
Dropbox accesses all the files in your PC? - mekinpesen
http://www.e-siber.com/guvenlik/dropbox-accesses-all-the-files-in-your-pc-not-just-sync-folder-and-steals-everything/
======
tallanvor
In Windows, even with a filter limiting which directories to process, a
FileSystemWatcher object has to examine each event and decide whether or not
to call the event handler or let it pass without action. That means it would
have to read the file information and compare it against the filters that have
been defined.

These actions will show up as at least 4 or 5 entries in Process Monitor (and
maybe more, I'm not sure off the top of my head). This also means that
applications monitoring for file access will catch each time this happens.

Unfortunately, whoever wrote that article does not seem to understand Windows
internals, or how to determine what consists of bad or dangerous activity.

It should also be noted that Dropbox runs in the context of your own user
account. It does not run as a service or elevated user, so it will only have
access to the files you have access to (and that you have access to without
requiring elevation).

I'm not going to claim to be a security expert, but I don't see anything that
would suggest a security risk on Dropbox's part. Further, if a company has
data important enough that they need to run DLP software on individual
computers, they should not be allowing software such as Dropbox anyway.

~~~
SpaceInvader
Why is it scanning files outside of the agreed location?

~~~
yohui
Doesn't tallanvor address this in the first sentence?

> _In Windows, even with a filter limiting which directories to process, a
> FileSystemWatcher object has to examine each event and decide whether or not
> to call the event handler or let it pass without action._

Sounds like the very act of checking whether the file falls within the "agreed
location" is what caught the author's attention. I can't say whether that's
true, but it doesn't seem unreasonable.

~~~
SpaceInvader
It was a rhetorical question :)

------
hamstergene
This article does not prove the "steals everything" claim. Very shallow work
for an "Information Security Specialist".

The reason Dropbox accesses files all over the drive may be that FS events
driver generates events for every file accessed by every program, and Dropbox
has to read their metadata for some reason (e.g. to check if their full path
is under one of synced folders). He should elaborate by checking if Dropbox is
actually scanning _and reading_ all drives, which is hardly unnoticeable, or
is it something else.

Having network activity at the same time does not mean this file has been
transferred. It is incredibly hard for me to believe that Dropbox has sneakily
transferred >1TB from my various computers without me and my ISP noticing. The
author should monitor Dropbox traffic volumes over a week and check if it
actually exceeds synced folders size before spreading panic.

~~~
bobofettfett
Or maybe not. Your speculation is as good as mine. Or the op. Or everyone
else. The point was Dropbox is accessing files outside the folder, something I
would not want or expect.

"It is incredibly hard for me to believe that Dropbox has sneakily transferred
>1TB"

Did they transfer hashes? name+type+size for fingerprinting? Searching for
credit numbers or SSNs? Who knows. I don't. And don't do evil is no longer the
basic assumption.

~~~
onderkalaci
I agree with you. The main problem is why Dropbox accesses files that it is
not permitted to.

~~~
cremno
I don't know. I'm actually more interested in what it receives/sends.

------
gnud
I just had a quick look at dropbox with ProcMon, and I learned that

    
    
      1) when I created a new text file on my desktop, it was not read by Dropbox
      2) when I created a new text file in my dropbox folder, it was immediately read by Dropbox
      3) I have to find some sync tool that doesn't feel the need to enumerate my network interfaces 3 times every second, when nothing is actually changing.

~~~
hvm
Have you heard/tried Bittorrent sync? It's P2P, doesn't put your files on
their server. Very fast for transferring locally between your phone and
computer for example. You have to keep your computer running if you want your
files accessible anytime though.

~~~
jablan
Unfortunately btsync is very much not open-source. There are alternatives,
though. I am very satisfied with syncthing[1], although it didn't have a
usable mobile app last time I checked.

[1] [http://syncthing.net/](http://syncthing.net/)

~~~
danieldk
And requires port forwarding, which may not be an option for people who are
not on IPv4 at home (e.g. my ISP uses DS-Lite, so I cannot use IPv4 port
forwarding).

Bittorrent Sync works pretty good. Somebody should reverse engineer the
protocol and make an open source client.

Edit: why the heck is the grandparent downvoted? He/she offers a good
suggestion.

~~~
benwaffle
or ownCloud

------
zzleeper
Independently of whether DB reads/uploads all the files or not, I've arrived
at a difficult position about Dropbox: I'm looking for alternatives. No, it's
unrelated with politics or pricing; it's just that in many cases _Dropbox
sucks_.

Why? Well, I mostly don't care about all the new features (mobile, Carousel,
etc.). What I care the most is that i) it syncs files and ii) acts as a quasi-
backup. However, I see the same old bugs from _years_ ago and nothing gets
done. To name just a few:

- If I copy a file to the Dropbox folder in Windows, it will convert it to
small caps, even if the file is in Camel Case. Yes, I get that for windows
caps are just "optional", but do not change it just for the sake of it!

- Many people sometimes have temporary files. Photoshop, Matlab, Word, Latex,
etc. leave crumbles of temp files and folders. Can't I just set a quick rule
to avoid "tmp" folders and e.g. ".tmp" files?

- A few months ago their forums went down and stayed down for around a month?
Why? Technical problems. But the real reason is that they don't really care.

There is no way DB can justify their valuation with just the syncing part, and
I'm fine with that. But just stopping altogether to improve in that area _is_
a huge turn-off, and on top of that they do not care to fix bugs (there were
hundreds of bug requests about the lowercase bug in the forums, before they
deleted it).

Now that my rant is over, I ask you: are there any useful alternatives? I've
heard that GDrive is very slow and the MSFT alternative seems a bit risky to
me (will it work on Linux in the future? will it be customizable?).

~~~
mappu
GPL Unison?

Add in encfs with a cheap storage VPS for off-site redundancy. It should run
on android too if you have a normal-looking chroot installed.

~~~
smackay
Unison was the first thing I tried after moving away from DropBox. The main
problem I had with it was that both machines involved in the syncing had to be
running which made moving from laptop to desktop not as seamless as I would
have liked. Still the syncing process was flawless. I had better results using
Seafile, [http://seafile.com/en/home/](http://seafile.com/en/home/), their
free account was sufficient for my needs and worked great. You can self-host
if you are worried about keeping control of your files.

~~~
Already__Taken
You'll have that problem with anything you don't run yourself so that seems
like an unfair complaint. Can't this sync desktop <-> server and laptop <->
server?

~~~
moe
I ran unison for a while but the conflict resolution was unfortunately
lacking. It repeatedly stopped sync'ing properly until I intervened manually.

A few months ago I switched to csync[1], which looks better so far.

[1] [https://www.csync.org/](https://www.csync.org/)

~~~
a3_nm
The last csync release is from August 2013. Is the project still alive?

~~~
moe
I don't know. It simply works for me ever since I installed it (on linux and
OSX) so I never bothered to check for updates.

------
quotemstr
Process Monitor[1] will show you every filesystem call Dropbox is making.
(Like strace.) That should confirm or refute this article's claims.

(You could also just collect an ETW trace and analyze it in xperf (err, WPA,
of course) yourself.)

[1] [https://technet.microsoft.com/en-us/library/bb896645.aspx](https://technet.microsoft.com/en-us/library/bb896645.aspx)

~~~
beaugunderson
I copied a file in C:\ and saw Dropbox access it a few moments later, followed
by network activity:

[http://cl.ly/image/443Y1S092g1R](http://cl.ly/image/443Y1S092g1R)

~~~
poizan42
Uhm no. It calls QueryBasicInformation and closes it again right after.

~~~
beaugunderson
Do you think QueryBasicInformation is a mischaracterization of the word
"access"?

~~~
quotemstr
QueryBasicInformation is like a subset of stat(2). It can't access a file's
contents. While I'd prefer Dropbox not to go looking at file metadata on my
whole device, I'd chalk this one up to over-eager coding and not some kind of
data-smuggling backdoor.
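
Added example, not part of the thread: the metadata-versus-content distinction made in the comments above, applied to a Process Monitor CSV export. It assumes ProcMon's default column layout; the sample rows, the user name `alice` and the sync folder path are constructed.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample in Process Monitor's default CSV export layout (assumed
# columns); paths, PIDs and the user name "alice" are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Dropbox.exe","4120","CreateFile","C:\copy.docx","SUCCESS","Desired Access: Read Attributes"
"10:01:02.1","Dropbox.exe","4120","QueryBasicInformationFile","C:\copy.docx","SUCCESS","FileAttributes: A"
"10:01:02.1","Dropbox.exe","4120","CloseFile","C:\copy.docx","SUCCESS",""
"10:01:05.0","Dropbox.exe","4120","CreateFile","C:\Users\alice\Dropbox\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:01:05.0","Dropbox.exe","4120","ReadFile","C:\Users\alice\Dropbox\notes.txt","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"10:01:05.1","Dropbox.exe","4120","ReadFile","C:\Users\alice\Dropbox\notes.txt","SUCCESS","Offset: 4,096, Length: 1,200"
"10:01:06.0","explorer.exe","900","ReadFile","C:\copy.docx","SUCCESS","Offset: 0, Length: 512"
'''

SYNC_ROOT = r"C:\Users\alice\Dropbox"  # hypothetical sync folder

# Operations that return file *contents*; everything else seen on a handle
# (QueryBasicInformationFile, CloseFile, ...) only touches metadata.
CONTENT_OPS = {"ReadFile"}
LENGTH_RE = re.compile(r"Length: ([\d,]+)")


def inside(path, root):
    """True if path is root or below it (Windows paths compare case-insensitively)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents


def summarize(csv_text, process, root):
    """Per path touched by `process`: operations seen, bytes read, verdict."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"].lower() != process.lower():
            continue  # events from other processes are not evidence here
        entry = report.setdefault(row["Path"], {
            "inside_sync_root": inside(row["Path"], root),
            "ops": set(), "bytes_read": 0, "verdict": "metadata-only"})
        entry["ops"].add(row["Operation"])
        if row["Operation"] in CONTENT_OPS and row["Result"] == "SUCCESS":
            m = LENGTH_RE.search(row["Detail"])
            # ProcMon prints lengths with thousands separators ("4,096").
            entry["bytes_read"] += int(m.group(1).replace(",", "")) if m else 0
            entry["verdict"] = "content-read"
    return report


def outside_content_reads(report):
    """Paths outside the sync folder whose contents were actually read."""
    return sorted(p for p, e in report.items()
                  if not e["inside_sync_root"] and e["verdict"] == "content-read")


if __name__ == "__main__":
    rep = summarize(SAMPLE_CSV, "Dropbox.exe", SYNC_ROOT)
    for path, e in rep.items():
        print(path, e["verdict"], e["bytes_read"], sorted(e["ops"]))
    print("content reads outside sync root:", outside_content_reads(rep))
```

An empty result from `outside_content_reads` means the capture shows only metadata queries outside the sync folder, which is the case the thread is arguing about.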

------
fabian2k
I don't see any evidence that Dropbox actually transfers files, and I'd be
very surprised if that would actually happen.

But if the information is correct, it does transfer some kind of information
to the Dropbox servers directly after accessing files outside the sync folder.
I would have liked an examination of the transferred data, or at least a
comparison of the amount of data transferred compared to the size of the
accessed file.

~~~
alkonaut
There are different levels of information, with the last being the actual file
contents. I doubt dropbox would sync file contents from unrelated files (that
would be the biggest security scandal ever), but there are multiple levels of
metadata that you may or may not expect Dropbox to upload. If something is
uploaded after you create a file in a separate directory, I'm guessing it's
one of two things

1) metadata such as a timestamp when all files in the _synced_ folder were
found up to date.

2) metadata about the non-synced file changes, such as timestamps, checksums
or etc.

While 2 isn't an upload of the file contents, it's still bad enough. I
wouldn't expect Dropbox to upload any data OR metadata related to my unsynced
files _at all_.

------
Scaevolus
This is probably an unfortunate combination of a broad watch for file changes,
code that opens changed files to determine whether to proceed (hacks for
hardlinks/junction points? collecting more information before bubbling the
event up to higher layers?), and built-in analytics.

I'd be shocked if it's actually _uploading_ a comparably sized payload.

------
jinushaun
_shakes head_

No, Dropbox is not stealing your stuff. Apparently people have never heard of
Windows Shell Extensions, the approved non-hacky way to overlay icons over
files.

[https://msdn.microsoft.com/en-us/library/windows/desktop/bb761267(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/bb761267(v=vs.85).aspx)

The tortoise apps do the same thing to overlay Git/Hg/Svn icons.

------
greenleafjacob
    inotify_add_watch(29, "/root/Dropbox", IN_MODIFY|IN_ATTRIB|IN_CLOSE_WRITE|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF) = 1

Dropbox's call to inotify_add_watch [1] is properly scoped so this is either a
platform problem (but it looks like Windows' analogous API [3] allows only one
directory to be monitored), sloppy development on Windows, or something else.
I ran Dropbox under a Docker container under strace and grepped strace's logs
for inotify and got this [2]. At least on Linux, it's impossible for Dropbox
to receive any notifications about new files outside the Dropbox folder.

[1]: [http://man7.org/linux/man-pages/man2/inotify_add_watch.2.html](http://man7.org/linux/man-pages/man2/inotify_add_watch.2.html)

[2]: [http://pastie.org/9995412](http://pastie.org/9995412)

[3]: [https://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx](https://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx)
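
Added example, not part of the thread: a scope check over strace output like the one described in the comment above, listing every `inotify_add_watch` call and flagging watches established outside the sync folder. Only the first sample line comes from the comment; the other lines are constructed, and paths are assumed to be plain ASCII with no symlinks to resolve.

```python
import posixpath
import re

# First line is the call quoted in the comment; the rest are constructed
# variations (a subdirectory, a "..", a look-alike prefix, a failed call).
SAMPLE_STRACE = '''\
inotify_add_watch(29, "/root/Dropbox", IN_MODIFY|IN_ATTRIB|IN_CLOSE_WRITE|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF) = 1
[pid   412] inotify_add_watch(29, "/root/Dropbox/Photos", IN_MODIFY|IN_CREATE|IN_DELETE) = 2
[pid   412] inotify_add_watch(29, "/root/Dropbox/../Documents", IN_MODIFY|IN_CREATE) = 3
[pid   412] inotify_add_watch(29, "/root/Dropbox-old", IN_CREATE) = 4
[pid   412] inotify_add_watch(29, "/root/Dropbox/gone", IN_CREATE) = -1 ENOENT (No such file or directory)
'''

WATCH_RE = re.compile(
    r'inotify_add_watch\((\d+), "([^"]*)", ([A-Z0-9_|]+)\)\s*= (-?\d+)')


def in_scope(path, root):
    """True if the normalized path is the root or below it.

    Comparing on a path-separator boundary keeps "/root/Dropbox-old" from
    passing as a child of "/root/Dropbox"; normpath collapses "..".
    """
    norm, root = posixpath.normpath(path), posixpath.normpath(root)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


def parse_watches(log, root):
    """One record per inotify_add_watch call found in the strace log."""
    watches = []
    for m in WATCH_RE.finditer(log):
        fd, path, mask, ret = m.groups()
        watches.append({
            "path": posixpath.normpath(path),
            "mask": mask.split("|"),
            "established": int(ret) >= 0,   # -1 means the call failed
            "in_scope": in_scope(path, root),
        })
    return watches


def out_of_scope(log, root):
    """Paths of successfully established watches outside the sync folder."""
    return [w["path"] for w in parse_watches(log, root)
            if w["established"] and not w["in_scope"]]


if __name__ == "__main__":
    for w in parse_watches(SAMPLE_STRACE, "/root/Dropbox"):
        print(w["path"], "ok" if w["in_scope"] else "OUTSIDE", w["established"])
    print("out of scope:", out_of_scope(SAMPLE_STRACE, "/root/Dropbox"))
```

inotify watches are per directory and not recursive, so a client that stays in scope shows one call per directory under the sync folder and an empty `out_of_scope` list.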

------
zaroth
"Access" is a bit vague. It's one thing if their 'fstat' is leaking, it's
another thing if they are actually reading all the bytes of those files.

Another piece of evidence I'd like to see is a mitmproxy checking out what's
under that TLS session. Improper local reads are one thing, it's another thing
entirely if they are communicating back file names, hashes and/or the actual
file data.

~~~
merlish
My personal theory is it's something to do with Dropbox's Explorer shell
extension.

(But I really don't know enough to say for sure. Still, if the shell extension
mechanism is such that you get a file or list of files, it'd need to figure
out whether they're in a Dropbox folder or not and play with the icons.)

------
flipp3r
I'm not a Dropbox user, but why doesn't anyone with Dropbox just install a
local proxy and try to read out the requests made to the Dropbox servers? The
speculations on spying, etc. in this thread are completely worthless, just look
at what they're sending to the servers.

~~~
pudquick
FYI - they do certificate pinning for their clients and won't let you proxy
the HTTPS connections, last I checked.

I'm not saying this as cause for alarm. Obviously if they were sending the
files you could measure the volume of traffic if nothing else.

Make a completely random non-compressible file that's of an arbitrarily
significant size (say 1M+) and see if that amount of traffic goes out to them.

I do think Dropbox is watching for filesystem events outside of the locations
users specify, but I see zero evidence they're uploading information about the
files / the files themselves so far.

~~~
kweinber
If anyone has a Lenovo box, they could use its Superfish feature to get around
this.

~~~
zwily
Superfish doesn't get around pinned certificates.

~~~
lucb1e
Plus, anyone can create a root certificate and install it in their own trust
store. You don't need Superfish.

I think kweinber was kidding, though.

------
psk
Synchronizing all your files sounds like space-waste. It would be trivial to
determine if dropbox does that, simply by monitoring the number of bytes sent
to dropbox (Create a new file of size x, determine if the stream to dropbox
transmits at least x amount of bytes) or by replacing the SSL certificate in
the program with your own and then set up a fake server (This would be harder)
to determine exactly what is being transmitted.

If this is indeed something nefarious, I would much rather assume it would
transmit file hashes rather than the files themselves. Although I can't possibly
imagine this is actually true, the implications would be devastating for
dropbox and it should be easy to verify by an independent third party.

~~~
onderkalaci
Dropbox does not allow SSL interception of its traffic. It immediately errors
out saying host is not trusted or smth else.

~~~
mahouse
Probably cert pinning.

------
bobofettfett
What if they upload file hashes? What if they upload name+type+size to
fingerprint files? They don't need to upload file contents for fingerprinting
your drive content.

~~~
yc1010
Hmm there is a business model right there!

Fingerprint popular torrent movie/tv/games etc files and then monitor (via
dropbox) their spread and how many computers around the world they end up on,
I bet movie studios would love to measure exactly how much piracy affects them

shiiiittt

~~~
bobofettfett
And we know automatic DMCA bots work on size and name alone.

------
geofft
If taken at face value, this implies that Dropbox is spending their own
bandwidth and storage space for data that's potentially much bigger than your
actual shared folder, without charging you for it.

What's actually going on here? What sort of false positives might we expect
from such a program?

~~~
orik
The article draws a pretty solid argument, if you wanted to confirm results
yourself I'd suggest creating a windows vm, installing dropbox, and getting a
packet capture of the traffic leaving when you drop a .docx file in the C://
directory.

It's not a stretch of the imagination that dropbox could still be making a
profit spending bandwidth and storage space this way. I can think of a
government agency or two that would re-imburse the costs.

~~~
agopaul
You say solid, but I don't see any proof that the client actually sends the
file. Without something like a strace analysis, you can't really know for sure
if the file was even read completely and sent to the Dropbox servers.

~~~
cevn
I really, really doubt that the client actually sends the file. But, imagine
if they read only metadata and uploaded that.

I agree with what another commenter brought up - it's probably just
unfortunately overaggressive 'filesystem-watch' code - IE when you change a
file it checks to see if it needs to be synced and re-uploaded. It shouldn't
be able to affect other files, though. Makes me wish we had more nuanced
security controls, like per-app permissions a la Android/IOS.

~~~
agopaul
I thought the same thing: maybe eventually desktop OSes will have some sort of
permission control like on mobile

------
stared
I know that HN is not a help desk, but I have noticed DropboxOriginal eating a
lot of my CPU (on OS X), when I am writing files to folders which are NOT
under (official) control of Dropbox (or at least: out Dropbox folder, not
synchronized). Any ways to block this behavior on OS X?

Security aside, it is really annoying for scripts which modify a lot of files.

------
chinathrow
[http://www.drop-dropbox.com/](http://www.drop-dropbox.com/)

------
mietek667
Dropbox doesn't access all your files, it just hooks to explorer.exe and then
whatever directory you open in explorer Dropbox will query info about that
directory, files and subdirectories. To test this, just close every explorer
window, run Total Commander and Process Monitor, and use Total Commander to do
your stuff, you will see that Dropbox won't be querying directories/files.

And about those connections to dropbox servers, it needs them to sync files if
they were uploaded from another computer/smartphone.

------
vferreira
The article covers the dropbox app on windows. How about other platforms,
like OS X?

~~~
1_player
I've just run a quick strace on Linux but I don't see it accessing anything
outside my ~/Dropbox folder.

~~~
greenleafjacob
It calls inotify on the Dropbox folder only
[https://news.ycombinator.com/item?id=9136831](https://news.ycombinator.com/item?id=9136831)

------
blergh123
I didn't really think about it before, but I now feel very uncomfortable that
Dropbox has copies of my unencrypted files. I would feel much better if the
files were encrypted before being synched. Is there a service that does this?

I don't want Dropbox to be able to see the contents of my file system at their
end.

~~~
pmontra
If you don't trust Dropbox you should encrypt your files before copying them
to the Dropbox folder because you can't trust the client too. You should
encrypt them with a key the client cannot read from fs. Basically you're going
to use it as a backup service because you won't be able to work on files in
the DB folder. Maybe one of those file systems that work in user space and
store only encrypted data will do. Check this
[http://www.howtogeek.com/121737/how-to-encrypt-cloud-storage-on-linux-and-windows-with-encfs/](http://www.howtogeek.com/121737/how-to-encrypt-cloud-storage-on-linux-and-windows-with-encfs/)

------
java-man
"collect it all"

But I wonder why we don't have application isolation as a basic design
principle. Imagine an OS where applications/services each get their own mini-
filesystem, without ability to access each other's data. Would that work?

~~~
tjohns
That's the basic idea behind sandboxing, and it's a model that a lot of newer
OSes are moving towards, especially in mobile.

Android does this for all apps, as does iOS. MacOS is also doing it for apps
downloaded from the App Store.

On the server side, that's also one of the things that Docker gives you.

~~~
java-man
So, if someone finds a vulnerability in Docker software and roots a process,
your filesystem is safe?

The idea is not sandboxing, it's "multiverse". Each process, even an OS one,
gets its own little filesystem, and connects to a limited set of interfaces
explicitly permitted by the user (and that can be audited by the user).

~~~
tjohns
> So, if someone finds a vulnerability in Docker software and roots a process,
> your filesystem is safe?

You could make the same argument about a vulnerability in the OS itself.
There's nothing magic about kernel code that gives it extra protection here.
:)

In fact, I'd argue that the most probable attack against Docker would already
be via a vulnerability in the OS. Docker uses a lot of kernel-level
technologies, like cgroups. Beyond that, the most likely way to escape a
Docker sandbox would be by finding a buggy syscall, since these weren't always
designed with containers in mind.

This presentation is a good overview of Docker's attack surface:
[http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security](http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security)

> Each process, even an OS one, gets its own little filesystem, and connects
> to a limited set of interfaces explicitly permitted by the user (and that
> can be audited by the user).

That would be an interesting research project, at the very least. You'd
probably have to rewrite much of userspace, since it breaks many of the
assumptions the current generation of system tools rely on.

------
Fice
They might or might not steal your files, but the mere fact that to use their
service you have to install proprietary software is a reason not to trust
them.

~~~
ytdht
You don't have to install any Dropbox software besides using the web app...
just like you don't have to install Chrome to use Gmail (yet)

------
itsbits
If it accesses the complete PC, why won't it display in the syncing list? Really
hope this is not the case, else I will plan to move away soon.

------
eps
This might be shallow, inaccurate and sensationalist in tone, but it is
inherently alarming.

Getting a list of files from the good old /Torrents directory that everyone
has, but pretends they don't, can be incriminating enough to raise some very
serious privacy issues. They can explain this any way they want, but Dropbox
certainly has no business accessing any files outside of its config and its
sync folders.

------
ismailmechbal
[http://www.drop-dropbox.com/](http://www.drop-dropbox.com/)

------
anilmujagic
Is there (likely to be) an official response from Dropbox?

------
h1fra
They are probably doing statistics about our files not syncing the entire
drive.

Which is not cool either

~~~
dyoo1979
You are making a conjecture, assuming it's true, and then chastising them for
it. That's a bit hasty, no?

~~~
huhtenberg
He is saying that even if they are doing it for benign reasons, it still goes
against reasonable user expectations. What's "hasty" about it?

------
yuashizuki
Snowden warned us not to use dropbox.

------
amitagrawal
First, the appointment of Condoleezza Rice to their board and now accessing
and uploading folder information without explicit permissions!

I'm going to stop using Dropbox now.

------
ivanche
_As you see below, Dropbox says that "only checked folders will sync to this
computer"_

Very interesting wording. I don't want to play conspiracy theory, but it only
says what will sync to the computer. It doesn't say anything about what will
sync (or upload) to the cloud.

~~~
frossie
That is because that is the ACTUAL purpose of that (Selective Sync) dialogue
he is showing, contrary to his implication that it is related to upload
configuration. When you have 2 work computers and one personal laptop, perhaps
you have a CAD Drawings folder that you would like to sync between your work
computers but don't want 100 GB of work stuff on your personal laptop. What
the Selective Sync feature allows you to do is untick "CAD Drawings" on your
laptop Dropbox settings, so that you don't fill up your disk with stuff you
don't want in that machine's context. It's a nice feature.

~~~
army
Nice feature or cunning conspiracy you be the judge.

------
pearjuice
In a while, this will be disregarded as a bug, might be fixed and maybe
Dropbox will even state that they apologize and will be deleting all mistakenly
uploaded files from their server(s).

But you don't know. The lesson to be learned here is that proprietary software
cannot be trusted.

[https://www.gnu.org/philosophy/can-you-trust.en.html](https://www.gnu.org/philosophy/can-you-trust.en.html)

~~~
aram
I'm curious - why is this downvoted?

~~~
mahouse
I can't downvote anything, but I can only guess it's being downvoted for being
propaganda.

~~~
aram
Propaganda of what exactly? That we shouldn't trust proprietary software?

