#1 (Join Date: Jan 2011 | Location: Ohio | Posts: 467)

Dropbox - Not As Secure As Believed

Dropbox, a provider of cloud-based data storage services, is in hot water with the Federal Trade Commission over claims that it lied and intentionally deceived customers into believing that their data is more private and secure than it really is. Whether Dropbox was deliberately misleading, or just failed to clearly communicate policy changes, the complaint filed with the FTC illustrates concerns over online data security. At issue are Dropbox's terms of service. Previously, the company stated in its terms of service that "all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." But, Dropbox has continued to modify the terms of service, and backpedal on exactly how secure customer data is--sometimes putting its foot in its proverbial mouth. Dropbox has been at least confusing, if not misleading, about just how secure data really is. After a few amendments, the terms have been altered such that it now reads more to the effect that Dropbox can access and view your encrypted data, and it might do so to share information with law enforcement if it is compelled, but that employees are prohibited from abusing that power and viewing customer data.
    - Tony Bradley/PCWorld - http://goo.gl/V3BD6

#2 (Join Date: Aug 2004 | Location: Dallas, TX | Posts: 3,507)
    So, can we get a refund? Pretty annoying to find out it's not securely encrypted like they first said. Sounds like the hot water is well deserved.
    Dallas Colocation by Incero, 8 years and counting!
    e: sales(at)incero(dot)com 855.217.COLO (2656)
    Colocation & Enterprise Servers, SATA/SAS/SSD, secure IPMI/KVM remote control, 100% U.S.A. Based Staff
    SSAE 16, SAS70, Redundant Power & Network, Fully Diverse Fiber

#3 (Join Date: Jan 2011 | Location: Ohio | Posts: 467)
Quote Originally Posted by gordonrp:
    So, can we get a refund? Pretty annoying to find out it's not securely encrypted like they first said. Sounds like the hot water is well deserved.

    LOL! I would love to see if they actually give a refund!

#4 (Join Date: May 2011 | Posts: 319)
    I am always sort of wondering if they will EVER release some sort of packages to allow you to build your private DropBox type of thingy...I guess not...

#5 (Join Date: Mar 2009 | Posts: 534)
    If it's private and needs to be secured away from prying eyes, either pre-encrypt using your own methods before sending up to a service - or just don't stick it in the cloud, no matter which service. Paranoia saves.

    --Chris
    The Object Zone - Your Windows Server Specialists for more than twelve years - http://www.object-zone.net/
    Services: Contract Server Management, Desktop Support Services, IT/VoIP Consulting, Cloud Migration, and Custom ASP.net and Mobile Application Development

#6 (Join Date: Aug 2004 | Location: Dallas, TX | Posts: 3,507)
Quote Originally Posted by ObjectZone:
    If it's private and needs to be secured away from prying eyes, either pre-encrypt using your own methods before sending up to a service - or just don't stick it in the cloud, no matter which service. Paranoia saves.

    --Chris
    Encrypting the data before isn't feasible, because the whole encrypted container (100GB) changes each time. I use encryption on my drives at home.

It's not about requiring encryption, obviously I don't put private business data in there. But desiring encryption for personal files in the cloud, otherwise I probably wouldn't have put them there, just like I wouldn't leave my USB drive on my doorstep but am happy having my USB drive behind my locked front door.

    The issue is how they sold the service as being encrypted when it's actually not!

#7 (Join Date: Jul 2007 | Location: Ashburn, VA | Posts: 1,314)
    Old news...
    I've known about this for almost a month now.

    No one watches tech podcasts? http://www.jupiterbroadcasting.com/7...ws-techsnap-1/
    Preetam Jinka

    Isomerous - High performance web services for business and individuals.
    Bitcable Colocation, KVMs, cPanel hosting, Oracle expertise, and more.

#8 (Join Date: Aug 2005 | Posts: 309)
Quote Originally Posted by Bitcable:
    No one watches tech podcasts?
    ...or reads Slashdot?

#9 (Join Date: Jan 2011 | Location: Varna, Bulgaria | Posts: 1,270)
    Maybe the data is still encrypted, but they also have a key for decrypting it? So their original promise "your data is encrypted" is still true.

#10 (Join Date: Aug 2006 | Location: Ashburn VA, San Diego CA | Posts: 4,571)
Quote Originally Posted by rds100:
    Maybe the data is still encrypted, but they also have a key for decrypting it? So their original promise "your data is encrypted" is still true.
    That's what I was thinking... "inaccessible without your account password" leaves many possibilities.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

#11 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by rds100:
    Maybe the data is still encrypted, but they also have a key for decrypting it? So their original promise "your data is encrypted" is still true.
    Most likely the data is encrypted while in transit across the Internet and decrypted at the other end to be stored, like ssh, https, etc are.

    Quite honestly, though, if you are worried about a dropbox employee stealing your data, you should re-evaluate your decision to trust dropbox to store any of your data and billing details in the first place. After all, if you trust them with your credit card number and address you should be able to trust they won't steal the files you upload either.

    For 99% of dropbox users this is a non-issue.
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter

#12 (Join Date: Mar 2003 | Location: chicago | Posts: 1,557)
What happens when Dropbox gets an admin server or account hacked?

Anyone storing sensitive data with any company that can access it is clueless when it comes to security.

There was a hosting company not too long ago that got completely hacked; from the main admin box the hacker took down 100s of servers, and some people took weeks to get back online.

Quote Originally Posted by ramnet:
    Most likely the data is encrypted while in transit across the Internet and decrypted at the other end to be stored, like ssh, https, etc are.

    Quite honestly, though, if you are worried about a dropbox employee stealing your data, you should re-evaluate your decision to trust dropbox to store any of your data and billing details in the first place. After all, if you trust them with your credit card number and address you should be able to trust they won't steal the files you upload either.

    For 99% of dropbox users this is a non-issue.

#13 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by cyberhouse:
What happens when Dropbox gets an admin server or account hacked?

Anyone storing sensitive data with any company that can access it is clueless when it comes to security.
    By "sensitive data," you mean like a client database with names, account passwords, addresses, and credit card numbers?

Even if the client's self-uploaded data was encrypted, an attacker would still get access to the above information if they got admin access to Dropbox and could just log in to the client's account and access/decrypt the data themselves as the client. Not to mention do a lot more (like steal someone's identity).

    But as long as the data you upload is encrypted that's fine, right?

    </sarcasm>

    When you purchase a service from a company, you create a trust relationship and presume they won't deliberately screw you over by stealing your data and your identity. The off-chance of dropbox getting themselves hacked is irrelevant to that.

But as was previously mentioned, if you are truly storing sensitive data on a file hosting service, you should be encrypting it yourself instead of relying on third-party encryption of unknown cryptographic algorithms of unknown strength/reliability anyway. There are several encryption methods that are trivially reversed.
    Last edited by ramnet; 05-18-2011 at 02:14 AM.

#14 (Join Date: Mar 2003 | Location: chicago | Posts: 1,557)
You're clueless. What does me possibly getting hacked have to do with someone else having access to my data?

2 people having access to data makes the possibility of data being stolen 200% greater. Now, who is someone going to try to hack, me? Or a huge company that controls 100tb or more of data?

Let me clue you in: the company that controls 100tb of data will be targeted.

Sony just had their whole PS3 network hacked. If you think that Dropbox or any other cloud storage provider is not hackable then you're clueless.

Quote Originally Posted by ramnet:
    By "sensitive data," you mean like a client database with names, account passwords, addresses, and credit card numbers?

Even if the client's self-uploaded data was encrypted, an attacker would still get access to the above information if they got admin access to Dropbox and could just log in to the client's account and access/decrypt the data themselves as the client. Not to mention do a lot more (like steal someone's identity).

    But as long as the data you upload is encrypted that's fine, right?

    </sarcasm>

    When you purchase a service from a company, you create a trust relationship and presume they won't deliberately screw you over by stealing your data and your identity. The off-chance of dropbox getting themselves hacked is irrelevant to that.

#15 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by cyberhouse:
You're clueless. What does me possibly getting hacked have to do with someone else having access to my data?
    If dropbox gets hacked, they have all your information. So if dropbox gets hacked, it's equivalent to you getting hacked.

Let's say I hack Dropbox and have admin access. I now have your login username and password, your real name, your address, your credit card number, your birthdate (all of which you provided to Dropbox when you purchased their service), and I can log in to your Dropbox account as you, and decrypt all your precious files that were encrypted using Dropbox technology.

    Or I can just erase them all if I don't care what your files contain.

Your encryption just became worthless since I have your decryption keys (and the rest of your access credentials).

Quote Originally Posted by cyberhouse:
Sony just had their whole PS3 network hacked. If you think that Dropbox or any other cloud storage provider is not hackable then you're clueless.
Last I checked, PS3 isn't a cloud storage provider. And do you really think if PS3 encrypted your game scores that would stop a hacker of PS3's network from viewing, erasing, and/or modifying your data?

You can call me names all you want; it doesn't make you any more right.
    Last edited by ramnet; 05-18-2011 at 02:26 AM.

#16 (Join Date: Mar 2003 | Location: chicago | Posts: 1,557)
You're only right if Dropbox stores the data needed to decrypt my data. As long as that is stored on my end and Dropbox has no access to it, like it should be set up, then you could hack Dropbox all you wanted and you would never be able to decrypt my data.

Quote Originally Posted by ramnet:
    If dropbox gets hacked, they have all your information. So if dropbox gets hacked, it's equivalent to you getting hacked.

Let's say I hack Dropbox and have admin access. I now have your login username and password, your real name, your address, your credit card number, your birthdate (all of which you provided to Dropbox when you purchased their service), and I can log in to your Dropbox account as you, and decrypt all your precious files that were encrypted using Dropbox technology.

    Or I can just erase them all if I don't care what your files contain.

Your encryption just became worthless since I have your decryption keys (and the rest of your access credentials).

Last I checked, PS3 isn't a cloud storage provider. And do you really think if PS3 encrypted your game scores that would stop a hacker of PS3's network from viewing, erasing, and/or modifying your data?

You can call me names all you want; it doesn't make you any more right.

#17 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by cyberhouse:
You're only right if Dropbox stores the data needed to decrypt my data. As long as that is stored on my end and Dropbox has no access to it, like it should be set up, then you could hack Dropbox all you wanted and you would never be able to decrypt my data.
The DropBox client software is closed source, so I guess we'll never know exactly what data they harvest off systems and store on their servers now, will we?

#18 (Join Date: Mar 2003 | Location: chicago | Posts: 1,557)
Well, if they claim that they can't access your data and they can, they can be sued and be out of biz in no time. That's why they updated their terms to tell you that your data is not secure and they can access it.

Quote Originally Posted by ramnet:
The DropBox client software is closed source, so I guess we'll never know exactly what data they harvest off systems and store on their servers now, will we?

#19 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by cyberhouse:
Well, if they claim that they can't access your data and they can, they can be sued and be out of biz in no time. That's why they updated their terms to tell you that your data is not secure and they can access it.
    Technically, the previous terms of service stated "all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." They never claimed they couldn't access your data themselves.

    I think most people would believe it's a fair assumption that DropBox has "your account password" since a reasonable person would believe they would need your password to authenticate you, and thus DropBox must know what your login credentials are - and now that has been explicitly stated in their new ToS.

I don't think you'd get very far if you tried to sue DropBox over their previous terms of service.

#20 (Join Date: Mar 2003 | Location: chicago | Posts: 1,557)
Keep dreaming. If you think they need to store your password to authenticate you then you are clueless about security.

Quote Originally Posted by ramnet:
    Technically, the previous terms of service stated "all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." They never claimed they couldn't access your data themselves.

    I think most people would believe it's a fair assumption that DropBox has "your account password" since a reasonable person would believe they would need your password to authenticate you, and thus DropBox must know what your login credentials are - and now that has been explicitly stated in their new ToS.

I don't think you'd get very far if you tried to sue DropBox over their previous terms of service.

#21
Quote Originally Posted by gordonrp:
    Encrypting the data before isn't feasible, because the whole encrypted container (100GB) changes each time. I use encryption on my drives at home.
    Not necessarily. Some encryption software stores the encrypted disk image as several small files, so the entire thing doesn't change every time you modify something (e.g. Apple's sparse bundles).
    Adam McMaster

    Valcato Hosting Over nine years of great service
    Shared, VPS and dedicated servers.
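The client-side approach argued for in #5, #16 and #21, and the objection in #6 that a single encrypted container changes wholesale on every edit, can both be shown in one added example. The Python below is not from the thread or from Dropbox; it is a self-contained sketch in which the key stays on the client, the file is encrypted in independent chunks, and a sync step re-uploads only the chunks whose keyed content hash changed, so the provider stores ciphertext it cannot decrypt and a one-byte edit costs one chunk rather than the whole file. The cipher is an HMAC-SHA256 counter-mode keystream standing in for a real AEAD such as AES-GCM, the chunk size and master key are constructed for the demo, and `store` is a dict standing in for the provider's storage; all of these are assumptions, not a description of any real service.

```python
"""Chunked client-side encryption with a key the storage provider never sees."""
import hashlib
import hmac
import os

CHUNK_SIZE = 4096   # constructed: small chunk size so the demo stays fast
NONCE_SIZE = 16
TAG_SIZE = 32       # SHA-256 HMAC


def derive_subkeys(master_key: bytes) -> dict:
    """Split one client-held master key into independent per-purpose keys.
    The master key never leaves the client, so a compromise of the provider
    (the scenario in #12 to #16) yields only ciphertext."""
    return {label: hmac.new(master_key, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "content-id")}


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_chunk(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one chunk under a fresh random nonce: nonce || ciphertext || tag.
    A fresh nonce per encryption means re-encrypting an edited chunk never reuses keystream."""
    nonce = os.urandom(NONCE_SIZE)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_chunk(keys: dict, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a chunk modified at the provider is rejected, not decrypted."""
    if len(blob) < NONCE_SIZE + TAG_SIZE:
        raise ValueError("chunk too short")
    nonce, ciphertext, tag = blob[:NONCE_SIZE], blob[NONCE_SIZE:-TAG_SIZE], blob[-TAG_SIZE:]
    expected = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("chunk failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(keys["enc"], nonce, len(ciphertext))))


def sync(keys: dict, data: bytes, store: dict) -> int:
    """Upload only the chunks whose content changed; returns how many were uploaded.
    `store` (constructed) stands in for the provider: chunk index -> (content id, blob).
    The content id is a keyed hash, so the provider cannot use it to recognise known plaintexts."""
    uploaded = 0
    n_chunks = (len(data) + CHUNK_SIZE - 1) // CHUNK_SIZE
    for i in range(n_chunks):
        chunk = data[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE]
        content_id = hmac.new(keys["content-id"], chunk, hashlib.sha256).digest()
        if i in store and hmac.compare_digest(store[i][0], content_id):
            continue                      # unchanged chunk: nothing to re-upload
        store[i] = (content_id, encrypt_chunk(keys, chunk))
        uploaded += 1
    for stale in [i for i in store if i >= n_chunks]:   # file shrank: drop trailing chunks
        del store[stale]
    return uploaded


def download(keys: dict, store: dict) -> bytes:
    """Fetch every chunk back from the provider and reassemble the file on the client."""
    return b"".join(decrypt_chunk(keys, store[i][1]) for i in range(len(store)))


if __name__ == "__main__":
    keys = derive_subkeys(b"constructed master key, held only by the client")
    provider = {}
    original = bytes(range(256)) * 64          # constructed 16 KiB file = 4 chunks
    print("first upload:", sync(keys, original, provider), "chunks")
    edited = bytearray(original)
    edited[2 * CHUNK_SIZE + 10] ^= 0xFF         # one-byte edit inside chunk 2
    print("after edit:  ", sync(keys, bytes(edited), provider), "chunk")
    print("round trip ok:", download(keys, provider) == bytes(edited))
```

Real sync clients use content-defined chunking rather than fixed offsets so an insertion does not shift every later chunk, and a vetted AEAD rather than the HMAC keystream above; the property the thread is after is unchanged either way: the provider can serve, lose or leak the blobs, but cannot read them, and it cannot tamper with them undetected.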

#22 (Join Date: Jul 2007 | Location: Ashburn, VA | Posts: 1,314)
    Just throwing this out there...
    BY UTILIZING THE SITE, CONTENT, FILES AND/OR SERVICES, YOU CONSENT TO ALLOW DROPBOX TO ACCESS YOUR COMPUTER TO ACCESS ANY FILES THAT ARE PLACED IN THE 'MY DROPBOX,' 'DROPBOX' FOLDERS, AND/OR ANY OTHER FOLDER WHICH YOU CHOOSE TO LINK TO DROPBOX.

#23 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by cyberhouse:
Keep dreaming. If you think they need to store your password to authenticate you then you are clueless about security.
    I'm well aware they don't "need to," however a layperson would come to the reasonable conclusion that if you enter your password onto their website, they have access to it (since you submitted it to them when you logged in).

And regardless, you don't know if Dropbox has their clients' login passwords one-way hashed, stored as a reversible cipher, or stored in plain text anyway.
    Last edited by ramnet; 05-18-2011 at 06:16 AM.
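The point made in #20 and picked apart in #23, that a service can authenticate you without ever storing your password, and that from the outside you cannot tell whether it hashed it, encrypted it reversibly, or kept it in plain text, is easiest to see by implementing all three storage models side by side. The Python below is an added example, not code from the thread or from Dropbox: each model verifies a login correctly, but only the salted PBKDF2 record leaves an insider or a database thief nothing to reverse. The iteration count, the server key and the passwords are constructed for the demo, and the HMAC keystream in the reversible model stands in for whatever cipher such a service might use.

```python
"""Three ways a service might keep a login credential, and what each gives an attacker."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 210_000   # constructed demo value; set from your own hardware budget
SERVER_KEY = os.urandom(32)   # constructed: a key the service keeps in its own config or HSM


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; stand-in for a real cipher in the reversible model."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def store_plaintext(password: str) -> dict:
    """Model 1: the password itself is the record."""
    return {"mode": "plaintext", "value": password.encode()}


def store_reversible(password: str, server_key: bytes = SERVER_KEY) -> dict:
    """Model 2: encrypted under a key the service holds, so the service can decrypt it at will."""
    nonce = os.urandom(16)
    pw = password.encode()
    return {"mode": "reversible", "nonce": nonce,
            "value": bytes(a ^ b for a, b in zip(pw, _stream(server_key, nonce, len(pw))))}


def store_hashed(password: str) -> dict:
    """Model 3: per-user salt plus a slow one-way hash; the password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"mode": "hashed", "salt": salt, "iterations": PBKDF2_ITERATIONS, "value": digest}


def recover(record: dict, server_key: bytes = SERVER_KEY):
    """What someone holding the record (and, for model 2, the server key) gets back."""
    if record["mode"] == "plaintext":
        return record["value"]
    if record["mode"] == "reversible":
        v = record["value"]
        return bytes(a ^ b for a, b in zip(v, _stream(server_key, record["nonce"], len(v))))
    return None   # hashed: nothing to reverse; only guessing each candidate remains


def verify(record: dict, candidate: str, server_key: bytes = SERVER_KEY) -> bool:
    """All three models authenticate the user; only the hashed one does it without
    reconstructing the password. Comparisons are constant-time in every model."""
    if record["mode"] == "hashed":
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
        return hmac.compare_digest(digest, record["value"])
    return hmac.compare_digest(recover(record, server_key), candidate.encode())


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed demo password
    for rec in (store_plaintext(pw), store_reversible(pw), store_hashed(pw)):
        print(rec["mode"], "login ok:", verify(rec, pw),
              "recoverable:", recover(rec) is not None)
```

The login check succeeds identically in all three cases, which is why a user, or a regulator reading a terms-of-service page, cannot tell them apart from the outside; the difference only shows when the credential table leaks. The same split applies to the thread's file-encryption question: a key derived on the client and never sent to the service is to file encryption what the hashed record is to passwords.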

#24 (Join Date: Mar 2003 | Location: chicago | Posts: 1,557)
If they clearly say your data is not secure and they have access to it then yes, I would assume they can access it. What's your point?

If they advertise that all your data is secure and encrypted then I would assume they don't have access to it, since it's my data, not theirs.

Quote Originally Posted by ramnet:
    I'm well aware they don't "need to," however a layperson would come to the reasonable conclusion that if you enter your password onto their website, they have access to it (since you submitted it to them when you logged in).

And regardless, you don't know if Dropbox has their clients' login passwords one-way hashed, stored as a reversible cipher, or stored in plain text anyway.

#25 (Join Date: Apr 2009 | Location: USA / UK | Posts: 4,553)
Quote Originally Posted by cyberhouse:
If they clearly say your data is not secure and they have access to it then yes, I would assume they can access it. What's your point?
The username and password they created for you to use to sign in to their service is their data; it is a requirement imposed by them and a dependency on your account functioning.

You might want to step back and stop "dreaming" and read more carefully next time.

Quote Originally Posted by cyberhouse:
If they advertise that all your data is secure and encrypted then I would assume they don't have access to it, since it's my data, not theirs.
    The average layperson would also come to the logical conclusion that DropBox has access to anything uploaded to, and encrypted (or not), by DropBox, unless explicitly told otherwise.

    The analogy here would be of a safe deposit box. Anything you upload (store inside), using their encryption (lock & key), is reasoned that the host institution has access to it unless indicated otherwise. If you don't want them to have access, don't give it to them, and don't rely on their encryption.

    You know what they say about people that assume ....
    Last edited by ramnet; 05-18-2011 at 06:40 AM.
