Slashdot Mirror


Dropbox Pursues Business Accounts, But Falls Short On Privacy Laws

deadeyefred writes "Dropbox last month launched its Teams service, targeted at small and mid-sized businesses — but acknowledges it's not PCI-, HIPAA- or Sarbanes-Oxley compliant. Company executives say they also don't provide a highly visible warning largely because customers in beta tests didn't make it an issue. Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

122 comments

  1. Doesn't matter by hedwards · · Score: 2

    Yes, businesses that need PCI, HIPAA or SarbOx compliance ought to be directly asking, that's no excuse for not posting it in a prominent place.

    I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody else's file.

    1. Re:Doesn't matter by gg1 · · Score: 1

      Just encrypt sensitive files before sending; then they will never have a match.

    2. Re:Doesn't matter by Sancho · · Score: 2

      So you're advocating not being compliant?

      Payment card data is still payment card data, even if it's encrypted. Ask any QSA. If it's at rest on a machine, there are certain requirements for that machine which encryption does not (solely) satisfy.

    3. Re:Doesn't matter by deroby · · Score: 2

      Care to explain how that would be ?

      AFAIK a hash is just a (smallish) number calculated on a (largish) set of data. By sheer definition a single hash will match multiple distinct sets.
      How does encrypting a data-set affect the possibility of match with a different set ?

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    4. Re:Doesn't matter by zoloto · · Score: 1

      Care to elaborate?

    5. Re:Doesn't matter by Sancho · · Score: 4, Informative

      It's all in the PCI DSS, which you can find via Google. Generally speaking, you have to isolate the machine on which the encrypted data is stored. I believe the requirements still call for the machine to be behind a NAT firewall, to be accessed with two-factor authentication, and for passwords to adhere to certain requirements as well as be changed every 90 days. The entire system has to be documented including network diagrams (that you probably won't have from Dropbox--I doubt that a giant cloud would be sufficient, but I could be wrong.)

    6. Re:Doesn't matter by M0j0_j0j0 · · Score: 1

      Wrong!

    7. Re:Doesn't matter by hedwards · · Score: 1

      Exactly, I can encrypt my data, but all that means is that if there is a match, which is definitely possible, I end up losing the entire volume rather than just a portion of it. Neither possibility is acceptable for a service of this type. The likelihood increases substantially when you start matching everybody's blocks to everybody else's blocks. It's unlikely that you'd have two such blocks within a particular customer's data, but when you deal with all the customers' data...

    8. Re:Doesn't matter by Anonymous Coward · · Score: 0

      !exhaustive

    9. Re:Doesn't matter by fuzzyfuzzyfungus · · Score: 1

      Encryption isn't going to change the fact that there are fewer hashes available than there are inputs; but it might actually reduce the chances of a collision in practice...

      Since most users are uninterested in storing random length-n chunks, but are interested in storing office documents and pictures and things, the expected set of inputs will probably be pretty strongly skewed in the direction of slightly-shorter-than-n-chunks with boilerplate file format required headers and/or footers. If your files are properly encrypted, they presumably won't have the same skew...(If true, of course, this would mean that collisions in general are more likely than a simple input length vs. hash length comparison would suggest.)

    10. Re:Doesn't matter by Anonymous+Brave+Guy · · Score: 1

      All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security. Leaving aside that some of the standard security policies are dubious anyway, if businesses really complied with the level of control you mentioned... well, most small businesses simply can't (in the sense that either they literally can't or they couldn't operate in any commercially viable way under such constraints).

      Given that the constraints on taking card payments in person in a store are vastly easier to game, and that nothing in PCI-DSS is going to stop a fraudster setting up a fake shop and taking whatever card details his "customers" volunteer, and that contrary to what the doom-sayers keep telling us most on-line businesses don't really handle a bazillion times the number of transactions of off-line businesses anyway, the overkill for small companies that want to trade on-line is crazy.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re:Doesn't matter by Anonymous Coward · · Score: 1

      Of course PCI-DSS is about covering your ass legally. That's the entire point, to legally cover your ass by being compliant with the standards set by the payment card industry. If you're not compliant and something goes wrong, get ready for some huge lawsuits. If you are compliant, get ready for some minor penalties.

      PCI-DSS compliance for a small company using a payment gateway is very simple - on the order of not storing any credit card data except the responses from the payment gateway you use. You don't even need encryption because you don't need to even transport the credit card data.

    12. Re:Doesn't matter by Sancho · · Score: 2, Informative

      All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security

      For the merchant, it's primarily about legal ass-covering. The merchant doesn't care about his customer's credit cards. Why should he? He cares much more that a fake card isn't used in his shop. Because the merchant doesn't care about the customer's credit cards, the payment card industry has to make them care by imposing regulations and penalties.

      It forces small companies to buy products which do most of that for them. It's a cost of doing business. There's an entire industry of payment processors (think Paypal) that a small web merchant could use to avoid ever having credit cards touch their systems. The processors take a percentage (much like the bank) and the merchant raises the cost of their products accordingly.

      some of the standard security policies are dubious anyway,

      Absolutely. You'll get no argument from me. But most of them are good security practices that most businesses wouldn't even know are good practices. They absolutely should be doing them if they're going to store my credit card information.

    13. Re:Doesn't matter by Anonymous Coward · · Score: 0

      Encrypting the data will NOT reduce the chances of a collision.
      A single changed bit will dramatically alter the output of a decent hash function. Common file format headers will make no difference.

    14. Re:Doesn't matter by s_javinder · · Score: 1

      I don't trust them.

    15. Re:Doesn't matter by jbolden · · Score: 1

      A dropbox hash is about 256 bits. There are ballpark about as many dropbox hashes as there are atoms in the universe. You are unlikely to hit one by chance.

    16. Re:Doesn't matter by Anonymous Coward · · Score: 0

      A dropbox hash is about 256 bits. There are ballpark about as many dropbox hashes as there are atoms in the universe.

      There are also (presumably) as many dropbox hashes as there are different possible 32-byte files. That 33 byte file will match one of those (as well as a 31 byte file, 12921912421 byte file, etc). If it's a good evenly distributed hash, then it may very well be that your file will probably not match someone else's file, and building a complete rainbow table to collide intentionally would be impossible. If the hash clumps, though, all bets are off.

    17. Re:Doesn't matter by blueg3 · · Score: 1

      Oh, sure, there are tons of theoretical collisions. But nobody will generate even a tiny fraction of those possible 32-byte files, so the practical risk of collision is near zero.

      It's SHA-256, so it's well-distributed.

    18. Re:Doesn't matter by Anonymous Coward · · Score: 0

      No kidding. Legal ass-covering is important.

      For anyone who was wondering, Dropbox is also not FERPA compliant... which ought to scare the shit out of every legal counsel anywhere near a university right now, since tenured faculty tend to insist on adding new software to their desktop without paying a bit of attention to the ramifications of what they're doing.

      I can't decide if it's more of an "ooh what's this button do" thing a la Dexter/DeeDee, or a "but I want my new toy" 4-year-old thing.

    19. Re:Doesn't matter by Anonymous+Brave+Guy · · Score: 1

      It forces small companies to buy products which do most of that for them. It's a cost of doing business.

      The trouble is (and I'm writing this as a guy who runs small companies, some of which need to do card processing) that most of those services suck. They are expensive, of course, but worse than that, they are horribly limited in what functionality they offer compared to a direct integration with a payment gateway. Moreover, as I mentioned in another post, they tend to come with contracts so one-sided they actually make dealing directly with the banks an appealing prospect. If you're responsible for a small business and you care even slightly about running it in a professional manner and complying with actual legal requirements (not just whatever the card industry want you to do, but what the law requires) then it's difficult to use those services even in the US where most of them are based, and next to impossible in many places with more stringent rules.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    20. Re:Doesn't matter by Anonymous+Brave+Guy · · Score: 1

      If yo're not compliant and something goes wrong get ready for some huge law suits. If you are compliant, get ready for some minor penalties.

      And if the card industry were responsible for writing the laws, that might be true. Fortunately, even they aren't yet granted the power to legislate. In my country (England), if you screw up and leak the data, no amount of protesting that you were PCI compliant is going to get you off the hook. Moreover, if you suffer from credit card fraud, no amount of complaining to the card companies about how you followed their recommended procedures is going to force them to pay you back when they point at the small print that makes it your problem anyway.

      Basically, PCI-DSS is such a poor proposition in terms of benefits that it's no surprise many small businesses make no attempt to bother complying. Sure, if they find out you aren't compliant then your business is toast, but the reality is that if they have found out then you were probably already toast because of whatever brought it to their attention anyway.

      This isn't to say that businesses shouldn't provide good security, of course, and in doing so many would be most of the way to PCI-DSS compliance anyway and the extra audits etc. aren't the end of the world. We are planning this sort of system for one of my companies right now, not only because of the legal requirements in our jurisdiction but because it's simply the responsible thing to do and the right way to treat customers. I'm just observing that the card industry offer us little or nothing of real value in return for complying with PCI-DSS, which is hardly the way to encourage less responsible (or simply less technically knowledgeable) management to do the right thing.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    21. Re:Doesn't matter by Anonymous Coward · · Score: 1

      I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody elses file.

      Trust me, you have better things to be worried about than hash collisions on Dropbox. :)

      Based on my quick research, Dropbox uses the SHA-256 algorithm with 4 Mbyte chunks. Let's assume for the sake of argument that the total amount of data Dropbox stores for its users is (pinky finger!) 1 million terabytes of data.

      That would mean there are 262,144,000,000 chunks. A SHA-256 hash is 256 bits long.

      Applying the Birthday Paradox, the probability of a collision is thus:

      P = 1-EXP((-(262144000000^2))/(2*(2^256)))

      That evaluates to a 0.00000000000000000000000000000000000000000000000000002967% probability of even just one collision existing in the entire data set. Put another way, there is a 1 in 3.369 million trillion trillion trillion trillion chance of there being a collision.

      Put another way... I'd say it's slightly more likely that Zeus is going to appear before you tomorrow to anally rape you with his lightning bolt before destroying the Earth.

      You can take a trip to Wolfram Alpha to verify my math.

    22. Re:Doesn't matter by Anonymous Coward · · Score: 0

      HIPAA is a farce. Any government agency can go in under the guise of being a matter of national security or intelligence activities and access anybody's medical information with the patient never knowing it happened. The only difference is they can go directly to Dropbox instead of the healthcare provider to get what they want.

    23. Re:Doesn't matter by jimicus · · Score: 1

      I did some digging on this myself - either I've grossly misunderstood something or the entire payment card industry is more than a little hypocritical.

      On the one hand they'll freely advertise you can have a virtual terminal (which is a website into which you can punch people's card numbers much like a proper card machine), how it's much more convenient because you can access it from your laptop wherever you are - you're not obliged to be sitting in your office to process card payments.

      Then they'll ask you to sign the PCI-DSS agreement which states you'll only access the system from a PC which is dedicated wholly and exclusively to virtual terminal usage - it won't even have other software installed, and you'll set up a separate segment of your network, firewalled from everything else, to put this PC on.

    24. Re:Doesn't matter by theolein · · Score: 1

      It doesn't matter until there are legal complications. Then it matters a lot.

    25. Re:Doesn't matter by Sancho · · Score: 1

      I didn't know that they advertised it like that. Yeah, that's pretty crappy.

    26. Re:Doesn't matter by allo · · Score: 1

      For 33 byte files, you will have 2^8 collisions per hash. Now assume we have a 100 MB file ...

    27. Re:Doesn't matter by blueg3 · · Score: 1

      2^(100*1024*1024*8-256) theoretical collisions per hash. But it's not relevant, because the number of 100 MB files is enormous: 2^(100*1024*1024*8). For any two actually-existing 100 MB files, the likelihood they have the same hash is 1 in 2^256. That's unfairly optimistic, though. You need to consider how big a pool of N files you would need before it was likely that there exists one hash collision within your pool of files. That is N = 2^128.

      So in order to have a reasonable chance of collision, you'd need 2^128 100-MB files. That's a problem, though, because there are only about 10^80 ~= 2^240 atoms in the universe.

      Dropbox doesn't actually hash whole files, it hashes 4-MB blocks. But it doesn't really matter. You can't even store a reasonable fraction of all 33-byte files, nor do you have enough computational time to ever compute an appreciable fraction of the possible SHA-256 hashes that could, in theory, exist.

    28. Re:Doesn't matter by allo · · Score: 1

      For any two it's of course 2^256, but now apply the birthday problem to a set of 100 MB files ... and the collision probability of 4 MB blocks is even higher.

    29. Re:Doesn't matter by blueg3 · · Score: 1

      I just told you what that was. If you have N possible values for your hash (N=2^256), you need, on average, sqrt(N) = 2^128 objects for there to be a reasonable probability of a collision between some pair of objects. That's the solution to the birthday paradox (for large N).

      You'll note that the file or block size doesn't actually show up in that calculation, only the hash size, because the size of the object turns out to be irrelevant. You are just as likely to have hash collisions with 4 MB blocks as you are with 100 MB files. Technically you can store 25 times as many 4 MB blocks as you can 100 MB files, but you can only ever generate or store so very few of them compared to the number you need (2^128) that it doesn't matter.
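    The arithmetic in comments 21 and 29 (the birthday bound for 4 MB SHA-256 chunks, and the sqrt(N) rule of thumb), together with the compare-on-hit check that would turn a collision into a detected error rather than the silent clobbering comment 1 worries about, as an added example. This is not Dropbox code or any commenter's code; the 4 MiB chunk size and SHA-256 are the parameters quoted in the thread, and the chunk store is a hypothetical illustration of the technique, not a description of what Dropbox does on a hash hit.

```python
"""Birthday-bound arithmetic for content-addressed (deduplicating) storage,
plus a toy chunk store that verifies content on a hash hit.

Added example for this thread; not Dropbox code. The 4 MiB chunk size and
SHA-256 are the parameters quoted in the discussion. The store below is a
hypothetical illustration of compare-on-hit, not how Dropbox handles a hit.
"""
import hashlib
import math
from fractions import Fraction


def birthday_collision_probability(n_items, hash_bits):
    """P(at least one collision) among n_items uniformly random hash_bits-bit
    values, using the usual approximation 1 - exp(-n^2 / (2 * 2^bits)).

    The exponent is built as an exact Fraction so 2^256 is never squeezed
    into a float before the division; -expm1(-x) avoids the cancellation
    that 1 - exp(-x) would suffer for tiny x.
    """
    x = Fraction(n_items * n_items, 2 * (1 << hash_bits))
    return -math.expm1(-float(x))


def items_for_collision_probability(p, hash_bits):
    """Inverse question: how many items before P(collision) reaches p.
    For p = 0.5 this is about 1.18 * 2^(bits/2), the sqrt(N) rule of thumb.
    """
    return math.sqrt(2 * (1 << hash_bits) * math.log(1.0 / (1.0 - p)))


def chunked_corpus_estimate(total_bytes, chunk_bytes=4 * 1024 * 1024):
    """Chunk count for a corpus of total_bytes and the SHA-256 collision
    probability across all of those chunks (comment 21's calculation)."""
    n_chunks = total_bytes // chunk_bytes
    return n_chunks, birthday_collision_probability(n_chunks, 256)


class HashCollisionError(Exception):
    """Two different chunks produced the same digest; refusing to clobber."""


class ChunkStore:
    """Toy content-addressed store. Chunks are keyed by digest, but a hit is
    verified byte-for-byte before it is trusted, so a collision is reported
    instead of silently serving another customer's bytes."""

    def __init__(self, chunk_bytes=4 * 1024 * 1024, digest=None):
        self.chunk_bytes = chunk_bytes
        # Digest is injectable so a deliberately weak one can show the check.
        self.digest = digest or (lambda b: hashlib.sha256(b).digest())
        self.chunks = {}        # digest -> chunk bytes
        self.dedup_hits = 0     # chunks we did not have to store again

    def put(self, data):
        """Store data; return its manifest (ordered list of chunk digests)."""
        manifest = []
        for off in range(0, len(data), self.chunk_bytes):
            chunk = data[off:off + self.chunk_bytes]
            h = self.digest(chunk)
            existing = self.chunks.get(h)
            if existing is None:
                self.chunks[h] = chunk
            elif existing == chunk:
                self.dedup_hits += 1
            else:
                # Same digest, different bytes: the case the thread debates.
                raise HashCollisionError(h.hex())
            manifest.append(h)
        return manifest

    def get(self, manifest):
        """Reassemble a file from its manifest."""
        return b"".join(self.chunks[h] for h in manifest)


def store_detects_collision(store, data):
    """True if storing data is refused because of a digest collision."""
    try:
        store.put(data)
    except HashCollisionError:
        return True
    return False


if __name__ == "__main__":
    n, p = chunked_corpus_estimate(10**6 * 2**40)   # "1 million terabytes"
    print(f"{n} chunks, P(any SHA-256 collision) ~ {p:.3e}")
    print(f"items for 50% collision odds: ~{items_for_collision_probability(0.5, 256):.3e}")
    weak = ChunkStore(chunk_bytes=4, digest=lambda c: c[:1])  # 8-bit "hash"
    weak.put(b"AAAA")
    print("weak digest collision caught:", store_detects_collision(weak, b"AZZZ"))
```

Run as a script it reproduces comment 21's figure (about 2.97e-55 for 262,144,000,000 chunks) and comment 29's threshold (roughly 2^128 objects for even odds). The injectable digest is the practitioner's check: swap in a one-byte hash and the store trips HashCollisionError on the second distinct chunk instead of returning the wrong bytes, which is the behaviour you want to confirm any dedup layer has before trusting it with data you cannot afford to lose.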

  2. Call me old fashioned by Dunbal · · Score: 2, Insightful

    But with computers and storage being relatively cheap, and with internet access being ubiquitous, why exactly should I trust a 3rd party with my data anyway?

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Call me old fashioned by Anonymous Coward · · Score: 1

      Because when your (small or home) office burns down along with your storage (and, your offsite storage also destroyed because of the earthquake that started the fire that burned down your office), it'd be nice to have your data backed up in the cloud somewhere.

      That said, if they're not PCI compliant, there's no fucking way I'm trusting them with my credit card details.

    2. Re:Call me old fashioned by assantisz · · Score: 2

      Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There are maintenance fees and labor costs. It can be a lot cheaper to outsource these things.

    3. Re:Call me old fashioned by Anonymous Coward · · Score: 0

      Yes, that's the question for the home user! I think the business should not even think about this question. Even a small company could afford its own server for the sensitive data. RAID1/RAID10 for redundancy, Bacula for keeping older versions in case of user error, Samba or NFS support for accessing it, OpenVPN for remote connection.

    4. Re:Call me old fashioned by MatthiasF · · Score: 2

      Cheaper in the short run or long run?

      Are you factoring in legal costs from your employees suing you for having personal information spread across the Internet?

      Or possible damage to business revenue from your company's work falling into competitor's hands?

      Or almost complete loss of business when the Internet goes out?

      Me thinks an entire culture inside of certain IT Departments are not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

    5. Re:Call me old fashioned by siddesu · · Score: 2

      Don't ask slashdot, ask the shareholders.

    6. Re:Call me old fashioned by 93+Escort+Wagon · · Score: 2

      Yes, that's the question for the home user! I think the business should not even think about this question. Even a small company could afford its own server for the sensitive data. RAID1/RAID10 for redundancy, Bacula for keeping older versions in case of user error, Samba or NFS support for accessing it, OpenVPN for remote connection.

      You're assuming, then, that "even a small company" should have a full time sysadmin on the payroll. Sounds like that self-hosted setup just got a lot more expensive...

      --
      #DeleteChrome
    7. Re:Call me old fashioned by black6host · · Score: 2

      Me thinks an entire culture inside of certain IT Departments are not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

      Or, perhaps more likely, the scenario is: "We need this, without it we're left wide open." Management response: "It's not in the budget and what are the chances.....?"

      I've been there....

    8. Re:Call me old fashioned by hedwards · · Score: 1

      Except that most of the time when data is stored it's not been through the cloud, it's because a laptop has been lost, or there was a burglary. The cloud isn't really any substantial increase in risk, if you encrypt the data before it's stored on the cloud and go through the appropriate measures to ensure that the keys are protected from unauthorized use.

    9. Re:Call me old fashioned by artor3 · · Score: 1

      Because you probably don't know what you're doing. Not you, specifically, but the average person who asks that question.

    10. Re:Call me old fashioned by 0123456 · · Score: 1

      The cloud isn't really any substantial increase in risk, if you encrypt the data before it's stored on the cloud and go through the appropriate measures to ensure that the keys are protected from unauthorized use.

      Let's suppose you upload personal data to 'The Cloud' and 'The Cloud' just happens to turn out to be a server in the EU. Suddenly you risk violating the EU data protection laws if you access that data.

    11. Re:Call me old fashioned by fuzzyfuzzyfungus · · Score: 1

      At least in my limited experience, the set of people who will happily put sensitive information on Dropbox because it is simple and easy and the set of people who are implementing appropriate encryption and access control measures do not overlap very much...

    12. Re:Call me old fashioned by kcbnac · · Score: 1

      Or have the system on-site, and contract with a local IT guy to be part-time admin. (Figure out what regular maintenance is needed, pay him for that - with the option of an hourly rate after that for any 'extra' time needed)

      Many small companies work this way - I know several folks that do this kind of work.

    13. Re:Call me old fashioned by Anonymous+Brave+Guy · · Score: 2

      Cheaper in the short run or long run?

      It's not about long term vs. short term, it's about scale.

      Organising IT infrastructure always incurs some level of overhead, but you can see great economies of scale when you reach a certain size. On the other hand, at a very small scale, you still need to deal with at least the basics, and that still requires a certain level of expertise and incurs a certain drain on your staff's time.

      I'm not a huge fan of outsourcing IT infrastructure. I think a lot of services you can outsource to tend to do 75% of the job for 50% of the cost, but you need at least 95% of the job before it's worth anything at all.

      Moreover, a lot of them have terms and conditions so one-sided I would describe them as abusive. For example, as far as I could tell without paying my lawyer real money, one prominent back-up service we looked at offers all sorts of ways to retrieve your data under normal circumstances, but they can decide to shut down their service without notice. In the event that they do so, they only guarantee to provide 72 hours' download time via the Internet to get any data you need back. That isn't even close to enough to download the volume of data their plans suggest they want you to trust them with, even assuming you can hold a solid connection to their servers at a time when your systems have crashed enough that you need to retrieve a back-up and every customer they've ever had is hitting their network at the same time. Many of the on-line billing services that are trendy right now have contracts you'd be crazy to sign, providing basically no guarantees of anything, while effectively locking your entire ability to take money from customers into their systems.

      That all said, given adequate security safeguards and binding robustness/reliability guarantees, I don't see a problem with off-site backups to third party services, and there are clear advantages to having that happen automatically on a regular schedule rather than relying on one of your staff to run a manual process and physically transport media to some off-site location (which you still need to find, trust, and potentially pay for, just like the on-line back-up services).

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    14. Re:Call me old fashioned by Anonymous Coward · · Score: 0

      You said "cloud". That nullifies any point you made. ;)

    15. Re:Call me old fashioned by Oligonicella · · Score: 1

      Seriously? My small home/office burns, destroying my data there (along with every friggin' thing I use to work). My offsite storage (which is presumed to be in the same locale) is destroyed because the instigating incident to my data loss is a fucking earthquake....

      And you think somehow, that I will give a shit about my data.

      Pal, I'm going to be worrying about sleeping, eating and whether everyone I know is dead. Your scenario merely indicates the reach you have to use to "justify" the cloud.

    16. Re:Call me old fashioned by Anonymous Coward · · Score: 0

      Of course, no need for a full time sysadmin for that kind of setup. But as the previous readers said, the right IT guy would be perfect. And the good thing is that he doesn't have to be a local IT guy to do that work!
      I'm actually working for small companies on an hourly basis too and like that job.

    17. Re:Call me old fashioned by afabbro · · Score: 1

      Seriously?

      Yes. And quit being an ass and think a minute.

      My small home/office burns, destroying my data there (along with every friggin' thing I use to work). My offsite storage (which is presumed to be in the same locale) is destroyed because the instigating incident to my data loss is a fucking earthquake....And you think somehow, that I will give a shit about my data. Pal, I'm going to be worrying about sleeping, eating and whether everyone I know is dead.

      Sure, for the first month. But what happens a year later when you're audited by the IRS and want a copy of your tax returns, or twenty years later when you want to show some pictures to your grandchildren? Yes, there are more important things than your data - the well-being of those you care about, your own personal shelter, income, and survival, etc. But that doesn't mean your data is unimportant.

      Your scenario merely indicates the reach you have to use to "justify" the cloud.

      Did the cloud rape your grandmother or something? It's not like there is a galactic mandate that you have to use it. So why are you so pissed off?

      --
      Advice: on VPS providers
    18. Re:Call me old fashioned by turbidostato · · Score: 1

      "Seriously?"

      Yes.

      "And you think somehow, that I will give a shit about my data."

      Yes. It was at 4AM and it was just a big damn fire, so nobody is injured. The first week is a nightmare, yes, but then, you recall your insurance and hire a new office and then, what? Where's your customers data, your financial records... your everything?

      Small businesses tend to undervalue how dependent they are on their data (except for the from-time-to-time cry for help from somebody: "please, how can I recover my hard disk? If I can't do it, I'll have to close my business - no, I don't have any backup, of course").

    19. Re:Call me old fashioned by raydobbs · · Score: 1

      Odds are, if there is a disaster large enough to wipe out your office, all of your storage, all of your backups, all of the off-site backups and defeat all of your CBO plans - you're out of business. Time to call the insurance agent, notify any surviving employees, set up a mailing for your remaining clients, and see what you might be able to salvage. The IRS doesn't generally bust asses of people who have survived massive disasters like that... but if they do, they can talk to your accountant and insurance agent (you -do- have an accountant who keeps a duplicate of your records, right?).

      Putting your confidential information into the hands of some almighty 'cloud' is really irresponsible; especially if that provider has a track record of handling that data in an irresponsible fashion.

    20. Re:Call me old fashioned by mark_elf · · Score: 3, Informative

      Some mook I was working for forced a team of ten of us onto dropbox last year because we weren't all in the same office and he couldn't figure out how to FTP. The dropbox advertising seemed very simple and reassuring to him. It makes sharing files easy! It was the right thing. Immediately everyone was walking around saying how they loved dropbox! It has a very simple graphic design people liked, like Apple computers and Google websites (most of the people on the team were "creative"). They even have an iPhone app!

      The first thing that happened was some other mook accidentally the entire share because he didn't need all the files, not understanding how the folders are synced. There is no "mook" permission, no permission structure at all. Just in or out.

      After that, none of us were shared with "everything" anymore, so it became a completely unmanageable mishmosh of invites. Everyone used different folder structures and ways of naming things, which you have to live with. The dumbest person on the team gets to set the SOP, which is just chaos of course. The only people who liked it were the ones who dumped files on there and didn't have to ever open them again (graphic designers). It tends to fill up your hard drive with stuff that maybe has a 20% chance of being for you. People work to these folders because they are local, not realizing or caring that everyone else has to download all their crap.

      So when everyone is in the same room, it nukes the wi-fi completely as everyone tries to sync the same garbage at the same time.

      If you do really care about a file, you have to copy it out of the dropbox folder so that someone else doesn't fuck it up. So you have to have two copies of everything. It ends up being a kind of fuzzy FTP anyway, which you have to manage, but is not manageable.

      If you understand email and FTP you don't need it. If you don't understand those things, you definitely will not understand dropbox. I learned this when someone kept asking me to just "show her where the files are".

      So to answer your question, you should trust them because they make sharing your files easier.

    21. Re:Call me old fashioned by zippthorne · · Score: 1

      Unfortunately, however, both groups intersect the set of people who have access to sensitive information.....

      --
      Can you be Even More Awesome?!
    22. Re:Call me old fashioned by davide+marney · · Score: 2

      I believe that this is exactly the kind of scenario that the new "team" version of Dropbox is aimed at fixing.

      --
      "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    23. Re:Call me old fashioned by Richard_at_work · · Score: 1

      No, Dropbox Teams only differs from normal accounts in one real way - shared folders only count once against the team storage. It has no permissions etc.

      Oh, and Teams accounts have been available for the past 18 months, they were just recently taken out of (a very silent) beta...

    24. Re:Call me old fashioned by Anonymous Coward · · Score: 0

      Interesting that you see this as a risk. In the EU we tend to think the lack of adequate privacy protection in the US is a risk.

    25. Re:Call me old fashioned by teg · · Score: 1

      Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There is maintenance fees and labor costs. It can be a lot cheaper to outsource these things.

      Also, a lot less risky. Small outfits are far more likely to do things wrong, not keep things updated and are certainly not doing sophisticated intrusion detection, network monitoring etc.

      Most small companies thinking that e.g. Google Apps is a security risk run a much higher risk if they do it all themselves.

    26. Re:Call me old fashioned by antdude · · Score: 1

      People are lazy to set them up and rely on others to provide the services.

      If people want to use them, then have them encrypt their stuff BEFORE putting it on them!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    27. Re:Call me old fashioned by Anonymous Coward · · Score: 0

      Me thinks an entire culture inside of certain IT Departments is not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

      Your perspective is wrong. Doing anything other than what your boss tells you to, and making your own life easier against their whim *is* risk aversion. Confrontation (and even principled disagreement) with your boss is risky.

    28. Re:Call me old fashioned by ironjaw33 · · Score: 1

      This about sums up my group sharing experience as well. We also considered using a wiki, but dropbox won out. Either way, the group has to agree on some kind of standard for what kinds of files are shared, directory structures, and who has write access. Otherwise, it's a huge mess.

    29. Re:Call me old fashioned by hedwards · · Score: 1

      That's not just going to happen if you're doing some research. Plus, European data protection laws don't apply to people that are living in the US. The EU can't enforce a judgment against a company with no presence in the EU, no matter how much they might want to. They would have to file suit in the US, where their data protection laws don't apply. Otherwise they would end up in a situation where they have a judgment that they can't collect on, assuming that the court rules they have jurisdiction in the first place.

    30. Re:Call me old fashioned by jgtg32a · · Score: 1

      Get a dropbox account and then drop a 2GB true-crypt volume in it, you're all good

  3. Compliance == Smart Business by ohnocitizen · · Score: 3, Insightful

    If they are smart they will be compliant, and advertise that highly. How long until a competitor springs up who is compliant? When it comes to business needs, security is rightly a key focus. Not catering to that is ignoring the very market they want to serve.

    1. Re:Compliance == Smart Business by antifoidulus · · Score: 1

      Yeah but since DropBox is essentially just a front end bolted on to Amazon's S3 service, they actually do not have all that much control over the terms of service, if Amazon's is different or they change their terms of service afterward then Dropbox is screwed.

    2. Re:Compliance == Smart Business by Alan+Shutko · · Score: 1

      I'm going to guess that participating in regular audits alone would cost Dropbox more than $795 per client, making compliance a loss.

    3. Re:Compliance == Smart Business by Ritchie70 · · Score: 1

      I am only tangentially involved with the compliance matters where I work, but it is my general impression that it is not possible for a vendor to say they are PCI-DSS compliant.

      They can be part of a PCI-DSS compliant solution but only the entire architecture/solution can be compliant.

      I was involved with the design and implementation of our current credit/debit processing solution, and as I recall the primary software vendor was very clear that they were not saying that they were or were not PCI compliant, but merely that it was possible to create a PCI compliant solution involving their product.

      --
      The preferred solution is to not have a problem.
    4. Re:Compliance == Smart Business by stephanruby · · Score: 1

      DropBox is pursuing convenience, not compliance.

      After all, would you trust them for important data even if they did have those certifications? Hell no! I personally wouldn't. At least, not after what happened a couple of months ago. I don't think I will ever trust them for that kind of security. And I don't think anyone should trust me as a business if I started trusting them for keeping that kind of data.

      And in that sense, their recent decision is the right one. They shouldn't pretend they're something they're not. As a business owner, I would still trust them with data I really didn't care about (and fellow geeks, please do not pretend this kind of data doesn't exist, it does even for businesses). Sometimes, I just need the convenience, and I need it quickly. For that, there is nothing better than DropBox (it doesn't happen often, but it does happen).

      And when I need something more secure, I just use another solution. For those of you that think that business users are too stupid to know the difference, do not think that disclaimers will actually help stupid users. Disclaimers may change stupid people's behavior in the short term, but then once they become common enough, they become just like background noise and no one pays attention to them anymore.

    5. Re:Compliance == Smart Business by LurkerXXX · · Score: 1

      Amazon's S3/AWS services can have apps compatible with HIPAA/PCI if the application writer wants to go through the effort, so yes, they do have that much control.

      http://aws.amazon.com/security/

      http://aws.amazon.com/s3/

    6. Re:Compliance == Smart Business by Shoten · · Score: 2

      Actually, no. Being compliant with PCI is tremendously expensive, and I can't imagine many business cases that would give cause for a customer to need it. So it would be incredibly stupid to spend all of that money on PCI compliance for very little return. Furthermore, you're using the word "compliant" like it means "secure," which it absolutely does not. Hannaford was compliant, and still suffered a major breach. As far as they knew, TJX was compliant; they didn't know that many of the products sold to them for POS processing cached the information in the clear, nor could they have. And in terms of other forms of compliance, there's DIACAP in the military, but nonetheless those systems get hacked fairly regularly anyways.

      And, given your argument, where do you draw the line? Why stop at PCI, HIPAA, and SOX? Why not include NERC CIP? BASEL II? FIPS? NEI? FISMA? FOIPPA? You seem to think that it's easy or cheap to just "be compliant" with each standard...it is not. It's a massive undertaking, and if you decide you want to be compliant with all of them, guess what? You're basically hamstrung as to your architecture, personnel and business model...and it sure as hell can't be hosted in a cloud by Amazon.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    7. Re:Compliance == Smart Business by TooMuchToDo · · Score: 1

      It's not cost effective for Dropbox. They break files into 2MB chunks, stored in S3 (and at last count, had between 22-24 billion objects stored). Their efficiency is due to being able to charge several people for storing the collective chunks of data once. If they have to start saving different chunks in different locations to deal with compliance, the whole business model goes to hell.

    8. Re:Compliance == Smart Business by Anonymous Coward · · Score: 0

      That's a different question entirely than the one the grandparent brought up saying PCI compliance was out of dropbox's hands because they relied on Amazon's security policies.

    9. Re:Compliance == Smart Business by KDR_11k · · Score: 1

      To me it sounds like a weakest-link type of deal and Dropbox is a very weak link when it comes to compliance.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    10. Re:Compliance == Smart Business by Ritchie70 · · Score: 1

      It's really the architecture.

      For example, if a credit processing system uses Dropbox for certain types of storage, but no cardholder data is contained in that storage, and there is no way for Dropbox to be used to compromise the non-Dropbox parts of the system, then Dropbox can be used now in a PCI compliant solution.

      On the other hand, it is extremely unlikely, no matter how good the security and audit-ability of Dropbox, that a solution that involves storing cardholder data in Dropbox could ever be PCI compliant.

      --
      The preferred solution is to not have a problem.
    11. Re:Compliance == Smart Business by rjstanford · · Score: 1

      And for what it's worth, full expensive compliance certification is rare as well. Last time I checked, the threshold for needing level one compliance (at least in the service provider segment) was ~600,000 transactions per year. We go through it every year, and it's a headache, but 95% of the requirements are actually reasonable - and the other 5% aren't that big of a deal to meet, as long as your systems were designed for it. But (again, IIRC) there are only around three thousand level one service providers globally, so it's not a terrible industry requirement.

      --
      You're special forces then? That's great! I just love your olympics!
  4. LOL !!! by Weezul · · Score: 1

    There are no cloud storage solutions that provide any measurable degree of security, except perhaps Wuala but even that's funky.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
    1. Re:LOL !!! by icebike · · Score: 1

      Depends on what you mean by security.

      Granted you have no control over the reliability of the physical plant the cloud operator uses.
      But as an offsite backup and transfer mechanism clouds are really quite good.

      Services like SpiderOak, https://spideroak.com/ where the cloud operator couldn't decrypt your data even with a court order provide as much protection as you can realistically expect when asking someone else to hold your data.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:LOL !!! by Weezul · · Score: 1

      I hadn't heard about SpiderOak. They're equivalent to Wuala though, reasonable sounding, but : (a) you should avoid closed source crypto software for anything important, even if you otherwise use a closed source OS like Windows or Mac OS X, and (b) their de-duplication trick might weaken their encryption and lets users verify content exists on your cloud drive, which might leave individuals open to lawsuits from the MafIAA.

      SpiderOak looks vulnerable to U.S. NSLs and maybe European subpoenas. Wuala is Swiss. SpiderOak's distributed nature might prevent them from complying silently with either however. I donno.

      --
      The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
    3. Re:LOL !!! by icebike · · Score: 1

      SUBPOENA nets them nothing when Spideroak does not have the decryption keys.
      The encryption methodology is clearly specified on the website. 2048 bit RSA and 256 bit AES.

      The de-duplication is only between your own files not other people's files.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:LOL !!! by Weezul · · Score: 1

      Umm, they could definitely be ordered to roll out a fake update using a national security letter.

      It sounds like Spideroak uses better cryptography than Wuala though, that's nice. Are you sure the deduplication is only among your own files? Why would anyone bother implementing deduplication for individuals? Or do you mean it does some version packing? If that's true, that's noticeably better than Wuala though. Thanks!

      Btw, there is a pure open source system called Tahoe-LAFS that's kinda overkill for most people, but does basically everything you'd want.

      --
      The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
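The trade-off argued in this sub-thread (Dropbox-style cross-user chunk de-duplication, the worry that a provider's "de-duplication trick" lets someone confirm a file already exists, and SpiderOak's "only among your own files"), as an added Python illustration that is not SpiderOak's, Wuala's or Dropbox's code. User secrets and file contents are constructed, and the SHA-256 counter-mode keystream is a toy stand-in for a real cipher.

```python
"""Added illustration: how a provider's de-duplication interacts with
client-side encryption.  Three chunk transforms are compared:
  plaintext   - chunks uploaded as-is (identical chunks stored once, globally)
  convergent  - key derived from the chunk's own hash (still global dedup,
                so anyone holding the plaintext can check whether the
                provider already has it)
  per_user    - key derived from a per-user secret (dedup only inside one
                user's account; an outsider learns nothing)
The keystream below is a toy built from SHA-256 and is NOT a real cipher.
"""
import hashlib
import hmac
from typing import Callable, Dict, List

Transform = Callable[[bytes, bytes], bytes]


def split_chunks(data: bytes, chunk_size: int) -> List[bytes]:
    """Fixed-size chunking (the thread describes 2 MB chunks; scaled down here)."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from SHA-256, XORed over data. Illustration only."""
    blocks = -(-len(data) // 32)
    stream = b"".join(hashlib.sha256(key + n.to_bytes(8, "big")).digest()
                      for n in range(blocks))
    x = int.from_bytes(data, "big") ^ int.from_bytes(stream[:len(data)], "big")
    return x.to_bytes(len(data), "big")


class DedupStore:
    """Content-addressed blob store: id = SHA-256 of the bytes the client uploads."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}

    def put(self, blob: bytes) -> str:
        cid = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(cid, blob)   # an identical upload is stored once
        return cid

    def contains(self, blob: bytes) -> bool:
        return hashlib.sha256(blob).hexdigest() in self.blobs


def plaintext(_secret: bytes, chunk: bytes) -> bytes:
    return chunk


def convergent(_secret: bytes, chunk: bytes) -> bytes:
    # Key depends only on content, so every user produces the same ciphertext.
    return toy_stream_xor(hashlib.sha256(chunk).digest(), chunk)


def per_user(secret: bytes, chunk: bytes) -> bytes:
    # Key depends on the user's secret AND the chunk, so the same user gets
    # the same ciphertext for a repeated chunk (intra-account dedup) while
    # different users never collide and distinct chunks never share a key.
    key = hmac.new(secret, hashlib.sha256(chunk).digest(), hashlib.sha256).digest()
    return toy_stream_xor(key, chunk)


def simulate(transform: Transform, chunk_size: int = 1024) -> Dict[str, object]:
    """Constructed scenario: Alice stores one file twice, Bob stores his own
    file, probes whether the provider already holds Alice's file, then stores
    that file himself.  Returns the observable counts for one transform."""
    alice, bob = b"alice-secret", b"bob-secret"                 # constructed secrets
    shared_file = bytes(i % 199 for i in range(3 * chunk_size))   # 3 distinct chunks
    bobs_file = bytes((i * 7 + 3) % 241 for i in range(2 * chunk_size))  # 2 chunks
    store = DedupStore()

    def upload(secret: bytes, data: bytes) -> None:
        for c in split_chunks(data, chunk_size):
            store.put(transform(secret, c))

    upload(alice, shared_file)
    after_first = len(store.blobs)
    upload(alice, shared_file)            # duplicate inside Alice's own account
    after_second = len(store.blobs)
    upload(bob, bobs_file)
    probe = transform(bob, split_chunks(shared_file, chunk_size)[0])
    confirmed = store.contains(probe)     # can Bob tell Alice already has it?
    upload(bob, shared_file)
    return {
        "blobs_after_alice_first": after_first,
        "blobs_after_alice_second": after_second,
        "bob_can_confirm_alice_has_it": confirmed,
        "blobs_after_everyone": len(store.blobs),
    }


if __name__ == "__main__":
    for t in (plaintext, convergent, per_user):
        print(t.__name__, simulate(t))
```

With per-user keys Bob's probe fails and the shared file is stored twice (once per user), which is exactly the storage efficiency Dropbox gives up if it cannot see identical chunks across accounts.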
  5. Just read the fine print by Alwin+Henseler · · Score: 2

    A business should know what it's doing and therefore not assume anything. So it should have people going over the fine print (and of course as provider, put out fine print to read).

    But depending on type of agreement & exact conditions, some of that fine print may not even be legally binding. So if it's important enough: consult a lawyer. And consider consequences of privacy breaches, regardless of legal implications.

  6. A warning? by drolli · · Score: 1

    no, they should just not claim to be compliant. there are so many regulations in the world to which you can be compliant that a company who needs to be compliant just needs to *verify* that all services used are as compliant as it's needed.

  7. They don't need warnings. by flimflammer · · Score: 4, Insightful

    Companies should assume they are not compliant unless the company tells them they are. I don't think Dropbox should need to put they are not compliant on their webpage, but they should be able to answer questions regarding their compliance if asked by a prospective business client.

    1. Re:They don't need warnings. by Fjandr · · Score: 1

      Exactly. If a business needs them to be compliant, it's a question they are obligated to ask when signing up for the service.

      Anyone who needs compliance with one of those standards should be asking, and if you don't ask you should assume they're not.

      This isn't rocket science, it's common bloody sense. People who don't have it and then do stupid things as a result deserve exactly what they get.

  8. Just ask by dnewt · · Score: 1

    If a company requires compliance with certain information security standards, then they should be checking these things prior to signing up. If it's not clear on their website, then a quick question sent to their sales staff should clear it up. If that doesn't clear it up, then I'd be concerned just because I'm not getting decent answers from their sales staff. I tend to contact sales staff and fire a bunch of questions at them anyway, just to get an initial idea of whether their service will be any good. If their sales staff know their stuff, then there's a chance the support staff might too. A good pre-sales experience doesn't necessarily mean post-purchase service will be up to scratch, but if they're poor at answering my pre-sales questions, then that usually means they're crossed off my list.

  9. HIPAA yes... but SARBOX? by sgent · · Score: 1

    This is targeted at small and mid-sized businesses....

    SARBOX only applies to publicly traded companies, of which very few in this market are, and even those few will be big enough to have professional IT resources.

    1. Re:HIPAA yes... but SARBOX? by deadeyefred · · Score: 1

      Small businesses that are third-party providers to publicly traded companies must comply with Sarbanes-Oxley as well.

  10. Dropped Dropbox by Bieeanda · · Score: 2, Insightful

    Seriously, if a company is going to shrug and blame something like this on a lack of beta tester vigilance, don't bother with them because you can be sure they'll pass the buck on anything that happens to your data too.

    Hell, don't deal with this particular outfit, period. I mean, how could people forget them basically turning passwords off for four hours in June?!

    1. Re:Dropped Dropbox by artor3 · · Score: 2

      They aren't "blaming this on a lack of beta tester vigilance". They're saying that in their beta tests, people didn't particularly care about these compliances, and thus they don't think that their customers will care either. They are being completely open and honest about the level of security they're providing. If it's insufficient for you, don't use their service. But don't say that nobody should use something simply because it doesn't meet your needs.

    2. Re:Dropped Dropbox by adolf · · Score: 1

      *shrug*

      I own a small business, and I keep my stuff on Dropbox just because it's an easy way to access it no matter where I'm at, or what computer(s) I happen to have with me.

      I keep backups of the stuff I put on Dropbox (using rsync and hard links to be somewhat space-efficient about having multiple generations of them stored locally). Anything which is even slightly sensitive is encrypted.

      I could care less if the entire contents of my Dropbox account were published freely, maliciously deleted/massaged, or if the company were to go away tomorrow (except for being a bit bummed about the hassle).

      Pro-Tip: If you put sensitive data on Teh Interweb without taking your own steps to properly secure it, you've got nobody to blame but yourself if/when it leaks out somehow...

  11. clear warnings are needed to cover IT ass by Joe_Dragon · · Score: 1

    Are they can point out to the VP or other higher ups that NO YOU CAN'T USE IT for your work and point to a clear warning so the VP can take the fall and IT can say there was a clear warning and the VP did not read it and used it anyways.

  12. Non-starter by Anonymous Coward · · Score: 0

    No serious business would use Dropbox for security reasons.

  13. Try SparkleShare by SpzToid · · Score: 1

    SparkleShare is a free open-source Dropbox-like GUI for GIT repos. Once setup using passwordless PGP keys, non-technical users see and use SparkleShare exactly as they would DropBox. While under the hood is tried-and-true GIT source code version control. You can even set it up as PCI DSS since it only uses your own infrastructure.

    On Ubuntu I also installed Rabbit VCS which gave me a range of right-click GIT options (like check-in, merge, etc.) Seriously, I failed earlier attempts setting up either Bazaar or GIT, whereas trying to get SparkleShare setup I finally succeeded and wow, this is a seriously cool project.

    http://sparkleshare.org/
    http://www.webupd8.org/2011/03/set-up-sparkleshare-with-your-own.html
    http://www.moosechips.com/2011/02/sparkleshare-testing-ubuntu/#comments
    https://github.com/hbons/SparkleShare/wiki/How-to-set-up-your-own-server
    http://is101507.students.fhstp.ac.at/?p=33
    http://www.instructables.com/id/SparkleShare-for-OSX-a-Dropbox-alternative/

    [Note: To 'remove' a SparkleShare client from the infrastructure pool, revoke the PGP keys at the server-level.]

    --
    You can't be ahead of the curve, if you're stuck in a loop.
    1. Re:Try SparkleShare by creepynut · · Score: 1

      Sparkleshare looks like a really slick application but it still needs to mature. Most importantly, it doesn't run on Windows!

      So let me try at least give it a shot:
      My Debian box - nope, not in the repositories yet. Wasn't able to get it running manually
      My Windows 7 machine - nope, no Windows version
      My Macbook Pro - nope, doesn't run on Mac OS Lion

      I'm sure these issues will be resolved in time but until they at least run on Windows they aren't going anywhere.

    2. Re:Try SparkleShare by SpzToid · · Score: 1

      TFA discusses PCI DSS, etc. and I proposed an open-source DropBox alternative on /. SparkleShare might not yet work on Mac OSX Lion, but it does work on Mac OSX Snow Leopard (not the latest OSX version I'll grant you but still).

      Since when does being PCI DSS compliant and mass-market user-acceptance become a mutual requirement? Frankly, I find avoiding mass-market OSs and software to be strategically more secure and thus desirable for PCI DSS infrastructures. Spear-phishing is less likely to function 'technically', by not using common-denominator stuff.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    3. Re:Try SparkleShare by TooMuchToDo · · Score: 1

      I'll use SparkleShare as soon as it uses an object storage system like Openstack's Swift on the backend (http://openstack.org/projects/storage/). Using GIT is a hack, when they should be using something like Swift (which is meant to be API compliant with Amazon S3).

  14. PCI compliance by King_TJ · · Score: 1

    The thing with PCI compliance is, some of the businesses having to wrestle with it AREN'T storing the credit card information in any way, shape or form on their systems. If they use a web based card processor and don't ever keep any paper copies of anything with the card info printed on it, I fail to see why it's much of an issue for them to comply with PCI regulations at all? The ways the card info might get compromised from their side of the equation, at that point, come down to things like a 3rd party intercepting the data (say, with a key-logger they installed on the PC they sign into the web to enter the cards on?), or employees stealing the info they're entrusted with when they accept a customer's card in the first place.

    Yet as I understand it, they still DO have to maintain a certain class of PCI compliance in these scenarios. Seems like it really is there just to serve as a threat, hanging over their heads.

    1. Re:PCI compliance by Kalriath · · Score: 1

      Correct. If you don't process the card yourself (instead running it via a third party processor and you never see the card number) you qualify for the lowest level of compliance. That level of compliance is basically "don't do stupid shit". Hell, I don't even have to fill in the SAQ-A.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:PCI compliance by Sancho · · Score: 1

      If their website became compromised, they could redirect to a fake payment processor to steal credit cards.

    3. Re:PCI compliance by Anonymous+Brave+Guy · · Score: 1

      On the other hand, there is nothing to stop a fraudster from setting up a completely fake web site in the first place without anyone from any legitimate merchant or card service provider even knowing about it, so any protection PCI-DSS supposedly offers against that particular kind of attack is dubious at best.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:PCI compliance by Sancho · · Score: 1

      This actually seems to be an argument against any protection whatsoever.

      Security is about layers. You protect as much as you can, and acknowledge that you can never get 100% protection. Silently hijacking a known good server gets around a lot of things--DNS, SSL, etc. Lots of warning flags that might go up with a wholly fake server won't exist.

    5. Re:PCI compliance by Anonymous+Brave+Guy · · Score: 1

      I certainly wouldn't argue for no protection whatsoever. However, security is a means to an end, and it only worth anything if there is something valuable to secure. If you impose such a burden on whatever that valuable thing might be that it becomes impractical, you've already lost. That goes for everything from inane security policies for office networks that stop staff actually doing their jobs right through to disproportionate obligations on someone running an e-commerce site such that running the web site at all is no longer commercially viable.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  15. It's not just the SMB's by Anonymous Coward · · Score: 0

    I can tell you right now, there's a groundswell in my organisation towards "consumerisation", and it's really frustrating. On one hand, I can build them a secure, backed up, accessible system that the business actually owns, in our own country. However, there's no budget. OTOH, there's Internet at all their workstations, and more importantly, they already have their own personal iPad. So why not simply change what they used to do (email it to gmail) by uploading it to dropbox, and then they too can show everyone their iPad and pertinent documents...

    Not denying the usefulness of a form factor that's instant on, and fast enough to do what they want. But consider a device with a swipe unlock, access to a bunch of information that would interest media people, and I have no visibility of any of this in Operations. All I know is my internet traffic is up, and if I block dropbox tomorrow it'll be another service they find via google in 5 seconds.

    Talk to your business, help find the balance between what they need/want from the technology, and help channel that enthusiasm into the best solution you can find. If you have compliance to worry about too, then that'll help the job. Classification of information and what devices/locations can access it will go a long way to making it clearer for everyone :)

    1. Re:It's not just the SMB's by afabbro · · Score: 1

      Bob Lewis, why are you posting anonymously on Slashdot?

      --
      Advice: on VPS providers
  16. get a clue by Tom · · Score: 4, Informative

    Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

    Neither. With all of those compliance regulations, it is the job of the company to ascertain compliance. You don't assume anything - if you do, you're not compliant. You not only need to know, you need to document your knowledge.

    So really, it's a non-issue except that it means Dropbox won't be used in environments that require this kind of compliance.

    Disclaimer: I used to be SOX compliance manager. I know what I'm talking about. /. would be a much better place if people submitting stories would, too.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:get a clue by Anonymous Coward · · Score: 0

      That's not really a disclaimer. That's a claimer.

    2. Re:get a clue by Tom · · Score: 1

      :-)

      True.

      --
      Assorted stuff I do sometimes: Lemuria.org
  17. They should assume they're not by Kjella · · Score: 1

    Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?

    Seriously, no matter what Dropbox does or doesn't comply with these companies should - and must, I would hope - assume they're not. How would this work for anything? Backups? SLAs? Oh, we just assumed a seven 9's uptime and continuous multiple off-site backups in secured facilities, since the company didn't prominently say anything else. If it's not in the terms, you should never assume it is part of the package. Why, pray tell, should this be anything different for regulatory compliance? I don't need regulatory compliance, neither do many others. If your needs are special, make sure they're being met. And if you haven't done that, the blame falls squarely on your shoulders IMO.

    --
    Live today, because you never know what tomorrow brings
  18. Oh, this isn't going far enough by a long shot! by Anonymous Coward · · Score: 1

    State-owned enterprises in New Zealand also have to abide by a few regulations that Dropbox Teams doesn't address. I think it's imperative that we all boycott Dropbox until all possible warnings are made prominent.

    Sarbanes-Oxley, HIPAA and PCI apply to a *tiny* subset of shareable business content globally. Welcome to the cloud. It's a big world - get used to it.

  19. I'm amazed that they are still in business by dbIII · · Score: 1

    Their service has been shown to be less secure than normal FTP which is something that could be provided by any web service provider on the planet, so how's that for an epic fail? All that is required is for somebody to supply a similar front end to one of many secure back ends and you've got a superior service by any measure.
    Remember these are the guys that had a problem where anybody could log into anyone else's account without a password? Then they had the long standing security flaw where once you gave somebody access to your account they had it forever, but users didn't know that because they could change their password to give the illusion of locking people out. That's not all, there are others that made it to stories here and other .

  20. Repeat after me: Dropbox is NOT about "security" by davide+marney · · Score: 1

    Dropbox is about backups and disaster recovery. It's a terrific service for SMBs who are worried that important files might get damaged, corrupted, lost, or stolen. They do NOT claim to securely store, they only claim to securely communicate. You want secure storage, you have to encrypt the file that gets backed-up on Dropbox yourself.

    So, no, Dropbox is not your solution to PCI, SOX, or HIPAA. All of those standards require a whole heckuva lot more that just using a great online backup solution. The real question ought to be why anyone even remotely would think that Dropbox is providing solutions in this space. They're either trying to cast some good ol' FUD because they work for the competition, or they're just plain incompetent.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
  21. mod up by davide+marney · · Score: 1

    This is the key point. Compliance is a "systematic solution" -- a process that leverages IT architecture, coding practices, and human behavior to meet a set of standards.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
  22. I have several law firms as clients that used... by FlyingGuy · · Score: 1

    to use DropBox. After the last SNAFU with their TOS they don't use them anymore. DropBox is simply not to be trusted.

    They now have several terabytes of storage on their servers and some screaming fast LTO4 tape drives in three tape changers that back up everything every night, and those are shipped off site every night.

    --
    Hey KID! Yeah you, get the fuck off my lawn!
  23. Why ... just why by fnj · · Score: 1

    Why would anyone use DropBox when there is SpiderOak? Hmmm?

  24. PCI data shouldn't reach DropBox by Animats · · Score: 1

    Most businesses shouldn't be retaining payment card data. Just pass it to the bank, do the transaction, and keep the last 4 digits of the credit card number for checking purposes. If you operate that way, PCI data never reaches DropBox.

    If the business does retain credit card data, usually for recurring billing, much higher levels of security are required. Those are the most vulnerable systems, the ones that are worth breaking into. Merchants that do that have to comply with a long list of tough requirements. They also face big penalties if they screw up. None of that data should ever enter DropBox.

    Remember when Sony screwed up? Their ability to take credit cards was shut down for weeks by Visa International and MasterCard. Visa sent in outside auditors. Sony had to pay for all that, plus a big penalty.

    And that's the good case. A small merchant who violates the PCI standards and has a data leak may have their merchant account cancelled and won't be able to get another one.

    The PCI standards are quite straightforward. There are only a few data items that have to be protected. They really do have to be protected; organized crime is constantly trying to get hold of that data to turn it into money.

  25. Actually pci does make a difference by OeLeWaPpErKe · · Score: 1

    Actually, while PCI-DSS may not be law, it's so deeply ingrained in the industry that it might as well be. I mean as far as international law exists, PCI-DSS holds the distinction of actually being adhered to outside of the US. Hell, even Iran's government follows this system.

    if you screw up and leak the data, no amount of protesting that you were PCI compliant is going to get you off the hook.

    The law, unless I'm very mistaken, simply requires that you implement "reasonable" security measures and register with the authorities. I believe there's also a requirement that you tell the police as soon as you find out that something's happened. Other than that, there's no legal requirement. However, the state is never going to reimburse damages to you, so really, this hardly matters at all.

    Where PCI-DSS gets you off the hook is with insurance companies. If you accept payments, and you screw up while adhering to PCI-DSS, they will cover most of your losses. One of the ways to screw up within PCI-DSS is to have 2 saboteurs cooperating inside your organisation, which has happened.

    Here's the big difference: if you screw up and lose other people's credit card numbers, there are 2 options:
    1) you did not implement PCI-DSS: you will get sued and you're responsible for all damage done with the stolen credit cards. This can, obviously, be a lot.
    2) you did implement PCI-DSS: you will not get money for fraudulent transactions. VISA or the issuing bank assumes responsibility for further fraudulent transactions made on other sites.

    In both cases you're "fucked" in that you lose money (which is a good thing imho, after all, you screwed up), but if you implement PCI-DSS you're significantly less screwed.

    Also, in many places (the US being one of the major exceptions) the banks will simply refuse to accept transactions from any non-PCI-compliant source. Anyone who's attempted to implement payments on a website will (should) know this.

    What bothers most people about this system is that there is no way to get a definitive answer on a transaction, either for a card holder or a business, given that you don't know whether it's fraudulent or not. The banks, paypal, credit card processors, even ATM centrals may give you the "OK" on a transaction, and register it, and *still* refuse to pay you the money afterwards, claiming fraudulent use of the card. There's no way to protect yourself 100% against this. It is a very American system: it protects the innocent, but not 100%. You can be fucked even in the case where you did not (knowingly) do anything wrong, and where it was not a case of negligence either. On average it works really well, but in the almost-never-happens cases there is no clear procedure to follow and there's lots of uncertainty.

    1. Re:Actually pci does make a difference by Anonymous+Brave+Guy · · Score: 1

      The law, unless I'm very mistaken, simply requires that you implement "reasonable" security measures and register with the authorities.

      The law in which jurisdiction? Although, having said that, most of the major ones are similar in this respect these days.

      The problem is what happens if "reasonable" security measures from a technical and commercial point of view conflict with the measures indicated by PCI-DSS.

      The banks, paypal, credit card processors, even ATM centrals may give you the "OK" on a transaction, and register it, and *still* refuse to pay you the money afterwards, claiming fraudulent use of the card. There's no way to protect yourself 100% against this.

      Actually, these days there seems to be, at least with the providers we're looking at here: on-line transactions that have been verified using 3-D Secure are considered fraud-proof and immune to chargebacks on that basis.

      This is the thing that really gets me about the whole industry: they know very well that the most effective single way to combat card fraud is two-factor authentication of the cardholder, hence Chip & Pin (or whatever you call it where you are) and 3-D Secure (for cardholder not present transactions over the Internet). The latter causes a certain amount of hassle during on-line payments, which is why some big retailers like Amazon don't require you to do it and prefer to "self-insure" against fraud, but if the card companies mandated it universally then they could solve their own fraud problem to a large extent and customers would get used to the fact that it's a normal way of making a card payment on-line even if they don't like the hassle of doing it.

      However, they haven't done this, and instead they continue to dump the fraud problem on retailers, even after confirming a card payment has been authorised. IMNSHO, the only time the retailer should be responsible for having a payment withdrawn after the fact is if they have failed to properly provide the product/service that was being paid for, which of course is fair enough whatever the method of payment.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Actually pci does make a difference by OeLeWaPpErKe · · Score: 1

      I'm confused :

      The problem is what happens if "reasonable" security measures from a technical and commercial point of view conflict with the measures indicated by PCI-DSS.

      This is pretty much exactly the problem most payment processors face. The obvious way out "a compromise" is a big no-no because compromise, law and lots of money don't mix.

      This is the thing that really gets me about the whole industry: they know very well that the most effective single way to combat card fraud is two-factor authentication of the cardholder, hence Chip & Pin (or whatever you call it where you are) and 3-D Secure (for cardholder not present transactions over the Internet).

      And this is a theoretical view you find a lot within academia. It doesn't work in practice (it's been tried). 3-D Secure has the problem that it's vulnerable to replay attacks. In the US there's just a softer target available, which is why this hardly ever gets attacked. In Europe the simplest attacks are replay attacks, and what you're saying isn't true.

      The general problem with 2-factor auth is twofold. First, banks' customers are idiots. Large groups of idiots + even mild complexity in authentication = millions in support costs, mountains of complaints and customers running away. Large groups of idiots versus good intentions ... an explosive mix.

      Second there is no such thing as a simple and secure machine-human challenge-response authentication scheme. In other words, the human part of the equation is vulnerable to replay attacks. PINs are easily copied, or given up under threat. Just ask Euro banks, who require PINs on pretty much all transactions.

      In theory Euro banks have a fix for this. Euro bank cards have 2 PINs that will work. A normal PIN and a "panic" PIN : which will authorize transactions, but also call the police. Brilliant idea if you ask me. There's just one tiny issue : nobody knows about this (the banks do, of course, customers don't). Except for 2 ATM programmers I was working with (who had to implement the "call the police" behavior) I've never met anyone who knew. Just so you know : it's "usually" your pin + 1 (if your code is 1234, try 1235. Keep in mind that if you enter the panic code, your card *will* end up blocked, just not immediately).

      The smartest production human-computer authentication scheme I've ever seen is this : the bank would issue you a paper, containing a long series of numbers. Like so :

      098435-82482398-82394823489-982383

      Then, come challenge time, they present you with a string like this :

      ***X**-**X*****-***X*******-*X****

      And a four-digit input field. I'm sure you can figure out what to do. The problem is of course, that everybody keeps the paper with the full key. The number of unique 4 digit combinations they can present is huge, and with a creative permutation scheme, "nearby" authentication attempts do not share any information.

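      The paper-sheet challenge/response described in the comment above, as an added example that is not the commenter's code. It assumes the sheet is a string of decimal digits, each challenge names four distinct positions, and the server records which positions have already been asked for so the sheet can be retired before an observer of past exchanges has seen most of it.

```python
"""Paper-sheet challenge/response (added example, not the commenter's code).
Assumptions: the sheet is a decimal-digit string, a challenge names 4 distinct
positions, and the server tracks positions already exposed so a sheet is
retired before an eavesdropper could assemble most of it."""
from __future__ import annotations

import hmac
import secrets

POSITIONS_PER_CHALLENGE = 4


def issue_sheet(n_digits: int = 40) -> str:
    """Generate the digit sheet the bank would print for the customer."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def make_challenge(sheet_len: int, used: set[int]) -> tuple[int, ...] | None:
    """Pick 4 positions never asked for before. Returns None once the sheet is
    exhausted: reusing a position would make a previously observed answer
    replayable, which is the weakness the sheet scheme must avoid."""
    fresh = [i for i in range(sheet_len) if i not in used]
    if len(fresh) < POSITIONS_PER_CHALLENGE:
        return None
    chosen = []
    while len(chosen) < POSITIONS_PER_CHALLENGE:
        chosen.append(fresh.pop(secrets.randbelow(len(fresh))))
    return tuple(sorted(chosen))


def render_mask(sheet_len: int, challenge: tuple[int, ...]) -> str:
    """Show the customer which digits to type, in the ***X** style above."""
    return "".join("X" if i in challenge else "*" for i in range(sheet_len))


def expected_response(sheet: str, challenge: tuple[int, ...]) -> str:
    """The 4 digits the customer is expected to read off the sheet."""
    return "".join(sheet[i] for i in challenge)


def verify(sheet: str, challenge: tuple[int, ...], response: str,
           used: set[int]) -> bool:
    """Constant-time compare. Positions are marked used even on failure so the
    same challenge is never reissued after it has been seen on the wire."""
    used.update(challenge)
    return hmac.compare_digest(expected_response(sheet, challenge), response)


def exposed_fraction(sheet_len: int, used: set[int]) -> float:
    """Share of the sheet an observer of every past exchange now knows."""
    return len(used) / sheet_len
```

      With a 40-digit sheet, ten exchanges expose every digit, which is why the server side has to retire and reissue sheets rather than keep drawing challenges forever.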
    3. Re:Actually pci does make a difference by Anonymous+Brave+Guy · · Score: 1

      So let me get this straight.

      Firstly, you think Chip and PIN -- a technology widely reported to reduce in-person card fraud by up to 80% around the time of its adoption in my country -- is a theoretical benefit drummed up by academics.

      Secondly, you believe that 3-D Secure doesn't work either, despite the fact that the card industry (whose only interest here is in effectively reducing fraud) have been pushing it heavily for several years, so much that in some cases they will accept responsibility for fraudulent transactions themselves instead of dumping it on the merchant if 3D-Secure verification is used.

      And finally, you believe that not only do panic PINs exist, but that they are set up to result in the police being called any time someone mistypes their PIN by a digit, even though the people they are supposed to protect don't even know about them.

      I can only assume that you're deliberately trolling at this point. The last one in particular is an old wives' tale that has been debunked numerous times over the years. I imagine Snopes has it if you really do believe it.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  26. Security is a process - not a product by rbadgirl · · Score: 1

    .. and all the security providers are facing uphill battles. Yes - it is inconvenient to use high security systems instead of email. Yes, it's easy to store files on Dropbox or Microsoft 365. Remember how long it took to convince people that virus scanners are important? And it's not only the regulated data. Whenever a business transfers or stores customer data, it should act very responsibly. But it is the sad truth that most businesses don't know (or don't want to know) anything about secure storage or transfer services.

    I am working with a company called 'closedXchange' and we are providing high security data storage and transfer solutions. We are working hard every day trying to explain to our customers that they should never store or transfer confidential data out of their environment unless they can be 100% sure that it is safe. But how can one be sure that the data is not messed with? The only solution is point-to-point encryption: the data must be encrypted on one's own computer before it is sent or stored.

    We will see a lot more break-ins, data theft and privacy violations. Tons of data will be lost to international competitors, be used in blackmailing and to clear people's accounts. As I am deeply involved within this environment, I am _very_ careful whenever it comes to my personal data. Believe me, I know that plenty of companies are losing data every day. That companies are being blackmailed and forced to buy their own data back from specialized black hats in eastern Europe and Asia. And - don't forget our very own agencies who are very interested in data too. Yes - Dropbox is all about convenience. But if they don't inform their customers about potential problems, they should be held liable. My two cents, m.

    1. Re:Security is a process - not a product by MysteriousPreacher · · Score: 1

      They should definitely be liable if they set incorrect expectations with regard to their services. If however Joe's Web Design uses a service that, for the sake of argument, is clearly being sold for non-commercial use, they should only be liable to deliver that which they promised to do. Blizzard should not be held liable if Joe eschews WebEx in favour of WoW for online meetings with his clients, and complains that server downtime lost him an important client.

      --
      -- Using the preview button since 2005
  27. Fixing this silliness by Anonymous Coward · · Score: 0

    This silly use of Dropbox is easy to fix. Just dump some huge files there every day. Such as a handful of DVD images. Watch their computers do nothing but syncing - syncing - syncing. Do it from some other computer. When there are enough complaints, tell them that Dropbox is the problem. You don't suffer because you don't bother with it. "Yeah, it was *easy*, but it kills performance." Then offer them the proper solution, which is a file server. No stupid syncing, and working directly on the server folder is ok. And later you can add backup and such - if necessary.
