134 comments

Bogus (0)

sauls (139605) | more than 2 years ago | (#36067200)

"They also used the sites to store private files that contained internet beacons, so they'd know if anyone opened them. Over a month's span, 80 unique IP addresses accessed the so-called honey files 275 times, indicating that the weakness is already being exploited in the wild to harvest data many users believe isn't available for general consumption." Um, what's an "internet beacon"?

Re:Bogus (4, Informative)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#36067236)

At a guess, an embedded URL that's loaded automatically when someone opens the document, for example an IMG tag.
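The beacon mechanism guessed at above, seen from the file owner's side, as an added example that is not part of the original comment and not the researchers' tooling: each decoy document embeds an IMG tag with its own random token, and the beacon host's access log is then reduced to hits and unique IPs per decoy. The host name, the `/b/<token>.gif` path layout and the log lines are constructed assumptions.

```python
import re
import secrets

BEACON_HOST = "beacon.example.test"  # assumption: a host the file's owner controls


def make_honey_file(title):
    """Return (token, html) for a decoy document carrying a unique beacon URL."""
    token = secrets.token_hex(16)  # 32 hex chars, unguessable and unique per decoy
    html = (
        f"<html><body><h1>{title}</h1>"
        f'<img src="http://{BEACON_HOST}/b/{token}.gif" width="1" height="1" alt="">'
        "</body></html>"
    )
    return token, html


# Combined Log Format, restricted to requests for a beacon image.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]{32})\.gif HTTP/[\d.]+" (?P<status>\d{3}) '
)


def summarize(log_lines, tokens, own_ips=frozenset()):
    """Count opens per decoy.

    tokens maps beacon token -> decoy label. Requests from own_ips (the
    owner's test opens) and requests for unknown tokens are ignored.
    """
    report = {label: {"hits": 0, "ips": set()} for label in tokens.values()}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = tokens.get(m["token"])
        if label is None or m["ip"] in own_ips:
            continue
        report[label]["hits"] += 1
        report[label]["ips"].add(m["ip"])
    return report


def _line(ip, path, status=200):
    # Constructed log line; addresses come from the documentation ranges.
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 43 "-" "Mozilla/5.0"')


def demo():
    tok_a, _ = make_honey_file("Payroll export")
    tok_b, _ = make_honey_file("Customer list")
    tokens = {tok_a: "decoy-A", tok_b: "decoy-B"}
    log = [
        _line("198.51.100.7", f"/b/{tok_a}.gif"),
        _line("198.51.100.7", f"/b/{tok_a}.gif"),      # same visitor, second open
        _line("203.0.113.20", f"/b/{tok_a}.gif"),
        _line("203.0.113.99", f"/b/{tok_b}.gif"),
        _line("192.0.2.10", f"/b/{tok_b}.gif"),        # owner's own test open
        _line("203.0.113.5", "/b/" + "0" * 32 + ".gif", 404),  # unknown token
        _line("203.0.113.5", "/index.html"),           # unrelated request
    ]
    return summarize(log, tokens, own_ips={"192.0.2.10"})


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row["hits"], "hits from", len(row["ips"]), "unique IPs")
```

A viewer that does not fetch remote images never triggers the beacon, so the counts are a lower bound on how often a decoy was opened.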

Obama is strong on defense (-1)

Anonymous Coward | more than 2 years ago | (#36067766)

enough said...

http://thumbs.dreamstime.com/thumblarge_509/1275595073EFOj9i.jpg

Re:Bogus (0)

Runaway1956 (1322357) | more than 2 years ago | (#36067418)

It's rather similar to a trojan. It communicates with the outside world without your explicit approval. I think they are using the term 'beacon' to imply that the communication is one-way, and they hope to imply that no personal data is transmitted, etc ad nauseam.

Encrypt Everything Private (4, Insightful)

Deathlizard (115856) | more than 2 years ago | (#36067230)

Just another reason why you should be using file encryption such as Truecrypt to encrypt everything personal.

Even if it's on your own hard drive. You're only one rootkit away from giving it away to the world.

Re:Encrypt Everything Private (4, Insightful)

x*yy*x (2058140) | more than 2 years ago | (#36067318)

Crypting your data won't save it from rootkit...

Re:Encrypt Everything Private (1)

Gerzel (240421) | more than 2 years ago | (#36068074)

Unless the rootkit records the decryption keys, or changed the algorithm, yes it will.

Rootkit isn't some magical hack everything solution. It is low level access to a machine, bad enough, but not unstoppable.

Re:Encrypt Everything Private (1)

mattventura (1408229) | more than 2 years ago | (#36068496)

But in order to actually use encrypted data, it has to be decrypted at some point, so the rootkit just needs to wait for you to decrypt it. In the case of say, full disk encryption, this is rather easy.

Re:Encrypt Everything Private (4, Informative)

TheEyes (1686556) | more than 2 years ago | (#36069310)

But in order to actually use encrypted data, it has to be decrypted at some point, so the rootkit just needs to wait for you to decrypt it. In the case of say, full disk encryption, this is rather easy.

The idea is that you encrypt the file you send to the filesharing site, that way when the filesharing site is hacked all the attackers get is an encrypted file. In fact this is a "perfect" use for data encryption: the file is never decrypted on the remote machine, only on your local one, so stealing the data off the remote site can never give an attacker access to anything but cyphertext.

Re:Encrypt Everything Private (0)

gl4ss (559668) | more than 2 years ago | (#36069420)

that's just like using the filehosting site as email, or whatever.

if it would be just used as the block device for the encrypted filesystem, then it would be sort of good.
just taint your data with something illegal, hmm? everyone who copies it is fucked.

but the point of this article is that these hosting sites take shortcuts AND provide a shitty hosted server service, I mean, can't you rent your own virtual server for 10 bucks a month with access to files via ssh so wtf? it's considered a serious breach if your encrypted files even end up in wrong hands.

Re:Encrypt Everything Private (0)

Anonymous Coward | more than 2 years ago | (#36068964)

Rootkit isn't some magical hack everything solution.

Yes it is.

Re:Encrypt Everything Private (2)

Gaygirlie (1657131) | more than 2 years ago | (#36069714)

Unless the rootkit records the decryption keys, or changed the algorithm, yes it will.

Rootkit isn't some magical hack everything solution. It is low level access to a machine, bad enough, but not unstoppable.

I don't think you understand what a rootkit actually is. I mean, if your hdd is encrypted then sure, you're pretty safe if someone steals the drive, but the data must still be unencrypted on-the-fly when it's accessed. And gee, that's where the rootkit comes into play. It has access to everything you're doing on your PC so obviously it has access to the unencrypted data, too.

Re:Encrypt Everything Private (0)

Anonymous Coward | more than 2 years ago | (#36067358)

or at least some encryption that doesn't have an unreadable license.

Re:Encrypt Everything Private (1)

Anonymous Coward | more than 2 years ago | (#36067444)

Umm.. yes but what if the rootkit comes into action *after* you have applied the TrueCrypt key?

That makes it pretty worthless...

Re:Encrypt Everything Private (1)

jimmyhat3939 (931746) | more than 2 years ago | (#36069032)

Exactly. People seem to forget that in order for data to become useful, the user has to decrypt it at some point. That involves providing the key, and that's when a clever rootkit will spring into action.

You Have to Encrypt It Yourself (3, Insightful)

billstewart (78916) | more than 2 years ago | (#36068236)

The recent complaints about Dropbox and similar file storage sites violating users' privacy in return to lawsuits is because the site is doing the encryption, not the user.

  • The user uploads unencrypted data to the site across an encrypted SSL tunnel. W00t! We're R333713 S3kr1t Heer!
  • The site unpacks the tunnel and stores the data, possibly encrypted using a key they know, or possibly just with passwords to keep unauthorized users out.
  • The receiving user gives the site a password, and the site gives the user the again-unencrypted data over another R3333713 S3kr1t encrypted SSL tunnel.
  • The FBI hands the Storage site a subpoena or warrant or National Security Letter or a note from their mom, and the site hands over the stored data and any keys they have, along with the transaction records from the upload.

If you want to protect your data, you can never hand the storage site unencrypted data, and this includes handing them encrypted data along with the keys. Ideally, depending on the kind of security you're looking for, you'd like their storage system not to store files in ways that are easily traced back to you (for instance, the file gets stored with a filename that's a random string, and the storage site forgets who it belongs to after storing the file, so that anybody who steals the disk drive only knows that there are files named "bunch of random digits", and has no way to know which ones belong to which users). Anybody who wants to recover the file needs to know the filename (so the service can retrieve it) and the decryption key (which the service doesn't know.)

Re:Encrypt Everything Private (2, Funny)

symbolset (646467) | more than 2 years ago | (#36068612)

For really private stuff you should upload it to a private photo album on Facebook.

Re:Encrypt Everything Private (1)

joeflies (529536) | more than 2 years ago | (#36069376)

Doesn't TrueCrypt only do disk encryption? When you're in the booted state and copy to the file share, it's in plaintext.

Re:Encrypt Everything Private (1)

MaskedSlacker (911878) | more than 2 years ago | (#36069482)

False. Truecrypt also (primarily?) does file container encryption. It's like an encrypted disk image. Granted, if the pc is nabbed while it's mounted your point is still valid, but I never leave my truecrypt container file (which primarily contains tax/financial data) mounted unless I am using it at that moment. I've never even used it for full disk encryption (which I leave to dmcrypt+luks).

So what you're telling me is... (1, Insightful)

Lose (1901896) | more than 2 years ago | (#36067232)

That link I posted to a rar full of my favorite pr0n pics on /b/ is easy pickings to thousands of other online users? No wai!

I mean, I had no idea most people who used quick upload services like imgur, rapidshare, and mediafire uploaded most of their files with any implied expectancy of privacy. But boy was I wrong!

Re:So what you're telling me is... (3, Interesting)

sco08y (615665) | more than 2 years ago | (#36067392)

That link I posted to a rar full of my favorite pr0n pics on /b/ is easy pickings to thousands of other online users? No wai!

I mean, I had no idea most people who used quick upload services like imgur, rapidshare, and mediafire uploaded most of their files with any implied expectancy of privacy. But boy was I wrong!

That was my initial reaction, but on second thought I think it is fairly newsworthy.

The Register's audience is regular users, who do stuff like put sensitive documents on a file sharing site. It's worth a few paragraphs to remind people not to do idiotic things.

It's also worth noting that these sites either a. have index pages turned on and don't know it, which would be so incompetent as to make me wonder how they keep a file server running or b. are allowing these pages to be crawled and telling their users that they aren't, which is unethical as hell and possibly illegal.

Re:So what you're telling me is... (1)

Lose (1901896) | more than 2 years ago | (#36067434)

Well I considered that at first, but the reason I consider it a moot point is simply because the average user (a) never makes an account on these sites, usually just uploading it for an undescribed group of people to view and access, and (b) by virtue of the first point, shouldn't expect any reasonable privacy from the service.

Hell, flags should be raised to an average user when you consider how many of them probably also use these rapidshare/megaupload/mediafire/et al. search engines to dig up content from the muck and the mud at the same time. The warnings are there, and really it just comes down to common sense after that. I still see this as a non-story.

Re:So what you're telling me is... (0)

sco08y (615665) | more than 2 years ago | (#36068218)

I've set the bar pretty low... I mean, it's a British rag that's not talking about their fucking wedding.

Re:So what you're telling me is... (0)

AliasMarlowe (1042386) | more than 2 years ago | (#36069224)

...not talking about their fucking wedding.

Someone had an orgy at their wedding? Cool.
But there's no need to talk about it: word will get around (and the pictures are probably on megaupload or similar).

Re:So what you're telling me is... (3, Insightful)

billstewart (78916) | more than 2 years ago | (#36068278)

There are lots of services like Dropbox and Evernote and Pick-your-favorite-Online-Backup-Service that are focused on people storing their own data or on data they're only going to share with a small number of people (e.g. web upload/download instead of FTP, for people behind firewalls or with random DHCP addresses), and many of them give their users the idea that they're getting privacy. It's different from the Youtube-without-censorship file upload site market.

Re:So what you're telling me is... (2)

Nursie (632944) | more than 2 years ago | (#36068346)

"The Register's audience is regular users"

El Reg?

Hardly.

Gamers and tech heads, through IT folk, security researchers and software engineers. It's got articles for everyone. It's often more hardcore than slashdot these days, which says more about the decline of slashdot than anything else...

Re:So what you're telling me is... (1)

smash (1351) | more than 2 years ago | (#36068862)

It always has been more hardcore than slashdot, at least since 1997 or so when I joined.

Encryption (5, Informative)

igreaterthanu (1942456) | more than 2 years ago | (#36067234)

Why would you upload private data to some file hosting site? These (e.g. RapidShare) aren't the kind of services where you can modify files after uploading (such as Dropbox), so encryption is not much of a hassle. You have no reason not to encrypt the files before uploading them.

Re:Encryption (4, Insightful)

hairyfeet (841228) | more than 2 years ago | (#36067710)

Because you get some dumbass that can't be arsed to bring a flash stick to work and/or they aren't allowed to use a flash stick, so they just upload it to Rapidshit? Hell nobody reads anything or actually thinks anymore, even to this day you can look on any P2P site for the formats that taxes and other personal data are kept in (such as QuickBooks files) and literally find thousands upon thousands of morons sharing their entire C: drive because they don't bother to think.

To me that is the sad and/or scary part: Your security is only as strong as the biggest moron in the group and when it comes to computers the level of stupid out there is frankly mind boggling.

Re:Encryption (4, Insightful)

currently_awake (1248758) | more than 2 years ago | (#36067958)

Considering the cost of hard drives there is no good reason to keep anything in the cloud except for stuff you want to share (free hosting file server).

Re:Encryption (1)

adolf (21054) | more than 2 years ago | (#36068466)

Considering that the summed total of everything digital that I've ever actually created fits nicely on my free Dropbox account there is no good reason not to use them as a convenient, transparent, and immediate part of a complete backup solution.

It's nice having the same pile of stuff available to me, whether I'm at my desktop, using my laptop, or fiddling with my Droid, and the revision history is simply awesome.

I don't use Dropbox to share files with others -- that's what Apache is for. (YMMV.)

(And, no, I don't use any uber-seecret encryption on Dropbox. My data is far too uninteresting to bother with any of that.)

Re:Encryption (1)

smash (1351) | more than 2 years ago | (#36068874)

Uninteresting your data may be, but it still may be useful for identity theft related purposes.

Re:Encryption (1)

adolf (21054) | more than 2 years ago | (#36068908)

They can have my identity. It is just as uninteresting, and far more useless.

Re:Encryption (1)

Billlagr (931034) | more than 2 years ago | (#36069050)

Same here..I use DB to keep an image I found and want to have access to on another device, like the mentioned Droid or Blackberry, or other such trivial uses..it's perfectly fine for such, but I surely wouldn't keep anything even vaguely personal on it

Re:Encryption (3, Informative)

wvmarle (1070040) | more than 2 years ago | (#36068230)

Many people for some reason think it's safe because the site says they will protect your data.

Well maybe they can protect your data and will do some effort for it, the fact is you're putting your data on someone else's computer. The owner of that system (basically anyone with high enough privileges or physical access to the system) can access your data. They not necessarily will, but they can. And that little factoid is enough to make it insecure.

That such file hosting sites may have additional security holes allowing access to data one shouldn't have access to, is not important any more. When it's out of your controlled environment, the data is out of your control.

The only way to use remote hosting securely is to either own and directly control the remote hosting site by yourself, or to encrypt everything before it leaves your controlled environment, and keep the secret key to yourself. It's as simple as that. I'm wondering why this is even considered news here.

Like Shark Week? (5, Funny)

The Dawn Of Time (2115350) | more than 2 years ago | (#36067242)

This is the kick-off to Slashdot's "No Shit Week"

Re:Like Shark Week? (1)

clang_jangle (975789) | more than 2 years ago | (#36067294)

Oh come on, be serious now -- who would ever guess that self-styled "pirates" aren't security experts yet think they know enough, resulting in their sites being insecure and untrustworthy? Boy I sure never saw that one coming...

Re:Like Shark Week? (2, Funny)

Anonymous Coward | more than 2 years ago | (#36067344)

Then they could follow up with the quality bunch of Ask Slashdot articles of late:

  1. My mouse is at the right edge of the mousepad, but I need to move the cursor right some more. What do I do?
  2. Brown smelly stuff came out of my butt. What do I do?
  3. I'm running Windows and I install everything I download. Why's my computer so slow?
  4. I regularly scratch my balls in the presence of my bosses. Why am I always being fired?
  5. Why does code written in India always look like shit?

Re:Like Shark Week? (0)

Anonymous Coward | more than 2 years ago | (#36067790)

Also like shark week, it happens all the time.

Re:Like Shark Week? (0)

Anonymous Coward | more than 2 years ago | (#36068428)

This is the kick-off to Slashdot's "No Shit Week"

I would call that a week long constipation

Re:Like Shark Week? (0)

Anonymous Coward | more than 2 years ago | (#36069588)

No shit week seems to have started a few years ago and no one told them it was over

And is anyone surprised ? (0)

perpenso (1613749) | more than 2 years ago | (#36067250)

Academic researchers say they've uncovered weaknesses in dozens of the most popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user.

And is anyone surprised?

And is anyone who has only uploaded *encrypted backups* terribly concerned? They may still change providers due to a loss of confidence but they are probably not losing a lot of sleep.

How about (2, Informative)

Dyinobal (1427207) | more than 2 years ago | (#36067266)

How about Mediafire? All those other sites seem like general file hosting sites, media fire always seemed to me to lean itself towards personal storage, and private if you choose not to share it. If I recall you have to choose to share each folder/item instead of it being shared automatically. They looked at the most popular sites but what makes those sites more popular is the public sharing aspect.

Re:How about (1)

Anonymous Coward | more than 2 years ago | (#36067870)

You can password entire folders/files on mediafire, so even if the link to the file somehow gets to the public, they need a password to be able to proceed and download it.

Re:How about (5, Insightful)

wvmarle (1070040) | more than 2 years ago | (#36068264)

It is on a remote site, out of your control, so it's not secure. End of story.

Encrypt before it leaves your system if you want to keep it secure. Or only store data on such sites that you really don't care if it becomes public.

And even if there really are no remote security holes, anyone with admin/root access to the servers can access your data. Without you knowing.

Re:How about (2)

gl4ss (559668) | more than 2 years ago | (#36069450)

do they provide docs about how they've done their stuff? are the access rights checked every time someone uses a link to the file? because um some don't. eh heh. saves cpu and infra.

non-story (2)

Undead Waffle (1447615) | more than 2 years ago | (#36067332)

The services, which include sites such as RapidShare, FileFactory, and Easyshare, allow users to upload large files and make them available to anyone who knows the unique URI (or Uniform Resource Identifier) that's bound to each one. Users may post the link on websites or forums available to the public or share it in a single email to prevent all but the recipient from downloading it. RapidShare, for instance, says it can be used to “share your data with your friends, colleagues or family.”

But according to academics in Belgium and France, a “significant percentage” of the 100 FHSs (or file hosting services) they studied made it trivial for outsiders to access the files simply by guessing the URLs that are bound to each uploaded file. What's more, they presented evidence that such attacks, far from being theoretical, are already happening in the wild.

Stopped reading right there. It's not private just because the URL is some randomly generated string. These sites are not designed to securely transfer files to only the recipient so this is not in any way a "weakness".

Re:non-story (2)

Kjella (173770) | more than 2 years ago | (#36067572)

Stopped reading right there. It's not private just because the URL is some randomly generated string. These sites are not designed to securely transfer files to only the recipient so this is not in any way a "weakness".

Neither is email, so I guess if you could read everyone's email that wouldn't be a weakness either. Get off your high horse, the URL is supposed to be the equivalent of an email account password, if you have it you can access the files otherwise not. You have to make sure only the right people have the URL, but anything that lets others grab the file anyway is obviously a goatse-class backdoor just as if gmail or hotmail was wide open.

Re:non-story (2)

blincoln (592401) | more than 2 years ago | (#36067832)

"Neither is email, so I guess if you could read everyone's email that wouldn't be a weakness either. Get off your high horse, the URL is supposed to be the equivalent of an email account password, if you have it you can access the files otherwise not. You have to make sure only the right people have the URL, but anything that lets others grab the file anyway is obviously a goatse-class backdoor just as if gmail or hotmail was wide open."

I've heard this argument before, and here's the reason I'm skeptical of it:

The password for an email account or website can be transmitted encrypted, so that even if someone intercepts the communication, they don't know the password. This may not *always* be the case, but it's the intent of the systems design in most cases.

Treating the URL as "secret" is different because anything that captures it in-between the client and destination host can record it and use it for any purpose it likes, and it may not even be with malicious intent (because URLs aren't supposed to contain "secret" information).

For example, let's say your company runs both a search engine *and* a free-as-in-not-really-but-close-enough-for-most-people email service. Given all the other parsing of email that your service does to generate "relevant" ads, don't you think it would make sense to look for URLs in emails and add those to the indexer for your search engine? There is still plenty of content online that won't be found by simply spidering websites, because in order to get to it, the user has to submit a form or have javascript executing in an actual DOM or whatever, so doing that would be very likely to increase the amount of useful content indexed by your search engine. But all of a sudden, poof, that "secret" Flickr URL is no longer secret, and anyone who uses that search engine can find it.

In terms of more malicious intent, consider that there's nothing stopping Google or Microsoft (or other search engine companies) from hosting a bunch of Tor exit nodes, and adding any URLs that pass through *those* to their search indexers, or paying major corporations to funnel URLs from corporate proxy logs to them for the same purpose. I'm not saying they do either of those things, just that there's no reason they couldn't, and I would have a hard time seeing it as truly "wrong", given that URLs aren't supposed to be treated as secret.

I think you missed his point... (1)

raehl (609729) | more than 2 years ago | (#36068156)

E-mail itself isn't encrypted and any email you send transmits through and may even reside, unencrypted, on several servers between the sender and the recipient. If someone were to gain physical access to whatever server your email is stored on, they can read all your email. Or gain physical access to any server that transmits email and read a lot of email going through that server.

An email provider is a bit like your doctor - they have several motivations for NOT disclosing your private information, but there is no physical restriction preventing them from doing so.

Re:I think you missed his point... (1)

wvmarle (1070040) | more than 2 years ago | (#36068304)

Poor analogy as in most jurisdictions a doctor is not allowed to disclose any patient information, and the judicial system can not even demand such disclosure. Same by the way accounts for priests.

Re:I think you missed his point... (1)

symbolset (646467) | more than 2 years ago | (#36068716)

There is a considerable difference between "is not allowed to" and "won't."

Re:I think you missed his point... (1)

wvmarle (1070040) | more than 2 years ago | (#36068850)

A priest or doctor giving testimony on a client is liable to prosecution - they have an obligation of secrecy. Such testimony (if given) will also not be allowed as proof for any wrongdoing. E-mail providers are in a totally different class - they are not allowed to keep things secret when formally asked for information.

Re:I think you missed his point... (1)

Undead Waffle (1447615) | more than 2 years ago | (#36068656)

Well e-mail security is poor but that isn't the point. A URL is not a password and should not be treated as one. It's fairly easy to guess random text strings until you get a hit on these URLs. You will eventually find *something*. With an account and password combination you have to try to crack each account individually and there can be mechanisms to lock the user out after a certain number of incorrect guesses.

Easy to guess?... (1)

js_sebastian (946118) | more than 2 years ago | (#36069958)

Well e-mail security is poor but that isn't the point. A URL is not a password and should not be treated as one. It's fairly easy to guess random text strings until you get a hit on these URLs. You will eventually find *something*.

Not really, the random string just needs to be random enough and long enough and it will take you longer than the life of the universe to "find something". Since no user needs to remember it, making it unguessable does not impact usability either. And if you want to make sure it does not become known to a MiTM, just do all the file downloading over HTTPs.

Yes, the web is a mess of technologies taped onto each other, but that doesn't mean there aren't right ways and wrong ways of using it from a security point of view.
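The "random enough and long enough" argument above, worked through as an added example that is not part of the original comment or any hosting site's code: an estimate of how long blind guessing takes to hit any live file for a given identifier size, and a minimal link store that issues 128-bit tokens, keeps only their SHA-256 digests and stops answering a client after repeated misses. The identifier sizes, file counts, guess rates and the `LinkStore` class are constructed assumptions.

```python
import hashlib
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_guesses(id_bits, live_files):
    """Mean number of uniformly random guesses before one lands on a live file."""
    return 2 ** id_bits / live_files


def years_to_first_hit(id_bits, live_files, guesses_per_second):
    """Expected wall-clock time for the first hit at a sustained guess rate."""
    return expected_guesses(id_bits, live_files) / guesses_per_second / SECONDS_PER_YEAR


class LinkStore:
    """Hypothetical download-link store with unguessable tokens."""

    def __init__(self, max_misses=20):
        self.max_misses = max_misses
        self._files = {}   # sha256(token) -> payload; the token itself is never stored
        self._misses = {}  # client id -> number of failed lookups

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def publish(self, payload):
        token = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits, 22 URL-safe chars
        self._files[self._digest(token)] = payload
        return token

    def fetch(self, client, token):
        """Return the payload, None on a miss, or raise once the client is locked out."""
        if self._misses.get(client, 0) >= self.max_misses:
            raise PermissionError("too many failed lookups")
        payload = self._files.get(self._digest(token))
        if payload is None:
            self._misses[client] = self._misses.get(client, 0) + 1
        return payload


if __name__ == "__main__":
    # Constructed comparison: a 32-bit identifier space with a million live
    # files versus a 128-bit one with a billion live files.
    print("32-bit ids :", expected_guesses(32, 10**6), "guesses on average")
    print("128-bit ids:", years_to_first_hit(128, 10**9, 10**6), "years at 1e6 guesses/s")
```

Because only digests are stored, a copy of the store's lookup table does not hand out working links, which is a separate property from how hard the tokens are to guess.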

Re:non-story (1)

WuphonsReach (684551) | more than 2 years ago | (#36068318)

The password for an email account or website can be transmitted encrypted, so that even if someone intercepts the communication, they don't know the password. This may not *always* be the case, but it's the intent of the systems design in most cases.

It could be, but probably 95% of all mail servers out there still fail to do SSL because the admins can't figure out SSL certificates. Or they use a simple self-signed cert, which is fairly useless at preventing MiTM attacks (you end up talking over an encrypted channel to your attacker).

Re:non-story (0)

Anonymous Coward | more than 2 years ago | (#36067574)

At best it is a means of obscurity to prevent easy copyright enforcement. Why anybody would think they are secure or for doing anything beyond sharing with the masses or a niche group is beyond me. It certainly doesn't work well for keeping data private. The cloud nor these services are designed for that. If software developed to run on the client did the encrypting and stored it on the cloud then and only then are you going to have any kind of privacy.

All security is through obscurity (5, Insightful)

sco08y (615665) | more than 2 years ago | (#36067336)

“These services adopt a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URIs,” the researchers wrote in a paper presented at the most recent USENIX Workshop on Large-Scale Exploits and Emergent Threats.

Hey, guess how passwords work? They're hard to guess. How do biometrics work? Your fingerprints are hard to replicate. How do keycards work? It's hard to guess whatever code is stored in it. All security ultimately comes down to some token that is "obscure."

All security is through obscurity. If these sites are being accessed when they shouldn't, it means that there's an information leak, that is, the owners think (or claim) that it is far more obscure than it really is.

Re:All security is through obscurity (1)

Anonymous Coward | more than 2 years ago | (#36067372)

+1. This is how session ID's work for your online banking, email access etc too.

Re:All security is through obscurity (0, Insightful)

Anonymous Coward | more than 2 years ago | (#36067532)

The worst people are those who suggest that certificates or keys are somehow different and better than passwords.

They seem incapable of realizing that keys, like those often used to allow for SSH logins without using passwords, are merely lengthy passwords that are often stored in files. They don't understand that if the key is compromised, it's no different than a password being compromised.

Wrong. (2, Insightful)

Anonymous Coward | more than 2 years ago | (#36067660)

It is safer and better.

In a contest of brute force, SSH keys are exponentially superior to passwords. You're not going to get passwords to have the same resistance. Period.

Not to mention, keyed access removes a great deal of moronic IT bullshit regarding password policies - you know, the policies that lead to weak passwords, lead to users actively subverting those policies ("Fuck this monthly change shit, I'm using p4ssword02. And next month, I'll use p4ssword03.", et cetera).

No, sir. You are wrong. (0)

Anonymous Coward | more than 2 years ago | (#36067920)

Brute-force attacks should never be an issue, regardless of whether passwords or keys are being used. Even shitty authentication systems will lock accounts after a small number of failures, or will at least introduce an exponential delay between subsequent attempts. If you can only perform 20 failed logins per day, if not fewer, for a given account, then it will significantly reduce the potential of a successful brute-force attack.

One of the main problems with keys is that they're much too long for most users to remember, so they almost always end up stored in a file or database of some sort. This act alone reduces the overall security far, far more than the risk of a brute-force attack. Given that they're often stored in common locations, even on different installations of different operating systems, all it takes are slightly incorrect permissions on a user's home directory and their keys are easily accessible. It gets worse if the system or home directory is periodically backed up, with the key being propagated (perhaps unknowingly!) to other media and locations.

It does no good if you have six deadlocks on your door, but then you leave all six keys sitting inside the house on a window sill next to the door, easily visible and protected only by a fragile pane of glass.

Re:No, sir. You are wrong. (2)

0123456 (636235) | more than 2 years ago | (#36067994)

One of the main problems with keys is that they're much too long for most users to remember, so they almost always end up stored in a file or database of some sort. This act alone reduces the overall security far, far more than the risk of a brute-force attack.

Uh, no it doesn't. You not only have to get into my machine to find the key file, you also have to break the passphrase on that key file.

So at worst it's no less secure than a password, and at best it's far more secure.

Re:No, sir. You are wrong. (2)

icebraining (1313345) | more than 2 years ago | (#36068014)

> Brute-force attacks should never be an issue, regardless of whether passwords or keys are being used. Even shitty authentication systems will lock accounts after a small number of failures, or will at least introduce an exponential delay between subsequent attempts. If you can only perform 20 failed logins per day, if not fewer, for a given account, then it will significantly reduce the potential of a successful brute-force attack.

If that was implemented for SSH on an Internet-facing machine, nobody could ever log on; the accounts would be always locked.
And if it's 20 failed logins per IP, then it's useless, since many attackers use botnets.

> One of the main problems with keys is that they're much too long for most users to remember, so they almost always end up stored in a file or database of some sort. This act alone reduces the overall security far, far more than the risk of a brute-force attack. Given that they're often stored in common locations, even on different installations of different operating systems, all it takes are slightly incorrect permissions on a user's home directory and their keys are easily accessible. It gets worse if the system or home directory is periodically backed up, with the key being propagated (perhaps unknowingly!) to other media and locations.

That's why keys have - wait for it - passphrases!

Re:All security is through obscurity (1)

Anonymous Coward | more than 2 years ago | (#36067836)

A private key is *much less likely* to be compromised. Because, since it's being used in public key crypto and not shared secret crypto, you don't pass it to another system (unless you're retarded).

Re:All security is through obscurity (3, Insightful)

Anonymous Coward | more than 2 years ago | (#36067860)

They are different and better than passwords, and they are not lengthy passwords that are stored in files. The entire mechanism of authentication using public-key cryptography is different. When you authenticate with a password, you send the password to the server, which compares it against some stored credential. When you authenticate using a key file or certificate, you take some set of values that usually includes something random from the server, generate a signature, and encrypt it using your private key. The server then decrypts it using your public key and makes sure the signature is correct. Your "lengthy password in a file" is never sent to the server, no representation of it is ever stored on the server, and the value you send for authentication cannot be intercepted and reused on the same server or any other.

I doubt there is anyone that thinks certificates or keys are less valuable than passwords if compromised, they just realize they are less likely to be compromised.

Re:All security is through obscurity (3, Insightful)

DoofusOfDeath (636671) | more than 2 years ago | (#36067726)

Hey, guess how passwords work? They're hard to guess.

But when you're using HTTPS, a password is usually passed along a pre-secured channel. Aren't these URIs visible to all routers in between you and the file site, as well as any computer monitoring traffic on your local LAN?

If so, that's somewhat less secure than passwords.

Re:All security is through obscurity (1)

icebraining (1313345) | more than 2 years ago | (#36068028)

Not when using HTTPS, supposedly. Without SNI not even the domain is known, which causes problems for shared hosts.

Re:All security is through obscurity (2)

sco08y (615665) | more than 2 years ago | (#36068206)

> Hey, guess how passwords work? They're hard to guess.

> But when you're using HTTPS, a password is usually passed along a pre-secured channel. Aren't these URIs visible to all routers in between you and the file site, as well as any computer monitoring traffic on your local LAN?

> If so, that's somewhat less secure than passwords.

Right, so the normal usage of the terms "secure" and "obscure" is ambiguous. And pardon me if I'm explaining the obvious, but some people definitely don't get it, and the Internet has a desperate need for my opinion.

Obscurity is an intrinsic property of things. A Babe Ruth rookie card is obscure because there aren't many of them. It often, but not always, makes something valuable. Vogon poetry might make a great secret key, but no one would pay for it.

Security is something you impose upon a thing. I can secure the card by locking it in a vault. Security is often achieved through mechanisms, processes or algorithms.

Half of security is keeping others out of your stuff, the other half is letting you in. So the reason I say all security is achieved through obscurity is that the way you let yourself in is through an obscure token.

And some of the confusion comes about because that obscurity has to be secured. Your example of the password over HTTPS is great: if the password is sent by plaintext, it can be a great password, but once it's revealed it's no longer obscure, and the whole system is broken. That's an example of an information leak.

Re:All security is through obscurity (1)

neonsignal (890658) | more than 2 years ago | (#36069216)

While you have a point that many security methods such as passwords rely on 'obscurity', one can still make a distinction between methods which rely on poorly measured (and typically low) entropy and methods which rely on well defined entropy. Usually when people talk about the dangers of security through obscurity, they are talking of the former; the use of methods such as pass-phrases have well defined entropy, and the degree of difficulty ('obscurity') is controlled. Of course, pass-phrases are not a magic bullet if there are other ways to discover them (such as when they are sent plaintext over the network).

Security-by-obscurity (3, Informative)

js_sebastian (946118) | more than 2 years ago | (#36069984)

> While you have a point that many security methods such as passwords rely on 'obscurity', one can still make a distinction between methods which rely on poorly measured (and typically low) entropy and methods which rely on well defined entropy. Usually when people talk about the dangers of security through obscurity, they are talking of the former;...

No. Security by obscurity means security achieved by keeping the details of your system secret (architecture, algorithms, etc), so people don't know how to break in. The accepted way to do security, on the other hand, is to build a system that is secure even against adversaries who know everything about your system, lacking only a well defined credential or set of credentials (a password, certificate, fingerprint, etc).

Using "secret" URLs to provide access is not security by obscurity if there is enough randomness involved that URLs are practically unguessable, though if it does not go over HTTPS it is certainly weak against certain threat models (man-in-the-middle).

Re:All security is through obscurity (0)

Anonymous Coward | more than 2 years ago | (#36069006)

Hey, guess how SSL works?

Re:All security is through obscurity (0)

Anonymous Coward | more than 2 years ago | (#36068294)

Read the paper [usenix.org]. Some of the sites use sequential identifiers for files, and they used honeypots to verify that criminals would indeed grab files they placed on some of the sites without sharing the locations of those.

duh... (0)

Anonymous Coward | more than 2 years ago | (#36067360)

duhhhhhhh!! ?? why is this worthy of a story here??

But, but, but they promised me it was safe! (0)

Anonymous Coward | more than 2 years ago | (#36067432)

Holy moly, they assured me I could put "private" stuff up there and nobody but me would be able to look at it. I feel like I can't trust anyone's word now.

Duhh (0)

Anonymous Coward | more than 2 years ago | (#36067554)

Those sites are really designed to host pirated material. If a user posts, say, a Photoshop file for another user to download, there is no reason for the recipient to pay for a premium download (presumably the primary source of revenue for these sites). Now if a user is downloading seasons 5, 6 and 7 of a TV series, then they might be willing to pay for the premium service.

Regarding the lost privacy aspect. If you are boneheaded enough to post anything sensitive on a site like that, then it is likely no amount of information would give you pause from doing it in the future.

File Hosting Not Safe For Private Data (0)

Anonymous Coward | more than 2 years ago | (#36067942)

This is very surprising given that this was never an issue? Oh, I think I'll just store this data here..LOL

When?? (0)

TheRecklessWanderer (929556) | more than 2 years ago | (#36067950)

When are people going to realize that putting anything on the cloud, unless it's uber encrypted, and maybe even then is not safe? It's not safe from prying eyes, and it's not safe from vanishing one day? Personally I will never trust the cloud, and the sooner everyone agrees with me the better off we will be. :)

earth no longer safe haven for unchosen neogods (-1)

Anonymous Coward | more than 2 years ago | (#36067992)

you call this 'weather'? what with real history racing up to correct itself, while the holycostal life0ciders continually attempt to rewrite it. fortunately, there's still only one version of the truth, & it's usually not a long story, or a confusing multiple choice fear raising event.

disarmament is taking place based on the pure intentions of the majority of the planet's chosen to be depopulated, population. as the biblical fiction based chosen ones have only one ability, which is destruction for personal gain, they just don't fit in with all the new life extending stuff that's we're being advised to ignore. life likes to continue, advance etc... deception & death appear to have similar ambitions. with malestromous monday on the horizon, wouldn't this be a great time to investigate the genuine native elders social & political leadership initiative, which includes genuine history as put forth in the teepeeleaks etchings. the natives still have no words in their language to describe the events following their 'discovery' by us, way back when. they do advise that it's happening again.

Compress, generate strong password, encrypt. (1)

danielpublic (1920630) | more than 2 years ago | (#36068692)

At least download peazip.com (cross-platform, LGPL) to encrypt your files.

Using the same password over and over again?
Install passwordmaker.org to generate all your passwords.
Exists for most browsers, as JavaScript, CLI, also Maemo (in development), Android, iPhone.

All the above is useless, of course, if your OS is not up to date and, depending on platform, you don't use the usual anti-malware/virus.

Re:Compress, generate strong password, encrypt. (1)

zombodotcom (1390303) | more than 2 years ago | (#36069086)

There are only a few options out there for transferring files securely. That's why we developed Rhinofile. *Self promotion warning* Rhinofile ( http://www.rhinofile.com/ [rhinofile.com] ) is a PHP/MySQL application that pushes files onto an internet host, normally a CPANEL hosting provider or a host of your choosing. This could be your DMZ if you are very conscious of your data. The application is built so that you choose where your data sits, and it integrates into your Windows AD authentication. The main difference compared to other applications is that the LAN VMware appliance pushes files onto an internet server. You can expire files after set periods of time, set credentials on the downloads and add policies. Rhinofile is free, and the client is open source so you can review the code going onto the internet host. You just need VMware or Xen to boot the image. The image is ioncube encoded (CentOS). In regards to the above comments, the best thing an admin can do is provide a service to their staff and the end clients so that they don't have to use these free services. Staff go to the free services because their companies aren't giving them options. Rhinofile has a dropbox where customers can send your staff files as well, with some varied options. It's all PHP/MySQL, cron, rsync over SSH etc. Nothing new or fancy. Any comments on the software would be appreciated as we're trying to find bugs and get more people using it. Bug and security reports will be taken seriously, but please document it enough so we can pick it up and run with it. The forum is http://forum.rhinofile.com./ [forum.rhinofile.com]

water also wet (0)

Anonymous Coward | more than 2 years ago | (#36068694)

sky may be blue. News at 11.

Well duh (1)

Apothem (1921856) | more than 2 years ago | (#36069578)

I always thought the whole point of those sites was to share it with the public to begin with. This really comes as no big surprise to find this out now. You're putting your data in the hands of a total stranger, of course it's not secure!

For those saying "Well, duh!" (2)

jimicus (737525) | more than 2 years ago | (#36069760)

Part of the issue is how these sites market themselves. Many sell themselves as "a fast, easy, secure way to send files to friends and colleagues without being hit by such bothersome things as email size limits or limits on sending executables".

The security they provide varies. Some allow you to password-protect the download (so nobody's getting it without entering the password first). Others don't do this, the security stems from the URL they give you to include in the email being apparently-random and not published anywhere. Security through obscurity, in other words. To you and me, this is a disaster waiting to happen, but these products aren't being used by you and me. They're being used by others in the business who are annoyed that the IT department is blocking them from sending out a particular attachment, and rather than ask the IT department to come up with a solution are instead using such a service. It's actually pretty common for these companies to offer corporate accounts so you can give your users a solution which is branded with your company name and logo and allows you to enforce rules regarding what options users may choose when they come to send a file. But corporate accounts cost money, getting the money means setting up a project and will take a minimum of a couple of months. This file needs to reach the recipient in a couple of hours.

These researchers have demonstrated that not only are the URLs generated not particularly random, they're easy to guess and people are already guessing them left and right.
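
An added example, not from any commenter or from the paper under discussion: it puts numbers on the point raised in the thread that a "secret" download URL protects a file only if its identifier is practically unguessable, and it contrasts the sequential identifiers mentioned above with a CSPRNG token. All function names, the file counts and the identifier sizes are assumptions chosen for illustration.

```python
import math
import secrets

def sequential_ids(start, count):
    """Weak scheme: every upload gets the next integer as its file ID."""
    return [str(start + i) for i in range(count)]

def random_token(nbytes=16):
    """Per-file token: 128 bits from the OS CSPRNG, URL-safe (22 chars)."""
    return secrets.token_urlsafe(nbytes)

def hit_probability(live_files, id_space_bits, guesses):
    """P(at least one of `guesses` uniform guesses lands on a live file)."""
    p_single = live_files / 2 ** id_space_bits
    if p_single >= 1:
        return 1.0
    # 1 - (1 - p)^g, computed stably when p is tiny
    return -math.expm1(guesses * math.log1p(-p_single))

def enumerable_fraction(issued_ids):
    """Audit of a service's own issued IDs: the share whose numeric
    successor was also issued. Near 1.0 means one known link exposes
    its neighbours; random tokens score 0.0."""
    if not issued_ids:
        return 0.0
    numeric = {int(i) for i in issued_ids if i.isascii() and i.isdigit()}
    hits = sum(1 for n in numeric if n + 1 in numeric)
    return hits / len(issued_ids)

if __name__ == "__main__":
    # Constructed figures: one million live files on the service.
    live = 1_000_000
    print("32-bit IDs, 10k guesses :", hit_probability(live, 32, 10_000))
    print("128-bit IDs, 1e9 guesses:", hit_probability(live, 128, 10**9))
    print("sequential audit:", enumerable_fraction(sequential_ids(1000, 50)))
    tokens = [random_token() for _ in range(50)]
    print("random audit    :", enumerable_fraction(tokens))
```

An unguessable token still has to travel over HTTPS and stay out of logs and referrers, as the comments above point out; the token length only addresses guessing.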
