Yay Cloud!
Another massive win for the cloud...
Storage and file-sharing vendor Dropbox made a huge cock-up during last weekend's upgrade leaving all of its user accounts unlocked. Encryption is not performed by the cloud provider's client, meaning that all customer information was there for the taking on Sunday between 1.54pm and 5.46pm. Dropbox issued no official comment …
I've used Dropbox for a few years and love the free service, but I have never trusted them enough to put my most private and important files into my dropbox. It's tempting to use it as an off-site backup of critical files (in case your house burns down or a burglar steals your PC and backup DVDs) but I don't totally trust the competence of these services where encryption is not done at the client and the customer doesn't exclusively hold the key.
Communication is critical if there's a problem. Failing to talk to customers quickly enough always ends with angry customers. Yeah, I know it's a free service for most people. Glad I didn't upgrade.
Unacceptable, but typical... Cloud providers who offer free services or even cheap budget services statistically WILL screw up at some point.
The important thing is for users to be aware of this and not treat the cloud as secure storage for sensitive data. Honestly, anyone who trusts Dropbox, MobileMe, box.net or any other such service with their sensitive data is a fool...
On the other hand if people managed to access some photos that I wanted to share with my mum, or an mp3 that I wanted to sync to my phone, no big deal. And that's the kind of thing these services are only good for really.
Paris, because only she would trust her private data to the cloud e.g. her sex tapes ;-)
Sugarsync, Wuala, SpiderOak are all viable alternatives, some (all?) of which properly encrypt user data. There is no reason for a service as popular as Dropbox to protect its customers by implementing client-side encryption. If they did, this would not have been an issue.
1% is a dimensionless number and is utterly worthless and meaningless. Being *nearly* right isn't ever *good enough*.
If I wrote code that was only 99% accurate then it would, to me and my customers, be completely useless.
Similarly, if a typist is only 99% accurate in her work, she'll soon get fired.
The devil is in the detail, not the stats.
If 99% of the programs I write compile and work correctly the first time, that's pretty good. If my typist has a 1% chance of making a mistake on any given day, that's outstanding. If my engine blows up once every 10 million rotations, that's still better than six-sigma performance.
Check your context before you start spouting nonsense.
If you intended your engine example to also be an example of good performance, then it is way out. 10 million rotations of an engine = 85 hours (assuming a very conservative average 2000 RPM), which for a 1 hour a day commuter would be a shade over 4 months. In any case, six sigma relates to defect-free products and has nothing to do with expected failure rate.
And here we see why the penetration of "Free and Open" software, such as Open Office/Office Libre, has such corporate pushback.
No-one wants to be standing on the CEO's carpet saying "well, what do you expect, It's *free*".
I keep telling people that this is not an excuse and not an explanation, but I keep hearing it from people who don't understand the negative payload of that viewpoint in the long run.
Either it's a free alternative, or it's just free. That should be clear when the service is offered. Don't act surprised when people don't want to use "Just Free" instead of the Big Boy alternatives, even if they cost money up front.
The issue isn't that the accounts were thrown open to anyone who cared to ask to come in for a read (well, it is but that apparently is beyond the "talents" of the people working at this mickey mouse operation), it's that the owners of those now compromised accounts were kept out of the information loop once the problem was discovered.
Clearly, then, it matters from *someone's* point of view that this not get about, and the only reason for that - given that the EULA undoubtedly offers no suggestion that security will be a given - must be that Dropbox do *NOT* want their customers flying the coop.
Any miscreants could have got hold of a list of my son's choir practice dates and a complete database of all my passwords.
Fortunately, one of these was encrypted.
The lack of client-side encryption is precisely why I don't trust Dropbox with anything sensitive. I also have a full backup of most of my family's data (>1.5TB) on Crashplan's servers. Crashplan (which, BTW, I strongly recommend) implements client-side encryption with the option of a user generated key.
One of these companies got my money, the other didn't. Guess which was which?
I use Dropbox but would never entertain dropping anything of any importance or sensitivity in there. That just seemed like asking for trouble. I'm just waiting for the BBC report about some civil servant who's been sharing confidential Excel spreadsheets with colleagues via Dropbox. It'll be the new "USB-stick-lost-on-a-train" story template.
However given this latest performance I'm ditching it. Who knows what other little "flaw" is awaiting users such as whole machine pwning through some undocumented backdoor they've been asked to secretly add by the security services.
That's me grabbing my tin foil hat and jacket.
I had just signed up and started using Dropbox. I didn't know anything about this. Now I'm worried about whether I should continue using it or not.
For a company that's handling millions of people's files, how could they allow such a huge security problem to slip through?
For those saying "encrypt your files before uploading to dropbox" - that's easy to say but slightly impractical and difficult to actually do.
a few weeks ago when I discovered that they had changed "can't access user data" to "not permitted to access user data".
I went to Wuala, which uses client-side encryption. Not quite as classy on the client software user interface but it works, is cheaper and I'm much more comfortable about its security.
I really like Dropbox for various reasons (great Mac/Linux support, seamless mirroring of files, multiple backups of important stuff, etc.), but have always used a Truecrypt container for anything sensitive - just as well, it would seem.
Think it's time I looked seriously at an EncFS folder in my Dropbox - I'd rather not go to a competing service, though I'll be considering it seriously if this carries on (Wuala looks interesting).
You just have to accept that ANY data you store off site on a 3rd party service may be exposed to the entire web.
Once you have accepted that then decide what data you feel comfortable with that the world and his wife plus dog & goldfish can possibly have access to.
The thing is, for some people you need data storing off site and it has to be secure. As a photographer, I have a massive archive of photographs that includes the very first photographs I ever took, the negatives long since lost. I need this to be safe and at no risk of loss. My sister is also a photographer and needs a very safe off-site backup. We decided the best way is to run identical servers, and at the end of each day my data is backed up on her servers and her data is backed up on my servers via VPN tunnelling. Both of our servers have plenty of levels of redundancy...
If you want secure data, don't trust anyone but yourself with that security...
I use Dropbox, it's a very convenient way to share data between my mobile phone and my PC, but I wouldn't use it for anything that I consider to be confidential.
I would also imagine out of the 1% or 250,000 users that it's only a very small % of those that actually have data that needs to be uber secure, and when you consider how many of those actually had data accessed then you're probably looking at a handful... and shame on them for using a web-based service for sensitive data and not encrypting it first... and that goes for the rest of the people complaining about data exposure...