
Keeping your stuff safe, simply - johns
https://blog.dropbox.com/2014/09/keeping-your-stuff-safe-simply/
======
diafygi
Here are two projects that Dropbox should tackle for security:

1. Open source their client app.

2. Client-side encrypt their users' data.

~~~
jl6
Is there anything stopping you writing your own client that uses the Dropbox
API?

~~~
diafygi
Heh, I do:
[https://github.com/diafygi/byoFS](https://github.com/diafygi/byoFS)

------
ef4
I left Dropbox when I decided I just can't trust my long-term important data
to closed source software. Since then I've been on a little odyssey exploring
the open source contenders.

I ran owncloud briefly. File syncing performance was terrible. You really
don't want to write your file synchronization service as an afterthought
inside a PHP application.

I ran seafile for a while, but I don't like their security story. The authors
have said some things that show they are a little out of their depth when it
comes to crypto. Also, last I checked they had no good story for running
multiple servers in parallel, and the data on the server is not accessible as
regular files. Also, written in C, and there are very few people I trust to
write C without nuking my security.

I ran git-annex. Joey Hess is doing a good job with that project, but I think
the symlink-oriented architecture is just not good enough. "Direct mode" is
supposed to avoid symlinks, but direct mode seems much less stable, and it
still exposes symlinks when you have data that's only partially synced. Too
many apps do bad things when you give them symlinks. Also, I like Haskell the
language, but Haskell the toolchain sucks hard, and I gave up trying to build
git-annex from source to play with it.

Now I'm running syncthing and I have to say I've been pleasantly surprised. I
had passed on them earlier due to reports of performance problems, but since
the 0.9 release performance is much improved. The global discovery is
particularly nice. I have two servers and two laptops all synchronizing with
each other. One server is publicly reachable, the other is inside a LAN only
accessible when I'm inside. It does the right thing whether I'm home inside
the LAN, where I get fast sync with the local server. It does the right thing
when I'm away, synchronizing with the publicly addressable server, which then
transitively synchronizes with the LAN server.

It's written in Go, so I'm less worried about buffer overrun shenanigans. It
uses the stock Go SSL stack, so no worrying about weird hand-rolled transport
and authentication protocols. And authentication is clear and simple: every
client has a cert, the client's name is the cert's fingerprint. No certificate
authorities.

Syncthing has some versioning support, but I decided to use bup instead for
belt-and-suspenders. So all my synced files are also snapshotted by bup every
ten minutes on both servers.
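
The authentication model described in the comment above (every device has a certificate, a device is named by that certificate's fingerprint, no certificate authority) can be expressed with Go's standard TLS stack as follows. This is an added example, not part of the comment and not Syncthing's code; `DeviceID`, `NewIdentity` and `PinnedConfig` are hypothetical names, and the hex SHA-256 form of the ID is an assumption rather than Syncthing's own encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// DeviceID names a peer by the SHA-256 of its DER certificate (hex form is an assumption).
func DeviceID(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// NewIdentity creates a throwaway self-signed certificate (constructed sample identity).
func NewIdentity() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}

// PinnedConfig trusts exactly the peers whose IDs are in trusted; no CA is consulted.
func PinnedConfig(self tls.Certificate, trusted map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{self},
		ClientAuth:         tls.RequireAnyClientCert, // as server: demand a cert from any issuer
		InsecureSkipVerify: true,                     // as client: skip CA checks, the pin decides
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || !trusted[DeviceID(raw[0])] {
				return fmt.Errorf("peer certificate fingerprint is not pinned")
			}
			return nil
		},
	}
}

func main() {
	if id, err := NewIdentity(); err == nil {
		fmt.Println("device ID:", DeviceID(id.Certificate[0]))
	}
}
```

The same `PinnedConfig` is used on both ends of a connection, so each side checks the other's fingerprint. Go does not call `VerifyPeerCertificate` on resumed sessions; `VerifyConnection` is the hook that runs on every connection.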

------
nvk
I will only come back to Dropbox when I can have client-side encryption.

~~~
dangerlibrary
You can!

[https://help.ubuntu.com/community/EncryptedHome](https://help.ubuntu.com/community/EncryptedHome)

~~~
diafygi
I'm confused, can't Dropbox still read your files?

~~~
kalmi10
One could (in theory) use Dropbox to store the encrypted ~/.Private directory.
For example by making it a symlink pointing into the Dropbox directory. And it
could be auto-mounted using the Encrypted Private feature at ~/Private. It
would probably work very well as ecryptfs only does file-by-file encryption,
and thus Dropbox can efficiently track changes.

------
mark_l_watson
I almost stopped using Dropbox when they hired C. Rice on the board of
directors. I blogged over a few week period about finding alternatives.

After the bump to 1 terabyte of storage I decided to keep using them, with a
few procedures: anything sensitive gets encrypted and the encrypted files get
copied to appropriate Dropbox sub folders. This includes a ton of stuff: any
customer work materials, backups of non open source software projects,
records, etc. Then there is a ton of stuff that I don't consider sensitive, so
unencrypted is fine: purchased movies, music ever and books; all the
photographs I take, archival of research material found on the web, etc.

BTW, Dropbox saves a ton of money by deduplicating files, so encrypting stuff
on the client side costs them extra money.

~~~
qq66
I'm not sure how much they save with deduplication. Dropbox is very expensive
per GB, so people don't back up system files etc., and they preemptively block
sharing of copyrighted files. What deduplication can they do on a large scale?
I don't think I have even one file in my Dropbox account that can be
deduplicated.

~~~
nieve
You can have copyrighted files uploaded, I believe you can even share them
with another account. What you can't do is get a public download link for a
copyrighted file. I guess the latter cuts some of the motivation, but plenty
of people are still going to be putting those files into the dropboxes.

------
probably_wrong
This gives me a funny feeling.

For any other company, I'd say that's good news. However, given their
latest change to the Board of Directors, I cannot help but think "I bet this
has a backdoor somewhere".

I guess that says more about me than about them, though.

~~~
flyt
What are your objections to Bob Mylod?

~~~
jamessb
I think probably_wrong is more likely to object to the appointment of Condoleezza
Rice, despite this no longer being the latest change:
[http://www.drop-dropbox.com/](http://www.drop-dropbox.com/)

------
aw3c2
I can recommend Seafile as self-hosted FOSS file/dir sync tool. Been using it
for a year now and I am really happy[1].

[1] Except for the ridiculous decision of not syncing any files with names
that are not Windows-compatible anywhere.

------
abrkn
BoxCryptor provides client-side encryption on top of Dropbox and Box.

