Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Dropbox Accused of Lying About Security

samzenpus posted more than 3 years ago | from the e-pants-on-fire dept.

Cloud 265

lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."

cancel ×

265 comments

Sorry! There are no comments related to the filter you selected.

Good (5, Insightful)

gadzook33 (740455) | more than 3 years ago | (#36136090)

As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.

Seconded (2)

Niobe (941496) | more than 3 years ago | (#36136112)

Absolutely right. Couldn't believe the laughable security system when it came out. Has anyone else converted all their dropbox folders to truecrypt volumes?

Re:Seconded (1)

CTU (1844100) | more than 3 years ago | (#36136132)

The only thing I have on dropbox is a few backups from FEBE, so not really a big deal if they can see my plug ins and bookmarks...all of them are outdated anyways

Re:Seconded (1)

x*yy*x (2058140) | more than 3 years ago | (#36136168)

I mostly just use it for image hosting for forums or to quickly give something to a friend, which it's just fine for.

Also, before someone comes in blaming the whole cloud thing again, it's not the fault of "cloud". It's a fault of a lying company. If your bank told you that your money would be safe with armed guards and you would not be responsible for someone robbing them, but it turns out the bank stored all their money in an insecure normal office and someone casually broke in and took the money, you would blame that one bank, not the whole banking system.

Re:Seconded (2, Insightful)

PopeRatzo (965947) | more than 3 years ago | (#36136254)

Also, before someone comes in blaming the whole cloud thing again, it's not the fault of "cloud". It's a fault of a lying company.

It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation. The more de-regulation, the more damage they will do.

Corporations are golems, with the single imperative to profit at any cost. The potential for profit increasingly outweighs any risk involved in negative behavior. And when you get big enough, say Exxon big, there's no risk at all.

And it is a little bit the fault of "the cloud". I can go down to my bank and look at the vault. I can read the government-backed FDIC insurance on my deposits and the FDIC has never, ever failed. All we can do is hope that what the cloud companies tell us about security is true. How could we possibly verify?

Re:Seconded (2)

zephvark (1812804) | more than 3 years ago | (#36136580)

It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation

The what, now? Big companies never push deregulation. They want as much regulation as possible, the better to punish anyone else trying to enter the same market. It's called "rent seeking".

Re:Seconded (3)

captain_sweatpants (1997280) | more than 3 years ago | (#36136694)

Bullshit! Big companies are in favour of regulation that increases their profit and against regulation that decreases it. Overall they are against it because they can always abuse their dominant position to keep standards low, prices high and competitors out. In the absence of sensible regulation, they can throw their money around, abuse their influence with suppliers and customers, or just flat out abuse those that have no one else to buy from or sell to.

Re:Seconded (3, Insightful)

Linux Torvalds (647197) | more than 3 years ago | (#36136696)

Regulatory capture has proven to be a much bigger problem than deregulation, I think. It seems better not to give the government so much power in the first place.

Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

Re:Seconded (-1)

Anonymous Coward | more than 3 years ago | (#36136140)

What do expect from a tool made by a pair of high-school and university drop-outs?

Re:Seconded (1)

Anonymous Coward | more than 3 years ago | (#36136196)

pronouns?

Re:Seconded (1)

Omnifarious (11933) | more than 3 years ago | (#36136240)

I'm sort of both of those. And I have and would've made a better service than that.

Re:Seconded (2)

node 3 (115640) | more than 3 years ago | (#36136444)

But you didn't. It's much easier to *say* how you'd do something than it is to actually do it.

If you really could do so much better, why haven't you done so? Seems like a good way to make a few million, if it's so simple...

Re:Seconded (1)

icebraining (1313345) | more than 3 years ago | (#36136568)

Parent never said (s)he would come up with the idea (nor that it was simple), just that (s)he would implement it better.

Re:Seconded (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36136570)

According to TFA's description of the problem, the issue wasn't one of technical acumen at all.

In order to be able to do deduplication across their subscriber base, rather than per-user or none at all(likely making for considerable disk and bandwidth savings across a service of their size), Dropbox failed to (usefully) encrypt user files and introduced a fun side-channel attack where anybody can determine whether somebody else has a file stored, just by attempting to upload it and then sniffing the wire to see if it takes the expected upload time, or just a tiny amount of hash comparing to "upload".

Technologically, they didn't exactly advance the state of the art in crypto to power their service; but the issues at question appear to be technologically competent enough, deduplication across the largest set of files possible is a perfectly sensible way of reducing storage and bandwidth costs, it's just that they then proceeded to sharply oversell the amount of actual privacy they were providing.

Given that education doesn't seem to have much effect on honesty(unless you count the courses of study that probably make you worse...) I'd be inclined to say that it is irrelevant to the problem at hand.

Re:Seconded (0)

Anonymous Coward | more than 3 years ago | (#36136650)

Tahoe fs successfully solves these so called "advance crypto" problems using techniques from the 80s. There's nothing difficult here, you just need competent people. There was a video of these guys at work on techcrunch a while back(http://techcrunch.com/2011/02/10/inside-the-psychobox-a-tour-of-dropboxs-bumping-office/) once you see what they've wasted their seed money on, you get a true understanding of why their "product" is so incompetently designed.

Thats just the crypto side of things, wait until bandwidth usage issues hit the headlines, its like as if these guys have never heard of rsync.

Re:Seconded (2)

0100010001010011 (652467) | more than 3 years ago | (#36136146)

Not all of them. Anyone accessing my 'Projects' Folders wouldn't find anything that wasn't on my Git Hub. Nor would they get much out of my "Spring 2011" homework folder.

Good luck getting at my "Taxes.tc" file.

Re:Seconded (0)

Anonymous Coward | more than 3 years ago | (#36136162)

Absolutely right. Couldn't believe the laughable security system when it came out. Has anyone else converted all their dropbox folders to truecrypt volumes?

I use DropBox. Does "TrueCrypt" sync my files between windows, mac, iPhone, Blackberry and Android
automatically before I can stop using my Mac and look on my iPhone?

People who put "I murdered my first wife" on a computer get what they deserve and I don't care.
People who entrust their credit card info and banking info on a computer without a PIN
to access it
(that if guessed 10 times w failure locks the person out) are wishing for magic potions.

Not sure DropBox does any of this, so I don't put that kind of info into DB.
Ed Bradford
Pflugerville,TX

Re:Seconded (0)

Anonymous Coward | more than 3 years ago | (#36136216)

"I enjoy intercourse with small domestic fauna."

Ed Bradford
Pflugerville, TX

Re:Seconded (2, Funny)

ColdWetDog (752185) | more than 3 years ago | (#36136634)

"I enjoy intercourse with small domestic fauna."

Thanks for qualifying that. Heaven forbid you having conjugal relations with foreign animals. That would be just perverse.

Re:Seconded (0)

Anonymous Coward | more than 3 years ago | (#36136354)

How well does Dropbox handle Truecrypt? I've seen contradictory info about whether they take a diff of the container or re-upload the whole thing after changes. And I'm guessing the whole container gets duplicated if there are conflicting changes? How does it handle the filesize of non-fixed size volume containers? As in, which counts against your storage capacity: reported or actual size of the container?

Security is NOT an issue with The Cloud. (5, Funny)

Anonymous Coward | more than 3 years ago | (#36136252)

Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

Re:Security is NOT an issue with The Cloud. (3, Funny)

RightwingNutjob (1302813) | more than 3 years ago | (#36136416)

My guess is all your documents are encrypted with ExecuSpeak already. So you're good.

Re:Security is NOT an issue with The Cloud. (1)

node 3 (115640) | more than 3 years ago | (#36136456)

The good ol' "let's mock the victim here for not being as smart as me" routine.

Re:Security is NOT an issue with The Cloud. (1)

e9th (652576) | more than 3 years ago | (#36136624)

That's what I thought reading yesterday's Confessions of a Computer Repairman [slashdot.org] thread.

Re:Security is NOT an issue with The Cloud. (4, Insightful)

formfeed (703859) | more than 3 years ago | (#36136700)

The good ol' "let's mock the victim here for not being as smart as me" routine.

No. If I mocked everyone not being as smart as me, I wouldn't get anything else done.
I only mock for "not being as smart as me but thinking to be way smarter than me".

Re:Security is NOT an issue with The Cloud. (4, Funny)

jonamous++ (1687704) | more than 3 years ago | (#36136654)

I'm both amused and concerned that I've heard statements similar to the ones that you have made at my own workplace. *sigh*

Re:Security is NOT an issue with The Cloud. (1)

Stumbles (602007) | more than 3 years ago | (#36136730)

Great analysis there but I think you need to throw in a few more acronyms. Other than that, spoken like a true manager that has no clue.

Re:Good (1)

Yvanhoe (564877) | more than 3 years ago | (#36136502)

What I hope will happen : that "cloud" will soon become synonym for "pixie dust" or "snake oil" when it comes to computer security.

What should have happened : the same, 5 years ago.

the problem with the cloud in simple terms (2)

RobertLTux (260313) | more than 3 years ago | (#36136632)

What Happens When it RAINS??

Call me back... (4, Insightful)

bannable (1605677) | more than 3 years ago | (#36136096)

...when there's an actual investigation. Why the hell is it news that someone made a complaint?

Re:Call me back... (5, Informative)

inpher (1788434) | more than 3 years ago | (#36136144)

One reason is that the person making the complaint is Christopher Soghoian [wikipedia.org] , a heavyweight when it comes to computer security.

Re:Call me back... (-1)

Anonymous Coward | more than 3 years ago | (#36136630)

I tend to disagree here. He's no heavyweight and his blog post really didn't reflect anything other than the fact that these so-called 'big-guns' in the inner circles really don't live up to their PHD. Check out my write-up on Soghoian [silicon-vision.com] .

Re:Call me back... (2)

Renderer of Evil (604742) | more than 3 years ago | (#36136750)

Point is, he has exposed their lies and it made the rounds on all tech news sites. His researched compelled an FTC investigation.

What have you done?

Where's Al Gore and his "Lock Box"? (3, Insightful)

retroworks (652802) | more than 3 years ago | (#36136114)

Here I was feeling all certain that my data was secure, and it just turns out my information just isn't important or interesting enough to purloin.

Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.

Re:Where's Al Gore and his "Lock Box"? (5, Insightful)

chill (34294) | more than 3 years ago | (#36136126)

The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.

Re:Where's Al Gore and his "Lock Box"? (1)

gman003 (1693318) | more than 3 years ago | (#36136310)

I just automatically assume that anything online is insecure until proven otherwise. My Dropbox contains backups of some open-source programs I'm making, and a bunch of photos I wanted to put online. My GMail contains no information more private than my third-tier passwords (ones for forums/newslists where someone hijacking my account would be harmless). My Facebook contains nothing more than my name and high school. My Twitter has no information at all - just my username. The only online service I keep anything valuable in is my Steam account - and that's mainly because I'm big enough in their community that I could cause enough bad press to harm them (not much, but enough), and because I have enough stored there that a lawsuit would be plausible (should they go out of business without releasing a DRM stripper as promised). And even Steam has the bare minimum of extraneous info - one credit card, a phone contact, and the aforementioned GMail address.

Re:Where's Al Gore and his "Lock Box"? (0)

Anonymous Coward | more than 3 years ago | (#36136414)

So, uhh, what exactly makes you "big enough" within the Steam community?

Re:Where's Al Gore and his "Lock Box"? (1)

gman003 (1693318) | more than 3 years ago | (#36136526)

Let me put it this way: I have a fan club. Didn't ask for it - it just happened. I've got enough people who admire me that I could probably start a cult. I have had multiple people express a desire to bear my children.

As to how I got that way, fuck if I know. I haven't actually done much besides a few small mods, and chatted a lot. All I know is that if I say "Steam just ripped me off, those fuckers", I'd start a small riot. Torches and pitchforks would be wielded; Gabe Newell would be burned in effigy.

Re:Where's Al Gore and his "Lock Box"? (-1)

Anonymous Coward | more than 3 years ago | (#36136738)

Good job. No one gives a shit. Go back to hiding under a rock in your mom's basement.

Re:Where's Al Gore and his "Lock Box"? (1)

namgge (777284) | more than 3 years ago | (#36136740)

... and because I have enough stored there that a lawsuit would be plausible (should they go out of business without releasing a DRM stripper as promised).

So, you are planning to protect youself by suing the company after it has gone out of business? I have a bridge you might like to buy... Namgge

Re:Where's Al Gore and his "Lock Box"? (1)

rastilin (752802) | more than 3 years ago | (#36136150)

That's all true but there's two issues in this particular case.

-- We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.

-- They're lying to get ahead in the market. That's something we need to discourage.

Re:Where's Al Gore and his "Lock Box"? (1)

adamofgreyskull (640712) | more than 3 years ago | (#36136326)

We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.

You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)

Re:Where's Al Gore and his "Lock Box"? (1)

Haedrian (1676506) | more than 3 years ago | (#36136404)

That depends, is it home made stuff?

Re:Where's Al Gore and his "Lock Box"? (1)

rastilin (752802) | more than 3 years ago | (#36136558)

It's an example of something no-one would give a damn about that people take anyway; because it's there.

Re:Where's Al Gore and his "Lock Box"? (1)

hedwards (940851) | more than 3 years ago | (#36136410)

And you seem to be assuming that the GP doesn't have midget furry gangbang pedo porn on his computer. That shit'll get you sent up for years.

Re:Where's Al Gore and his "Lock Box"? (1)

rastilin (752802) | more than 3 years ago | (#36136566)

Probably because that never occurred to any of us... except for you. ;)

Re:Where's Al Gore and his "Lock Box"? (1)

rastilin (752802) | more than 3 years ago | (#36136472)

For the purposes of this exercise, let's assume that no one stores their credit card numbers on their computer in plaintext; even though we all know that's not true.

The porn thing is one thing I never understood, why would anyone bother? It's like they've never heard of the internet. I figure that some people will take anything not nailed down, a pretty solid reason that Dropbox should not give it's employees access to the user's stuff at all.

Re:Where's Al Gore and his "Lock Box"? (1)

rudy_wayne (414635) | more than 3 years ago | (#36136584)

You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc...

Depending on the porn . . . . yes.

Re:Where's Al Gore and his "Lock Box"? (0)

Anonymous Coward | more than 3 years ago | (#36136154)

While security should be talked about in "risk vs cost" it has nothing to do with this. The company committed fraud and should be prosecuted. This is no different then selling someone the "Brooklyn Bridge" only it involves data.

Re:Where's Al Gore and his "Lock Box"? (4, Interesting)

Omnifarious (11933) | more than 3 years ago | (#36136156)

First, you are wrong. The data in your account is interesting to a whole host of people, regardless of how insignificant you are. Maybe there's a credit card number in there. Maybe there's clues to your password. Maybe your social graph is interesting to a marketer. In this age, even an insignificant person's data is of interest to someone.

Secondly, DropBox lied. Plain and simple. They made a security claim that wasn't true and sold their service based on it. If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.

Did they really lie to most people? (1, Interesting)

eleuthero (812560) | more than 3 years ago | (#36136206)

I ask the above question because I didn't start using Dropbox because I thought it was secure--I have class notes for teaching and notes for my personal studies in my account and these are for the most part publicly available anyway. I signed up because I was tired of having to fish out my backup CDs when my hard drives died on me (I still do a local backup though) and this part of their service is visibly not a lie and has saved me on at least two occasions in addition to the ease of sharing said notes with students when the file size is too large for our school's hosting service.

Did they lie to me about securing my data? Technically, yes, they did. Was this a factor in signing up with a cloud-based data storage service? Absolutely not. It never even occurred to me that they would actually secure my data to my level of satisfaction even with the claim that it was secure. It was in the cloud and accessible by whichever script kiddy wanted it. Since this was my operating assumption going in, I can't say I'm surprised that Dropbox has been caught in a lie, nor am I concerned (lying seems to be endemic in our society, unfortunately, but I've grown enured to it). On the other hand, now that they've been caught, I am interested in how they will respond--this could impact my use of their service.

Re:Did they really lie to most people? (1)

adolf (21054) | more than 3 years ago | (#36136294)

Did they really lie to most people?

They're still lying. From https://www.dropbox.com/features>https://www.dropbox.com/features [dropbox.com] :

Dropbox protects your files without you needing to think about it.
                       


  •                                
  • Dropbox keeps a one-month history of your work.
  •                                

  • Any changes can be undone, and files can be undeleted.
  •                                

  • All transmission of file data occurs over an encrypted channel (SSL)./li>
                                   
  • All files stored on Dropbox are encrypted (AES-256).
  •                        

I maintain that I, myself, am boring enough to not be bothered with folks potentially perusing the stuff I store on Dropbox. But it's still a lie -- it has been shown to be hardly protected at all.

Re:Did they really lie to most people? (1)

Ash-Fox (726320) | more than 3 years ago | (#36136520)

All transmission of file data occurs over an encrypted channel (SSL)

Other than that one, not seeing any other lies.

Re:Where's Al Gore and his "Lock Box"? (3, Interesting)

pushing-robot (1037830) | more than 3 years ago | (#36136316)

I can understand the concerns about credit cards and bank info, but I don't really get why people are so freaked out about marketers learning a bit of generic info about their lives:

Person 1 -- Oh no! An advertising firm got hold of my semi-private information!

Person 2 -- That's terrible. What did they do with it?

Person 1 -- Well, they started showing me ads for things I might actually buy.

Person 2 -- Gods! Have these men no shame?

Re:Where's Al Gore and his "Lock Box"? (4, Informative)

hedwards (940851) | more than 3 years ago | (#36136428)

Because it's not a little generic info about their lives. It's a small leak here a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.

It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.

Re:Where's Al Gore and his "Lock Box"? (1)

digitallife (805599) | more than 3 years ago | (#36136426)

"If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well."

I'm sorry to be the one to inform you of this, but we already live in a world like that.

Thinking boolean (0)

Anonymous Coward | more than 3 years ago | (#36136560)

True, security isn't a yes/no, but telling the truth, for the most part, IS. Either their staff could access the files in unencrypted form, or they couldn't. They said they couldn't but in fact, they could. Using asymmetric cryptography for uses like this is rather pointless. You use dual key to get messages from Jack to Alice without letting Bob see. In this case, you only need to get the message back to yourself. Lost your crypto key? By design, if you don't want somebody else to see, they can't, because you hold the secret! Gee... sucks to be you!

BTW: your example of the missile launching laptop is itself a joke. Turns out the "secret launch code" was 123456 for some 30 years! (FSM, I wish I could find the original article...)

i think i see the problem (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36136124)

"the encryption keys are in their possession"

Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?

If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.

Is it just me, or about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"

Re:i think i see the problem (2)

nedlohs (1335013) | more than 3 years ago | (#36136160)

It doesn't matter.

If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

It doesn't matter if they obviously lying, and anyone who knows anything about what they do can tell that.

Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

Re:i think i see the problem (0)

Anonymous Coward | more than 3 years ago | (#36136210)

It doesn't matter.

If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

It doesn't matter if they obviously lying, and anyone who knows anything about what they do can tell that.

Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

Coca Cola doesn't cure cancer?

Re:i think i see the problem (0)

exomondo (1725132) | more than 3 years ago | (#36136262)

If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

But they already addressed the issues in the language describing their services over a month ago. I'll admit their old language may have been a bit confusing but it's obvious that if you haven't been given the encryption keys then dropbox has them.

Personally i wouldn't trust the security of any 'cloud' provider with sensitive data, if you're going to use such a service encrypt it yourself and then upload it.

Re:i think i see the problem (1)

hedwards (940851) | more than 3 years ago | (#36136442)

No, it's not obvious that they have them, there's definitely ways in which they could do it which would prevent them from being able to access that data without your permission. Otherwise no provider of services could ever promise that level of protection without the FTC investigating. The fact that the FTC is investigating this now rather than any number of other companies previously is a pretty good indication that it's a reasonable expectation to have.

Re:i think i see the problem (1)

exomondo (1725132) | more than 3 years ago | (#36136504)

No, it's not obvious that they have them

Then who would you think has them? You know you don't and you're assuming they don't, so who does?

The fact that the FTC is investigating this now rather than any number of other companies previously is a pretty good indication that it's a reasonable expectation to have.

I think it's clear you either don't know enough about this story or don't know what a 'fact' is. A complaint to the FTC is not an FTC investigation.

Re:i think i see the problem (1)

icebraining (1313345) | more than 3 years ago | (#36136652)

I do have one key - the password; that could be used to encrypt the file before syncing them.

LastPass seems decent in that regard.

Re:i think i see the problem (1)

exomondo (1725132) | more than 3 years ago | (#36136708)

I do have one key - the password; that could be used to encrypt the file before syncing them.

LastPass seems decent in that regard.

You mean the password that can be reset if you forget it? Great idea.

Re:i think i see the problem (-1)

Anonymous Coward | more than 3 years ago | (#36136438)

It doesn't matter.

If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

It doesn't matter if they obviously lying, and anyone who knows anything about what they do can tell that.

Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

You said "do do" huhuhuhuh

Re:i think i see the problem (1)

VortexCortex (1117377) | more than 3 years ago | (#36136756)

Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

It may not cure cancer, but it used to calm the nerves, cure headaches, and put a smile on your face -- well, back when it was laced with cocaine.

Today, the only things it cures is low blood sugar and headaches due to caffeine addiction withdrawals.

It's really too bad, if we had allowed pharmaceuticals to stay in colas perhaps their massive global revenue reserves would have been available to advance cancer research and discover a cure; Thus, drinking coke would cure cancer.

P.S. To all against legalizing recreational drugs: I expect you to be pushing for the outlawing of caffeine and alcohol or shutting the hell up.

Re:i think i see the problem (1)

Junta (36770) | more than 3 years ago | (#36136374)

I'm with you *except* the last line.

I doubt I'll ever trust a service providers storage encryption rather than applying a local, independent layer of encryption they can't circumvent, *however*, it isn't entirely unreasonable to believe a cloud solution could include meaningful encryption that would preclude even their administrators from access, *even* in the dropbox case with files being shared. Granted, doing so and doing it conveniently means they probably have an exposure (I wager that the client software submits the password to server for authentication and therefore a modified server could capture password and use that to decrypt keys, which is the most straightforward thing to expect), but doing it privately is not impossible (e.g. shift auth to send down a prospective client the private key, protected by passpharse encryption, and the ability to answer a challenge serving as proof of password with the server retaining nor ever receiving at any time neither password or the key in the clear).

All that said, I'll continue to use local GPG keys on any data I host anyware that I remotely care about. If I need to share, then I'll employ the public keys of those I need to share with. Taking security into your own hands *as well* as any protections offered by the storage provider is always your best bet.

Re:i think i see the problem (1)

icebraining (1313345) | more than 3 years ago | (#36136682)

I wager that the client software submits the password to server for authentication and therefore a modified server could capture password and use that to decrypt keys, which is the most straightforward thing to expect

Well, the client could send an hash instead; it's what some other services do.

Employees have access? (0)

artor3 (1344997) | more than 3 years ago | (#36136200)

Do they keep the keys in a filing cabinet next to the breakroom? No? Then why is this a big deal?

If they keep enough data on their side to unlock my account if I forget my password, then that's a feature, not a bug. Anything that I want to be secure, I'll encrypt myself. As long as there isn't some horrible bug that allows any employee to go snooping about, I really don't see an issue here.

Re:Employees have access? (3, Insightful)

belthize (990217) | more than 3 years ago | (#36136234)

Which would be fine if they said "Our employees have access to your data through key escrow in the event you forget your passphrase". If what you're storing is random pictures or some such that's quite likely good enough.

Some companies don't want that and give their business to companies that say "Key escrow is your problem, it is physically impossible for our employees to read your data". They tend to pay more for that service.

Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.

Re:Employees have access? (4, Informative)

artor3 (1344997) | more than 3 years ago | (#36136286)

Did they ever say that though? If you RTF complaint, the closest they ever came to making that claim was this line:

"Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)"

I suppose if you tilt your head and squint, that could mean they don't keep a copy of the keys. I read it as the guys on the floor can't log into your account and snoop around.

Re:Employees have access? (1)

Tacvek (948259) | more than 3 years ago | (#36136296)

Except of course that the level of security they claimed was completely implausible, given that you can download arbitrary files from the web interface, meaning the key could at best be encrypted by the password, and they also have a "forgot your password" service, meaning the key could not even be encrypted by your password.

Therefore, at best, they may have a policy that for normal support purposes the keys are off limits, and only the non-encrypted metadata is accessible. But obviously access to the files by their employees is quite possible.

Re:Employees have access? (1)

Ectospheno (724239) | more than 3 years ago | (#36136308)

Wow. You either didn't read the complaint or you are retarded.

We'll have to watch this one (1)

ALeader71 (687693) | more than 3 years ago | (#36136212)

Who knows, this may be a case of "lier lier" like the phantom tracking software story from last month.

Samsung Laptop Keylogger [tinyurl.com]

Re:We'll have to watch this one (0)

Anonymous Coward | more than 3 years ago | (#36136246)

That's "liar liar", retard.

I closed my dropbox account. (2)

mustard5 (962587) | more than 3 years ago | (#36136224)

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update, without any significant notice to me that they had done so. At the time I considered this extremely rude behaviour on the part of the company. I am glad they are getting some bad press, as there are much better alternatives out there that could do with some business. Wuala, for example, is the alternative I chose. It encrypts everything on the client side before its uploaded. I don't think it's acceptable for dropbox to lie about security of my data, nor is it acceptable for them to make alterations to my configuration files without first asking me.

Re:I closed my dropbox account. (1)

Ash-Fox (726320) | more than 3 years ago | (#36136458)

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

Re:I closed my dropbox account. (0)

Anonymous Coward | more than 3 years ago | (#36136530)

A rpm or deb package could do that at installation or upgrade

Re:I closed my dropbox account. (0)

Anonymous Coward | more than 3 years ago | (#36136546)

The package manager has root.

Re:I closed my dropbox account. (2)

mustard5 (962587) | more than 3 years ago | (#36136598)

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

The package manager has root.

Re:I closed my dropbox account. (1)

mustard5 (962587) | more than 3 years ago | (#36136626)

I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

How is that even possible when it doesn't run as root?

Please refer to this Dropbox forum thread, regarding alterations made to /etc/fstab http://forums.dropbox.com/topic.php?id=29809 [dropbox.com]

Re:I closed my dropbox account. (1)

LoudNoiseElitist (1016584) | more than 3 years ago | (#36136622)

Wuala is making the same claims that Dropbox made. How do we know they aren't lying? In addition, 1gb of space for free unless I "trade space on my drive" (i.e. my bandwidth) or pay. I'll pass and stick to my 10gb for free, even if I do have to encrypt it myself. It's not like I'm dumb enough to upload sensitive documents to the cloud in the first place. Did they lie? Sure, although I think it was more just bad wording, and they fixed it when it was brought up. Is it still a badass service? Yes, and it's still kicking the shit out of other similar services. Also, lock your system down a bit more. Quit running things as root.

Re:I closed my dropbox account. (1)

mustard5 (962587) | more than 3 years ago | (#36136676)

Actually if you get a referral from a current user of Wuala you get an extra 1GB for free. The trading of space is an innovative feature for two reasons. 1. It uses distributed storage 2. You can get more online space for free Do you share bandwidth when you use a torrent? It's the same concept. I can say from personal experience that the bandwidth used is minimal.

Re:I closed my dropbox account. (1)

LoudNoiseElitist (1016584) | more than 3 years ago | (#36136712)

Right, but I'm not continually sharing that torrent bandwidth forever. With most major ISPs in the US switching to bandwidth caps, that's not something I want to deal with. Ideally, I'd end up rolling my own solution, but for now, Dropbox works fine.

More reason to build your own (3, Interesting)

fak3r (917687) | more than 3 years ago | (#36136274)

I hope this makes more people consider running their own system to handle this, lipsync is trying to provide that, it's on github https://github.com/philcryer/lipsync [github.com]

Re:More reason to build your own (0)

Anonymous Coward | more than 3 years ago | (#36136782)

Looks like a cool project, do you plan on integrating anything to do with encrypted file systems?

Spideroak is a good alternative (1, Informative)

akamad (1308139) | more than 3 years ago | (#36136278)

Spideroak is a better choice. All data is encrypted on the client side and sent to the server. The Spideroak servers do not store your passphrase, thus it is impossible for them to access your data . The obvious downside is you can't afford to forget your password as you cannot reset it.

Re:Spideroak is a good alternative (5, Informative)

SlightOverdose (689181) | more than 3 years ago | (#36136508)

SpiderOak has some serious security issues of its own.

1. The desktop client allows you to change the password without entering the old one. This means that if somebody steals your laptop, they can lock you out of your own account. Permanently.

2. I forgot my password on an account, and emailed support requesting an account reset. They happily complied without verifying in any way, shape, or form that I was the owner of the account. I didn't even send this request from the same email account that was attached to the account.

Major issues like this make me think their understanding of security is not as rock solid a they think it is, and makes me question how good their encryption is.

The desktop software is also woefully bad to the point of being unusable, their service is slow (at least from Australia), and their "Sync" support doesn't work particularly well.

Naive (0)

Anonymous Coward | more than 3 years ago | (#36136280)

I call naive anyone who trusts just-anybody with his valuables.

I make sure that I encrypt my sensitive data that I store in dropbox since day one.

I don't expect everyone to be able to do this, but surely people that are IT-literate enough to read slashdot know how to do this easily. So I would suggest to stop moaning and be proactive when it comes to your safety/security.

Spideroak lies as well (1)

gweihir (88907) | more than 3 years ago | (#36136328)

Quote: "SpiderOak was designed and implemented by Engineers with a background in fault tolerant systems with a margin of error of 0.0000%." This is either a bald-faced lie, or the background of those "Engineers" is that they failed the statistics exam.

Also the complaint is based on a lie (1)

Anonymous Coward | more than 3 years ago | (#36136398)

The advantage of Dropbox is that is the only service to sync files on the cloud that is multi-platform, the competition is Windows, or MacOSX. No one is Linux, windows, MacOSX, Android and IOS at the same time as Dropbox.
In my particular use I do not need security, but I have to access to my data in very different environments.

My vision is that security in the cloud is an oxymoron.....

Re:Also the complaint is based on a lie (1)

mysidia (191772) | more than 3 years ago | (#36136574)

The advantage of Dropbox is that is the only service to sync files on the cloud that is multi-platform, the competition is Windows, or MacOSX.

That advantage exists, because the competition did not have resources to devote to multiplatform development. Perhaps they were devoting those resources towards developing the cryptosystem that would meet the standards advertised by Dropbox, instead?

Provide your own encryption! (0)

Anonymous Coward | more than 3 years ago | (#36136494)

I don't get why people complain about the obvious security risks, when if they are concerned they can just do the encryption work with true-crypt themselves. Why would anyone who is concerned about security on the cloud not take the encryption into their own hands?

Alternatives? (0)

Anonymous Coward | more than 3 years ago | (#36136544)

Ok maybe I'm just lazy but I've looked at box.net, jungledisk, spideroak etc. and I have yet to find an online share/sync program that gives me folder-level access control. I have a shmozzle of road warriors to support and dropbox has been a godsend except for the frickin lack of access controls and most importantly complete lack of admin control over sending out join invites. One of our guys joined his girlfriend's laptop to the pool to get access to some files when his laptop died; I didnt even notice the new person until a few months later, and all the while she's been syncing all the updated field reports, financials etc. I mean, WHAT THE HELL DROPBOX?!? Is a "creator" user account really so hard to fathom?

If someone can point me in the direction of a competitor that has these simple but security critical features, I am there tomorrow.

Re:Alternatives? (0)

Anonymous Coward | more than 3 years ago | (#36136670)

I hate to say it, but Sharepoint works wonders for this type of stuff, except you need office enterprise/groove to do sync. Office 365 may include something along this line when it's final.

Not really a surprise here. (1)

KevC1973 (2160614) | more than 3 years ago | (#36136754)

It's taken this long for a PHD and highly regarded security person from the FTC to figure this out? I knew this two years ago when I spent a few minutes reading the Dropbox featureset and noticed that you could share files with other users. Point-blank, this was a sure sign that they had encryption keys. The only surprise here was that people actually take Soghoian's complaint in high regard because of his PHD and that he was the FTC's first real cyber-ninja. I say they (the FTC) need to raise the bar on their hiring standards if this is the best they have. Oh yeah, I don't agree with what Dropbox is doing, but hey if you want security you need to look to business grade services and not the consumer level crap. http://www.silicon-vision.com/wp/why-the-ftc-need-to-raise-the-bar-on-their-hiring-standards/ [silicon-vision.com] kc/
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?