OCS banner and logo
Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe 
Search All Articles

Browse by Category

powered by pmc2m


DropBox Insecurity

Some of my clients have begun sharing files through the popular Dropbox Service. I dislike the service a lot because it is poorly setup from a security point of view. If the people designing it were this ignorant and unconcerned about security, then I don't want their software on my (or my clients') computers.

Their terms of service says, ""As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox's encryption from the files before providing them to law enforcement."

The problem with this is not that they cooperate with law enforcement, but that they can. In a properly designed system, the data you store on the remote server, that is supposed to be private, is encrypted on your computer before transfer. You have the passphrase and they do not, so they cannot provide it to anyone. You may not be worried about offending government officials or law enforcement officers, but what about the possibility that some employee of theirs is corrupt or corrupted? Also these sites frequently get hacked and the database stolen. If the thief also gets the keys, then your data will be exposed.

When they talk about their great data encryption, what they mean is that it is secure while in transit, not after it reaches their servers.

It gets worse. Dropbox keeps a small configuration file on your computer that holds the information it needs to maintain synchronization between the web account and your dropbox folder. That file is not protected in any way. If someone gains access to  your computer and steals that file, they can access all your data as if they were you. No password or authentication is needed. They did not provide any security or checks. They could have accessed and embedded say a hard drive serial number or something which would require a password if it changed.

Because of these basic design flaws, I don't trust the company to keep a hacker out of their site or properly protect the data from their own employees. I don't trust them to quickly patch their software if a security flaw is discovered.

Two of the best possible replacements I have found for this sort of service, in this price range, are Wuala and SpiderOaks. I have not tried them myself, so am only going by what I've read. If any readers have experience with secure services like this,  let me know your experiences, and I'll report back in the next Newsletter.

A comparison of Wuala, Dropbox and sugarsync is here:http:⁄⁄www.elias-lange.de⁄cloud-storage-wuala-dropbox-sugarsync⁄Check out the PDF download for a pretty detailed table.

Date: June 2011

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

  Please direct questions/suggestions about website to the webmaster