Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend

from the hacktastic dept

Tue, Jun 21st 2011 3:39am — Mike Masnick

Dropbox's security has been under increased scrutiny lately, after some security researchers claimed that some of its security practices were questionable. So, it was probably the worst time possible for the company to have a "programmer's error," leaving all Dropbox accounts completely wide open to anyone for four hours on Sunday. Apparently, during that period of time, you could log into anyone's account with any password. Just type in a random string of gibberish and you're in. Not surprisingly, the company is apologizing and investigating how this happened. At the very least, it seems like a good reason to explore alternatives if you're doing remote storage.

Of course, this also raises interesting points concerning the big question of "cloud" security. Many people have suggested that relying on some third party -- such as Dropbox -- is inherently insecure. However, that assumes that an individual who goes a different route would be able to create a more secure system on their own. I'm sure that's true for some people, but it might not be the case for the everyday user. In the long run, you would hope that these remote service providers can implement stronger security, so that individuals don't have to. But, in the short run, I wouldn't be surprised to see more such stories of less-than-optimal security being exposed at these kinds of service providers.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cloud, passwords, privacy, security
Companies: dropbox

32 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

twistedmentat (profile), 21 Jun 2011 @ 4:01am

How about TrueCrypt
One thing you can do is put an encrypted volume up as a file and then wherever you go use something like TrueCrypt to access it. Thus if someone gets access to the cloud storage they can't get easily access to the data.

In the long term what these companies need to do is tie the password into some decent encryption so you cannot access the data without having the password. Like how LastPass does things.
[ link to this | view in chronology ]
- Chronno S. Trigger (profile), 21 Jun 2011 @ 4:54am
  
  Re: How about TrueCrypt
  What TwistedMentat said. I never fully trusted Dropbox. It's stored on their servers so what would stop them from looking into it. I encrypt everything that I put in there that I don't want them to see.
  
  What Twisted said about the password thing is how I was going to do my bittorrent idea, if only I could convince a programer to write it. Sounds like there would be one hell of a market for it.
  [ link to this | view in chronology ]
- halley (profile), 21 Jun 2011 @ 6:38am
  
  Re: How about TrueCrypt
  One problem with tying password to encryption is that every password change requires decryption and re-encryption under the new key. You can make it indirect: password used to encrypt an "inner key," and the inner key used to encrypt the data. The inner key is small and can be decrypted/re-encrypted easily, while the inner key itself doesn't change value so often.
  [ link to this | view in chronology ]
- aldestrawk (profile), 21 Jun 2011 @ 7:16am
  
  Re: How about TrueCrypt
  Whoa, wait a minute! If you encrypt all your files separately before uploading them, then Dropbox cannot do de-duplication of files on their servers. That would mean they would not only have to charge more to survive but they might as well change their system to have encryption/decryption happen on the clients computer without them knowing the key.
  [ link to this | view in chronology ]
- Jim, 21 Jun 2011 @ 7:57am
  
  Re: How about TrueCrypt
  thank you sir! i love dropbox and i've been using it for years to sync an aes 256 disk image that my macs can then mount natively. i store all my most important files there. it's not hard at all to do, and what dropbox needs to do is put instructions on their website about how to use these encrypted file storage mechanisms for any person that is using the internet illegally without a license.
  [ link to this | view in chronology ]
Anonymous Coward, 21 Jun 2011 @ 4:25am

"I'm sure that's true for some people, but it might not be the case for the everyday user."

People should wake up to the information age and stop letting third parties to bottle feed them their crap. Take matters into your own hands!

Running a file sever is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run "python -m SimpleHTTPServer" if I'm feeling stupid), but I'm sure there are more robust and user-friendly ways of doing it (apache?).
[ link to this | view in chronology ]
- Richard (profile), 21 Jun 2011 @ 4:39am
  
  Re:
  "I'm sure that's true for some people, but it might not be the case for the everyday user."
  
  People should wake up to the information age and stop letting third parties to bottle feed them their crap. Take matters into your own hands!
  
  Neither of these is true. The reality is that even experts make mistakes. A large provider (constantly under attack) can have better security than anything you can dream up yourself - even if you are a security expert. If you are a security expert you will know this already.
  
  The proper thing to do with your expertise is to use it to choose a provider. Providers should be open about the mechanisms they use. If they aren't then don't use them.
  [ link to this | view in chronology ]
  - abc gum, 21 Jun 2011 @ 4:49am
    
    Re: Re:
    "The proper thing to do with your expertise is to use it to choose a provider."
    
    lol-wut? ... What are they providing and for whom.
    
    If all one needs is a backup of their data, a couple of usb hard drives are much less expensive and apparently much more secure. In case of fire, keep one off site. The average person does not create the quantities of data which would make an online storage mechanism feasible.
    [ link to this | view in chronology ]
  - Anonymous Coward, 21 Jun 2011 @ 5:16am
    
    Re: Re:
    This is specious nonsense, of course: my security measures are far better than any provider on the planet. That's (a) because I'm a security uber-expert and (b) because I'm a paranoid, picky bastard who doesn't cut corners to save a few bucks.
    [ link to this | view in chronology ]
    - Richard (profile), 21 Jun 2011 @ 9:06am
      
      Re: Re: Re:
      Do hardware experts manufacture their own processors in a backroom?
      
      Do automobile experts drive around in cars they knocked up in their own garages?
      
      Do aircraft designers fly around on homebuilt aeroplanes?
      
      Actually the answer to all these questions is yes - for the fun of doing it - but a definite NO for practical applications. It's the same with security.
      [ link to this | view in chronology ]
      - Anonymous Coward, 21 Jun 2011 @ 9:17am
        
        Re: Re: Re: Re:
        No, it's not.
        
        I can do a vastly superior job with security measures than any of these companies, primarily because I have vastly more experience and knowledge than they do -- and because, unlike them, I have no motivation to cut corners for profit. Dropbox doesn't give a DAMN about security and privacy, other than as bullet points for their marketing department: they care about profit, profit, profit. If they can make twice as much money by accepting half as much security, they will do it without a second thought AND they will lie about it.
        
        In this respect, they're no different from any other corporation: it's all about the bottom line.
        
        I have no such issues. When I'm setting up security for my own systems, I can spend time and money as I deem fit...and that's exactly what I do. Moreover, in operating that setup (once designed and implemented) I can be as careful as I think necessary -- which is "very". So I don't have to worry about some inferior person plugging in a Windows box, or some junior employee bypassing a step, or any of that: these problems simply do not exist for me, which means *I don't have to solve them*.
        
        "Cloud security" is an oxymoron.
        [ link to this | view in chronology ]
  - Mike P (profile), 21 Jun 2011 @ 6:09am
    
    Re: Re:
    I think Richard hit the issue on the head when he said that these large providers are often constantly under attack. No matter who you are, you are eventually going to make a mistake. When you have such a large user-base out there, not only are more and more people going to try to break in (because if they do they've hit gold), but with so many users it's more likely someone will NOTICE the issue. If my home Web server has a bug that lets you authenticate with any password, it may take months before you even notice it yourself. When it's a service that has many thousands of users, someone will notice quite quickly and someone will take advantage of it.
    [ link to this | view in chronology ]
    - Richard (profile), 21 Jun 2011 @ 8:57am
      
      Re: Re: Re:
      hen it's a service that has many thousands of users, someone will notice quite quickly and someone will take advantage of it
      Yes - but the odds against your data (out of all the millions) being attacked before the problem is fixed are very low.
      [ link to this | view in chronology ]
  - Anonymous Coward, 21 Jun 2011 @ 4:18pm
    
    Re: Re:
    Experts that make mistakes such as these are not experts. You need to review your definition of expert. Where I work, something like this means automatic boot to the head. Don't expect your key card to work in the morning. And don't expect references, you're toast.
    
    I'm sure that's true for some people, but it might not be the case for the everyday user.
    
    I'm pretty sure no single-end user would be stupid enough to pull something like this on their home system, even accidentally.
    [ link to this | view in chronology ]
- Bengie, 21 Jun 2011 @ 5:04am
  
  Re:
  Your house gets hit by a tornado and the rain floods your basement, everything is lost. What's your data contingency plan?
  
  Your 10TB raid got corrupted. What's your plan to restore?
  
  Basic stuff any server admin handles.
  
  You're at a friend's house and want to download some stuff. Your friend has a 20mb pipe and your home connection has only 2mb upload. How do you get your data to him at full speed?
  
  I'm not sure 98% of the users are ready for these questions.
  [ link to this | view in chronology ]
  - abc gum, 21 Jun 2011 @ 5:28am
    
    Re: Re:
    "I'm not sure 98% of the users are ready for these questions."
    
    1) I'm sure 98% of the users do not have 10T of data.
    2) What would one need to d/l "at their friends house"?
    3) I'm sure you are full of shit
    [ link to this | view in chronology ]
  - Anonymous Coward, 21 Jun 2011 @ 4:21pm
    
    Re: Re:
    Datacenter gets hit by a tornado. Total loss. What's your contingency plan? I hope you have accounts on a few "clouds" and sync them daily.
    
    The whole idea of "cloud" is flawed. It's just there to seduce you out of your money. Plus, I have over 40TB of data at home, no way in hell my ISP would let me transfer this anywhere without major fees. And imagine that data plans I would need to get on the "cloud". And then the "cloud" has tons of security issues and everyone has access to my data? No thanks. I'll keep my data in my house, where there's been no tornado, floods, or natural disasters for over 50 years.
    [ link to this | view in chronology ]
- Anonymous Coward, 21 Jun 2011 @ 5:21am
  
  Re:
  OK, so you think people who barely know how to navigate around a Windows GUI are going to be able to setup a file server using Python or Apache?!!!!!! You ARE an idiot.
  [ link to this | view in chronology ]
- Gus Jenkins, 21 Jun 2011 @ 5:34am
  
  Re:
  Good luck with deciding whether getting your family out safely or grabbing your home made file server is more important if your house ever catches on fire. At least with a commercial "cloud" solution, my data can be safe and I can help get my family out of the house.
  [ link to this | view in chronology ]
  - Anonymous Coward, 21 Jun 2011 @ 10:58am
    
    Re: Re:
    Of course, any minimally competent person designing and building such a setup will have off-site backups. You are making a strawman argument by presuming that the implementor is an idiot and then criticizing him/her for being so.
    
    For example, I have three independent sets of off-site backups: all encrypted and none in the cloud. It's quite easy to maintain them and keep them refreshed so that they're kept up-to-date (within a week) of the live systems. They're all in different locations, and any disaster that would take out all of them would also very likely take out me as well, so I do not need to worry about their survivability beyond such an event.
    
    Now, I'm sure this is well beyond the capabitilies of the point-and-drool crowd, but we have no evidence to date which demonstrates (for example) that Dropbox isn't part of that crowd.
    [ link to this | view in chronology ]
    - Anonymous Coward, 21 Jun 2011 @ 8:39pm
      
      Re: Re: Re:
      Dropbox have proved, twice, that they cannot handle your files securely. It should be evident enough to anyone reading the news, or able to google.
      
      That being said, there might be safe and good alternatives out there. It doesn't remove the security issues from the process though. It the past few months, "clouds" have been in the news numerous times because they failed to do what they were supposed to; not only amazon.
      
      This is yet another wake up call for people who are security conscious. And since most of them are US-based, and the US has (and is trying to add more) draconian laws about data, then it's an obvious answer. Don't even think about touching it with a 1000 foot pole.
      [ link to this | view in chronology ]
- Robert Doyle (profile), 21 Jun 2011 @ 6:56am
  
  Re:
  "People should wake up to the information age and stop letting third parties to bottle feed them their crap. Take matters into your own hands!"
  
  Yeah! I bet you do your won dental work too! Anyone who goes to a third party for anything is a fool!!! Don't buy food at the grocery store! Grow it yourself! And don't use a computer someone else designed! Make your own you twit! It's easy! Any engineer could do it! But wait! Don't take classes! That's just using someone else's knowledge! Teach yourself you fool!
  [ link to this | view in chronology ]
milrtime83 (profile), 21 Jun 2011 @ 4:52am

Sounds like they need a gmail type feature that shows what IP's accessed your account and when so people can tell if they were affected.
[ link to this | view in chronology ]
JackSombra (profile), 21 Jun 2011 @ 5:09am

Running a file sever is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run "python -m SimpleHTTPServer" if I'm feeling stupid), but I'm sure there are more robust and user-friendly ways of doing it (apache?).
So could i, but would it be secure as something a multi-million/billon dollar company, whose main business is providing those services? Not even close

And that�s before costs come into play, power, connection, time spent keeping it patched, so forth, in majority of cases for individuals/small business a cloud provider will be cheaper and more secure once all factors are taken into consideration due to the economies of scale, thus making it the right choice for them

Now for medium or large business/enterprise... that's a whole different kettle of fish and companies of that size considering the move to an external cloud provider need to have their IT management head�s examined
[ link to this | view in chronology ]
- sheenyglass (profile), 21 Jun 2011 @ 6:48am
  
  Re:
  I don't think dropbox is that big - my understanding is that they use Amazon S3 for their cloud capabilities, so the majority of what they do seems to be designing the interface and syncing features. If that's the case, just getting an S3 account puts you fairly close to dropbox functionality.
  [ link to this | view in chronology ]
Dallas IT Guy, 21 Jun 2011 @ 5:23am

Not excusable. Period.
This isn't the kind of error that occurs because one programmer made a mistake. It's what happens when the programmer makes a mistake, the QA department makes a mistake, and the deployment isn't validated or the migration process isn't properly managed. And that many mistakes are the fault of management for not knowing the right things to do and ensuring that they're done.

For a company that must have consumer confidence to succeed, this is inexcusable, and it's the CEO's fault.
[ link to this | view in chronology ]
- aldestrawk (profile), 21 Jun 2011 @ 7:29am
  
  Re: Not excusable. Period.
  Isn't QA what those old slow software companies used? Modern, web 2.0 companies can't be tied down by that crap. Take a cue from Facebook's motto, "Move fast, break stuff".
  [ link to this | view in chronology ]
Marcel de Jong (profile), 21 Jun 2011 @ 5:26am

Alternatives to Dropbox
- Host your own;
- Spideroak: https://spideroak.com/
- SugarSync: https://www.sugarsync.com/
- Windows Live mesh: http://explore.live.com/windows-live-mesh-sync-p2p-using
- Zumodrive: http://www.zumodrive.com/
- Wuala: http://www.wuala.com/

To name a few.
[ link to this | view in chronology ]
Boomhouser, 21 Jun 2011 @ 5:46am

The cloud is not ready for prime time
http://www.engadget.com/2011/06/20/segas-online-pass-hacked-1-3-million-user-passwords-stolen/
http ://www.dailymail.co.uk/sciencetech/article-1380050/Sony-admits-Weve-hacked-PlayStation-Network-outag e.html
http://www.techjournalsouth.com/2011/06/digiday-citigroup-credit-card-info-hacked-social-mar keting-rivals-email-benefits/
http://www.securityfocus.com/news/10271
http://www.webguild.org/2009 0510/160000-social-security-numbers-hacked-from-uc-berkeley
http://www.teamshatter.com/topics/datab ase-security/maines-kennebec-savings-hacked-no-funds-card-data-or-social-security-numbers-compromise d/
http://online-identity-theft.net/online-identity-theft/60000-university-of-wisconsin-madison-soc ial-security-numbers-hacked
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR20050 61701031.html
http://www.msnbc.msn.com/id/40841273/ns/technology_and_science-security/t/honda-onlin e-database-hacked/
http://datalossdb.org/incidents/3196-hacked-server-exposes-106-884-names-social- security-numbers-and-dates-of-birth
http://abcnews.go.com/Politics/story?id=2601085&page=1
htt p://www.dispatch.com/live/content/local_news/stories/2010/12/16/server-hacked-at-osu-760000-affected .html
http://consumerist.com/2007/09/td-ameritrade-hacked-customer-data-compromised.html
http://ww w.theinquirer.net/inquirer/news/1050908/faa-hacked
http://gadgetwise.blogs.nytimes.com/2010/12/13/g awker-passwords-hacked-what-you-should-do/
http://www.pcmag.com/article2/0,2817,2376049,00.asp
htt p://www.dailymail.co.uk/news/article-1218272/Microsoft-Hotmail-accounts-hacked-posted-online.html
h ttp://securitycertificate.net/2011/06/google-gmail-account-passwords-hacked-from-china-hackers/
htt p://www.freakgeeks.com/2011/2768/ios-devices-passwords-hacked-in-6-minutes/
http://www.msnbc.msn.co m/id/41059570/ns/technology_and_science-security/t/pentagons-credit-union-hacked/
http://mashable.c om/2011/01/22/lushs-uk-website-hacked-credit-card-numbers-used/
[ link to this | view in chronology ]
w0qj, 21 Jun 2011 @ 11:29am

Best alternative: SugarSync
Good article � here is another cloud storage solution that is fully encrypted:
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.

Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!

https://www.sugarsync.com/referral?rf=tbtp0asbw9pt

Hope it helps someone.
[ link to this | view in chronology ]
Parkway Cozy, 21 Jun 2011 @ 6:33pm

I'm sure its all been said, but,
"The Cloud" offers virtually no benefit to the individual user. It offers MANY benefits to the companies that want you to use it. Otherwise, why would they push you to use it so much?

ANY ANY ANY cloud service you intend to use, pre-encrypt anything you put there. Expect NSA (and, hopefully, Cryptome) to get it anyway. And don't expect it to be there when you need it.

"The Cloud" is as ephemeral and fickle as, well, a real cloud. Sometimes, they look like choo choos.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jun 2011 @ 6:21am

All they need to do is add a mult-factor authentication method. Gmail has that and its great. Dropbox is still awesome. Still safer than on my local PC, this their files are encrypted.
[ link to this | view in chronology ]