Dropbox passwords optional for four hours (opens in new tab)

(techcrunch.com)

81 pointsandjones14y ago43 comments

43 comments

I use any online service with the assumption that the things I put up there could likely become public, no longer anonymous, or what have you. I don't think this is overly paranoid, given how difficult computer security is.

To me; it would make sense if Dropbox stored everything encrypted (as in, encrypted pre-transfer), and you needed the private key to decrypt stuff, unless you specifically state that it is to be public. It just makes sense from a liability statement. That said, you can do this anyway as recomended in this article. (http://lifehacker.com/5813873/how-to-add-a-second-layer-of-e...)

VMG14y ago

The thing is that you can't do email then.

You can say that google might leak your emails, but the same is true if you use your private email server.

masterzora14y ago

That's not exactly true. You just need to be super-paranoid and make sure that everything of importance is sent (on both ends) encrypted.

That's still wholly untenable for the real world, but not all paranoid people live in the real world per se.

1 more reply

gst14y ago

The security of my private mailserver is nearly the same as the security of my laptop. For security reasons I don't use a VPS for email, but a small server that sits in my basement: There are some security measures that will lead to an automatic shutdown in case someone tries to physically access the server and the whole harddisk is encrypted. (Yes - you can call me paranoid.)

1 more reply

gst14y ago

Depends on the online-service. E.g., I trust tarsnap (client-side encryption, not under an open-source license but you can compile it yourself) with very sensitive data. I also trust Wuala (also client-side encryption) with semi-sensitive data, although it somewhat worries me that Wuala's source is not publicly available for reviews. I don't trust Dropbox due to the lack of encryption - that's why I don't really use it, even though I currently have a free account with 20 GB available.

icebraining14y ago

I just mount encfs over the Dropbox folder, it's perfectly transparent. It does need Fuse, so no Windows support, but I don't really need it.

grandalf14y ago

Anyone who had any confidential data in Dropbox (medical research data, credit card transaction data) must now file a data breach report.

abofh14y ago

And anyone who stored that sort of data in dropbox more or less had it coming. HIPAA & finance laws are very clear about the security they require -- dropbox has always been hand-wavey in their explanation of their security.

tptacek14y ago

What's your point? The IT guys can't catch a break, can they? If they say "no you can't install stuff on your machine", message board geeks are up in arms. But when normal people, for whom these computer systems are designed in the first place, make (layperson-) reasonable decisions about what folders to put files in, there's the message board geek again, harassing them for not understanding how transparent cloud file sync works under the covers and interacts with regulated data.

1 more reply

pavel_lishin14y ago

Do people really store confidential business data like that in dropbox?

tptacek14y ago

Very yes (we don't allow Dropbox† on our machines, but we know of companies that rely on it).

Grandalf's point is extremely well taken. It's actually true. Not only that, but regulated companies (in health care and finance) that have a reasonable belief that any of their systems might have had Dropbox on them technically need to audit now.

I point this out not to bag on Dropbox, but as an illustration of how sane some unreasonable-sounding IT policies (like, "you don't get to install random software on your desktop") turn out to be.

† (Or Tarsnap or SpiderOak, for what it's worth.)

1 more reply

Erwin14y ago

This joke PAM "happy hour" module became reality: http://www.brendangregg.com/specials.html#pam_happy_hour

ern14y ago

I hope they add login activity to their "Recent Events" feed ASAP.

gcr14y ago

How would that work? Dropbox doesn't require login most of the time; do you want them to log every time a computer viewed a file or just the web interface, which isn't the primary use interaction?

SkyMarshal14y ago

Anyone using SpiderOak? They're the only other versioning diff-based backup service I know of that supports Linux (with a free tier; there's also Tarsnap). They also claim 'zero-knowledge' encryption. Anyone have any opinions?

tincansandtwine14y ago

There's also ownCloud (http://owncloud.org/index.php/Main_Page), if you're into that whole home server thing. It definitely supports Linux.

eropple14y ago

It supports Linux poorly, and supports nothing else at all.

(WebDAV isn't "support," when you look at the Dropbox/SpiderOak feature set.)

cypherpunks0114y ago

Hoping this convinced someone at dropbox to write a three-line release-blocking test to ensure that you can't login with a wrong password... Crosses fingers

tptacek14y ago

If you're disquieted by the idea that a single broken boolean expression could allow arbitrary users to access a web site, one way to mitigate the concern is indeed to write fiddly little tests to catch every point at which a broken boolean expression could short-circuit authentication.

Another thing to do would be to change the design of the authentication process so that it is more inherently fail-closed. For instance, you could encrypt/decrypt the database ID of the user with a key derived securely and deterministically from the user's password, perhaps (just to keep the code simple) after verifying the password against a secure password hash.

Bud14y ago

They're probably rather distracted over at Dropbox, since iCloud is about to eat their business model. That would kinda tend to suck.

DenisM14y ago

That's only assuming Apple does a competent job. Cloud is a new thing for them, they can easily screw up.

redtwo14y ago

It's media like this that great minds are trying to fight, you just want to make stories, create a buzz, even if it's by communicating misleading information that, when interpreted by people would not show the truth of what happens but just make them go nuts.

illustrated example: billgates twitter account: " Do you want me to give you all my money or what lolz" techcrunch : "OH MY GOD, BILLGATES PLANING TO GIVE A WAY ALL OF HIS MONEY" and later : "OH MY GOD, HERE'S THE GUY BILLGATES WAS TALKING ABOUT" I mean seriously, I just hate buzz seeking journalists.

redtwo14y ago

I can smell all the journalists down voting

redtwo14y ago

hilarious, but you all know that journalists in the tech world are seen as the "I-dont-know-nothing-but-I'll-just-pretend__with-a-smile-like-if-i-understood."

1 more reply

cjoh14y ago

Dropbox's security is twitter's downtime. While much more is at stake than not being able to tweet, I can't imagine that this isn't their number one growth challenge -- something that, if they conquer it, will give them a much higher market valuation.

If this happens, let's look forward to a trove of blogposts about "how to make dropbox secure" from armchair CTOs, just like we saw with Twitter and the string of posts around "How I'd scale twitter" Sharding! Webscale!

tptacek14y ago

I don't think this is a reasonable comparison. Twitter was at least 80% as useful when its uptime was erratic as it is now, when it's uptime is reasonably good. But Dropbox security flaws potentially cough up your data to criminals; when Dropbox security fails, its utility is negative, not slightly diminished.

j / k navigate · click thread line to collapse

43 comments

ohyes14y ago

VMG14y ago

The thing is that you can't do email then.

You can say that google might leak your emails, but the same is true if you use your private email server.

masterzora14y ago

That's not exactly true. You just need to be super-paranoid and make sure that everything of importance is sent (on both ends) encrypted.

That's still wholly untenable for the real world, but not all paranoid people live in the real world per se.

1 more reply

gst14y ago

1 more reply

gst14y ago

icebraining14y ago

I just mount encfs over the Dropbox folder, it's perfectly transparent. It does need Fuse, so no Windows support, but I don't really need it.

grandalf14y ago

Anyone who had any confidential data in Dropbox (medical research data, credit card transaction data) must now file a data breach report.

abofh14y ago

tptacek14y ago

1 more reply

pavel_lishin14y ago

Do people really store confidential business data like that in dropbox?

tptacek14y ago

Very yes (we don't allow Dropbox† on our machines, but we know of companies that rely on it).

I point this out not to bag on Dropbox, but as an illustration of how sane some unreasonable-sounding IT policies (like, "you don't get to install random software on your desktop") turn out to be.

† (Or Tarsnap or SpiderOak, for what it's worth.)

1 more reply

Erwin14y ago

This joke PAM "happy hour" module became reality: http://www.brendangregg.com/specials.html#pam_happy_hour

ern14y ago

I hope they add login activity to their "Recent Events" feed ASAP.

gcr14y ago

How would that work? Dropbox doesn't require login most of the time; do you want them to log every time a computer viewed a file or just the web interface, which isn't the primary use interaction?

SkyMarshal14y ago

tincansandtwine14y ago

There's also ownCloud (http://owncloud.org/index.php/Main_Page), if you're into that whole home server thing. It definitely supports Linux.

eropple14y ago

It supports Linux poorly, and supports nothing else at all.

(WebDAV isn't "support," when you look at the Dropbox/SpiderOak feature set.)

cypherpunks0114y ago

Hoping this convinced someone at dropbox to write a three-line release-blocking test to ensure that you can't login with a wrong password... Crosses fingers

tptacek14y ago

Bud14y ago

They're probably rather distracted over at Dropbox, since iCloud is about to eat their business model. That would kinda tend to suck.

DenisM14y ago

That's only assuming Apple does a competent job. Cloud is a new thing for them, they can easily screw up.

redtwo14y ago

I can smell all the journalists down voting

redtwo14y ago

hilarious, but you all know that journalists in the tech world are seen as the "I-dont-know-nothing-but-I'll-just-pretend__with-a-smile-like-if-i-understood."

1 more reply

cjoh14y ago

tptacek14y ago

j / k navigate · click thread line to collapse