Dropbox Head Responds To Snowden Claims About Privacy

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 176

First time accepted submitter Carly Page writes: When asked for its response to Edward Snowden's claims that "Dropbox is hostile to privacy", Dropbox told The INQUIRER that users concerned about privacy should add their own encryption. The firm warned, however, that if users do, not all of the service's features will work. Head of Product at Dropbox for Business Ilya Fushman says: "We have data encrypted on our servers. We think of encryption beyond that as a user's choice. If you look at our third-party developer ecosystem you'll find many client-side encryption apps....It's hard to do things like rich document rendering if they're client-side encrypted. Search is also difficult, we can't index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files."

umm duh? (3, Insightful)

Noah Haders (3621429) | about 3 months ago | (#47520085)

Search is also difficult, we can't index the content of files.

umm duh, that's the point? sucks when your customers can't trust you.

Re:umm duh? (5, Insightful)

AudioEfex (637163) | about 3 months ago | (#47520151)

Yeah, uh, because all "cloud" services aren't inherently ridiculous for anyone to consider secure or anything...

Re:umm duh? (3, Interesting)

Anonymous Coward | about 3 months ago | (#47520447)

Hehe, I have some clients from New Zealand and they were inquiring about some of my company's cloud service offerings. I talked a bit about them but mentioned that they would be better served by hardware that they owned. I asked if they had heard of Mega and what happened to them. They said it was on the news ALL THE TIME in New Zealand. So then I said "Well then you know that law enforcement raided Mega's servers, took them, and have since refused to give all of that data back to its owners. Would you trust your data when that is one of the consequences?" They bought new servers.

Re:umm duh? (0)

Anonymous Coward | about 3 months ago | (#47520485)

That's so funny. I was in that meeting. I was the guy in the checkered shirt.

Re:umm duh? (5, Funny)

Anonymous Coward | about 3 months ago | (#47520501)

me too. i was the guy who wasn't wearing pants.

Re:umm duh? (0)

Anonymous Coward | about 3 months ago | (#47521489)

they were inquiring about some of my company's cloud service offerings. I talked a bit about them but mentioned that they would be better served by hardware that they owned.

Sure you did. That would be grounds for termination by your employer. And if you own the company offering cloud services yet tell potential clients to buy their own servers if they want security, you won't be in business long unless your other company sells hardware.

Re:umm duh? (1)

Anonymous Coward | about 3 months ago | (#47521621)

Unless the company also sells the non-cloud offerings that were purchased. In which case it's a commendable upsell.

Re:umm duh? (0)

Anonymous Coward | about 3 months ago | (#47521771)

Sure you did. That would be grounds for termination by your employer.

Since you have no clue of where the company is located or what they do you have nothing to back that statement up.
Even if they offer cloud services, if they were hired as consultants to solve storage problems their customers have it would be fraudulent to trick them into a storage solution that isn't at all good for them.
Not every company has a business model that involves screwing over their customers at every opportunity; some actually want long-term customers that come back because you take extra care to do what is best for the customer.

Re:umm duh? (0)

Anonymous Coward | about 3 months ago | (#47521933)

You have no idea of his instructions for his job or the realities of that company's revenue stream(s). So you are simply talking out of your ass, just to "hear" yourself. It is not entertaining for the rest of us, if you really want to make yourself look like an idiot, please do it in meatspace so the rest of us are not inconvenienced.

Re:umm duh? (1)

bill_mcgonigle (4333) | about 3 months ago | (#47521431)

Yeah, uh, because all "cloud" services aren't inherently ridiculous for anyone to consider secure or anything...

Trust the math, not the people.

Re:umm duh? (1)

Immerman (2627577) | about 3 months ago | (#47521897)

That can assure you that the providers can't access your data (Assuming you can also trust the software that implements the math), but it can't provide any assurance that *you* will still be able to access your data tomorrow. They could go out of business, their servers could be confiscated, etc,etc,etc. There's more to security than locking people out, otherwise instead of high-security door locks we'd simply fill the entire building with hardened concrete. Or burn it down. Much more reliable way of keeping people out.

Re:umm duh? (5, Insightful)

Charliemopps (1157495) | about 3 months ago | (#47521459)

Yea, we use a very expensive cloud service that per the contract is encrypted at rest and in transit. After 5yrs I happened to have a networking issue and did a packet capture on the stream... no encryption. So we approached them... "Encryption? No, we don't do that..." We explained that it was in the contract and they HAD to do that. So after 2 months they had to move us to a "Special" server and we were encrypted. I checked the packets again and we were at least encrypted in transit. A few months later we had another trouble ticket with them. One of their techs was working on it and explained how he logged in and edited the table raw to fix it. So I asked how he could do that if the data was encrypted. "Encryption? No, we don't do that..." ugh... so now we're supposedly "really" encrypted.

The problem with cloud services is they can lie cheat and steal with your data and there's nothing you can do about it. You can't verify it, you can't test it, and if anything happens to it you wouldn't have a clue. You're entirely at the mercy of the provider and as time goes on their internal staff can turn over, competence can wane, controls can get lax, and you'll have no idea any of that is happening.

Re:umm duh? (0)

Anonymous Coward | about 3 months ago | (#47521717)

very expensive cloud service

Which one?

I assume you've sued them for breach of contract? Or notified your customers their data was flying around on the internet in the clear?

Re:umm duh? (3, Informative)

hsmith (818216) | about 3 months ago | (#47521821)

You do realize there are several flavors of encryption, right? Microsoft SQL Server TDE is an example. You can login, perform queries, update data in any table, but all data is encrypted - it is - transparent as the name indicates.

That also ignores things like encrypted volumes, etc. Just because individual files aren't encrypted with unique keys, doesn't mean that encryption isn't there.

Re:umm duh? (4, Insightful)

Immerman (2627577) | about 3 months ago | (#47522011)

So, when you contracted with these folks did they issue you a kilobyte-long encryption key with a warning not to lose it or your data would be permanently inaccessible? And did you have to use that key every time you stored or retrieved data with them? If not, then that's your glaring red flag that any encryption they might offer is a sham. Even if it were stored encrypted on their servers, if you can access it without supplying the encryption key that means they're essentially storing the keys in the lock to the safe.

Which is why, honestly, I'm okay with folks like Dropbox being a bit lax about security, provided they're open about it. Encryption in transit is nice if you just want to keep idle prying eyes off your not-terribly-sensitive data, and SSH provides a convenient way to implement it. But if you want real security on the stored data the *only* way to get it is if you do just what they're suggesting and exercise total personal control over the encryption. That data should be securely encrypted before it ever leaves your computers, and you are the only one who should possess the keys to decrypt it. If you want people in your organization to have easy access without worrying about encryption then establish a local proxy that will transparently handle the encryption and decryption as data flows through it to your cloud provider.

Actually that could be a great internet appliance - it could even perform indexing of the data if you wanted it to, while providing near-perfect security for *any* remote data-server offering. If anyone decides to market such a thing I want 1% for the idea - we can make each other rich.

Re:umm duh? (5, Interesting)

TheRaven64 (641858) | about 3 months ago | (#47521437)

There are techniques that allow searching within encrypted files, but they rely on the client creating the index. You can then search the index for an encrypted search term and, if you know the keys, interpret the answer. Getting this right is quite tricky (there are several research papers about it), so he's right, but it's not impossible.

The main reason that I suspect DropBox discourages encryption is that they rely a lot on deduplication to reduce their costs. If everyone encrypted their files, then even two identical files would have different representations server-side if owned by different users, so their costs would go up a lot.
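The client-built index and the deduplication cost described in the comment above, as an added example that is not part of the original thread and is not Dropbox's code. All names (`keyword_token`, `StorageServer`, `upload`, `search`) and the sample files are constructed for illustration, and the SHAKE-256 keystream in `seal` is a standard-library stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import re
import secrets


def keyword_token(index_key, word):
    """Blind search token: HMAC-SHA256 of the keyword under a key only the client holds."""
    return hmac.new(index_key, word.lower().encode("utf-8"), hashlib.sha256).hexdigest()


def seal(file_key, plaintext):
    """Stand-in cipher (assumption): random nonce + SHAKE-256 keystream XOR, no integrity tag."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(file_key + nonce).digest(len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


class StorageServer:
    """What the provider holds: opaque blobs and token -> blob-id sets, never a key."""

    def __init__(self):
        self.blobs = {}   # SHA-256 of the uploaded bytes -> bytes (content-hash dedup)
        self.index = {}   # keyword token -> set of blob ids

    def put_blob(self, data):
        blob_id = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(blob_id, data)   # identical uploads are stored once
        return blob_id

    def put_index(self, index):
        for token, blob_ids in index.items():
            self.index.setdefault(token, set()).update(blob_ids)

    def lookup(self, token):
        # Leakage to keep in mind: tokens are deterministic, so the server still
        # learns which blobs share a keyword and when a query is repeated.
        return sorted(self.index.get(token, ()))


def upload(server, file_key, index_key, files):
    """Client side: encrypt each file, index its words locally, send ciphertext and tokens."""
    ids, index = {}, {}
    for name, text in files.items():
        blob_id = server.put_blob(seal(file_key, text.encode("utf-8")))
        ids[name] = blob_id
        for word in set(re.findall(r"[a-z0-9]+", text.lower())):
            index.setdefault(keyword_token(index_key, word), set()).add(blob_id)
    server.put_index(index)
    return ids


def search(server, index_key, word):
    """Client side: the server only ever sees the token, not the search term."""
    return server.lookup(keyword_token(index_key, word))


def demo():
    # Constructed sample data: two users store the same document.
    shared = "Q3 merger term sheet draft"
    alice_files = {"deal.txt": shared, "notes.txt": "grocery list and holiday plans"}
    bob_files = {"copy.txt": shared}

    # Without client-side encryption the provider deduplicates the shared file.
    plain = StorageServer()
    for text in (shared, shared):
        plain.put_blob(text.encode("utf-8"))

    # With per-user keys every upload is a distinct blob, yet search still works.
    enc = StorageServer()
    a_file, a_idx = secrets.token_bytes(32), secrets.token_bytes(32)
    b_file, b_idx = secrets.token_bytes(32), secrets.token_bytes(32)
    alice_ids = upload(enc, a_file, a_idx, alice_files)
    bob_ids = upload(enc, b_file, b_idx, bob_files)
    return {
        "plain_blobs": len(plain.blobs),
        "encrypted_blobs": len(enc.blobs),
        "alice_ids": alice_ids,
        "bob_ids": bob_ids,
        "alice_hits": search(enc, a_idx, "merger"),
        "bob_hits": search(enc, b_idx, "Merger"),
        "miss": search(enc, a_idx, "payroll"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Losing `index_key` or `file_key` makes both the index and the files unrecoverable, which is the password-loss caveat from the summary.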

what's new (0)

Anonymous Coward | about 3 months ago | (#47520089)

Wasn't all of this already known?

Re:what's new (-1)

Anonymous Coward | about 3 months ago | (#47520457)

Reality Check: Dropbox admits business model is half-assed and broken; confuses making quality product for customers with being a first mover for the quick buck solution.

Re:what's new (0)

Anonymous Coward | about 3 months ago | (#47521257)

Reality Check: Dropbox admits business model is half-assed and broken; confuses making quality product for customers with being a first mover for the quick buck solution.

I don't understand this response. If it isn't for you, fine, but not having end-to-end encryption doesn't make it broken or half-assed, in fact having it would break very nice functionality they have today. So it is a user choice, and not all files require end-to-end encryption, just don't use it for things you want to keep secret, you control that yourself. I find services like dropbox (I use one of the clones) extremely convenient for easy multi-device and web access to files, including search and online viewing/editing of file content. How would you solve that in a non-half-assed and non-broken way?

Re:what's new (3, Funny)

Opportunist (166417) | about 3 months ago | (#47520703)

Try to convince a Manager hellbent on joining "The Cloud" and you know the answer is no.

For a chuckle, have him explain what "The Cloud" is before you do. At least it provides some entertainment before you try to convince him he's about to sink his business.

Re:what's new (1)

Anonymous Coward | about 3 months ago | (#47521547)

Sometimes you can't reason with folks who just want the ``supervised cloud migration'' or ``moved the company into the cloud'' etc., next to their accomplishments---especially if all the other managers are doing it too.

And yes, cloud is seen as this mythical thing that will fix all IT problems. Low on disk space? Cloud will fix it. Databases are slow? Cloud will fix it. Not enough hours in the day? Cloud will fix it.

Problem is that to an extent, some of these promises are actually true---but the effort of actually making them happen is often glossed over (e.g. taking stuff off Oracle and making it run "in the cloud" is quite easy to say, but making it happen is quite a challenge).

StateBox (-1)

Anonymous Coward | about 3 months ago | (#47520105)

Forced on basis of mounting circumstantial evidence to accept, Mr Fushman, that Israel's surveillance apparatus also has access to my Dropbox data. No? And by taking Condoleezza Rice on to your board you for sure further sabotage your business model. Is your ultimate allegiance to your customers or to the State?

Our stuff is encrypted!!!! (5, Insightful)

Y2K is bogus (7647) | about 3 months ago | (#47520107)

With the keys we readily hand over when warranted.... o_O

Re:Our stuff is encrypted!!!! (4, Interesting)

Anonymous Coward | about 3 months ago | (#47520193)

I wouldn't expect anything more than that from services that are aimed at businesses, and I think you've got to be an idiot if you view a free (or dirt cheap) storage service like Dropbox as anything other than temporary space some stranger's letting you use for a while. You've got to expect that you can't rely on the data to persist when you want it, and that it'll always be there if the government or hackers or anyone besides you wants it. I don't really have a problem with that. At zero dollars, it's been handy to have around and their API is probably the simplest and best of the cloud services I've used (even though their handling of file-type-based app permissions is bizarre).

Re:Our stuff is encrypted!!!! (1)

Gr8Apes (679165) | about 3 months ago | (#47520209)

With the keys we readily hand over when warranted.... o_O

Who needs a warrant? Just a couple of bucks for our "anonymized" (wink wink) data.

Re:Our stuff is encrypted!!!! (0, Redundant)

Anonymous Coward | about 3 months ago | (#47520337)

Who needs a warrant? They have Condoleezza Rice on their board. As if she couldn't obtain a copy of the private keys in that position? lol

Re:Our stuff is encrypted!!!! (-1)

Anonymous Coward | about 3 months ago | (#47520683)

I guess what they say is true as you seem to have proven, crack doesn't smoke itself.

Re:Our stuff is encrypted!!!! (0)

Anonymous Coward | about 3 months ago | (#47521981)

Wow, what are you, 10?

Re:Our stuff is encrypted!!!! (0)

Anonymous Coward | about 3 months ago | (#47520913)

Head of Product at Dropbox for Business Ilya Fushman says: "We have data encrypted on our servers. We think of encryption beyond that as a user's choice. If you look at our third-party developer ecosystem you'll find many client-side encryption apps....It's hard to do things like rich document rendering if they're client-side encrypted. Search is also difficult, we can't index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files."

After reading a few users' posts and your comment, I see why they made such a ridiculous statement. Anyone foolish enough to store anything on a "cloud" isn't very bright to begin with, and even more so when you find out that even if the stuff you're storing isn't something you would consider "sensitive information" the powers-that-be can still get an accurate profile on you based on the stuff you do have stored. And it's pretty apparent that these "big" companies' cloud services are insecure, since they give out anything and everything on you with no refusal, on top of them perhaps selling it off to a third party, as well as forcing people that enjoy a certain (physical) software suite to switch to the cloud based and deal with the ridiculous fees they keep tagging on.

Of course I would have to recant, because using any "connected" device, smartphone, computer, etc., pretty much does the same thing, so we're all fools.

Re:Our stuff is encrypted!!!! (-1)

Anonymous Coward | about 3 months ago | (#47521921)

We're not fools. It's convenience vs privacy/security. Different people have different needs, different tasks have different needs. If you want absolute privacy of communication do this:
1. build a 10-layer Faraday cage
2. build your own computer from scratch (design chips n stuff, disk drive & its controllers, display, input devices; custom fab all of it yourself)
3. write software for the said computer
4. operate the said computer inside the cage
5. put your data on a thumb drive
6. wrap the drive in 15 layers of tin foil
7. deliver the drive in person

And I haven't even touched encryption yet.

Worst Response of all Time (0, Flamebait)

wisnoskij (1206448) | about 3 months ago | (#47520125)

This has to be one of the worst responses of all time. I have no idea how well Dropbox protects their users' privacy, but the suggestion that if users do not trust them they can use their own encryption, but then none of their features will work is just stupid.

Re:Worst Response of all Time (5, Insightful)

Anonymous Coward | about 3 months ago | (#47520133)

It's not stupid; it's just a fact. Obviously they can't do any of that crap if they can't decrypt your data, but that's fine by me.

Re:Worst Response of all Time (5, Insightful)

AudioEfex (637163) | about 3 months ago | (#47520205)

It's not stupid; it's just a fact. Obviously they can't do any of that crap if they can't decrypt your data, but that's fine by me.

Exactly. Gotta love the knee-jerk, I can't have a logical thought because I'm just so ready to rant about "the man" bullshit. Especially since it sounds like it's coming from someone who doesn't even use or understand the service.

Dropbox is file storage, plain and simple. I use it to make a few music files and some reading material available across my devices. That's its main function, to store/share files.

All that other shit he is talking about that encryption won't work with is all fluff and ancillary stuff - I name my files properly, for example, so I don't need them to search within them for me. The service works just fine with encrypted files - you just can't use the fancy doodads that you don't really need anyway.

I applaud him for being honest - if this was certain other companies they'd be telling you "oh trust us. It's secure!" He's being honest - it's a dumping spot for files, if you want encryption, BYO.

Christ some of the folks around these parts don't know their heads from their asses - use the words encryption or privacy and they don't even listen or understand wtf is being talked about they just automatically jump to tired fear mongering rhetoric. Just like the folks who take rifles strapped across their backs to Starbucks - I want to say, WTF are you so scared of? And if you do have something to be scared of - stay the fuck home, or in this case, don't be a complete retard and use a "cloud" service to begin with.

Re:Worst Response of all Time (1)

cold fjord (826450) | about 3 months ago | (#47520689)

Christ some of the folks around these parts don't know their heads from their asses - use the words encryption or privacy and they don't even listen or understand wtf is being talked about they just automatically jump to tired fear mongering rhetoric.

I hadn't noticed.

Re:Worst Response of all Time (-1)

Anonymous Coward | about 3 months ago | (#47520723)

I hadn't noticed.

It's your job to notice.

Re:Worst Response of all Time (-1)

Anonymous Coward | about 3 months ago | (#47520993)

But you're forgetting the government is bad at all its jobs.

Re:Worst Response of all Time (0)

Anonymous Coward | about 3 months ago | (#47521811)

I'm not scared, I'm the one with the rifle. What are you scared of?

Re:Worst Response of all Time (0)

gl4ss (559668) | about 3 months ago | (#47520531)

they could do that client side.

but wouldn't be such easy experience for everyone.

but if they provided tools to use the storage while doing the encryption on client side and have it still be visible as a drive/folder to the OS...

there might be a good market for that too. problem is that israel and usa could just coerce them to add backdoors even then.

Re:Worst Response of all Time (-1)

Anonymous Coward | about 3 months ago | (#47520539)

All of the software should be free software so that backdoors are less of a problem.

Re:Worst Response of all Time (0)

Dionysus (12737) | about 3 months ago | (#47520591)

All of the software should be free software so that backdoors are less of a problem.

How does free software ensure that a service you access doesn't have backdoors? Is it really that difficult in your mind to branch off the codebase so that the code that is freely available is different from the code that is actually used, or are you one of those a*holes that thinks throwing out "free software" is the solution to everything?

Re:Worst Response of all Time (0)

Anonymous Coward | about 3 months ago | (#47520823)

How does free software ensure that a service you access doesn't have backdoors?

If you can see what the actual software is doing and have verified that it doesn't have backdoors, and the encryption is happening clientside, then that matters less.

Re:Worst Response of all Time (-1)

Anonymous Coward | about 3 months ago | (#47520915)

"Flamebait"
"Overrated"

What is wrong with you people? Flamebait is especially absurd. And I wasn't even rated to begin with!

Re:Worst Response of all Time (1)

Anonymous Coward | about 3 months ago | (#47521109)

You've verified that the source _available_ doesn't have backdoors. How do you know that what's actually running on their servers doesn't?

If you don't want to have to trust someone, then you have to do everything yourself.

Otherwise you have to live with giving up some degree of certainty in exchange for a little trust.

Re:Worst Response of all Time (5, Insightful)

Kardos (1348077) | about 3 months ago | (#47520281)

So, you would have preferred a positive sounding statement indicating that they are aware that some users have privacy concerns and a vague reference to ongoing efforts to address these concerns?

I didn't find that response "worst of all time". It came across as lacking in the bullshit department, almost refreshingly so, actually.

Re:Worst Response of all Time (1)

Anonymous Coward | about 3 months ago | (#47520291)

This has to be one of the worst responses of all time. I have no idea how well Dropbox protects their users' privacy, but the suggestion that if users do not trust them they can use their own encryption, but then none of their features will work is just stupid.

A lack of Indexing and searching of your encrypted containers is obvious, but not nearly as obvious as your lack of comprehension. TFA clearly said some of the features will not work when client-side encryption is used. No one claimed the service would break completely.

Duh (5, Insightful)

backslashdot (95548) | about 3 months ago | (#47520127)

Dropbox has Condoleezza Rice on its board of directors. If anyone remembers, she was Secretary of State and also the president's National Security Advisor during the Bush administration. She basically allowed torture, and is responsible for Guantanamo. She had no problem with torturing people without even doing a basic check to see if the person being tortured was guilty of the crime he was being tortured for. And you want to talk about spying? She was part of the administration that developed the PATRIOT Act. The justification being "it's ok to spy on foreigners" .. Oh and we can DECLARE you a foreigner without any due process by making you prove your Americanness. She was cool with torturing foreigners without giving them any sort of due process, so why would you assume that she won't torture citizens if she was scared into doing so? We already know she doesn't think people need privacy.

Re:Duh (-1, Troll)

Anonymous Coward | about 3 months ago | (#47520381)

Dropbox has Condoleezza Rice on its board of directors. If anyone remembers, she was Secretary of State and also the president's National Security Advisor during the Bush administration. She basically allowed torture, and is responsible for Guantanamo

and global warming and 9/11 and pluto being demoted from planetary status also she killed Christmas!

Re:Duh (1)

viperidaenz (2515578) | about 3 months ago | (#47520579)

It's ok Pluto, I'm not a planet either :(

Re:Duh (0)

Anonymous Coward | about 3 months ago | (#47521001)

Because your horseshit is of equal value to the GP post's truth.

Re:Duh (2)

rsborg (111459) | about 3 months ago | (#47521067)

Why is this comment rated so low? If anything, having such a politically invested person on the board of directors really does say something about Dropbox and their views on privacy and security (yes, I do think the same about Apple and Al Gore - his values did seem to align with the company's).

Ever since 1Password moved to iCloud sync, I've stopped using Dropbox for even stashing an encrypted file. For everything else there're more targeted cloud services.

Joe Biden for 2016 (-1)

Anonymous Coward | about 3 months ago | (#47521661)

Joe Biden is a square shooter. JOE BIDEN FOR 2016!

Re:Duh (3, Insightful)

operagost (62405) | about 3 months ago | (#47522021)

Good thing she's not a Democrat, or we'd all be calling you racist and sexist.

Out Of The Great Lebowski (-1)

Anonymous Coward | about 3 months ago | (#47520137)

The nihilist Ilya Fushman acts and talks like the German nihilist in The Great Lebowski:
[paraphrase German nihilist] Come ons lebowski ... giv us da monie lebowski. [Lebowski] Like hay Man, there is no money, there was no kidnapping of Bunny. It was all a ruse. Don't you understand that ... like Man.
[paraphrase German nihilist] We know u got da monie lebowski ... get us da monie labowski.

Cloudy, chance of rain (1, Insightful)

AndyCanfield (700565) | about 3 months ago | (#47520207)

Dropbox is cloud. Cloud is a remote hard disk. My hard disk has nothing to do with privacy; anyone who can SSH into my computer can read my hard disk. Put that hard disk on the Internet, in "the cloud", and the same thing applies, anybody logged in to the Internet can read your dropbox. Hey, I thought that was the PURPOSE of Drop box, to share files. If you want privacy, burn a DVD and hand it to the guy.

For me, my notebook has a 1TB hard disk. I have a web site I control. Yeah, my web site is hostile to privacy; that's the whole purpose of a PUBLIC web site. I had a "Dropbox" and dropped it.

Re:Cloudy, chance of rain (2, Insightful)

martin-boundary (547041) | about 3 months ago | (#47520757)

How is that insightful? You've completely missed the whole point of privacy laws. In law, your hard drive in your computer is yours, and it is not public unless you go out of your way to make it so. In particular, anyone who uses ssh to access your hard drive breaks the law, unless you've specifically authorized them to do so. Lots of people, some slashdot readers, have gone to jail for doing just that.

Also, your hard disk, in your computer, in your house isn't searchable by law enforcement unless they have a warrant. So keep your stuff at home, and you'll be better off than leaving it on Dropbox (*).

(*) I can see you're unconvinced. Let me spell it out for you: if your file is on Dropbox, then a properly worded warrant needs to be served to Dropbox, and they'll allow searches and copies of anything their hard drives contain. Including your file, your neighbour's file, everybody's files. If everybody keeps their own files at home, then a warrant needs to be served to you, to see your files, but it won't work for your neighbour's files. Another warrant needs to be served to the neighbour to see his files. And it won't work for everybody else. A warrant needs to be served individually to everyone, just to get the same access that Dropbox can give with a single properly worded warrant.

Re:Cloudy, chance of rain (1)

HuguesT (84078) | about 3 months ago | (#47520875)

Exactly. Also the NSA doesn't even need warrants. How convenient for them that everyone is leaving these fine files in the same place for them to search...

Re:Cloudy, chance of rain (1)

Threni (635302) | about 3 months ago | (#47521019)

> Let me spell it out for you: if your file is on Dropbox, then a properly worded warrant
> needs to be served to Dropbox, and they'll allow searches and copies of anything
> their hard drives contain.

Let me spell it out for you. You're safe outside. If anyone attacks or robs you, they'll be breaking the law.

Hilarious (-1)

Anonymous Coward | about 3 months ago | (#47520211)

"We're not against encryption, but here's a big dose of FUD!"
If they were really pro-encryption, there would be no "but".

Just in time (0)

Anonymous Coward | about 3 months ago | (#47520217)

From the article:

I store my own most personal information on Dropbox, down to a scan of my social security card.

All this comes just when previously good files in Dropbox servers start to give virus warnings..

Just wow.. (-1)

rmdingler (1955220) | about 3 months ago | (#47520261)

That is the lamest explanation for a deficiency in service I have ever heard from a fellow fluent in the language du jour.

Re:Just wow.. (1)

Anonymous Coward | about 3 months ago | (#47520461)

You must not have much exposure to bullshit.

This is actually a genuine and honest statement that is frank and straightforward.

Re:Just wow.. (1)

Anonymous Coward | about 3 months ago | (#47520483)

That is the lamest explanation for a deficiency in service I have ever heard from a fellow fluent in the language du jour.

You misspelled layman. Sometimes you nerds often forget that services like Dropbox have gone mainstream, and therefore take an extra helping of "for dummies" ladled on top of the usual rhetoric. This isn't some *NIX SFTP server you download and configure manually in a VM. Dropbox is about as easy as Facebook to set up. Therefore, when coming forth with a form of CYA explanation regarding a deficiency, one must be able to speak to the entire audience.

That said, I promise 80% of Dropbox users reading the words "developer ecosystem" will respond with a stare more blanked out than a Kardashian at a cell phone kiosk. Even this explanation wasn't layman enough.

Computers 101 (0)

Anonymous Coward | about 3 months ago | (#47520277)

>> Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files.

Really, computer users do not know that?

Re:Computers 101 (1)

Anonymous Coward | about 3 months ago | (#47520315)

No, they don't. If they did they wouldn't expect a fucking cloud storage service with any sort of private information.

You have to necessarily be a braindead buttfuck retard to do that. I use Dropbox all the fucking time but I don't expect a damn bit of anything I put on it to be private. It's a way to move shit from Point A to Point B and nothing more. Storing private data on it is a sure sign that you should have been aborted.

Re:Computers 101 (-1)

Anonymous Coward | about 3 months ago | (#47520415)

No, they don't. If they did they wouldn't expect a fucking cloud storage service with any sort of private information.

You have to necessarily be a braindead buttfuck retard to do that. I use Dropbox all the fucking time but I don't expect a damn bit of anything I put on it to be private. It's a way to move shit from Point A to Point B and nothing more. Storing private data on it is a sure sign that you should have been aborted.

Come on, friend! Don't hold back. Tell us how you really feel!

own cloud (0)

Karmashock (2415832) | about 3 months ago | (#47520293)

People need to stop using these services and host it themselves. It's not hard and it's the only way to get control.

Re:own cloud (1)

davmoo (63521) | about 3 months ago | (#47521515)

Yep, that's exactly what I do. I know exactly what's going on with my data, and if it's insecure, I know it's my own dang fault.

Re:own cloud (1)

Karmashock (2415832) | about 3 months ago | (#47521597)

The only way you get hacked is if someone hacks YOU. Which is a lot less likely than someone hacking facebook or whatever. If the NSA etc wants to get access they have to penetrate you specifically. The big dragnet operations will largely pass you by if you host it yourself.

Trust No One = TNO (5, Insightful)

Streetlight (1102081) | about 3 months ago | (#47520311)

Steve Gibson's mantra: TNO. If the host has your encryption password/key, then they can't be trusted. If you don't believe that, ask Snowden's email provider, Lavabit's founder Ladar Levison: http://www.wired.com/2014/04/l... [wired.com]

Re:Trust No One = TNO (-1)

Anonymous Coward | about 3 months ago | (#47520541)

Gibson was an overrated hack. He hasn't been anywhere close to relevant in years.

No big deal (except the encryption part) (2, Insightful)

scottbomb (1290580) | about 3 months ago | (#47520319)

I don't need them to do "rich document rendering" (whatever the hell that is) nor do I need them (or anyone else to) index the contents of my files. All I want is for someone to STORE the shit and keep it synced between all my machines. Dropbox does this very well.

As for encryption, I don't have time for that nonsense. Anything sensitive such as financials is kept locally on my own server or burned to a DVD and put in the closet. I couldn't care less if someone gets a hold of my vast collection of pictures and documents. It is private, but not going to hurt me if someone at the NSA starts snooping around.

Re:No big deal (except the encryption part) (0)

Anonymous Coward | about 3 months ago | (#47520379)

IF the NSA wants something on you, it will find something on you, they will charge you for breaking a law in Korea that says the fish is illegal if not sold in a blue bag. Your pictures are FULL of things that the NSA could say "This could be enough to charge him over".

Re:No big deal (except the encryption part) (1)

SuluSulu (1039126) | about 3 months ago | (#47520467)

You might consider checking out Spideroak.com [spideroak.com] as they claim to not store your password on their servers so that it is impossible for them to decrypt your files without you. Also they have a decent synchronization client for all major OSs. Disclaimer: I am not affiliated with Spideroak, just a user.

Re:No big deal (except the encryption part) (0, Insightful)

Anonymous Coward | about 3 months ago | (#47520661)

You don't understand how it works, you are providing the raw materials they will use to construct the stuff to hurt you.

Re:No big deal (except the encryption part) (0)

Anonymous Coward | about 3 months ago | (#47520753)

So, you're going to trust Dropbox, who now has Pro-NSA spying and warmongering Condoleezza Rice on the board? And you'll trust them enough to install a root-level file system driver into your operating system. Yeah, I don't need dropbox to give me "rich document rendering" I just need dropbox to fuck right off with their Stasi-wet-dream nonsense.

Re:No big deal (except the encryption part) (0)

Anonymous Coward | about 3 months ago | (#47520781)

Huh, just HOW DID those child porn pictures get on your hard drive?

Re:No big deal (except the encryption part) (0)

Anonymous Coward | about 3 months ago | (#47521087)

You might not need it, but they do. Today's consumer world simply doesn't revolve around doing one thing and doing it well. They want to be able to some day say, "oh you heard of google docs. we have something even better and it's there for you to use right now" and see moneys falling from the skies. Or maybe it's something little less obvious, who knows, but the point is that they definitely have a financial incentive to go that route.

Re:No big deal (except the encryption part) (3, Interesting)

rioki (1328185) | about 3 months ago | (#47521263)

You know there is a web interface to Dropbox too? People expect to read their documents, like word or PDF right there online. To do this the service must index the files and read them. Obviously if you encrypt the files, this can not be done.

I use Dropbox as my offsite backup of sensitive information and I trust the information to be safe. Simple, I encrypt the tar-ball with symmetric GPG. But then again I can only download the file via the web interface if I wish and not view the contents online... buhuhu

Rich document rendering (0)

Anonymous Coward | about 3 months ago | (#47520325)

What does it mean by that?
Some kind of git-hub-style document reports showing metadata* about documents, like line number or total number of words?
For me at least, this is not the part I care about in this service.

* again this noun I hate so much

iDrive has the same problem (4, Interesting)

Animats (122034) | about 3 months ago | (#47520455)

iDrive [idrive.com], which is supposed to be a remote backup service, has a similar problem. They used to be an honest remote backup service, with client-side encryption. (They didn't protect the client password very well on the client machine, but at least the server didn't have it.) File contents were encrypted, but filenames were not, so you could look at logs and the directory tree on line. Then they came out with a "new version" of the service, one that is "web based" and offers "sharing".

For "sharing" to work, of course, they need to know your encryption key. They suggest using the "default encryption key". Even if you're not "sharing", when you want to recover a copy of a file, you're prompted to enter your encryption key onto a web page. The web page immediately sends the encryption key to the server as plain text, as can be seen from a browser log. Asked about this, they first denied the problem, then, when presented with a browser log, refused to answer further questions.

They try real hard to get their hands on your encryption key. After you log into their web site, a huge pop-up demands your encryption key. Without it, some of the menu items at the top of the page still work, and with some difficulty, you can actually find logs of what you backed up. You can't browse your directory tree, though.

It's possible to use the service securely (maybe), but you have to run only the application for recovery, and never use the web-based service. They don't tell you that.

This isn't a free service. I pay them $150 a year.

Re:iDrive has the same problem (1)

jhaar (23603) | about 3 months ago | (#47520619)

You're still paying money with those concerns?? Just move your money (and data) to SpiderOak and be happy: good client-side crypto can be done properly.

Re:iDrive has the same problem (3, Insightful)

Anonymous Coward | about 3 months ago | (#47521441)

And Spideroak gives you a closed binary to run on your endpoints, and you quite happily type your password into that. Uh-huh.

Spideroak are just another vendor saying 'trust us not to have been served an NSL' and trust us not to capture your key with the client software if served an NSL/warrant.

Once the spideroak client is open and audited, perhaps at that point their marketing about a secure server architecture makes a difference.

Syncplicity solves it! (1)

GWBasic (900357) | about 3 months ago | (#47520477)

Syncplicity [syncplicity.com] lets enterprises store files on their own servers, with an extra layer of authentication that prevents Syncplicity staff from getting to the files. It still allows for access to these files through a web browser. When enterprises use single-sign-on, users don't even realize that they're authenticating multiple times.

This is a very hard problem to solve for consumers, though. Most people don't have the time to set up their own cloud servers.

Re:Syncplicity solves it! (-1)

Anonymous Coward | about 3 months ago | (#47520555)

Poop. I pooped my pants. Poop shit poop poop poop poop poop shit poop poop poop poop poop poop dung poop poop shit poop poop poop poop poop shit poop poop dung poop dung poop poop poop poop shit poop poop dung poop poop poop shit poop poop poop poop poop poop dung poop poop shit poop poop poop poop poop shit poop poop poop poop poop dung poop poop poop fecal matter in my shoes

Re:Syncplicity solves it! (-1)

Anonymous Coward | about 3 months ago | (#47520791)

piss. I pissed my pants. piss pee piss piss piss piss piss pee piss piss piss piss piss piss dung piss piss pee piss piss piss piss piss pee piss piss dung piss dung piss piss piss piss pee piss piss dung piss piss piss pee piss piss piss piss piss piss dung piss piss pee piss piss piss piss piss pee piss piss piss piss piss dung piss piss piss urine in my shoes

I appreciate him saying that. (2)

ddt (14627) | about 3 months ago | (#47520805)

Perhaps "hostile" was unfair, but I appreciate that he made it sound shocking. I am shocked when I learn people store secret docs unencrypted on Dropbox. They are then shocked when I tell them Dropbox is insecure. There should be a lot less shock all around.

Sensible response (2)

Craig Ringer (302899) | about 3 months ago | (#47520837)

That's an accurate and sensible response.

In fact, 3rd party client encryption tools might be better than built-in support by Dropbox. They can be produced outside the USA by companies or individuals unaffiliated with DropBox and potentially harder to pressure into backdooring the software in an update.

I'll stick to SpiderOak personally, despite the awful transfer speeds and somewhat clunky usability, because I just want a remote store that stores my gibberish bytes and gives me the same gibberish bytes back later.

Alternatives (2)

fuzzyf (1129635) | about 3 months ago | (#47520893)

I tried using SpiderOak, but it was a bit too slow for me atm. What I really needed was an off-site backup, so I ended up with Amazon Glacier with client side encryption. Can't beat the price :) I have dropbox too, and it's ok for its use. Just have to realize that everything you upload to them is not private anymore. I wish more services did secure by default and option to reduce security for wanted features.

And deduplication will not work anymore (1)

greatpatton (1242300) | about 3 months ago | (#47520991)

There is also a strong argument for a company like Dropbox to avoid or at least not encourage too much client side encryption: deduplication. If deduplication is no longer working, it will considerably increase their storage cost, which is the core of their business.

I think people are missing the point (1)

Anonymous Coward | about 3 months ago | (#47521013)

One of Dropbox's features is the ability to access your Dropbox files through your web browser. Which can be very convenient for some people.

Obviously they couldn't do that if your account was encrypted to an extent that even Dropbox couldn't decrypt it.

I don't understand people complaining about a service that is up front about offering more convenience than security (not that Dropbox is insecure, they just trade off some security for convenience).

If you want a service that offers more security than convenience, then don't use Dropbox. Duh.

Re:I think people are missing the point (2)

Captain Hook (923766) | about 3 months ago | (#47521963)

Use the web interface to download the file, then decrypt with a local copy of the encryption tool/key.

What they mean is they can't render a document on the web interface.

We should add our own encryption??? (2, Insightful)

DrXym (126579) | about 3 months ago | (#47521091)

Hi Dropbox, stop blaming users. You are in the strongest position possible to offer encryption in Dropbox because it's your software. You know the triggers that cause files to be exchanged. You know the optimal way to minimize network traffic. If you can send and receive files, then why can't you also encrypt / decrypt files in this step? This could be as simple as providing a settings screen where the user enters a passphrase and once enabled all files within a protected folder are encrypted before they leave the client. This encryption could also scramble file names and break up large files into parts to obfuscate their size.

Yes you'd have to warn the user that a protected folder means exactly that and there are restrictions on what you can do with it, e.g. access in some dropbox clients, web browsers, sharing to others. People will get it.

Even better, this encryption / decryption could be thrown open as a pluggable API so 3rd parties could write their own encryption protocols to whatever personal or corporate standard they desired. For transparency the aforementioned passphrase encryption could even be supplied for review.

Same goes for Skydrive, Google Drive etc. There is no excuse for not offering encryption. Not that I'm in the tinfoil hat camp to think this is to facilitate monitoring (although it does). More likely it's because these cloud storage servers use file hashing to spare themselves the bother of storing 1,000,000 copies of the same file. It still sucks though and even if the option is off by default, encryption of at least one folder should be provided.
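An added example, not part of the thread and not Dropbox code: a minimal sketch of the passphrase-protected folder described in the comment above (encrypt before upload, blinded file names, fixed-size padded chunks), run against a hash-deduplicating store to show the storage cost raised here and in the earlier deduplication comment. All names, the 4096-byte chunk size and the sample file are assumptions, and because the Python standard library has no AES, a SHAKE-256 keystream with an HMAC tag stands in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

CHUNK = 4096  # fixed chunk size (demo value); files are padded to a multiple of it

def derive_keys(passphrase, salt):
    # Three independent 32-byte keys: encryption, authentication, name blinding
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=96)
    return k[:32], k[32:64], k[64:]

def seal(keys, chunk):
    # Stand-in for an AEAD such as AES-GCM (not in the standard library):
    # SHAKE-256 keystream under a fresh random nonce, then an HMAC-SHA256 tag.
    enc, mac, _ = keys
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(chunk))
    body = bytes(a ^ b for a, b in zip(chunk, stream))
    return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()

def unseal(keys, blob):
    enc, mac, _ = keys
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + body, hashlib.sha256).digest()):
        raise ValueError("chunk was modified or the passphrase is wrong")
    stream = hashlib.shake_256(enc + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def blind_name(keys, path, index):
    # Deterministic so the client can find its chunks again; opaque to the server
    return hmac.new(keys[2], f"{index}:{path}".encode(), hashlib.sha256).hexdigest()

class DedupStore:
    """Server side: keeps each distinct blob once, addressed by its SHA-256."""
    def __init__(self):
        self.blobs, self.index = {}, {}
    def put(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)      # identical bytes are stored once
        self.index[(user, name)] = digest
    def get(self, user, name):
        return self.blobs[self.index[(user, name)]]
    def stored_bytes(self):
        return sum(len(b) for b in self.blobs.values())

def upload(store, user, keys, path, data):
    # Length prefix + zero padding hides the exact size; only the chunk count shows
    padded = len(data).to_bytes(8, "big") + data
    padded += b"\0" * (-len(padded) % CHUNK)
    count = len(padded) // CHUNK
    for i in range(count):
        store.put(user, blind_name(keys, path, i), seal(keys, padded[i * CHUNK:(i + 1) * CHUNK]))
    return count

def download(store, user, keys, path, count):
    padded = b"".join(unseal(keys, store.get(user, blind_name(keys, path, i))) for i in range(count))
    return padded[8:8 + int.from_bytes(padded[:8], "big")]

def demo():
    doc = b"quarterly-report " * 1000            # constructed sample file, 17000 bytes
    plain, protected, ok = DedupStore(), DedupStore(), True
    for user in ("alice", "bob"):                # two users sync the same file
        plain.put(user, "report.txt", doc)
        keys = derive_keys(user + " passphrase", os.urandom(16))
        count = upload(protected, user, keys, "report.txt", doc)
        ok = ok and download(protected, user, keys, "report.txt", count) == doc
    return plain.stored_bytes(), protected.stored_bytes(), ok

if __name__ == "__main__":
    print(demo())
```

The plaintext store ends up holding one copy of the file for both users, while the protected store holds every chunk from each user, because fresh nonces and per-user keys make identical files hash differently.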

Re:We should add our own encryption??? (4, Informative)

coofercat (719737) | about 3 months ago | (#47521801)

You realise dropbox is free, right? Why should they do something expensive like offer encryption on a service that is (a) free, and (b) for sharing files. Sharing's hard if your stuff is encrypted, and sharing is the source of most of Dropbox's value.

If you want encryption, then fine, do it yourself. You obviously know that your stuff won't be indexable or shareable so won't be calling for support or slagging Dropbox off online when you find indexing and sharing not working.

There's room to suggest Dropbox should offer a pay-for encrypted service. The thing is, no matter how well they do it, it'll always be vulnerable to government interference, and it'll never be fully trusted anyway. BYO means no government interference and trust *for the relatively small number of people who care* without raising the costs too much for the multitudes who don't.

owncloud? (1)

0xdeaddead (797696) | about 3 months ago | (#47521123)

why not roll your own? a VPS is too cheap these days...

Re:owncloud? (1)

AHuxley (892839) | about 3 months ago | (#47521571)

Yes get the OS to create its own files to move up everyday. All the good aspects of the cloud, nothing to see but encrypted files your OS understands and can recreate, search. Storage space is all you need.

People don't understand the sharing compromise (0)

Anonymous Coward | about 3 months ago | (#47521345)

I think it's clear no matter if you talk Dropbox or Google Cloud, Microsoft cloud or Apple iCloud. You have a system of sharing that may not be so secure as to limit the ease at which you can use those services without causing problems. After all, many people have trouble using anything without a lot of help. All of these "sharing" services have to juggle making things easy with making things secure. The biggest security tool is encryption and yet that in itself is the most problematic solution for security. Oh, if we only were a society that had no bad people trying to get our information sharing would be so much simpler and reliable.
Putting multiple layers of encryption on data just to protect that data is just a stop gap measure that it seems eventually gets cracked by people trying to get at it.
What does this continue to prove? That cloud storage is going to have to continually improve security in order to satisfy customers' concerns. Otherwise cloud storage will go nowhere in attracting more customers. Myself, I already see the writing on the wall that cloud storage as it stands now will not find its way into critical storage solutions for sensitive data. Nobody seems willing to guarantee security when the bad guys are lurking just a click behind the security advances.

What idiocy (1)

johnlcallaway (165670) | about 3 months ago | (#47521761)

Anyone that posts anything on the Internet (i.e. on another person's computer and network) and demands privacy or security is a moron. You can ask .. but no one is obligated to give it to you. Becoming indignant or angry because they won't is just about the most self-centered and egotistical thing I can think of, thinking someone else owes you something. Why should they?? Because you demanded it?? What do you have to offer in return beyond shutting your mouth??

It's their decision and theirs alone. You want things private and secure, keep them on your own computer. Unplugged from any network.

Anything else is up for grabs.

It's Security versus Convenience (0)

Anonymous Coward | about 3 months ago | (#47521769)

The price of the features they supply is your data. If you want security, encrypt before it leaves your computer.
