Welcome Guest.   Make a donation to an author on the site July 26, 2014, 08:11:03 AM  *

Please login or register.
Or did you miss your validation email?


Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.


You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
 
Check out and download the GOE 2007 Freeware Challenge productivity tools.
   
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1] 2 3 4 Next   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: Deduplication, encryption, security and... Dropbox  (Read 15802 times)
Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« on: April 13, 2011, 10:51:10 AM »

Dropbox sacrifices user privacy for cost savings ?

That's what this article is trying to demonstrate.
Interesting read and, while I'm no security expert, it seems to me that the implications go beyond this :

Quote
As Ashkan Soltani was able to test in just a few minutes, it is possible to determine if any given file is already stored by one or more Dropbox users, simply by observing the amount of data transferred between your own computer and Dropbox's servers. If the file isn't already stored by Dropbox, the entire file will be uploaded. If Dropbox has the file already, just a few kb of communication will occur.
Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #1 on: April 13, 2011, 12:51:46 PM »

On a related note:

Why SpiderOak doesn't de-duplicate data across users (and why it should worry you if we did)

One of the features of SpiderOak is that if you backup the same file twice, on the same computer or different computers within your account, the 2nd copy doesn't take up any additional space. This also applies if you have several versions of a file as it evolves over time -- we only need to save the new data blocks.

Some storage companies take this de-duplication to a second level, and do a similar form of de-duplication across all the data from all their customers. It's a great deal for the company. They can sell the bytes of storage to every user at full price while incurring zero additional cost. In some ways its helpful to the user too -- uploads are certainly faster when you don't have to transfer the data!

...there's more in the blog article the quote is from.
Logged

- carpe noctem
Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #2 on: April 13, 2011, 01:27:11 PM »

Thanks f0dder. SpiderOak implements it the right way it seems.
I saw that you were already aware of that when I checked that post in that SpiderOak thread.  smiley
Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #3 on: April 13, 2011, 01:28:31 PM »

Yup, thought it was worth mentioning here as well smiley
Logged

- carpe noctem
tomos
Charter Member
***
Posts: 8,348



see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #4 on: April 13, 2011, 05:10:23 PM »

another one = amazon cloud:

Food for thought... No privacy on Amazon's cloud drive.

Less so than other cloud storage?

I'll just throw this out there:
Does it really bother you though ? smiley


[edit] on rereading the article, and thinking about it a bit, you dont have to answer that question ;-) I guess I'm sort of relaxed about it myself, cause the important stuff I have on Dropbox is encrypted (locally) [/edit]
« Last Edit: April 13, 2011, 05:19:00 PM by tomos » Logged

Tom
phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #5 on: April 14, 2011, 02:19:17 AM »

[edit] on rereading the article, and thinking about it a bit, you dont have to answer that question ;-) I guess I'm sort of relaxed about it myself, cause the important stuff I have on Dropbox is encrypted (locally) [/edit]

Mine is not (locally encrypted). I totally relied on Dropbox's claims of total security (which as it seems might be naive). So yes, it does bother me.
Logged

Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #6 on: April 14, 2011, 11:54:43 AM »

I actually bothers me too, even though I don't have too much sensitive info... Because that's not really the point : what bothers me are the false claims. It's almost impossible that "they" didn't know about the actual storage security/encryption flaws. So they most probably... lied.

I'm going to try to find an alternative, if possible.
Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
nudone
Cody's Creator
Columnist
***
Posts: 4,116



see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #7 on: April 14, 2011, 01:02:20 PM »

How is Dropbox detecting duplicate files - not by name, surely? By some hash? It must be unique - how does it know it's safe to duplicate otherwise.

Which, to me, means I don't quite get the security concerns. If you've got a file that you don't want duplicating because of sensitive content, isn't that going to be a file you've created yourself, therefore with a unique hash. So, it won't be duplicated.

The only things duplicated are common files. Ones that won't have been edited from their original source.

(I use Dropbox so I may just be kidding myself and not seeing the bigger picture.)
Logged
Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #8 on: April 14, 2011, 01:56:21 PM »

If it can hash the files, then it can also read them before it's encrypted or after, by using the encryption key (which they shouldn't have access to in the first place)... So it means that they have access to content. (If you encrypt files before sending, that doesn't apply of course).
« Last Edit: April 14, 2011, 01:59:16 PM by Armando » Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #9 on: April 14, 2011, 01:56:50 PM »

This is what's making me nervous:

Quote
Dropbox is likely calculating hashes of users' files before they are transmitted to the company's servers. While it is not clear if the company is using a single encryption key for all of the files users' have stored with the service, or multiple encryption keys, it doesn't really matter (from a privacy and security standpoint), because Dropbox knows the keys. If the company didn't have access to the encryption keys, it wouldn't be able to detect duplicate files.

I see that it's only speculation. But if it is true, then that is a very serious problem.
Logged

phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #10 on: April 14, 2011, 01:59:30 PM »

To be honest, I assumed that my files were somehow encrypted with my login credentials. Now that I think of it, that wouldn't make sense though. Every time I'd change my password the files would probably have to be re-encrypted.
Logged

Cloq
Charter Member
***
Posts: 250

View Profile Give some DonationCredits to this forum member
« Reply #11 on: April 14, 2011, 09:21:27 PM »

More on Dropbox security.
Logged
Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #12 on: April 15, 2011, 10:12:44 AM »

Thanks Cloq. More stuff to consider...  smiley
Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
wraith808
Supporting Member
**
Posts: 6,085



"In my dreams, I always do it right."

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #13 on: April 15, 2011, 10:38:06 AM »

I'll just throw this out there:
Does it really bother you though ? smiley


[edit] on rereading the article, and thinking about it a bit, you dont have to answer that question ;-) I guess I'm sort of relaxed about it myself, cause the important stuff I have on Dropbox is encrypted (locally) [/edit]

Encrypted how?  I just saw this comment on that Dropbox Security link...

Quote
A warning about using TrueCrypt with dropbox — because of way drop-box works, only syncing the bits of a TC container that have changed, a person may be able to guess your TC secret key by capturing this changed data several times.

I guess I'm not really too upset about it because I don't really have any sensitive stuff to sync. smiley
Logged

f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #14 on: April 15, 2011, 11:33:15 AM »

I don't see how they can handle cross-user deduplication if they aren't able to decrypt (if encrypted at all!) files at a whim. If you upload a file that's applicable for deduplication, upload is instant.

As for the dedupe not being a problem because only "unique" files are sensitive? Well, what about something like the weaked likipedia cables? I'm also concerned about it at a general honesty level, though. Oh, and the fact that dropbox is generally holed like a sieve smiley
Logged

- carpe noctem
Stoic Joker
Honorary Member
**
Posts: 5,104



View Profile WWW Give some DonationCredits to this forum member
« Reply #15 on: April 15, 2011, 12:31:33 PM »

Just add periodic blocks of completely random machine code to you sensative documents. That way even if somebody does manage to successfully decrypt it, they'll still be left scratching their heads trying to figure out what they missed.


(jk - don't shoot me...smiley)
Logged
Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #16 on: April 15, 2011, 02:16:12 PM »

I'm also concerned about it at a general honesty level, though.

Me too. Really, I don't see why I should trust them more than others.

Private data should be treated as such. And if "they" make it sound like nobody can access it apart from the user, it should be because it's impossible for them to do so. Not because they're nice people and we should trust them not to do so.
Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #17 on: April 15, 2011, 03:46:37 PM »

I raised my concerns directly with Dropbox and got the following response:

Quote
That article is both misleading and alarmist.

Please read our response to this. Thanks! http://forums.dropbox.com....php?id=36365#post-310198

If you would like client-side encryption you'll need to use something like True Crypt. With server-side encryption it doesn't matter if we use your key our ours. Also, if you expect the files themselves to be encrypted using your actual password as the key then we'd have to re-encrypt all of your files every time you change your password. I don't believe any service offers that feature.

Please let me know if there is anything else I can do for you.
Logged

Armando
Charter Member
***
Posts: 2,673



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #18 on: April 15, 2011, 04:04:48 PM »

I don't find that their answers explains much... unfortunately.
Logged

"I suppose it can be said that I'm an absent-minded driver. It's true that I've driven through a number of red lights on occasion, but on the other hand, I've stopped at a lot of green ones but never gotten credit for it."
Glenn Gould
phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #19 on: April 15, 2011, 04:06:49 PM »

I don't find that their answers explains much... unfortunately.

And I don't find it in the least comforting.
Logged

wraith808
Supporting Member
**
Posts: 6,085



"In my dreams, I always do it right."

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #20 on: April 15, 2011, 04:22:22 PM »

I don't find that their answers explains much... unfortunately.

And I don't find it in the least comforting.

And I found it actually made me more concerned, rather than less.  Because it shows (1) PR backpedaling and (2) a basic lack of awareness about the competition.  I *know* that Jungle Disk does offer encryption (though I don't use it, because it slows down the sync, and I don't really store anything that I care about using the sync service) and I'm pretty sure that others do also.

Quote
Encryption (Bucket Password)

Jungle Disk makes it easy to protect your remotely stored data with encryption. Encryption ensures that no one can access your data as it is transmitted over the Internet or stored on remote servers.
Note that regardless of whether you enable encryption using a custom key, your data is always encrypted while transmitted over the Internet by using SSL (like your bank web site). Choosing a custom encryption key means that your files will be encrypted while stored on Amazon's servers as well.
Be careful when enabling encryption. If you forget the encryption key you select you will not be able to retrieve your files in the future. You should write down a copy of your key and keep it in a safe place. If you lose your key neither Jungle Disk nor Amazon can help you retrieve it.
To enable Encryption, select the “Encrypt files using a custom key” option and type an encryption key (password) into the Custom Encryption Key box.
There is also a box where you can enter a list of "Decryption Keys". This is only required if you want to change your custom encryption key from time to time. When you change your encryption key, existing files stored on Amazon.com servers are still encrypted with the original key. In order to be able to access them in the future, you need to keep your previous keys in the decryption keys list. If you want to re-encrypt your files with a new key you will need to re-upload them. If you attempt to download a file that was encrypted with a key that is not on your decryption keys list, Jungle Disk will display an error message.

Quote
Here are a few details on how Jungle Disk encrypts your files:
Jungle Disk encrypts files that are stored prior to uploading them using 256-bit AES. AES is an industry (and government) standard and is one of the most well studied and most secure encryption algorithms available. Jungle Disk uses a unique key for each file, and constructs the key using a HMAC that helps protect against certain attacks. Code that demonstrates how data is encrypted/decrypted is available for download on the software download page under the GPL license.

The Jungle Disk Desktop Edition adds a special metadata header to each file when it is uploaded. The header identifies the type of encryption used and contains a salt value and a one-way hash of the salted key. This allows Jungle Disk to determine the correct key to use to decrypt the file. Note that without the decryption keys the header is of no use, and you cannot even tell which files are encrypted with which keys unless you possess the keys.
Logged

phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #21 on: April 15, 2011, 04:33:29 PM »

And I found it actually made me more concerned, rather than less.  Because it shows (1) PR backpedaling and (2) a basic lack of awareness about the competition.  I *know* that Jungle Disk does offer encryption (though I don't use it, because it slows down the sync, and I don't really store anything that I care about using the sync service) and I'm pretty sure that others do also.

Yep, I agree. Same for SpiderOak (which I'm not personally using (yet)). At least their FAQ about their "zero knowledge" indicates as much.
Logged

f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #22 on: April 15, 2011, 05:25:02 PM »

For SpiderOak, they can't even intercept your data at server-side before encryption, because it's done client-side... and encryption really shouldn't slow anything down unless you've got an insane-speed internet connection smiley

Quote
Also, if you expect the files themselves to be encrypted using your actual password as the key then we'd have to re-encrypt all of your files every time you change your password.
Doesn't really need to be "encrypted using your actual password" - generate a random encryption key, encrypt that encryption key using the password. Lets you change the passphrase without re-encrypting all the content...

After that reply of theirs, and the recent exploits against it, I don't think I'd touch dropbox with a 42 foot pole.
Logged

- carpe noctem
wraith808
Supporting Member
**
Posts: 6,085



"In my dreams, I always do it right."

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #23 on: April 15, 2011, 07:24:57 PM »

... and encryption really shouldn't slow anything down unless you've got an insane-speed internet connection smiley

Wouldn't the act of encryption slow things down?  i.e. step 1 encrypt, step 2 upload instead of just step 1 upload?
Logged

phitsc
Honorary Member
**
Posts: 977



see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #24 on: April 16, 2011, 12:19:58 AM »

I've asked Dropbox support if their FAQ statement that says that "Dropbox employees aren't able to access user files" were really true. Their response:

Quote
Yes. Dropbox employees can't access the file's contents. They can see the file names, move, delete or even restore files, but can't view them. The only exceptions are the executive staff who have a vested interest the company.

I have to admit that I am shocked about their slack interpretation of the word "employee". To be honest, I feel cheated by that FAQ statement. Already the fact that any employee could actually delete my files is unbelievable.

Anyone who's already a SpiderOak user wants to send me an invitation? I think they have a referral program.
Logged

Pages: [1] 2 3 4 Next   Go Up
  Reply  |  New Topic  |  Print  
 
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register  

DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF
[ Page time: 0.046s | Server load: 0.04 ]