

Dropbox sued for June 19 Authentication Bug - mtviewdave
http://www.consumeraffairs.com/news04/2011/06/cloud-site-dropbox-drops-the-ball.html

======
darklajid
Disclaimer: Subjective, no offense intended.

This is once again proving that, while I understand the language, probably
shop the same things, the USA is a strange place for me. This 'just sue'
culture seems weird. It seems that the whole point is to run to the court and
claim 'He did something wrong. Please spend a lot of time to check that I
actually have a point and if I'm lucky, please define a grossly exaggerated
sum in damages'.

I _know_ I'll take flak for this, but it warps my mind. The nation that
always, even if it hurts, defends the right of free speech, seems to be severely
limited elsewhere. It sure looks like you can _say_ anything, but _doing_
anything could lead to a nightmarish jungle (political
correctness/discrimination, braindead users don't get the concept of 'hot
coffee' and it's your fault, chocolate eggs with toys inside are mightily
dangerous) of potential problems.

~~~
tomjen3
>braindead users don't get the concept of 'hot coffee' and it's your fault

The coffee was served hotter than it should have been, and vastly hotter than
it would have been if it had been taken from the machine at home, it was
served in a cup that was so difficult to open that the customer had to put it
between her legs, and when the coffee was spilled she suffered 3rd degree
burns to her crotch.

And she only asked that they paid her medical expenses. It was the jury who
gave her all those millions.

~~~
darklajid
Okay, okay. I don't claim to be an expert on that case.

But: If you buy coffee, it's hot enough to hurt you (or it's crap. There's a
range of temperatures that are decent, and personal factors determine what is
deemed too hot as well).

I don't buy the 'had to put between the legs to open the cup' thing. In that
case don't do it near your private parts, open it properly. Not between your
legs, probably sitting in a car. Why is there no applied concept of common
sense?

Leaving the whole cause of the accident aside, the next part really
emphasized my point:

The jury gives you millions for 'damage'. Let's not discuss if the problem was
the person suing, but what you have to think about is this:

What message are you sending out, if someone suing a company for (arguably
only) slightly irritating service (a couple degrees ~too~ hot, usability
issues with a coffee cup, both probably annoying but didn't completely destroy
the tiny rest of that company's customers..) could get you the FU money this
community is often obsessed about? If you asked for the money on day one of
the trial or made the jury feel so sorry for you that they drown you in money
at the end is not relevant.

Which leads to my first post again: A culture of fear for being sued, with
damages completely out of proportion [1].

1: In a large area of the world. I understand that it can seem completely
normal if you limit your view to the area where this is happening.

~~~
ohyes
It was hot enough to melt her genitals and cause serious disfigurement. If she
had spilled it anywhere, she would have been seriously injured...

The coffee was scalding hot. The temperature of the coffee was from a
corporate order intended to save a few bucks on having to re-brew coffee. The
McDonald's corporation was negligent.

In this case, Dropbox was horribly negligent. Releasing all of the data in my
Dropbox folder to everyone is not a 'minor inconvenience'. It is a big fucking
deal, particularly if I had no idea it could happen so easily, and I am paying
them under the assumption that their service is relatively secure.

~~~
yaix
How do you heat liquid water to more than 100°C? Coffee is supposed to be just
below 100°C when you brew it, or it is not good. Goes for home made or McD
coffee. Whatever, maybe in some parts of the world, the laws of physics don't
apply and liquid water does not lose energy through evaporation...

Back on topic: Dropbox is telling everybody that they are "encrypting" stuff
on their drives. How do they decrypt without a password? This case is much
different from the "stupid McD coffee customer" case, because details on cloud
storage technicalities are not common knowledge, whereas "boiling water may be
hot" kinda is.

~~~
pyre

> "boiling water may be hot"

Most people don't equate 'boiling water' with 'coffee.' Sure you need to boil
water to brew it, but I've never been handed a bubbling cup of coffee.

~~~
joesb
> "hot coffee may be hot"

~~~
pyre
"hot liquid" and "liquid so hot that it will burn my skin" are not necessarily
the same thing. Unless you think that people should feel afraid of a _hot_
bath or a _hot_ tub (or even going to a _hot_ spring).

In more precise terms, 'boiling' is a subset of 'hot.'

~~~
yaix
Wow, you all are really discussing this? If "hot" may mean "hot" or just "hot"
and if the fact that hot coffee is hot is common knowledge?

Thanks, now I understand why it is so important to write obvious things on
products in the USA. Maybe it actually is necessary...

------
tzury
According to the TOS, which all drop box users claimed of "reading and
agreeing with" he's got no case ($100 at most)

see <https://www.dropbox.com/terms#terms>

Cloud brings risks, one shall be aware of it, and do the math of
advantages/disadvantages.

I will keep my dropbox account, despite that incident, and know deep in my
heart that such a glitch can happen to me as well, no matter how well my
develop/test/deploy routine is designed.

Having said that, I will never have anything highly sensitive on any hosted
machine, no matter who the provider is, unless it is strongly encrypted (that
includes, pgp for sensitive mail (gmail) attachments, etc.)

I really hope dropbox will learn from this and continue to improve their service
as they have been doing since day one.

from the terms page:

    
    
        IN NO EVENT WILL DROPBOX BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR DAMAGES OF ANY KIND, INCLUDING, 
        WITHOUT LIMITATION, DIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF 
        USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, OR FROM YOUR 
        ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SITE, CONTENT, FILES AND/OR SERVICES, OR FOR 
        ANY ERROR OR DEFECT IN THE SITE, CONTENT, FILES OR SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY 
        CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, OR 
        ANY OTHER LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, 
        EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. YOU SPECIFICALLY 
        ACKNOWLEDGE THAT DROPBOX IS NOT LIABLE FOR THE DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS
         OR THIRD PARTIES AND THAT THE RISK OF INJURY FROM THE FOREGOING RESTS ENTIRELY WITH YOU. FURTHER, 
        DROPBOX WILL HAVE NO LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY THIRD PARTY CONTENT UPLOADED ONTO 
        OR DOWNLOADED FROM THE SITE OR THROUGH THE SERVICES AND/OR THE FILES, OR IF YOUR DATA IS LOST, 
        CORRUPTED OR EXPOSED TO UNINTENDED THIRD PARTIES.
    
        FREE ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU FOR ANY AND ALL CLAIMS 
        ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR SERVICES IS LIMITED TO TWENTY ($20) U.S. 
        DOLLARS. THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE 
        BARGAIN BETWEEN DROPBOX AND YOU.
    
        PREMIUM ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU FOR ANY AND ALL 
        CLAIMS ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR SERVICES IS LIMITED TO LOWER OF THE 
        AMOUNTS YOU HAVE PAID TO DROPBOX DURING THE THREE MONTH PERIOD PRIOR TO SUCH CLAIM, FOR ACCESS TO AND 
        USE OF THE SITE, CONTENT, FILES OR SERVICES, OR ONE-HUNDRED ($100) DOLLARS. THE LIMITATIONS OF DAMAGES
         SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN DROPBOX AND YOU.

~~~
ry0ohki
I've always wondered if these really work. We all use these EULAs and TOS that
essentially say "you can't sue us for anything no matter what!" but I have a
feeling that kind of thing doesn't actually hold up in court.

~~~
Maxious
It doesn't, that's why they have:

> Severability
>
> In the event that any provision of these Terms of Service is held to be
> invalid or unenforceable, the remaining provisions of these Terms of Service
> will remain in full force and effect.

In Australia, Europe and the UK, there are laws that make "unfair" clauses
unenforceable... where unfair includes all kinds of things you see in every
consumer level contract like no liability for death/injury or avoiding
delivery with no notice or compensation.

For US examples, see "The Puzzling Persistence of Unenforceable Contract
Terms"
<http://moritzlaw.osu.edu/lawjournal/issues/volume70/number5/Sullivan.pdf>

~~~
willyt
In the UK the legislation is 'the unfair contract terms act 1977'.
<http://www.legislation.gov.uk/ukpga/1977/50> Also, the case law suggests that
if you are providing a professional service your appointment should make it
clear that you will take 'reasonable skill and care' in carrying out the
services otherwise you will be judged as to whether the service you have
provided is 'fit for purpose' which is a much harder test to pass. I don't know
if this test would apply to SAAS T&C's and IANAL by the way. Edit: Clarity &
Bad grammar.

------
thirsteh
I'm sorry, but good. When you respond to such a serious issue with anything
less than an immediate email announcement to your entire userbase, and
especially if your eventual announcement is an unapologetic, obscure blog post
stating something like "that wasn't supposed to happen"/"that wasn't okay",
you show that you care very little about the integrity and safety of your
users' data.

~~~
breck
I think in this case the critical issue was that they needed to focus 100% of
their efforts on preventing the damage to those <100 users whose accounts were
accessed. Some person out there could now be inflicting serious harm on these
<100 people. I'm really hoping Dropbox is working with the authorities to
catch him or her and minimize the potential damage.

I emailed Dropbox asking if my account was accessed and they replied quickly
saying no it wasn't. I think that's a perfectly good response.

A mistake was made, and 1 person made a terrible decision to take advantage of
it. I hope we can all rally around Dropbox and cut them some slack so they can
do all they can for these <100 users who should have huge concerns.

When they've resolved the crisis, then if you want to complain about them it'd
be the time to do so. Right now I just hope they are doing everything they can
for the seriously affected users, because if I was one of those users that's
what I would want.

~~~
pavel_lishin
They can't multi-task, and send one PR guy out to send a batch of e-mails
informing their users what happened? Literally everyone in the company was
chasing down this one miscreant?

~~~
breck
Think of how many customers would call and email them if they did a blast
email. 1 million maybe? It would be a self inflicted ddos.

------
tptacek
Here's the actual complaint:

<http://www.courthousenews.com/2011/06/24/Dropbox%2016.pdf>

Claims (bracketed comments mine):

1\. Unfair competition (per California's law) caused damages [ _by for
instance causing people to pick Dropbox instead of some other less expensive
storage solution._ ]

2\. Invasion of privacy, for which punitive damages are being sought.

3\. Negligence [ _for enabling that invasion of privacy_ ], for which actual
damages are being sought [ _whatever those might be... maybe things like,
billable time being spent moving files off Dropbox?_ ].

4\. Breach of express warranty, for which the purchase price of Dropbox is
sought.

5\. Breach of implied warranty, for which the purchase price of Dropbox is
sought.

Not a lawyer, am a security practitioner, somewhat versed in the issues here,
and:

This probably doesn't go anywhere. Don't these cases have to pick up a certain
amount of steam before they matter? My sense of it is, as bad as the security
lapse at Dropbox appears to have been, it was an issue primarily for the
geekerati; "my mom" probably doesn't care, and might even assume stuff like
this happens all the time. If it did go somewhere, presumably Dropbox would
just provide vouchers for refunds for people who want to close their accounts.

There is, as I understand it, still no formal standard of due care required
for software vendors. There was no slam-dunk tort available for the plaintiffs
in the CardSystems case, where a card processor lost millions of credit cards.
Similarly, lapses in Microsoft code enabled tens of millions of machines to be
compromised during the "summer of worms", and the class action case brought
against it was dropped as well.

Meanwhile, contract law is of little use, because virtually every professional
piece of software is shipped with an airtight contract limiting the vendor's
liability for defects. This complaint alleges some form of breach of contract,
but it's entirely possible that such a claim dies a quick death when
reconciled against the Dropbox user agreement, which surely says something to
the effect of "shit happens, if you can't deal, use an external hard drive
instead".

For a 2005 perspective on the issue by two law professors, which reaches the
conclusion that we need to create a whole new tort ("negligent enablement of
cybercrime") to address the issue, check out:

<http://www.law.suffolk.edu/faculty/addinfo/rustad/rustad.koenig.final.pdf>

Without going into another 7 grafs of noodling about whether software
liability is a good idea or not, let me just say one thing I'm fairly
confident of: the industry cannot afford a "due care" standard for software.
Security flaws happen all the time, in everything anyone ships. You don't hear
about most of them. Simple supply & demand has driven software security bill
rates to very high levels, and that's largely without any legal mandate that
would effectively require everything to get assessed.

------
babar
Shouldn't someone have to show actual damages in order to sue? The California
Unfair Competition Act seems to be about unlawful, unfair or fraudulent
business practices - I don't immediately see how that is relevant.

My guess is this is going to just force Dropbox into some kind of settlement
because it will be cheaper than fighting it. And the lawyers promoting this
get a nice cut, of course.

Does corporate insurance cover this sort of thing? How does a company protect
itself from these kinds of lawsuits?

~~~
tezza
A friend of mine was a corporate insurer.

Whenever a large firm like dropbox made a clanger and got sued, the insurers
would work out how much negligence there was involved.

The insurers discussed the issue with the company and said "you were negligent
here, here and here" therefore "we're only going to cover you to X<100% of
your public liability"

So negligent actions are not covered by insurance, and some portion will still
have to be coughed up.

~~~
dctoedt
> _So negligent actions are not covered by insurance_

Depends on the kind of insurance. E&O (errors & omissions) most assuredly does
cover negligence.[1]

[1]
<http://en.wikipedia.org/wiki/Professional_liability_insurance#Errors_and_omissions_insurance>

------
random42
Dropbox's attitude towards users' data, privacy and security has been troubling,
and their responses have been less than comforting. They really need to do
some good PR/branding exercises to make sure they don't continue, on what looks
like a slippery slope to me.

~~~
iamichi
For this reason, I think I'm jumping ship now and moving to Spideroak or
Wuala.

------
erikb
THIS is the first time I read about this bug. How incredible is that not to
tell your users about that? But okay, if at all I expect it from dropbox. It's
already the second time they don't care about their promise so much (at least
towards me). I will quit them just now.

But to not say just bad things: This kind of info here on HN is so very much
important. That is exactly why I read here, to read what I can't read anywhere
else.

~~~
lancewiggs
I got an email notification from Dropbox on June 23rd as follows:

Hi Lance,

On June 19, 2011, we had a software bug that caused authentication issues. You
can read more about it in our blog post. Our records show that your account
wasn't improperly logged into during this time.

We are writing to you because one or more users you share a Dropbox folder
with logged into their account during that period. We have no reason to
believe that the login was improper, but in the unlikely event it was, there
could have been access to the information in the following shared folder:

foldername

We are very sorry as this never should have happened. We are implementing
additional safeguards to prevent this from happening again. If you have any
questions please contact us at support@dropbox.com

\- The Dropbox Team

~~~
lancewiggs
That's 00:01 on the 23rd New Zealand time - anywhere else it would have been
the 22nd.

------
furyg3
I'm pretty torn.

On the one side, this was a realllly stupid mistake that should have been
caught earlier, not by some external party who was kind enough to report it to
them. I feel like the stakes should be raised a bit for companies who are
keeping my data.

On the other side, fear of lawsuits leads toward less disclosure and
meaningless PR announcements.

~~~
allenp
I'm with you. I will point out that fear of lawsuits also leads to being more
careful.

------
jvandenbroeck
Interesting, I just had a course in which they say there's a difference
between risk for software companies and other companies.

If Toyota makes an error with their gas pedal, massive lawsuit. Bug in
Windows? Nobody even thinks about suing Microsoft although it brings countless
businesses in danger.

Ok there's a difference, but generally, people expect bugs in software and
they don't expect them in other goods. It's a huge market failure which
doesn't do software security any good.

Now for Dropbox, I hope this turns out well, I like Dropbox:-) but I don't
think suing for bugs is a bad evolution.

------
matt1
Say you run a small startup and accidentally push out a production bug like
this. What should your response be?

Does it matter whether it's been reported by someone else or you discover it
yourself? Does it matter whether you're a sole proprietor or a formal business
entity? And in general should you form an entity to shield yourself from
personal liability because of the remote chance something like this happens?
Does it matter what type of content is exposed (passwords, file storage, bingo
cards)? How do you decide?

~~~
buro9
Immediately lock-down, then communicate to all affected before doing a root
cause analysis and taking steps to ensure it doesn't happen again.

Dropbox faltered on the communication, and they made claims about their
security which haven't been backed up by practise.

They stated that they would communicate to those whose accounts were
'compromised', yet those 'affected' by this was literally every user they
have. They should've communicated to all, as that is who has been affected.

They also state and sell based on security, and do give you the feeling that
you are able to trust them, then when you do you find that they leave the door
open. So their claims of security haven't been backed up by the practise of
it.

Locking down was the right thing.

Communication was dire.

And there hasn't been a follow-up to demonstrate clearly that lessons were
learned, and that it cannot happen again. Hell, we haven't even heard if there
are now unit tests over this piece of code.

Just act ethically, clearly, and don't be afraid to have egg on your own face
by coming clean. But when you do this, come fully clean and be transparent.
Don't err, or dodge the details... just come clean, put your hands in the air
and admit you screwed up, and then say why you've learned and why it really
truly is not repeatable.

And if you've already had a security flaw or two preceding this... then stop
what the hell you're doing, stop working on new features, and go back and
check every line of code and look for every attack vector or flaw in your
processes and put them right.

They sell on securing our data... I want them to be paranoid on my behalf.

~~~
matt1
I can't help but feel like most of what you're saying doesn't really matter
with respect to getting sued or not.

Does it really matter whether they advertise that they are secure or not? If
security wasn't listed all of their site, would that have mattered?

Does it matter whether they wrote a lessons learned blog post?

And as far as communication goes, Drew did respond and I thought the response
was pretty good [1]. It was not immediate, nor should it have been. They had
to determine the extent of the breach, consult with their lawyers, devise an
appropriate strategy, etc.

It's not as simple as immediately notifying every account holder. That's
what... 30 million people? Less than 100 accounts were actually exploited--why
create mass hysteria when you can simply notify the small batch that were
actually impacted? As bad as this situation is for them, awareness is mostly
confined to the tech elite which in the grand scheme of things is a pretty
good outcome.

[1] <http://techcrunch.com/2011/06/24/dropbox-breach-fewer-than-100-accounts-affected-but-one-person-actively-exploited-it/>

------
sadlyNess
Would the "Limitations on Liability" section on their TOS help them in this
case?

FREE ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU
FOR ANY AND ALL CLAIMS ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR
SERVICES IS LIMITED TO TWENTY ($20) U.S. DOLLARS. THE LIMITATIONS OF DAMAGES
SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN
DROPBOX AND YOU.

PREMIUM ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO
YOU FOR ANY AND ALL CLAIMS ARISING FROM THE USE OF THE SITE, CONTENT, FILES
AND/OR SERVICES IS LIMITED TO LOWER OF THE AMOUNTS YOU HAVE PAID TO DROPBOX
DURING THE THREE MONTH PERIOD PRIOR TO SUCH CLAIM, FOR ACCESS TO AND USE OF
THE SITE, CONTENT, FILES OR SERVICES, OR ONE-HUNDRED ($100) DOLLARS. THE
LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS
OF THE BARGAIN BETWEEN DROPBOX AND YOU.

~~~
matt1
I'd love to hear a professional chime in here. Does adding this to your Terms
of Service actually have an impact?

If the answer is yes, why are the woman and her lawyer suing Dropbox anyway?

And if no, why do most Terms of Service include similar wording?

~~~
acangiano
My guess, and IANAL, is that it would hold in many courts, but not in
Californian ones. California seems to have little tolerance for contracts that
restrict basic freedoms (e.g., non-compete agreements.) In this case the basic
freedom is to be compensated according to the tort perpetrated, and not
limited to a specified arbitrary amount.

~~~
tptacek
My understanding is that these contract terms have teeth in California, just
like everywhere else. An enforceable contract doesn't mean you can't sue
Dropbox if they cough up your data to an attacker; it just means you sue for a
tort instead of breach-of-contract.

------
gyardley
Any company with even a small amount of success will be sued for any public
mistake, whether it violates the law or not - _especially_ if you're open and
transparent about what happened and why.

Class-action trolls, like patent trolls, are just another business risk.

~~~
rakkhi
Sure they were transparent? They didn't say what the bug was, how it was
introduced, what they are doing to stop it happening again. They didn't email
all their customers immediately.

~~~
gyardley
No, I'm not sure they were all that transparent.

I'm sure that in this situation and legal climate, the _only_ way they
could've _potentially_ avoided a lawsuit was to try and keep it quiet (to the
detriment of their user base.)

Sadly, doing the right thing just makes you a target.

~~~
rakkhi
Potentially. But see how Lastpass dealt with a potential breach [1]. Have not
heard of them being sued. I don't think "cover it up to avoid getting sued" is
the right message.

[1] <http://blog.lastpass.com/2011/05/lastpass-security-notification.html>

------
avree
This is a ridiculous response, and one which seems very ungrounded in the law.
Dropbox made a mistake—a big one. They pushed bad code to production that
allowed for unauthenticated account access.

But, they're still a startup. There's no SLA. They responded quickly, fixed
the bug as soon as they caught it, and have been thorough in investigating any
unauthorized access of accounts.

Why sue them? It's just going to disrupt a very good service. It's not going
to help them recover (I'm sure they've already learned heavily from the
mistake.)

~~~
random42
> This is a ridiculous response, and one which seems very ungrounded in the
> law.

What is the basis of such assertion? Let the courts decide that if the basis
is unfounded or not.

> But, they're still a startup.

This is no excuse, if you charge money for your services AND claim to be
military grade secure with respect to data. <https://www.dropbox.com/security>

> There's no SLA. They responded quickly, fixed the bug as soon as they caught
> it, and have been thorough in investigating any unauthorized access of
> accounts.

They took 4 hours to know entire dropbox was accessible to everyone, and tried
to sweep the incident under the rug by not emailing the issue to users.

> Why sue them? It's just going to disrupt a very good service. It's not going
> to help them recover (I'm sure they've already learned heavily from the
> mistake.)

Because they are not entitled to be on the good side of the user, with
unacceptably bad handling of the situation. They, like everyone else, are not
entitled to anything, other than what is contracted. You screw users, you get
screwed. It is as simple as that.

~~~
jvandenbroeck
Idd, being a startup is no excuse, how hard can it be to make a test case
which tests if their authentication works?

------
jcoder
Here's some attorney practice materials (a whitepaper) on California's
Unfair Competition Law: <http://www.stroock.com/SiteFiles/Pub168.pdf> (PDF).
In the first paragraph it is described, quoting a CA Supreme Court Justice, as
"a standardless, limitless, attorney fees machine" that, because of its "broad
and sweeping provisions," "will continue to be alleged in almost every
consumer protection action."

------
o1iver
The number of comments supporting Dropbox in this thread astonishes me. It seems
like people think that such "engineering" mistakes are acceptable in the
software/web industry. But let me ask you: What if a construction engineer
made a little mistake (humans err right?) when building that bridge? Maybe
nothing happens but believe me he will get sued and no one here would object.

Sure, in the latter example people could get killed, but a big security error
with Dropbox could also lead to serious personal damage (personal health
documents published, business confidentiality breached, etc, etc).

It seems like people don't understand that building a "structure" in the
software world should be the same as building a "structure" in the real world.
Would you not sue the safe company that produced a safe that just opened by
itself the day you were robbed (leading to theft of personal important
documents, money, jewelry). Would you not sue the producer of an over-heating
oven that leads to your house burning down?

Why do people assume that it is acceptable to make mistakes in the software
world, but not in the "physical" world? Maybe this points towards some kind of
basic problem with the software/web business model. Maybe all these
free/premium products are really too cheap (and can be so cheap because they
are inadequately produced). Maybe we need to accept that these ship-quickly
products are not really acceptable, that there really needs to be considerable
investment into such products (and thus increasing prices)...

Note: I do understand that nobody would accept a 50/50 % chance-of-breaking
bridge, but may very well accept a 50/50 % chance-of-being-breached "Dropbox".
But then don't advertise differently.

~~~
gruseom
You assume that the word "engineering" means the same thing in bridge building
vs. software development. It doesn't. These activities are no more alike than
software development is to, say, writing novels.

If you really want to compare software to bridges, imagine that humans had
written the same simple program millions of times over thousands of years.
We'd be pretty good at it by now. (Even that analogy, though, doesn't level
the playing field. The physical world is not programmable.)

 _Why do people assume that it is acceptable to make mistakes in the software
world, but not in the "physical" world?_

We know the answer to this. It is possible to make software that has very low
defect rates -- among other things, you have teams of programmers intensively
review every line of code -- but these practices have drastic consequences:
projects become massively more expensive, development slows to a crawl, and
innovation is greatly restricted. There are only a few fields where those
tradeoffs are worth it. Elsewhere, they aren't close to being economic. The
net benefit of software to society would be crippled if we built it this way.
Of course we never would, because any software company trying to would be out-
competed into oblivion.

As for Dropbox, when I see programmers jump all over other programmers for
making a mistake, even a big mistake (or series of mistakes compounded), I
think schadenfreude. People who engage in such gleeful condemnation are making
an implicit claim to their own perfection. I'd think twice about doing that.

~~~
o1iver
I do understand the difference between engineering in the "real world" and the
"software world". There is no doubt that the latter is immensely more complex
(see Fred Brooks).

Nonetheless, in cases where somebody may get hurt (physically, emotionally,
financially, etc) we have to make a greater effort. All I was saying is that
we have to either lower our expectations of how good affordable software can
be or accept much higher costs for it.

Dropbox love to advertise that they are an extremely safe solution to data
storage, thus leading people to believe that their data is safe. Unless every
line of code in the authentication module is reviewed and checked and tested,
that statement cannot be true. So there is a paradox there.

I guess I may have positioned Dropbox too extremely, but Dropbox breaking is
much worse than say a music application, some game or other non-critical
software. And with Dropbox I believe that development should be approached
more like NASA would do it than EA would. People can get hurt!

"As for Dropbox, when I see programmers jump all over other programmers for
making a mistake, even a big mistake (or series of mistakes compounded), I
think schadenfreude. People who engage in such gleeful condemnation are making
an implicit claim to their own perfection. I'd think twice about doing that."

Believe me that that was not my intention. I am without doubt not as good a
programmer as anybody at Dropbox!

------
Welc
IANAL but an advantage of this lawsuit is that Dropbox will be forced to
disclose in greater detail what happened, and we will be able to determine if
the "1% of accounts possibly compromised" really was that low (it probably
was, but given the seriousness of the bug, and their tendency to downplay
this, confirmation would be good). As it stands currently, users are forced to
rely on scant information released by Dropbox.

------
akl
I can't help but wonder if all of this might have gone away had they even just
_appeared_ to take this issue seriously. They didn't even bother to reply to
my request for access logs on my account, personally.

------
meow
I wonder if the developer who caused the bug got fired. As a developer, this
is one of the few nightmares I get at night :) (making a small change and
bringing everything down)

~~~
buro9
Every developer makes mistakes, to err is human.

With that understood, systems and processes should be designed to catch the
errors early and hopefully long before they reach live.

This is the insurance policy that TDD gives you, this is why you make all of
those unit tests, functional tests, etc.

I wouldn't sack a developer who did this, I'd look at my processes and ask why
they didn't catch this. After all, if 1 developer can push low quality code to
production, then they all can.

The problem isn't with the developer... as with everything in the cloud,
expect failure and design to handle it. Sometimes the failure is human, so
design to handle that too.

~~~
edoloughlin
_This is the insurance policy that TDD gives you, this is why you make all of
those unit tests, functional tests, etc._

TDD was discussed with Greg Wilson on a recent Stackexchange podcast
(<http://blog.stackoverflow.com/2011/06/se-podcast-09/>) and the (early)
evidence seems to be that TDD does not improve quality:

 _[...] while Test Driven Development is very popular right now, a survey of
all of the studies that have been done on TDD have shown that the better the
study done, the weaker the signal as to its benefit._

~~~
buro9
I understand.

However I didn't claim it improved quality, just that it's an insurance
policy.

What I mean by that, is that you pay up front in time, to help protect against
things going wrong in future... such as shipping code to production that
allows anyone to login to anyone else's account.

All unit tests are, are externalised asserts about what your code should and
shouldn't do.

There should certainly have been one that said, "User A should not be able to
login to User B's account.", or at the very least "Login should fail when the
password is not right.".

My point remains: You should expect people to make errors from time to time,
just like you expect servers to go down from time to time. Whilst you're busy
handling what happens when servers fail, you should also be busy thinking
about how to deal with human errors too... and that means detecting and
catching those errors early so that the impact that they have is minimal.
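
The negative-path login assertions described in the comment above, written out as an added example that is not part of the original thread. `CredentialStore`, `BrokenStore` and `failed_login_checks` are hypothetical names, the users and passwords are constructed, and `BrokenStore` is a stand-in regression, not Dropbox's actual code.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for the example


class CredentialStore:
    """Minimal in-memory password store (hypothetical, for this example only)."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def authenticate(self, name, password):
        record = self._users.get(name)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived key against the stored one.
        return hmac.compare_digest(self._derive(password, salt), expected)


class BrokenStore(CredentialStore):
    """Regression stand-in: the password comparison was lost in a refactor."""

    def authenticate(self, name, password):
        return name in self._users


def failed_login_checks(store):
    """Return the names of the login assertions that the store violates."""
    store.add_user("alice", "alice-secret")  # constructed accounts
    store.add_user("bob", "bob-secret")
    checks = {
        "correct password is accepted": store.authenticate("alice", "alice-secret"),
        "wrong password is rejected": not store.authenticate("alice", "guess"),
        "empty password is rejected": not store.authenticate("alice", ""),
        "user A's password does not open user B": not store.authenticate("bob", "alice-secret"),
        "unknown user is rejected": not store.authenticate("mallory", "alice-secret"),
    }
    return [name for name, passed in checks.items() if not passed]
```

Run in CI against the real authentication entry point, an empty result is the gate for deployment; the happy-path check alone still passes on `BrokenStore`, which is why the rejections have to be asserted explicitly.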

------
fedxc
You make a mistake >>> You got served!

The American justice system sucks.

~~~
pyre
Not true. Just look at Wall Street. How many of those firms were sued?

------
chrisjsmith
This is a valid response if you ask me.

There is a culture of half-arsedness with some businesses where they don't
respect users' security and privacy requirements. This is partially down to
plain old incompetence but in my experience it's usually down to the fact that
if doing something properly and testing it properly doesn't add business
value, then it's not done. At the risk of pissing people off here; that
culture is prevalent amongst startups.

They screwed up, they're getting sued. They should have tested it properly.

If this was a public organisation that left everyone's files in an open skip
overnight they'd get sued too.

------
suking
I'm no lawyer, but wouldn't Ms. Wong have to prove actual damages occurred as
a result?

------
PartyDawg
More startups need to be sued for their failures. Maybe then there will be
less ridiculous startups for services that are not secure.

