Slashdot Mirror


Dropbox Accused of Lying About Security

lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."

12 of 265 comments

  1. Good by gadzook33 · · Score: 5, Insightful

    As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.

  2. Call me back... by bannable · · Score: 4, Insightful

    ...when there's an actual investigation. Why the hell is it news that someone made a complaint?

    --
    "If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
    1. Re:Call me back... by inpher · · Score: 5, Informative

      One reason is that the person making the complaint is Christopher Soghoian, a heavyweight when it comes to computer security.

  3. Re:Where's Al Gore and his "Lock Box"? by chill · · Score: 5, Insightful

    The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Re:Where's Al Gore and his "Lock Box"? by Omnifarious · · Score: 4, Interesting

    First, you are wrong. The data in your account is interesting to a whole host of people, regardless of how insignificant you are. Maybe there's a credit card number in there. Maybe there are clues to your password. Maybe your social graph is interesting to a marketer. In this age, even an insignificant person's data is of interest to someone.

    Secondly, Dropbox lied. Plain and simple. They made a security claim that wasn't true and sold their service based on it. If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.

  5. Security is NOT an issue with The Cloud. by Anonymous Coward · · Score: 5, Funny

    Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

    The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

    And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

    My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

    1. Re:Security is NOT an issue with The Cloud. by jonamous++ · · Score: 4, Funny

      I'm both amused and concerned that I've heard statements similar to the ones that you have made at my own workplace. *sigh*

    2. Re:Security is NOT an issue with The Cloud. by formfeed · · Score: 4, Insightful

      The good ol' "let's mock the victim here for not being as smart as me" routine.

      No. If I mocked everyone not being as smart as me, I wouldn't get anything else done.
      I only mock for "not being as smart as me but thinking to be way smarter than me".

  6. Re:Employees have access? by artor3 · · Score: 4, Informative

    Did they ever say that though? If you RTF complaint, the closest they ever came to making that claim was this line:

    "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)"

    I suppose if you tilt your head and squint, that could mean they don't keep a copy of the keys. I read it as the guys on the floor can't log into your account and snoop around.

  7. Re:Where's Al Gore and his "Lock Box"? by hedwards · · Score: 4, Informative

    Because it's not a little generic info about their lives. It's a small leak here, a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.

    It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.

  8. Re:Spideroak is a good alternative by SlightOverdose · · Score: 5, Informative

    SpiderOak has some serious security issues of its own.

    1. The desktop client allows you to change the password without entering the old one. This means that if somebody steals your laptop, they can lock you out of your own account. Permanently.

    2. I forgot my password on an account, and emailed support requesting an account reset. They happily complied without verifying in any way, shape, or form that I was the owner of the account. I didn't even send this request from the same email account that was attached to the account.

    Major issues like this make me think their understanding of security is not as rock solid as they think it is, and make me question how good their encryption is.

    The desktop software is also woefully bad to the point of being unusable, their service is slow (at least from Australia), and their "Sync" support doesn't work particularly well.

  9. Re:Seconded by PopeRatzo · · Score: 4, Insightful

    Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

    If you trust Exxon and the MPAA more than the government with all its faults, then you have not been paying attention for the past 30 years.

    --
    You are welcome on my lawn.