact)

    Their JavaScript is using some pretty old libraries
    There's a mix of older style and newer style JavaScript (some code uses var, some uses let; some code uses npm modules, other code uses Bower modules)
    No bundler
    They have .min.js scripts that aren't actually minified (like this thing with a bunch of global variables in it: https://filen.io/assets/js/app.min.js)
    Their site has over 250 global variables and functions (not a good practice to have that much global state)
    There's code that's clearly supposed to be debugging code on their production site, for example this retry code that ignores the maxRetries and instead tries 9007199254740991 times:

    They have no custom 404 handler for .php files: https://filen.io/a.php

    I wonder if their backend code is better, but given the immature state of their frontend code, they might not even be doing proper checksumming and bit rot protection on the server-side.

    Unfortunately all their servers are routed through Cloudflare so I'm not sure where they're hosting with - Some of these types of file hosts just use a cluster of very large Hetzner storage boxes.

    I'm actually wondering if it's some off-the-shelf software they've purchased, rather than something they've created themselves.

    I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )

    If you really think that is a major issue, try to ask him about it, maybe he has a reasoning for it etc. Or maybe he doesn't know better, and you could tell him, you know. I think just talking about it here and not contacting the Dev(s) is kinda pointless. Then nothing will get better or changed or explained.

    greets zaq

  • Daniel15 Veteran
    edited October 2021

    @zaq said: I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )

    Congrats on your first post. Are you affiliated with Filen?

    That Discord invite doesn't work for me.

    I contacted them via their ticketing system about the XSS issue I found, and they said that they do offer small security bounties for reporting vulnerabilities, so I'm going to take a closer look at some point. I've got some other ideas but need to verify them first. :)

    Thanked by 1o_be_one
  • zaq Member
    edited October 2021

    @Daniel15 said:

    @zaq said: I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )

    Congrats on your first post. Are you affiliated with Filen?

    That Discord invite doesn't work for me.

    Hmm weird. Try these: https://discord.gg/uwgM9jKg ; https://discord.gg/wWaUTxmK ; https://discord.gg/NGMGwUkw ; https://discord.gg/NGMGwUkw

    No I am just a normal guy that is caring for open source and encryption and all that stuff. The Filen main Dev is a really good/nice guy. And I think this project has a bright future if he keeps being on the right track, I guess.

    So, I just copied those invite links from their Discord server. Not sure how it works. I just followed some link some months ago, too. Worked for me back then.

    Hope I could help somehow.

    greets zaq

    Edit:

    Congrats on your first post.

    Thanks!

  • joepie91 Member, Patron Provider
    edited October 2021

    @zaq said: I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )

    I don't use Discord. And if I had to chase down every developer of every poorly-secured piece of software, I'd never eat or sleep again. Feel free to pass on my comments, though.

    @zaq said: No I am just a normal guy that is caring for open source and encryption and all that stuff.

    As far as I can tell, Filen is not actually open-source beyond the clients at all.

    Thanked by 1dystopia
  • vyas11 Member
    edited October 2021

    Shill post and shill defenders. The storage and developers might be awesome, but Asking LE users to use discord…. what is the real reason here?

    Plenty of options available in the market, why care about one that appears broken? If I make one or two more posts here and log on to Facebook I might see the ad for Treasure offering 30 gb encrypted storage. 35 other saas options the last time I checked .

    Fun ! From their FAQ

    The best browser to use for Filen currently is Chrome.

    Oh yeah!!

    Thanked by 1dystopia
  • zaq Member
    edited October 2021

    @joepie91 said:

    @zaq said: I mean, you could just contact the main dev on discord ( https://discord.gg/9AFWqX6b )

    I don't use Discord. And if I had to chase down every developer of every poorly-secured piece of software, I'd never eat or sleep again. Feel free to pass on my comments, though.

    @zaq said: No I am just a normal guy that is caring for open source and encryption and all that stuff.

    As far as I can tell, Filen is not actually open-source beyond the clients at all.

    And that's wrong in general. You assume that everybody knows everything and that everything should be perfect? That is not how the world works honey...

    Don't you make mistakes, do you know everything? Ofc not... and when (hint: WHEN not IF) you make mistakes or could do something better, wouldn't you want somebody that knows it better to tell you? If not then you are just a self-centered ignorant fool, simple.

    And you did check on mistakes made on a service and then post about it and brag about how you found something and talk shit about people you don't even know.

    You already invested time to do that and your thought process was to invest that time for this instead of giving that information (and maybe also get some money out of it) to the developer so that they can make a better product which would help others. What did you achieve the way you did invest your precious time?

    Every asshat can shit talk about anybody on forums. But when it comes to do something good, it seems like self entitled people have a broom up their ass. Just sad.

    btw:

    As far as I can tell, Filen is not actually open-source beyond the clients at all.

    What kind of argument is that? Are you just here to troll or do you have a clue about anything? When your client has proper E2EE it doesn't matter what the server is or does. That is the whole point of E2EE actually.

    Even if it were open source, how do you know it's exactly that what is run on their infrastructure? You can't tell... so why does it matter? As I said, that's why using E2EE client side is there in the first place. Wtf...

    In case you wanna self host. So you are interested in open source and get your hands on self hostable source code from a project. So you wanna take stuff but not give back when finding bugs etc? Ok. Tells much about your character I guess.
    Feel free to pass on my comment, though.

  • zaq Member

    @vyas11 said:
    Shill post and shill defenders. The storage and developers might be awesome, but Asking LE users to use discord…. what is the real reason here?

    Plenty of options available in the market, why care about one that appears broken? If I make one or two more posts here and log on to Facebook I might see the ad for Treasure offering 30 gb encrypted storage. 35 other saas options the last time I checked .

    Fun ! From their FAQ

    The best browser to use for Filen currently is Chrome.

    Oh yeah!!

    I didn't ask anybody to use twitter. I just gave a hint that they could contact the dev there if they couldn't contact them otherwise.

    It was an option I gave, I didn't ask anybody to do anything. But as you can see, people here seem to can talk shit but if somebody tells them to contact the dev they talk shit about, all that comes up are excuses why they won't do that. And how they don't care and whatnot (yeh you care so much to at least invest time to talk shit on forums about it instead of doing something good and productive).

    Also about this forum here:

    Bullshit like this statement here:
    Shill post and shill defenders. Asking LE users to use discord…

    shows me what kind of people are here. Aggressive arrogant people it SEEMS like. I didn't even do anything harmful or wrong, still people act like assholes because I fucking linked a discord where somebody COULD ask the devs.

    Yeh jesus, forgive me I asked a holy member of your holy forum to use a discord link. I mean... wtf is wrong with such people? I get it, all you do is using open source software. I get it. Do you use emails? Yes? So....

  • zaq Member

    I am outta here, I made myself a promise many years ago to not invest my time on these kind of forums like this one here, with such people. Waste of time, toxic environment. Have a nice day.

  • vyas11 Member
    edited October 2021

    @zaq said:

    @vyas11 said:
    Shill post and shill defenders. The storage and developers might be awesome, but Asking LE users to use discord…. what is the real reason here?

    Plenty of options available in the market, why care about one that appears broken? If I make one or two more posts here and log on to Facebook I might see the ad for Treasure offering 30 gb encrypted storage. 35 other saas options the last time I checked .

    Fun ! From their FAQ

    The best browser to use for Filen currently is Chrome.

    Oh yeah!!

    I didn't ask anybody to use twitter. I just gave a hint that they could contact the dev there if they couldn't contact them otherwise.

    It was an option I gave, I didn't ask anybody to do anything. But as you can see, people here seem to can talk shit but if somebody tells them to contact the dev they talk shit about, all that comes up are excuses why they won't do that. And how they don't care and whatnot (yeh you care so much to at least invest time to talk shit on forums about it instead of doing something good and productive).

    Also about this forum here:

    Bullshit like this statement here:
    Shill post and shill defenders. Asking LE users to use discord…

    shows me what kind of people are here. Aggressive arrogant people it SEEMS like. I didn't even do anything harmful or wrong, still people act like assholes because I fucking linked a discord where somebody COULD ask the devs.

    Yeh jesus, forgive me I asked a holy member of your holy forum to use a discord link. I mean... wtf is wrong with such people? I get it, all you do is using open source software. I get it. Do you use emails? Yes? So....

    Congratulations on your PMS.

    Do you use emails? Yes?

    Some prefer to use carrier pigeons.

    Now Which of the two “Jan” mentioned on the filen site may you be?

    Thanked by 2dystopia o_be_one
  • deank Member, Troll

    The end is nigh.

  • zaq Member

    @vyas11 said:

    @zaq said:

    @vyas11 said:
    Shill post and shill defenders. The storage and developers might be awesome, but Asking LE users to use discord…. what is the real reason here?

    Plenty of options available in the market, why care about one that appears broken? If I make one or two more posts here and log on to Facebook I might see the ad for Treasure offering 30 gb encrypted storage. 35 other saas options the last time I checked .

    Fun ! From their FAQ

    The best browser to use for Filen currently is Chrome.

    Oh yeah!!

    I didn't ask anybody to use twitter. I just gave a hint that they could contact the dev there if they couldn't contact them otherwise.

    It was an option I gave, I didn't ask anybody to do anything. But as you can see, people here seem to can talk shit but if somebody tells them to contact the dev they talk shit about, all that comes up are excuses why they won't do that. And how they don't care and whatnot (yeh you care so much to at least invest time to talk shit on forums about it instead of doing something good and productive).

    Also about this forum here:

    Bullshit like this statement here:
    Shill post and shill defenders. Asking LE users to use discord…

    shows me what kind of people are here. Aggressive arrogant people it SEEMS like. I didn't even do anything harmful or wrong, still people act like assholes because I fucking linked a discord where somebody COULD ask the devs.

    Yeh jesus, forgive me I asked a holy member of your holy forum to use a discord link. I mean... wtf is wrong with such people? I get it, all you do is using open source software. I get it. Do you use emails? Yes? So....

    Congratulations on your PMS.

    Do you use emails? Yes?

    Some prefer to use carrier pigeons.

    Now Which of the two “Jan” mentioned on the filen site may you be?

    What? I am not affiliated in any way with Filen... throw your paranoia and conspiracy theory somewhere else.

    If I were someone of Filen I would tell you.... I can assure you. Btw. nice 2nd troll attempt derailing everything and coming up with something else instead. Great job, did you learn that here on this particular forum or somewhere else?

  • vyas11 Member
    edited October 2021

    You say you are out of here and 11 minutes later you come back.
    Quite a short lived exit.

  • zaq Member

    @vyas11 said:
    Shill post and shill defenders. The storage and developers might be awesome, but Asking LE users to use discord…. what is the real reason here?

    Plenty of options available in the market, why care about one that appears broken? If I make one or two more posts here and log on to Facebook I might see the ad for Treasure offering 30 gb encrypted storage. 35 other saas options the last time I checked .

    Fun ! From their FAQ

    The best browser to use for Filen currently is Chrome.

    Oh yeah!!

    nice stealth edit. Miswording maybe. Fact of the matter is, almost everything is running better on Chromium/Blink nowadays. Nothing that is exclusive to this particular service.

  • vyas11 Member
    edited October 2021

    @zaq said:

    nice stealth edit.

    Not quite, it is on the filen website. Posting a screenshot here since you seem to be readingly challenged. You are welcome to edit it, Jan - and then say I lied. Don't care.
    [screenshot: filen-faq]

    Miswording maybe. Fact of the matter is, almost everything is running better on Chromium/Blink nowadays. Nothing that is exclusive to this particular service.

    So Jan, are you defending your and the developers' stand, or making allegations on me (stealth edit) or admitting to the way of the world?

    almost everything is running better on Chromium/Blink nowadays

    And wtf is Blink?

  • Daniel15 Veteran
    edited October 2021

    @zaq said: Fact of the matter is, almost everything is running better on Chromium/Blink nowadays. Nothing that is exclusive to this particular service

    Nope.

    Good web developers know how to make a site that works cross-browser (they also know to not have 300 global variables). I really don't think a cloud hosting provider needs any brand new APIs that only work in Chrome, so there's no need for it.

    Also, sometimes other browsers are better. For example, WebAssembly is still better in Firefox than Chrome (faster, with fewer issues).

  • I would be surprised if Jan comes back. He got some visibility, some backlinks, job done.

  • joepie91 Member, Patron Provider

    @zaq Unless you are paying me for my work, you are in no position to tell me where or how I am supposed to report issues.

    I don't know why you seem to believe I have some kind of obligation to sign up for a proprietary service that I intentionally do not use, in order to report security issues for another proprietary service that doesn't seem to have bothered hiring a cryptographer, and all of this for free.

    I'm posting my review comments here primarily for the benefit of those looking at this thread and wondering whether it's a trustworthy service (it's not). The developers are free to use this feedback to improve their thing, but the job of actually doing so is theirs, not mine.

    Thanked by 2o_be_one _MS_