File-hosting Sites Not a Safe Haven For Private Data
An anonymous reader tips a story at the Register, according to which "Academic researchers say they've uncovered weaknesses in dozens of the most popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user."
Why would you upload private data to some file hosting site? These (e.g. RapidShare) aren't the kind of services where you can modify files after uploading (such as Dropbox), so encryption is not much of a hassle. You have no reason not to encrypt the files before uploading them.
I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
This is the kick-off to Slashdot's "No Shit Week"
“These services adopt a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URIs,” the researchers wrote in a paper presented at the most recent USENIX Workshop on Large-Scale Exploits and Emergent Threats.
Hey, guess how passwords work? They're hard to guess. How do biometrics work? Your fingerprints are hard to replicate. How do keycards work? It's hard to guess whatever code is stored in it. All security ultimately comes down to some token that is "obscure."
All security is through obscurity. If these sites are being accessed when they shouldn't be, it means that there's an information leak, that is, the owners think (or claim) that it is far more obscure than it really is.
It is on a remote site, out of your control, so it's not secure. End of story.
Encrypt before it leaves your system if you want to keep it secure. Or only store data on such sites that you really don't care if it becomes public.
And even if there really are no remote security holes, anyone with admin/root access to the servers can access your data. Without you knowing.