
This article does not prove the "steals everything" claim. Very shallow work for an "Information Security Specialist".

He has shown - and others here in the comments have verified (https://news.ycombinator.com/item?id=9136740) - the file access. It's not a "read contents" though, but only reading metadata.

He has shown there is network activity.

He has NOT shown what exactly that network activity consists of. Without that, the "steals everything" claim is just jumping to conclusions.

As others here have mentioned, set up a proxy and look at the actual data being transferred. Replace the certificate in the client if you have to, to get around cert pinning. The most important part is to get the data. This should be pretty easy to do for someone who claims to have those qualifications.

Shallow work indeed. This reminds me of the Samsung keylogger story a few years ago where a "security professional" ran one AV software, which falsely identified the presence of a single folder's path as a keylogger, and then based on this one data point and blind faith in his AV, claimed there was a keylogger preinstalled on some Samsung laptops. This made the news and was spread widely... yet he had not even taken the most basic step of looking at the contents of that folder, which would've instantly disproved the theory.

This is an example of the right way to investigate and substantiate your claims:

http://doctorbeet.blogspot.ca/2013/11/lg-smart-tvs-logging-u...

Sadly, we'll probably see a round of "Dropbox steals your data!" going through the media before someone steps up with the truth. I personally don't use Dropbox and don't have the time to verify these claims --- but the onus should be on the one making them in the first place.

"Extraordinary claims require extraordinary evidence."



