Cloud Security

The Cloud Computing Doghouse: Nirvanix (aka Streamload aka MediaMax aka The Linkup)

Although Dell have been denied the ill-fated cloud computing trademark (that’s lowercase please. hold the ™) and moved on to more interesting things, they’re yet to concede defeat and withdraw their application. Even though the double decker bus has disappeared from the moon, that leaves us with 6 months of uncertainty before USPTO consider it abandoned, during which time they can appeal the decision. Although it is generally accepted that they would have a snowball’s chance in hell of succeeding, I would have preferred they take it out the back and put it out of its misery, and they can stay in the doghouse until they do (or it expires).

On the other hand there’s a backlog of crass acts of stupidity in the cloud computing space so they’re going to have so shove over and make room in the doghouse for someone (or something) new; the inaugurating member can’t monopolise it forever. And who better than a ‘new’ company associated with “the meltdown of an online storage service that will leave about 20,000 paying subscribers without their digital music, video, and photo files”: Nirvanix.

First and foremost (given they have apparently threatened to sue one of their own founders) this is an opinion piece based on what little information I have been able to scratch together from various online sources – draw your own conclusions and do your own research before you rely on anything here. It is more a commentary on one of the inherent but easily mitigated risks of cloud computing – unreliable providers – than on Nirvanix itself.

Let’s start with some background and basic maths:

Today you can buy a terabyte (1Tb) hard drive with a 5 year (60 month) warranty for $150 retail single unit quantities. Meanwhile the going rate for cloud storage is about $0.15/Gb/month. Ignoring complications like formatting losses, servers (which are cheap and can host many drives), bandwidth, etc., simply by wiring these up to the cloud one could get a return on investment in a month ($0.15 x 1000Gb/m = $150) and over the life of the $150 drive you can make a whopping $9,000.

Admittedly a gross simplification, but to remote users looking down relatively narrow pipes it can be very difficult to tell the difference between a cheap desktop hard drive and an expensive enterprise SAN (that run at about $20/Gb/year, over an order of magnitude more expensive than cloud storage). At least it is until the thing loses their precious 1’s and 0’s, in which case you hope it was run (or at least backed) by a large storage vendor from redundant datacenters rather than a long haired 16 year old from his basement. Herein lies the problem; presumably Nirvanix/Streamload/MediaMax/The Linkup (or whatever they’re calling themselves today) fall somewhere between the two extremes (hopefully the former rather than the latter), but it’s hard to tell where.

If the various articles (especially this one) are to be believed, the whole sorry saga goes something like this:

  • Steve Iverson (a uni student at the time) develops “adaptive data compression algorithms” for his thesis in 1998
  • Shortly after graduation he founded Streamload to “easily and securely send, store, move, receive and access their digital files
  • By 2005 Streamload was hosting about half a petabyte (425Tb) of data for “well over 20,000 users
  • Streamload was rebadged (after receiving some investment) to Streamload MediaMax™ (as distinct from MediaMax, Inc. which did not exist at the time) on the DEMOfall 05 stage as “a suite of ultra-high capacity online services that helps you manage, share, and access all the files and digital media in your life.
  • However by December 2006 it was losing money and Patrick Harr (current Nirvanix CEO) replaced Steve (with his blessing) as CEO and Steve became CTO. After 60 days assessment the new CEO “advocated letting it ‘gracefully die’ and creating a new company selling ‘cloud’ storage to paying enterprise customers“.
  • Disaster struck on June 15 2007 when “a Streamload system administrator’s script accidently misidentified and deleted ‘good data’ along with the ‘dead data’ of some 3.5 million former user accounts and files
  • Two weeks later Streamload’s board of directors pressed on with Harr’s strategy and “split the company into two independent businesses. Streamload changed its name to Nirvanix. It kept many of the former company’s physical assets [including all the servers and data] and employees, and secured $12$18 million in initial venture funding.
  • Meanwhile “The MediaMax consumer product and its disgruntled customers went to Iverson as CEO of a ‘new’ business” along with “only about $500,000 in working capital” while Nirvanix managed to scratch together a cool $18m from the likes of Intel.
  • After a botched upgrade to MediaMax v5 (which by Steve’s own admission introduced a bunch of features users didn’t want) they changed their name again to The Linkup which was marketed as “a social networking site based around storage“, only to also botch the migration to 20% more expensive (at $5.95/$11.95 per month) paid-only services.
  • Users of the free service were given three weeks (which was extended due to problems with the ‘mover’ script) to upgrade or permanently lose their data. Curiously the data was the whole time stored on Nirvanix servers and was being migrated to their new enterprise Storage Delivery Network.
  • Late July Nirvanix Clarifies False Information in Blogosphere in a blog post buried in their developer site.
  • MediaMax/The Linkup closed its doors on 8/8/08, having given users 30 days notice to retrieve their (remaining) data.

As at today the various angry masses are waiting for Nirvanix to give them access to (what remains, apparently about half of) their data, which Nirvanix assures us “remain[s] secure in the old Streamload/MediaMax storage system” (although it is not clear whether the files migrated to The Linkup were not deleted 8 days after the 8/8/8 closure). They also claim “access to those files requires the MediaMax application front-end and database” (roping SAVVIS, who apparently maintained the frontend, into the fray) but MediaMax claim to have offered it to them, noting that “if they could have got the files back, they would have”. Steve goes on to say:

Fundamentally, MediaMax is responsible because you are our customer, and the biggest mistake we made was to trust Nirvanix to manage our customer data – yes, it was on the “old Streamload system”, and not their new Nirvanix SDN, but I believe the care and attention that was required was not there and was beyond unprofessional.

Here’s where it gets really interesting. In Nirvanix’s own words:

Are Nirvanix Inc. and MediaMax Inc. the same company?

No. Nirvanix and MediaMax split out of the same company, Streamload, Inc. in July 2007. Each company would be independently formed with separate ownership, oversight and investors. The companies were subsequently split off in July 2007 and have been separate and distinct entities since that time.

Did Nirvanix delete user data?

No, Nirvanix has not deleted any customer data.

Did a storage problem occur at Streamload?

As documented on the MediaMax blog in July 2007, a storage problem did occur at Streamload on the Streamload/MediaMax storage system in June 2007. This occurred prior to the formation of Nirvanix Inc. and was completely independent of the Nirvanix Storage Delivery Network which was not launched until October 2007.

The problem with these denials, and in particular the claim that the mass deletions at the start of the death spiral “occurred prior to the formation of Nirvanix Inc.”, is that it conflicts not only with what investors, ex-partners, users, etc. say but also with the California Secretary of State, who list Nirvanix, Inc. as a “merged out” California corporation (C2111900) filed on 15 June 1998 (conveniently the exact same month Streamload was founded; almost a decade before they claim it came into existence) and as a Delaware corporation (C3051094) filed on 16 October 2007. Incidentally MediaMax, Inc. (C2998020) was filed earlier, on 16 May 2007. In case you’re wondering what “merged out” means (despite having to learn all this as CAcert‘s Organisation Assurance Officer I had to look it up too), here’s the definition:

The limited partnership or limited liability company has merged out of existence in California into another business entity. The name of the surviving entity can be obtained by requesting a status report.

Thus it appears that Streamload, Inc. changed its name to Nirvanix, Inc. which then “merged out” of existence in California, “into” Nirvanix, Inc. (Delaware)… the corporate equivalent of moving house (it would be good if someone in the US could get a status report to confirm).

A murderer changing her name after the crime and then claiming immunity on the grounds that it happened before she existed would spend the rest of her life in jail.

Even if they were a different legal entity as claimed they still appparently have the same staff, same 525 B Street, San Diego address, even the same CEO (which I’ll bet a judge would find interesting). If they are one and the same then is it not actually Nirvanix, Inc. who still has a binding contract with all those customers (at the very least least the ones who didn’t migrate to The Linkup)? Did the original Streamload terms allow for a transfer from StreamloadNirvanix to MediaMax? Did the customers agree? Indeed, was it not then a StreamloadNirvanix system administrator who ordered the deletion of the data? (Update: According to a comment MediaMax claim it was, which reconciles with the dates above.)

So why have Nirvanix thus far managed to escape culpability in the form of public (PR) execution and class action lawsuits? This appears to be no accident, rather the result of a sustained [dis]information campaign. For example, most of this information is from the Nirvanix article in Wikipedia which was recently nominated for deletion, apparently by Matthew Harvey at JPR Communications (Nirvanix’s PR firm) who already blanked it twice before being blocked for doing it a third time as a sock puppet. Jonathan Buckley (Nirvanix’s Chief Marketing Officer) also weighed in with a Strong Delete vote (that was largely ignored as a conflict of interest) and the article was unsurprisingly kept and remains to give a voice to the disenfranchised masses. They have also apparently been fairly active with the bloggers, calling their posts “inaccurate and libelous”, a post by an investor “suspect and untrue”, again claiming “Nirvanix was not even incorporated in June of 2007”, and you can bet there’s plenty more going on that we don’t hear about (Update: including press censorship, astroturfing and blaming the victims, claiming they “are all software pirates and porn addicts”).

The more cynical reader could be forgiven for believing that this was planned (but I think it was more a case of incompetence and gross negligence):

  • Develop interesting technology
  • Build reputation by servicing users for free
  • Get millions in investment
  • Float said users off on a leaky liferaft with $1 in $37 ($500k for MediaMax vs $18m for Nirvanix), and the inventor himself
  • $$$Profit$$$

Why do I care? I don’t particularly (at least not about this specific situation) but like the rest of the fledgling cloud computing industry I do find articles that could have been easily avoided (like “Storms in the cloud leave users up creek without a paddle“) difficult to swallow. I’ve never used their services and I don’t compete with them; if anything I may end up recommending them to my consulting clients if they are the best fit for a problem. I do however feel for the 20,000 or so people who lost irreplacible photographs, video, music and other data through acts that can only be described as gross negligence; as a long time professional system administrator I find occurances like the June 2007 accidental deletion extremely hard to accept. The story of a disenfranchised inventor having been parted with his invention is oh-so-common too. Finally, I just don’t like coverups:

Trust is (for now) an essential component in cloud computing infrastructure and victims of outages, data loss, privacy breaches, breakins, etc. have every right to full transparency.

Were this another storage provider (eg Amazon S3) there would have been a clear demarcation point (the APIs) and it would have been possible to demonstrate that the client either called for the destruction of data or did not. Accordingly, immutable audit logs should be maintained and made available to cloud computing users (this is not always the case today – often they are kept but not accessible). There should also be protection against accidental deletions (in that they should not be immediately committed unless purging is required and requested, eg to satisfy a privacy policy or other legal requirement). Nirvanix notes that (for the SDN at least) “at any point during this eight-day [deletion] process, the file can be fully recovered” and other providers have similar checks and balances (this is almost certainly why you can’t recreate a Google Apps user for 5 days, for example).

So where to from here? If Nirvanix do have the data as they claim, then they should stop the ‘internal’ bickering and do everything within their power to get as much of the property (data) as possible back to its rightful owners, or give a full and transparent explanation for why this is impossible. If they are in fact the same legal entity the users contracted with initially (Streamload, Inc., as appears to be the case) then they should take responsibility for their [in]actions, apologise and offer a refund. That being the case, customers should hold them to this, both directly ( or 619.764.5650) and with the help of organisations like, Better Business Bureau or if necessary, the courts.

In the mean time they can stay in the doghouse, with Dell…

By Sam Johnston

Sam Johnston CMgr FIML GAICD MACS Snr CP is an Australian technology executive and serial entrepreneur with over 20 years experience founding and advising startups, and in leadership roles at top global technology companies including Citrix, Google, and Equinix.

Sam is currently the director of labs at DXC Technology, whose mission is to ensure the company is fully equipped with the emerging digital technologies it needs to lead clients through accelerating change, including drones, robotics & humanoids, 3D printing, computer vision & voice, augmented & virtual reality, artificial intelligence & machine learning, blockchain, chatbots, and quantum computing.

Sam has a bachelor of computer science degree from the University of New South Wales, and is based in Singapore, having worked in Australia, Asia, Europe, and the USA.