Slashdot Mirror

Interesting point and I'd like to read that professor's work, but I don't believe online services are flourishing for security reasons, but rather that it's coincidental from the average user's perspective. The whole point of this story is that people are not aware and knowledgeable enough about technology and security, so I doubt they factor it in highly enough to use it in their decision to chose an online service.

Security is rarely mentioned in the list of features of these services: nothing in Flickr, Picasa, or DropBox other than to discuss how files you upload can be shared selectively rather than be public. DropBox doesn't turn up anything when you query for "virus" in the help section (and even suggests disabling your anti-virus to solve a connectivity problem). Even Google Docs which has drawn much concern on data security neglects to reassure you that documents you upload are properly safeguarded, and doesn't guarantee that downloading an MS-Office version of a document is devoid of malicious code which may have been uploaded by whoever shared it with you. There's far more concern assuring you that they perform backups and that your data won't be lost. Twitter mentions security only in the context of safeguarding your account from hijacking. Facebook's "privacy" aspects are obviously not worth mentioning and where they mention it it's due to bad publicity, not a way of attracting users away from MySpace by being a safer platform. It has taken major Twitter/EC2/PSN outages for people to even realize there's a risk in relying on online services, which still isn't being discussed in these feature sets- public understanding of availability is as meager as security.

There's certainly a risk and possibly even this hidden cost you're suggesting in using proprietary online services, but I don't see that they are being used to avoid downloading an executable file, or otherwise provide any such protection against browser-based attacks. To the contrary- all of the above popular services except for Google Docs actually encourage or even require (DropBox) users to download binaries (in the case of Facebook/Twitter mobile apps), and Facebook users are clicking random links to the same kinds of nonsense they had been getting in their email.

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

Please refer to this Dropbox forum thread, regarding alterations made to /etc/fstab http://forums.dropbox.com/topic.php?id=29809

Did they really lie to most people?

They're still lying. From https://www.dropbox.com/features>https://www.dropbox.com/features:

Dropbox protects your files without you needing to think about it.
                       

• 
                                 
• Dropbox keeps a one-month history of your work.

•                                

• Any changes can be undone, and files can be undeleted.

•                                

• All transmission of file data occurs over an encrypted channel (SSL)./li>
                                 
• All files stored on Dropbox are encrypted (AES-256).

•                        

I maintain that I, myself, am boring enough to not be bothered with folks potentially perusing the stuff I store on Dropbox. But it's still a lie -- it has been shown to be hardly protected at all.

Just so you know, we don’t get very many of those requests — about one a month over the past year for our more than 25 million users. That’s fewer than one in a million accounts.

But that's only for cases where the government requests data on their servers. We don't know how many requests they get because some stupid ass put the latest Lady Gaga CD in this /public/ folder and posted the link on 4chan. And I'm guessing it's a lot. In fact, I'm surprised that Dropbox hasn't been sued by the majors yet.

ribbons hide different tools behinds 6-8 separate ribbon sections that are usually clicked through where all the buttons have a similar background and 'icons' making it hard to search through as opposed to a File - menu - list with text that a person can scan through in about 2 seconds.

Let's take a look at Excel 2010's ribbon, and then at Excel 2000's menus. I can't believe an Excel user would find File/View/Data menus intuitive, yet File/View/Data tabs incomprehensible.

But, for the sake of argument, let's accept as a given that finding what you want in a menu (and its submenus) is easy because it's "text" you can scan in "about 2 seconds." Taking the "wouldn't recognize a stop sign if it wasn't labeled" demographic into account, they labeled every one of the icons.

This is why it's a major improvement over the toolbar, which was dozens of tiny (unlabeled) icons, almost entirely hidden behind chevrons so they wouldn't take up half your screen. It's also the only significant "improvement" they've made to the Office UI since 1994. It really shouldn't be incomprehensible.

ribbons hide different tools behinds 6-8 separate ribbon sections that are usually clicked through where all the buttons have a similar background and 'icons' making it hard to search through as opposed to a File - menu - list with text that a person can scan through in about 2 seconds.

Let's take a look at Excel 2010's ribbon, and then at Excel 2000's menus. I can't believe an Excel user would find File/View/Data menus intuitive, yet File/View/Data tabs incomprehensible.

But, for the sake of argument, let's accept as a given that finding what you want in a menu (and its submenus) is easy because it's "text" you can scan in "about 2 seconds." Taking the "wouldn't recognize a stop sign if it wasn't labeled" demographic into account, they labeled every one of the icons.

This is why it's a major improvement over the toolbar, which was dozens of tiny (unlabeled) icons, almost entirely hidden behind chevrons so they wouldn't take up half your screen. It's also the only significant "improvement" they've made to the Office UI since 1994. It really shouldn't be incomprehensible.

Dropbox states that all files on their servers are encrypted. I had assumed this meant the key was encrypted with your own password, but this exploit suggests that the files either are not encrypted, or encrypted with a freely accessible key.

From: https://www.dropbox.com/help/27
"All files stored on Dropbox servers are encrypted (AES-256)"

You're wrong; it makes a big difference:
http://dl.dropbox.com/u/3736224/misc/why_nintendo_why.png

Rendered FFCC: My Life as a King in Dolphin at 720p on my TV and I was blown away by the difference compared to 480p rendering on the Wii. I didn't even hanve anti-aliasing enabled, which would have looked exceptionally nicer had I done so.

In our help article we state that Dropbox employees aren't able to access user files. This is not an intentionally misleading statement -- it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user's permission. We can see, however, why people may have misinterpreted "Dropbox employees aren't able to access user files" as a statement about how Dropbox uses encryption, so we will change this article to use the clearer "Dropbox employees are prohibited from accessing user files".

Thread here : http://forums.dropbox.com/topic.php?id=36835

Poor choice of words indeed.

You may learn more if you do your own research but:

http://www.truecrypt.org/faq
[quote]The ciphertext block size used by TrueCrypt is 16 bytes (i.e., 128 bits)[/quote]

https://www.dropbox.com/help/8
[quote]Before transferring a file, we compare the new file to the previous version and only send the piece of the file that changed. This is called a "binary diff" and works on any file type. Dropbox compresses files before transferring them as well. This way, you also never have to worry about Dropbox re-uploading a file or wasting bandwidth.[/quote]

Yes, Truecrypt does block level encryption, so a big container wouldn't completely change when a small change is made. Only some blocks do, depending on the amount of data that is modified. Binary diff is a supported feature according to Dropbox. You would need to turn off the Preserve modification time of file containers option in Truecrypt (under settings and preferences), so that the time stamp changes when the container does. You will also need to unmount the container before sync. I was going to set this up after reading others success stories in getting Truecrypt and Dropbox to work, but ended up settling on a different solution.

Looks like things have moved on since I last tried Dropbox with Truecrypt:

http://forums.dropbox.com/topic.php?id=14332

It does appear to be possible providing you tell Truecrypt not to preserve file modification timestamps

http://dl.dropbox.com/u/11985484/IMAG0176.jpg

Login.

Go to https://www.dropbox.com/account#manage

Click 'unlink' computer.

The OP is bullshit. If you can't bother yourself to read the docs and understand that you need to unlink a computer to disconnect it, then it's user error.

Just because Dropbox doesn't conform to someone's ID that a "change of password" should inconveniently force the user to manually go to each of their computers and set it up all over again, does not mean that Dropbox is insecure.

Now, if the computers you set Dropbox up on are in secure, that's a whole different story, and not Dropbox's fault.

No kidding. It's very easy to unlink computers from your account - https://www.dropbox.com/account#manage (when you're logged in, of course). It even tells you the last activity from that system. However, it will not destroy the local copies of the file, which would be a good option to provide when unlinking systems - a remote wipe of sorts.

At least if an attacker starts modifying your files, it has file history to revert to an uncompromised version, if it helps. And OS X systems at least also let you use growl notifications when files are added, changed, or removed (not sure if Win/Linux have something similar).

They probably could do better with notifications overall though. When dealing with (potentially) sensitive data, it's a good idea to email users when that info has changed - email addresses or credit cards added to or deleted from account, new system added to sync rotation, etc. Password reset notifications should go out to all emails linked to the account just in case. It's infrequent enough that I'd tolerate the spam for the extra peace of mind.

If this is true, then the problem described in the article is a design flaw. Changing your credentials should block access by any box which does not have the new credentials.

Here'st he discusson in the Dropbox Support Forum http://forums.dropbox.com/topic.php?id=36146

Remedy for company owned computers/laptops:
Run Dropbox on an account that's not accessible by users. You can set it to run at startup via Scheduled Tasks or crontab. For added security, encrypt those db files containing the authentication keys with EFS (Windows only). The Dropbox folder will then be made accessible to authorized users via filesystem permissions. Unfortunately, this won't scale well for multiple Dropboxes per computer.

One should not use Dropbox for sensitive documents anyway, because:
1. Dropbox staff can read file names
2. They can obtain the decryption key if they really wanted. (If you can reset your password, they obviously can, too.)

From comments of original article:

kregg says:
March 22, 2011 at 9:44 pm

Just for those who don’t like or have trouble browsing through the images, I’ve made a PDF Version of the high-resolution image documents for convenience. All pages are in the right order.

Also, I don’t own any rights to these images, these still are of Copyright to Mike Dailly, I’ve just put the images together in a PDF format for easy reading.

lol! I came to the same conclusion and did exactly the same thing few minutes ago, totally owned the computer :D score: 8:8:2, here is the proof! http://dl.dropbox.com/u/5293445/Capture_735.png

Not looked very hard, have you?

Point it out to me, please.

On the right

Not looked very hard, have you?

Point it out to me, please.

"If you put this in your dropbox,"

What is a 'dropbox'?

Since the person to whom I was responding capitalized it (although I didn't), I'm pretty sure he's referring to this: Dropbox. Basically it's an online service that keeps the contents of a particular folder (called your "dropbox") in sync across an arbitrary number of computers.

So when he advocated saving the one-time pad as a file on a computer, basically it just becomes like any other file - accessible to anyone who might crack either his account on any computer, or his account with Dropbox. That's why I said it was no longer "something you have", because there's no unique copy at that point. Access to it just requires cracking another password.

I can't tell you have wonderful it is to be able to play a game like Puzzle Quest on my desktop and then continue my game right from where I left off on my laptop without having to hunt down the save game file and transport it myself.

If this is a big deal for you, why not just install something like Dropbox (referral link if you want extra storage for free) or Spideroak (Referral again if you want free stuff) and set it up to sync all of your saved games automatically without having to wait for Valve to do it for you?

It's simple, it's reasonably secure, and I have been using it to run the same games on my Windows workstation, Debian desktop and Ubuntu Notebook for quite a while without any troubles at all.

I don't use those controls, when I'm reading Slashdot - the comments are what matters to me the most.

I accidentally noticed that if I zoom in with Opera, the layout transforms into what I need: http://dl.dropbox.com/u/3258602/slashdot-opera-zoom.png
The bars become invisible, the entire screen is used to display the text.

Can we keep the old icons for story topics?

Does it matter at all? As long as it works?

It doesn't, hence the problem.

I'm guessing you're one of those ridiculous people that uses only software approved with the seal of RMS's beard.

I'm typing on a Windows 7 system right now (screenshot evidence) and I buy a lot of commercial software as well use a lot of free opensource software, I consider myself platform agnostic and use what is best for the job. h.264's support in video tags is lacking and not as widely supported both legally and in practical uses, to me it is quite clear it is not better for a web video in practical, philosophical and even legal.

For those of us living in the real world, the only thing this does at all is annoy the vast majority of the population.

Yes, I mean after all, the lack of proper plugins to support the content in your favorite browser, who wouldn't get pissed off? I'm serious about the lack of h.264 plugin video tag support while the opposite exists across pretty much all major browsers that don't have it built in.

I didn't respond to the rest because I didn't feel it was worth reading in the first place.

Whatever you say.

This paper (in submission; written by a statistics expert) explains why this 'evidence' does not prove a success in precognition research, but instead demonstrates a problem in psychology statistical analyses: http://dl.dropbox.com/u/1018886/Bem6.pdf disclaimer: though I'm not on the paper I am affiliated with the author.

I have been thinking about sticking all my photos in Dropbox, but if I do, it will be inside a large trucrypt volume, so that only I can view them. This will be a very large initial upload, but then as I add more photos to the volume, only the new photos will be uploaded (as a few hundred meg difference in the TC volume).

Crappy Dropbox info is here: https://www.dropbox.com/help/28

this thread made me hate slashdot. no really, what is this shit? are you stupid?

Did you (all) mis the features link on their website? Here's a link: https://www.dropbox.com/features/ It shows exactly what Dropbox has to offer.

2) The last time I checked, you could only sync one folder. The drop box folder. They cannot sync multiple folders:
http://forums.dropbox.com/topic.php?id=5088

Check again. I can do "selective sync", at least with OS X, and check the folders I want to sync online. That's actually one of the new features.
http://www.tuaw.com/2010/12/17/dropbox-1-0-available-with-performance-enhancements-selective-s/

Not horribly obvious is how to update for Linux users. You have to go to the blog to see that instead of downloading the .dropbox-dist update, you just need to:

1. Open a terminal.
2. $ dropbox stop
3. $ dropbox status # Should report "not running"
4. $ rm -r ~/.dropbox-dist/
5. $ dropbox start -i

Easy as pie. Don't have to be root either. Assumes you've already installed a previous version (with nautilus integration for Gnome, etc., etc.).

DT

I clicked on the Features link in the homepage to learn what it did, but I suppose that was a bit much to figure out...

1) Every piece of data you sync has to _also_ be synced online. So, then you're restricted to the amount of online storage you pay for.
What if you want to sync tonnes of storage between computer(s), and only sync a small amount of stuff online. This is not supported in dropbox, and I don't think ever will be because marketing won't want it to change. Today I use Windows live sync (or live mesh) for this purpose and it works.

2) The last time I checked, you could only sync one folder. The drop box folder. They cannot sync multiple folders: http://forums.dropbox.com/topic.php?id=5088
This is just lame. I don't think people would like to change their backup directory structure to comply with dropbox's basic/naive/bad design decisions.

Yeah, you actually have to click on download from the page linked in the article to find out what it does. Even on their main website, you're presented with is a big download button without any explanation. http://www.dropbox.com/ You can watch a video (I didn't) that may enlighten you. If you follow the link in the article to their download page you get...

"Dropbox allows you to sync your files online and across your computers automatically.

Put your files into your Dropbox folder on one computer, and they'll automatically appear on any of your other computers that also have Dropbox installed (Windows, Mac, and Linux). You can even download Dropbox apps for your smartphone or mobile device (iPhone, iPad, Android, and Blackberry). Everything in your Dropbox is available from the Dropbox website, too. "

Slashvertisement...what the hell is going on around here?

Must be your first day on the internet so here you go: http://www.dropbox.com/features

I also dislike the fact that they but a huge video on there. Instead of putting up bigger links to e.g. their guided tour https://www.dropbox.com/tour (which also contains a video, but one doesn't have to view it to follow the tour). Or the features page -- both links are the bottom.

So, while I agree that they should be a lot bigger and more prominent, I'd like to point out that these are not *that* hard to find ;)

Or, you could just take the guided tour https://www.dropbox.com/tour the DropBox site offers (which also contains a video, but one doesn't have to view it to follow the tour).

https://www.dropbox.com/plans

You need to be logged in to see it. *sigh*

You can do lots of things to get more than 2 GB for free. Like telling friends.

http://wiki.dropbox.com/DropboxAddons/DropboxFolderSync

AKA Symlinks.

I click on the link...

The new version comes with hundreds of bug fixes, including invalid file names on Windows, weird Unicode normalizations, Word and Excel file locking, abnormal symlinks hierarchies, and case sensitive file systems on Mac

Oh, so are invalid file names a bug or a feature? Why would I want to lock Word and Excel files? I know what they are but I don't use them. I don't use abnormal symlinks hierarchies or a Mac either.

So I click the first link 'Dropbox' which goes to (wait for it...) "The Dropbox blog"

Hey everyone! We’re super excited to announce the new hotness that we’ve been cooking up for the past few months: Dropbox 1.0! In addition to hundreds (yep, hundreds) of bug fixes, vastly reduced resource usage (think of it as the Prius model of Dropbox), Dropbox 1.0 (“Rainbow Shell”) also offers support for extended attributes, selective sync, and a shiny new installation wizard. Those are just the CliffsNotes though — here’s the true story behind Dropbox 1.0:

You get the idea. It goes on and on. How can these people talk so much and say so little?

The first link from this page: Dropbox Home. This looks promising, it goes to https://www.dropbox.com/

Here is the text of the page:

Suggestions, ideas, bug reports, and comments are always welcome. If you'd like to interact with other Dropbox users, check out our forums. Email Address (optional) There was a problem completing this request. Request completed successfully. Log in Email Password Remember me Create an account Dropbox - Secure backup, sync and sharing made easy. Watch a video about Dropbox. Watch a Video Sync your files online and across computers Download Dropbox Free for Windows, Mac, Linux, and Mobile Dropbox - Secure backup, sync and sharing made easy. Sync your files online and across computers Download Dropbox Free for Windows, Mac, Linux, and Mobile * Sync files of any size or type * Share large files and photos easily * Automatic online backup * Track and undo changes to files Take a tour of Dropbox © 2010 Dropbox * Dropbox * Home * Install * Mobile * Pricing * Features * Tour * Community * Referrals * Twitter * Facebook * Wiki * Developers * Partners * Support * Help Center * Forums * Votebox * Feedback * Contact Us * About Us * Dropbox Blog * Our Team * Press * Policies * Jobs

Oh, ok. So from this I gather that it's some sort of file sync application which needed a major rearchitecture before it could be released at version 1.0.

Almost all of the viewable area of the page is taken up by a giant video play button. Well, believe it or not I actually use my computer for computing and not as a television. I also like it to be halfway secure, so I don't have any Adobe products such as Flash installed. I do know how to read and it is several times faster. I'm not watching some video made by people who can't complete the sentence "Dropbox is ...".

I still don't get it, except that it syncs files and the people who made it should probably cut back on the Red Bull and talk to someone outside the office who hasn't been making and eating their own dog food for eighty hours a week for the last year.

Dropbox is a Web-based file hosting service operated by Dropbox, Inc. which uses cloud computing to enable users to store and share files and folders with others across the Internet using file synchronization

from wikipedia

Dropbox home page

You can still get the older version at http://dl.dropbox.com/u/2992929/KindleForPC-installer.exe

dekindling is the first thing I do when I get a book from amazon, though I look for a portable version first at fictionwise.com or baen.com.

Unfortunately, most people just don't care.

I say use Google Apps for email and Dropbox for Teams for file sharing Everyone can use their own clients and platforms (Mac, Linux, Windows) and can access their email and files whenever and wherever there is internet Google Apps: http://google.com/a/ Dropbox for Teams: https://dropbox.com/team_create Plus, a lot of people probably are familiar with GMail and they can use Outlook, and Dropbox is just easy to use Also, for a website, just use a host like GoDaddy or something, the cloud is the way to go (IMHO)

Like this? http://dl.dropbox.com/u/8129635/IMG_0084.jpg

You could look at public folders on dropbox, and if you do sign up (I know, shameless plug here), use the following link so my free storage and yours gets a boost of 250MB

http://www.dropbox.com/referrals/NTI4MTC3NZc5

It's very easy to reproduce these problems:
1. Download the Firefox installer for your platform from mozilla.org. This could be the latest 3.6 release, or the latest 4.0 beta.
2. Install it. Make sure you do not install any sort of plugins or extensions. We want a clean, default Firefox installation.
3. Browse the web for 30 minutes. Visit a variety of sites, including Slashdot, Facebook, and some of the popular news sites.
4. Use top or the Task Manager or whatever your system offers to see the memory usage of the Firefox-related processes. Notice that they'll be in the gigabytes.

I have had firefox running for over a week now. I've visited numerous sites, loads of tabs of Slashdot, had previously many open tabs on furaffunity and various sites but eventually closed them. There is one window with a god awful amount of tabs, infact all the monster.co.uk's jobs for Glasgow and that has been sitting there since Monday. So, you would think this would be a good candidate to observe you problem. Now, my system as a god awful amount of memory too, yet.. What is Firefox using?

According to http://dl.dropbox.com/u/58565/firefox-memory.jpg It's just over 300MB and I was expecting far more with the amount of tabs I have open. I doubt foxyproxy or firefox sync (the only addons I have) magically made the "memory leak" go away.

Can you explain why I am not seeing this issue please?

I don't recall having to configure anything to get sound working for KDE under Ubuntu 9.10 and 10.04. On Gentoo, you need to configure everything yourself, but it was just setting up the PA device and making it the default in .asoundrc, which worked for everything trying to use ALSA, until Phonon gained the option of direct PA output. Which happened before 4.5, since this is the setup dialog under 4.4 in Lucid. The new work in 4.5 is just better integration, so maybe you won't need padevchooser from now on to connect to network sinks.

Thanks for that! I was also looking for a regular, no-hoops-required link that just works.

Converting it to a clickable link for everyone's convenience: http://dl.dropbox.com/u/33127/35539144-pnp12pt.pdf

When OCR gets so good that recaptcha becomes pointless, my idea for the next step of harder-for-AI captchas is to stop using line art and start using gradients. That is, currently, they use text, which is line art, and then warp it, chop it up, and run miscellaneous clutter through it. It's getting harder and harder for people to read, and machines are still catching up.

I propose that if you start with a photograph, make a selection that's block text, feather the edges, than shift the colors in the selection (Hue, saturation, inversion, remapping, whatever) that it's going to be easier for humans and harder for computers than some of the stuff we've got now. But generating it can be automated just as easily, I scripted Photoshop to make these in a few minutes.

Here's an example

Another reason they're pushing GNOME 3 back is that Shell's design isn't quite usable yet. I would know because I frequently use daily builds of GNOME Shell for testing purposes. I mean, look at it. It's so... blah and thrown-together. The design team is working on the design, and the final design will look much different. If you clone the gnome-shell-design git repository, you'll get the most current mockups. Here's a link to those of you unable to use git including the latest mockups as of today. These mockups look amazing and make the shell much easier on the eyes as well as usable. Ever since they announced this new design, I've been looking forward to it much more than I already have.