topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:47 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Dropbox Left User Accounts Unlocked for 4 Hours Sunday  (Read 10096 times)

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« on: June 20, 2011, 11:20 PM »
Oh well, so much for my Dropbox account. I was looking hard at Spider Oak recently; no question now as to what I will do. Here's  a link:

http://www.wired.com/threatlevel/2011/06/dropbox/

And here is a link to some comments by security researcher Christopher Soghoian at Pastebin, though I haven't been able to get to the site all day; too much traffic.

http://pastebin.com/yBKwDY6T

Might just be the end of good times for Dropbox...

Jim

Dirhael

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 387
    • View Profile
    • defreitas.no
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #1 on: June 21, 2011, 01:16 AM »
This incident was bad enough for me to delete my Dropbox account, and dropping them a message stating why. I'm just hoping enough people do the same, so that they'll actually care. Will they improve in the future? I'm sure they eventually will, but this incident coupled with their lack of ssl-encrypted logins in their mobile client...well, enough is enough.
Registered nurse by day, hobby programmer by night.

Armando

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 2,727
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #2 on: June 21, 2011, 12:58 PM »
 :down:

kyrathaba

  • N.A.N.Y. Organizer
  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 3,200
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #3 on: June 21, 2011, 08:05 PM »
SpiderOak is the way to go (at present, at least).  If you decide to try it, there are several of us here on DC who have referrer-links and would benefit by your using them.  Mine is here, but to be honest I don't really need more space (could use, but don't need).  Someone else feel free to post their link.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #4 on: June 21, 2011, 09:09 PM »
The Cloud is going to change everything... Instead of you screwing up, you'll be able to scream at other people! Join the party!

From the article there:

The bug was made possible because of the security architecture choice that Dropbox made, where encryption and decryption happen on Dropbox’s servers, rather than on individual’s computers. This allows Dropbox to open files because it, not the user, holds the encryption key. That architecture adds to ease of use and lets people recover their files — even if they forgot their password. In a system where a user unlocks their cloud files with their own encryption key, the data would be lost forever if a user forgets their encryption key, and a complicated encryption key has to be entered into every client device that wants to sync via the locker.

However, Christopher Soghoian argues that Dropbox’s model introduces too many security vulnerabilities and that Dropbox overstated how secure file storage was, leading him to file an FTC complaint against the company.

Which is exactly why client-side encryption was chosen for ALPass Online back when I worked at ESTsoft. Because it's secure that way. (ALPass only made you remember 1 password for everything.)

The more and more I see of what is happening in "the cloud", the more I want as little to do with it as possible.

My wife is currently having nightmares with her new Windows 7 laptop (same hardware, just upgraded from XP to Win 7) as the university is moving to the cloud. Oh joy. Now accessing files and things is problematic, etc. etc. Joy. Fun.

Why don't I use Dropbox? I already pay for servers, and FTP and HTTP work just fine for uploading and downloading. I never allow directory listings, etc. etc., so I really have no worries. Even if I upload a sensitive file that is publicly accessible, it's harder to guess the path for it than it is to guess a user name and password.

With the rampant destruction going on out there, I can't find any compelling reason to shift anything to "the cloud", whereas I can find many reasons not to.

"But it's easier..." Not really. If I have to sign up for something, it's harder. I can do everything I need to do better, faster, easier, cheaper than I can by putting things into the cloud. I use a paid Flickr account, but it's not really crucially important stuff. If it were, I'd probably be better off doing it myself. I'm already paying for infrastructure...

I think "mini-clouds" for individuals could work well. Get your own mini-cloud site with your own domain name, have it setup with all the typical sharing features that you might want/need (photos, music, files, etc.), and use OpenID to login to different people's sites to download/share/collaborate.

A decentralized system like that would be virtually impossible to a significant amount of damage to as you'd need to target each one individually, which would be a logistical nightmare for hackers. Right now we've got massive repositories of users just waiting to get p0wned. Yay. Fun.

All it takes is for 1 person on a site to have materials that someone desperately wants... hacking a million is no harder than hacking 1 (at the site level).

I was leaning towards the cloud somewhat before... I'm swaying back to my skepticism again...
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #5 on: June 21, 2011, 09:24 PM »
Renegade,

For sensitive or critical data I agree completely. But for the non-sensitive, non-critical stuff, it's a nice way for someone without their own server to store loads of that data. I don’t keep any financial or private data online; just the stuff I have gathered over many years, information that I don’t really care if anyone else sees, that would take way too many external drives. Still I don’t like to think that it is all just publicly available if I am paying for the storage.

Jim

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #6 on: June 21, 2011, 09:31 PM »
Renegade,

For sensitive or critical data I agree completely. But for the non-sensitive, non-critical stuff, it's a nice way for someone without their own server to store loads of that data. I don’t keep any financial or private data online; just the stuff I have gathered over many years, information that I don’t really care if anyone else sees, that would take way too many external drives. Still I don’t like to think that it is all just publicly available if I am paying for the storage.

Jim

Can't disagree with that. :)

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #7 on: June 21, 2011, 09:34 PM »
In a related way:

http://www.theregist...pe_aus_web_and_data/

Thousands of Australian websites have irretrievably lost their data and email files following a malicious security hack on Australian domain registrar and web host Distribute.IT.

The company has been scrambling to save data and get customers back online or moved to safe servers since the security breach occurred over a week ago, but has largely failed to recover data from the affected server’s shared servers.

http://www.distributeit.com.au/

Our Data Recovery teams have been working around the clock in an attempt to recover data from the affected servers shared Servers. At this time, We regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable.

Ouch...

This is really getting out of hand. The number of high-profile hacks going on is just through the roof.

An interesting thing to ponder... I've not heard any reports about the stack these sites are on... Microsoft? LAMP? Solaris?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #8 on: June 21, 2011, 09:38 PM »
LulzSec claims to be reporting all their major hacks so publicly to force companies to get real regarding their online security measures. Might be true, might be bull; either way they sure are bringing a lot of heat to the subject.

Jim

justice

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,898
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #9 on: June 29, 2011, 03:49 AM »
What's the very easiest way to encrypt certain folders on dropbox? Something that is more userfriendly then having to unmount a truecrypt volume in order for it to be synced. On Mac OS X you can also create an encrypted Disk Image (.dmg) using Disk Utility (normally found in /Applications/Utilities).

What about us windows users?

lanux128

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 6,277
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #10 on: June 29, 2011, 03:58 AM »
saw this app - Boxcryptor featured on how-to-geek (HTG), is it any good?

http://www.howtogeek...ive-with-boxcryptor/

justice

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,898
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #11 on: June 29, 2011, 04:19 AM »
Thanks seems very simple and transparent to operate. The free version encrypts up to 2GB which is perfect for my personal documents.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #12 on: June 29, 2011, 04:25 AM »
For encrypting stuff onto Dropbox, there was also SecretSync.

But having just looked at BoxCryptor, that one might be more user-friendly than SecretSync.
« Last Edit: June 29, 2011, 04:29 AM by Deozaan »

justice

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,898
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #13 on: June 29, 2011, 04:39 AM »
Yes there are a variety of programs described at http://wiki.dropbox....easePrivacyAndSafety but the descriptions were very unclear and the platforms were mixed up. In case you are looking for an alternative you could start there.

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #14 on: June 29, 2011, 09:07 AM »
Using your dropbox to host a Truecrypt container is a pretty smart idea. But I'm happy enough with SpiderOak myself.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #15 on: June 29, 2011, 09:24 AM »
Using your dropbox to host a Truecrypt container is a pretty smart idea. But I'm happy enough with SpiderOak myself.

I heard somewhere that it's possible for others to to find out your data in Dropbox even when using Truecrypt because of the way it does delta copying or something. I'm not a security expert, so I might be wrong on some or all of the details, but I was under the impression that even Truecrypt wasn't safe on Dropbox.

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #16 on: June 29, 2011, 09:27 AM »
Interesting, I've no idea about that myself. Computer security is not for the faint hearted.

kyrathaba

  • N.A.N.Y. Organizer
  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 3,200
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #17 on: June 29, 2011, 12:23 PM »
Another happy SpiderOak user here. Got my kids and mother-in-law to sign up, so now I have 5 GB of free storage. Plenty for my meager needs.

kyrathaba

  • N.A.N.Y. Organizer
  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 3,200
    • View Profile
    • Donate to Member
Re: Dropbox Left User Accounts Unlocked for 4 Hours Sunday
« Reply #18 on: June 29, 2011, 02:39 PM »
Whoa!  Dunno who my benefactors are, but since my previous post earlier today in this thread, I've gained another two GB for referrals.  Thanks, whoever, you are: I'm up to 7 GB :)