Dropbox 'insecure and misleading' – crypto researcher

Popular cloud storage service Dropbox is misleading users into thinking it is more secure than it really is, says a security researcher and academic, who has asked for the FTC to investigate. Dropbox has around 25 million users. It's often used as an escape hatch by owners of Apple's iPhone and iPad: the iOS slabs don't expose …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    Security? Privacy?

    I think in ten years nobody will remember what the words security or privacy even mean. I hope many users will follow Jon Callas' idea and delete their dropbox account as well.

    I deleted it when it turned out all you need is the host key and that that is stored unencrypted on disc, instead of securely in the gnome keyring (or their counterparts on other OSes).

    1. ArmanX

      But why?

      When I store things in my Dropbox account, it's usually just to transfer between my home and work computers. It's things like artwork I use for backgrounds, grocery lists, a short story I wrote, wishlists... basically, things I don't care if anyone sees.

      I do store some sensitive stuff there, too... but it's encrypted. Think of it like email; anyone between the sender and the receiver can read the email, if they wanted. That's what PGP is for, right? Encrypt your email, and no one else will read it. All you need to do is encrypt your data. Oh, sure, someone might be able to crack it, but if it's something that is that important... don't put it in Dropbox.

      I understand the concern - Dropbox should make sure that user files are already encrypted - but for goodness sake, people. If you're concerned about security, shouldn't you already be encrypting any files that aren't chained to your wrist?

      1. Anonymous Coward

        Home - work

        Don't you think of your work files as important? Is your artwork available to all to use as they see fit? And if you are happy for me to read your other files, please post a link to them so I can. Why use Dropbox, why not leave it on an open webserver for all to see?

        Likewise, there is a risk that once people can view your files, they can change them. Then all of a sudden you are bringing dangerous material onto your work machine - I am sure that will go down well.

        I totally agree with you over the fact people should be encrypting them but the problem is services like Dropbox allow people to come to the conclusion it is a "safe" place to store files.

        It isn't.

        And everyone should be concerned with their privacy and the privacy of their files. Sadly they aren't.

  2. Danny 14
    Jobs Halo

    oh well

    I seem to remember seeing a webdav client. Just host your own webdav server.

  3. Chris Miller
    Happy

    No surprise

    Any commercial offering is likely to want such a backdoor, in an attempt to restrict use of their service by kiddy fiddlers, the late OBL, or (horror of horrors) copyright material. I would never even think about using Dropbox for anything remotely sensitive or anything at all to do with business. But it's great for sharing stuff with myself/friends/family/world.

    If I did have a business need to share confidential information using Dropbox, I'd simply encrypt it first. There, that wasn't too painful, was it?

    1. Anonymous Coward

      Cui bono

      Actually, there are good reasons for NOT wanting a backdoor as a commercial enterprise. The very first is that if you can't read your users' data, neither can a hacker that breaks into your servers. The second is that if you can't know what your users are storing, you can't be forced to reveal it, even if presented with a court order or the like.

      Note that preventing yourself from being able to eavesdrop on your users might be illegal in the first place, depending on the jurisdiction (like the trouble RIM had with Blackberry encryption in India, I believe).

      If you want to know what a company is likely to do, you must look at what is in their best commercial interest. Anything else must be assumed to be bullshit ("don't be evil, etc.").

      1. Peter Gathercole Silver badge
        Alert

        Backdoor

        I can't remember what dropbox state as their business continuity model, but if they offer any form of backup at all, then they have to have some means of reading the data to replicate or copy to backup media. Even if they offer encryption, then unless it is client side (i.e. on your system) before being sent over the wire, someone would have the opportunity to capture whatever is needed to prime the encryption.

        Let's face it, if you use somebody else's service to store your data, do you ever have anything other than their assurance for the security of that data? The only thing you can be sure of is what you do yourself, so either don't trust them with sensitive data, or encrypt it, just as everyone else is saying.

        It's a no-brainer, really.

  4. Anonymous Coward
    Black Helicopters

    Yes, but,

    What can Uncle Sam see?

  5. Patrick O'Reilly

    It's as secure as you make it.

    Putting a large Truecrypt partition in the Dropbox folder makes it way more secure.

    Their transport is encrypted but the files are not encrypted on the server, hence being able to access them from a web interface.

  6. Andrew Waite
    FAIL

    No Problem

    Only file in my dropbox account is a TrueCrypt container.

    Encrypt/protect it yourself and it doesn't matter if other (free) services don't protect your data as well as you would like.

    1. DrXym

      Easier again

      Truecrypt is fine but even easier is just install 7-zip and create an encrypted 7z file. Drag and drop stuff into that. Problem with Truecrypt volumes is they change so much that the dropbox client would be forever trying to upload the file every time it changed.

      It also wouldn't hurt if the client offered an optional client side crypto where a user could create a key, associate it with a particular folder and everything put in that folder is scrambled with the key. There would be absolutely no way server side to read the data because the key remains on the client (unless the user is stupid enough to drop their key in dropbox). Of course the user would be responsible for distributing the key to their various machines and it might disable web access, but it would still be a useful option for people who want security without the hassle of Truecrypt

      1. Glen 1

        both truecrypt and dropbox split things up on the block level.

        Dropbox only uploads the parts of the file that have changed, and if a file in a truecrypt container is edited, only the block containing the file is re-encrypted.

        That said, if you have a large container, and edit its contents a lot, you have the overhead of dropbox constantly recalculating the hashes...

  7. The Alpha Klutz

    boo hoo

    You don't always have to do everything Apple says.

    You wouldn't buy a chocolate teapot, so why would you buy a, quote-unquote, computer, that doesn't have a file system or any USB ports?

    How long have we had USB flash drives? Like 10 years? Everyone has them, everyone that is, except for Steve Jobs, who plainly looks as if he spends 14 hours a day sleeping in an Oxygen deprivation tent on the moon.

    Actually, his face resembles the moon more closely with each passing day. Grey, dispiriting, probably had people walking on it in the 60s.

    Is that who you want to get your computing insight from? Well maybe if you are 92 years old going on 103.

    1. Andrew Waite
      Stop

      RE: boo hoo

      I might be missing something, but Apple's 'quote unquote computers' do have USB ports. It's their tablets and phones that don't.

      Or did I miss something in the latest iMac launch?

      1. The Alpha Klutz

        "It's their tablets and phones that don't."

        Otherwise known as a tablet.........? Computer?

        1. maclovinz
          Happy

          @TAK: "Otherwise known as a tablet.........? Computer?"

          Really? Uh....okay. I'm NOT going to go into how many things you can do with iPads over Android tablets. OR, how locking things down promotes proper functionality of a device. OR, how many people using the iPad don't give a shit about FULL functionality in such a device.

          Nope, none of that at all.

          Cheers, from a fanboi....yet realist.

    2. mark 63 Silver badge
      Headmaster

      don't quote me

      " why would you buy a, quote-unquote, computer, that doesn't have a file system or any USB ports?"

      FYI When writing as opposed to talking you can use actual "quote" symbols :)

    3. Apocalypse Later

      "You wouldn't buy a chocolate teapot"

      Yes, I would. I wouldn't make tea in it though. Millions of people have just had an orgy on chocolate bunnies and chocolate eggs, which are no use whatever for the usual purposes to which rabbits and eggs are put.

      I have a chocolate watch, in my watch collection. It is right twice a day.

      1. The Alpha Klutz

        The point is

        that many of the people who purchased iPads did so under the false assumption that they would be able to easily move files around. They can't, and the device is therefore not fit for purpose (the purpose for which they bought it that evidently requires them to move files around). That's a failing on somebody's part, but not mine.

        1. Anonymous Coward
          FAIL

          RE: The point is

          The only failing is on your inability to adequately troll.

          "that many of the people who purchased iPads did so under the false assumption that they would be able to easily move files around. They can't, and the device is therefore not fit for purpose (the purpose for which they bought it that evidently requires them to move files around)."

          Bollocks. Let's have some citations and sources, bucko.

        2. SharkNose

          ermmm....

          Try FTPOnTheGo...brilliant little app that lets you download and store files on your iOS device. That said, apart from myself, I've never talked to anyone who complained about not being able to store files on their iPhone or iPad, most people are happy to install apps that use, store, and manage whatever data they need, rather than having to worry about files and directories like it's a PC...

    4. Magnus Ramage

      What goes around comes around...

      I agree that I wouldn't want to buy a computer that can't easily get files on and off. Ironically, IIRC it was Apple who started the whole USB flash drive thing. The first iMacs had no floppy drive. People were scandalised. How were you meant to quickly backup files, or take them between work and home, or share them with colleagues? (This before home broadband, natch, when using the Net from home was slow and expensive if you could do it at all.)

      So a whole new market opened up to satisfy Apple's lack of support for floppies. Except that quickly everyone realised how much better USB drives were than floppies, and after not too long PC manufacturers largely dropped floppy support too.

      And so to 2011. I don't have a tablet device, but I do have an Android phone. It has excellent USB support for uploading files to a PC (though it can't take USB drives). I never use it - if I want to get a file to and fro, I use Dropbox. It's simply easier, even if sitting next to the PC.

      I wouldn't put secure stuff on my Dropbox account, but then it's free and on the Internet - I wouldn't do the same thing with Gmail.

  8. whats the point of kenny lynch?
    Unhappy

    copyrighted material?

    so how do they know which of their 25 million users has 'copyrighted' material then?

    do they just run a massive search for mp3/mpeg etc files?

  9. Juan Inamillion
    Troll

    @The Alpha Klutz

    Just in case anyone missed the troll alert.

  10. Joe Montana
    WTF?

    Nothing new...

    In other news: COMPANIES LIE

    There are countless examples of companies that intentionally mislead or blatantly lie to (potential) customers in order to make them think the products are better than they really are.

    1. maclovinz
      Thumb Up

      Yeah....

      ....it's called "Sales".

      The people are called "Salespeople".

      i.e. Crap Peddlers

      Thank you Simon. XD

  11. a53

    Er....

    So is my 1Password's agilekeychain secure?

  12. Anonymous Coward
    Black Helicopters

    Careful now

    I've been using Dropbox for a couple of years, but for much of that time I've made a point of placing anything private in an encrypted container, on the assumption that SOMEONE might get (or have) access to my Dropbox space without encryption at their end. (They must have sysadmins, surely?)

    To be honest, I'm more concerned about this scenario: what if someone gained access to the Dropbox filesystem, and just hit "delete" on the lot? Would all the users' computers assume that the USER had intentionally deleted all files on the server, and simply remove the local copies accordingly?

    Think it's about time I set up an automated backup of my Dropbox files to my NAS box (with no connection to Dropbox itself). I suspect I've been trusting DB more with my important files than is sensible...

    1. Anonymous Coward
      Badgers

      ... horses for courses

      Undoubtedly Dropbox is a great file sync tool but it's not a backup or secure vault solution. Any company can go into liquidation overnight and if their Amazon S3 bill wasn't paid over the weekend your laptop fell in the bath you'd feel foolish.

    2. Grommet
      FAIL

      Doh!!!!

      I don't use dropbox for anything important or confidential on the basis that nothing connected to the internet is secure.

      However I hadn't thought about the possibility of someone deleting files from my dropbox account and it suddenly being lost on all computers. It wouldn't be serious but it would be a pain. Setting up alternate backup system now. Thanks AC.

      Fail: because I should know better.

  13. McVirtual
    Flame

    DropBox - ConBox!

    The main problem with DropyourpantsstorageBox is that as soon as somebody shares a folder with you, THAT capacity is then added to YOUR capacity utilisation....

    Sod security!!

    Give me value for money you foooookers!

  14. Tom Reg
    FAIL

    They don't seem to care about privacy

    They ran Dropbox as a public 'map' mapping SHA256 codes to the actual file you want. So if you knew the file's hash you could download the file. And at the very least, even using their own tools, if you had a copy of the file, you could determine if it was up there.

    Tons of exploits with this:

    If you know that a password is stored in a file:

    login:Bill Clinton

    password:?????

    You can just make up 200,000 files and hit their servers - they will tell you when you find the file already up there.

    They knew about this bug for at least 8 months - and left it in because it increased performance and saved them and their customers money. So to me that shows where they sit on security. This client side de-duplication is turned off now.
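
The behaviour described in the comment above, as an added example that is not part of the original comment and is not Dropbox's code: a toy in-memory store showing why answering "already have it" to a client-announced hash leaks information, next to a variant that de-duplicates only after the bytes arrive. The class and function names and the sample contents are assumptions made for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ClientDedupStore:
    """Toy cross-user store with client-side de-duplication (hypothetical model)."""
    def __init__(self):
        self.blobs = {}    # hash -> content, one copy shared by all accounts
        self.owners = {}   # hash -> accounts allowed to read it

    def offer(self, user: str, file_hash: str) -> str:
        # The client announces a hash before sending any bytes.
        if file_hash in self.blobs:
            self.owners[file_hash].add(user)  # linked on the hash alone
            return "skip-upload"              # answer reveals other users' data
        return "need-upload"

    def upload(self, user: str, data: bytes) -> None:
        h = digest(data)
        self.blobs.setdefault(h, data)
        self.owners.setdefault(h, set()).add(user)

    def can_read(self, user: str, file_hash: str) -> bool:
        return user in self.owners.get(file_hash, set())

class ServerDedupStore(ClientDedupStore):
    """Same storage saving, but de-duplication happens only after the bytes arrive."""
    def offer(self, user: str, file_hash: str) -> str:
        return "need-upload"  # constant answer, nothing linked without the content

# Constructed sample contents, not real data.
ALICE_FILE = b"constructed sample: quarterly-report v1\n"
OTHER_FILE = b"constructed sample: unrelated file\n"

def leaks_existence(store_cls) -> bool:
    """True if the server's answer differs for stored vs. never-stored content."""
    store = store_cls()
    store.upload("alice", ALICE_FILE)
    return store.offer("bob", digest(ALICE_FILE)) != store.offer("bob", digest(OTHER_FILE))

def hash_grants_access(store_cls) -> bool:
    """True if announcing a hash, without the bytes, makes the file readable."""
    store = store_cls()
    store.upload("alice", ALICE_FILE)
    h = digest(ALICE_FILE)
    store.offer("bob", h)
    return store.can_read("bob", h)

if __name__ == "__main__":
    for cls in (ClientDedupStore, ServerDedupStore):
        print(cls.__name__, leaks_existence(cls), hash_grants_access(cls))
```

The second store still keeps a single copy per unique file; it gives up the bandwidth saving of skipping the upload, which is the trade-off the comment attributes to the original design.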

  15. Anonymous Coward
    Megaphone

    Bottom line

    To address topics brought up above:

    1. iPad is crippled. It is reasonable to expect USB, storage expansion and a file system on a general-purpose computing device.

    2. Use reliable encryption for sensitive data stored on systems that you do not control.

  16. Jacqui

    it's a postcard service

    similar to email. I still have fun trying to explain why email between staff members is safe but email redirected to home btinternet or ntlworld accounts is not. Customers just don't get the idea that email has value to third parties.

    It has been proven that US mail and ISPs have disclosed net traffic "contents" to the US government who have passed said data to US companies tendering for large projects. Ditto for UK net snoops and certain UK based interests.

  17. Anonymous Coward
    Boffin

    We believe this complaint is without merit...

    Standard 3rd rate lawyer boiler plate.

  18. MichaelFindlay
    Boffin

    If you are really that concerned

    Most people do not store blackmail material on their Dropbox, it is a method of syncing files between your machines and a useful tool. If you really are that concerned I am sure you can get a much slower, more expensive enterprise product to do this job for you.

    It is inevitable that the service offering you the storage solution is going to have engineers with access to your data, I am sure Microsoft and Google cannot access your online documents?

  19. ZenCoder
    Thumb Down

    Minor thing to complain about.

    It's a fact of modern life that when you do business with a company, there are people at that company that you are going to have to trust with your personal data.

    I don't have much private information that I could put on drop, that is not already to some trusted employee somewhere. I have to trust employees at every bank I have an account with, the IRS, the library, hospitals, Dr offices, phone companies ...

    I'm happy as long as random strangers can't access my data. If I am storing something mildly sensitive I'll password protect it with my office suite. Maybe throw it in a password protected zip file.
