Slashdot Mirror


Dropbox Accused of Lying About Security

lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."

44 of 265 comments

  1. Good by gadzook33 · · Score: 5, Insightful

    As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.

  2. Call me back... by bannable · · Score: 4, Insightful

    ...when there's an actual investigation. Why the hell is it news that someone made a complaint?

    --
    "If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
    1. Re:Call me back... by inpher · · Score: 5, Informative

      One reason is that the person making the complaint is Christopher Soghoian, a heavyweight when it comes to computer security.

    2. Re:Call me back... by Renderer+of+Evil · · Score: 2

      Point is, he has exposed their lies and it made the rounds on all tech news sites. His research compelled an FTC investigation.

      What have you done?

  3. Seconded by Niobe · · Score: 2

    Absolutely right. Couldn't believe the laughable security system when it came out. Has anyone else converted all their dropbox folders to truecrypt volumes?

    1. Re:Seconded by 0100010001010011 · · Score: 2

      Not all of them. Anyone accessing my 'Projects' Folders wouldn't find anything that wasn't on my GitHub. Nor would they get much out of my "Spring 2011" homework folder.

      Good luck getting at my "Taxes.tc" file.

    2. Re:Seconded by PopeRatzo · · Score: 2, Insightful

      Also, before someone comes in blaming the whole cloud thing again, it's not the fault of "cloud". It's a fault of a lying company.

      It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation. The more de-regulation, the more damage they will do.

      Corporations are golems, with the single imperative to profit at any cost. The potential for profit increasingly outweighs any risk involved in negative behavior. And when you get big enough, say Exxon big, there's no risk at all.

      And it is a little bit the fault of "the cloud". I can go down to my bank and look at the vault. I can read the government-backed FDIC insurance on my deposits and the FDIC has never, ever failed. All we can do is hope that what the cloud companies tell us about security is true. How could we possibly verify?

      --
      You are welcome on my lawn.
    3. Re:Seconded by node+3 · · Score: 2

      But you didn't. It's much easier to *say* how you'd do something than it is to actually do it.

      If you really could do so much better, why haven't you done so? Seems like a good way to make a few million, if it's so simple...

    4. Re:Seconded by fuzzyfuzzyfungus · · Score: 3, Insightful

      According to TFA's description of the problem, the issue wasn't one of technical acumen at all.

      In order to be able to do deduplication across their subscriber base, rather than per-user or none at all (likely making for considerable disk and bandwidth savings across a service of their size), Dropbox failed to (usefully) encrypt user files and introduced a fun side-channel attack where anybody can determine whether somebody else has a file stored, just by attempting to upload it and then sniffing the wire to see if it takes the expected upload time, or just a tiny amount of hash comparing to "upload".

      Technologically, they didn't exactly advance the state of the art in crypto to power their service; but the issues at question appear to be technologically competent enough, deduplication across the largest set of files possible is a perfectly sensible way of reducing storage and bandwidth costs, it's just that they then proceeded to sharply oversell the amount of actual privacy they were providing.

      Given that education doesn't seem to have much effect on honesty (unless you count the courses of study that probably make you worse...) I'd be inclined to say that it is irrelevant to the problem at hand.
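
The deduplication trade-off described in the comment above, as an added example that is not part of the original thread and is not Dropbox's code: a toy in-memory server (all class and function names are hypothetical, keys and file contents are constructed) replays the same uploads with content-only tags and with tags keyed per user. It models only the dedup index, not encryption of the stored bytes.

```python
import hashlib
import hmac

# Constructed sample data: one file that both users hold, and per-client secrets.
SAMPLE = b"constructed sample document " * 100
KEYS = {"alice": b"A" * 32, "bob": b"B" * 32}


class Server:
    """Toy storage server: a client offers a tag and sends bytes only if it is unknown."""

    def __init__(self):
        self.blobs = {}  # tag -> stored bytes

    def upload(self, tag, data):
        """Return how many content bytes had to cross the wire for this upload."""
        if tag in self.blobs:
            return 0  # deduplicated: the server already holds this tag
        self.blobs[tag] = data
        return len(data)

    def stored_bytes(self):
        return sum(len(b) for b in self.blobs.values())


def global_tag(user_key, data):
    """Cross-user dedup: the tag depends on content only, so every user shares one index."""
    return hashlib.sha256(data).hexdigest()


def per_user_tag(user_key, data):
    """Per-user dedup: the tag is keyed with a secret that never leaves that user's client."""
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()


def run(tag_fn):
    """Replay the same three uploads under one tagging policy."""
    server = Server()
    sent = {
        "alice_first": server.upload(tag_fn(KEYS["alice"], SAMPLE), SAMPLE),
        "alice_again": server.upload(tag_fn(KEYS["alice"], SAMPLE), SAMPLE),
        "bob_same_file": server.upload(tag_fn(KEYS["bob"], SAMPLE), SAMPLE),
    }
    return sent, server.stored_bytes()


def existence_leaks(sent):
    """True if Bob's upload cost reveals that someone else already stored the file."""
    return sent["bob_same_file"] == 0


if __name__ == "__main__":
    for name, fn in (("global", global_tag), ("per-user", per_user_tag)):
        sent, stored = run(fn)
        print(name, sent, "stored:", stored, "leak:", existence_leaks(sent))
```

With content-only tags the second user's upload costs nothing and the file is stored once; with keyed tags the server stores it twice and the upload cost no longer depends on what other users hold.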

    5. Re:Seconded by zephvark · · Score: 2

      It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation

      The what, now? Big companies never push deregulation. They want as much regulation as possible, the better to punish anyone else trying to enter the same market. It's called "rent seeking".

    6. Re:Seconded by ColdWetDog · · Score: 2, Funny

      "I enjoy intercourse with small domestic fauna."

      Thanks for qualifying that. Heaven forbid you having conjugal relations with foreign animals. That would be just perverse.

      --
      Faster! Faster! Faster would be better!
    7. Re:Seconded by captain_sweatpants · · Score: 3

      Bullshit! Big companies are in favour of regulation that increases their profit and against regulation that decreases it. Overall they are against it because they can always abuse their dominant position to keep standards low, prices high and competitors out. In the absence of sensible regulation, they can throw their money around, abuse their influence with suppliers and customers, or just flat out abuse those that have no one else to buy from or sell to.

    8. Re:Seconded by Linux+Torvalds · · Score: 2, Insightful

      Regulatory capture has proven to be a much bigger problem than deregulation, I think. It seems better not to give the government so much power in the first place.

      Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

    9. Re:Seconded by PopeRatzo · · Score: 4, Insightful

      Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

      If you trust Exxon and the MPAA more than the government with all its faults, then you have not been paying attention for the past 30 years.

      --
      You are welcome on my lawn.
    10. Re:Seconded by node+3 · · Score: 2

      And I never said he said he came up with the idea.

      Everybody's a backseat nerd here on Slashdot. "Oh, I could've done that better." Yeah, right. It's far easier to criticize someone else's work than it is to do the work yourself.

    11. Re:Seconded by Moryath · · Score: 2, Insightful

      Hey, remember when the police and the teachers' unions crashed the stock market, raided everyone's pension funds, and shipped all the jobs to India?

      Yeah, neither do I.

    12. Re:Seconded by delinear · · Score: 2

      Ultimately it comes down to accountability and being able to distance yourself from the consequences of your actions, but it still takes a certain mindset to follow that through. If there was a little button you could press, and when you pressed it there was a chance somewhere in the world someone would be harmed but you'd get a reward, most people probably still wouldn't do it - the few that would are the CEOs that are crashing the stock market and skimming off the pension funds.

    13. Re:Seconded by ammorais · · Score: 2

      It’s not a matter of waking in the morning and saying "Today, I'm going to screw over the little guy!"
      It's a matter of waking in the morning and saying: "today, if I don't screw the little guy I'm screwed, because everybody does it, and I can't compete if I don't!!!"
      It's the whole system that is broken.

  4. Where's Al Gore and his "Lock Box"? by retroworks · · Score: 3, Insightful
    Here I was feeling all certain that my data was secure, and it just turns out my information just isn't important or interesting enough to purloin.

    Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.

    --
    Gently reply
    1. Re:Where's Al Gore and his "Lock Box"? by chill · · Score: 5, Insightful

      The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Where's Al Gore and his "Lock Box"? by Omnifarious · · Score: 4, Interesting

      First, you are wrong. The data in your account is interesting to a whole host of people, regardless of how insignificant you are. Maybe there's a credit card number in there. Maybe there's clues to your password. Maybe your social graph is interesting to a marketer. In this age, even an insignificant person's data is of interest to someone.

      Secondly, DropBox lied. Plain and simple. They made a security claim that wasn't true and sold their service based on it. If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.

    3. Re:Where's Al Gore and his "Lock Box"? by pushing-robot · · Score: 3, Interesting

      I can understand the concerns about credit cards and bank info, but I don't really get why people are so freaked out about marketers learning a bit of generic info about their lives:

      Person 1 -- Oh no! An advertising firm got hold of my semi-private information!

      Person 2 -- That's terrible. What did they do with it?

      Person 1 -- Well, they started showing me ads for things I might actually buy.

      Person 2 -- Gods! Have these men no shame?

      --
      How can I believe you when you tell me what I don't want to hear?
    4. Re:Where's Al Gore and his "Lock Box"? by hedwards · · Score: 4, Informative

      Because it's not a little generic info about their lives. It's a small leak here a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.

      It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.

    5. Re:Where's Al Gore and his "Lock Box"? by retroworks · · Score: 2
      Well, yes, they are lying and that is one point of the story, but most comments and most public alarm is off point. Assessing cloud security is like checking my mom's virginity. I assume everyone in the cloud lies about my security, and that anything I put in the cloud is at risk. As for "credit card" info, the credit card companies are NUMERO UNO in sharing personal info from credit card use. Everyone who says cloud data, or credit card data, is secure is lying. As for "porn", ha ha ha ha ha ha ha. All porn comes off the cloud, putting it back into the cloud is like passing a marked bill.

      The issue is risk. The number one source of credit card number theft is waiters on drugs. USING a credit card is probably a greater risk than entering the credit card number onto a cloud database. Yes, people should not mislead about security, but they are led to mislead by the crazy "lock box" talk about any cloud information being secure, and this discussion proves the point.

      --
      Gently reply
  5. i think i see the problem by Anonymous Coward · · Score: 3, Insightful

    "the encryption keys are in their possession"

    Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?

    If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.

    Is it just me, or are about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"

    1. Re:i think i see the problem by nedlohs · · Score: 2

      It doesn't matter.

      If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

      It doesn't matter if they are obviously lying, and anyone who knows anything about what they do can tell that.

      Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

  6. I closed my dropbox account. by mustard5 · · Score: 2

    I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update, without any significant notice to me that they had done so. At the time I considered this extremely rude behaviour on the part of the company. I am glad they are getting some bad press, as there are much better alternatives out there that could do with some business. Wuala, for example, is the alternative I chose. It encrypts everything on the client side before it's uploaded. I don't think it's acceptable for dropbox to lie about security of my data, nor is it acceptable for them to make alterations to my configuration files without first asking me.

    1. Re:I closed my dropbox account. by mustard5 · · Score: 2

      I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

      How is that even possible when it doesn't run as root?

      The package manager has root.

  7. Re:Employees have access? by belthize · · Score: 3, Insightful

    Which would be fine if they said "Our employees have access to your data through key escrow in the event you forget your passphrase". If what you're storing is random pictures or some such that's quite likely good enough.

    Some companies don't want that and give their business to companies that say "Key escrow is your problem, it is physically impossible for our employees to read your data". They tend to pay more for that service.

    Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.

  8. Security is NOT an issue with The Cloud. by Anonymous Coward · · Score: 5, Funny

    Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

    The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

    And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

    My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

    1. Re:Security is NOT an issue with The Cloud. by RightwingNutjob · · Score: 3, Funny

      My guess is all your documents are encrypted with ExecuSpeak already. So you're good.

    2. Re:Security is NOT an issue with The Cloud. by jonamous++ · · Score: 4, Funny

      I'm both amused and concerned that I've heard statements similar to the ones that you have made at my own workplace. *sigh*

    3. Re:Security is NOT an issue with The Cloud. by formfeed · · Score: 4, Insightful

      The good ol' "let's mock the victim here for not being as smart as me" routine.

      No. If I mocked everyone not being as smart as me, I wouldn't get anything else done.
      I only mock for "not being as smart as me but thinking to be way smarter than me".

    4. Re:Security is NOT an issue with The Cloud. by Darinbob · · Score: 2

      It is acceptable to mock fools who claim they are wise.

  9. More reason to build your own by fak3r · · Score: 3, Interesting

    I hope this makes more people consider running their own system to handle this, lipsync is trying to provide that, it's on github https://github.com/philcryer/lipsync

  10. Re:Employees have access? by artor3 · · Score: 4, Informative

    Did they ever say that though? If you RTF complaint, the closest they ever came to making that claim was this line:

    "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)"

    I suppose if you tilt your head and squint, that could mean they don't keep a copy of the keys. I read it as the guys on the floor can't log into your account and snoop around.

  11. Re:Spideroak is a good alternative by SlightOverdose · · Score: 5, Informative

    SpiderOak has some serious security issues of its own.

    1. The desktop client allows you to change the password without entering the old one. This means that if somebody steals your laptop, they can lock you out of your own account. Permanently.

    2. I forgot my password on an account, and emailed support requesting an account reset. They happily complied without verifying in any way, shape, or form that I was the owner of the account. I didn't even send this request from the same email account that was attached to the account.

    Major issues like this make me think their understanding of security is not as rock solid as they think it is, and make me question how good their encryption is.

    The desktop software is also woefully bad to the point of being unusable, their service is slow (at least from Australia), and their "Sync" support doesn't work particularly well.

  12. the problem with the cloud in simple terms by RobertLTux · · Score: 2

    What Happens When it RAINS??

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  13. Re:Spideroak is a good alternative by SlightOverdose · · Score: 3, Interesting

    Give Wuala a go. It supports client side encryption, and is much more polished than Spideroak.

  14. Re:Spideroak is a good alternative by SlightOverdose · · Score: 2

    It was definitely Spideroak.

    They didn't reset the password, they reset the account. (Essentially they deleted the account and allowed me to sign back up again under the same email address).

    Naturally none of the data was recoverable, however they happily deleted the account without verifying I was the owner.

  15. Re:Did they really lie to most people? by adolf · · Score: 2

    Meh.

    Pretend, for a moment, that I am not well-versed in encryption concepts.

    Dropbox says that they will protect my files, and that they can also share them with others at my choosing.

    I, being ignorant of encryption concepts (as most folks certainly are), do not see the two concepts as being mutually exclusive, even though they plainly are to those with more clue.

    Therefore, I (the ignorant layperson) am misled.

    This might not seem important to the Slashdot crowd, but Dropbox is being marketed at common folk, not just those who have any sort of technical prowess.

    And it seems to me that the general populace is still being misled...which, of course, is just a different term for being lied to.

    "Dropbox protects your files without you needing to think about it."

  16. Hard to see how they could do it any other way by DrXym · · Score: 2
    The problem with Dropbox is the user id and password used to log into the service are also the credentials for obtaining the data. It's hard to see how they could implement server side encryption with the current model. After all, all they need to do is reset the password on the login id or extract whatever key is used to store the data on their servers.

    It's a security tradeoff - convenience over encryption. Anyway if they publicly said it was impossible to see the data they need to get a bit of a slap. I hope what they meant is their employees' roles are separated in a way which means it's difficult for any one person to obtain all the pieces they need to view the data and even if they did they'd be detected by numerous database / network triggers and thrown out the door. Even so I think most technically or criminally minded people could just implement their own security on top, e.g. a very simple way is to store stuff in an encrypted zip or 7-zip file. I reckon most people don't bother though and that's where the problem lies.

    Perhaps the answer for Dropbox is to implement a second level security where users can generate their own keys to secure certain folders. The keys remain in the user's possession on the client side. Data including file names & folder structure would be seamlessly scrambled / descrambled on the fly. It might preclude that folder from being accessible over the web interface and the user would be responsible for figuring out how to get the key onto every device they use, but it would allow Dropbox to say they support fully encrypted data that their staff really cannot see.

  17. Re:Spideroak is a good alternative by MikeOttawa · · Score: 2

    Wuala is great. The client is getting better all the time, and it encrypts/decrypts on the client side. As long as you keep supplying disk space (and obviously bandwidth to access it) they will up your storage. You can even merge multiple PC's together to beef up the storage on your account.