Dropbox Accused of Lying About Security
lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."
Good (Score:5, Insightful)
Seconded (Score:2)
Re: (Score:3)
Not all of them. Anyone accessing my 'Projects' Folders wouldn't find anything that wasn't on my GitHub. Nor would they get much out of my "Spring 2011" homework folder.
Good luck getting at my "Taxes.tc" file.
Re: (Score:2)
I'm sort of both of those. And I have and would've made a better service than that.
Re: (Score:3)
But you didn't. It's much easier to *say* how you'd do something than it is to actually do it.
If you really could do so much better, why haven't you done so? Seems like a good way to make a few million, if it's so simple...
Re: (Score:2)
Parent never said (s)he would come up with the idea (nor that it was simple), just that (s)he would implement it better.
Re: (Score:3)
And I never said he said he came up with the idea.
Everybody's a backseat nerd here on Slashdot. "Oh, I could've done that better." Yeah, right. It's far easier to criticize someone else's work than it is to do the work yourself.
Re: (Score:2)
Well, I have the knowledge, and I have designed systems that use cryptography in the past. You're right though, until I've actually done it, it's all just hot air. :-)
Though, if I were DropBox, I would've just used Tahoe [tahoe-lafs.org]. Of course, as someone else mentioned, that doesn't really effectively do de-duplication. So perhaps the hypothetical service I designed that way couldn't have worked as well.
Re: (Score:2)
"Eighth-grader logic" is thinking that having an idea about how you'd do something, and actually doing something, is the same thing. For all the inevitable posts on Slashdot by people who seem to think they are so capable, you'd think these super-geniuses would be out there making all sorts of amazing things. When the actual truth is that it's far easier to *CLAIM* you can do something better than it is to *ACTUALLY* do something better.
Re:Seconded (Score:4, Insightful)
In order to be able to do deduplication across their subscriber base, rather than per-user or none at all (likely making for considerable disk and bandwidth savings across a service of their size), Dropbox failed to (usefully) encrypt user files and introduced a fun side-channel attack where anybody can determine whether somebody else has a file stored, just by attempting to upload it and then sniffing the wire to see if it takes the expected upload time, or just a tiny amount of hash comparing to "upload".
Technologically, they didn't exactly advance the state of the art in crypto to power their service; but the issues at question appear to be technologically competent enough, deduplication across the largest set of files possible is a perfectly sensible way of reducing storage and bandwidth costs, it's just that they then proceeded to sharply oversell the amount of actual privacy they were providing.
Given that education doesn't seem to have much effect on honesty (unless you count the courses of study that probably make you worse...) I'd be inclined to say that it is irrelevant to the problem at hand.
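Added example, not part of the thread or Dropbox's code: a small model of the trade-off the comment above describes, comparing cross-user deduplication with per-account deduplication. The `DedupStore` class, the user names and the sample file are constructed for illustration.

```python
import hashlib


class DedupStore:
    """Toy storage back end (hypothetical, constructed for illustration).

    scope="global": one stored copy per content hash across all accounts.
    scope="user":   one stored copy per (account, content hash).
    """

    def __init__(self, scope):
        if scope not in ("global", "user"):
            raise ValueError("scope must be 'global' or 'user'")
        self.scope = scope
        self.blobs = {}  # index key -> stored bytes

    def _index_key(self, user, content):
        digest = hashlib.sha256(content).hexdigest()
        # Global scope ignores who is uploading; user scope does not.
        return digest if self.scope == "global" else (user, digest)

    def upload(self, user, content):
        """Store content for user; return how many body bytes were transferred."""
        key = self._index_key(user, content)
        if key in self.blobs:
            return 0  # hash matched an existing blob: the body is never sent
        self.blobs[key] = content
        return len(content)

    def stored_bytes(self):
        """Total bytes the provider keeps on disk."""
        return sum(len(blob) for blob in self.blobs.values())


def observe(scope, content):
    """Alice stores a file, then Bob uploads the same bytes.

    Returns (bytes Bob had to send, total bytes the provider stores).
    """
    store = DedupStore(scope)
    store.upload("alice", content)
    bob_sent = store.upload("bob", content)
    return bob_sent, store.stored_bytes()


# Constructed sample input.
SAMPLE = b"constructed sample document\n" * 1000

if __name__ == "__main__":
    for scope in ("global", "user"):
        sent, stored = observe(scope, SAMPLE)
        print(f"{scope:>6}: bob sent {sent} bytes, provider stores {stored} bytes")
```

With global scope Bob's transfer size depends on another account's contents, which is the leak; with per-account scope it does not, and the provider pays for a second copy.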
Re: (Score:3, Insightful)
It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation. The more de-regulation, the more damage they will do.
Corporations are golems, with the single imperative to profit at any cost.
Re: (Score:2)
It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation
The what, now? Big companies never push deregulation. They want as much regulation as possible, the better to punish anyone else trying to enter the same market. It's called "rent seeking".
Re: (Score:3)
Re:Seconded (Score:4, Informative)
O rly?
AT&T seeks more phone deregulation in Alabama [al.com]
AT&T and Deutsche Telekom push for deregulation of wireless markets [eweek.com]
Time Warner seeks Manhattan deregulation [multichannel.com]
It's trivially easy to find other examples.
Re: (Score:2, Insightful)
Regulatory capture has proven to be a much bigger problem than deregulation, I think. It seems better not to give the government so much power in the first place.
Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.
Re:Seconded (Score:5, Insightful)
If you trust Exxon and the MPAA more than the government with all its faults, then you have not been paying attention for the past 30 years.
Re: (Score:3, Insightful)
Hey, remember when the police and the teachers' unions crashed the stock market, raided everyone's pension funds, and shipped all the jobs to India?
Yeah, neither do I.
Re: (Score:2)
Why do you think people in corporations or government are any different than you or me?
Do you really think any CEO wakes up every morning and says "Today, I'm going to screw over the little guy!"?
Re: (Score:3)
Re: (Score:2)
Forget the encryption part for a moment. Their own privacy policy stated that they reserved the right to sell your information if they ever go bankrupt. One of the other online backup places, Carbonite, has no such statement in their privacy policy. Personally, I'd rather pay for a service that isn't going to sell my info.
Re: (Score:2)
Do you really believe that the lack of such a statement in Carbonite's privacy policy would prevent them, or their creditors, from selling your information?
Re: (Score:2)
Re: (Score:2)
Regulation means "market barriers." As long as there are established entities in a market, those entities LOVE regulation. It prevents them from having to play on a level playing field. I don't know if you're being ironic, or just ignorant of basic economics. Either way, Dropbox's lies have nothing to do with the word "Free."
Re: (Score:2)
We're using "regulations" to mean different things. You're referring to the regulations that are written by industry lobbyists. I'm referring to regulations like the EPA regulations that cleaned up the Great Lakes.
Of course, I guess those regulations are a thing of the past. Especially after Citizens United. Now you've got corporations on government welfare, and they're the ones electing the government.
Re: (Score:3, Funny)
"I enjoy intercourse with small domestic fauna."
Thanks for qualifying that. Heaven forbid you having conjugal relations with foreign animals. That would be just perverse.
Security is NOT an issue with The Cloud. (Score:5, Funny)
Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.
The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.
And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.
My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.
Re:Security is NOT an issue with The Cloud. (Score:4, Funny)
Shhhh! (Score:2)
A blank page is even more secure than an encrypted one because the enemy will never be certain they aren't just missing something.
Hey, don't give the security consulting game away!!!
Re: (Score:2)
The good ol' "let's mock the victim here for not being as smart as me" routine.
Re:Security is NOT an issue with The Cloud. (Score:5, Insightful)
The good ol' "let's mock the victim here for not being as smart as me" routine.
No. If I mocked everyone not being as smart as me, I wouldn't get anything else done.
I only mock for "not being as smart as me but thinking to be way smarter than me".
Re: (Score:3)
It is acceptable to mock fools who claim they are wise.
Re:Security is NOT an issue with The Cloud. (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What should have happened : the same, 5 years ago.
the problem with the cloud in simple terms (Score:3)
What Happens When it RAINS??
Call me back... (Score:4, Insightful)
Re:Call me back... (Score:5, Informative)
Re: (Score:3)
Point is, he has exposed their lies and it made the rounds on all tech news sites. His research compelled an FTC investigation.
What have you done?
Re: (Score:2)
I'm thinking the poster has likely shilled for some companies that have been exposed.
Where's Al Gore and his "Lock Box"? (Score:3, Insightful)
Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.
Re:Where's Al Gore and his "Lock Box"? (Score:5, Insightful)
The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.
Re: (Score:2)
Re: (Score:2)
As to how I got that way, fuck if I know. I haven't actually done much besides a few small mods, and chatted a lot. All I know is that if I say "Steam just ripped me off, those fuckers", I'd start a small riot. Torches and pitchforks would be wielded; Gabe Newell would be burned in effigy.
Re: (Score:3)
Re: (Score:2)
That's all true but there's two issues in this particular case.
-- We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.
-- They're lying to get ahead in the market. That's something we need to discourage.
Re: (Score:2)
We've heard stories about computer repair technicians stealing everything up to and including porn off the computers they're servicing. There's a pretty low threshold for important when the data's sitting right there for the taking.
You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)
Re: (Score:2)
That depends, is it home made stuff?
Re: (Score:2)
It's an example of something no-one would give a damn about that people take anyway; because it's there.
Re: (Score:2)
And you seem to be assuming that the GP doesn't have midget furry gangbang pedo porn on his computer. That shit'll get you sent up for years.
Re: (Score:2)
Probably because that never occurred to any of us... except for you. ;)
Re: (Score:2)
For the purposes of this exercise, let's assume that no one stores their credit card numbers on their computer in plaintext; even though we all know that's not true.
The porn thing is one thing I never understood, why would anyone bother? It's like they've never heard of the internet. I figure that some people will take anything not nailed down, a pretty solid reason that Dropbox should not give its employees access to the user's stuff at all.
Re: (Score:2)
You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc...
Depending on the porn . . . . yes.
Re: (Score:2)
You seem to be saying that stealing the porn on someone's PC is more egregious than stealing financial information/credit card numbers etc... ;)
A Hong Kong singer/actor who liked to take photos of girls spreading their legs and having sex with him, several of whom were popular actresses/singers with "nice girl" images, sent his laptop in for repair....
See http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal [wikipedia.org]
Re:Where's Al Gore and his "Lock Box"? (Score:5, Interesting)
First, you are wrong. The data in your account is interesting to a whole host of people, regardless of how insignificant you are. Maybe there's a credit card number in there. Maybe there's clues to your password. Maybe your social graph is interesting to a marketer. In this age, even an insignificant person's data is of interest to someone.
Secondly, DropBox lied. Plain and simple. They made a security claim that wasn't true and sold their service based on it. If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well.
Did they really lie to most people? (Score:2, Interesting)
Re: (Score:2)
They're still lying. From https://www.dropbox.com/features [dropbox.com]:
Dropbox protects your files without you needing to think about it.
Re: (Score:2)
Re: (Score:2, Insightful)
"All files stored on Dropbox are encrypted (AES-256)."
Well, the op states, "...but in fact, as the encryption keys are in their possession...". As such, the statement can easily be true. The files *are* stored in an encrypted format.
In fact, if you think about the "shared" features of their service, folders and files, they would HAVE to be able to access them and decrypt them, otherwise they could not be shared.
Re: (Score:3)
Meh.
Pretend, for a moment, that I am not well-versed in encryption concepts.
Dropbox says that they will protect my files, and that they can also share them with others at my choosing.
I, being ignorant of encryption concepts (as most folks certainly are), do not see the two concepts as being mutually exclusive, even though they plainly are to those with more clue.
Therefore, I (the ignorant layperson) am misled.
This might not seem important to the Slashdot crowd, but Dropbox is being marketed at common folk,
Re: (Score:2)
Those claims are not lies, they are simply misleading...
Saying they "protect" your files may refer to the undeletion and history feature.
Similarly, they do encrypt your files with AES256, what they neglect to tell you is where the key to that encryption is stored.
There are all kinds of security standards out there which require encryption too, but don't make any constraints about how the keys should be handled etc.
Re:Where's Al Gore and his "Lock Box"? (Score:4, Interesting)
I can understand the concerns about credit cards and bank info, but I don't really get why people are so freaked out about marketers learning a bit of generic info about their lives:
Person 1 -- Oh no! An advertising firm got hold of my semi-private information!
Person 2 -- That's terrible. What did they do with it?
Person 1 -- Well, they started showing me ads for things I might actually buy.
Person 2 -- Gods! Have these men no shame?
Re:Where's Al Gore and his "Lock Box"? (Score:5, Informative)
Because it's not a little generic info about their lives. It's a small leak here a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.
It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.
Re: (Score:2)
"If you really want to live in a world where it's perfectly acceptable for people to lie about their services in order to get your business, I wish you well."
I'm sorry to be the one to inform you of this, but we already live in a world like that.
i think i see the problem (Score:3, Insightful)
"the encryption keys are in their possession"
Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?
If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.
Is it just me, or are about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"
Re: (Score:3)
It doesn't matter.
If they claim to do X when in fact they do not do X, or claim not to do X when in fact they do do X then you have deceptive trade practices.
It doesn't matter if they are obviously lying, and anyone who knows anything about what they do can tell that.
Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.
Re: (Score:2)
Coca Cola also can't claim that drinking coke cures cancer, even though anyone with two brain cells to rub together knows it doesn't.
It may not cure cancer, but it used to calm the nerves, cure headaches, and put a smile on your face -- well, back when it was laced with cocaine.
Today, the only things it cures are low blood sugar and headaches due to caffeine addiction withdrawals.
It's really too bad, if we had allowed pharmaceuticals to stay in colas perhaps their massive global revenue reserves would have been available to advance cancer research and discover a cure; Thus, drinking coke would cure cancer.
P.S. To all against legalizi
Re: (Score:2)
No, it's not obvious that they have them, there's definitely ways in which they could do it which would prevent them from being able to access that data without your permission. Otherwise no provider of services could ever promise that level of protection without the FTC investigating. The fact that the FTC is investigating this now rather than any number of other companies previously is a pretty good indication that it's a reasonable expectation to have.
Re: (Score:2)
No, it's not obvious that they have them
Then who would you think has them? You know you don't and you're assuming they don't, so who does?
The fact that the FTC is investigating this now rather than any number of other companies previously is a pretty good indication that it's a reasonable expectation to have.
I think it's clear you either don't know enough about this story or don't know what a 'fact' is. A complaint to the FTC is not an FTC investigation.
Re: (Score:2)
I do have one key - the password; that could be used to encrypt the file before syncing them.
LastPass seems decent in that regard.
Re: (Score:2)
I do have one key - the password; that could be used to encrypt the file before syncing them.
LastPass seems decent in that regard.
You mean the password that can be reset if you forget it? Great idea.
Re: (Score:2)
Then who would you think has them? You know you don't and you're assuming they don't, so who does?
The Encryption Key Fairy?
she can't be trusted.
Re: (Score:2)
Nope. Diet coke is what you want, those artificial sweeteners are medical cure-alls.
Re: (Score:2)
I'm with you *except* the last line.
I doubt I'll ever trust a service provider's storage encryption rather than applying a local, independent layer of encryption they can't circumvent, *however*, it isn't entirely unreasonable to believe a cloud solution could include meaningful encryption that would preclude even their administrators from access, *even* in the dropbox case with files being shared. Granted, doing so and doing it conveniently means they probably have an exposure (I wager that the client soft
Re: (Score:2)
I wager that the client software submits the password to server for authentication and therefore a modified server could capture password and use that to decrypt keys, which is the most straightforward thing to expect
Well, the client could send a hash instead; it's what some other services do.
I closed my dropbox account. (Score:2)
Re: (Score:2)
Re: (Score:2)
How is that even possible when it doesn't run as root?
The package manager has root.
More reason to build your own (Score:4, Interesting)
Re: (Score:2)
rsync based solutions are a dime a dozen, however they don't really replace a full Dropbox implementation.
One of the key features of Dropbox is versioning (the ability to restore deleted files, and roll back files to previous iterations). There are very few solutions out there that do this at all, let alone as well as dropbox does
Re: (Score:2)
Re: (Score:2)
Spideroak lies as well (Score:2)
Quote: "SpiderOak was designed and implemented by Engineers with a background in fault tolerant systems with a margin of error of 0.0000%." This is either a bald-faced lie, or the background of those "Engineers" is that they failed the statistics exam.
Re: (Score:2)
Not at all. If all digits are zero, then it is zero all the way, _unless_ a precision is specified. Even then giving such a number would be a lie, if a more sophisticated one.
Individual File Encryption? (Score:2)
Would using password protected .RAR or .ZIP files be relatively secure?
Re: (Score:2)
A TrueCrypt volume is secure and reasonably portable.
Re: (Score:2)
A TrueCrypt volume is secure and reasonably portable.
For me, sure. But one of the things I use DropBox for is to send files to a coworker who isn't as computer savvy. I can get him to enter passwords but my fear is, and maybe you can help me figure out that it's unfounded, that I'll show him how to use TrueCrypt then after 6 months of not using it he'll forget how to do it.
Supplier Beware (Score:2)
Hard to see how they could do it any other way (Score:3)
It's a security tradeoff - convenience over encryption. Anyway if they publicly said it was impossible to see the data they need to get a bit of a slap. I hope what they meant is their employees' roles are separated in a way which means it's difficult for any one person to obtain all the pieces they need to view the data and even if they did they'd be detected by numerous database / network triggers and thrown out the door. Even so I think most technically or criminally minded people could just implement their own security on top, e.g. a very simple way is to store stuff in an encrypted zip or 7-zip file. I reckon most people don't bother though and that's where the problem lies.
Perhaps the answer for Dropbox is to implement a second level security where users can generate their own keys to secure certain folders. The keys remain in the user's possession on the client side. Data including file names & folder structure would be seamlessly scrambled / descrambled on the fly. It might preclude that folder from being accessible over the web interface and the user would be responsible for figuring out how to get the key onto every device they use, but it would allow Dropbox to say they support fully encrypted data that their staff really cannot see.
Re:Employees have access? (Score:4, Insightful)
Which would be fine if they said "Our employees have access to your data through key escrow in the event you forget your passphrase". If what you're storing is random pictures or some such that's quite likely good enough.
Some companies don't want that and give their business to companies that say "Key escrow is your problem, it is physically impossible for our employees to read your data". They tend to pay more for that service.
Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.
Re:Employees have access? (Score:5, Informative)
Did they ever say that though? If you RTF complaint, the closest they ever came to making that claim was this line:
"Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)"
I suppose if you tilt your head and squint, that could mean they don't keep a copy of the keys. I read it as the guys on the floor can't log into your account and snoop around.
Re: (Score:2)
Except of course that the level of security they claimed was completely implausible, given that you can download arbitrary files from the web interface, meaning the key could at best be encrypted by the password, and they also have a "forgot your password" service, meaning the key could not even be encrypted by your password.
Therefore, at best, they may have a policy that for normal support purposes the keys are off limits, and only the non-encrypted metadata is accessible. But obviously access to the files
Re: (Score:2)
Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.
Oh come on, you're telling me you believed the key was your responsibility even though you had no key? You didn't even have any non-volatile private data that could be used as an encryption key, the only private data is your password, which can be reset, so obviously you can't use that.
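Added example, not part of the thread or any provider's code: the argument made in the comments above (a client-held key proposal, and the point that a resettable password cannot be what protects the key), worked through with a data key wrapped under a password-derived key. All names are hypothetical, and the HMAC-based wrap is a standard-library stand-in for a real key-wrap or AEAD primitive.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed sample value, not a recommendation


def _kek(password, salt):
    """Derive the key-encryption key from the user's password (client side)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_data_key(password, data_key):
    """Return the record a server could store without learning data_key."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = _kek(password, salt)
    # Stand-in for AES key wrap: one HMAC block as keystream, then a MAC tag.
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = _xor(data_key, stream)
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_data_key(password, record):
    """Recover the data key, or raise ValueError if the password is wrong."""
    kek = _kek(password, record["salt"])
    expected = hmac.new(kek, b"mac" + record["nonce"] + record["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong password or tampered record")
    stream = hmac.new(kek, b"enc" + record["nonce"], hashlib.sha256).digest()
    return _xor(record["ct"], stream)


def change_password(old, new, record):
    """Client knows the old password: unwrap, then re-wrap under the new one."""
    return wrap_data_key(new, unwrap_data_key(old, record))


def forgot_password_reset(record, new_password):
    """Server resets the login without the old password.

    Returns True only if the stored record still yields the data key.
    """
    try:
        unwrap_data_key(new_password, record)
        return True
    except ValueError:
        return False


def escrow_reset(escrowed_data_key, new_password):
    """Reset that keeps the files readable: only possible with a provider-held key."""
    return wrap_data_key(new_password, escrowed_data_key)


if __name__ == "__main__":
    dk = secrets.token_bytes(32)
    rec = wrap_data_key("old passphrase", dk)
    print("change with old password keeps key:",
          unwrap_data_key("new", change_password("old passphrase", "new", rec)) == dk)
    print("forgot-password reset keeps key:   ", forgot_password_reset(rec, "new"))
```

A service whose files survive a forgotten-password reset is therefore in the `escrow_reset` situation: some copy of the data key exists outside the user's password.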
Re: (Score:2)
http://dictionary.reference.com/browse/lier [reference.com]
The phantom tracking software is just waiting to get you.
Re:Spideroak is a good alternative (Score:5, Informative)
SpiderOak has some serious security issues of its own.
1. The desktop client allows you to change the password without entering the old one. This means that if somebody steals your laptop, they can lock you out of your own account. Permanently.
2. I forgot my password on an account, and emailed support requesting an account reset. They happily complied without verifying in any way, shape, or form that I was the owner of the account. I didn't even send this request from the same email account that was attached to the account.
Major issues like this make me think their understanding of security is not as rock solid as they think it is, and makes me question how good their encryption is.
The desktop software is also woefully bad to the point of being unusable, their service is slow (at least from Australia), and their "Sync" support doesn't work particularly well.
Re: (Score:2)
I noticed that, I haven't actually given it any files yet, but I did notice that it didn't ask for my old password in order to change it. I'm probably going to uninstall it if that's how that works. But, considering that I'm more interested in it for syncing than for storing, it's not quite a done deal.
Re:Spideroak is a good alternative (Score:4, Interesting)
Give Wuala a go. It supports client side encryption, and is much more polished than Spideroak.
Re: (Score:3)
It was definitely Spideroak.
They didn't reset the password, they reset the account. (Essentially they deleted the account and allowed me to sign back up again under the same email address).
Naturally none of the data was recoverable, however they happily deleted the account without verifying I was the owner.
Re: (Score:2)
Err.. TrueCrypt has always been OpenSource (http://www.truecrypt.org/downloads2), so if that's what you're basing your idea of a "better track record" off, that makes them - equal. In actual USAGE, TrueCrypt has a more extensive and better "track record". Perhaps you were thinking of DriveCrypt.
Re: (Score:2)
Um, spider oak does that as well. Granted spider oak has its own security problems, Dropbox is hardly the only option. Plus, if you really want to be secure, you can always roll your own solution.