
(Archived) Looks like Dropbox have had some security issues...



  • Level 5*

http://arstechnica.c... - All content)

Just a reminder that in the end you are responsible for the security of your own data...

It was the error last year that really bothered me. I remember at the time thinking that I must have read the reports incorrectly, because it seemed impossible to imagine that my backup service had just opened up my account to the entire world, along with everyone else's accounts. It's like the cars that supposedly catch on fire spontaneously (we are one of the unfortunate many who have one of those going to the shop soon for yet another recall) or certain social network services that go into your account, erase your email address, give you a new one, and then promptly lose emails (ironically, anti-social). How do such things happen?

I suppose we could criticize Dropbox for this or that, and I am sure they deserve some of it, but in the end, I think Metrodon is right: take responsibility for your stuff, because bad stuff happens. I couldn't be happier with Evernote's service, and I trust them with my stuff, but I still carry around my own copies (it is very cool that Evernote built this into the service from the ground up).

Link to comment

I agree that it's often surprising when a big company gets hacked. But we've all heard about the major banks that get hacked & have to issue new credit card numbers. I've even had it happen to me three times, in the past ~10 years. New credit card with different number arrives in the mail with a letter explaining they are covering their butts by changing my account number. (Not in those words, mind you. :P ) So if they can have breaches, then surely any company can have them.

Although I use Dropbox pretty much every day & even have a paid account with them, one thing really, really annoys me about them. (Unless they've changed something in the past 18 months.) IMO, they try to make users think their data is safe b/c it's encrypted. But...it's encrypted with your account password. I think many people think this means their data is safe. But it's pretty much like locking your house & putting the key under the door mat. So when I store sensitive data in Dropbox, it's in a Truecrypted container or an encrypted PDF. Here's a thread I started over a year & a half ago on this topic.

Link to comment

Looks like Dropbox still doesn't allow you to use separate encryption keys. From this page:

"To ensure everyone has the ability to view and share files on the web painlessly, Dropbox currently does not support the creation of your own private keys. However, allowing user control over this is something we might consider adding in the future. Meanwhile, please know that Dropbox takes the security of your files seriously. All files stored on Dropbox servers are encrypted"

Link to comment
  • Level 5*

With regard to the most recent DropBox security failure, DropBox is adding additional security:

Dropbox noted that users should set up different passwords for different sites. The site is also increasing its own security measures. In a few weeks, Dropbox said it will start offering an optional two-factor authentication service. This could involve users logging in with a password as well as a temporary code sent to their phones.

It was the error last year that really bothered me. I remember at the time thinking that I must have read the reports incorrectly, because it seemed impossible to imagine that my backup service had just opened up my account to the entire world, along with everyone else's accounts.

GM, to put this in context, it was not as bad as you make it sound.

From Wired.com's report:

At a time when hackers are on a tear looting information willy-nilly from insecure sites on the Web, Dropbox did the unthinkable Sunday — it allowed anyone in the world to access any one of its 25 million customers’ online storage lockers — simply by typing in any password.

Dropbox, one of the most popular ways to share and sync files online, says the accounts became unlocked at 1:54pm Pacific time Sunday when a programming change introduced a bug. The company closed the hole a little less than 4 hours later.

Dropbox says fewer than 1% of accounts were opened during that time and it force-closed all of those sessions to cut off access to anyone who authenticated with false credentials during that time.

So, in order for someone else to have accessed your DropBox account, they would have to know:

  1. That within a 4-hour window any password would work
  2. Your DropBox email account

While this is not good, it could have been much worse. As far as I can tell no one lost any data, nor was there any unauthorized access.

IMO, we should have a two-fold front:

  1. Demand that our vendors (banks, cloud services, etc) provide a very high level of security for all of our stuff, and hold them accountable when they fail.
  2. We should be smart buyers and do our due diligence to ensure that the security offered by the vendor is acceptable to us.

Since most companies generally respond to customer demand (remember supply and demand?), there is nothing wrong with each of us asking for increased security when we feel it is needed. If they choose not to provide the security we want, there will be another company that does provide the product/service AND the security we require.

Finally, we always need a backup plan. If a bank fails, the FDIC will eventually refund our cash deposits, but it might take a while. In the meantime, we need backup cash to survive. If a cloud service fails, we need our own backup of critical documents and data.

Link to comment
  • Level 5*
Since most companies generally respond to customer demand (remember supply and demand?), there is nothing wrong with each of us asking for increased security when we feel it is needed. If they choose not to provide the security we want, there will be another company that does provide the product/service AND the security we require.

Here is a perfect example of this:

For those who are seeking a service similar to Dropbox, but with more security, Wuala and SpiderOak encrypt data on users’ devices, not on a central server.

I'm not familiar with either of these services. Anyone used them?

Link to comment
  • Level 5*

@JM

It was every bit as bad as I claimed: Dropbox exposed the accounts of every single person using their service. The company would agree with every word in that statement. I did not exaggerate. And, I am still shocked that something like that could happen.

As I said, what bothered me was the lapse of security. What if they hadn't caught it in four hours? My email is public knowledge, widely known, and anyone who heard about the hack could have pranced in and wiped out all of my data (years of research, photos, important records, etc.) in a matter of seconds.

I made no claims, though, that I lost data, or that it was improperly accessed. The fact that it could have been, despite stringent security measures like an encrypted database, is the issue I am emphasizing here. To spell it out more plainly -- human error (just as we saw in the Apple case) undermined all of the security. This is not just a Dropbox problem, but the risk you take when you place your data in the hands of a third party, and that is why I was advocating that users take control of their data, encrypt it themselves, and be vigilant. Beyond that, the best you can do is make it clear to companies that you consider robust security to be a crucial feature they need to take seriously. I like Evernote's attitude towards security, and as I have said elsewhere, I expected Dropbox to be more proactive in educating its users about options.

SpiderOak? I haven't been able to work it into my everyday routine, because no one seems to have integrations with it. That is part of what makes Dropbox so appealing. However, I am really keen on their system, and I am going to keep trying to figure out how I can make use of it. To my amateur eyes, the security they provide is really impressive, and exactly the kind of thing I want.

Link to comment

Part of the issue is that we also want it to be easy. For example, Charles Schwab sent me a USB keycard which allows me to access my accounts with them. This provides a very high level of security but it also means that if I don't happen to have the USB keycard handy, then I can't access my account. I now use Lastpass on all my websites but the passwords are so complex that I couldn't possibly remember any of them unless I use Lastpass (my wife is constantly confused about how to find the passwords for Amazon and other sites that she used to visit). I am now looking into Google double authentication and technology such as TrueCrypt to further safeguard my info. All of this will make life more complicated and cumbersome, but I don't really see the alternatives right now.

BurgernFries recently pointed out that if you're dealing with a website or institution which has a "forgot your password?" capability, then you're already sacrificing security.

Link to comment
  • Level 5

Apple is an example of the "forgot your password" problem. The latest TWIT podcast #365 had a discussion of the social hacking done on a reporter's account (Mat Honan) and how Apple released the password to the hackers. After Honan published the problem, Apple made some corrections to their internal procedures. I wonder if it happened to a normal customer whether Apple would have reacted as quickly.

Link to comment
  • Level 5*

No. Probably not. Good on Mat for publicizing it, warts and all, so that we can learn from it and improve. I've already made a number of major changes for myself. Admittedly, I had been contemplating them for some time (extra security = extra time and effort), but his experience gave me more incentive.

Link to comment

Archived

This topic is now archived and is closed to further replies.
