[OpenAFS] Linux OpenAFS & EncFS?

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 17 Feb 2014 18:42:41 -0500

On Mon, 2014-02-17 at 13:11 -0600, Troy Benjegerdes wrote:

> So $10k for design, and $100k for implementation sufficient to protect a 
> small business's data worth between $250k, and $1M.

No, that's not what Jeff said.  What he said was that doing the design
and analysis work required to come up with an estimate could cost $10k.
I happen to think that's a bit high, but then, I'm not volunteering to
do it.

The cost of actually doing the work will be much higher, and will depend
on the design goals, including the threat model, and on how fast you
want it and what bells and whistles you want.

> Does that sound reasonable? Do you think a 10X scaling factor for data 
> protection is reasonable, as in $100K will protect data worth $1 million?

It doesn't work this way.  That's a reasonable way of estimating how
much you're willing to pay for some sort of protection, but not of
estimating how much it's actually going to cost.  If $100k is what
you're willing to pay, and you can find someone willing to do the work,
then you'll get $100k worth of protection.  I can't begin to guess what
that would look like, but whether it is sufficient to protect your $1M
asset is something you have to figure out for yourself.  I recommend
making sure your $100k contract includes a clear statement of work.

> If it's going to take a year, I should have plenty of time to figure out 
> how big of a mining farm I need to make the money to pay for it :P

Lest someone become confused... It doesn't work that way, either.
Software developers need to eat more than once a year, so on a project
this size, they'll expect a payment schedule that allows them to do so.

-- Jeff