Security culture, the Dropbox way (opens in new tab)

(blogs.dropbox.com)

21 pointsapu7y ago13 comments

13 comments

pvg7y ago

I'm sure Dropbox takes security seriously and works hard at it but this piece doesn't tell me a lot more than that except in much longer form. You can find/replace 'trust' (and 'security') with 'truck' and come away as informed and potentially slightly more amused.

tlb7y ago

Some informative parts that keep their meaning under s/trust/truck/g include:

"... daylong social engineering workshop designed and led by internal experts that immersed them in a hypothetical scenario involving a malicious insider."

"... a hands-on workshop where Dropbox employees researched, crafted, and presented their own phishing schemes."

"... our annual Capture the Flag"

It's interesting the emphasis on social attacks. You only have to get the cryptography right once, but every employee needs to defend against social engineering.

pvg7y ago

You forgot the really important ones, I think. Trucktober and tailgating. It does raise the interesting question of why Dropbox does not celebrate Trarch.

dokem7y ago

The harder a company tries to sell their philosophy the less I'm inclined to believe them. Words are cheap.

java-man7y ago

a better approach would be implementing a zero-knowledge storage infrastructure, like tarsnap.

mehrdada7y ago

which prevents issues like https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...

java-man7y ago

as well as https://techcrunch.com/2014/10/11/edward-snowden-new-yorker-...

1 more reply

pvg7y ago

These sorts of hills grow to mountains with the bones of hopeful pedants who die on them. But I think there's still a chance to hold this one. That's not what 'zero knowledge' means, it's a technical term for a different thing.

java-man7y ago

you are technically correct (the best kind of correct). but it's a commonly understood concept:

https://www.google.com/search?q=zero+knowledge+storage

1 more reply

myWindoonn7y ago

We call this "provider-independent security" in capability theory; the idea is that a security guarantee, like privacy or confidentiality, is inherent in the construction regardless of who is providing the service.

j / k navigate · click thread line to collapse

13 comments

pvg7y ago

tlb7y ago

Some informative parts that keep their meaning under s/trust/truck/g include:

"... daylong social engineering workshop designed and led by internal experts that immersed them in a hypothetical scenario involving a malicious insider."

"... a hands-on workshop where Dropbox employees researched, crafted, and presented their own phishing schemes."

"... our annual Capture the Flag"

It's interesting the emphasis on social attacks. You only have to get the cryptography right once, but every employee needs to defend against social engineering.

pvg7y ago

You forgot the really important ones, I think. Trucktober and tailgating. It does raise the interesting question of why Dropbox does not celebrate Trarch.

dokem7y ago

The harder a company tries to sell their philosophy the less I'm inclined to believe them. Words are cheap.

java-man7y ago

a better approach would be implementing a zero-knowledge storage infrastructure, like tarsnap.

mehrdada7y ago

which prevents issues like https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...

java-man7y ago

as well as https://techcrunch.com/2014/10/11/edward-snowden-new-yorker-...

1 more reply

pvg7y ago

java-man7y ago

you are technically correct (the best kind of correct). but it's a commonly understood concept:

https://www.google.com/search?q=zero+knowledge+storage

1 more reply

myWindoonn7y ago

j / k navigate · click thread line to collapse