Dropbox Accused of Lying About Security
lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."
As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.
...when there's an actual investigation. Why the hell is it news that someone made a complaint?
"If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
Absolutely right. Couldn't believe the laughable security system when it came out. Has anyone else converted all their dropbox folders to truecrypt volumes?
Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.
"the encryption keys are in their possession"
Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?
If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.
Is it just me, or are about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"
Do they keep the keys in a filing cabinet next to the breakroom? No? Then why is this a big deal?
If they keep enough data on their side to unlock my account if I forget my password, then that's a feature, not a bug. Anything that I want to be secure, I'll encrypt myself. As long as there isn't some horrible bug that allows any employee to go snooping about, I really don't see an issue here.
I ask the above question because I didn't start using Dropbox because I thought it was secure--I have class notes for teaching and notes for my personal studies in my account and these are for the most part publicly available anyway. I signed up because I was tired of having to fish out my backup CDs when my hard drives died on me (I still do a local backup though) and this part of their service is visibly not a lie and has saved me on at least two occasions in addition to the ease of sharing said notes with students when the file size is too large for our school's hosting service.
Did they lie to me about securing my data? Technically, yes, they did. Was this a factor in signing up with a cloud-based data storage service? Absolutely not. It never even occurred to me that they would actually secure my data to my level of satisfaction even with the claim that it was secure. It was in the cloud and accessible by whichever script kiddy wanted it. Since this was my operating assumption going in, I can't say I'm surprised that Dropbox has been caught in a lie, nor am I concerned (lying seems to be endemic in our society, unfortunately, but I've grown inured to it). On the other hand, now that they've been caught, I am interested in how they will respond--this could impact my use of their service.
Who knows, this may be a case of "liar liar" like the phantom tracking software story from last month.
Samsung Laptop Keylogger
Only the dead have seen the end of War. - Plato
I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update, without any significant notice to me that they had done so. At the time I considered this extremely rude behaviour on the part of the company. I am glad they are getting some bad press, as there are much better alternatives out there that could do with some business. Wuala, for example, is the alternative I chose. It encrypts everything on the client side before it's uploaded.
I don't think it's acceptable for dropbox to lie about security of my data, nor is it acceptable for them to make alterations to my configuration files without first asking me.
Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.
The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.
And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.
My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.
I hope this makes more people consider running their own system to handle this, lipsync is trying to provide that, it's on github https://github.com/philcryer/lipsync
fak3r.com
Spideroak is a better choice. All data is encrypted on the client side and sent to the server. The Spideroak servers do not store your passphrase, thus it is impossible for them to access your data. The obvious downside is you can't afford to forget your password as you cannot reset it.
I call naive anyone who trusts just-anybody with his valuables.
I make sure that I encrypt my sensitive data that I store in dropbox since day one.
I don't expect everyone to be able to do this, but surely people that are IT-literate enough to read slashdot know how to do this easily. So I would suggest to stop moaning and be proactive when it comes to your safety/security.
Quote: "SpiderOak was designed and implemented by Engineers with a background in fault tolerant systems with a margin of error of 0.0000%." This is either a bald-faced lie, or the background of those "Engineers" is that they failed the statistics exam.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The advantage of Dropbox is that it is the only service to sync files on the cloud that is multi-platform, the competition is Windows, or MacOSX. No one is Linux, Windows, MacOSX, Android and IOS at the same time as Dropbox.
In my particular use I do not need security, but I have to access my data in very different environments.
My vision is that security in the cloud is an oxymoron.....
I don't get why people complain about the obvious security risks, when if they are concerned they can just do the encryption work with true-crypt themselves. Why would anyone who is concerned about security on the cloud not take the encryption into their own hands?
Ok maybe I'm just lazy but I've looked at box.net, jungledisk, spideroak etc. and I have yet to find an online share/sync program that gives me folder-level access control. I have a shmozzle of road warriors to support and dropbox has been a godsend except for the frickin lack of access controls and most importantly complete lack of admin control over sending out join invites. One of our guys joined his girlfriend's laptop to the pool to get access to some files when his laptop died; I didn't even notice the new person until a few months later, and all the while she's been syncing all the updated field reports, financials etc. I mean, WHAT THE HELL DROPBOX?!? Is a "creator" user account really so hard to fathom?
If someone can point me in the direction of a competitor that has these simple but security critical features, I am there tomorrow.
Don't you hate it when you Slashvertize something and then it comes to bite you in the ass... twice now.
Anons need not reply. Questions end with a question mark.
True, security isn't a yes/no, but telling the truth, for the most part, IS. Either their staff could access the files in unencrypted form, or they couldn't. They said they couldn't but in fact, they could. Using asymmetric cryptography for uses like this is rather pointless. You use dual key to get messages from Jack to Alice without letting Bob see. In this case, you only need to get the message back to yourself. Lost your crypto key? By design, if you don't want somebody else to see, they can't, because you hold the secret! Gee... sucks to be you!
BTW: your example of the missile launching laptop is itself a joke. Turns out the "secret launch code" was 123456 for some 30 years! (FSM, I wish I could find the original article...)
What Happens When it RAINS??
Any person using FTFY or editing my postings agrees to a US$50.00 charge
It's taken this long for a PHD and highly regarded security person from the FTC to figure this out? I knew this two years ago when I spent a few minutes reading the Dropbox featureset and noticed that you could share files with other users. Point-blank, this was a sure sign that they had encryption keys. The only surprise here was that people actually take Soghoian's complaint in high regard because of his PHD and that he was the FTC's first real cyber-ninja. I say they (the FTC) need to raise the bar on their hiring standards if this is the best they have. Oh yeah, I don't agree with what Dropbox is doing, but hey if you want security you need to look to business grade services and not the consumer level crap. http://www.silicon-vision.com/wp/why-the-ftc-need-to-raise-the-bar-on-their-hiring-standards/ kc/
Just encrypt your files before uploading them to dropbox. Use GNUPG, or a Truecrypt container.
I'd say has a better track record than TrueCrypt only because GNUPG is open source and you can see the code.
Basically the encryption is just fine, just create a folder, encrypt it, then sync it. It might be possible to set the folder to auto-encrypt on the client side and upload encrypted via sync.
Would using password protected .RAR or .ZIP files be relatively secure?
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
To solely rely on any cloud storage provider for security is naive regardless of what they claim. I have a dropbox account, and I use a truecrypt volume located on an OS X sparse bundle disk image (breaks the volume file into slices for incremental backup of encrypted volumes). Not sure if there are similar solutions for windows/linux, but that seems like the approach to take.
Spideroak, Googledocs, Dropbox, Credit Card users... "buyer beware" is now "supplier beware".
The paranoid crypto-geek guys at Lockbox actually have it right with a complete segregation of keys and encrypted data - they only store encrypted data in the cloud while the keys remain with the users.
I keep my encryption keys backed up and stored under my welcome mat along with my house key. That way, if I ever get locked out, I can get back in.
really, Slashdot? this story only broke last week.
Pixies are a LOT more secure than The Cloud.
"Lied" is a strong word. I more readily believe that there is a disconnect between the techs at Dropbox and the marketing guys than believe that it was done intentionally. Being incorrect makes them dumb, or out of touch, not necessarily malicious.
Warning: Teh poster of this messaeg is lysdexic
A blank page is even more secure than an encrypted one because the enemy will never be certain they aren't just missing something.
Hey, don't give the security consulting game away!!!
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Assessing cloud security is like checking my mom's virginity.
Well, Oedipus, I doubt if she'd let you... especially if she really was a restored virgin.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Oh c'mon. I can't have been the only one that can actually read. When they say their employees cannot access those files all they promise is that their software is written to prevent their employees from doing it. I don't have much doubt it is. When they say they encrypt your files (without mentioning anything about where the key is held) what they promise is to encrypt the data when it goes into their cloud and decrypt it when it comes out. I don't have much doubt it is. They never said it would be encrypted on your computer and that the keys would never leave it. Stop reading features into advertisement that are, plain and simple, not mentioned anywhere.
At the same time everyone on slashdot using Dropbox without exactly knowing that they'd store the keys (most probably not individual keys) for you should hand back his geek card. I mean deduplication of individually encrypted data? hello? How was that supposed to work? They also advertise a pure web frontend you (and others if allowed) can access the data from, also impossible without storing/transmitting the key material on/to their side in some form or shape.
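The deduplication point in the comment above, as an added example that is not part of the original thread: a store that deduplicates by content hash collapses two users' identical uploads only when it receives the same bytes, which per-user client-side encryption prevents. `DedupStore`, `client_encrypt` and the HMAC-based keystream are hypothetical stand-ins (stdlib only, unauthenticated); the sample document is constructed.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Illustration only; real clients should use a vetted AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def client_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per upload, stored in front of the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)


def client_decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class DedupStore:
    """Hypothetical server: keeps each distinct uploaded byte string once, keyed by SHA-256."""

    def __init__(self):
        self.blobs = {}

    def put(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)  # identical bytes are stored only once
        return digest


def run_demo() -> dict:
    document = b"Q3 field report, constructed sample content. " * 100

    # Model 1: the provider receives plaintext and handles encryption itself.
    provider_keys = DedupStore()
    for _user in ("alice", "bob"):
        provider_keys.put(document)

    # Model 2: each user encrypts with a key that never leaves the client.
    user_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    client_keys = DedupStore()
    refs = {u: client_keys.put(client_encrypt(k, document)) for u, k in user_keys.items()}

    return {
        "provider_model_blobs": len(provider_keys.blobs),   # deduplicated
        "client_model_blobs": len(client_keys.blobs),       # no deduplication possible
        "provider_can_read": document in provider_keys.blobs.values(),
        "plaintext_visible_in_client_model": any(
            document[:32] in blob for blob in client_keys.blobs.values()),
        "owner_roundtrip": client_decrypt(
            user_keys["alice"], client_keys.blobs[refs["alice"]]) == document,
    }


if __name__ == "__main__":
    print(run_demo())
```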
Since I believe that accepting any company's claims about a free service will get you... well ... what you pay for; I tend to be proactive.
The first thing I did after creating my Dropbox account was create a 1.9Gb read/write sparse disc image with AES 256 encryption and a strong password, which is stored in the keychain of each machine needing to access the data.
So even though Dropbox can access my account, they couldn't see what's in my image.
Would this obviate my ability to join any legal proceeding resulting from the complaint and investigation? Just askin'.
Some days it's just not worth chewing through my restraints.
You're a system admin and your answer to security in the cloud is to obfuscate your filenames? Ye gods...
It's a security tradeoff - convenience over encryption. Anyway if they publicly said it was impossible to see the data they need to get a bit of a slap. I hope what they meant is their employees' roles are separated in a way which means it's difficult for any one person to obtain all the pieces they need to view the data and even if they did they'd be detected by numerous database / network triggers and thrown out the door. Even so I think most technically or criminally minded people could just implement their own security on top, e.g. a very simple way is to store stuff in an encrypted zip or 7-zip file. I reckon most people don't bother though and that's where the problem lies.
Perhaps the answer for Dropbox is to implement a second level security where users can generate their own keys to secure certain folders. The keys remain in the user's possession on the client side. Data including file names & folder structure would be seamlessly scrambled / descrambled on the fly. It might preclude that folder from being accessible over the web interface and the user would be responsible for figuring out how to get the key onto every device they use, but it would allow Dropbox to say they support fully encrypted data that their staff really cannot see.
Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files.
Finally, some coverage of the root cause of the Sony Play Station network outage / data leak. Thanks /. !
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I saw someone mention lipsync as a dropbox alternative. Sorry to be a bit offtopic, but I was hoping someone had a recommendation for a 1-directional real-time file syncing software for Windows (bi-directional would be fine too of course, but that isn't a requirement. And if it was just a linux one but worked amazing I would be glad to know about that as well). I have just not been able to find any good real-time syncing that will do updates after each change.
I know there are plenty of syncing where you just put in the source & dest folder and sync away, however those are never meant for real-time syncing and have serious downsides. And furthermore, I need one built with syncing over the internet in mind where upload speeds may be sub-par.
For this type of setup, what I would see as being necessary is having both server and client software communicating and sending the appropriate file modification messages to each other to know when and what to sync, thus giving it the ability to be very light on the data transfer and quick on the updates.
The setup I always see in programs is the program only running on one side, meaning to do any regular syncs it needs to constantly re-download/re-create the source and/or destinations entire file structure each time to do comparisons. Even if it prestores some XML files with the current data and just does updates, it still ends up needing to send say 30-40megabytes of data in my case each time. This is obviously not very efficient, and when syncing large file systems with so-so upload speeds, it's simply impossible to do anywhere near real-time backups.
Any recommendations would be great. I'm sure there have to be programs out there, I just can't find any. All I want is:
A) Local computer for drive/folders to be monitored when changes are being made "server"
B) Remote computer, "client"
A starts up, needs to do a full sync with client B at first to make sure everything is up to date. Then A continuously monitors folder/drive, any modifications/new files are sent to B. B confirms the new changes are done before new updating occurs. B always contains data from A.
Simple as that. Thanks for any help!
You're a system admin and your answer to security in the cloud is to obfuscate your filenames? Ye gods...
It's like locking your car doors. There are so many juicy targets out there that all you have to do is not be the low-hanging-fruit. Will obfuscating filenames stop a dedicated inspection of your data? Of course not. Will it stop a bored sysadmin looking for porn (the original example)? Probably, because there will be thousands of obvious targets to go after instead of yours. He's not interested in your porn, but rather some illicit customer porn.
Not everywhere needs to be Fort Knox to be reasonably safe from casual penetration.
You're special forces then? That's great! I just love your olympics!
I win, what's the prize? Money? House? Car? A 1995 pamphlet on how to leverage our synergies to do something or the other?
If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.
If you buy this shiny new geek toy, other geeks will be envious of you.
If you apply this aftershave women who would normally never give you the time of day will flock to you.
Does anybody know if you can just pre-encrypt data, and set that as your "backup directory" before you send it off to Dropbox, Carbonite, or whatever?
I'm not a lawyer, but I play one on the Internet. Blog
It has not been approved by OSI.