Author Topic: Deduplication, encryption, security and... Dropbox (Read 49321 times)

nudone · « **Reply #25 on:** April 16, 2011, 02:36 AM »

Let the great Dropbox Diaspora begin!

CleverCat · « **Reply #26 on:** April 16, 2011, 04:16 AM »

phitsc - check your messages for invite...

f0dder · « **Reply #27 on:** April 16, 2011, 08:48 AM »

... and encryption really shouldn't slow anything down unless you've got an insane-speed internet connection
-f0dder (April 15, 2011, 05:25 PM)

Wouldn't the act of encryption slow things down? i.e. step 1 encrypt, step 2 upload instead of just step 1 upload?
-wraith808 (April 15, 2011, 07:24 PM)

A fast consumer internet connection has 100kb/s upload rate. A 3 year old dualcore laptop can do ~140mb/s AES encryption

I've asked Dropbox support if their FAQ statement that says that "Dropbox employees aren't able to access user files" were really true. Their response:

Yes. Dropbox employees can't access the file's contents. They can see the file names, move, delete or even restore files, but can't view them. The only exceptions are the executive staff who have a vested interest the company.

I have to admit that I am shocked about their slack interpretation of the word "employee". To be honest, I feel cheated by that FAQ statement. Already the fact that any employee could actually delete my files is unbelievable.
-phitsc (April 16, 2011, 12:19 AM)

W...T...F?

Armando · « **Reply #28 on:** April 16, 2011, 10:25 AM »

Yes. Dropbox employees can't access the file's contents. They can see the file names, move, delete or even restore files, but can't view them. The only exceptions are the executive staff who have a vested interest the company.

Thanks for sharing that, phitsc.
It seems very wrong. Even if their definition of employee wasn't slack...

AndyM · « **Reply #29 on:** April 16, 2011, 01:45 PM »

This:

Yes. Dropbox employees can't access the file's contents. .... The only exceptions are the executive staff who have a vested interest the company.

makes this:

"Dropbox employees aren't able to access user files"

a lie.

Try telling the IRS that any executive staff, whether or not they are officers of the corporation, whether or not they own stock or have any other vested interest, are not employees of the corporation.

Eóin · « **Reply #30 on:** April 16, 2011, 02:46 PM »

Executive staff aren't employees, they're gods!

Armando · « **Reply #31 on:** April 16, 2011, 03:34 PM »

And gods easily turn into dogs.

phitsc · « **Reply #32 on:** April 16, 2011, 04:57 PM »

And gods easily turn into dogs.
-Armando (April 16, 2011, 03:34 PM)

Damn, it took me about 10 seconds to see that. And it's only 4 letters

Armando · « **Reply #33 on:** April 16, 2011, 09:52 PM »

...there's more in the blog article the quote is from.
-f0dder (April 13, 2011, 12:51 PM)

Thanks for the link [Edit : Dropbox's lawyers should study it too]. And I'm also going to study that spideroak thing a bit more though before I Drop or prod the box.... which is definitely something I'll do. Just a matter of time.

Armando · « **Reply #34 on:** April 16, 2011, 11:46 PM »

This is a pretty good and balanced general article : http://web.appstorm....ak-file-sync-battle/

It mentions security, but isn't focused on it.

And the website is also not bad at all... first time I see it.

f0dder · « **Reply #35 on:** April 17, 2011, 07:59 AM »

More on Dropbox security.
-Cloq (April 14, 2011, 09:21 PM)

In addition to those security concerns, also keep this in mind:

...in other words, if somebody gets access to your hostid, changing you password isn't going to matter the tiniest bit in the world.

And then we've got this:

Business Transfers. Dropbox may sell, transfer
   or otherwise share some or all of its assets,
   including your Personal Information, in connection
   with a merger, acquisition, reorganization or
   sale of assets or in the event of bankruptcy.
-http://news.ycombinator.com/item?id=389304

...all your data are belong to us. Might be standard business practice, but is it particularly confidence-inspiring?

Really, start the DropBox exodus already.

Armando · « **Reply #36 on:** April 17, 2011, 11:17 AM »

Thanks for the links -- am having problems with the first one though. Installed spideroak last night and will experiment with it today.

Even if I don't have much sensitive stuff in my dropbox account, it's a question of principle: companies offering "cloud" storage should take privacy more seriously. With all that, Dropbook is starting to look like Facebox.

Armando · « **Reply #37 on:** April 17, 2011, 01:12 PM »

Would it be unethical to ask SpiderOak for a special donationcoder discount ? I read quite a bit about it and I think they really have a good product. IMO, it's the perfect alternative to DropBox. Especially if the later doesn't put its act together.

Carol Haynes · « **Reply #38 on:** April 17, 2011, 03:34 PM »

Who are the 'executive staff' andc how do they bypass their own security system?

Armando · « **Reply #39 on:** April 17, 2011, 03:46 PM »

Well, they said :

Yes. Dropbox employees can't access the file's contents. They can see the file names, move, delete or even restore files, but can't view them. The only exceptions are the executive staff who have a vested interest the company.
-phitsc (April 16, 2011, 12:19 AM)

... but, to know how they do it... they'd have to tell us exactly.

f0dder · « **Reply #40 on:** April 17, 2011, 04:15 PM »

Given what we've heard about DropBox, the "how do the executives bypass security" is probably as simple as "grantAccess = (user.isExecutive == true);"

Carol Haynes · « **Reply #41 on:** April 17, 2011, 05:10 PM »

But if the data is supposed to be encrypted by a private key ...

Armando · « **Reply #42 on:** April 17, 2011, 06:23 PM »

[slightly off-topic] hmmmm... I'm having problems with spideroak's deduplication... Maybe because my some of my data is already encrypted? see https://www.donation....msg245855#msg245855 [/slightly off-topic]

phitsc · « **Reply #43 on:** April 18, 2011, 02:07 AM »

Who are the 'executive staff' andc how do they bypass their own security system?
-Carol Haynes (April 17, 2011, 03:34 PM)

I would assume that it means executive staff have access to the private keys they use for encryption.

Even if I would trust these executive staff (whoever and however many that are), the problem is that if they have access to my data, then a not properly fixed or yet to be discovered security problem on their servers could possibly make my data available to hackers as well.

phitsc · « **Reply #44 on:** April 18, 2011, 02:11 AM »

I like it how SpiderOak tries to be very clear about where possible security problems in using their service could be, e.g. here about accessing one's data over the web interface:

https://spideroak.co...tters#instant_access

phitsc · « **Reply #45 on:** May 06, 2011, 10:38 AM »

And here comes the "workaround":

http://lifehacker.co...eve-got-beta-invites

Armando · « **Reply #46 on:** May 06, 2011, 12:08 PM »

Thanks or the heads up ! Will have a look at it later.

phitsc · « **Reply #47 on:** May 16, 2011, 02:12 AM »

And the tale goes on:

http://www.wired.com...2011/05/dropbox-ftc/

Stoic Joker · « **Reply #48 on:** May 16, 2011, 07:02 AM »

Zoiks! ...So apparently, at this point, it's safer to have your head in the sand, than in the cloud(s).

Armando · « **Reply #49 on:** May 16, 2011, 10:41 AM »

Wonder what DropBox is going to do now. There might be lawsuits coming.