
Dropbox Pursues Business Accounts, But Falls Short On Privacy Laws

timothy posted more than 2 years ago | from the your-privacy-is-very-important-to-us dept.

Cloud 122

deadeyefred writes "Dropbox last month launched its Teams service, targeted at small and mid-sized businesses — but acknowledges it's not PCI-, HIPAA- or Sarbanes-Oxley compliant. Company executives say they also don't provide a highly visible warning largely because customers in beta tests didn't make it an issue. Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"


122 comments


Doesn't matter (2)

hedwards (940851) | more than 2 years ago | (#37961584)

Yes, businesses that need PCI, HIPAA or SarbOx compliance ought to be directly asking, that's no excuse for not posting it in a prominent place.

I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody else's file.

Re:Doesn't matter (1)

gg1 (1921860) | more than 2 years ago | (#37961636)

Just encrypt sensitive files before sending, then they will never have a match.

Re:Doesn't matter (2)

Sancho (17056) | more than 2 years ago | (#37961666)

So you're advocating not being compliant?

Payment card data is still payment card data, even if it's encrypted. Ask any QSA. If it's at rest on a machine, there are certain requirements for that machine which encryption does not (solely) satisfy.

Re:Doesn't matter (1)

zoloto (586738) | more than 2 years ago | (#37961754)

care to elaborate?

Re:Doesn't matter (4, Informative)

Sancho (17056) | more than 2 years ago | (#37961806)

It's all in the PCI DSS, which you can find via Google. Generally speaking, you have to isolate the machine on which the encrypted data is stored. I believe the requirements still call for the machine to be behind a NAT firewall, to be accessed with two-factor authentication, and for passwords to adhere to certain requirements as well as be changed every 90 days. The entire system has to be documented including network diagrams (that you probably won't have from Dropbox--I doubt that a giant cloud would be sufficient, but I could be wrong.)

Re:Doesn't matter (1)

Anonymous Brave Guy (457657) | more than 2 years ago | (#37962364)

All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security. Leaving aside that some of the standard security policies are dubious anyway, if businesses really complied with the level of control you mentioned... well, most small businesses simply can't (in the sense that either they literally can't or they couldn't operate in any commercially viable way under such constraints).

Given that the constraints on taking card payments in person in a store are vastly easier to game, and that nothing in PCI-DSS is going to stop a fraudster setting up a fake shop and taking whatever card details his "customers" volunteer, and that contrary to what the doom-sayers keep telling us most on-line businesses don't really handle a bazillion times the number of transactions of off-line businesses anyway, the overkill for small companies that want to trade on-line is crazy.

Re:Doesn't matter (1)

Anonymous Coward | more than 2 years ago | (#37962436)

Of course PCI-DSS is about covering your ass legally. That's the entire point, to legally cover your ass by being compliant with the standards set by the payment card industry. If you're not compliant and something goes wrong, get ready for some huge lawsuits. If you are compliant, get ready for some minor penalties.

PCI-DSS compliance for a small company using a payment gateway is very simple - on the order of not storing any credit card data except the responses from the payment gateway you use. You don't even need encryption because you don't even need to transport the credit card data.

Re:Doesn't matter (0)

Anonymous Coward | more than 2 years ago | (#37963374)

No kidding. Legal ass-covering is important.

For anyone who was wondering, Dropbox is also not FERPA compliant... which ought to scare the shit out of every legal counsel anywhere near a university right now, since tenured faculty tend to insist on adding new software to their desktop without paying a bit of attention to the ramifications of what they're doing.

I can't decide if it's more of an "ooh what's this button do" thing a la Dexter/DeeDee, or a "but I want my new toy" 4-year-old thing.

Re:Doesn't matter (1)

Anonymous Brave Guy (457657) | more than 2 years ago | (#37963512)

If you're not compliant and something goes wrong, get ready for some huge lawsuits. If you are compliant, get ready for some minor penalties.

And if the card industry were responsible for writing the laws, that might be true. Fortunately, even they aren't yet granted the power to legislate. In my country (England), if you screw up and leak the data, no amount of protesting that you were PCI compliant is going to get you off the hook. Moreover, if you suffer from credit card fraud, no amount of complaining to the card companies about how you followed their recommended procedures is going to force them to pay you back when they point at the small print that makes it your problem anyway.

Basically, PCI-DSS is such a poor proposition in terms of benefits that it's no surprise many small businesses make no attempt to bother complying. Sure, if they find out you aren't compliant then your business is toast, but the reality is that if they have found out then you were probably already toast because of whatever brought it to their attention anyway.

This isn't to say that businesses shouldn't provide good security, of course, and in doing so many would be most of the way to PCI-DSS compliance anyway and the extra audits etc. aren't the end of the world. We are planning this sort of system for one of my companies right now, not only because of the legal requirements in our jurisdiction but because it's simply the responsible thing to do and the right way to treat customers. I'm just observing that the card industry offer us little or nothing of real value in return for complying with PCI-DSS, which is hardly the way to encourage less responsible (or simply less technically knowledgeable) management to do the right thing.

Actually pci does make a difference (1)

OeLeWaPpErKe (412765) | more than 2 years ago | (#37963982)

Actually, while PCI-DSS may not be law, it's so deeply ingrained in the industry that it might as well be. I mean as far as international law exists, PCI-DSS holds the distinction of actually being adhered to outside of the US. Hell, even Iran's government follows this system.

if you screw up and leak the data, no amount of protesting that you were PCI compliant is going to get you off the hook.

The law, unless I'm very mistaken, simply requires that you implement "reasonable" security measures and register with the authorities. I believe there's also a requirement that you tell the police as soon as you find out that something's happened. Other than that, there's no legal requirement. However, the state is never going to reimburse damages to you, so really, this hardly matters at all.

Where PCI-DSS gets you off the hook is with insurance companies. If you accept payments, and you screw up while adhering to PCI-DSS, they will cover most of your losses. One of the ways to screw up within PCI-DSS is to have 2 saboteurs cooperating inside your organisation, which has happened.

Here's the big difference : if you screw up and lose other people's credit card numbers, there's 2 options :
1) you did not implement PCI-DSS : you will get sued and you're responsible for all damage done with the stolen credit cards. This can, obviously, be a lot.
2) you did implement PCI-DSS : you will not get money for fraudulent transactions. VISA or the issuing bank assumes responsibility for further fraudulent transactions made on other sites.

In both cases you're "fucked" in that you lose money (which is a good thing imho, after all, you screwed up), but if you implement PCI-DSS you're significantly less screwed.

Also, in many places (the US being one of the major exceptions) the banks will simply refuse to accept transactions from any non-PCI-compliant source. Anyone who's attempted to implement payments on a website will (should) know this.

What bothers most people about this system is that there is no way to get a definitive answer on a transaction, either for a card holder or a business, given that you don't know whether it's fraudulent or not. The banks, PayPal, credit card processors, even ATM centrals may give you the "OK" on a transaction, and register it, and *still* refuse to pay you the money afterwards, claiming fraudulent use of the card. There's no way to protect yourself 100% against this. It is a very American system : it protects the innocent, but not 100%. You can be fucked even in the case where you did not (knowingly) do anything wrong, and where it was not a case of negligence either. On average it works really well, but in the almost-never-happens cases there is no clear procedure to follow and there are lots of uncertainties.

Re:Doesn't matter (2, Informative)

Sancho (17056) | more than 2 years ago | (#37962454)

All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security

For the merchant, it's primarily about legal ass-covering. The merchant doesn't care about his customer's credit cards. Why should he? He cares much more that a fake card isn't used in his shop. Because the merchant doesn't care about the customer's credit cards, the payment card industry has to make them care by imposing regulations and penalties.

It forces small companies to buy products which do most of that for them. It's a cost of doing business. There's an entire industry of payment processors (think Paypal) that a small web merchant could use to avoid ever having credit cards touch their systems. The processors take a percentage (much like the bank) and the merchant raises the cost of their products accordingly.

some of the standard security policies are dubious anyway,

Absolutely. You'll get no argument from me. But most of them are good security practices that most businesses wouldn't even know are good practices. They absolutely should be doing them if they're going to store my credit card information.

PCI compliance (1)

King_TJ (85913) | more than 2 years ago | (#37962540)

The thing with PCI compliance is, some of the businesses having to wrestle with it AREN'T storing the credit card information in any way, shape or form on their systems. If they use a web based card processor and don't ever keep any paper copies of anything with the card info printed on it, I fail to see why it's much of an issue for them to comply with PCI regulations at all? The ways the card info might get compromised from their side of the equation, at that point, come down to things like a 3rd party intercepting the data (say, with a key-logger they installed on the PC they sign into the web to enter the cards on?), or employees stealing the info they're entrusted with when they accept a customer's card in the first place.

Yet as I understand it, they still DO have to maintain a certain class of PCI compliance in these scenarios. Seems like it really is there just to serve as a threat, hanging over their heads.

Re:PCI compliance (1)

Kalriath (849904) | more than 2 years ago | (#37963908)

Correct. If you don't process the card yourself (instead running it via a third party processor and you never see the card number) you qualify for the lowest level of compliance. That level of compliance is basically "don't do stupid shit". Hell, I don't even have to fill in the SAQ-A.

Re:Doesn't matter (1)

Anonymous Brave Guy (457657) | more than 2 years ago | (#37963468)

It forces small companies to buy products which do most of that for them. It's a cost of doing business.

The trouble is (and I'm writing this as a guy who runs small companies, some of which need to do card processing) that most of those services suck. They are expensive, of course, but worse than that, they are horribly limited in what functionality they offer compared to a direct integration with a payment gateway. Moreover, as I mentioned in another post, they tend to come with contracts so one-sided they actually make dealing directly with the banks an appealing prospect. If you're responsible for a small business and you care even slightly about running it in a professional manner and complying with actual legal requirements (not just whatever the card industry want you to do, but what the law requires) then it's difficult to use those services even in the US where most of them are based, and next to impossible in many places with more stringent rules.

Re:Doesn't matter (2)

deroby (568773) | more than 2 years ago | (#37961690)

Care to explain how that would be ?

AFAIK a hash is just a (smallish) number calculated on a (largish) set of data. By sheer definition a single hash will match multiple distinct sets.
How does encrypting a data-set affect the possibility of match with a different set ?

Re:Doesn't matter (1)

hedwards (940851) | more than 2 years ago | (#37962044)

Exactly, I can encrypt my data, but all that means is that if there is a match, which is definitely possible, I end up losing the entire volume rather than just a portion of it. Neither possibility is acceptable for a service of this type. The likelihood increases substantially when you start matching everybody's blocks to everybody else's blocks. It's unlikely that you'd have two such blocks within a particular customer's data, but when you deal with all the customers' data...

Re:Doesn't matter (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37962350)

Encryption isn't going to change the fact that there are fewer hashes available than there are inputs; but it might actually reduce the chances of a collision in practice...

Since most users are uninterested in storing random length-n chunks, but are interested in storing office documents and pictures and things, the expected set of inputs will probably be pretty strongly skewed in the direction of slightly-shorter-than-n-chunks with boilerplate file format required headers and/or footers. If your files are properly encrypted, they presumably won't have the same skew...(If true, of course, this would mean that collisions in general are more likely than a simple input length vs. hash length comparison would suggest.)

Re:Doesn't matter (0)

Anonymous Coward | more than 2 years ago | (#37962476)

Encrypting the data will NOT reduce the chances of a collision.
A single changed bit will dramatically alter the output of a decent hash function. Common file format headers will make no difference.

Re:Doesn't matter (1)

jbolden (176878) | more than 2 years ago | (#37962614)

A Dropbox hash is about 256 bits. There are ballpark about as many Dropbox hashes as there are atoms in the universe. You are unlikely to hit one by chance.

Re:Doesn't matter (0)

Anonymous Coward | more than 2 years ago | (#37962928)

A Dropbox hash is about 256 bits. There are ballpark about as many Dropbox hashes as there are atoms in the universe.

There are also (presumably) as many dropbox hashes as there are different possible 32-byte files. That 33 byte file will match one of those (as well as a 31 byte file, 12921912421 byte file, etc). If it's a good evenly distributed hash, then it may very well be that your file will probably not match someone else's file, and building a complete rainbow table to collide intentionally would be impossible. If the hash clumps, though, all bets are off.

Re:Doesn't matter (1)

blueg3 (192743) | more than 2 years ago | (#37963044)

Oh, sure, there are tons of theoretical collisions. But nobody will generate even a tiny fraction of those possible 32-byte files, so the practical risk of collision is near zero.

It's SHA-256, so it's well-distributed.

Re:Doesn't matter (1)

M0j0_j0j0 (1250800) | more than 2 years ago | (#37961930)

wrong!

Re:Doesn't matter (0)

Anonymous Coward | more than 2 years ago | (#37962160)

!exhaustive

Re:Doesn't matter (1)

s_javinder (2501570) | more than 2 years ago | (#37962478)

i dont trust them

Re:Doesn't matter (1)

Anonymous Coward | more than 2 years ago | (#37963924)

I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody else's file.

Trust me, you have better things to be worried about than hash collisions on Dropbox. :)

Based on my quick research, Dropbox uses the SHA-256 algorithm with 4 Mbyte chunks. Let's assume for the sake of argument that the total amount of data Dropbox stores for its users is (pinky finger!) 1 million terabytes of data.

That would mean there are 262,144,000,000 chunks. A SHA-256 hash is 256 bits long.

Applying the Birthday Paradox, the probability of a collision is thus:

P = 1-EXP((-(262144000000^2))/(2*(2^256)))

That evaluates to a 0.00000000000000000000000000000000000000000000000000002967% probability of even just one collision existing in the entire data set. Put another way, there is a 1 in 3.369 million trillion trillion trillion trillion chance of there being a collision.

Put another way... I'd say it's slightly more likely that Zeus is going to appear before you tomorrow to anally rape you with his lightning bolt before destroying the Earth.

You can take a trip to Wolfram Alpha [wolframalpha.com] to verify my math.
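As an added worked example (my own code, not part of the comment above or of anything Dropbox publishes), the Python script below redoes the birthday-bound arithmetic under the same assumptions: SHA-256, 4 MiB chunks, and 1 million terabytes read as 10^6 x 2^40 bytes, which is the interpretation under which the comment's figure of 262,144,000,000 chunks comes out exactly. It also shows two things the calculator step hides. First, the textbook form 1 - exp(-x) evaluates to exactly 0.0 in IEEE double precision for an x this small, so anyone checking the comment's number in a quick script will wrongly conclude the probability is zero unless they use expm1. Second, it inverts the bound to give the number of chunks at which the collision probability actually reaches 50%. The closing SHA-256 section, run on a constructed sample chunk, illustrates the point raised earlier in the thread that flipping one bit yields an unrelated digest, while an identical chunk yields an identical digest (which is what content-addressed deduplication relies on). Function names, constants and the sample bytes are mine.

```python
import hashlib
import math

# Assumptions taken from the comment above: 4 MiB chunks, SHA-256 digests.
CHUNK_BYTES = 4 * 2**20
HASH_BITS = 256

# "1 million terabytes", read as 10^6 TiB; this reproduces the comment's chunk count.
TOTAL_BYTES = 10**6 * 2**40


def chunk_count(total_bytes, chunk_bytes=CHUNK_BYTES):
    """Number of fixed-size chunks needed to hold total_bytes (ceiling division)."""
    return -(-total_bytes // chunk_bytes)


def collision_probability(n, bits=HASH_BITS):
    """Birthday-bound estimate of P(at least one collision) among n values drawn
    uniformly from 2**bits possibilities: 1 - exp(-n^2 / (2 * 2^bits)).
    The exponent is formed from exact Python ints and rounded once; expm1
    keeps the result from collapsing to 0.0 when x is far below 1e-16."""
    x = (n * n) / (2 * 2**bits)
    return -math.expm1(-x)


def naive_collision_probability(n, bits=HASH_BITS):
    """Same formula typed literally. exp(-x) rounds to 1.0 for tiny x, so the
    subtraction returns exactly 0.0: a numerically wrong answer, kept here as
    the pitfall to compare against."""
    x = (n * n) / (2 * 2**bits)
    return 1 - math.exp(-x)


def items_for_probability(p, bits=HASH_BITS):
    """Invert the bound: how many values until P(collision) reaches p.
    n = sqrt(-2 * ln(1 - p) * 2^bits); for p = 0.5 this is about 1.18 * 2^(bits/2)."""
    return math.sqrt(-2.0 * math.log(1.0 - p) * 2.0**bits)


def chunk_digest(chunk: bytes) -> str:
    """Content hash of one chunk, the key a dedup store would index by."""
    return hashlib.sha256(chunk).hexdigest()


def digest_hamming_distance(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two hex digests of equal length."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


# Constructed sample data (not real user content): 16 KiB of a repeating byte ramp,
# plus a copy with a single bit flipped in the middle.
SAMPLE_CHUNK = bytes(range(256)) * 64
_flipped = bytearray(SAMPLE_CHUNK)
_flipped[1000] ^= 0x01
FLIPPED_CHUNK = bytes(_flipped)


if __name__ == "__main__":
    n = chunk_count(TOTAL_BYTES)
    print(f"chunks stored:                 {n:,}")
    print(f"P(collision), stable (expm1):  {collision_probability(n):.4e}")
    print(f"P(collision), naive 1-exp(-x): {naive_collision_probability(n)}")
    print(f"chunks for 50% collision odds: {items_for_probability(0.5):.3e}")

    h_orig = chunk_digest(SAMPLE_CHUNK)
    h_same = chunk_digest(bytes(SAMPLE_CHUNK))   # identical content, identical key
    h_flip = chunk_digest(FLIPPED_CHUNK)
    print(f"identical chunk dedups:        {h_orig == h_same}")
    print(f"one-bit flip changes digest:   {h_orig != h_flip}")
    print(f"bits differing after flip:     {digest_hamming_distance(h_orig, h_flip)} of {HASH_BITS}")
```

Run it directly to see the figures; the stable estimate comes out near 2.97e-55, matching the comment, while the naive line prints 0.0. The 50% threshold lands around 4e38 chunks, roughly 2^128 times more than the 2.6e11 chunks assumed here, which is another way of seeing why accidental SHA-256 collisions are not the realistic threat in a content-addressed store.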

Re:Doesn't matter (0)

Anonymous Coward | more than 2 years ago | (#37964150)

HIPAA is a farce. Any government agency can go in under the guise of being a matter of national security or intelligence activities and access anybody's medical information with the patient never knowing it happened. The only difference is they can go directly to Dropbox instead of the healthcare provider to get what they want.

Call me old fashioned (2, Insightful)

Dunbal (464142) | more than 2 years ago | (#37961620)

But with computers and storage being relatively cheap, and with internet access being ubiquitous, why exactly should I trust a 3rd party with my data anyway?

Re:Call me old fashioned (1)

Anonymous Coward | more than 2 years ago | (#37961638)

Because when your (small or home) office burns down along with your storage (and, your offsite storage also destroyed because of the earthquake that started the fire that burned down your office), it'd be nice to have your data backed up in the cloud somewhere.

That said, if they're not PCI compliant, there's no fucking way I'm trusting them with my credit card details.

Re:Call me old fashioned (0)

Anonymous Coward | more than 2 years ago | (#37962466)

You said "cloud". That nullifies any point you made. ;)

Re:Call me old fashioned (1)

Oligonicella (659917) | more than 2 years ago | (#37962562)

Seriously? My small home/office burns, destroying my data there (along with every friggin' thing I use to work). My offsite storage (which is presumed to be in the same locale) is destroyed because the instigating incident to my data loss is a fucking earthquake....

And you think somehow, that I will give a shit about my data.

Pal, I'm going to be worrying about sleeping, eating and whether everyone I know is dead. Your scenario merely indicates the reach you have to use to "justify" the cloud.

Re:Call me old fashioned (1)

afabbro (33948) | more than 2 years ago | (#37962710)

Seriously?

Yes. And quit being an ass and think a minute.

My small home/office burns, destroying my data there (along with every friggin' thing I use to work). My offsite storage (which is presumed to be in the same locale) is destroyed because the instigating incident to my data loss is a fucking earthquake....And you think somehow, that I will give a shit about my data. Pal, I'm going to be worrying about sleeping, eating and whether everyone I know is dead.

Sure, for the first month. But what happens a year later when you're audited by the IRS and want a copy of your tax returns, or twenty years later when you want to show some pictures to your grandchildren? Yes, there are more important things than your data - the well-being of those you care about, your own personal shelter, income, and survival, etc. But that doesn't mean your data is unimportant.

Your scenario merely indicates the reach you have to use to "justify" the cloud.

Did the cloud rape your grandmother or something? It's not like there is a galactic mandate that you have to use it. So why are you so pissed off?

Re:Call me old fashioned (1)

raydobbs (99133) | more than 2 years ago | (#37962978)

Odds are, if there is a disaster large enough to wipe out your office, all of your storage, all of your backups, all of the off-site backups and defeat all of your CBO plans - you're out of business. Time to call the insurance agent, notify any surviving employees, set up a mailing for your remaining clients, and see what you might be able to salvage. The IRS doesn't generally bust asses of people who have survived massive disasters like that... but if they do, they can talk to your accountant and insurance agent (you -do- have an accountant who keeps a duplicate of your records, right?).

Putting your confidential information into the hands of some almighty 'cloud' is really irresponsible; especially if that provider has a track record of handling that data in an irresponsible fashion.

Re:Call me old fashioned (1)

turbidostato (878842) | more than 2 years ago | (#37962782)

"Seriously?"

Yes.

"And you think somehow, that I will give a shit about my data."

Yes. It was at 4AM and it was just a big damn fire, so nobody is injured. The first week is a nightmare, yes, but then, you recall your insurance and hire a new office and then, what? Where's your customers data, your financial records... your everything?

Small businesses tend to undervalue how dependent they are on their data (except for the from-time-to-time cry for help from somebody "please, how can I recover my hard disk? If I can't do it, I'll have to close my business -no, I don't have any backup, of course").

Re:Call me old fashioned (2)

assantisz (881107) | more than 2 years ago | (#37961658)

Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There are maintenance fees and labor costs. It can be a lot cheaper to outsource these things.

Re:Call me old fashioned (2)

MatthiasF (1853064) | more than 2 years ago | (#37961834)

Cheaper in the short run or long run?

Are you factoring in legal costs from your employees suing you for having personal information spread across the Internet?

Or possible damage to business revenue from your company's work falling into competitor's hands?

Or almost complete loss of business when the Internet goes out?

Methinks an entire culture inside of certain IT Departments is not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

Re:Call me old fashioned (2)

black6host (469985) | more than 2 years ago | (#37962048)

Methinks an entire culture inside of certain IT Departments is not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

Or, perhaps more likely, the scenario is: "We need this, without it we're left wide open." Management response: "It's not in the budget and what are the chances.....?"

I've been there....

Re:Call me old fashioned (1)

hedwards (940851) | more than 2 years ago | (#37962062)

Except that most of the time when data is stored it's not been through the cloud, it's because a laptop has been lost, or there was a burglary. The cloud isn't really any substantial increase in risk, if you encrypt the data before it's stored on the cloud and go through the appropriate measures to ensure that the keys are protected from unauthorized use.

Re:Call me old fashioned (1)

0123456 (636235) | more than 2 years ago | (#37962338)

The cloud isn't really any substantial increase in risk, if you encrypt the data before it's stored on the cloud and go through the appropriate measures to ensure that the keys are protected from unauthorized use.

Let's suppose you upload personal data to 'The Cloud' and 'The Cloud' just happens to turn out to be a server in the EU. Suddenly you risk violating the EU data protection laws if you access that data.

Re:Call me old fashioned (0)

Anonymous Coward | more than 2 years ago | (#37964102)

Interesting that you see this as a risk. In the EU we tend to think the lack of adequate privacy protection in the US is a risk.

Re:Call me old fashioned (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37962376)

At least in my limited experience, the set of people who will happily put sensitive information on Dropbox because it is simple and easy and the set of people who are implementing appropriate encryption and access control measures do not overlap very much...

Re:Call me old fashioned (1)

zippthorne (748122) | more than 2 years ago | (#37963176)

Unfortunately, however, both groups intersect the set of people who have access to sensitive information.....

Re:Call me old fashioned (2)

Anonymous Brave Guy (457657) | more than 2 years ago | (#37962442)

Cheaper in the short run or long run?

It's not about long term vs. short term, it's about scale.

Organising IT infrastructure always incurs some level of overhead, but you can see great economies of scale when you reach a certain size. On the other hand, at a very small scale, you still need to deal with at least the basics, and that still requires a certain level of expertise and incurs a certain drain on your staff's time.

I'm not a huge fan of outsourcing IT infrastructure. I think a lot of services you can outsource to tend to do 75% of the job for 50% of the cost, but you need at least 95% of the job before it's worth anything at all.

Moreover, a lot of them have terms and conditions so one-sided I would describe them as abusive. For example, as far as I could tell without paying my lawyer real money, one prominent back-up service we looked at offers all sorts of ways to retrieve your data under normal circumstances, but they can decide to shut down their service without notice. In the event that they do so, they only guarantee to provide 72 hours' download time via the Internet to get any data you need back. That isn't even close to enough to download the volume of data their plans suggest they want you to trust them with, even assuming you can hold a solid connection to their servers at a time when your systems have crashed enough that you need to retrieve a back-up and every customer they've ever had is hitting their network at the same time. Many of the on-line billing services that are trendy right now have contracts you'd be crazy to sign, providing basically no guarantees of anything, while effectively locking your entire ability to take money from customers into their systems.

That all said, given adequate security safeguards and binding robustness/reliability guarantees, I don't see a problem with off-site backups to third party services, and there are clear advantages to having that happen automatically on a regular schedule rather than relying on one of your staff to run a manual process and physically transport media to some off-site location (which you still need to find, trust, and potentially pay for, just like the on-line back-up services).

Re:Call me old fashioned (0)

Anonymous Coward | more than 2 years ago | (#37964500)

Methinks an entire culture inside of certain IT Departments is not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

Your perspective is wrong. Doing anything other than what your boss tells you to, and making your own life easier against their whim *is* risk aversion. Confrontation (and even principled disagreement) with your boss is risky.

Re:Call me old fashioned (1)

teg (97890) | more than 2 years ago | (#37964302)

Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There are maintenance fees and labor costs. It can be a lot cheaper to outsource these things.

Also, a lot less risky. Small outfits are far more likely to do things wrong, not keep things updated and are certainly not doing sophisticated intrusion detection, network monitoring etc.

Most small companies thinking that e.g. Google Apps is a security risk run a much higher risk if they do it all themselves.

Re:Call me old fashioned (0)

Anonymous Coward | more than 2 years ago | (#37961702)

Yes, that's the question for the home user! I think the business should not even think about this question. Even a small company could afford its own server for the sensitive data. RAID1/RAID10 for redundancy, Bacula for keeping older versions in case of user error, Samba or NFS support for accessing it, OpenVPN for remote connection.

Re:Call me old fashioned (2)

93 Escort Wagon (326346) | more than 2 years ago | (#37961856)

Yes, that's the question for the home user! I think the business should not even think about this question. Even a small company could afford its own server for the sensitive data. RAID1/RAID10 for redundancy, Bacula for keeping older versions in case of user error, Samba or NFS support for accessing it, OpenVPN for remote connection.

You're assuming, then, that "even a small company" should have a full time sysadmin on the payroll. Sounds like that self-hosted setup just got a lot more expensive...

Re:Call me old fashioned (1)

kcbnac (854015) | more than 2 years ago | (#37962398)

Or have the system on-site, and contract with a local IT guy to be part-time admin. (Figure out what regular maintenance is needed, pay him for that - with the option of an hourly rate after that for any 'extra' time needed)

Many small companies work this way - I know several folks that do this kind of work.

Re:Call me old fashioned (0)

Anonymous Coward | more than 2 years ago | (#37962576)

Of course, no need for a full time sysadmin for that kind of setup. But as the previous readers said, the right IT guy would be perfect. And the good thing is that he doesn't have to be a local IT guy to do that work!
I'm actually working for small companies on an hourly basis too and like that job.

Re:Call me old fashioned (2)

siddesu (698447) | more than 2 years ago | (#37961844)

Don't ask slashdot, ask the shareholders.

Re:Call me old fashioned (1)

artor3 (1344997) | more than 2 years ago | (#37962234)

Because you probably don't know what you're doing. Not you, specifically, but the average person who asks that question.

Re:Call me old fashioned (3, Informative)

mark_elf (2009518) | more than 2 years ago | (#37963156)

Some mook I was working for forced a team of ten of us onto dropbox last year because we weren't all in the same office and he couldn't figure out how to FTP. The dropbox advertising seemed very simple and reassuring to him. It makes sharing files easy! It was the right thing. Immediately everyone was walking around saying how they loved dropbox! It has a very simple graphic design people liked, like Apple computers and Google websites (most of the people on the team were "creative"). They even have an iPhone app!

The first thing that happened was some other mook accidentally the entire share because he didn't need all the files, not understanding how the folders are synced. There is no "mook" permission, no permission structure at all. Just in or out.

After that, none of us were shared with "everything" anymore, so it became a completely unmanageable mishmosh of invites. Everyone used different folder structures and ways of naming things, which you have to live with. The dumbest person on the team gets to set the SOP, which is just chaos of course. The only people who liked it were the ones who dumped files on there and didn't have to ever open them again (graphic designers). It tends to fill up your hard drive with stuff that maybe has a 20% chance of being for you. People work to these folders because they are local, not realizing or caring that everyone else has to download all their crap.

So when everyone is in the same room, it nukes the wi-fi completely as everyone tries to sync the same garbage at the same time.

If you do really care about a file, you have to copy it out of the dropbox folder so that someone else doesn't fuck it up. So you have to have two copies of everything. It ends up being a kind of fuzzy FTP anyway, which you have to manage, but is not manageable.

If you understand email and FTP you don't need it. If you don't understand those things, you definitely will not understand dropbox. I learned this when someone kept asking me to just "show her where the files are".

So to answer your question, you should trust them because they make sharing your files easier.

Re:Call me old fashioned (2)

davide marney (231845) | more than 2 years ago | (#37963296)

I believe that this is exactly the kind of scenario that the new "team" version of Dropbox is aimed at fixing.

Re:Call me old fashioned (1)

Richard_at_work (517087) | more than 2 years ago | (#37963888)

No, Dropbox Teams only differs from normal accounts in one real way - shared folders only count once against the team storage. It has no permissions etc.

Oh, and Teams accounts have been available for the past 18 months, they were just recently taken out of (a very silent) beta...

Fixing this silliness (0)

Anonymous Coward | more than 2 years ago | (#37964368)

This silly use of dropbox is easy to fix. Just dump some huge files there every day. Such as a handful of dvd images. Watch their computers do nothing but syncing - syncing - syncing. Do it from some other computer. When there are enough complaints, tell them that dropbox is the problem. You don't suffer because you don't bother with it. "Yeah, it was *easy*, but it kills performance." Then offer them the proper solution, which is a file server. No stupid syncing, and working directly on the server folder is ok. And later you can add backup and such - if necessary.

Re:Call me old fashioned (1)

antdude (79039) | more than 2 years ago | (#37964340)

People are lazy to set them up and rely on others to provide the services.

If people want to use them, then have them encrypt their stuff BEFORE putting on them!

Compliance == Smart Business (3, Insightful)

ohnocitizen (1951674) | more than 2 years ago | (#37961670)

If they are smart they will be compliant, and advertise that highly. How long until a competitor springs up who is compliant? When it comes to business needs, security is rightly a key focus. Not catering to that is ignoring the very market they want to serve.

Re:Compliance == Smart Business (1)

antifoidulus (807088) | more than 2 years ago | (#37961720)

Yeah but since DropBox is essentially just a front end bolted on to Amazon's S3 service, they actually do not have all that much control over the terms of service, if Amazon's is different or they change their terms of service afterward then Dropbox is screwed.

Re:Compliance == Smart Business (1)

LurkerXXX (667952) | more than 2 years ago | (#37963032)

Amazon's S3/AWS services can have apps compatible with HIPAA/PCI if the application writer wants to go through the effort, so yes, they do have that much control.

http://aws.amazon.com/security/ [amazon.com]

http://aws.amazon.com/s3/ [amazon.com]

Re:Compliance == Smart Business (1)

TooMuchToDo (882796) | more than 2 years ago | (#37963282)

It's not cost effective for Dropbox. They break files into 2MB chunks, stored in S3 (and at last count, had between 22-24 billion objects stored). Their efficiency is due to being able to charge several people for storing the collective chunks of data once. If they have to start saving different chunks in different locations to deal with compliance, the whole business model goes to hell.

Re:Compliance == Smart Business (0)

Anonymous Coward | more than 2 years ago | (#37963360)

That's a different question entirely than the one the grandparent brought up saying PCI compliance was out of dropbox's hands because they relied on Amazon's security policies.

Re:Compliance == Smart Business (1)

Alan Shutko (5101) | more than 2 years ago | (#37962042)

I'm going to guess that participating in regular audits alone would cost Dropbox more than $795 per client, making compliance a loss.

Re:Compliance == Smart Business (1)

Ritchie70 (860516) | more than 2 years ago | (#37962340)

I am only tangentially involved with the compliance matters where I work, but it is my general impression that it is not possible for a vendor to say they are PCI-DSS compliant.

They can be part of a PCI-DSS compliant solution but only the entire architecture/solution can be compliant.

I was involved with the design and implementation of our current credit/debit processing solution, and as I recall the primary software vendor was very clear that they were not saying that they were or were not PCI compliant, but merely that it was possible to create a PCI compliant solution involving their product.

mod up (1)

davide marney (231845) | more than 2 years ago | (#37963324)

This is the key point. Compliance is a "systematic solution" -- a process that leverages IT architecture, coding practices, and human behavior to meet a set of standards.

Re:Compliance == Smart Business (1)

KDR_11k (778916) | more than 2 years ago | (#37964096)

To me it sounds like a weakest-link type of deal and Dropbox is a very weak link when it comes to compliance.

Re:Compliance == Smart Business (1)

stephanruby (542433) | more than 2 years ago | (#37962882)

DropBox is pursuing convenience, not compliance.

After all, would you trust them for important data even if they did have those certifications? Hell no! I personally wouldn't. At least, not after what happened a couple of months ago. I don't think I will ever trust them for that kind of security. And I don't think anyone should trust me as a business if I started trusting them for keeping that kind of data.

And in that sense, their recent decision is the right one. They shouldn't pretend they're something they're not. As a business owner, I would still trust them with data I really didn't care about (and fellow geeks, please do not pretend this kind of data doesn't exist, it does even for businesses). Sometimes, I just need the convenience, and I need it quickly. For that, there is nothing better than DropBox (it doesn't happen often, but it does happen).

And when I need something more secure, I just use another solution. For those of you that think that business users are too stupid to know the difference, do not think that disclaimers will actually help stupid users. Disclaimers may change stupid people's behavior in the short term, but then once they become common enough, they become just like background noise and no one pays attention to them anymore.

Re:Compliance == Smart Business (2)

Shoten (260439) | more than 2 years ago | (#37963068)

Actually, no. Being compliant with PCI is tremendously expensive, and I can't imagine many business cases that would give cause for a customer to need it. So it would be incredibly stupid to spend all of that money on PCI compliance for very little return. Furthermore, you're using the word "compliant" like it means "secure," which it absolutely does not. Hannaford was compliant, and still suffered a major breach. As far as they knew, TJX was compliant; they didn't know that many of the products sold to them for POS processing cached the information in the clear, nor could they have. And in terms of other forms of compliance, there's DIACAP in the military, but nonetheless those systems get hacked fairly regularly anyways.

And, given your argument, where do you draw the line? Why stop at PCI, HIPAA, and SOX? Why not include NERC CIP? BASEL II? FIPS? NEI? FISMA? FOIPPA? You seem to think that it's easy or cheap to just "be compliant" with each standard...it is not. It's a massive undertaking, and if you decide you want to be compliant with all of them, guess what? You're basically hamstrung as to your architecture, personnel and business model...and it sure as hell can't be hosted in a cloud by Amazon.

LOL !!! (1)

Weezul (52464) | more than 2 years ago | (#37961684)

There are no cloud storage solutions that provide any measurable degree of security, except perhaps Wuala but even that's funky.

Re:LOL !!! (1)

icebike (68054) | more than 2 years ago | (#37962282)

Depends on what you mean by security.

Granted you have no control over the reliability of the physical plant the cloud operator uses.
But as an offsite backup and transfer mechanism clouds are really quite good.

Services like SpiderOak, https://spideroak.com/ [spideroak.com] where the cloud operator couldn't decrypt your data even with a court order provide as much protection as you can realistically expect when asking someone else to hold your data.

Re:LOL !!! (1)

Weezul (52464) | more than 2 years ago | (#37962844)

I hadn't heard about SpiderOak. They're equivalent to Wuala though, reasonable sounding, but : (a) you should avoid closed source crypto software for anything important, even if you otherwise use a closed source OS like Windows or Mac OS X, and (b) their de-duplication trick might weaken their encryption and lets users verify content exists on your cloud drive, which might leave individuals open to lawsuits from the MafIAA.

SpiderOak looks vulnerable to U.S. NSLs and maybe European subpoenas. Wuala is Swiss. SpiderOak's distributed nature might prevent them from complying silently with either however. I donno.

Re:LOL !!! (1)

icebike (68054) | more than 2 years ago | (#37962938)

SUBPOENA nets them nothing when Spideroak does not have the decryption keys.
The encryption methodology is clearly specified on the website. 2048 bit RSA and 256 bit AES.

The de-duplication is only between your own files, not other people's files.

Re:LOL !!! (1)

Weezul (52464) | more than 2 years ago | (#37962998)

Umm, they could definitely be ordered to roll out a fake update using a national security letter.

It sounds like Spideroak uses better cryptography than Wuala though, that's nice. Are you sure the deduplication is only among your own files? Why would anyone bother implementing deduplication for individuals? Or do you mean it does some version packing? If that's true, that's noticeably better than Wuala though. Thanks!

Btw, there is a pure open source system called Tahoe-LAFS that's kinda overkill for most people, but does basically everything you'd want.
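The exchange above turns on whether de-duplication happens across users or only within one account. The following is an added example, not code from any of the posters or from SpiderOak, Wuala or Dropbox. It models the two designs under discussion: a content-derived ("convergent") key, which makes identical files from different users collapse to one stored chunk but also lets anyone who holds a copy of a file confirm that it is already in the store, versus a random per-user key, which gives up cross-user dedup and defeats that probe. The stream cipher (HMAC-SHA256 in counter mode) and the content-addressed store are stand-ins built on the standard library so the example runs offline; the sample document is constructed.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode, used here only as a demo keystream.
    It stands in for a real cipher so the example needs nothing beyond the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic stream encryption: same key + same plaintext -> same ciphertext."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def convergent_key(plaintext: bytes) -> bytes:
    """Key derived from the content itself (convergent encryption). Every holder of
    the same file derives the same key, which is what makes cross-user dedup work."""
    return hashlib.sha256(plaintext).digest()


def chunk_id(ciphertext: bytes) -> str:
    """The handle the storage side dedups on: one stored copy per distinct ciphertext."""
    return hashlib.sha256(ciphertext).hexdigest()


class DedupStore:
    """Minimal content-addressed store; put() reports whether the chunk was new."""

    def __init__(self):
        self.chunks = {}

    def put(self, ciphertext: bytes):
        cid = chunk_id(ciphertext)
        is_new = cid not in self.chunks
        self.chunks.setdefault(cid, ciphertext)
        return cid, is_new

    def has(self, cid: str) -> bool:
        return cid in self.chunks


def confirm_file(store: DedupStore, guessed_plaintext: bytes, key_for) -> bool:
    """Confirmation-of-file probe: encrypt a guessed file exactly as a client would
    and ask the store whether that chunk already exists."""
    ciphertext = encrypt(key_for(guessed_plaintext), guessed_plaintext)
    return store.has(chunk_id(ciphertext))


def demo() -> dict:
    document = b"constructed sample: internal memo, not for distribution"  # constructed

    # Scheme A: convergent keys. Two users holding the same document dedup to one chunk...
    conv = DedupStore()
    _, first_new = conv.put(encrypt(convergent_key(document), document))
    _, second_new = conv.put(encrypt(convergent_key(document), document))
    # ...and a third party who also holds the document can confirm it is stored.
    conv_leaks = confirm_file(conv, document, convergent_key)

    # Scheme B: random per-user keys the provider never sees. No dedup across users,
    # and a probe under the attacker's own key finds nothing.
    rnd = DedupStore()
    alice_key, bob_key, attacker_key = (os.urandom(32) for _ in range(3))
    rnd.put(encrypt(alice_key, document))
    _, bob_new = rnd.put(encrypt(bob_key, document))
    rnd_leaks = confirm_file(rnd, document, lambda _pt: attacker_key)

    return {
        "convergent_dedups_across_users": first_new and not second_new,
        "convergent_confirms_file": conv_leaks,
        "random_key_dedups_across_users": not bob_new,
        "random_key_confirms_file": rnd_leaks,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The trade-off is the whole argument in miniature: the dedup that keeps a provider's storage bill down is exactly the property that lets an outsider test whether a given file is present, which is why a per-account key (dedup only among your own files) closes the probe at the cost of storing the same document once per user.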

Just read the fine print (2)

Alwin Henseler (640539) | more than 2 years ago | (#37961700)

A business should know what it's doing and therefore not assume anything. So it should have people going over the fine print (and of course as provider, put out fine print to read).

But depending on type of agreement & exact conditions, some of that fine print may not even be legally binding. So if it's important enough: consult a lawyer. And consider consequences of privacy breaches, regardless of legal implications.

A warning? (1)

drolli (522659) | more than 2 years ago | (#37961850)

no, they should just not claim to be compliant. there are so many regulations in the world to which you can be compliant that a company who needs to be compliant just needs to *verify* that all services used are as compliant as its needed.

They don't need warnings. (4, Insightful)

flimflammer (956759) | more than 2 years ago | (#37961884)

Companies should assume they are not compliant unless the company tells them they are. I don't think Dropbox should need to put they are not compliant on their webpage, but they should be able to answer questions regarding their compliance if asked by a prospective business client.

Re:They don't need warnings. (1)

Fjandr (66656) | more than 2 years ago | (#37962404)

Exactly. If a business needs them to be compliant, it's a question they are obligated to ask when signing up for the service.

Anyone who needs compliance with one of those standards should be asking, and if you don't ask you should assume they're not.

This isn't rocket science, it's common bloody sense. People who don't have it and then do stupid things as a result deserve exactly what they get.

Just ask (1)

dnewt (2457806) | more than 2 years ago | (#37961980)

If a company requires compliance with certain information security standards, then they should be checking these things prior to signing up. If it's not clear on their website, then a quick question sent to their sales staff should clear it up. If that doesn't clear it up, then I'd be concerned just because I'm not getting decent answers from their sales staff. I tend to contact sales staff and fire a bunch of questions at them anyway, just to get an initial idea of whether their service will be any good. If their sales staff know their stuff, then there's a chance the support staff might too. A good pre-sales experience doesn't necessarily mean post-purchase service will be up to scratch, but if they're poor at answering my pre-sales questions, then that usually means they're crossed off my list.

HIPAA yes... but SARBOX? (1)

sgent (874402) | more than 2 years ago | (#37962020)

This is targeted at small and mid-sized businesses....

SARBOX only applies to publicly traded companies, of which very few in this market are, and even those few will be big enough to have professional IT resources.

Dropped Dropbox (2, Insightful)

Bieeanda (961632) | more than 2 years ago | (#37962028)

Seriously, if a company is going to shrug and blame something like this on a lack of beta tester vigilance, don't bother with them because you can be sure they'll pass the buck on anything that happens to your data too.

Hell, don't deal with this particular outfit, period. I mean, how could people forget them basically turning passwords off for four hours [geek.com] in June?!

Re:Dropped Dropbox (2)

artor3 (1344997) | more than 2 years ago | (#37962250)

They aren't "blaming this on a lack of beta tester vigilance". They're saying that in their beta tests, people didn't particularly care about these compliances, and thus they don't think that their customers will care either. They are being completely open and honest about the level of security they're providing. If it's insufficient for you, don't use their service. But don't say that nobody should use something simply because it doesn't meet your needs.

Re:Dropped Dropbox (1)

adolf (21054) | more than 2 years ago | (#37963142)

*shrug*

I own a small business, and I keep my stuff on Dropbox just because it's an easy way to access it no matter where I'm at, or what computer(s) I happen to have with me.

I keep backups of the stuff I put on Dropbox (using rsync and hard links to be somewhat space-efficient about having multiple generations of them stored locally). Anything which is even slightly sensitive is encrypted.

I could care less if the entire contents of my Dropbox account were published freely, maliciously deleted/massaged, or if the company were to go away tomorrow (except for being a bit bummed about the hassle).

Pro-Tip: If you put sensitive data on Teh Interweb without taking your own steps to properly secure it, you've got nobody to blame but yourself if/when it leaks out somehow...
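The poster keeps generational local backups of the synced folder with rsync and hard links. As an added example (not the poster's own scripts, and written in Python rather than as the rsync invocation so it runs stand-alone), here is the same idea: each snapshot is a full directory tree, but a file that is byte-identical to the previous generation is hard-linked to it rather than copied, so unchanged files cost no extra space while an older version survives when a file is edited or clobbered by a sync. The directory names and sample files are constructed; it uses a temporary directory and cleans up after itself.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def latest_snapshot(backups: Path):
    """Most recent generation, relying on sortable (date-based) snapshot names."""
    snaps = sorted(p for p in backups.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def snapshot(source: Path, backups: Path, name: str) -> Path:
    """Copy source into backups/name. Files identical to the previous generation are
    hard-linked to it (same inode, no extra space); changed or new files are copied.
    This mirrors what rsync's --link-dest option does."""
    previous = latest_snapshot(backups)
    dest = backups / name
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        prior = previous / rel if previous is not None else None
        if prior is not None and prior.is_file() and filecmp.cmp(src_file, prior, shallow=False):
            os.link(prior, target)          # unchanged: share the inode with last generation
        else:
            shutil.copy2(src_file, target)  # new or changed: real copy, old generation untouched
    return dest


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    try:
        synced, backups = root / "Dropbox", root / "backups"   # constructed layout
        synced.mkdir()
        backups.mkdir()
        (synced / "invoice.txt").write_text("invoice v1")      # constructed sample files
        (synced / "notes.txt").write_text("meeting notes")

        gen1 = snapshot(synced, backups, "2011-11-08")
        (synced / "invoice.txt").write_text("invoice v2")      # edited, or clobbered by a sync
        gen2 = snapshot(synced, backups, "2011-11-09")

        return {
            "old_version_preserved": (gen1 / "invoice.txt").read_text() == "invoice v1",
            "new_version_captured": (gen2 / "invoice.txt").read_text() == "invoice v2",
            "unchanged_file_shares_inode": os.stat(gen1 / "notes.txt").st_ino
            == os.stat(gen2 / "notes.txt").st_ino,
            "changed_file_has_own_inode": os.stat(gen1 / "invoice.txt").st_ino
            != os.stat(gen2 / "invoice.txt").st_ino,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The one caveat worth stating: hard links share data, so a snapshot must never be edited in place (that would rewrite every generation that links to the same inode); treat the backup tree as read-only and let the next snapshot create fresh copies of anything that changed.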

clear warnings are needed to cover IT ass (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37962196)

Are they can point out to the VP or other higher ups that NO YOU CAN'T USE IT for your work and point to a clear warning so the VP can take the fall and IT can say there was a clear warning and the VP did not read it and used it anyways.

Non-starter (0)

Anonymous Coward | more than 2 years ago | (#37962480)

No serious business would use Dropbox for security reasons.

Try SparkleShare (1)

SpzToid (869795) | more than 2 years ago | (#37962534)

SparkleShare is a free open-source Dropbox-like GUI for GIT repos. Once setup using passwordless PGP keys, non-technical users see and use SparkleShare exactly as they would DropBox. While under the hood is tried-and-true GIT source code version control. You can even set it up as PCI DSS since it only uses your own infrastructure.

On Ubuntu I also installed Rabbit VCS which gave me a range of right-click GIT options (like check-in, merge, etc.) Seriously, I failed earlier attempts setting up either Bazaar or GIT, whereas trying to get SparkleShare setup I finally succeeded and wow, this is a seriously cool project.

http://sparkleshare.org/ [sparkleshare.org]
http://www.webupd8.org/2011/03/set-up-sparkleshare-with-your-own.html [webupd8.org]
http://www.moosechips.com/2011/02/sparkleshare-testing-ubuntu/#comments [moosechips.com]
https://github.com/hbons/SparkleShare/wiki/How-to-set-up-your-own-server [github.com]
http://is101507.students.fhstp.ac.at/?p=33 [fhstp.ac.at]
http://www.instructables.com/id/SparkleShare-for-OSX-a-Dropbox-alternative/ [instructables.com]

[Note: To 'remove' a SparkleShare client from the infrastructure pool, revoke the PGP keys at the server-level.]

Re:Try SparkleShare (1)

creepynut (933825) | more than 2 years ago | (#37962792)

Sparkleshare looks like a really slick application but it still needs to mature. Most importantly, it doesn't run on Windows!

So let me try at least give it a shot:
My Debian box - nope, not in the repositories yet. Wasn't able to get it running manually
My Windows 7 machine - nope, no Windows version
My Macbook Pro - nope, doesn't run on Mac OS Lion

I'm sure these issues will be resolved in time but until they at least run on Windows they aren't going anywhere.

Re:Try SparkleShare (1)

SpzToid (869795) | more than 2 years ago | (#37962868)

TFA discusses PCI DSS, etc. and I proposed an open-source DropBox alternative on /. SparkleShare might not yet work on Mac OSX Lion, but it does work on Mac OSX Snow Leopard (not the latest OSX version I'll grant you but still).

Since when does being PCI DSS compliant and mass-market user-acceptance become a mutual requirement? Frankly, I find avoiding mass-market OSs and software to be strategically more secure and thus desirable for PCI DSS infrastructures. Spear-phishing is less likely to function 'technically', by not using common-denominator stuff.

Re:Try SparkleShare (1)

TooMuchToDo (882796) | more than 2 years ago | (#37963294)

I'll use SparkleShare as soon as it uses an object storage system like Openstack's Swift on the backend (http://openstack.org/projects/storage/). Using GIT is a hack, when they should be using something like Swift (which is meant to be API compliant with Amazon S3).

It's not just the SMB's (0)

Anonymous Coward | more than 2 years ago | (#37962692)

I can tell you right now, there's a groundswell in my organisation towards "consumerisation", and it's really frustrating. On one hand, I can build them a secure, backed up, accessible system that the business actually owns, in our own country. However, there's no budget. OTOH, there's Internet at all their workstations, and more importantly, they already have their own personal iPad. So why not simply change what they used to do (email it to gmail) by uploading it to dropbox, and then they too can show everyone their iPad and pertinent documents...

Not denying the usefulness of a form factor that's instant on, and fast enough to do what they want. But consider a device with a swipe unlock, access to a bunch of information that would interest media people, and I have no visibility of any of this in Operations. All I know is my internet traffic is up, and if I block dropbox tomorrow it'll be another service they find via google in 5 seconds.

Talk to your business, help find the balance between what they need/want from the technology, and help channel that enthusiasm into the best solution you can find. If you have compliance to worry about too, then that'll help the job. Classification of information and what devices/locations can access it will go a long way to making it clearer for everyone :)

Re:It's not just the SMB's (1)

afabbro (33948) | more than 2 years ago | (#37962726)

Bob Lewis [slashdot.org] , why are you posting anonymously on Slashdot?

get a clue (4, Informative)

Tom (822) | more than 2 years ago | (#37962756)

Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

Neither. With all of those compliance regulations, it is the job of the company to ascertain compliance. You don't assume anything - if you do, you're not compliant. You not only need to know, you need to document your knowledge.

So really, it's a non-issue except that it means Dropbox won't be used in environments that require this kind of compliance.

Disclaimer: I used to be SOX compliance manager. I know what I'm talking about. /. would be a much better place if people submitting stories would, too.

Re:get a clue (0)

Anonymous Coward | more than 2 years ago | (#37963346)

That's not really a disclaimer. That's a claimer.

Re:get a clue (1)

Tom (822) | more than 2 years ago | (#37964194)

:-)

True.

They should assume they're not (1)

Kjella (173770) | more than 2 years ago | (#37962800)

Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?

Seriously, no matter what Dropbox does or doesn't comply with, these companies should - and must, I would hope - assume they're not. How would this work for anything? Backups? SLAs? Oh, we just assumed a seven 9's uptime and continuous multiple off-site backups in secured facilities, since the company didn't prominently say anything else. If it's not in the terms, you should never assume it is part of the package. Why, pray tell, should this be anything different for regulatory compliance? I don't need regulatory compliance, neither do many others. If your needs are special, make sure they're being met. And if you haven't done that, the blame falls squarely on your shoulders IMO.

Oh, this isn't going far enough by a long shot! (1)

Anonymous Coward | more than 2 years ago | (#37962816)

State-owned enterprises in New Zealand also have to abide by a few regulations that Dropbox Teams doesn't address. I think it's imperative that we all boycott Dropbox until all possible warnings are made prominent.

Sarbanes-Oxley, HIPAA and PCI apply to a *tiny* subset of shareable business content globally. Welcome to the cloud. It's a big world - get used to it.

I'm amazed that they are still in business (1)

dbIII (701233) | more than 2 years ago | (#37962914)

Their service has been shown to be less secure than normal FTP which is something that could be provided by any web service provider on the planet, so how's that for an epic fail? All that is required is for somebody to supply a similar front end to one of many secure back ends and you've got a superior service by any measure.
Remember these are the guys that had a problem where anybody could log into anyone else's account without a password? Then they had the long-standing security flaw where once you gave somebody access to your account they had it forever, but users didn't know that because they could change their password to give the illusion of locking people out. That's not all, there are others that made it to stories here and other .

Repeat after me: Dropbox is NOT about "security" (1)

davide marney (231845) | more than 2 years ago | (#37963246)

Dropbox is about backups and disaster recovery. It's a terrific service for SMBs who are worried that important files might get damaged, corrupted, lost, or stolen. They do NOT claim to securely store, they only claim to securely communicate. You want secure storage, you have to encrypt the file that gets backed-up on Dropbox yourself.

So, no, Dropbox is not your solution to PCI, SOX, or HIPAA. All of those standards require a whole heckuva lot more than just using a great online backup solution. The real question ought to be why anyone even remotely would think that Dropbox is providing solutions in this space. They're either trying to cast some good ol' FUD because they work for the competition, or they're just plain incompetent.

I have several law firms as clients that used... (1)

FlyingGuy (989135) | more than 2 years ago | (#37963332)

to use DropBox. After the last SNAFU with their TOS they don't use them anymore. DropBox is simply not to be trusted.

They now have several terabytes of storage on their servers and some screaming fast LTO4 tape drives in three tape changers that back up everything every night, and those are shipped off site every night.

Why ... just why (1)

fnj (64210) | more than 2 years ago | (#37963620)

Why would anyone use DropBox when there is SpiderOak? Hmmm?

PCI data shouldn't reach DropBox (1)

Animats (122034) | more than 2 years ago | (#37963840)

Most businesses shouldn't be retaining payment card data. Just pass it to the bank, do the transaction, and keep the last 4 digits of the credit card number for checking purposes. If you operate that way, PCI data never reaches DropBox.

If the business does retain credit card data, usually for recurring billing, much higher levels of security are required. Those are the most vulnerable systems, the ones that are worth breaking into. Merchants that do that have to comply with a long list of tough requirements. They also face big penalties if they screw up. None of that data should ever enter DropBox.

Remember when Sony screwed up? Their ability to take credit cards was shut down for weeks by Visa International and MasterCard. Visa sent in outside auditors. Sony had to pay for all that, plus a big penalty.

And that's the good case. A small merchant who violates the PCI standards and has a data leak may have their merchant account cancelled and won't be able to get another one.

The PCI standards are quite straightforward. There are only a few data items that have to be protected. They really do have to be protected; organized crime is constantly trying to get hold of that data to turn it into money.
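The comment's operating rule is that a full card number never needs to sit on disk: hand it to the processor and keep only the last four digits. As an added example, not the poster's code, here is the check a practitioner would put in front of a synced folder to enforce that: find Luhn-valid 13-19 digit runs (the check-digit test weeds out invoice and order numbers), refuse to sync text that still carries one, and rewrite anything that must be kept to its truncated form. The regular expression, the truncation to the last four digits and the sample ticket text are all constructed for this example; the example is stricter than PCI DSS requires, which permits keeping the first six digits of a truncated PAN as well.

```python
import re

# Candidate runs of 13-19 digits, optionally split by single spaces or dashes,
# not embedded in a longer digit string. (Constructed for this example.)
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: doubles every second digit from the right,
    folds two-digit results, and requires the total to be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str):
    """Luhn-valid 13-19 digit numbers present in text, separators removed."""
    return [_digits(m.group()) for m in _CANDIDATE.finditer(text)
            if luhn_ok(_digits(m.group()))]


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, the form the comment describes retaining."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN with its truncated form; other numbers are untouched."""
    def repl(m):
        digits = _digits(m.group())
        return truncate_pan(digits) if luhn_ok(digits) else m.group()
    return _CANDIDATE.sub(repl, text)


def safe_to_sync(text: str) -> bool:
    """Gate for a synced folder: refuse anything that still carries a full PAN."""
    return not find_pans(text)


# Constructed support-ticket text; 4111... and 5500... are standard test card numbers.
SAMPLE = (
    "Customer says card 4111111111111111 was declined, "
    "retried with 5500 0000 0000 0004; see invoice 1234567890123."
)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE))
    print("safe to sync as-is:", safe_to_sync(SAMPLE))
    cleaned = scrub(SAMPLE)
    print("scrubbed:", cleaned)
    print("safe to sync after scrub:", safe_to_sync(cleaned))
```

Two caveats a reviewer would raise: a regex plus Luhn test catches accidental leakage in text files, not card data hidden inside binaries, archives or images, so it belongs alongside a policy of never capturing the PAN rather than in place of one; and the scrubbed output is only useful because truncated PANs fall outside the cardholder-data protection requirements, which is precisely why the comment recommends keeping nothing more than the last four digits.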

Security is a process - not a product (1)

rbadgirl (2480206) | more than 2 years ago | (#37964024)

.. and all the security providers are facing uphill battles. Yes - it is inconvenient to use high security systems instead of email. Yes, it's easy to store files on Dropbox or Microsoft 365. Remember how long it took to convince people that virus scanners are important? And it's not only the regulated data. Whenever a business transfers or stores customer data, it should act very responsibly. But it is the sad truth that most businesses don't know (or don't want to know) anything about secure storage or transfer services. I am working with a company called 'closedXchange' and we are providing high-security data storage and transfer solutions. We are working hard every day trying to explain to our customers that they should never store or transfer confidential data out of their environment unless they can be 100% sure that it is safe. But how can one be sure that the data is not messed with? The only solution is point-to-point encryption: The data must be encrypted on one's own computer before it is sent or stored. We will see a lot more break-ins, data theft and privacy violations. Tons of data will be lost to international competitors, be used in blackmailing and to clear people's accounts. As I am deeply involved within this environment, I am _very_ careful whenever it comes to my personal data. Believe me, I know that plenty of companies are losing data every day. That companies are being blackmailed and forced to buy their own data back from specialized black hats in eastern Europe and Asia. And - don't forget our very own agencies who are very interested in data too. Yes - Dropbox is all about convenience. But if they don't inform their customers about potential problems, they should be held liable. My two cents, m.