Dropbox Accused of Lying About Security

lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."

Good

[gadzook33]

As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.

Re:Good

[Yvanhoe]

What I hope will happen : that "cloud" will soon become synonym for "pixie dust" or "snake oil" when it comes to computer security.

What should have happened : the same, 5 years ago.

Call me back...

[bannable]

...when there's an actual investigation. Why the hell is it news that someone made a complaint?

Re:Call me back...

[inpher]

One reason is that the person making the complaint is Christopher Soghoian, a heavyweight when it comes to computer security.

Re:Call me back...

[Renderer+of+Evil]

Point is, he has exposed their lies and it made the rounds on all tech news sites. His researched compelled an FTC investigation.

What have you done?

Re:Call me back...

[MightyMartian]

I'm thinking the poster has likely shilled for some companies that have been exposed.

Re:Call me back...

[jopsen]

Why the hell is it news that someone made a complaint?

Because actively lying to your customers isn't okay... Don't you have customer protection agencies ?

Re:Call me back...

[dzfoo]

Perhaps he stayed at a Holiday Inn last night?

            -dZ.

Seconded

[Niobe]

Absolutely right. Couldn't believe the laughable security system when it came out. Has anyone else converted all their dropbox folders to truecrypt volumes?

Re:Seconded

[0100010001010011]

Not all of them. Anyone accessing my 'Projects' Folders wouldn't find anything that wasn't on my Git Hub. Nor would they get much out of my "Spring 2011" homework folder.

Good luck getting at my "Taxes.tc" file.

Re:Seconded

[x*yy*x]

I mostly just use it for image hosting for forums or to quickly give something to a friend, which it's just fine for.

Also, before someone comes in blaming the whole cloud thing again, it's not the fault of "cloud". It's a fault of a lying company. If your bank told you that your money would be safe with armed guards and you would not be responsible for someone robbing them, but it turns out the bank stored all their money in an insecure normal office and someone casually broke in and took the money, you would blame that one bank, not the whole banking system.

Re:Seconded

pronouns?

Re:Seconded

[Omnifarious]

I'm sort of both of those. And I have and would've made a better service than that.

Re:Seconded

[PopeRatzo]

Also, before someone comes in blaming the whole cloud thing again, it's not the fault of "cloud". It's a fault of a lying company.

It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation. The more de-regulation, the more damage they will do.

Corporations are golems, with the single imperative to profit at any cost. The potential for profit increasingly outweighs any risk involved in negative behavior. And when you get big enough, say Exxon big, there's no risk at all.

And it is a little bit the fault of "the cloud". I can go down to my bank and look at the vault. I can read the government-backed FDIC insurance on my deposits and the FDIC has never, ever failed. All we can do is hope that what the cloud companies tell us about security is true. How could we possibly verify?

Re:Seconded

[node+3]

But you didn't. It's much easier to *say* how you'd do something than it is to actually do it.

If you really could do so much better, why haven't you done so? Seems like a good way to make a few million, if it's so simple...

Re:Seconded

[icebraining]

Parent never said (s)he would come up with the idea (nor that it was simple), just that (s)he would implement it better.

Re:Seconded

[fuzzyfuzzyfungus]

According to TFA's description of the problem, the issue wasn't one of technical acumen at all.

In order to be able to do deduplication across their subscriber base, rather than per-user or none at all(likely making for considerable disk and bandwidth savings across a service of their size), Dropbox failed to (usefully) encrypt user files and introduced a fun side-channel attack where anybody can determine whether somebody else has a file stored, just by attempting to upload it and then sniffing the wire to see if it takes the expected upload time, or just a tiny amount of hash comparing to "upload".

Technologically, they didn't exactly advance the state of the art in crypto to power their service; but the issues at question appear to be technologically competent enough, deduplication across the largest set of files possible is a perfectly sensible way of reducing storage and bandwidth costs, it's just that they then proceeded to sharply oversell the amount of actual privacy they were providing.

Given that education doesn't seem to have much effect on honesty(unless you count the courses of study that probably make you worse...) I'd be inclined to say that it is irrelevant to the problem at hand.

Re:Seconded

[zephvark]

It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation

The what, now? Big companies never push deregulation. They want as much regulation as possible, the better to punish anyone else trying to enter the same market. It's called "rent seeking".

Re:Seconded

[ColdWetDog]

"I enjoy intercourse with small domestic fauna."

Thanks for qualifying that. Heaven forbid you having conjugal relations with foreign animals. That would be just perverse.

Re:Seconded

[captain_sweatpants]

Bullshit! Big companies are in favour of regulation that increases their profit and against regulation that decreases it. Overall they are against it because they can always abuse their dominant position to keep standards low, prices high and competitors out. In the absence of sensible regulation, they can throw their money around, abuse their influence with suppliers and customers, or just flat out abuse those that have no one else to buy from or sell to.

Re:Seconded

[Linux+Torvalds]

Regulatory capture has proven to be a much bigger problem than deregulation, I think. It seems better not to give the government so much power in the first place.

Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

Re:Seconded

[Lunix+Nutcase]

O rly?

AT&T seeks more phone deregulation in Alabama
AT&T and Deutsche Telekom push for deregulation of wireless markets
Time Warner seeks Manhattan deregulation

It's trivially easy to find other examples.

Re:Seconded

[L0rdJedi]

Forget the encryption part for a moment. Their own privacy policy stated that they reserved the right to sell your information if they ever go bankrupt. One of the other online backup places, Carbonite, has no such statement in their privacy policy. Personally, I'd rather pay for a service that isn't going to sell my info.

Re:Seconded

[Doctor_Jest]

Regulation means "market barriers." As long as there are established entities in a market, those entities LOVE regulation. It prevents them from having to play on a level playing field. I don't know if you're being ironic, or just ignorant of basic economics. Either way, Dropbox's lies have nothing to do with the word "Free."

Re:Seconded

[PopeRatzo]

As long as there are established entities in a market, those entities LOVE regulation.

We're using "regulations" to mean different things. You're referring to the regulations that are written by industry lobbyists. I'm referring to regulations like the EPA regulations that cleaned up the Great Lakes.

Of course, I guess those regulations are a thing of the past. Especially after Citizens United. Now you've got corporations on government welfare, and they're the ones electing the government.

Re:Seconded

[PopeRatzo]

Personally, I'd rather pay for a service that isn't going to sell my info.

Do you really believe that the lack of such a statement in Carbonite's privacy policy would prevent them, or their creditors, from selling your information?

Re:Seconded

[PopeRatzo]

Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

If you trust Exxon and the MPAA more than the government with all its faults, then you have not been paying attention for the past 30 years.

Re:Seconded

[node+3]

And I never said he said he came up with the idea.

Everybody's a backseat nerd here on Slashdot. "Oh, I could've done that better." Yeah, right. It's far easier to criticize someone else's work than it is to do the work yourself.

Re:Seconded

[Moryath]

Hey, remember when the police and the teachers' unions crashed the stock market, raided everyone's pension funds, and shipped all the jobs to India?

Yeah, neither do I.

Re:Seconded

[bugs2squash]

If your information truly were encrypted then having them sell it when they go bankrupt to a company that would continue to store it for you may not be such a bad idea. After all, at least you could then continue to purchase the storage. I know a lot can go wrong (and from the looks of it already has), but there is at least one benign potential interpretation of this clause.

Re:Seconded

[node+3]

"Eighth-grader logic" is thinking that having an idea about how you'd do something, and actually doing something, is the same thing. For all the inevitable posts on Slashdot by people who seem to think they are so capable, you'd think these super-geniuses would be out there making all sorts of amazing things. When the actual truth is that it's far easier to *CLAIM* you can do something better than it is to *ACTUALLY* do something better.

Re:Seconded

I do remember when teacher's unions lied about Meg Whitman, when auto unions contributed to the competitiveness of US auto companies, and when politicians have been convicted of bribes, misuse of funds, and just about every other thing corporations have been accused of. Why on earth do you think people in government are _ANY_ different than people in corporations? What fantasy world do you live in?

Re:Seconded

[Omnifarious]

Well, I have the knowledge, and I have designed systems that use cryptography in the past. You're right though, until I've actually done it, it's all just hot air. :-)

Though, if I were DropBox, I would've just used Tahoe. Of course, as someone else mentioned, that doesn't really effectively do de-duplication. So perhaps the hypothetical service I designed that way couldn't have worked as well.

Re:Seconded

[Sarten-X]

Why do you think people in corporations or government are any different than you or me?

Do you really think any CEO wakes up every morning and says "Today, I'm going to screw over the little guy!"?

Re:Seconded

[sFurbo]

It's not really a question of trusting, but of consequences. Ideally, if you don't like the way a company treats you, you can choose not to do business with them, that is much harder with the government. That means that the government can get away with things that would drive a company to bankruptcy. Of course, monopolies (which comes both from to little regulation (Exxon and MPAA) and to much regulation (MPAA and, as far as I understand, local ISPs)), collusion and regulatory capture means that this ideal is far from the world we live in.

Re:Seconded

[sFurbo]

Do you remember the PATRIOT ACT, DMCA and being fondled in the airport? What about innocents being tasered to death, or warrantless wire-taps? I think my take on the last 30 years is about equal disgust over government and industry, but they are really hard to compare, as their respective evils are so different.

Re:Seconded

[delinear]

Ultimately it comes down to accountability and being able to distance yourself from the consequences of your actions, but it still takes a certain mindset to follow that through. If there was a little button you could press, and when you pressed it there was a chance somewhere in the world someone would be harmed but you'd get a reward, most people probably still wouldn't do it - the few that would are the CEOs that are crashing the stock market and skimming off the pension funds.

Re:Seconded

[delinear]

You've gone straight to the obvious, though. It's obvious that you shouldn't trust that kind of data to a service in the cloud, even if you are sure that it's all encrypted. Where people will be caught out are in the grey areas - companies uploading assets or accounting data that their competitors can potentially get hold of and use to gain an advantage, for instance. Those people thought they were getting a service that would protect them and yet enable them to be more flexible in how they do business, I find it difficult to hold anyone but the company who lied about the service accountable for the failures here.

Re:Seconded

[DJProtoss]

close. encfs. Yeah it leaks some intel regarding #files and dir structure, but its much more sync friendly

Re:Seconded

[ammorais]

It’s not a matter of waking in the morning and say "Today, I'm going to screw over the little guy!"
It's a matter of waking in the morning and saying: "today, if I don't screw the little guy I'm screwed, because everybody does it, and I can't compete if I don't!!!"
It's the hole system that is broken.

Re:Seconded

[snemarch]

Why would you do such an ass-backward thing instead of using a decent zero-knowledge service like SpiderOak?

Re:Seconded

[PopeRatzo]

You can go look at the vault?

I only use small, locally-owned banks. And yes, you can look at the vault. You can talk to the bank's president and CEO. They are not "opaque".

When I bought my house, I only took the mortgage because they promised to keep the paper at the bank and not sell it on the secondary market. When I paid the house off 8 years later, they sent me a bottle of champagne and a handwritten note.

You don't have to eat shit because corporations tell you to eat shit, you know. There are often, not always, choices regarding with whom you do business.

Re:Seconded

[PopeRatzo]

Ideally, if you don't like the way a company treats you, you can choose not to do business with them, that is much harder with the government.

Very very often, you don't really have much of a choice of the companies you do business with. With the government, you can vote the people out of office. What can you do about the CEO of Exxon? You can organize, you can even run for office yourself.

All business is increasingly monopolistic.

Re:Seconded

[PopeRatzo]

I can't tell if you're serious or a parody account.

How would someone who's only been here two weeks know anything about a "parody account"?

Didn't they teach you anything during the orientation when you went to work for the "social media strategies" outfit? Or was it one of the FreedomWorks social media astroturfing seminars for teabaggers?

It's suspicious when a new account is created and it jumps right into the deep end of right-wing trolling.

Re:Seconded

[nabsltd]

It's trivially easy to find other examples.

These are all cases where regulation is in some way keeping the company from being "large". Once the company gains the extra market share, it will then push for more regulation to help stay at the top.

Essentially, only "small" companies favor deregulation (where "small" means "not the largest in the specific business area in which they support deregulation").

Re:Seconded

[nabsltd]

When I bought my house, I only took the mortgage because they promised to keep the paper at the bank and not sell it on the secondary market.

Why does it matter who you write the check to, if the terms stay the same (which they must for a mortgage)?

When I paid the house off 8 years later, they sent me a bottle of champagne and a handwritten note.

Unless you had problems with paying your loan and the local bank was more willing to work with you than some "large" company, you likely paid hundreds of dollars for that bottle of champagne. Being able to sell your loan if necessary will often enable a lender to give you a better rate, and even 0.25% less would amount to a lot of money.

Re:Seconded

[geminidomino]

Part of the reason may be that something seems to be wonky with spideroak's username/password handling...

Seriously, I could never get the same password to work twice. Not between different computers and not even to log into the website. Even when I set it to frigging "password" just to make sure I wasn't mistyping it.

After dicking with it for too many hours, I decided "fuck it" and set up a truecrypt file on dropbox after all. Ass-backward, maybe, but at least it functions.

Re:Seconded

[snemarch]

Sounds like you should have contacted SpiderOak technical support? They're pretty responsive on their forums.

Also, are you certain that DB + TC actually does work properly? Can it (reliably) sync a container that's in use, or does it only update one the container is dismounted? And does it always detect a container dismount and sync the file?

Re:Seconded

[geminidomino]

I couldn't GET to their forums without the password, even read-only access, and since I didn't have the computer with the client handy (since I was trying to set it up on the second box in another location), that was a non-option, not to mention kind of obnoxious.

As for DB+TC, it works well enough for my uses. It's never failed to sync up my container after dismounting, and I've honestly never checked if it did so while it was in use, though I'd almost prefer it didn't. When I'm working in the container, I'm usually writing, which means the container is updating every third sentence (yes, I'm a compulsive Ctrl-S'er).

Re:Seconded

[snemarch]

Good point wrt. the forums, I had forgotten you don't even get read-only access to them without a login/pass - that is rather obnoxious.

When I'm working in the container, I'm usually writing, which means the container is updating every third sentence (yes, I'm a compulsive Ctrl-S'er).

I got into that habit back in the amiga days, and it's saved me quite a few times :)

Re:Seconded

[PopeRatzo]

Why does it matter who you write the check to, if the terms stay the same (which they must for a mortgage)?

It matters enormously to me. If there were any problems, I'd want to be able to walk down and speak to a person. Have you ever tried to get information or straighten out a problem with Bank of America? Have you really missed the hundreds of stories in the media since the housing mess started in '07 about peoples' horror stories with BOA and other big banks?

you likely paid hundreds of dollars for that bottle of champagne. Being able to sell your loan if necessary will often enable a lender to give you a better rate, and even 0.25% less would amount to a lot of money.

Absolutely not. I paid exactly the same rate with my local bank as JP Morgan Chase offered me. I may indeed have paid "hundreds of dollars" for the champagne, but I'd have paid the same hundreds if I'd gone with Chase and I wouldn't have gotten the champagne, and I wouldn't have had the peace of mind of dealing with actual people.

If you're unfamiliar with incredible disaster that has been the secondary and tertiary mortgage market, let me know and I'll provide some links for you. Or you could use google to find them for yourself. Things like people who had paid off their house completely being foreclosed and having to spend tens of thousands protecting the house they owned. Having two or even three different servicing companies coming after people for the same payment. Things like that are the least of the problems. You've got people whose loans are entirely up to date coming home and finding thugs from the bank changing the locks on their front door. You've got servicing agencies at odds with the investors who bought the credit default swaps and lying to the borrowers just to up fees. And much much worse. These things happened thousands of times.

By having my local bank hold the paper on my loan, I can guarantee that my loan will never become part of some "bundle" with CDOs betting against me. I don't want to have some wealthy investors who have a great incentive to see me default.

But that's all in the past. My mortgage-burning party was back in the last century. I still do business with my local bank, though. When I started a small business, they didn't hesitate to give me a loan, even during a time when few banks were lending. I get all the online bells and whistles as Chase, without dealing with those bastards. Plus, my little local bank never needed a taxpayer bailout because they never lost money betting on some exotic derivatives. They were a bank, not some high-flying investment outfit.

I highly recommend people support local business for everything, not just banking. It just makes a lot of sense.

Re:Seconded

[geminidomino]

It's really irritating when I do it during web-posts. :)

Yay Lazarus, though.

Where's Al Gore and his "Lock Box"?

[retroworks]

Here I was feeling all certain that my data was secure, and it just turns out my information just isn't important or interesting enough to purloin.

Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.

Re:Where's Al Gore and his "Lock Box"?

[chill]

The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.

Re:Where's Al Gore and his "Lock Box"?

[rastilin]

That's all true but there's two issues in this particular case.

-- We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.

-- They're lying to get ahead in the market. That's something we need to discourage.

Re:Where's Al Gore and his "Lock Box"?

[Omnifarious]

First, you are wrong. The data in your account is interesting to a whole host of people, regardless of how insignificant you are. Maybe there's a credit card number in there. Maybe there's clues to your password. Maybe your social graph is interesting to a marketer. In this age, even an insignificant person's data is of interest to someone.

Secondly, DropBox lied. Plain and simple. They made a security claim that wasn't true and sold their service based on it. If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.

Re:Where's Al Gore and his "Lock Box"?

[gman003]

I just automatically assume that anything online is insecure until proven otherwise. My Dropbox contains backups of some open-source programs I'm making, and a bunch of photos I wanted to put online. My GMail contains no information more private than my third-tier passwords (ones for forums/newslists where someone hijacking my account would be harmless). My Facebook contains nothing more than my name and high school. My Twitter has no information at all - just my username. The only online service I keep anything valuable in is my Steam account - and that's mainly because I'm big enough in their community that I could cause enough bad press to harm them (not much, but enough), and because I have enough stored there that a lawsuit would be plausible (should they go out of business without releasing a DRM stripper as promised). And even Steam has the bare minimum of extraneous info - one credit card, a phone contact, and the aforementioned GMail address.

Re:Where's Al Gore and his "Lock Box"?

[pushing-robot]

I can understand the concerns about credit cards and bank info, but I don't really get why people are so freaked out about marketers learning a bit of generic info about their lives:

Person 1 -- Oh no! An advertising firm got hold of my semi-private information!

Person 2 -- That's terrible. What did they do with it?

Person 1 -- Well, they started showing me ads for things I might actually buy.

Person 2 -- Gods! Have these men no shame?

Re:Where's Al Gore and his "Lock Box"?

[adamofgreyskull]

We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.

You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)

Re:Where's Al Gore and his "Lock Box"?

[Haedrian]

That depends, is it home made stuff?

Re:Where's Al Gore and his "Lock Box"?

[hedwards]

And you seem to be assuming that the GP doesn't have midget furry gangbang pedo porn on his computer. That shit'll get you sent up for years.

Re:Where's Al Gore and his "Lock Box"?

[digitallife]

"If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well."

I'm sorry to be the one to inform you of this, but we already live in a world like that.

Re:Where's Al Gore and his "Lock Box"?

[hedwards]

Because it's not a little generic info about their lives. It's a small leak here a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.

It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.

Re:Where's Al Gore and his "Lock Box"?

[rastilin]

For the purposes of this exercise, let's assume that no one stores their credit card numbers on their computer in plaintext; even though we all know that's not true.

The porn thing is one thing I never understood, why would anyone bother? It's like they've never heard of the internet. I figure that some people will take anything not nailed down, a pretty solid reason that Dropbox should not give it's employees access to the user's stuff at all.

Re:Where's Al Gore and his "Lock Box"?

[gman003]

Let me put it this way: I have a fan club. Didn't ask for it - it just happened. I've got enough people who admire me that I could probably start a cult. I have had multiple people express a desire to bear my children.

As to how I got that way, fuck if I know. I haven't actually done much besides a few small mods, and chatted a lot. All I know is that if I say "Steam just ripped me off, those fuckers", I'd start a small riot. Torches and pitchforks would be wielded; Gabe Newell would be burned in effigy.

Re:Where's Al Gore and his "Lock Box"?

[rastilin]

It's an example of something no-one would give a damn about that people take anyway; because it's there.

Re:Where's Al Gore and his "Lock Box"?

[rastilin]

Probably because that never occurred to any of us... except for you. ;)

Re:Where's Al Gore and his "Lock Box"?

[rudy_wayne]

You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc...

Depending on the porn . . . . yes.

Re:Where's Al Gore and his "Lock Box"?

[namgge]

... and because I have enough stored there that a lawsuit would be plausible (should they go out of business without releasing a DRM stripper as promised).

So, you are planning to protect youself by suing the company after it has gone out of business? I have a bridge you might like to buy... Namgge

Re:Where's Al Gore and his "Lock Box"?

[retroworks]

Well, yes, they are lying and that is one point of the story, but most comments and most public alarm is off point. Assessing cloud security is like checking my mom's virginity. I assume everyone in the cloud lies about my security, and that anything I put in the cloud is at risk. As for "credit card" info, the credit card companies are NUMERO UNO in sharing personal info from credit card use. Everyone who says cloud data, or credit card data, is secure is lying. As for "porn", ha ha ha ha ha ha ha. All porn comes off the cloud, putting it back into the cloud is like passing a marked bill.

The issue is risk. The number one source of credit card number theft is waiters on drugs. USING a credit card is probably a greater risk than entering the credit card number onto a cloud database. Yes, people should not mislead about security, but they are led to mislead by the crazy "lock box" talk about any cloud information being secure, and this discussion proves the point.

Re:Where's Al Gore and his "Lock Box"?

[1u3hr]

You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)

A Hong Kong singer/actor who liked to take photos of girls spreading their legs and having having sex with him, several of whom were popular actresses/singers with "nice girl " images, sent his laptop in for repair....

See http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal

Re:Where's Al Gore and his "Lock Box"?

[delinear]

Yeah, I can't see any issue with someone knowing where I live, what expensive gadgets I like to buy and when I'm planning to be away on holiday - I mean if that data fell into the wrong hands, what's the worst that could happen?

Re:Where's Al Gore and his "Lock Box"?

[AmiMoJo]

Dropbox were claiming to be something quite different to most cloud storage providers. If you read the TOS for Google Picasaweb it says that they can use any photos you upload in advertising royalty free. That is pretty much par for the course for free cloud services. One would hope that Google sticks to its "don't be evil" motto and only looks as publicly shared photos but in theory even your private ones are fair game to them.

There is a handy Firefox extension for encrypting your Google Docs at your end so Google cannot read them: http://www.mightbeevil.com/securedocs/

Dropbox is supposed to make you feel safe when uploading sensitive data because it is encrypted and they don't have the key. Turns out that in fact they do have the key, at least for some files. People use Dropbox for off-site backups of personal data which is why they are upset, especially the ones who paid for it.

Re:Where's Al Gore and his "Lock Box"?

[AmiMoJo]

Even this seemingly innocent example could have negative consequences. Shared computers are the most obvious example, but advertisers also track by IP address so it can actually happen on a shared internet connection now. It might be as little as giving your partner a big hint as to what you are getting them for their birthday, or it might be as much as outing a gay person.

Browsing habits are a window into a person's mind that goes way beyond things like store cards that help shops track what you are buying.

Re:Where's Al Gore and his "Lock Box"?

[TheRaven64]

People use Dropbox for off-site backups of personal data which is why they are upset, especially the ones who paid for it.

Think companies, more than people. A lot will have contractual, if not legal, requirements not to share their customers' data with a third party. They look at DropBox, see that uploading there means that the data is still not accessible to anyone except them, and think that looks fine. Then they find that now they're liable for large amounts for violating contracts or regulations.

Re:Where's Al Gore and his "Lock Box"?

[Larryish]

Keep an eye on lowendbox.com and you might be able to fish yourself a $2/month non-US VPS server that has the necessary resources for Privoxy and a caching DNS server.

Re:Where's Al Gore and his "Lock Box"?

[Haedrian]

You wouldn't want some balding, hairy tech guy laughing at your 'secret method' do you?

Re:Where's Al Gore and his "Lock Box"?

[gutnor]

Work Agent are also Marketer. They are supposed to market you resume to prospective company. They like to do screening "on the cheap". The same (automated) tools used by carpet marketer could be used by work marketer. eg: they could find out that you are looking to buy a flat in a foreign country as a vacation residence. So you will receive ads for foreign mortgage, good thing I suppose. But your resume won't get forwarded to prospective company because you could be planning to move in a short while.

But well, back in reality, I doubt there are any tool in existence that can process the random content of a dropbox and extract some consistent / non-trivial result that may interest a marketer. The only useful info could be contact numbers, email addresses, various accounts, ... that is mostly interesting for spammer, phisher and government bureaucrat/contractors.

Re:Where's Al Gore and his "Lock Box"?

[heathen_01]

Is there any way of disagreeing with you without implicating myself?

Re:Where's Al Gore and his "Lock Box"?

[dwightk]

not to me

Re:Where's Al Gore and his "Lock Box"?

[LWATCDR]

The problem becomes one of usability vs security for things like dropbox.
If any service like Drobbox has a "recover password function" then they have access to the keys.
Unless someone knows a way to do it that I am over looking there is no way to have that cake and eat it too.
So if they say "Yes you data can be read by our system" people will not trust it.
If the loss of their password means the data is loss people will hate it and sue them for loosing their data. They don't have to win to make the case expensive and painful.
So they put in rules that their staff are forbidden to read the data and say that they can not read the data.
Sort of like how you are not allowed to come to work naked. It may be physically possible but their are rules to punish it.
Dropbox is good enough for my uses so I have no problems with it. It matches my expectations. If I want more security I well just encrypt the data on dropbox.

Re:Where's Al Gore and his "Lock Box"?

[gfreeman]

No, that would be me

i think i see the problem

"the encryption keys are in their possession"

Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?

If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.

Is it just me, or about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"

Re:i think i see the problem

[nedlohs]

It doesn't matter.

If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

It doesn't matter if they obviously lying, and anyone who knows anything about what they do can tell that.

Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

Re:i think i see the problem

[Junta]

I'm with you *except* the last line.

I doubt I'll ever trust a service providers storage encryption rather than applying a local, independent layer of encryption they can't circumvent, *however*, it isn't entirely unreasonable to believe a cloud solution could include meaningful encryption that would preclude even their administrators from access, *even* in the dropbox case with files being shared. Granted, doing so and doing it conveniently means they probably have an exposure (I wager that the client software submits the password to server for authentication and therefore a modified server could capture password and use that to decrypt keys, which is the most straightforward thing to expect), but doing it privately is not impossible (e.g. shift auth to send down a prospective client the private key, protected by passpharse encryption, and the ability to answer a challenge serving as proof of password with the server retaining nor ever receiving at any time neither password or the key in the clear).

All that said, I'll continue to use local GPG keys on any data I host anyware that I remotely care about. If I need to share, then I'll employ the public keys of those I need to share with. Taking security into your own hands *as well* as any protections offered by the storage provider is always your best bet.

Re:i think i see the problem

[hedwards]

No, it's not obvious that they have them, there's definitely ways in which they could do it which would prevent them from being able to access that data without your permission. Otherwise no provider of services could ever promise that level of protection without the FTC investigating. The fact that the FTC is investigating this now rather than any number of other companies previously is a pretty good indication that it's a reasonable expectation to have.

Re:i think i see the problem

[exomondo]

No, it's not obvious that they have them

Then who would you think has them? You know you don't and you're assuming they don't, so who does?

The fact that the FTC is investigating this now rather than any number of other companies previously is a pretty good indication that it's a reasonable expectation to have.

I think it's clear you either don't know enough about this story or don't know what a 'fact' is. A complaint to the FTC is not an FTC investigation.

Re:i think i see the problem

[icebraining]

I do have one key - the password; that could be used to encrypt the file before syncing them.

LastPass seems decent in that regard.

Re:i think i see the problem

[icebraining]

I wager that the client software submits the password to server for authentication and therefore a modified server could capture password and use that to decrypt keys, which is the most straightforward thing to expect

Well, the client could send an hash instead; it's what some other services do.

Re:i think i see the problem

[exomondo]

I do have one key - the password; that could be used to encrypt the file before syncing them.

LastPass seems decent in that regard.

You mean the password that can be reset if you forget it? Great idea.

Re:i think i see the problem

[VortexCortex]

Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

It may not cure cancer, but it used to calm the nerves, cure headaches, and put a smile on your face -- well, back when it was laced with cocaine.

Today, the only things it cures is low blood sugar and headaches due to caffeine addiction withdrawals.

It's really too bad, if we had allowed pharmaceuticals to stay in colas perhaps their massive global revenue reserves would have been available to advance cancer research and discover a cure; Thus, drinking coke would cure cancer.

P.S. To all against legalizing recreational drugs: I expect you to be pushing for the outlawing of caffeine and alcohol or shutting the hell up.

Re:i think i see the problem

[guybrush3pwood]

If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

Plato, is that you?

Re:i think i see the problem

[nedlohs]

Nope. Diet coke is what you want, those articial sweeteners are medical cure-alls.

Re:i think i see the problem

[exomondo]

Then who would you think has them? You know you don't and you're assuming they don't, so who does?

The Encryption Key Fairy?

she can't be trusted.

Re:i think i see the problem

[Kalriath]

LastPass? The service that got breached and had their password database stolen?

Re:i think i see the problem

[icebraining]

They had the database stolen, but since it was encrypted with the users' master password which LastPass didn't know, they are secure as long as the user used a decent password.

If anything the recent attack confirms the security of LastPass versus a system that knows your keys, like Dropbox.

Re:i think i see the problem

[snemarch]

Have a look at SpiderOak - a very nice thing about them is that, apart from applying zero-knowledge encryption, they have decent (techy!) explanation of how the stuff works. Pretty nice blog as well, with some interesting developer tidbits here and there. Disclaimer: I'm a SpiderOak user myself :)

Re:i think i see the problem

[Junta]

The problem here is that generally means knowing the hash is just as good as knowing the password. This is the point most of the people employing that strategy miss. It may prevent an attacker from sitting at a keyboard using to blessed interface, but their own client modded to send the hash without even prompting for a password would be no better.

Did they really lie to most people?

[eleuthero]

I ask the above question because I didn't start using Dropbox because I thought it was secure--I have class notes for teaching and notes for my personal studies in my account and these are for the most part publicly available anyway. I signed up because I was tired of having to fish out my backup CDs when my hard drives died on me (I still do a local backup though) and this part of their service is visibly not a lie and has saved me on at least two occasions in addition to the ease of sharing said notes with students when the file size is too large for our school's hosting service.

Did they lie to me about securing my data? Technically, yes, they did. Was this a factor in signing up with a cloud-based data storage service? Absolutely not. It never even occurred to me that they would actually secure my data to my level of satisfaction even with the claim that it was secure. It was in the cloud and accessible by whichever script kiddy wanted it. Since this was my operating assumption going in, I can't say I'm surprised that Dropbox has been caught in a lie, nor am I concerned (lying seems to be endemic in our society, unfortunately, but I've grown enured to it). On the other hand, now that they've been caught, I am interested in how they will respond--this could impact my use of their service.

Re:Did they really lie to most people?

[adolf]

Did they really lie to most people?

They're still lying. From https://www.dropbox.com/features>https://www.dropbox.com/features:

Dropbox protects your files without you needing to think about it.
                       

• 
                                 
• Dropbox keeps a one-month history of your work.

•                                

• Any changes can be undone, and files can be undeleted.

•                                

• All transmission of file data occurs over an encrypted channel (SSL)./li>
                                 
• All files stored on Dropbox are encrypted (AES-256).

•                        

I maintain that I, myself, am boring enough to not be bothered with folks potentially perusing the stuff I store on Dropbox. But it's still a lie -- it has been shown to be hardly protected at all.

Re:Did they really lie to most people?

[Ash-Fox]

All transmission of file data occurs over an encrypted channel (SSL)

Other than that one, not seeing any other lies.

Re:Did they really lie to most people?

[shmlco]

"All files stored on Dropbox are encrypted (AES-256)."

Well, the op states, "...but in fact, as the encryption keys are in their possession...". As such, the statement can easily be true. The files *are* stored in an encrypted format.

In fact, if you think about the "shared" features of their service, folders and files, they would HAVE to be able to access them and decrypt them, otherwise they could not be shared.

Re:Did they really lie to most people?

[Bert64]

Those claims are not lies, they are simply misleading...

Saying they "protect" your files may refer to the undeletion and history feature.

Similarly, they do encrypt your files with AES256, what they neglect to tell you is where the key to that encryption is stored.
There are all kinds of security standards out there which require encryption too, but don't make any constraints about how the keys should be handled etc.

Re:Did they really lie to most people?

[adolf]

Meh.

Pretend, for a moment, that I am not well-versed in encryption concepts.

Dropbox says that they will protect my files, and that they can also share them with others at my choosing.

I, being ignorant of encryption concepts (as most folks certainly are), do not see the two concepts as being mutually exclusive, even though they plainly are to those with more clue.

Therefore, I (the ignorant layperson) am mislead.

This might not seem important to the Slashdot crowd, but Dropbox is being marketed at common folk, not just those who have any sort of technical prowess.

And it seems to me that the general populace is still being mislead...which, of course, is just a different term for being lied to.

"Dropbox protects your files without you needing to think about it."

Re:Did they really lie to most people?

[delinear]

It depends on the context. When you say someone's data is "protected" and you're talking about a cloud service, it's inherent that you're talking about making it difficult for others to access that data, not making it difficult for you to accidentally delete it. That's pretty much a fraudulent statemen. It's not marketing fluff, it's not a misunderstanding, it's saying a specific thing that you know people will interpret a specific way (even if you have a CYA "but I actually meant it this way..." excuse lined up) while knowing it to be untrue.

Re:Did they really lie to most people?

[xnpu]

This happens all the time though. In our manufacturing we're often asked to treat our products with chemicals that could add certain benefits. Customers make it quite clear though that we should only treat it to the extend required by the claim, e.g. "treated with XYZ, an ABC-purpose agent". They're not actually interested in having XYZ work to the point where it gets to ABC.

Re:Did they really lie to most people?

[snemarch]

Eloquently put, and I hope people will realize the importance of this - even if it's something DropBox can legally get away with.

Re:Did they really lie to most people?

[david_thornley]

It is difficult for others to access the data. It's well encrypted, and as long as DropBox does good key management it's going to be difficult to get the key. I find it plausible that most DropBox employees have no access to the key storage.

We'll have to watch this one

[ALeader71]

Who knows, this may be a case of "lier lier" like the phantom tracking software story from last month.

Samsung Laptop Keylogger

Re:We'll have to watch this one

[belthize]

http://dictionary.reference.com/browse/lier

The phantom tracking software is just waiting to get you.

I closed my dropbox account.

[mustard5]

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update, without any significant notice to me that they had done so. At the time I considered this extremely rude behaviour on the part of the company. I am glad they are getting some bad press, as there are much better alternatives out there that could do with some business. Wuala, for example, is the alternative I chose. It encrypts everything on the client side before its uploaded. I don't think it's acceptable for dropbox to lie about security of my data, nor is it acceptable for them to make alterations to my configuration files without first asking me.

Re:I closed my dropbox account.

[Ash-Fox]

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

Re:I closed my dropbox account.

[mustard5]

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

The package manager has root.

Re:I closed my dropbox account.

[LoudNoiseElitist]

Wuala is making the same claims that Dropbox made. How do we know they aren't lying? In addition, 1gb of space for free unless I "trade space on my drive" (i.e. my bandwidth) or pay. I'll pass and stick to my 10gb for free, even if I do have to encrypt it myself. It's not like I'm dumb enough to upload sensitive documents to the cloud in the first place. Did they lie? Sure, although I think it was more just bad wording, and they fixed it when it was brought up. Is it still a badass service? Yes, and it's still kicking the shit out of other similar services. Also, lock your system down a bit more. Quit running things as root.

Re:I closed my dropbox account.

[mustard5]

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

Please refer to this Dropbox forum thread, regarding alterations made to /etc/fstab http://forums.dropbox.com/topic.php?id=29809

Re:I closed my dropbox account.

[mustard5]

Actually if you get a referral from a current user of Wuala you get an extra 1GB for free. The trading of space is an innovative feature for two reasons. 1. It uses distributed storage 2. You can get more online space for free Do you share bandwidth when you use a torrent? It's the same concept. I can say from personal experience that the bandwidth used is minimal.

Re:I closed my dropbox account.

[LoudNoiseElitist]

Right, but I'm not continually sharing that torrent bandwidth forever. With most major ISPs in the US switching to bandwidth caps, that's not something I want to deal with. Ideally, I'd end up rolling my own solution, but for now, Dropbox works fine.

Re:Employees have access?

[belthize]

Which would be fine if they said "Our employees have access to your data through key escrow in the event you forget your passphrase". If what you're storing is random pictures or some such that's quite likely good enough.

Some companies don't want that and give their business to companies that say "Key escrow is your problem, it is physically impossible for our employees to read your data". They tend to pay more for that service.

Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.

Security is NOT an issue with The Cloud.

Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

Re:Security is NOT an issue with The Cloud.

[RightwingNutjob]

My guess is all your documents are encrypted with ExecuSpeak already. So you're good.

Re:Security is NOT an issue with The Cloud.

[node+3]

The good ol' "let's mock the victim here for not being as smart as me" routine.

Re:Security is NOT an issue with The Cloud.

[e9th]

That's what I thought reading yesterday's Confessions of a Computer Repairman thread.

Re:Security is NOT an issue with The Cloud.

[jonamous++]

I'm both amused and concerned that I've heard statements similar to the ones that you have made at my own workplace. *sigh*

Re:Security is NOT an issue with The Cloud.

[formfeed]

The good ol' "let's mock the victim here for not being as smart as me" routine.

No. If I mocked everyone not being as smart as me, I wouldn't get anything else done.
I only mock for "not being as smart as me but thinking to be way smarter than me".

Re:Security is NOT an issue with The Cloud.

[Stumbles]

Great analysis there but I think you need to throw in a few more acronyms. Other than that, spoken like a true manager that has no clue.

Re:Security is NOT an issue with The Cloud.

[Darinbob]

It is acceptable to mock fools who claim they are wise.

Re:Security is NOT an issue with The Cloud.

[cultiv8]

You forgot to trademark "The Ultimate Platform".

Re:Security is NOT an issue with The Cloud.

[Neil+Boekend]

I think I am a fool, but then again, you haven't really met me (I'd guess).

Re:Security is NOT an issue with The Cloud.

[digit1001]

You forgot to mention that so long as it's available in your dashboard, you're comfortable with it.

Re:Security is NOT an issue with The Cloud.

[TheRaven64]

We've no learning, and most people say we're twp. But we're not so twp as to not know that we're twp

More reason to build your own

[fak3r]

I hope this makes more people consider running their own system to handle this, lipsync is trying to provide that, it's on github https://github.com/philcryer/lipsync

Re:More reason to build your own

[fak3r]

Actually yes, first of all it handles communication and data transfer over SSH, so that part is covered, but right now it just mirrors the files, I want to look into using something like Truecrypt and have it mirror that to provide a true encrypted space that can be shared like Dr0pbox... need to write it up as an issue, they're piling up!

Re:More reason to build your own

[obi]

How about encrypting the data on the client-side before sending and/or storing it. Then you wouldn't have to rely on any server side encrypting, and the users wouldn't need to worry about whether the server gets hacked or goes rogue.

Re:More reason to build your own

[SlightOverdose]

rsync based solutions are a dime a dozen, however they don't really replace a full Dropbox implementation.

One of the key features of Dropbox is versioning (the ability to restore deleted files, and roll back files to previous iterations). There are very few solutions out there that do this at all, yet alone as well as dropbox does

Re:More reason to build your own

[m95lah]

Well, I've set up my rsync-based solution with incremental backups, using the link-dest functionality (just google for rsync and link-dest and you'll get to the same info I got).

Basically it allows me to have directories on my server which has complete snapshots of my data. But rsync works it out so that files that are the same (and have not moved) are really the same file, using hard links.

So it can be done with rsync.

Re:More reason to build your own

[Pascal+Sartoretti]

Or put encrypted files in DropBox.

Re:More reason to build your own

[inkydoo]

While that would be awesome, lipsync is a looong way away from being like dropbox.

Spideroak is a good alternative

[akamad]

Spideroak is a better choice. All data is encrypted on the client side and sent to the server. The Spideroak servers do not store your passphrase, thus it is impossible for them to access your data . The obvious downside is you can't afford to forget your password as you cannot reset it.

Re:Spideroak is a good alternative

[SlightOverdose]

SpiderOak has some serious security issues of its own.

1. The desktop client allows you to change the password without entering the old one. This means that if somebody steals your laptop, they can lock you out of your own account. Permanently.

2. I forgot my password on an account, and emailed support requesting an account reset. They happily complied without verifying in any way, shape, or form that I was the owner of the account. I didn't even send this request from the same email account that was attached to the account.

Major issues like this make me think their understanding of security is not as rock solid a they think it is, and makes me question how good their encryption is.

The desktop software is also woefully bad to the point of being unusable, their service is slow (at least from Australia), and their "Sync" support doesn't work particularly well.

Re:Spideroak is a good alternative

[hedwards]

I noticed that, I haven't actually given it any files yet, but I did notice that it didn't ask for my old password in order to change it. I'm probably going to uninstall it if that's how that works. But, considering that I'm more interested in it for syncing than for storing, it's not quite a done deal.

Re:Spideroak is a good alternative

[SlightOverdose]

Give Wuala a go. It supports client side encryption, and is much more polished then Spideroak.

Re:Spideroak is a good alternative

[SlightOverdose]

It was definitely Spideroak.

They didn't reset the password, they reset the account. (Essentially they deleted the account and allowed me to sign back up again under the same email address).

Naturally none of the data was been recoverable, however they happily deleted the account without verifying I was the owner.

Re:Spideroak is a good alternative

[MikeOttawa]

Wuala is great. The client is getting better all the time, and it encrypts/decrypts on the client side. As long as you keep supplying disk space (and obviously bandwidth to access it) they will up your storage. You can even merge multiple PC's together to beef up the storage on your account.

Re:Employees have access?

[artor3]

Did they ever say that though? If you RTF complaint, the closest they ever came to making that claim was this line:

"Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)"

I suppose if you tilt your head and squint, that could mean they don't keep a copy of the keys. I read it as the guys on the floor can't log into your account and snoop around.

Re:Employees have access?

[Tacvek]

Except of course that the level of security they claimed was completely implausible, given that you can download arbitrary files from the web interface, meaning the key could at best be encrypted by the password, and they also have a "forgot your password" service, meaning the key could not even be encrypted by your password.

Therefore, at best, they may have a policy that for normal support purposes the keys are off limits, and only the non-encrypted metadata is accessible. But obviously access to the files by their employees is quite possible.

Re:Employees have access?

[Ectospheno]

Wow. You either didn't read the complaint or you are retarded.

Spideroak lies as well

[gweihir]

Quote: "SpiderOak was designed and implemented by Engineers with a background in fault tolerant systems with a margin of error of 0.0000%." This is either a bald-faced lie, or the background of those "Engineers" is that they failed the statistics exam.

Re:Spideroak lies as well

[dwightk]

doesn't 0.0000% equal 0.000049999999999999999%?

Re:Spideroak lies as well

[gweihir]

Not at all. If all digits are zero, then it is zero all the way, _unless_ a precision is specified. Even then giving such a number would be a lie, if a more sophisticated one.

Re:Spideroak lies as well

[dwightk]

that makes sense

Re:Spideroak lies as well

[LWATCDR]

Not to an engineer it doesn't, you never round to all zeros.

Also the complaint is based on a lie

The advantage of Dropbox is that is the only service to sync files on the cloud that is multi-platform, the competition is Windows, or MacOSX. No one is Linux, windows, MacOSX, Android and IOS at the same time as Dropbox.
In my particular use I do not need security, but I have to access to my data in very different environments.

My vision is that security in the cloud is an oxymoron.....

Re:Also the complaint is based on a lie

[mysidia]

The advantage of Dropbox is that is the only service to sync files on the cloud that is multi-platform, the competition is Windows, or MacOSX.

That advantage exists, because the competition did not have resources to devote to multiplatform development. Perhaps they were devoting those resources towards developing the cryptosystem that would meet the standards advertised by Dropbox, instead?

Re:Also the complaint is based on a lie

[hedwards]

Um, spider oak does that as well. Granted spider oak has its own security problems, Dropbox is hardly the only option. Plus, if you really want to be secure, you can always roll your own solution.

Re:Also the complaint is based on a lie

[llwang]

I just checked, Wuala can also be used from Windows, Mac, Linux, Android, and IOS at the same time.

Re:Also the complaint is based on a lie

[david_thornley]

There is no possible cryptosystem that can allow server-side key management and allow the resetting of passwords, without allowing any server-side employee to access the key. There are possible organizations that will prevent anybody from accessing the data under normal conditions, and for all I know DropBox has those, but they can't be perfect. Whether that counts as "our employees can't access your data" or not is questionable.

Re:Also the complaint is based on a lie

[mysidia]

There is no possible cryptosystem that can allow server-side key management and allow the resetting of passwords, without allowing any server-side employee to access the key.

Sure there is... allow reset of the password through answering a secret question. The secret answer is used to compute a hash which can be used along with a system key to decrypt an "account recovery key", which the user chooses to store the primary key encrypted so that the account recovery key can decrypt the backup.

Re:Also the complaint is based on a lie

[david_thornley]

In other words, a second strong password. A question like my mother's maiden name or the name of my first pet will yield fairly predictable results, hence a brute-force attack is likely to work.

Re:Also the complaint is based on a lie

[mysidia]

In other words, a second strong password. A question like my mother's maiden name or the name of my first pet will yield fairly predictable results, hence a brute-force attack is likely to work.

Yes, an answer could be guessed for a question like that. Being strong, and an employee having access to it, are two different topics, however. It can be weak without an employee having access to it (to the extent an employee cannot gain access to the paired key and make a brute-force guessing attempt).

the problem with the cloud in simple terms

[RobertLTux]

What Happens When it RAINS??

Re:the problem with the cloud in simple terms

[Yvanhoe]

I should do a poster with that slogan.

Not really a surprise here.

[KevC1973]

It's taken this long for a PHD and highly regarded security person from the FTC to figure this out? I knew this two years ago when I spent a few minutes reading the Dropbox featureset and noticed that you could share files with other users. Point-blank, this was a sure sign that they had encryption keys. The only surprise here was that people actually take Soghoian's complaint in high regard because of his PHD and that he was the FTC's first real cyber-ninja. I say they (the FTC) need to raise the bar on their hiring standards if this is the best they have. Oh yeah, I don't agree with what Dropbox is doing, but hey if you want security you need to look to business grade services and not the consumer level crap. http://www.silicon-vision.com/wp/why-the-ftc-need-to-raise-the-bar-on-their-hiring-standards/ kc/

Encrypt it yourself prior to upload like I do.

[elucido]

Just encrypt your files before uploading them to dropbox. Use GNUPG, or a Truecrypt container.

GNUPG

[elucido]

I'd say has a better track record than TrueCrypt only because GNUPG is open source and you can see the code.
Basically the encryption is just fine, just create a soldier, encrypt it, then sync it. It might be possible to set the folder to auto-encrypt on the client side and upload encrypted via sync.

Re:GNUPG

[black3d]

Err.. TrueCrypt has always been OpenSource (http://www.truecrypt.org/downloads2), so if that's what you're basing your idea of a "better track record" off, that makes them - equal. In actual USAGE, TrueCrypt has a more extensive and better "track record". Perhaps you were thinking of DriveCrypt.

Individual File Encryption?

[MobileTatsu-NJG]

Would using password protected .RAR or .ZIP files be relatively secure?

Re:Individual File Encryption?

[blueg3]

A TrueCrypt volume is secure and reasonably portable.

Re:Individual File Encryption?

[MobileTatsu-NJG]

A TrueCrypt volume is secure and reasonably portable.

For me, sure. But one of the things I use DropBox for is to send files to a coworker who isn't as computer saavy. I can get him to enter passwords but my fear is, and maybe you can help me figure out that it's unfounded, that I'll show him how to use TrueCrypt then after 6 months of not using it he'll forget how to do it.

Re:Individual File Encryption?

[snemarch]

For .zip, it depends on the .zip version your compression tools support. Old-style zip password protection is definitely insecure, but more recent versions have AES support; haven't checked if the implementation is decent, though.

Also, RAR might be a proprietary system, but decompressor source code is available so the implementation can be checked. It supports encryption of file data as well as metadata (at least the file names).

Supplier Beware

[retroworks]

Spideroak, Googledocs, Dropbox, Credit Card users... "buyer beware" is now "supplier beware".

Re:Supplier Beware

[snemarch]

How does "supplier, don't lie" sound to you?

"Lied" is a strong word.

[ThomasBHardy]

"Lied" is a strong word. I more readily believe that there is a disconnect between the techs at Dropbox and the marketing guys than believe that it was done intentionally. Being incorrect makes them dumb, or out of touch, not necessarily malicious.

Re:"Lied" is a strong word.

[chill]

"Lie" doesn't imply maliciousness, it implies knowledge. It means they KNOWINGLY stated something that is false, as opposed to simply stating it in erroneous belief or assumption.

I don't buy the whole "disconnect" between the techs and marketing. Too often marketing fosters the disconnect to give them plausible deniability.

Besides, the Terms of Service were written by the lawyers, not the marketers, and it is their job to make sure it is correct.

Re:"Lied" is a strong word.

[dzfoo]

You seemed to have missed the point. Read the article from Wired to get an idea.

There are other services that actually provide what DropBox was claiming, and they necessarily have a higher cost of doing business due to the additional technical measures that need to be implemented. Moreover, such measures limit the extent to which the organization can use cost-saving techniques such as "hashing."

These additional costs may translate into increase prices for consumers. However, irrespective of this, since DropBox only claimed to offer such security measures, they incurred none of the costs associated with them. Therefore, they clearly and artificially gained a competitive advantage through the use of false advertisements.

The fact that stood to--and did--gain substantial advantages in trade by making misleading claims, suggests that there was intent, and thus unmasks an organization that has no respect for the law, no qualms about lying to its customers, and no interest in the actual security of their services.

That is the point.

          -dZ.

Re:"Lied" is a strong word.

[wastedlife]

"Lied" is the correct word, even if it was not done with malicious intent. I am a user of Dropbox, and from the start realized the claim that nobody can access my files without the password was incorrect or at least poorly worded. For one, the client does not appear to store the user's password. Secondly, you can access the files via a web interface and can share files publicly or with other Dropbox users. Lastly, it would be impossible to perform deduplication if each user's data was encrypted separately. Sure, there may be policies and separation of information preventing employees from accessing files, but there has to be a single key in order for that infrastructure to work. The bottom line is, if you are storing sensitive data, make sure it is encrypted locally first. Dropbox synchronizes only changed blocks, so Truecrypt volumes work well. You do have to disable the security feature that prevents the file system from updating the modification timestamp, though.

Re:Employees have access?

[exomondo]

Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.

Oh come on, you're telling me you believed the key was your responsibility even though you had no key? You didn't even have any non-volatile private data that could be used as an encryption key, the only private data is your password, which can be reset, so obviously you can't use that.

Shhhh!

[AliasMarlowe]

A blank page is even more secure than an encrypted one because the enemy will never be certain they aren't just missing something.

Hey, don't give the security consulting game away!!!

Secure virgin

[AliasMarlowe]

Assessing cloud security is like checking my mom's virginity.

Well, Oedipus, I doubt if she'd let you... especially if she really was a restored virgin.

Could I still join any class action?

[oDDmON+oUT]

Since I believe that accepting any company's claims about a free service will get you... well ... what you pay for; I tend to be proactive.

The first thing I did after creating my Dropbox account was create a 1.9Gb read/write sparse disc image with AES 256 encryption and a strong password, which is stored on in the keychain of each machine needing to access the data.

So even though Dropbox can access my account, they couldn't see what's in my image.

Would this obviate my ability to join any legal proceeding resulting from the complaint and investigation? Just askin'.

Re:What do you expect?

[delinear]

You're a system admin and your answer to security in the cloud is to obfuscate your filenames? Ye gods...

Hard to see how they could do it any other way

[DrXym]

The problem with Dropbox is the user id and password used to log into the service are also the credentials for obtaining the data. It's hard to see how they could implement server side encryption with the current model. After all, all they need to do is reset the password on the login id or extract whatever key is used to store the data on their servers.

It's a security tradeoff - convenience over encryption. Anyway if they publicly said it was impossible to see the data they need to get a bit of a slap. I hope what they meant is their employee's roles are separated in a way which means it's difficult for any one person to obtain all the pieces they need to view the data and even if they did they'd be detected by numerous database / network triggers and thrown out the door. Even so I think most technically or criminally minded people could just implement their own security on top, e.g. a very simple way is to store stuff in an encrypted zip or 7-zip file. I reckon most people don't bother though and that's where the problem lies.

Perhaps the answer for Dropbox is to implement a second level security where users can generate their own keys to secure certain folders. The keys remain in the user's possession on the client side. Data including file names & folder structure would be seamlessly scrambled / descrambled on the fly. It might preclude that folder from being accessible over the web interface and the user would be responsible for figuring out how to get the key onto every device they use, but it would allow Dropbox to say they support fully encrypted data that their staff really cannot see.

Re:Hard to see how they could do it any other way

[davide+marney]

Mod parent up -- we should look at this from a security/convenience angle. Dropbox offers many conveniences such as automatic versioning, backups, synchronization, cross-platform etc., and at a price that just about anyone can afford. For 99.9% of my files, I'm content with my files being encrypted by Dropbox, and de-duped as needed. It's the equivalent of locking my car -- not enough protection against a pro, but enough to make someone else an easier target. All my truly private files are locally encrypted before being stored in Dropbox. Best of both worlds: security and convenience.

Re:Hard to see how they could do it any other way

[snemarch]

I personally don't have a problem with how the DropBox service works, there's definite advantages to it in terms of convenience. What I have a problem with is that they lied about the security; it's obvious to the technically minded of us that cross-account deduplication can't happen with DB having access to your files, but that's not obvious to your regular Joe Enduser - and that's who DB is marketed to.

Even with the privacy statement update that means DB aren't technically lying anymore, it's still a very small and innocent-looking part, and they're still plastering terms like "secure", "SSL" and "AES 256 encrypted" all over the place. Misleading much? Yeah.

Re:Hard to see how they could do it any other way

[Ash-Fox]

and at a price that just about anyone can afford.

Sadly I fall into the category where my storage needs are quite expensive for dropbox to be really useful to me. That said, I use it for limited collaborations still, I have yet to find a better alternative.

Re:Hard to see how they could do it any other way

[DrXym]

Even with the privacy statement update that means DB aren't technically lying anymore, it's still a very small and innocent-looking part, and they're still plastering terms like "secure", "SSL" and "AES 256 encrypted" all over the place. Misleading much? Yeah.

Well at the end of the day all my transactions to my bank are secure, encrypted etc. If I worked in the bank I can still look up someone's accounts and it's probably trivial to empty their account if I wished to. Of course if I did that I'd get sacked and then sent to jail. The punishment for looking at files in dropbox is likely less severe under law but I'd still get sacked and possibly sued if I harmed the company's reputation.

I think at a minimum Dropbox should encrypt their data on the backend and split out the roles so they're balanced and with oversight so that no one person gets to know enough to do serious harm to the service. That's the usual way to make a secure system.

Ideally however they should encrypt data stored in the backend with a key unique to the person. The only exception might be public content. It means someone in their db or production group can't idly snoop the files looking for porno pics, financial statements or anything else of personal value. Better yet would be to allow the user to control the key if they wished (but at the expense of inconvenience) so it's not even stored on the Dropbox servers.

Re:Hard to see how they could do it any other way

[snemarch]

Well at the end of the day all my transactions to my bank are secure, encrypted etc. If I worked in the bank I can still look up someone's accounts and it's probably trivial to empty their account if I wished to.

• 1) your bank has probably never denied that employees have this kind of access.
• 2) I'm much more likely to trust a bank to have proper access control and audit trails than DropBox, especially because of the previous lies.
• 3) IANAL, but I expect there's some pretty heavy regulatory stuff in the case of banks.

Ideally however they should encrypt data stored in the backend with a key unique to the person.

That what other services do, but I don't think DropBox is going to - cross-account deduplication saves them a fair amount of storage space and bandwidth. It's fine they do this, as long as they're not trying to hide it... and IMHO they're still not being very open about this, even with the privacy info update and all.

Re:Employees have access?

[belthize]

I'm not telling you any such thing. I have no data on dropbox and would never give them any anyway.

While I agree the end user/corporation has a responsibility at some level to understand the technology Dropbox has a responsibility to be honest about their product and not make claims about data availability that are untrue.

Re:Naive

[herojig]

Exactly. Dropbox is one of many "Facebooks" of cloud storage. I wonder what Evernote is doing... but not that I really care. I would not put sensitive data in the cloud without providing my own security first. I've used Dropbox, and kudos to the drop-outs for designing something so drop-dead simple to use, as compared to say iDisk in Mobileme, which I assume was designed by folks with advanced degrees.

PSN data leak / outage

[vlm]

Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files.

Finally, some coverage of the root cause of the Sony Play Station network outage / data leak. Thanks /. !

Slightly off topic, but...

[Tuan121]

I saw someone mention lipsync as a dropbox alternative. Sorry to be a bit offtopic, but I was hoping someone had a recommendation for a 1-directional real-time file syncing software for Windows (bi-directional would be fine too of course, but that isn't a requirement. And if it was just a linux one but worked amazing I would be glad to know about that as well). I have just not been able to find any good real-time syncing that will do updates after each change.

I know there are plenty of syncing where you just put in the source & dest folder and sync away, however those are never meant for real-time syncing and have serious downsides. And furthermore, I need one built with syncing over the internet in mind where upload speeds may be sub-par.

For this type of setup, what I would see as being necessary is having both server and client software communicating and sending the appropriate file modification messages to each other to know when and what to sync, thus giving it the ability to be very light on the data transfer and quick on the updates.

The setup I always see in programs is the program only running on one side, meaning to do any regular syncs it needs to constantly re-download/re-create the source and/or destinations entire file structure each time to do comparisons. Even if it prestores some XML files with the current data and just does updates, it still ends up needing to send say 30-40megabytes of data in my case each time. This is obviously not very efficient, and when syncing large file systems with so-so upload speeds, it's simply impossible to do anywhere near real-time backups.

Any recommendations would be great.. I'm sure there have to be programs out there I just can't find any. All i want is:
A) Local computer for drive/folders to be monitored when changes are being made "server"
B) Remote computer, "client"
A starts up, needs to do a full sync with client B at first to make sure everything is up to date. Then A continuously monitors folder/drive, any modifications/new files are sent to B. B confirms the new changes are done before new updating occurs. B always contains data from A.

Simple as that. Thanks for any help!

Re:Employees have access?

[Just+Some+Guy]

I read "Dropbox employees aren't able to access user files" as "Dropbox employees aren't able to access user files", not "...unless they really want to."

Re:What do you expect?

[rjstanford]

You're a system admin and your answer to security in the cloud is to obfuscate your filenames? Ye gods...

Its like locking your car doors. There are so many juicy targets out there that all you have to do is not be the low-hanging-fruit. Will obfuscating filenames stop a dedicated inspection of your data? Of course not. Will it stop a bored sysadmin looking for porn (the original example)? Probably, because there will be thousands of obvious targets to go after instead of yours. He's not interested in your porn, but rather some illicit customer porn.

Not everywhere needs to be Fort Knox to be reasonably safe from casual penetration.

Re:Employees have access?

[exomondo]

I'm not telling you any such thing. I have no data on dropbox and would never give them any anyway.

Then how can you say they were claiming to do something that they so obviously weren't doing? They weren't specific about how it works so it isn't safe to assume anything and obviously if they didn't give you an encryption key then they must have it.

Pre-encrypt the data

[Compaqt]

Does anybody know if you can just pre-encrypt data, and set that as your "backup directory" before you send it off to Dropbox, Carbonite, or whatever?

Truecrypt is not open source.

[elucido]

It has not been approved by OSI.

Re:Truecrypt is not open source.

[black3d]

Software doesn't have to be approved by the OSI in order to be open source. In fact, end-products are not, by definition, "approved by the OSI". Licenses are. http://www.opensource.org/licenses/index.html

For your review, here is OSI's own definition of what Open Source means: http://www.opensource.org/docs/osd. Truecrypt meets every one of these criteria. According to OSI, software which meets these criteria is open source. However, of course, it's not licensed to carry the OSI "logo" as their license hasn't been scrutinized by the OSI.

Again, trying to be helpful in my correction. Let's review. You state "Truecrypt is not open source", whereas it is open source by OSIs own definition. You state "it has not been approved by OSI", but products are never approved by OSI. OSI examines licenses, not products. So, the closest to a correct statement you could get, would be:

"Truecrypt is open source, however its license has not been approved by the OSI, therefore I choose not to use it."