DropBox Insecurity

Some of my clients have begun sharing files through the popular Dropbox Service. I dislike the service a lot because it is poorly setup from a security point of view. If the people designing it were this ignorant and unconcerned about security, then I don't want their software on my (or my clients') computers.

Their terms of service says, ""As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox's encryption from the files before providing them to law enforcement."

The problem with this is not that they cooperate with law enforcement, but that they can. In a properly designed system, the data you store on the remote server, that is supposed to be private, is encrypted on your computer before transfer. You have the passphrase and they do not, so they cannot provide it to anyone. You may not be worried about offending government officials or law enforcement officers, but what about the possibility that some employee of theirs is corrupt or corrupted? Also these sites frequently get hacked and the database stolen. If the thief also gets the keys, then your data will be exposed.

When they talk about their great data encryption, what they mean is that it is secure while in transit, not after it reaches their servers.

It gets worse. Dropbox keeps a small configuration file on your computer that holds the information it needs to maintain synchronization between the web account and your dropbox folder. That file is not protected in any way. If someone gains access to your computer and steals that file, they can access all your data as if they were you. No password or authentication is needed. They did not provide any security or checks. They could have accessed and embedded say a hard drive serial number or something which would require a password if it changed.

Because of these basic design flaws, I don't trust the company to keep a hacker out of their site or properly protect the data from their own employees. I don't trust them to quickly patch their software if a security flaw is discovered.

Two of the best possible replacements I have found for this sort of service, in this price range, are Wuala and SpiderOaks. I have not tried them myself, so am only going by what I've read. If any readers have experience with secure services like this, let me know your experiences, and I'll report back in the next Newsletter.

A comparison of Wuala, Dropbox and sugarsync is here:http:⁄⁄www.elias-lange.de⁄cloud-storage-wuala-dropbox-sugarsync⁄Check out the PDF download for a pretty detailed table.

Date: June 2011

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		DropBox Insecurity Some of my clients have begun sharing files through the popular Dropbox Service. I dislike the service a lot because it is poorly setup from a security point of view. If the people designing it were this ignorant and unconcerned about security, then I don't want their software on my (or my clients') computers. Their terms of service says, ""As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox's encryption from the files before providing them to law enforcement." The problem with this is not that they cooperate with law enforcement, but that they can. In a properly designed system, the data you store on the remote server, that is supposed to be private, is encrypted on your computer before transfer. You have the passphrase and they do not, so they cannot provide it to anyone. You may not be worried about offending government officials or law enforcement officers, but what about the possibility that some employee of theirs is corrupt or corrupted? Also these sites frequently get hacked and the database stolen. If the thief also gets the keys, then your data will be exposed. When they talk about their great data encryption, what they mean is that it is secure while in transit, not after it reaches their servers. It gets worse. Dropbox keeps a small configuration file on your computer that holds the information it needs to maintain synchronization between the web account and your dropbox folder. That file is not protected in any way. If someone gains access to your computer and steals that file, they can access all your data as if they were you. No password or authentication is needed. They did not provide any security or checks. They could have accessed and embedded say a hard drive serial number or something which would require a password if it changed. Because of these basic design flaws, I don't trust the company to keep a hacker out of their site or properly protect the data from their own employees. I don't trust them to quickly patch their software if a security flaw is discovered. Two of the best possible replacements I have found for this sort of service, in this price range, are Wuala and SpiderOaks. I have not tried them myself, so am only going by what I've read. If any readers have experience with secure services like this, let me know your experiences, and I'll report back in the next Newsletter. A comparison of Wuala, Dropbox and sugarsync is here:http:⁄⁄www.elias-lange.de⁄cloud-storage-wuala-dropbox-sugarsync⁄Check out the PDF download for a pretty detailed table. Date: June 2011 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk