[Box Backup] Latest Boxi Win32 binary available for download

Peter Jalajas, GigaLock Backup Services boxbackup at boxbackup.org
Mon Aug 3 22:43:59 BST 2009


Hi Achim,
You understood me perfectly!  Thank you!  (This could easily have gotten
misunderstood!).

Re you putting in a backdoor, yes, that will always be an issue with any
software from anywhere, but I hope the human web of trust (not the digital
key signings) makes that a very, very expensive option for you. :^)

Whatever is free, easy and portable for you to sign any binaries would be
great.  See what Chris has been doing with his.

Hmm, yes, maybe I should think about building my own binaries--are the tools
and instructions freely available out there?

Thanks again for all your hard work, Achim!
Pete

On Mon, Aug 3, 2009 at 5:21 PM, Achim <achim+box at qustodium.net> wrote:

> Hello Peter:
>
> On Mon, 3 Aug 2009 15:12:26 -0400, "Peter Jalajas, GigaLock Backup
> Services"
> <pjalajas at gigalock.com> wrote:
> > Thank you so much for your time, effort, and talent in working with
> > Chris on Box Backup and Boxi!  I think I speak for many users that we
> > truly appreciate your efforts.
>
> Thanks. Box Backup and Boxi are certainly "unsung heroes", and pushing Boxi
> a bit further might lead to a whole new class of user interest!
>
> > I've worked with Chris on Box Backup for years and have developed a
> > trust in his Windows binaries.   But since you're so new to the
> > project, I need to figure out a way to quickly gain that trust in
> > _your_ binaries.  Sorry, no disrespect intended, of course,  and I
> > have absolutely no reason to _not_ trust you, but I'm just being
> > paranoid with respect to my customers' data.  I hope you understand.
>
> I absolutely understand. For our clients at Qustodium, I would expect
> nothing less. Together with Andy Grove (ex-Intel CEO) we are in good
> company: "Only the paranoid survive".
>
> > I'm thinking something along the line of building something like a
> > GnuPG web-of-trust around you, and then having you digitally sign your
> > releases in some way.  Does that make sense?  Overkill?  Suggestions
> > welcome!   Let's start with LinkedIn--is this you?:
> > http://www.linkedin.com/pub/achim-j-latz/0/209/828
>
> Yep, thanks for the public service announcement: c'est moi.
>
> About the GnuPG web of trust: I understand what you are saying, and I
> already have some public GPG keys floating around somewhere. However, I
> think technology can barely solve this trust issue.
>
> Imagine the following scenario: I build the latest Boxi v1.0 (can't be too
> long away, right? ;) as a public service. I then sign the resulting binary
> either directly or sign the resulting MD5 or whatever secure hash function
> you would like. One problem remains: how do you know that I did not add a
> backdoor into Boxi or Box Backup?
>
> You can certainly establish that I am the source of the build, but you
> still would have to find the backdoor.
>
> On the other hand, the process I outlined for building Boxi is pretty
> straightforward (not to say: "Copy & Paste"), so building your own binaries
> is perhaps the ideal solution to this trust issue?
>
> Let me know what you think: I am happy to sign the binaries, if that is
> what is needed for a bigger Boxi audience.
>
> Best regards, Achim
> _______________________________________________
> boxbackup mailing list
> boxbackup at boxbackup.org
> http://lists.warhead.org.uk/mailman/listinfo/boxbackup
>
