×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Dropbox Can't See Your Dat– Er, Never Mind

timothy posted about 3 years ago | from the get-marketing-legal-and-the-engineers-in-here dept.

Cloud 333

bizwriter writes "Dropbox, the online backup and file sharing service claims to have hit 25 million users in a single year. But a change in terms, noting that Dropbox will give up data to law enforcement under a legal request, showed that the company's security claims couldn't be possible. It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files, but in another says that they're only 'prohibited' from doing so."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

333 comments

the love of cloud (5, Insightful)

alphatel (1450715) | about 3 years ago | (#35878932)

Everyday I get a corporate client asking me why they can't just do all their work on the cloud. Here's the perfect reason why.

Re:the love of cloud (2, Insightful)

danbuter (2019760) | about 3 years ago | (#35879022)

I agree. The only people really pushing the cloud are the companies who want to supply the servers.

Re:the love of cloud (1)

MichaelSmith (789609) | about 3 years ago | (#35879102)

But if I put my data in the cloud I can encrypt it to the point where it is next to impossible for anybody else to read it. If dropbox encrypt the data on write and decrypt on read then it is of course trivial for them to decrypt it on demand.

Re:the love of cloud (1)

LordAndrewSama (1216602) | about 3 years ago | (#35879256)

I'm curious though, how does the law view their access. I mean, they don't keep copies on their servers, so if I use dropbox to transfer dodgy_file.jpeg to another machine, then after the fact the scary law enforcement peoples make a legal request of dropbox, does dropbox have the file on their server, or do they have to access my machines with the file on it? One of those is Dropbox behaving legally and handing over potential evidence. The other is Dropbox going onto my machine and taking it to hand it over, which could be argued as stealing and invalidate the evidence. It all depends though, does dropbox keep a copy of every file?

Re:the love of cloud (1)

egamma (572162) | about 3 years ago | (#35879384)

It all depends though, does dropbox keep a copy of every file?

Dropbox is a cloud storage service, that syncs a folder between your computer(s) and a cloud location. So yes, they do have a copy of every file.

You could have answered your own question in about a minute.

Re:the love of cloud (1)

digitig (1056110) | about 3 years ago | (#35879388)

Dropbox has to keep a copy somewhere. The file remains available even when the originating machine is turned off.

Re:the love of cloud (1)

spectrum- (158197) | about 3 years ago | (#35879504)

What is also interesting is a file may alter as it is amended. So really they're keeping all states of all files for an indefinite period. Wow thats a lot of version storage. I presume it's incremental file states to save space but still, that's a lot of overhead for the service. And presumably all cloud storage providers like dropbox, amazon, sugarsync, microsoft etc are all doing much the same. Just dropbox's name is synonymous with personal cloud storage so it's more newsworthy.

Re:the love of cloud (2)

pmontra (738736) | about 3 years ago | (#35879498)

They do. They even have undelete.

They'll probably use a symmetric key cryptography because I don't remember having setup an asymmetric key pair when I subscribed their service.

I'm not using Dropbox to sync my computers, I'm using it for backups and I encrypt all the data before I move it into the Dropbox folder. I don't even live into their country. So long for their access to my stuff.

Re:the love of cloud (2)

Jawnn (445279) | about 3 years ago | (#35879438)

I agree. The only people really pushing the cloud are the companies who want to supply the servers.

On the contrary, I push it all the time because it's a great tool... when it's the right tool for the job. If that job involves manipulating and/or storing sensitive data, it's somewhat less so in many cases.

Re:the love of cloud (-1)

Anonymous Coward | about 3 years ago | (#35879032)

So that law enforcement can't access his data? What is his "business" area to be exact?

Re:the love of cloud (0)

Anonymous Coward | about 3 years ago | (#35879060)

If it is possible to access the data, what is preventing others from doing the same ? If someone has access to the data, and if that person is corruptible, then you can't trust the system.

Re:the love of cloud (4, Insightful)

gkuz (706134) | about 3 years ago | (#35879086)

So that law enforcement can't access his data? What is his "business" area to be exact?

I love the irony of this comment being posted by an AC. Tell you what, post using your real name, address and phone number, and I'll tell you a dozen reasons why privacy, even from law enforcement, can be a legitimate business need.

Re:the love of cloud (0)

Anonymous Coward | about 3 years ago | (#35879226)

(different AC)

You know, there's a lot of us who have simply not cared enough to establish accounts on here, since we can post comments anyway.

It's not always due to privacy concerns.

Re:the love of cloud (1)

Nikker (749551) | about 3 years ago | (#35879336)

So where is the name and contact info?

Re:the love of cloud (0)

Anonymous Coward | about 3 years ago | (#35879556)

(yet another AC)

Not like the two are mutually exclusive. Just because the reason someone hasn't created an account is they are too lazy to create an account since they can post comments anyway, doesn't mean they are otherwise willing to share their name and address.

Re:the love of cloud (1)

alphatel (1450715) | about 3 years ago | (#35879124)

Let's see, multiple clients from Real Estate, Banking, Brokerage, Legal, Publishing and Internet. I can't imagine ANY of them, or ANY one else, would want such easy access to their data. Most especially since it is employees who are likely to save stupid things in the wrong places. One fubar and your business is buh-bye.

Oh and not to mention, one of the clients is a big Cloud vendor. Guess where their real data is? Not on the cloud that's for sure. Fun little projects and laughable gifs, yes. But anything of importance is inside a very secure internal network of hundreds of servers and it's not moving from there anytime this century.

Re:the love of cloud (1)

TheRaven64 (641858) | about 3 years ago | (#35879314)

Law enforcement can't access the data. Law enforcement can ask the hosting provider to access the data on their behalf (and, in most jurisdictions, compel them to do so). The hosting provider is not an amorphous entity, it is a collection of people. Some of them have access to the data. For a large company, this can be hundreds or thousands of people.

Do you trust all of them not to access your data because they're bored? What about if one of your competitors offers them $1,000? $10,000? $100,000? What about if someone threatens their families (not necessarily specifically to get at you, just so that some organised crime syndicate gets a few TB of data in the hope that some of it can be turned into money)?

Re:the love of cloud (0)

Skarecrow77 (1714214) | about 3 years ago | (#35879180)

This being slashdot, which loves itself some cloud, I'm amazed you haven't been modded down to -1 hatehatehatedielalalaimnotlistening yet.

When did we suddenly start trusting other people with our important shit?

It's probably because most people, including a lot of the IT industry apparently, still think computers are magic.

Re:the love of cloud (1)

afex (693734) | about 3 years ago | (#35879356)

erm...slashdot is heavily anti-cloud. maybe you are thinking of lifehacker?

that said, i use dropbox the same way i used to use my .edu webspace when i was in college - put shit in there, but assume that anyone who wants to will see it. I do have a truecrypt volume on my dropbox space with some stuff in it though - i wonder what sort of implications that has?

Re:the love of cloud (1)

Golddess (1361003) | about 3 years ago | (#35879586)

As I understand it, a plain old Truecrypt encrypted container cannot be determined to be a Truecrypt encrypted container. So unless they have some other way to prove that is what it is, it should have no implications.

A Truecrypt encrypted system partition however...

Re:the love of cloud (3, Interesting)

DrXym (126579) | about 3 years ago | (#35879322)

Everyday I get a corporate client asking me why they can't just do all their work on the cloud. Here's the perfect reason why.

Well it's not a perfect reason. Many companies traditionally send their backup tapes or their shred bins or boxes of old files to an operator like Iron Mountain to store / destroy them. I expect Iron Mountain would comply with a court order just as readily as a cloud operator. I suppose with cloud operators the jurisdictions are more likely to differ which could be considered an advantage or not depending on why the court order is being served.

It's certainly an important consideration though. I think in either case if you're paranoid about your data you encrypt it first.

Re:the love of cloud (1)

blowdart (31458) | about 3 years ago | (#35879554)

My employer uses Iron Mountain and their onsite shredding servers. What happens is a truck comes out with what looks like a huge vacuum cleaner pipe and hooks it up to the bins. The paper gets sucked up and is shredded at that point on premises (each bin takes about 10 minutes to process) before making it into the general container in the truck, and then is taken back and shredded some more. So, for paper, the authorities would need to get the materials before it's collected.

Re:the love of cloud (1)

quintus_horatius (1119995) | about 3 years ago | (#35879560)

You're forgetting that any sysadmin worth his/her salt encrypts any backup going off-site (and hopefully any backup staying onsite too). Someone else may have possession of the physical media but accessing it won't simply be a matter of finding matching hardware to read the backup.

Re:the love of cloud (1)

DUdsen (545226) | about 3 years ago | (#35879442)

In some parts of Europe we are beginning to see data protection agencies(yes normally an oxymoron) banning the use of clouds, where parts of the infrastructure is outside of their jurisdiction, for anyone licensed to store sensitive information. because they assume that the authorities of that place will always have access to back doors in the platform. Something that have caused the usual cloudvangalists to accuse them of being anti progress and all the lot.

This is causing some ruckus as school districts want to use google docs and hospitals want to move their IT into the cloud where the unicorns roam and IT is free and easy.

It is not impossible (1)

zero.kalvin (1231372) | about 3 years ago | (#35878938)

it just depends on the encryption and all. And wether there is a backdoor or not. They are lying, the question is to whom ?

Re:It is not impossible (3, Insightful)

gkuz (706134) | about 3 years ago | (#35878994)

Of course it can be impossible. Encrypt the data yourself, using a well-known, open-source, trusted and verified program, and keep the keys yourself. Dropbox can't decrypt anything then. Why anyone would trust them in the first place, especially a smart guy like Miguel, is beyond me.

Re:It is not impossible (2, Informative)

gpuk (712102) | about 3 years ago | (#35879222)

I think the problem is that if you use a Truecrypt container and back that up to Dropbox, the Dropbox client is not always able to tell if any data has changed as changing the contents of the container does not always change the containers binary size on the disk. This means you can't do an incremental backup and instead have to force a full backup every time you alter what is inside the container, which isn't funny if your container is larger than a few hundred MBs.

Re:It is not impossible (1)

moronoxyd (1000371) | about 3 years ago | (#35879286)

You do not know how Dropbox works, right?

Dropbox doesn't just look for the size of a file or the access time.

Re:It is not impossible (3, Informative)

LoudNoiseElitist (1016584) | about 3 years ago | (#35879428)

That's the point. It looks for changes in the file. With encryption, the file usually *completely* changes, thus giving Dropbox no choice but to upload/download the whole thing.

Re:It is not impossible (5, Informative)

Anonymous Coward | about 3 years ago | (#35879570)

With encryption, the file usually *completely* changes, thus giving Dropbox no choice but to upload/download the whole thing.

I've never used truecrypt, but from what I know, I suspect the chances of the entire encrypted volume changing when you make any change is close to zero. It would kill performance to have to rewrite the entire volume every time. It has to only update portions. So then the possible solution to this would be to treat it like bittorrent does, where it breaks it into chunks and checksums each chunk. When only a small portion of the file changes, it then know which chunks to reupload. Whether or not dropbox can or does operate this way, I have no idea, but in general, it is feasible to implement into a service.

Re:It is not impossible (1)

Anonymous Coward | about 3 years ago | (#35879294)

You could always send incremental backups in new truecrypt containers. Yes this creates a lot of work if you have to put all the piece back together, but it is an option.

Re:It is not impossible (1)

gpuk (712102) | about 3 years ago | (#35879380)

Looks like things have moved on since I last tried Dropbox with Truecrypt:

http://forums.dropbox.com/topic.php?id=14332 [dropbox.com]

It does appear to be possible providing you tell Truecrypt not to preserve file modification timestamps

Re:It is not impossible (4, Informative)

TheRaven64 (641858) | about 3 years ago | (#35879404)

This is the point of tarsnap [tarsnap.com] . Open source client, you can verify it and the encryption that it uses. It encrypts everything before uploading and can't be decrypted on the server without access to a key that's only stored in the client.

Re:It is not impossible (0)

Anonymous Coward | about 3 years ago | (#35879452)

You could split your files between containers. If you wanted to, you could even put each file in its own container. It depends on how much information you don't want Dropbox to have. They'll have the names and sizes of your containers, and the dates they were uploaded. If that's important to you, you'd pretty much have to upload something massive and completely new at the byte level every couple of days, even if there were no substantial changes in the underlying files, just to mask your actual upload requirements and underlying amounts of change in the information.

If it's really that important to have uncrackable encryption, cloud storage, AND low per-month bandwidth requirements, you'd be better off storing encrypted backups locally and only dumping a copy to the cloud once a week or so. If you're paranoid about losing access to your cloud data, of course, you'll use multiple cloud storage providers who don't answer to the same national governments or international agreements, and possibly use multiple methods of getting the data onto the cloud from different sources.

Question for the super-paranoid: Assume you have 1G of encrypted data to upload to the cloud. You think a shadowy government agency or backroom big business ops team has r00ted your personal PC, has fingers in all the WiFi providers in the local area, and is reading your outgoing mail via the local post office and courier services. How do you get the data out in a way you can independently confirm?

Re:It is not impossible (0)

Anonymous Coward | about 3 years ago | (#35879532)

Hmm well I don't think there is a problem with using TrueCrypt, Dropbox knows when the files have changed by some filesystem event daemon. (You could also use normal encrypted Disk images if on Mac OS X, or similar loop-back encryption if on Linux).

Besides that, for most documents, you could just use OpenOffice's encryption, which is quite strong enough for most purposes.

There are also other programs like KeePassX, etc. which normally encrypt their data.

I actually do all of the above.

Re:It is not impossible (1)

DarkOx (621550) | about 3 years ago | (#35879576)

Why would they use the size of the file to determine if its changed, there are these things called hashes or checksums which would be a reliable way to verify the blob has been modified. If they wanted to be really lazy they could just look at the mtime on the container file too. If they are using file size to detect when data has changed, then I would not consider letting any of my data near them for reasons having nothing to do with privacy.

Re:It is not impossible (2)

gfilion (80497) | about 3 years ago | (#35879632)

Well, files put in DropBox are available on their website; it's pretty obvious that they can decrypt them. The encryption part is about the SSL connection between my client and the dropbox server, me thinks.

No problem (1)

Anonymous Coward | about 3 years ago | (#35878940)

Just Encrypt it

Re:No problem (1)

Dupple (1016592) | about 3 years ago | (#35878960)

Exactly. Anything critical or sensitive should be put in an encrypted Disk Image or similar, whatever cloud service you use.

Android etc? (1)

Jeppe Salvesen (101622) | about 3 years ago | (#35879036)

How do you mount an encrypted disk image on Android? And what if it's updated through Dropbox?

Re:Android etc? (1)

Dupple (1016592) | about 3 years ago | (#35879098)

Dunno, don't have Android. If you require immediate access to those files then it's probably better to carry a memory stick. I carry both. For storage encryption is fine. Modify the image and upload again. Depends what you're using the service for and how you need to access the files. What I do works for me, though it is a bit of a compromise

Re:Android etc? (1)

shawn(at)fsu (447153) | about 3 years ago | (#35879302)

I think if you are that concerned with security you shouldn't be relying on android and drop box for your security concerns.The more COTS products (free or otherwise) that you use the more you are held hostage to their business practices. If the data is that important to you then you shouldn't be placing it all over creating because you want easy access while relaying on someone else to keep it safe.

Security is your primary concern, for a free service like drop box you'r lucky if it's even a secondary concern.

Just as easy, an encrypted sd card and a netbook.

Re:No problem (1, Interesting)

flappinbooger (574405) | about 3 years ago | (#35879026)

Just Encrypt it

The parent comment is underrated. Dropbox is a very good service, and I don't see why this new revelation of theirs couldn't be properly handled by just encrypting everything you put on it - yourself.

So if you become a person of interest, and the powers that be make DB cough up your filez, they still won't see anything because YOU encrypted it too.

Anyone have any suggestions on a quick and painless encryption product or approach to apply to your dropbox folders? I use DB extensively, have a lot of extra free space, and I don't fancy a 5 GB truecrypt file. I imagine a bunch of small truecrypt files would be a pain as well.

Re:No problem (1)

gpuk (712102) | about 3 years ago | (#35879246)

Dump Dropbox and use something like rsync.net + duplicity. You lose the ability to remotely browse backed up files via a web interface but that's the price you pay if you don't want your backup provider to be able to browse your files.

Re:No problem (1)

geminidomino (614729) | about 3 years ago | (#35879486)

rsync.net has no free option, Dropbox does.
duplicity doesn't, apparently, work for Windows[0].

AND you're still doing the encryption on your side. Which is a "fix" to the same issue with Dropbox. So...uh... what, exactly, would be the use?

[0] Based on the duplicity web page: requires POSIX OS. Windows resembles a POSIX OS in much the way that an anole resembles the USS Nimitz

Re:No problem (1)

gpuk (712102) | about 3 years ago | (#35879578)

Incremental backups that work 100% of the time for a start. Also, duplicati is a windows port of duplicity (or you can use the free windows client from rsync.net).

Admittedly, there is no free option with rsync.net but you can't do much with 2GB...

Who "owns" the data? (2)

sohmc (595388) | about 3 years ago | (#35878946)

This is a common question, which I'm sure has come up in legal battles. When you upload data to someone else's server, does the data belong to you or does it belong to the person/company that actually owns the hardware? I'm sure for law enforcement folks, they want it both ways.

Consider if the data service in question is raided because an employee had child pornography. They raid the company because he employee used hardware to hid his stash. Now everyone's data is available for search.

IANAL but it seems like if you insist on using these services, you have to give up certain rights. Or you can just encrypt all of your data before uploading. But then, if the hardware is ceased, you no longer have a backup.

Re:Who "owns" the data? (3, Interesting)

Spad (470073) | about 3 years ago | (#35878970)

When you put you belongings in a safety deposit box, do they belong to you or to the person/company that actually owns the safety deposit box?

Re:Who "owns" the data? (2)

gcnaddict (841664) | about 3 years ago | (#35879008)

When you send a physical note through a fax machine and tell the person on the other end of the line to hold onto it, does it belong to you or to the person/company that actually owns the safety deposit box?

It could be argued that while the concept you submitted to the person/company is yours, it's using that entity's toner, paper, etc. and that if he's asked for that specific sheet of paper, it's up to him what he does with it.

Re:Who "owns" the data? (1)

Spad (470073) | about 3 years ago | (#35879042)

it's using that entity's toner, paper, etc

As opposed to using their box/vault/building/security systems/staff/etc?

Ultimately, of course, it depends on the terms you agreed to when you arranged to use the service (subject to irrevocable rights and so forth).

Re:Who "owns" the data? (0)

Anonymous Coward | about 3 years ago | (#35879292)

Is the person at the other fax machine a representative of a company who says that they will store faxes for you? Continuing the analogy does the company state that employees can't (not won't, can't) access the faxes they receive only view the header?

Dropbox specifically says:
"Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)"

Where in reality it seems that they mean that Dropbox support personnel do not have access but someone up the chain does have access if they really need to. Since the files are encrypted with AES I suppose it depends on how the AES key is generated and stored.

Re:Who "owns" the data? (1)

SniperJoe (1984152) | about 3 years ago | (#35879018)

When you use a safety deposit box, you get a key and the bank gets a key. Both keys are required to open the box (barring a warrant and locksmith). Besides, you can't really easily make a duplicate (that's yours) of the physical items in a safety deposit box such as money or a diamond ring.

Re:Who "owns" the data? (0)

Anonymous Coward | about 3 years ago | (#35879156)

I've never understood this idea that seems to float around here a lot that if an item is easily duplicated it somehow changes the rights of ownership. I see you've hinted at this concept too and I'd really like to see why you think it comes in to play here and what it really means. AFAIC, ownership is ownership regardless of the value, worth or ability to replace/reproduce the item in question.

Re:Who "owns" the data? (2)

afex (693734) | about 3 years ago | (#35879386)

the idea stems from the 'you wouldn't steal a car' argument against piracy.

essentially - most of us wouldn't steal a nice beamer that's out on the street. However, if you had a machine that could make an exact copy of said beamer, while leaving the original PERFECTLY intact, would you do that? of course!.

as for who owns the copy, i have no idea - but that dude that made the beamer duplication machine better get some sort of kickback, that guy kicks ass!

Safe deposit box? (1)

Primitive Pete (1703346) | about 3 years ago | (#35879202)

...but it's not a safe deposit box. It may actually be more like a storage unit or a bus station rental locker. In both cases, the owner of the container and the police can search at will, and you have no expectations of privacy from them. The only reasonable expectation is that the the owners of other lockers won't get your old sweat sox.

Re:Who "owns" the data? (1)

ciderbrew (1860166) | about 3 years ago | (#35879248)

I think items would always belong to you. If the bank goes tits up you'll need to apply to get you stuff back from the receivers. If the police want to open the box to have a look, they will. Under the Patriot Act in the US I don't think they give a toss any more. I'm not too sure about uk law. I'd expect the police to get the VAT man in. He'd seize what he wants, then break out the angle grinder and have at it. If you didn't pay the VAT on the child porn you're fucked. I'm sure the child porn charge will seem secondary to tax evasion charge. /rant (sorry)

Hmmm... (1, Insightful)

boarder8925 (714555) | about 3 years ago | (#35878968)

From Dropbox's new terms of service:

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropboxâ(TM)s encryption from the files before providing them to law enforcement.

How does Dropbox define "valid legal process"? Do they mean something like, I don't know, receiving an actual search warrant? Or do they mean rolling over when the police say, "Hey, um, we'd just like to look at all these users' files. We have no warrant or real reason to do so, but we think someone might potentially be doing something illegal and we promise we're only working to 'protect' people and all that jazz."

Re:Hmmm... (1)

Anonymous Coward | about 3 years ago | (#35879146)

"Dropbox's encryption". Hmmm.
Don't be surprised if, soon, they change their terms of service to prohibit you from uploading pre-encrypted files!
I'm not paranoid. I'm just no longer naive.

Re:Hmmm... (1)

MichaelSmith (789609) | about 3 years ago | (#35879394)

Don't be surprised if, soon, they change their terms of service to prohibit you from uploading pre-encrypted files!

I won't encrypt my files. I will just compress them using my own algorithm. Hilarity ensues.

Re:Hmmm... (1)

Voyager529 (1363959) | about 3 years ago | (#35879304)

Well, my guess is that it'd be a bit of both. Dropbox is a business, albeit one that gives away the first tier of their service. My expectation is that if a cop showed up and said 'pretty please' regarding a user on their free plan, they'd most likely oblige. There's nothing in it for them if they argue the cop on the customer's behalf, but I'm certain the officer, if determined, could make Dropbox's life miserable, spin it to the press, tip off the BSA to cause a software audit, etc. etc.

By contrast, if the officer was inquiring about a corporate customer that has several Pro100 accounts for their users, THEN dropbox is in a position where they could potentially lose a valuable account to a competitor. At that point, they'd be more likely to ask for a subpoena.

If you (and I mean the general, collective 'you', not necessarily the parent poster) are that worried about stuff being seized by law enforcement, either host your own storage server (while frowned upon, most residential ISPs won't block FTP, or only block it on port 21), only upload encrypted RARs, or use an offshore provider that the cops can't touch.

Re:Hmmm... (1)

abulafia (7826) | about 3 years ago | (#35879334)

How does Dropbox define "valid legal process"?

Well, you'd have to ask Dropbox about their definitions. And I am not a lawyer. But in terms of various things to answer your questions, you might want to read up on National Security Letters [wikipedia.org] , which allow demands for metadata pretty much on nothing more than the FBI thinking they want to see it. (Yeah, I know that's not what the law says, but read up on how NSLs have actually been used.) Of course, metadata in this context doesn't require decrypting the documents - it likely is going to refer to file names, IP addresses and times of connection, etc.. Also of note is the Stored Communications Act [wikipedia.org] . The rules are complex and are being contested in various ways, but among other things documents held in storage for over six months can be grabbed simply on a court order, no warrant or subpoena required. It isn't clear to me if "held in storage" would mean unmodified since uploaded - the rules were written primarily to cover email, which it typically not modified after reciept, other than changes to metadata.

Wuala (1)

moonbender (547943) | about 3 years ago | (#35879088)

Wuala [wuala.com] uses end-to-end encryption, ie. the data is encrypted and decrypted on the client. The employees can't access your data since they don't have the encryption key. This means you lose your data if you lose the key. It also means you can't access all your data in a convenient web interface -- though you can mark individual folders as being shared on the web (which obviously means trusting the server operators with the encryption key for that folder). I think it's a much more trustworthy model than Dropbox, and the Linux integration works well for me. Too bad it's not open source; IMO they should at least open-source the client component, for security and trust reasons if nothing else.

Re:Wuala (1)

quintus_horatius (1119995) | about 3 years ago | (#35879610)

You *hope* that the data is encrypted. How do you know that it isn't simply tunneled over SSH but stored unencrypted on the host servers? You don't, you're taking their word for it. You're putting an awful lot of faith in other people if you're not managing your encryption yourself.

Easy fix...Truecrypt. (2)

geekmux (1040042) | about 3 years ago | (#35879094)

....AFAIK, Dropbox has full support for Truecrypt volumes. Simple solution to this delimma? Take the encryption "problem" away from Dropbox and use your own.

This changes everything. (1)

seinman (463076) | about 3 years ago | (#35879144)

Uh oh... I keep my 4chan folder on Dropbox. Better go delete some things...

Re:This changes everything. (0)

Anonymous Coward | about 3 years ago | (#35879260)

You mean the stuff they have in backups already incase they needed to restore your account?

Re:This changes everything. (0)

Anonymous Coward | about 3 years ago | (#35879412)

You jest of course, but if you delete something from the cloud, there is no guarantee it is gone everywhere. If I delete an email from my gmail account, I have no idea if there isn't a copy being retained by Google somewhere - and likely there will be backups of the data in any case.

They Lied (3, Insightful)

jarich (733129) | about 3 years ago | (#35879148)

The old policy said our files were encrypted with mil-spec encryption, etc etc. Now they're telling us they'll turn our files over if asked.

Dropbox lied. No two ways about it. But this why you never store anything sensitive in "the cloud" anyway.

Re:They Lied (2)

Anonymous Coward | about 3 years ago | (#35879330)

To be fair, from the very start, to anyone who cared to ask, they said that:
1. The files were encrypted and stored on Amazon servers
and
2. They had the keys

Of course they said they wouldn't use the keys to decrypt your data without your permission, and of course if the government asks them to they will because they don't like federal-pound-me-in-the-ass jail.

Who is to blame (2)

antifoidulus (807088) | about 3 years ago | (#35879150)

Is this really dropbox or Amazon that is behind this policy? While people rant and rave about dropbox, in the end it's really just a fancy front end onto Amazon's S3 service. Your data is actually stored on Amazon's servers and my guess is that it's ultimately Amazon that dictates policies such as this.

The only cloudservice I trust. (0)

Anonymous Coward | about 3 years ago | (#35879154)

Is SFTP, mounted with SSHFS, where I create a Truecrypt volume which is finally mounted as an encrypted disc. Open source, well proven, reliable technology. Another benefit is that I can choose between the millions of different SFTP clients, so I can use software specialized for my needs!

Re:The only cloudservice I trust. (1)

peragrin (659227) | about 3 years ago | (#35879516)

The only downside is that it is extremely limited, can't be easily accessed by mobile phones, or tablets.

what I want is an easy to host on my own version of dropbox, mobile sync, etc. why should google, apple, or microsoft host my contacts, calendars, files, etc.

The cloud is never secure ... (5, Insightful)

Blade (1720) | about 3 years ago | (#35879168)

Maybe it comes from working in IT, but I always assume that if someone else is holding my data, they can access it. It doesn't interest me what they say - that's my basic starting assumption. So I always assumed that Dropbox could get to my data, and if I cared about the privacy of that data I just encrypted the files myself first.

It's my data, I'm in control of it. Giving it up to someone else and hoping they keep it safe is silly.

I'm surprised so many people are surprised (and I wonder if the people are are surprised haven't been in IT long?)

Never trust Cloud Storage (1)

binarymaster (267279) | about 3 years ago | (#35879188)

If you have sensitive [or embarrassing] data, just do not store it on the cloud. Period. Do not trust Encryption. Do not trust what the cloud storage companies may claim. The terms may change on ce it is too late to remove your files.

YOU encrypt it first (1)

drumcat (1659893) | about 3 years ago | (#35879210)

This is simple. If you use a service like dropbox, simply house an encrypted "disk" on the site. You can put anything you want in it, but dropbox doesn't have the key. Sure, if you put a naked file up there, and they encrypt it for you, *they* have the key. If you're that worried about your files, it's probably not a good place for them.

Seriously, you didn't see this coming? (3, Insightful)

Thumper_SVX (239525) | about 3 years ago | (#35879220)

Seriously, is anyone really surprised by this? I use DropBox, and not once have I considered that my data in DropBox is completely private. Sure, I use it for transferring some documents that are potentially sensitive (a lot of documentation on a lawsuit I'm involved in for example) but where there's sensitive data I always encrypt the documents myself with TrueCrypt.

This is precisely why I think the "cloud" is a bad idea for corporations. Until there are guarantees and safeguards against data theft or loss there is no way that I would entrust my company's critical data to a third party provider. Yes, the costs of managing that data myself are higher but the risk of that data getting out of our control and management is greatly mitigated.

And what about a data breach? Loss of data due to crackers? Seriously... all it's going to take is for one of these cloud providers to become big enough that the majority of corporations using their services are completely without options when a breach occurs. The big provider can simply turn around and say "Well, crap happens but who else are you going to turn to?" and there's nothing the average corporation can do about it. There may be financial guarantees in place, but simply put the cat is already out of the bag at that point.

Re:Seriously, you didn't see this coming? (0)

Anonymous Coward | about 3 years ago | (#35879274)

Could you create encrypted folder with Truecrypt and set Dropbox to there?

If you put (1)

joh (27088) | about 3 years ago | (#35879234)

valuable/confidential data on servers you don't personally fully control, you're deserving whatever you get.

And by this I don't mean you shouldn't use things like DropBox. DropBox is great and cheap and easy to use for what it does. Just don't use it for things you don't want to get into the wrong hands or at least encrypt your data beforehand. What's so hard to understand here? And this of course is not limited to DropBox. If you have a rented server out there it may be "yours" but what do you think will the company you're renting it from do when push comes to shove?

Are we getting fewer mod points? (1, Interesting)

Nimey (114278) | about 3 years ago | (#35879282)

Seems like in the past few days I've seen fewer and fewer posts modded up or down.

Re:Are we getting fewer mod points? (1)

MichaelSmith (789609) | about 3 years ago | (#35879424)

In the last three months or so I have been getting at least five points per week. But I do think that the new software shows moderations differently so maybe you aren't as aware of moderation going on.

problem with encryption (1)

lechiffre5555 (1939278) | about 3 years ago | (#35879318)

Encrypting your files before drop-box gets hold of them is fine EXCEPT you are trusting the drop box client you installed on your machine to: 1) Not watch you encrypting those files, and sniff the password. 2) Not make other files on your computer available to law enforcement There used to be a 3) Encrypt your files in the cloud and not give anyone access. But your trust in number 3) has already shown to be wrong. Tell me why you still have faith in 1) and 2) again?

What's the purpose of Dropbox (1)

SuseLover (996311) | about 3 years ago | (#35879348)

I still don't get what the big deal is. What does dropbox do that can't be done with a simple sftp site (other than some free online storage)?

Re:What's the purpose of Dropbox (2)

dingen (958134) | about 3 years ago | (#35879490)

The big deal is Dropbox' super simple interface, which integrates into your file system so even computer-illiterate people will have no problem using it, combined with the appeal of a pyramid scheme to get more free storage for every person you lure into using it. This makes every Dropbox user an advocate of Dropbox.

Ummm... BFD? (1)

Sounder40 (243087) | about 3 years ago | (#35879484)

Dropbox, like any and every other internet entity, is subject to the laws of their land, and therefore must provide data when requested by valid court order. As for Dropbox having access to my data, again, this is not a surprise considering my first point.

Personally, the utility of Dropbox is worth the risk. However, it is incumbent on me to be careful what data I put on Dropbox, and in what format. When I put sensitive data on Dropbox, it has been encrypted. Since I am sharing files on multiple computers I really don't want this data accessible anyway.

I recommend Dropbox, Mozy, Carbonite and all the others to family and friends because it is painless file backup. I also warn them that data backed up to the cloud is accessible by people we hope are moral and altruistic. I warn them that they may not be.

So pardon me for saying big effin' deal...

Truecrypt (1)

strayant (789108) | about 3 years ago | (#35879488)

Simple solution: Use a Truecrypt volume for your private files and loose Dropbox for anything non-private. If you want something better than that, roll your own solution on your own servers. If you don't know how something works, don't trust it outright.

AGGGG you're missing the point with encryption!!!! (1)

lechiffre5555 (1939278) | about 3 years ago | (#35879530)

Most posters in comments say âoeencrypt your data before putting it in the dropbox folderâ as a solution. They blithely ignore that the drop box closed source client with unknown capabilities sits on the computer running all the time. And itâ(TM)s safe to encrypt your data on a computer running a program that already been shown to have have deliberately violated your trust? It could sniff passwords during encryption, it could make available ANY files on your computer not just the ones you want, it could do anything. The point is we donâ(TM)t know what it can/canâ(TM)t/could do, and we trust the rest of the computer it sits on? Not having a go at drop box, Iâ(TM)m still going to keep using it, but astonished by the lunacy being displayed by users of a techie site. Encrypting your data on a computer running a program that has already shown to abuse/not respect trust is just crazy!!!!

Re:AGGGG you're missing the point with encryption! (0)

Anonymous Coward | about 3 years ago | (#35879654)

Either by cockup or design, your entire (Windows PC) hard disk's contents can be compromised by dropbox because of shoddy authentication method... http://www.theregister.co.uk/2011/04/12/dropbox_security/

Time to (1)

Anonymous Coward | about 3 years ago | (#35879536)

Drop it like a Box of rocks

http://www.fullmalls.com (0)

xiaojiekyk (2050908) | about 3 years ago | (#35879594)

Click on our website: ( http://www.fullmalls.com/ [fullmalls.com] ) Website wholesale various fashion shoes, such as Nike, Jordan, prada, also includes the jeans, shirt, bags, hats and decoration. Personality manufacturing execution systems (Mes) clothing, Grab an eye bag coat + tide bag Air jordan(1-24)shoes $30 Handbags(Coach l v f e n d i d&g) $35 Tshirts (Polo ,ed hardy,lacoste) $15Jean(True Religion,ed hardy,coogi) $30Sunglasses(Oakey,coach,gucci,A r m a i n i) $15 New era cap $12 Bikini (Ed hardy,polo) $20accept paypal and free shipping ( http://www.fullmalls.com/ [fullmalls.com] )

encryption... (1)

sxpert (139117) | about 3 years ago | (#35879606)

just encrypt the file *prior* to uploading it... problem solved

Re:encryption... (1)

lechiffre5555 (1939278) | about 3 years ago | (#35879644)

no no no not solved at all terrible solution you don't know what the drop box client running on your machine can or can't do, they have already violated your trust and now you want to encrypt your files whilst the drop box client is running?

Dropbox encryption (1)

vviljo (143799) | about 3 years ago | (#35879620)

Sure the users data can be encrypted with whatever algorithm but it is obvious they have the keys too and can unencrypt at will. To access files user only needs to provide a password which can be recovered via email. Duh.

What the fuss?!? (2)

A nonymous Coward (7548) | about 3 years ago | (#35879648)

I have a dropbox account and don't remember seeing that section where they claimed they couldn't read my files. I'm certain I read it, but I never would have believed it to mean they were truly unable to read my files -- if they encrypted them before storing them, they'd have to be able to decrypt them to send them back to me, or to track changes. Did someone actually think they had an irreversible encryption process which could somehow be reversed by the magic between them and me? A one time pad which somehow evaporated while sending files back to me? It might be reasonable to think they have some sort of access controls so ordinary people there can't browser customer data, but I never would have put any ironclad faith in such policies. That's wy it was common knowledge, near as I could tell, all round the web that you needed to encrypt backups and such yourself before sending them to dropbox.

I don't understand why anyone would expect otherwise. This is a tempest in a teapot.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...