
Marco Arment on Dropbox: Don't use it for anything valuable - rsobers
http://blog.varonis.com/marco-arment-on-dropbox-dont-use-it-for-anything-valuable/
======
gurkendoktor
If you think Dropbox is bad, what about the recent preview of Office 2013 that
stores _all business documents in the cloud by default_? (I haven't been able
to find any mention of client-side encryption.)

Non-US governments should seriously consider anything from sales bans to
education in order to protect their citizens' privacy and business secrets.

~~~
ghurlman
You mean the preview that isn't licensed for production use? That Microsoft
warns you away from using for anything useful? That preview?

~~~
glhaynes
Isn't the point that the released version is expected to behave the same way?

~~~
ghurlman
If you buy the cloud version, you get the cloud stuff. There will be a
standalone version that works like it's always worked.

------
rickmb
I find this kind of odd. I wouldn't store anything valuable on my own systems
either unless I held the encryption key.

When it comes to accidental data loss, I trust cloud services a lot more than
my own little server. Ditto as far as security is concerned (in that I assume
neither of them are safe from being compromised).

If you encrypt it yourself, Dropbox is an excellent place to store anything
valuable. Just make sure it's not the _only_ place you store it.

~~~
ed209
_> Just make sure it's not the only place you store it._

This is the main problem for me. I'd love to have my working files (say
photoshop files) in dropbox so I could access them on any mac I use, but I
don't trust it to hold the master file. All it takes is for it to be flattened
in one place and I lose layers everywhere.

Does anyone know of products that clone files to Dropbox? Almost like
TimeMachine with dropbox as the target?

~~~
timaelliott
I use <http://sugarsync.com> personally which provides versioning and also
lets you arbitrarily sync directories, not just the 'dropbox' one.

~~~
Splines
Nice to see a sync solution that lets me sync arbitrary folders. I was
thinking of building a layer on top of dropbox for myself, but this works
great. Thanks for the recommendation!

------
andrewparker
I wonder if Marco hosts his own email? Email's the place where
embarrassing/sensitive information is most commonly stored, not the FS.

~~~
arthurgibson
Email was designed to be explicitly private, where file sharing, well, it's file
sharing.

~~~
aw3c2
I wish. Mail is designed to be not private at all. It is transferred
unencrypted through the internet unless you as user take care of upper level
encryption.

------
axx
I don't see any reason to be shocked about Marco's statement about Dropbox.

Dropbox has the only advantage to be the first cloud-storage provider who
gets the job done right. It's not Dropbox's security that made it so popular,
it's just how simple it is to set up. Create an account, download the
client, insert credentials and BAM you're ready to go.

There is also an alternative to Dropbox called "Sparkleshare"
(<http://sparkleshare.org/>); it's nearly equal to Dropbox's functionality
(except the web interface). The only reason why I'm not using it (yet) is the
fact that they use their own IRC server to keep your data in sync (some kind
of sync-messaging between your client machines).

So if you're having real security concerns, you can use Sparkleshare and use
your own IRC server
(<https://github.com/hbons/SparkleShare/wiki/Notification-service>).
Rent a small/slowish VPS with enough hdd space for your needs, run
Sparkleshare on it and you have your own Dropbox. :)

~~~
nroach
That's fine if you're storing only small files, but sparkleshare is based on
git and absolutely chokes on large files. So photos, home movies, and the like
which live happily on Dropbox are a disaster on Sparkleshare. The main reason
seems to be that it wants to buffer the entire file in RAM during the sync,
which rapidly kills most consumer-grade machines.

~~~
axx
Oh, afaik, isn't Dropbox also based on Git?

"home movies" - I see what you did there!

------
stephengillie
_“Anything that is really sensitive or extremely valuable or needs to be kept
very secret, I wouldn’t store on anybody else’s servers. That, to me, seems
ridiculous unless I held the encryption keys like with the online backup
service that I use.”_

He doesn't say anything specific about Dropbox that couldn't be applied to
other cloud-storage locations.

~~~
rarrrrrr
Several cloud storage vendors including SpiderOak, Wuala, and Tarsnap do
encryption client side, encrypting the data before it leaves your machine and
only decrypting it back on your machine. In the SpiderOak case, all we see
server side are sequentially numbered containers of encrypted data.

------
Kiro
Am I the only one who doesn't own any valuable data?

~~~
johncoltrane
No.

Not owning valuable stuff is nice, too. Losing everything you own because of a
basement fire is an eye opening experience.

------
mynegation
Unencrypted data is the main reason I am trying to move away from Dropbox to
SpiderOak that at least claims to encrypt stuff without knowing the key
(cannot verify that as their client is closed source). The setup of SpiderOak
seems a bit more complicated compared to Dropbox though.

------
mattmaroon
I just throw sensitive stuff inside a truecrypt volume. Dropbox works pretty
well for that, as long as you don't leave the volume open on one pc and then
log into it from the next. Even then you just have a second copy you have to
reconcile with the first.

~~~
patdennis
I do this too. The only problem I have is that, for my larger sensitive
folders, any small change will result in Dropbox having to sync the whole
(often multiple gig) volume. Which is only really annoying if you're trying to
access these things through a slow connection.

~~~
makaio
I use encfs instead because it encrypts at the individual file level, so there
is no need to sync an entire volume. Additionally the volume can be mounted on
multiple computers simultaneously without causing sync conflicts.

<http://www.packetslave.com/2011/04/21/dropbox-encryption-w-encfs-on-macos-x/>

------
mcmillion
While I agree, this is kind of a no-brainer. Dropbox is a great service,
especially for keeping settings and such in sync, but anything that needs to
be kept private should probably be kept...private.

------
giulianob
Why not just encrypt your data with your own keys as well
(<https://www.boxcryptor.com/>)?

~~~
domador
I've been doing that for Dropbox, indeed, since the last security scandal,
many months ago.

------
mtgx
Can we please get a good cloud storage provider from Europe? I'm getting
really tired of American companies snooping on our data at will, or the US
Government snooping on it at will as well, without even a Court order, just
because they passed a law that says they can do that, or sometimes even
illegally.

~~~
stephengillie
Or maybe one hosted on one of the Pacific islands which is supposed to be a
privacy and tax haven?

~~~
goatforce5
I'd be concerned that it would be relatively easy for someone to bribe a
government/police/datacenter official to physically get at the servers located
in a developing country that held my data.

------
1SaltwaterC
Nobody stops people from using a stackable encrypted filesystem such as EncFS or
eCryptfs over Dropbox. This "cloud security snafu" thing is getting old.

~~~
rsobers
Yes, but out of 25,000,000 users, how many of them know what encryption is,
never mind EncFS? The important point is that it's generally a good idea to
treat anything you don't control as nearly public.

~~~
lvh
How many of those users care or need to know what encryption is? The argument
appears to be that users treat Dropbox like a private store when it isn't, and
somehow that's Dropbox's fault.

~~~
1SaltwaterC
Their privacy policy contains some interesting stuff about your actual
privacy: "Compliance with Laws and Law Enforcement Requests; Protection of
Dropbox's Rights". Also, the "Security Overview" page explains that the files
are encrypted by themselves after they are uploaded, plus the fact that they
manage the encryption keys. Combine that with the previous statement. Dropbox
is responsible for what they say. It isn't responsible for what the user
understands, or the fact that people don't properly read/understand ToS'es.

People that care about their privacy, take measures.

------
rwhitman
Is there a more secure cloud drive option for sensitive data out there that is
as convenient as Dropbox or Google drive etc?

~~~
mdc
I use TrueCrypt to create encrypted files containing the sensitive data I want
on the cloud. TrueCrypt is free and quick to install, so I can pretty easily
access the files from any computer if I need to.

~~~
mynegation
While this (and other things mentioned like EncFS) is a solution, it
integrates badly with user experience. I cannot access my data via web
interface or smartphone app and I value this very much.

It is a bit complicated, but you _can_ create a smartphone application and web
interface for the data encrypted on a server.

------
jsvaughan
Value to you doesn't equate to value to someone else

------
chmars
I guess Marco Arment doesn't use iCloud either?!

------
xwowsersx
So what online backup service does Marco use?

~~~
rsobers
I think he said he uses Backblaze (on a different episode), but don't quote
me. It's either that or CrashPlan.

~~~
rdl
With Crashplan you can also host your own server (setting that up myself);
it's an annoying piece of Java, but we had a spare 40TB box or two lying
around.

