

Dropbox passwords optional for four hours - andjones
http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/

======
ohyes
I use any online service with the assumption that the things I put up there
could likely become public, no longer anonymous, or what have you. I don't
think this is overly paranoid, given how difficult computer security is.

To me, it would make sense if Dropbox stored everything encrypted (as in,
encrypted pre-transfer), and you needed the private key to decrypt stuff,
unless you specifically state that it is to be public. It just makes sense
from a liability standpoint. That said, you can do this anyway, as recommended
in this article:
<http://lifehacker.com/5813873/how-to-add-a-second-layer-of-encryption-to-dropbox>

~~~
VMG
The thing is that you can't do email then.

You can say that google might leak your emails, but the same is true if you
use your private email server.

~~~
masterzora
That's not exactly true. You just need to be super-paranoid and make sure that
everything of importance is sent (on both ends) encrypted.

That's still wholly untenable for the real world, but not all paranoid people
live in the real world per se.

~~~
baddox
It's unfortunate that simple public key encryption, which has been easily
available for many years, is still seen as untenable and "super-paranoid." Any
email client, or better yet Gmail, could easily implement it and make it
virtually transparent to the user (when both ends of the email are using such
a client, obviously).

~~~
masterzora
I apologise if you have mistaken my meaning! I certainly hope we don't take
wider scale encryption to be untenable, but it is very certainly untenable for
a single person to use the web in a meaningful way with normal people while
maintaining that every single email needs to be encrypted.

~~~
baddox
I agree. I didn't mean that your evaluation of the current state of things is
wrong, but rather that the current state of things is unfortunate.

------
grandalf
Anyone who had any confidential data in Dropbox (medical research data, credit
card transaction data) must now file a data breach report.

~~~
abofh
And anyone who stored that sort of data in dropbox more or less had it coming.
HIPAA & finance laws are very clear about the security they require -- dropbox
has always been hand-wavey in their explanation of their security.

~~~
tptacek
What's your point? The IT guys can't catch a break, can they? If they say "no
you can't install stuff on your machine", message board geeks are up in arms.
But when normal people, for whom these computer systems are designed in the
first place, make (layperson-) reasonable decisions about what folders to put
files in, there's the message board geek again, harassing them for not
understanding how transparent cloud file sync works under the covers and
interacts with regulated data.

~~~
abofh
If you're a 'normal person', you shouldn't be making decisions about the
security of my health-care or financial data. If you're in the position to
make that decision, you should have been aware that Dropbox was not a "safe"
third party.

For the _users_ of Dropbox, I have empathy. For those running their
medical/finance business on assumptions about Dropbox's security, I have
nothing but enmity.

~~~
tptacek
I hate to be the one to break this to you†, but normal people make up almost
the entire chain of custody for regulated data. Normal people write your
health records. Normal people check them out of databases and read them.
Normal people load them into spreadsheets. Normal people generate reports.
Businesses do not exist to support super-savvy BOFH's. It is rather the other
way around.

† _Ok, no I don't_

~~~
abofh
I didn't say they do, but they should hire people competent to make educated
decisions in the regulatory environment they're in. That's why they pay bofhs
-- not because they like our views, but because we _read_ the specs.

EDIT: To phrase less hostilely -- HIPAA and various finance laws consist of
thousands of pages of what to do and what not to do. Dropbox is a shiny
webpage that isn't PCI certified or HIPAA certified. If you chose to operate
in a business that requires HIPAA/PCI, and used Dropbox for that data, _you_
are at fault, not Dropbox, not the bofhs, and not the coder. In the case of
HIPAA, you would be the criminal.

~~~
kevin_morrill
HIPAA does not have thousands of pages on what and what not to do. It's
actually quite vague, and mostly comes down to fines after the fact. There's
also no such thing as a government sanctioned HIPAA certification. There's
just random people willing to 'certify' you.

~~~
tptacek
The HIPAA data security requirements are tiny and largely boil down to "data
should be encrypted in transit and at rest and require access control".

<http://law.justia.com/cfr/title45/45-1.0.1.3.70.3.33.6.html>

------
Erwin
This joke PAM "happy hour" module became reality:
<http://www.brendangregg.com/specials.html#pam_happy_hour>

------
ern
I hope they add login activity to their "Recent Events" feed ASAP.

~~~
gcr
How would that work? Dropbox doesn't require login most of the time; do you
want them to log every time a computer viewed a file or just the web
interface, which isn't the primary use interaction?

------
SkyMarshal
Anyone using SpiderOak? They're the only other versioning diff-based backup
service I know of that supports Linux (with a free tier; there's also
Tarsnap). They also claim 'zero-knowledge' encryption. Anyone have any
opinions?

~~~
tincansandtwine
There's also ownCloud (<http://owncloud.org/index.php/Main_Page>), if you're
into that whole home server thing. It definitely supports Linux.

~~~
eropple
It supports Linux poorly, and supports nothing else at all.

(WebDAV isn't "support," when you look at the Dropbox/SpiderOak feature set.)

------
cypherpunks01
Hoping this convinced someone at dropbox to write a three-line release-
blocking test to ensure that you can't login with a wrong password... _Crosses
fingers_

~~~
tptacek
If you're disquieted by the idea that a single broken boolean expression could
allow arbitrary users to access a web site, one way to mitigate the concern is
indeed to write fiddly little tests to catch every point at which a broken
boolean expression could short-circuit authentication.

Another thing to do would be to change the design of the authentication
process so that it is more inherently fail-closed. For instance, you could
encrypt/decrypt the database ID of the user with a key derived securely and
deterministically from the user's password, perhaps (just to keep the code
simple) after verifying the password against a secure password hash.
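
The fail-closed design tptacek sketches above, together with the
release-blocking "wrong password must fail" test cypherpunks01 asks for, as an
added Python example. This is not Dropbox's code and not code from either
commenter. The user table, ids and passwords are constructed for the example;
the `broken` flag is a hypothetical stand-in for the "single broken boolean
expression" in the comment; and the encrypt-then-MAC construction (HMAC-SHA256
used as a one-block keystream and as the tag) is my own dependency-free choice
for authenticating the encrypted id, workable here only because an id fits in
one block.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a real deployment tunes this (or uses scrypt/bcrypt/argon2) far higher.
PBKDF2_ITERATIONS = 50_000


def derive(password: str, salt: bytes, length: int) -> bytes:
    """Deterministically stretch a password into `length` key bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=length)


# --- Design 1: the usual check-based login ----------------------------------

def register_check_based(db: dict, email: str, password: str, user_id: int) -> None:
    salt = os.urandom(16)
    db[email] = {"salt": salt, "hash": derive(password, salt, 32), "id": user_id}


def login_check_based(db: dict, email: str, password: str,
                      broken: bool = False) -> Optional[int]:
    rec = db.get(email)
    if rec is None:
        return None
    ok = hmac.compare_digest(derive(password, rec["salt"], 32), rec["hash"])
    # `broken` (hypothetical) simulates the single bad boolean tptacek describes:
    # one wrong edit here accepts every password, because the id is sitting in
    # the record in the clear.
    if ok or broken:
        return rec["id"]
    return None


# --- Design 2: fail-closed login --------------------------------------------
# The id is stored only as ciphertext under keys derived from the password
# (encrypt-then-MAC; HMAC-SHA256 is the PRF for a one-block keystream and for
# the tag). A wrong password derives a wrong key, so no id comes out.

def seal(k_enc: bytes, k_mac: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) <= 32, "single-block keystream only"
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(k_enc: bytes, k_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or tampered record")
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def register_fail_closed(db: dict, email: str, password: str, user_id: int) -> None:
    salt = os.urandom(16)
    km = derive(password, salt, 96)
    # PBKDF2 output blocks are independent, so storing the first 32 bytes as a
    # verifier reveals nothing about the 64 key bytes that follow.
    verifier, k_enc, k_mac = km[:32], km[32:64], km[64:]
    db[email] = {"salt": salt, "verifier": verifier,
                 "sealed_id": seal(k_enc, k_mac, os.urandom(16), struct.pack(">Q", user_id))}


def login_fail_closed(db: dict, email: str, password: str,
                      broken: bool = False) -> Optional[int]:
    rec = db.get(email)
    if rec is None:
        return None
    km = derive(password, rec["salt"], 96)
    verifier, k_enc, k_mac = km[:32], km[32:64], km[64:]
    ok = hmac.compare_digest(verifier, rec["verifier"])
    if not (ok or broken):
        return None
    # Same simulated bug as above, but passing the check buys nothing: the
    # session needs the id, and the id only decrypts under the right password.
    try:
        return struct.unpack(">Q", open_sealed(k_enc, k_mac, rec["sealed_id"]))[0]
    except ValueError:
        return None


# --- cypherpunks01's release-blocking test, applied to either design --------

def wrong_password_is_rejected(register: Callable, login: Callable,
                               broken: bool = False) -> bool:
    """True iff the right password logs in and a wrong one does not."""
    db: dict = {}  # constructed in-memory user table
    register(db, "alice@example.com", "correct horse battery staple", 42)
    return (login(db, "alice@example.com", "correct horse battery staple", broken) == 42
            and login(db, "alice@example.com", "Tr0ub4dor&3", broken) is None)


if __name__ == "__main__":
    for name, reg, log in (("check-based", register_check_based, login_check_based),
                           ("fail-closed", register_fail_closed, login_fail_closed)):
        print(name, "healthy:", wrong_password_is_rejected(reg, log),
              "with broken boolean:", wrong_password_is_rejected(reg, log, broken=True))
```

Run stand-alone, the check-based design passes the release test only while its
boolean is intact, while the fail-closed design passes it even with the boolean
deliberately broken: there is no clear-text id for a mis-wired `if` to hand
out. In production the hand-rolled seal/open pair would be replaced by a real
AEAD (AES-GCM or ChaCha20-Poly1305) from a vetted library; the shape of the
argument is unchanged.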

------
Bud
They're probably rather distracted over at Dropbox, since iCloud is about to
eat their business model. That would kinda tend to suck.

~~~
DenisM
That's only assuming Apple does a competent job. Cloud is a new thing for
them, they can easily screw up.

------
redtwo
It's media like this that great minds are trying to fight: you just want to
make stories and create a buzz, even if it's by communicating misleading
information that, when interpreted by people, would not show the truth of what
happens but just make them go nuts.

Illustrated example: Bill Gates's Twitter account: "Do you want me to give you
all my money or what lolz"; TechCrunch: "OH MY GOD, BILL GATES PLANNING TO GIVE
AWAY ALL OF HIS MONEY"; and later: "OH MY GOD, HERE'S THE GUY BILL GATES WAS
TALKING ABOUT". I mean seriously, I just hate buzz-seeking journalists.

~~~
redtwo
I can smell all the journalists down voting

~~~
redtwo
hilarious, but you all know that journalists in the tech world are seen as the
"I-dont-know-nothing-but-I'll-just-pretend__with-a-smile-like-if-i-
understood."

------
cjoh
Dropbox's security is twitter's downtime. While much more is at stake than not
being able to tweet, I can't imagine that this isn't their number one growth
challenge -- something that, if they conquer it, will give them a much higher
market valuation.

If this happens, let's look forward to a trove of blogposts about "how to make
dropbox secure" from armchair CTOs, just like we saw with Twitter and the
string of posts around "How I'd scale twitter" Sharding! Webscale!

~~~
tptacek
I don't think this is a reasonable comparison. Twitter was at least 80% as
useful when its uptime was erratic as it is now, when its uptime is
reasonably good. But Dropbox security flaws potentially cough up your data to
criminals; when Dropbox security fails, its utility is _negative_, not
slightly diminished.

