Dropbox Left User Accounts Unlocked for 4 Hours Sunday

J-Mac:
Oh well, so much for my Dropbox account. I was looking hard at Spider Oak recently; no question now as to what I will do. Here's a link:

http://www.wired.com/threatlevel/2011/06/dropbox/

And here is a link to some comments by security researcher Christopher Soghoian at Pastebin, though I haven't been able to get to the site all day; too much traffic.

http://pastebin.com/yBKwDY6T

Might just be the end of good times for Dropbox...

Jim

Dirhael:
This incident was bad enough for me to delete my Dropbox account and drop them a message stating why. I'm just hoping enough people do the same, so that they'll actually care. Will they improve in the future? I'm sure they eventually will, but this incident coupled with their lack of SSL-encrypted logins in their mobile client... well, enough is enough.

Armando:
:down:

kyrathaba:
SpiderOak is the way to go (at present, at least). If you decide to try it, there are several of us here on DC who have referrer-links and would benefit by your using them. Mine is here, but to be honest I don't really need more space (could use, but don't need). Someone else feel free to post their link.

Renegade:
The Cloud is going to change everything... Instead of you screwing up, you'll be able to scream at other people! Join the party!

From the article there:

The bug was made possible because of the security architecture choice that Dropbox made, where encryption and decryption happen on Dropbox’s servers, rather than on individual’s computers. This allows Dropbox to open files because it, not the user, holds the encryption key. That architecture adds to ease of use and lets people recover their files — even if they forgot their password. In a system where a user unlocks their cloud files with their own encryption key, the data would be lost forever if a user forgets their encryption key, and a complicated encryption key has to be entered into every client device that wants to sync via the locker.

However, Christopher Soghoian argues that Dropbox’s model introduces too many security vulnerabilities and that Dropbox overstated how secure file storage was, leading him to file an FTC complaint against the company.
--- End quote ---

Which is exactly why client-side encryption was chosen for ALPass Online back when I worked at ESTsoft. Because it's secure that way. (ALPass only made you remember 1 password for everything.)

The more and more I see of what is happening in "the cloud", the more I want as little to do with it as possible.

My wife is currently having nightmares with her new Windows 7 laptop (same hardware, just upgraded from XP to Win 7) as the university is moving to the cloud. Oh joy. Now accessing files and things is problematic, etc. etc. Joy. Fun.

Why don't I use Dropbox? I already pay for servers, and FTP and HTTP work just fine for uploading and downloading. I never allow directory listings, etc. etc., so I really have no worries. Even if I upload a sensitive file that is publicly accessible, it's harder to guess the path for it than it is to guess a user name and password.

With the rampant destruction going on out there, I can't find any compelling reason to shift anything to "the cloud", whereas I can find many reasons not to.

"But it's easier..." Not really. If I have to sign up for something, it's harder. I can do everything I need to do better, faster, easier, cheaper than I can by putting things into the cloud. I use a paid Flickr account, but it's not really crucially important stuff. If it were, I'd probably be better off doing it myself. I'm already paying for infrastructure...

I think "mini-clouds" for individuals could work well. Get your own mini-cloud site with your own domain name, have it setup with all the typical sharing features that you might want/need (photos, music, files, etc.), and use OpenID to login to different people's sites to download/share/collaborate.

A decentralized system like that would be virtually impossible to do a significant amount of damage to, as you'd need to target each one individually, which would be a logistical nightmare for hackers. Right now we've got massive repositories of users just waiting to get p0wned. Yay. Fun.

All it takes is for 1 person on a site to have materials that someone desperately wants... hacking a million is no harder than hacking 1 (at the site level).

I was leaning towards the cloud somewhat before... I'm swaying back to my skepticism again...
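An added example to make the architectural point in the quoted article concrete; it is not code from this thread, from Dropbox, or from SpiderOak. It models the two locker designs side by side: a service-held key that decrypts for whoever reaches the download step (the "forgot your password, we can still open it" model), and a client-derived key the service never sees. The sample file and passphrase are constructed, and the cipher is a standard-library construction (PBKDF2 for key derivation, HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) chosen only so the script runs offline; a real client would use an AEAD such as AES-GCM from a vetted library in its place.

```python
"""Two file-locker architectures, as the quoted article contrasts them.
Constructed illustration; not Dropbox's or SpiderOak's code."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; illustrative value

# Constructed sample data (not taken from the thread).
SECRET = b"2010 tax return with account numbers"
PASSPHRASE = "correct horse battery staple"

def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Turn a passphrase into an encryption key and a MAC key.
    In the client-side model this runs only on the user's machine."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(k_enc, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Blob layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = derive_keys(passphrase, salt)
    stream = _keystream(k_enc, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def try_decrypt(passphrase: str, blob: bytes):
    """Return the plaintext, or None if the passphrase is wrong or the blob changed."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k_enc, k_mac = derive_keys(passphrase, salt)
    expected = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))

class ServerSideLocker:
    """The model the article attributes to Dropbox: the service holds the key,
    so it can open files for a user who forgot their password, and equally
    for any session a login bug lets through."""
    def __init__(self):
        self.service_key = os.urandom(32).hex()  # never known to the user
        self.blobs = {}

    def upload(self, user: str, data: bytes) -> None:
        self.blobs[user] = encrypt(self.service_key, data)

    def download(self, user: str) -> bytes:
        # Whatever the login check decided, the key is right here.
        return try_decrypt(self.service_key, self.blobs[user])

class ClientSideLocker:
    """The contrasting model: the client encrypts with a key only it can
    derive, and the service stores and returns opaque blobs."""
    def __init__(self):
        self.blobs = {}

    def upload(self, user: str, blob: bytes) -> None:
        self.blobs[user] = blob

    def download(self, user: str) -> bytes:
        return self.blobs[user]

def run_demo() -> dict:
    """Store the same file in both lockers and report what each hands to a
    session that reached the download step without a valid password."""
    srv = ServerSideLocker()
    srv.upload("alice", SECRET)

    cli = ClientSideLocker()
    cli.upload("alice", encrypt(PASSPHRASE, SECRET))  # encrypted before upload
    blob = cli.download("alice")

    return {
        "server_side_after_login_bug": srv.download("alice"),
        "client_side_after_login_bug": blob,
        "client_side_with_passphrase": try_decrypt(PASSPHRASE, blob),
        "client_side_forgotten_passphrase": try_decrypt("i forgot it", blob),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the trade-off the article describes in one screen: the server-side locker returns the plaintext from the download step alone, the client-side locker returns a blob that only the right passphrase unlocks, and the forgotten-passphrase case comes back as None, which is the price of the service not being able to recover your files for you.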
