The Cloud is going to change everything... Instead of you screwing up, you'll be able to scream at other people! Join the party!
From the article there:
The bug was made possible because of the security architecture choice that Dropbox made, where encryption and decryption happen on Dropbox’s servers, rather than on individual’s computers. This allows Dropbox to open files because it, not the user, holds the encryption key. That architecture adds to ease of use and lets people recover their files — even if they forgot their password. In a system where a user unlocks their cloud files with their own encryption key, the data would be lost forever if a user forgets their encryption key, and a complicated encryption key has to be entered into every client device that wants to sync via the locker.
However, Christopher Soghoian argues that Dropbox’s model introduces too many security vulnerabilities and that Dropbox overstated how secure file storage was, leading him to file an FTC complaint against the company.
Which is exactly why client-side encryption was chosen for ALPass Online back when I worked at ESTsoft. Because it's secure that way. (ALPass only made you remember 1 password for everything.)
The more and more I see of what is happening in "the cloud", the more I want as little to do with it as possible.
My wife is currently having nightmares with her new Windows 7 laptop (same hardware, just upgraded from XP to Win 7) as the university is moving to the cloud. Oh joy. Now accessing files and things is problematic, etc. etc. Joy. Fun.
Why don't I use Dropbox? I already pay for servers, and FTP and HTTP work just fine for uploading and downloading. I never allow directory listings, etc. etc., so I really have no worries. Even if I upload a sensitive file that is publicly accessible, it's harder to guess the path for it than it is to guess a user name and password.
With the rampant destruction going on out there, I can't find any compelling reason to shift anything to "the cloud", whereas I can find many reasons not to.
"But it's easier..." Not really. If I have to sign up for something, it's harder. I can do everything I need to do better, faster, easier, cheaper than I can by putting things into the cloud. I use a paid Flickr account, but it's not really crucially important stuff. If it were, I'd probably be better off doing it myself. I'm already paying for infrastructure...
I think "mini-clouds" for individuals could work well. Get your own mini-cloud site with your own domain name, have it set up with all the typical sharing features that you might want/need (photos, music, files, etc.), and use OpenID to log in to different people's sites to download/share/collaborate.
A decentralized system like that would be virtually impossible to do a significant amount of damage to, as you'd need to target each one individually, which would be a logistical nightmare for hackers. Right now we've got massive repositories of users just waiting to get p0wned. Yay. Fun.
All it takes is for 1 person on a site to have materials that someone desperately wants... hacking a million is no harder than hacking 1 (at the site level).
I was leaning towards the cloud somewhat before... I'm swaying back to my skepticism again...
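The trade-off in the quoted article, sketched as an added example that is not part of the original post and is not Dropbox's or ALPass's code: the key is derived from the user's password on the client, so the provider stores only ciphertext, and a forgotten password means the data cannot be recovered. Function names and sample values are hypothetical, and it assumes Node.js with its built-in `crypto` module.

```javascript
// Added illustration: client-side encryption, provider never sees the key.
// All function names and sample values are hypothetical (constructed).
const crypto = require('node:crypto');

// Derive a 256-bit key from the password. The salt is stored with the blob
// and is not secret; it only makes precomputed guessing tables useless.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Runs on the user's device. The returned object is everything the storage
// provider receives: salt, IV, auth tag and ciphertext, but no key.
function encryptForUpload(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Runs on the user's device after download. Returns the plaintext, or null
// when GCM authentication fails: wrong password or a modified blob.
function decryptAfterDownload(password, blob) {
  const key = deriveKey(password, blob.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    const plain = Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
    return plain.toString('utf8');
  } catch (err) {
    return null; // no recovery path: nobody else holds the key
  }
}

// Constructed sample run.
const demoBlob = encryptForUpload('correct horse battery', 'contents of a private file');
console.log('stored by provider:', demoBlob.ciphertext.toString('hex'));
console.log('right password    :', decryptAfterDownload('correct horse battery', demoBlob));
console.log('forgotten password:', decryptAfterDownload('some other guess', demoBlob));
```

In the server-side model the article describes, `deriveKey` and the decrypt step would run on the provider's machines instead, which is what makes password recovery possible and also what lets the provider open the files.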