Slashdot Mirror


Dropbox and Google Want To Make Open Source Security Tools Easy To Use

An anonymous reader writes: Dropbox, Google, and the Open Technology Fund have announced a new organization focused on making open source security tools easier to use. Called Simply Secure, the initiative brings together security researchers with experts in user interaction and design to boost adoption rates for consumer-facing security solutions. The companies point out that various security options already do exist, and are technically effective. Features like two-factor authentication remain useless, however, because users don't adopt them due to inconvenience or technical difficulty.

24 comments

  1. First by NotInHere · · Score: 5, Insightful

    Dropbox should open-source its desktop client to prove it does what it is supposed to.

    1. Re:First by Anonymous Coward · · Score: 0

      Well, now the commercial goal of Open Source software is mainly to benefit from the work of other people, not to share or perform real development yourself.

    2. Re:First by mlts · · Score: 1

      How about an open source cloud sync API, that allows machines to sync with the offsite provider, as well as each other. That way, each provider doesn't need to reinvent the wheel with this code.

      Even better, add hooks for encryption, either a symmetric key, or some faculty that uses public/private key encryption to allow files to be stored without a key, but would need the private key for retrieval.

      Best of all would be a way to have a low-cost, low-volume service like Amazon Glacier and an API for that. That way, files can be flagged to be sent to the low-cost storage service every so often.

    3. Re:First by Dagger2 · · Score: 1

      That's the general goal of the Free software movement. There's far, far more software out there than any one entity can produce, so 99% of the time you'll be benefiting from the work of other people.

    4. Re:First by Anonymous Coward · · Score: 0

      That's a good idea. It'll never catch on, because it would kill the current providers, who would no longer have lock-in: anyone would be able to set up a cloud of their own, rather than having to depend on one company's service in order to take advantage of their software. And, really, it's the software that wins customers for DropBox: their little app just works, works beautifully, and integrates perfectly.

      That said, the company to ask for an open cloud API is Apple. They have a huge userbase already via OSX and iOS, and they know how to make "just works" software. They have some cloud experience, and they've worked out a lot of bumps (compare with Microsoft, whose cloud software doesn't even support their own Outlook 365 for business). They also have experience with encryption, often in subtle ways that most people don't realize (Ever looked at how good their SMIME support in their mail clients is? It's practically invisible, but it works perfectly if you have a certificate installed, whether on mobile or the desktop.) Apple could do a lot for promoting an open cloud API by integrating it into their OSes and making it absurdly easy for the consumer to use, much like they've done with mail/calendaring/notes/etc for cloud services. They could also do it securely.

      My guess, though, is that they won't, on the precedent of refusing to put FTP/SFTP into the shell. They refused to do that (even though SFTP is installed and available through the command line) because they didn't want to step on Fetch and the other companies that were making FTP clients; they probably don't want to step on Dropbox and the cloud services either, which is why it's taken them so long to provide access to iCloud storage except through individual programs.

  2. How about buying PGP? by mlts · · Score: 4, Interesting

    If they are serious, they should buy Symantec Encryption Desktop (formerly PGP Desktop) from Symantec and open source the full version of that. It has a decent UI, works well with Outlook and Thunderbird, and does well on Windows, OS X, and Linux. That would give decent security on the hard disk level, file container, and individual file level. Even directories can be encrypted, CFS/EncFS like.

    1. Re:How about buying PGP? by swillden · · Score: 1

      It has a decent UI

      Really? Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. Yeah, it was a while ago and some things have improved, but most of the issues remain and I doubt another focus group study would find significantly different results.

      The problem is that designing a UI that makes it easy for people who don't know anything about cryptography or security to achieve useful cryptographic security is really, really hard. Almost as hard as educating everyone about cryptography and security enough that they can achieve useful cryptographic security with PGP.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  3. Winnie the Pooh by Phoenixlol · · Score: 0

    I just realized "Honey Boo Boo" is probably a reference to Winnie the Pooh.

    1. Re:Winnie the Pooh by Anonymous Coward · · Score: 0

      +1 Off topic

  4. ping by Anonymous Coward · · Score: 0

    sterilize ping.

    worse than open ports... a nightmare all on its sniffer own....
    sterilize ping.

    mickysoft will hate you for it, but what the hey...

    1. Re:ping by MightyMartian · · Score: 1

      Reading this post made me feel dirty.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

  5. Pro Tip: by jsepeta · · Score: 1, Flamebait

    When performing maintenance on Sundays, don't turn off passwords for your entire userbase, DROPBOX.

    Bonus tip:
    Hiring Condoleezza Rice told me everything I need to know about you jackasses. If I want to use cloud storage, every other vendor in the world doesn't employ war criminals. So it's easy to choose a vendor who doesn't upset my conscience.

    assmonkeys

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.

    1. Re:Pro Tip: by bjwest · · Score: 1

      Holy shit! It's now racist to hate one black person, not for being black, but for any reason at all? Or is Condoleezza Rice the member of the Condoleezza Rice race?

      --

      --- Keep the choice with the user..

    2. Re:Pro Tip: by sumdumass · · Score: 0

      Holy shit! It's now racist to hate one black person, not for being black, but for any reason at all?

      Yup, it's been that way since 2008. Where have you been that you did not get the memo?

    3. Re:Pro Tip: by Anonymous Coward · · Score: 0

      Some American conservatives are /that/ stupid, yes.

    4. Re:Pro Tip: by aaaaaaargh! · · Score: 2

      Why is OP modded Flamebait? He's right!

      Dropbox is the last company on earth that should be trusted with anything related to security or encryption. They have proven to be incompetent regarding security (and programming in general, for what it's worth) and there are countless alternatives on the market that are better than Dropbox. And yes, hiring Condoleezza Rice does not make them more trustworthy either. Having her on the board is like appointing Dick Cheney as a human rights adviser.

      People who honestly believe Dropbox can keep their personal documents safe against hackers or, an even more ridiculous idea, against the NSA must be seriously misinformed or deluded.

  6. ROFL by Anonymous Coward · · Score: 0

    Dropbox, Google and security all in the same sentence ?!? When did slashdot become a comedy forum ?

  7. Easy to use, eh? by Anonymous Coward · · Score: 0

    Is that so Dropbox and Google employees will use it?

  8. How about buying PGP? by Anonymous Coward · · Score: 0

    yes, and make gpg usable.

  9. Don't get fooled again by moxsam · · Score: 1

    After the Snowden leaks, every tech company that wants to be taken seriously needs to improve on their security, do some crypto on the user backend and generally be more open. Or at least pretend to.

    Remember that Google's goal is not to improve security but to win over more customers, in other words make you choose their service over another company's service, even over a much more secure one. This kind of campaign to improve is what might tip over many potential customers and choose Google after all, contrary to all rational thinking. It's cheap to do for Google given their internal resources, it's simply necessary in order to keep a foot in the market and so it's nothing unexpected or generous, and therefore it's definitely nothing to get excited about as a potential customer.

    The question is: Is it good enough to keep the spooks from not looking? Answer: Probably not. So move along.

  10. webdav & encfs by MadMaverick9 · · Score: 1

    If Dropbox and Google would support WebDAV, then this would be a non-issue.

    Mount WebDAV resources with davfs2 and secure it with encfs:
    http://flux242.blogspot.com/20...

  11. Securing cloud data by Tool+Man · · Score: 2

    What they need to do is implement client-side encryption before it gets uploaded. Sure, we can use something like EncFS to let Dropbox host only files I've already encrypted, but other cloud-storage companies like SpiderOak have written themselves out of access to my file contents.

  12. How Secure? by Anonymous Coward · · Score: 0

    A data mining company like Google wants to provide security tools?? Oh yeah, will I have to provide a phone number as well as my social security number, or do they already have that?