Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend

from the hacktastic dept

Dropbox's security has been under increased scrutiny lately, after some security researchers claimed that some of its security practices were questionable. So, it was probably the worst time possible for the company to have a "programmer's error," leaving all Dropbox accounts completely wide open to anyone for four hours on Sunday. Apparently, during that period of time, you could log into anyone's account with any password. Just type in a random string of gibberish and you're in. Not surprisingly, the company is apologizing and investigating how this happened. At the very least, it seems like a good reason to explore alternatives if you're doing remote storage.

Of course, this also raises interesting points concerning the big question of "cloud" security. Many people have suggested that relying on some third party -- such as Dropbox -- is inherently insecure. However, that assumes that an individual who goes a different route would be able to create a more secure system on their own. I'm sure that's true for some people, but it might not be the case for the everyday user. In the long run, you would hope that these remote service providers can implement stronger security, so that individuals don't have to. But, in the short run, I wouldn't be surprised to see more such stories of less-than-optimal security being exposed at these kinds of service providers.


Reader Comments

  1.  
    twistedmentat, Jun 21st, 2011 @ 4:01am

    How about TrueCrypt

    One thing you can do is put an encrypted volume up as a file and then wherever you go use something like TrueCrypt to access it. Thus if someone gets access to the cloud storage they can't easily get access to the data.

    In the long term what these companies need to do is tie the password into some decent encryption so you cannot access the data without having the password. Like how LastPass does things.

     

  2.  
    Anonymous Coward, Jun 21st, 2011 @ 4:25am

    "I'm sure that's true for some people, but it might not be the case for the everyday user."

    People should wake up to the information age and stop letting third parties bottle feed them their crap. Take matters into your own hands!

    Running a file server is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run "python -m SimpleHTTPServer" if I'm feeling stupid), but I'm sure there are more robust and user-friendly ways of doing it (apache?).

     

  3.  
    Richard, Jun 21st, 2011 @ 4:39am

    Re:

    "I'm sure that's true for some people, but it might not be the case for the everyday user."

    "People should wake up to the information age and stop letting third parties bottle feed them their crap. Take matters into your own hands!"


    Neither of these is true. The reality is that even experts make mistakes. A large provider (constantly under attack) can have better security than anything you can dream up yourself - even if you are a security expert. If you are a security expert you will know this already.

    The proper thing to do with your expertise is to use it to choose a provider. Providers should be open about the mechanisms they use. If they aren't then don't use them.

     

  4.  
    abc gum, Jun 21st, 2011 @ 4:49am

    Re: Re:

    "The proper thing to do with your expertise is to use it to choose a provider."

    lol-wut? ... What are they providing and for whom.

    If all one needs is a backup of their data, a couple of USB hard drives are much less expensive and apparently much more secure. In case of fire, keep one off site. The average person does not create the quantities of data which would make an online storage mechanism feasible.

     

  5.  
    milrtime83, Jun 21st, 2011 @ 4:52am

    Sounds like they need a Gmail-type feature that shows what IPs accessed your account and when, so people can tell if they were affected.

     

  6.  
    Chronno S. Trigger, Jun 21st, 2011 @ 4:54am

    Re: How about TrueCrypt

    What TwistedMentat said. I never fully trusted Dropbox. It's stored on their servers so what would stop them from looking into it. I encrypt everything that I put in there that I don't want them to see.

    What Twisted said about the password thing is how I was going to do my bittorrent idea, if only I could convince a programmer to write it. Sounds like there would be one hell of a market for it.

     

  7.  
    Bengie, Jun 21st, 2011 @ 5:04am

    Re:

    Your house gets hit by a tornado and the rain floods your basement, everything is lost. What's your data contingency plan?

    Your 10TB raid got corrupted. What's your plan to restore?

    Basic stuff any server admin handles.

    You're at a friend's house and want to download some stuff. Your friend has a 20mb pipe and your home connection has only 2mb upload. How do you get your data to him at full speed?

    I'm not sure 98% of the users are ready for these questions.

     

  8.  
    JackSombra, Jun 21st, 2011 @ 5:09am

    "Running a file server is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run "python -m SimpleHTTPServer" if I'm feeling stupid), but I'm sure there are more robust and user-friendly ways of doing it (apache?)."

    So could I, but would it be as secure as something from a multi-million/billion dollar company whose main business is providing those services? Not even close.

    And that's before costs come into play: power, connection, time spent keeping it patched, and so forth. In the majority of cases, for individuals/small business a cloud provider will be cheaper and more secure once all factors are taken into consideration due to the economies of scale, thus making it the right choice for them.

    Now for medium or large business/enterprise... that's a whole different kettle of fish, and companies of that size considering the move to an external cloud provider need to have their IT management heads examined.

     

  9.  
    Anonymous Coward, Jun 21st, 2011 @ 5:16am

    Re: Re:

    This is specious nonsense, of course: my security measures are far better than any provider on the planet. That's (a) because I'm a security uber-expert and (b) because I'm a paranoid, picky bastard who doesn't cut corners to save a few bucks.

     

  10.  
    Anonymous Coward, Jun 21st, 2011 @ 5:21am

    Re:

    OK, so you think people who barely know how to navigate around a Windows GUI are going to be able to set up a file server using Python or Apache?!!!!!! You ARE an idiot.

     

  11.  
    Dallas IT Guy, Jun 21st, 2011 @ 5:23am

    Not excusable. Period.

    This isn't the kind of error that occurs because one programmer made a mistake. It's what happens when the programmer makes a mistake, the QA department makes a mistake, and the deployment isn't validated or the migration process isn't properly managed. And that many mistakes are the fault of management for not knowing the right things to do and ensuring that they're done.

    For a company that must have consumer confidence to succeed, this is inexcusable, and it's the CEO's fault.

     

  12.  
    Marcel de Jong, Jun 21st, 2011 @ 5:26am

    Alternatives to Dropbox

     

  13.  
    abc gum, Jun 21st, 2011 @ 5:28am

    Re: Re:

    "I'm not sure 98% of the users are ready for these questions."

    1) I'm sure 98% of the users do not have 10T of data.
    2) What would one need to d/l "at their friend's house"?
    3) I'm sure you are full of shit

     

  14.  
    Gus Jenkins, Jun 21st, 2011 @ 5:34am

    Re:

    Good luck with deciding whether getting your family out safely or grabbing your home made file server is more important if your house ever catches on fire. At least with a commercial "cloud" solution, my data can be safe and I can help get my family out of the house.

     

  15.  
    Boomhouser, Jun 21st, 2011 @ 5:46am

    The cloud is not ready for prime time

    http://www.engadget.com/2011/06/20/segas-online-pass-hacked-1-3-million-user-passwords-stolen/
    http://www.dailymail.co.uk/sciencetech/article-1380050/Sony-admits-Weve-hacked-PlayStation-Network-outage.html
    http://www.techjournalsouth.com/2011/06/digiday-citigroup-credit-card-info-hacked-social-marketing-rivals-email-benefits/
    http://www.securityfocus.com/news/10271
    http://www.webguild.org/20090510/160000-social-security-numbers-hacked-from-uc-berkeley
    http://www.teamshatter.com/topics/database-security/maines-kennebec-savings-hacked-no-funds-card-data-or-social-security-numbers-compromised/
    http://online-identity-theft.net/online-identity-theft/60000-university-of-wisconsin-madison-social-security-numbers-hacked
    http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html
    http://www.msnbc.msn.com/id/40841273/ns/technology_and_science-security/t/honda-online-database-hacked/
    http://datalossdb.org/incidents/3196-hacked-server-exposes-106-884-names-social-security-numbers-and-dates-of-birth
    http://abcnews.go.com/Politics/story?id=2601085&page=1
    http://www.dispatch.com/live/content/local_news/stories/2010/12/16/server-hacked-at-osu-760000-affected.html
    http://consumerist.com/2007/09/td-ameritrade-hacked-customer-data-compromised.html
    http://www.theinquirer.net/inquirer/news/1050908/faa-hacked
    http://gadgetwise.blogs.nytimes.com/2010/12/13/gawker-passwords-hacked-what-you-should-do/
    http://www.pcmag.com/article2/0,2817,2376049,00.asp
    http://www.dailymail.co.uk/news/article-1218272/Microsoft-Hotmail-accounts-hacked-posted-online.html
    http://securitycertificate.net/2011/06/google-gmail-account-passwords-hacked-from-china-hackers/
    http://www.freakgeeks.com/2011/2768/ios-devices-passwords-hacked-in-6-minutes/
    http://www.msnbc.msn.com/id/41059570/ns/technology_and_science-security/t/pentagons-credit-union-hacked/
    http://mashable.com/2011/01/22/lushs-uk-website-hacked-credit-card-numbers-used/

     

  16.  
    Mike P, Jun 21st, 2011 @ 6:09am

    Re: Re:

    I think Richard hit the issue on the head when he said that these large providers are often constantly under attack. No matter who you are, you are eventually going to make a mistake. When you have such a large user-base out there, not only are more and more people going to try to break in (because if they do they've hit gold), but with so many users it's more likely someone will NOTICE the issue. If my home Web server has a bug that lets you authenticate with any password, it may take months before you even notice it yourself. When it's a service that has many thousands of users, someone will notice quite quickly and someone will take advantage of it.

     

  17.  
    halley, Jun 21st, 2011 @ 6:38am

    Re: How about TrueCrypt

    One problem with tying password to encryption is that every password change requires decryption and re-encryption under the new key. You can make it indirect: password used to encrypt an "inner key," and the inner key used to encrypt the data. The inner key is small and can be decrypted/re-encrypted easily, while the inner key itself doesn't change value so often.

     

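
The indirection halley describes above, which is also one way to get the password-tied encryption twistedmentat asks for in the first comment, as an added Node.js example that is not part of the thread or any provider's code. The function names, the scrypt key derivation and AES-256-GCM are assumptions chosen for the illustration; the sample contents are constructed.

```javascript
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// Key-encryption key (KEK) derived from the password (scrypt, Node's default cost).
const deriveKek = (password, salt) => scryptSync(password, salt, 32);

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function open(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Done once: a random inner key encrypts the data; the password only wraps that key.
function createVault(password, plaintext) {
  const innerKey = randomBytes(32);
  const salt = randomBytes(16);
  return {
    salt,
    wrappedKey: seal(deriveKek(password, salt), innerKey),
    data: seal(innerKey, Buffer.from(plaintext)),
  };
}

function readVault(password, vault) {
  const innerKey = open(deriveKek(password, vault.salt), vault.wrappedKey);
  return open(innerKey, vault.data).toString();
}

// Password change: unwrap and re-wrap 32 bytes; the data ciphertext is reused as-is.
function changePassword(oldPassword, newPassword, vault) {
  const innerKey = open(deriveKek(oldPassword, vault.salt), vault.wrappedKey);
  const salt = randomBytes(16);
  const wrappedKey = seal(deriveKek(newPassword, salt), innerKey);
  return { salt, wrappedKey, data: vault.data };
}

// Constructed sample run.
const before = createVault('old password', 'constructed sample file contents');
const after = changePassword('old password', 'new password', before);
console.log(readVault('new password', after));
console.log('data ciphertext unchanged:', after.data.equals(before.data));
```

Changing the password this way does not rotate the inner key, so an old copy of the wrapped key can still be opened with the old password; rotating the inner key is the case where the data itself has to be re-encrypted.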

  18.  
    sheenyglass, Jun 21st, 2011 @ 6:48am

    Re:

    I don't think dropbox is that big - my understanding is that they use Amazon S3 for their cloud capabilities, so the majority of what they do seems to be designing the interface and syncing features. If that's the case, just getting an S3 account puts you fairly close to dropbox functionality.

     

  19.  
    Robert Doyle, Jun 21st, 2011 @ 6:56am

    Re:

    "People should wake up to the information age and stop letting third parties bottle feed them their crap. Take matters into your own hands!"

    Yeah! I bet you do your own dental work too! Anyone who goes to a third party for anything is a fool!!! Don't buy food at the grocery store! Grow it yourself! And don't use a computer someone else designed! Make your own you twit! It's easy! Any engineer could do it! But wait! Don't take classes! That's just using someone else's knowledge! Teach yourself you fool!

     

  20.  
    aldestrawk, Jun 21st, 2011 @ 7:16am

    Re: How about TrueCrypt

    Whoa, wait a minute! If you encrypt all your files separately before uploading them, then Dropbox cannot do de-duplication of files on their servers. That would mean they would not only have to charge more to survive but they might as well change their system to have encryption/decryption happen on the client's computer without them knowing the key.

     

  21.  
    aldestrawk, Jun 21st, 2011 @ 7:29am

    Re: Not excusable. Period.

    Isn't QA what those old slow software companies used? Modern, web 2.0 companies can't be tied down by that crap. Take a cue from Facebook's motto, "Move fast, break stuff".

     

  22.  
    Jim, Jun 21st, 2011 @ 7:57am

    Re: How about TrueCrypt

    thank you sir! i love dropbox and i've been using it for years to sync an aes 256 disk image that my macs can then mount natively. i store all my most important files there. it's not hard at all to do, and what dropbox needs to do is put instructions on their website about how to use these encrypted file storage mechanisms for any person that is using the internet illegally without a license.

     

  23.  
    Richard, Jun 21st, 2011 @ 8:57am

    Re: Re: Re:

    "When it's a service that has many thousands of users, someone will notice quite quickly and someone will take advantage of it"

    Yes - but the odds against your data (out of all the millions) being attacked before the problem is fixed are very low.

     

  24.  
    Richard, Jun 21st, 2011 @ 9:06am

    Re: Re: Re:

    Do hardware experts manufacture their own processors in a backroom?

    Do automobile experts drive around in cars they knocked up in their own garages?

    Do aircraft designers fly around on homebuilt aeroplanes?

    Actually the answer to all these questions is yes - for the fun of doing it - but a definite NO for practical applications. It's the same with security.

     

  25.  
    Anonymous Coward, Jun 21st, 2011 @ 9:17am

    Re: Re: Re: Re:

    No, it's not.

    I can do a vastly superior job with security measures than any of these companies, primarily because I have vastly more experience and knowledge than they do -- and because, unlike them, I have no motivation to cut corners for profit. Dropbox doesn't give a DAMN about security and privacy, other than as bullet points for their marketing department: they care about profit, profit, profit. If they can make twice as much money by accepting half as much security, they will do it without a second thought AND they will lie about it.

    In this respect, they're no different from any other corporation: it's all about the bottom line.

    I have no such issues. When I'm setting up security for my own systems, I can spend time and money as I deem fit...and that's exactly what I do. Moreover, in operating that setup (once designed and implemented) I can be as careful as I think necessary -- which is "very". So I don't have to worry about some inferior person plugging in a Windows box, or some junior employee bypassing a step, or any of that: these problems simply do not exist for me, which means *I don't have to solve them*.

    "Cloud security" is an oxymoron.

     

  26.  
    Anonymous Coward, Jun 21st, 2011 @ 10:58am

    Re: Re:

    Of course, any minimally competent person designing and building such a setup will have off-site backups. You are making a strawman argument by presuming that the implementor is an idiot and then criticizing him/her for being so.

    For example, I have three independent sets of off-site backups: all encrypted and none in the cloud. It's quite easy to maintain them and keep them refreshed so that they're kept up-to-date (within a week) of the live systems. They're all in different locations, and any disaster that would take out all of them would also very likely take out me as well, so I do not need to worry about their survivability beyond such an event.

    Now, I'm sure this is well beyond the capabilities of the point-and-drool crowd, but we have no evidence to date which demonstrates (for example) that Dropbox isn't part of that crowd.

     

  27.  
    w0qj, Jun 21st, 2011 @ 11:29am

    Best alternative: SugarSync

    Good article - here is another cloud storage solution that is fully encrypted:
    With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
    It gives you the ability to upload and sync any folder on your computer.
    It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
    You can also stream MP3 music files to your smartphone or computer.

    Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!

    https://www.sugarsync.com/referral?rf=tbtp0asbw9pt

    Hope it helps someone.

     

  28.  
    Anonymous Coward, Jun 21st, 2011 @ 4:18pm

    Re: Re:

    Experts that make mistakes such as these are not experts. You need to review your definition of expert. Where I work, something like this means automatic boot to the head. Don't expect your key card to work in the morning. And don't expect references, you're toast.

    "I'm sure that's true for some people, but it might not be the case for the everyday user."

    I'm pretty sure no single-end user would be stupid enough to pull something like this on their home system, even accidentally.

     

  29.  
    Anonymous Coward, Jun 21st, 2011 @ 4:21pm

    Re: Re:

    Datacenter gets hit by a tornado. Total loss. What's your contingency plan? I hope you have accounts on a few "clouds" and sync them daily.

    The whole idea of "cloud" is flawed. It's just there to seduce you out of your money. Plus, I have over 40TB of data at home, no way in hell my ISP would let me transfer this anywhere without major fees. And imagine the data plans I would need to get on the "cloud". And then the "cloud" has tons of security issues and everyone has access to my data? No thanks. I'll keep my data in my house, where there's been no tornado, floods, or natural disasters for over 50 years.

     

  30.  
    Parkway Cozy, Jun 21st, 2011 @ 6:33pm

    I'm sure it's all been said, but,

    "The Cloud" offers virtually no benefit to the individual user. It offers MANY benefits to the companies that want you to use it. Otherwise, why would they push you to use it so much?

    ANY ANY ANY cloud service you intend to use, pre-encrypt anything you put there. Expect NSA (and, hopefully, Cryptome) to get it anyway. And don't expect it to be there when you need it.

    "The Cloud" is as ephemeral and fickle as, well, a real cloud. Sometimes, they look like choo choos.

     

  31.  
    Anonymous Coward, Jun 21st, 2011 @ 8:39pm

    Re: Re: Re:

    Dropbox have proved, twice, that they cannot handle your files securely. It should be evident enough to anyone reading the news, or able to google.

    That being said, there might be safe and good alternatives out there. It doesn't remove the security issues from the process though. In the past few months, "clouds" have been in the news numerous times because they failed to do what they were supposed to; not only Amazon.

    This is yet another wake up call for people who are security conscious. And since most of them are US-based, and the US has (and is trying to add more) draconian laws about data, then it's an obvious answer. Don't even think about touching it with a 1000 foot pole.

     

  32.  
    Anonymous Coward, Jun 22nd, 2011 @ 6:21am

    All they need to do is add a multi-factor authentication method. Gmail has that and it's great. Dropbox is still awesome. Still safer than on my local PC, this their files are encrypted.

     
