Dropbox passwords optional for four hours

Dropbox passwords optional for four hours(techcrunch.com)

81 points by andjones 14 years ago | 43 comments

ohyes 14 years ago |

I use any online service with the assumption that the things I put up there could likely become public, no longer anonymous, or what have you. I don't think this is overly paranoid, given how difficult computer security is.

To me; it would make sense if Dropbox stored everything encrypted (as in, encrypted pre-transfer), and you needed the private key to decrypt stuff, unless you specifically state that it is to be public. It just makes sense from a liability statement. That said, you can do this anyway as recomended in this article. (http://lifehacker.com/5813873/how-to-add-a-second-layer-of-e...)

VMG 14 years ago | |

The thing is that you can't do email then.

You can say that google might leak your emails, but the same is true if you use your private email server.

masterzora 14 years ago | | |

That's not exactly true. You just need to be super-paranoid and make sure that everything of importance is sent (on both ends) encrypted.

That's still wholly untenable for the real world, but not all paranoid people live in the real world per se.

gst 14 years ago | | |

The security of my private mailserver is nearly the same as the security of my laptop. For security reasons I don't use a VPS for email, but a small server that sits in my basement: There are some security measures that will lead to an automatic shutdown in case someone tries to physically access the server and the whole harddisk is encrypted. (Yes - you can call me paranoid.)

gst 14 years ago | |

Depends on the online-service. E.g., I trust tarsnap (client-side encryption, not under an open-source license but you can compile it yourself) with very sensitive data. I also trust Wuala (also client-side encryption) with semi-sensitive data, although it somewhat worries me that Wuala's source is not publicly available for reviews. I don't trust Dropbox due to the lack of encryption - that's why I don't really use it, even though I currently have a free account with 20 GB available.

icebraining 14 years ago | | |

I just mount encfs over the Dropbox folder, it's perfectly transparent. It does need Fuse, so no Windows support, but I don't really need it.

grandalf 14 years ago |

Anyone who had any confidential data in Dropbox (medical research data, credit card transaction data) must now file a data breach report.

abofh 14 years ago | |

And anyone who stored that sort of data in dropbox more or less had it coming. HIPAA & finance laws are very clear about the security they require -- dropbox has always been hand-wavey in their explanation of their security.

tptacek 14 years ago | | |

What's your point? The IT guys can't catch a break, can they? If they say "no you can't install stuff on your machine", message board geeks are up in arms. But when normal people, for whom these computer systems are designed in the first place, make (layperson-) reasonable decisions about what folders to put files in, there's the message board geek again, harassing them for not understanding how transparent cloud file sync works under the covers and interacts with regulated data.

pavel_lishin 14 years ago | |

Do people really store confidential business data like that in dropbox?

tptacek 14 years ago | | |

Very yes (we don't allow Dropbox† on our machines, but we know of companies that rely on it).

Grandalf's point is extremely well taken. It's actually true. Not only that, but regulated companies (in health care and finance) that have a reasonable belief that any of their systems might have had Dropbox on them technically need to audit now.

I point this out not to bag on Dropbox, but as an illustration of how sane some unreasonable-sounding IT policies (like, "you don't get to install random software on your desktop") turn out to be.

† (Or Tarsnap or SpiderOak, for what it's worth.)

Erwin 14 years ago |

This joke PAM "happy hour" module became reality: http://www.brendangregg.com/specials.html#pam_happy_hour

ern 14 years ago |

I hope they add login activity to their "Recent Events" feed ASAP.

gcr 14 years ago | |

How would that work? Dropbox doesn't require login most of the time; do you want them to log every time a computer viewed a file or just the web interface, which isn't the primary use interaction?

SkyMarshal 14 years ago |

Anyone using SpiderOak? They're the only other versioning diff-based backup service I know of that supports Linux (with a free tier; there's also Tarsnap). They also claim 'zero-knowledge' encryption. Anyone have any opinions?

tincansandtwine 14 years ago | |

There's also ownCloud (http://owncloud.org/index.php/Main_Page), if you're into that whole home server thing. It definitely supports Linux.

eropple 14 years ago | | |

It supports Linux poorly, and supports nothing else at all.

(WebDAV isn't "support," when you look at the Dropbox/SpiderOak feature set.)

cypherpunks01 14 years ago |

Hoping this convinced someone at dropbox to write a three-line release-blocking test to ensure that you can't login with a wrong password... Crosses fingers

tptacek 14 years ago | |

If you're disquieted by the idea that a single broken boolean expression could allow arbitrary users to access a web site, one way to mitigate the concern is indeed to write fiddly little tests to catch every point at which a broken boolean expression could short-circuit authentication.

Another thing to do would be to change the design of the authentication process so that it is more inherently fail-closed. For instance, you could encrypt/decrypt the database ID of the user with a key derived securely and deterministically from the user's password, perhaps (just to keep the code simple) after verifying the password against a secure password hash.

Bud 14 years ago |

They're probably rather distracted over at Dropbox, since iCloud is about to eat their business model. That would kinda tend to suck.

DenisM 14 years ago | |

That's only assuming Apple does a competent job. Cloud is a new thing for them, they can easily screw up.

redtwo 14 years ago |

It's media like this that great minds are trying to fight, you just want to make stories, create a buzz, even if it's by communicating misleading information that, when interpreted by people would not show the truth of what happens but just make them go nuts.

illustrated example: billgates twitter account: " Do you want me to give you all my money or what lolz" techcrunch : "OH MY GOD, BILLGATES PLANING TO GIVE A WAY ALL OF HIS MONEY" and later : "OH MY GOD, HERE'S THE GUY BILLGATES WAS TALKING ABOUT" I mean seriously, I just hate buzz seeking journalists.

redtwo 14 years ago | |

I can smell all the journalists down voting

redtwo 14 years ago | | |

hilarious, but you all know that journalists in the tech world are seen as the "I-dont-know-nothing-but-I'll-just-pretend__with-a-smile-like-if-i-understood."

cjoh 14 years ago |

Dropbox's security is twitter's downtime. While much more is at stake than not being able to tweet, I can't imagine that this isn't their number one growth challenge -- something that, if they conquer it, will give them a much higher market valuation.

If this happens, let's look forward to a trove of blogposts about "how to make dropbox secure" from armchair CTOs, just like we saw with Twitter and the string of posts around "How I'd scale twitter" Sharding! Webscale!

tptacek 14 years ago | |

I don't think this is a reasonable comparison. Twitter was at least 80% as useful when its uptime was erratic as it is now, when it's uptime is reasonably good. But Dropbox security flaws potentially cough up your data to criminals; when Dropbox security fails, its utility is negative, not slightly diminished.