Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend
from the hacktastic dept
Dropbox's security has been under increased scrutiny lately, after some security researchers claimed that some of its security practices were questionable. So it was probably the worst possible time for the company to have a "programmer's error" that left every Dropbox account wide open to anyone for four hours on Sunday. Apparently, during that period, you could log into anyone's account with any password: type in a random string of gibberish and you were in. Not surprisingly, the company is apologizing and investigating how this happened. At the very least, it seems like a good reason to explore alternatives if you're doing remote storage.

Of course, this also raises interesting points concerning the big question of "cloud" security. Many people have suggested that relying on some third party, such as Dropbox, is inherently insecure. However, that assumes that an individual who goes a different route would be able to build a more secure system on their own. I'm sure that's true for some people, but it might not be the case for the everyday user. In the long run, you would hope that these remote service providers can implement stronger security, so that individuals don't have to. But in the short run, I wouldn't be surprised to see more such stories of less-than-optimal security being exposed at these kinds of service providers.
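What "any password logs you in" looks like in code, as an added illustration that is not Dropbox's code and not the actual bug (the page describes it only as a programmer's error): a login check whose comparison against the stored hash was lost in a refactor, so it fails open; the corrected check; and the negative tests a deploy gate should run before any authentication change ships. The user store, the passwords and all function names here are constructed for the example.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (illustrative value)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed in-memory user store: username -> (salt, password hash).
USERS = {"alice": _make_record("correct horse battery staple")}
_DUMMY_SALT = b"\x00" * 16


def login_broken(username: str, password: str) -> bool:
    """BUGGY, fail-open: a refactor dropped the comparison against the
    stored hash, so the function returns the truthiness of the freshly
    computed digest. A 32-byte digest is always truthy, so any password,
    gibberish included, logs in any existing user."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, _stored = record
    candidate = _hash_password(password, salt)
    return bool(candidate)  # bug: should be compared with _stored


def login_fixed(username: str, password: str) -> bool:
    """Correct check: constant-time comparison against the stored hash.
    Unknown users still pay the hashing cost so response time does not
    reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def negative_auth_tests(login) -> bool:
    """The regression gate a login change should never ship without:
    the right password works, and wrong, empty and gibberish passwords
    and unknown users are all rejected. The broken version passes the
    positive case and every wrong-password case, so the gate fails it."""
    return (
        login("alice", "correct horse battery staple")
        and not login("alice", "wrong password")
        and not login("alice", "")
        and not login("alice", "xq7!gibberish")
        and not login("mallory", "anything")
    )


if __name__ == "__main__":
    print("broken login passes the gate:", negative_auth_tests(login_broken))  # False
    print("fixed login passes the gate:", negative_auth_tests(login_fixed))    # True
```

The point of the gate is that a positive test alone ("the right password works") is green for both versions; only the negative cases distinguish a working check from a fail-open one.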
Filed Under: cloud, passwords, privacy, security
Companies: dropbox
Reader Comments
How about TrueCrypt
In the long term what these companies need to do is tie the password into some decent encryption so you cannot access the data without having the password. Like how LastPass does things.
Re: How about TrueCrypt
What Twisted said about the password thing is how I was going to do my bittorrent idea, if only I could convince a programmer to write it. Sounds like there would be one hell of a market for it.
People should wake up to the information age and stop letting third parties bottle-feed them their crap. Take matters into your own hands!
Running a file server is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run "python -m SimpleHTTPServer" if I'm feeling stupid), but I'm sure there are more robust and user-friendly ways of doing it (apache?).
Re:
People should wake up to the information age and stop letting third parties bottle-feed them their crap. Take matters into your own hands!
Neither of these is true. The reality is that even experts make mistakes. A large provider (constantly under attack) can have better security than anything you can dream up yourself - even if you are a security expert. If you are a security expert you will know this already.
The proper thing to do with your expertise is to use it to choose a provider. Providers should be open about the mechanisms they use. If they aren't then don't use them.
Re: Re:
lol-wut? ... What are they providing, and for whom?
If all one needs is a backup of their data, a couple of usb hard drives are much less expensive and apparently much more secure. In case of fire, keep one off site. The average person does not create the quantities of data which would make an online storage mechanism feasible.
Re: Re: Re:
Do automobile experts drive around in cars they knocked up in their own garages?
Do aircraft designers fly around on homebuilt aeroplanes?
Actually the answer to all these questions is yes - for the fun of doing it - but a definite NO for practical applications. It's the same with security.
Re: Re: Re: Re:
I can do a vastly superior job with security measures than any of these companies, primarily because I have vastly more experience and knowledge than they do -- and because, unlike them, I have no motivation to cut corners for profit. Dropbox doesn't give a DAMN about security and privacy, other than as bullet points for their marketing department: they care about profit, profit, profit. If they can make twice as much money by accepting half as much security, they will do it without a second thought AND they will lie about it.
In this respect, they're no different from any other corporation: it's all about the bottom line.
I have no such issues. When I'm setting up security for my own systems, I can spend time and money as I deem fit...and that's exactly what I do. Moreover, in operating that setup (once designed and implemented) I can be as careful as I think necessary -- which is "very". So I don't have to worry about some inferior person plugging in a Windows box, or some junior employee bypassing a step, or any of that: these problems simply do not exist for me, which means *I don't have to solve them*.
"Cloud security" is an oxymoron.
Re: Re: Re:
Yes - but the odds against your data (out of all the millions) being attacked before the problem is fixed are very low.
Re: Re:
I'm sure that's true for some people, but it might not be the case for the everyday user.
I'm pretty sure no single-end user would be stupid enough to pull something like this on their home system, even accidentally.
Re:
Your 10TB raid got corrupted. What's your plan to restore?
Basic stuff any server admin handles.
You're at a friend's house and want to download some stuff. Your friend has a 20mb pipe and your home connection has only 2mb upload. How do you get your data to him at full speed?
I'm not sure 98% of the users are ready for these questions.
Re: Re:
1) I'm sure 98% of the users do not have 10T of data.
2) What would one need to d/l "at their friends house"?
3) I'm sure you are full of shit
Re: Re:
The whole idea of "cloud" is flawed. It's just there to seduce you out of your money. Plus, I have over 40TB of data at home, no way in hell my ISP would let me transfer this anywhere without major fees. And imagine that data plans I would need to get on the "cloud". And then the "cloud" has tons of security issues and everyone has access to my data? No thanks. I'll keep my data in my house, where there's been no tornado, floods, or natural disasters for over 50 years.
Re: Re:
For example, I have three independent sets of off-site backups: all encrypted and none in the cloud. It's quite easy to maintain them and keep them refreshed so that they're kept up-to-date (within a week) of the live systems. They're all in different locations, and any disaster that would take out all of them would also very likely take out me as well, so I do not need to worry about their survivability beyond such an event.
Now, I'm sure this is well beyond the capabilities of the point-and-drool crowd, but we have no evidence to date which demonstrates (for example) that Dropbox isn't part of that crowd.
Re: Re: Re:
That being said, there might be safe and good alternatives out there. It doesn't remove the security issues from the process though. In the past few months, "clouds" have been in the news numerous times because they failed to do what they were supposed to; not only Amazon.
This is yet another wake up call for people who are security conscious. And since most of them are US-based, and the US has (and is trying to add more) draconian laws about data, then it's an obvious answer. Don't even think about touching it with a 1000 foot pole.
Re:
Yeah! I bet you do your own dental work too! Anyone who goes to a third party for anything is a fool!!! Don't buy food at the grocery store! Grow it yourself! And don't use a computer someone else designed! Make your own, you twit! It's easy! Any engineer could do it! But wait! Don't take classes! That's just using someone else's knowledge! Teach yourself, you fool!
So could I, but would it be as secure as something from a multi-million/billion dollar company whose main business is providing those services? Not even close.
And that’s before costs come into play, power, connection, time spent keeping it patched, so forth, in majority of cases for individuals/small business a cloud provider will be cheaper and more secure once all factors are taken into consideration due to the economies of scale, thus making it the right choice for them
Now for medium or large business/enterprise... that's a whole different kettle of fish, and companies of that size considering the move to an external cloud provider need to have their IT management's heads examined.
Not excusable. Period.
For a company that must have consumer confidence to succeed, this is inexcusable, and it's the CEO's fault.
Alternatives to Dropbox
- Spideroak: https://spideroak.com/
- SugarSync: https://www.sugarsync.com/
- Windows Live mesh: http://explore.live.com/windows-live-mesh-sync-p2p-using
- Zumodrive: http://www.zumodrive.com/
- Wuala: http://www.wuala.com/
To name a few.
The cloud is not ready for prime time
http://www.dailymail.co.uk/sciencetech/article-1380050/Sony-admits-Weve-hacked-PlayStation-Network-outage.html
http://www.techjournalsouth.com/2011/06/digiday-citigroup-credit-card-info-hacked-social-marketing-rivals-email-benefits/
http://www.securityfocus.com/news/10271
http://www.webguild.org/20090510/160000-social-security-numbers-hacked-from-uc-berkeley
http://www.teamshatter.com/topics/database-security/maines-kennebec-savings-hacked-no-funds-card-data-or-social-security-numbers-compromised/
http://online-identity-theft.net/online-identity-theft/60000-university-of-wisconsin-madison-social-security-numbers-hacked
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html
http://www.msnbc.msn.com/id/40841273/ns/technology_and_science-security/t/honda-online-database-hacked/
http://datalossdb.org/incidents/3196-hacked-server-exposes-106-884-names-social-security-numbers-and-dates-of-birth
http://abcnews.go.com/Politics/story?id=2601085&page=1
http://www.dispatch.com/live/content/local_news/stories/2010/12/16/server-hacked-at-osu-760000-affected.html
http://consumerist.com/2007/09/td-ameritrade-hacked-customer-data-compromised.html
http://www.theinquirer.net/inquirer/news/1050908/faa-hacked
http://gadgetwise.blogs.nytimes.com/2010/12/13/gawker-passwords-hacked-what-you-should-do/
http://www.pcmag.com/article2/0,2817,2376049,00.asp
http://www.dailymail.co.uk/news/article-1218272/Microsoft-Hotmail-accounts-hacked-posted-online.html
http://securitycertificate.net/2011/06/google-gmail-account-passwords-hacked-from-china-hackers/
http://www.freakgeeks.com/2011/2768/ios-devices-passwords-hacked-in-6-minutes/
http://www.msnbc.msn.com/id/41059570/ns/technology_and_science-security/t/pentagons-credit-union-hacked/
http://mashable.com/2011/01/22/lushs-uk-website-hacked-credit-card-numbers-used/
Best alternative: SugarSync
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.
Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!
https://www.sugarsync.com/referral?rf=tbtp0asbw9pt
Hope it helps someone.
I'm sure its all been said, but,
ANY ANY ANY cloud service you intend to use, pre-encrypt anything you put there. Expect NSA (and, hopefully, Cryptome) to get it anyway. And don't expect it to be there when you need it.
"The Cloud" is as ephemeral and fickle as, well, a real cloud. Sometimes, they look like choo choos.
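The protection two of the comments above ask for (the "How about TrueCrypt" reply, which wants the password tied into the encryption so the data cannot be read without it, and the one just above, which says to pre-encrypt anything you put in any cloud service), as an added example that is not part of the thread and not LastPass's, TrueCrypt's or any provider's code. The client derives keys from the user's password with PBKDF2, encrypts and authenticates the file, and uploads only the resulting blob. The provider never sees the password or the keys, so a login bypass like the one in the article exposes ciphertext, not data; a wrong password or a modified blob is rejected before any plaintext is produced. To run without third-party packages this uses only the standard library: HMAC-SHA256 driven in counter mode as the keystream, with an encrypt-then-MAC tag. That construction is sound but non-standard; a real client should use an authenticated cipher such as AES-GCM from a vetted library. The password, the sample file contents and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

KDF_ITERATIONS = 100_000  # PBKDF2 work factor (illustrative value)
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 64 bytes, split into an encryption key and a
    MAC key. Only the client knows the password, so only the client can
    derive these; the provider stores the salt but cannot use it."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_for_upload(password: str, plaintext: bytes) -> bytes:
    """Blob layout: salt(16) | nonce(16) | ciphertext | tag(32).
    The tag is encrypt-then-MAC over salt, nonce and ciphertext, so any
    change to the stored blob is detected before decryption."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_download(password: str, blob: bytes) -> bytes:
    """Verify the tag first; raises ValueError on a wrong password or a
    tampered blob, and never returns partially decrypted data."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong password or tampered blob")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def try_decrypt(password: str, blob: bytes) -> Optional[bytes]:
    """What someone holding the stored blob (the provider, or anyone who
    walked through a broken login) gets with a guessed password: None."""
    try:
        return decrypt_download(password, blob)
    except ValueError:
        return None


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate tampering with the blob at rest."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


if __name__ == "__main__":
    secret = b"2010 tax return, account 12345678"   # constructed sample file
    blob = encrypt_for_upload("hunter2", secret)    # this is all the provider stores
    print("plaintext visible in stored blob:", secret in blob)            # False
    print("owner decrypts:", try_decrypt("hunter2", blob) == secret)      # True
    print("bypasser with guessed password:", try_decrypt("password", blob))  # None
    print("tampered blob:", try_decrypt("hunter2", flip_byte(blob, 40)))  # None
```

The trade-off the "How about TrueCrypt" reply implies is real: because the provider never holds the key, it also cannot reset it. A forgotten password means the blobs are unrecoverable, and the password's strength is the only thing standing between a stolen blob and its contents, which is why the key derivation is deliberately slow.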