What I can't seem to wrap my head around is why, if someone actually breached DB security, what they'd do with it is send spam. So, to me, that suggests that whatever breach might have occurred must have been minimal or via a non-critical system (i.e. someone had an unencrypted copy of some set of users' email addresses, possibly for marketing purposes, and their machine was compromised, etc.).
Otherwise, it just doesn't make sense that spam is the first sign we'd see of problems.
So, my fellow HN readers, what's the explanation for this?
Suppose the spam is specifically to get people to reason as you have done, with the hope that it will cause a more serious leak to be overlooked?
Often, one of the best ways to hide that you've done something really bad is to let it slip that you've done something less bad, so investigators and other nosy people think they have solved the case.
This is also why, if you are using some scheme where you have an encrypted volume that is really two volumes, where one password reveals the volume that will get you sent to jail or executed, and one is the volume that is the decoy you give up after they think they have forced the password from you, you really should have something genuinely bad on the decoy. For instance have some porn that is legal but very taboo in your society, so that it makes sense for you to have protected it with strong encryption.
Or the opposite is true. Maybe the breach was major and the "hackers" aren't in it for fame and glory. But cash. Number one rule of a "professional hacker": don't leave footprints. That means you sell off the data you copied. Piece by piece. Email addresses are the easiest to sell.
Time will tell though.
What's troubling to me is Dropbox calling in outside auditors (experts). Means they really have no idea what is happening. If it is a hack, it's a damn good one.
If Dropbox say there is no issue and there was no (serious) hack then it is far more credible having outside auditors substantiating the claim. I'd be more troubled if they didn't call in outside experts since Dropbox's existing people and processes are what allowed whatever attack it was to happen in the first place.
> What's troubling to me is Dropbox calling in outside auditors (experts). Means they really have no idea what is happening. If it is a hack, it's a damn good one.
Not necessarily.
It's just that you might actually be blind to the problem if it's your code, so it's better to have a separate set of eyes looking at things.
Also, there might be problems in the code where you never imagined them, let alone in the server setup, which most probably is a complex beast in its own right...
A music website that competed with the one I worked for (and with whom we were quite chummy, hence me having some inside information) had their entire database cloned by a rogue dev who then sold it on the black market. The first sign for users that anything had gone wrong was an influx of spam to their addresses, even though the database had far more nefarious potential uses.
If this was a professional compromise for commercial purposes there would be no other signs than simple spam. Possible that the email addresses have been sold to one group, the passwords to another, etc. etc.
A lot of the Wordpress 0day came from guys who wanted nothing more than links back to a website. Don't underestimate what parts of the target are valuable to others, just because they aren't publicly dumping databases (the LinkedIn database was passed around underground for a while before going public).
My biggest concern is that we are near 48 hours now and Dropbox are not able to rule out a compromise. If they had systems in place and any confidence in them they should be able to do that, not something that takes days.
On the iPhone it works by opening Mail.app, and there you can select the outgoing email address (I've got 4 configured). I happened to choose the one which has my real name, so that it would be recognized by the people I've sent the invite to.
(Probably forgot to mention that I've used the Dropbox app on the iPhone to send out the invites.)
Speaking of encfs, has anyone else had problems using encfs under OSX Lion? OSX would occasionally freeze on me, and when I eventually uninstalled encfs, the problem went away. It might be a coincidence though.