Forgot your password?
typodupeerror
Cloud Data Storage Security The Internet

Dropbox Accused of Lying About Security 265

Posted by samzenpus
from the e-pants-on-fire dept.
lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."
This discussion has been archived. No new comments can be posted.

Dropbox Accused of Lying About Security

Comments Filter:
  • Good (Score:5, Insightful)

    by gadzook33 (740455) on Sunday May 15, 2011 @07:26PM (#36136090)
    As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.
    • Absolutely right. Couldn't believe the laughable security system when it came out. Has anyone else converted all their dropbox folders to truecrypt volumes?
      • Not all of them. Anyone accessing my 'Projects' Folders wouldn't find anything that wasn't on my Git Hub. Nor would they get much out of my "Spring 2011" homework folder.

        Good luck getting at my "Taxes.tc" file.

    • by Anonymous Coward on Sunday May 15, 2011 @08:03PM (#36136252)

      Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

      The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

      And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

      My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

    • by Yvanhoe (564877)
      What I hope will happen : that "cloud" will soon become synonym for "pixie dust" or "snake oil" when it comes to computer security.

      What should have happened : the same, 5 years ago.
  • Call me back... (Score:4, Insightful)

    by bannable (1605677) on Sunday May 15, 2011 @07:27PM (#36136096)
    ...when there's an actual investigation. Why the hell is it news that someone made a complaint?
  • by retroworks (652802) on Sunday May 15, 2011 @07:33PM (#36136114) Homepage Journal
    Here I was feeling all certain that my data was secure, and it just turns out my information just isn't important or interesting enough to purloin.

    Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.

    • by chill (34294) on Sunday May 15, 2011 @07:36PM (#36136126) Journal

      The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.

      • by gman003 (1693318)
        I just automatically assume that anything online is insecure until proven otherwise. My Dropbox contains backups of some open-source programs I'm making, and a bunch of photos I wanted to put online. My GMail contains no information more private than my third-tier passwords (ones for forums/newslists where someone hijacking my account would be harmless). My Facebook contains nothing more than my name and high school. My Twitter has no information at all - just my username. The only online service I keep any
      • Well, yes, they are lying and that is one point of the story, but most comments and most public alarm is off point. Assessing cloud security is like checking my mom's virginity. I assume everyone in the cloud lies about my security, and that anything I put in the cloud is at risk. As for "credit card" info, the credit card companies are NUMERO UNO in sharing personal info from credit card use. Everyone who says cloud data, or credit card data, is secure is lying. As for "porn", ha ha ha ha ha ha ha.
    • by rastilin (752802)

      That's all true but there's two issues in this particular case.

      -- We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.

      -- They're lying to get ahead in the market. That's something we need to discourage.

      • We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.

        You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)

        • by Haedrian (1676506)

          That depends, is it home made stuff?

          • by rastilin (752802)

            It's an example of something no-one would give a damn about that people take anyway; because it's there.

        • by hedwards (940851)

          And you seem to be assuming that the GP doesn't have midget furry gangbang pedo porn on his computer. That shit'll get you sent up for years.

        • by rastilin (752802)

          For the purposes of this exercise, let's assume that no one stores their credit card numbers on their computer in plaintext; even though we all know that's not true.

          The porn thing is one thing I never understood, why would anyone bother? It's like they've never heard of the internet. I figure that some people will take anything not nailed down, a pretty solid reason that Dropbox should not give it's employees access to the user's stuff at all.

        • You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc...

          Depending on the porn . . . . yes.

        • by 1u3hr (530656)

          You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)

          A Hong Kong singer/actor who liked to take photos of girls spreading their legs and having having sex with him, several of whom were popular actresses/singers with "nice girl " images, sent his laptop in for repair....

          See http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal [wikipedia.org]

    • First, you are wrong. The data in your account is interesting to a whole host of people, regardless of how insignificant you are. Maybe there's a credit card number in there. Maybe there's clues to your password. Maybe your social graph is interesting to a marketer. In this age, even an insignificant person's data is of interest to someone.

      Secondly, DropBox lied. Plain and simple. They made a security claim that wasn't true and sold their service based on it. If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.

      • I ask the above question because I didn't start using Dropbox because I thought it was secure--I have class notes for teaching and notes for my personal studies in my account and these are for the most part publicly available anyway. I signed up because I was tired of having to fish out my backup CDs when my hard drives died on me (I still do a local backup though) and this part of their service is visibly not a lie and has saved me on at least two occasions in addition to the ease of sharing said notes wit
        • by adolf (21054)

          Did they really lie to most people?

          They're still lying. From https://www.dropbox.com/features>https://www.dropbox.com/features [dropbox.com]:

          Dropbox protects your files without you needing to think about it.

          • Dropbox keeps a one-month history of your work.
          • by Ash-Fox (726320)

            All transmission of file data occurs over an encrypted channel (SSL)

            Other than that one, not seeing any other lies.

          • Re: (Score:2, Insightful)

            by shmlco (594907)

            "All files stored on Dropbox are encrypted (AES-256)."

            Well, the op states, "...but in fact, as the encryption keys are in their possession...". As such, the statement can easily be true. The files *are* stored in an encrypted format.

            In fact, if you think about the "shared" features of their service, folders and files, they would HAVE to be able to access them and decrypt them, otherwise they could not be shared.

            • by adolf (21054)

              Meh.

              Pretend, for a moment, that I am not well-versed in encryption concepts.

              Dropbox says that they will protect my files, and that they can also share them with others at my choosing.

              I, being ignorant of encryption concepts (as most folks certainly are), do not see the two concepts as being mutually exclusive, even though they plainly are to those with more clue.

              Therefore, I (the ignorant layperson) am mislead.

              This might not seem important to the Slashdot crowd, but Dropbox is being marketed at common folk,

          • by Bert64 (520050)

            Those claims are not lies, they are simply misleading...

            Saying they "protect" your files may refer to the undeletion and history feature.

            Similarly, they do encrypt your files with AES256, what they neglect to tell you is where the key to that encryption is stored.
            There are all kinds of security standards out there which require encryption too, but don't make any constraints about how the keys should be handled etc.

      • by pushing-robot (1037830) on Sunday May 15, 2011 @08:17PM (#36136316)

        I can understand the concerns about credit cards and bank info, but I don't really get why people are so freaked out about marketers learning a bit of generic info about their lives:

        Person 1 -- Oh no! An advertising firm got hold of my semi-private information!

        Person 2 -- That's terrible. What did they do with it?

        Person 1 -- Well, they started showing me ads for things I might actually buy.

        Person 2 -- Gods! Have these men no shame?

        • by hedwards (940851) on Sunday May 15, 2011 @08:35PM (#36136428)

          Because it's not a little generic info about their lives. It's a small leak here a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.

          It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.

      • "If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well."

        I'm sorry to be the one to inform you of this, but we already live in a world like that.

  • by Anonymous Coward on Sunday May 15, 2011 @07:35PM (#36136124)

    "the encryption keys are in their possession"

    Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?

    If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.

    Is it just me, or about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"

    • by nedlohs (1335013)

      It doesn't matter.

      If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.

      It doesn't matter if they obviously lying, and anyone who knows anything about what they do can tell that.

      Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

      • Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.

        It may not cure cancer, but it used to calm the nerves, cure headaches, and put a smile on your face -- well, back when it was laced with cocaine.

        Today, the only things it cures is low blood sugar and headaches due to caffeine addiction withdrawals.

        It's really too bad, if we had allowed pharmaceuticals to stay in colas perhaps their massive global revenue reserves would have been available to advance cancer research and discover a cure; Thus, drinking coke would cure cancer.

        P.S. To all against legalizi

    • by Junta (36770)

      I'm with you *except* the last line.

      I doubt I'll ever trust a service providers storage encryption rather than applying a local, independent layer of encryption they can't circumvent, *however*, it isn't entirely unreasonable to believe a cloud solution could include meaningful encryption that would preclude even their administrators from access, *even* in the dropbox case with files being shared. Granted, doing so and doing it conveniently means they probably have an exposure (I wager that the client soft

      • I wager that the client software submits the password to server for authentication and therefore a modified server could capture password and use that to decrypt keys, which is the most straightforward thing to expect

        Well, the client could send an hash instead; it's what some other services do.

  • I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update, without any significant notice to me that they had done so. At the time I considered this extremely rude behaviour on the part of the company. I am glad they are getting some bad press, as there are much better alternatives out there that could do with some business. Wuala, for example, is the alternative I chose. It encrypts everything o
    • by Ash-Fox (726320)

      I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

      How is that even possible when it doesn't run as root?

      • by mustard5 (962587)

        I closed my dropbox account for two reasons, firstly their admission as to who had access to my data and then they made alterations to my /etc/fstab, during an update

        How is that even possible when it doesn't run as root?

        The package manager has root.

  • by fak3r (917687) on Sunday May 15, 2011 @08:08PM (#36136274) Homepage
    I hope this makes more people consider running their own system to handle this, lipsync is trying to provide that, it's on github https://github.com/philcryer/lipsync [github.com]
    • rsync based solutions are a dime a dozen, however they don't really replace a full Dropbox implementation.

      One of the key features of Dropbox is versioning (the ability to restore deleted files, and roll back files to previous iterations). There are very few solutions out there that do this at all, yet alone as well as dropbox does

  • Quote: "SpiderOak was designed and implemented by Engineers with a background in fault tolerant systems with a margin of error of 0.0000%." This is either a bald-faced lie, or the background of those "Engineers" is that they failed the statistics exam.

  • Would using password protected .RAR or .ZIP files be relatively secure?

    • by blueg3 (192743)

      A TrueCrypt volume is secure and reasonably portable.

      • A TrueCrypt volume is secure and reasonably portable.

        For me, sure. But one of the things I use DropBox for is to send files to a coworker who isn't as computer saavy. I can get him to enter passwords but my fear is, and maybe you can help me figure out that it's unfounded, that I'll show him how to use TrueCrypt then after 6 months of not using it he'll forget how to do it.

  • Spideroak, Googledocs, Dropbox, Credit Card users... "buyer beware" is now "supplier beware".
  • by DrXym (126579) on Monday May 16, 2011 @06:25AM (#36138656)
    The problem with Dropbox is the user id and password used to log into the service are also the credentials for obtaining the data. It's hard to see how they could implement server side encryption with the current model. After all, all they need to do is reset the password on the login id or extract whatever key is used to store the data on their servers.

    It's a security tradeoff - convenience over encryption. Anyway if they publicly said it was impossible to see the data they need to get a bit of a slap. I hope what they meant is their employee's roles are separated in a way which means it's difficult for any one person to obtain all the pieces they need to view the data and even if they did they'd be detected by numerous database / network triggers and thrown out the door. Even so I think most technically or criminally minded people could just implement their own security on top, e.g. a very simple way is to store stuff in an encrypted zip or 7-zip file. I reckon most people don't bother though and that's where the problem lies.

    Perhaps the answer for Dropbox is to implement a second level security where users can generate their own keys to secure certain folders. The keys remain in the user's possession on the client side. Data including file names & folder structure would be seamlessly scrambled / descrambled on the fly. It might preclude that folder from being accessible over the web interface and the user would be responsible for figuring out how to get the key onto every device they use, but it would allow Dropbox to say they support fully encrypted data that their staff really cannot see.

Passwords are implemented as a result of insecurity.

Working...