Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend
from the hacktastic dept
Dropbox’s security has been under increased scrutiny lately, after some security researchers claimed that some of its security practices were questionable. So, it was probably the worst time possible for the company to have a “programmer’s error,” leaving all Dropbox accounts completely wide open to anyone for four hours on Sunday. Apparently, during that period of time, you could log into anyone’s account with any password. Just type in a random string of gibberish and you’re in. Not surprisingly, the company is apologizing and investigating how this happened. At the very least, it seems like a good reason to explore alternatives if you’re doing remote storage.
Of course, this also raises interesting points concerning the big question of “cloud” security. Many people have suggested that relying on some third party — such as Dropbox — is inherently insecure. However, that assumes that an individual who goes a different route would be able to create a more secure system on their own. I’m sure that’s true for some people, but it might not be the case for the everyday user. In the long run, you would hope that these remote service providers can implement stronger security, so that individuals don’t have to. But, in the short run, I wouldn’t be surprised to see more such stories of less-than-optimal security being exposed at these kinds of service providers.
Filed Under: cloud, passwords, privacy, security
Companies: dropbox
Comments on “Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend”
How about TrueCrypt
One thing you can do is put an encrypted volume up as a file and then wherever you go use something like TrueCrypt to access it. Thus if someone gets access to the cloud storage they can’t get easily access to the data.
In the long term what these companies need to do is tie the password into some decent encryption so you cannot access the data without having the password. Like how LastPass does things.
Re: How about TrueCrypt
What TwistedMentat said. I never fully trusted Dropbox. It’s stored on their servers so what would stop them from looking into it. I encrypt everything that I put in there that I don’t want them to see.
What Twisted said about the password thing is how I was going to do my bittorrent idea, if only I could convince a programer to write it. Sounds like there would be one hell of a market for it.
Re: How about TrueCrypt
One problem with tying password to encryption is that every password change requires decryption and re-encryption under the new key. You can make it indirect: password used to encrypt an “inner key,” and the inner key used to encrypt the data. The inner key is small and can be decrypted/re-encrypted easily, while the inner key itself doesn’t change value so often.
Re: How about TrueCrypt
Whoa, wait a minute! If you encrypt all your files separately before uploading them, then Dropbox cannot do de-duplication of files on their servers. That would mean they would not only have to charge more to survive but they might as well change their system to have encryption/decryption happen on the clients computer without them knowing the key.
Re: How about TrueCrypt
thank you sir! i love dropbox and i’ve been using it for years to sync an aes 256 disk image that my macs can then mount natively. i store all my most important files there. it’s not hard at all to do, and what dropbox needs to do is put instructions on their website about how to use these encrypted file storage mechanisms for any person that is using the internet illegally without a license.
“I’m sure that’s true for some people, but it might not be the case for the everyday user.”
People should wake up to the information age and stop letting third parties to bottle feed them their crap. Take matters into your own hands!
Running a file sever is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run “python -m SimpleHTTPServer” if I’m feeling stupid), but I’m sure there are more robust and user-friendly ways of doing it (apache?).
Re: Re:
“I’m sure that’s true for some people, but it might not be the case for the everyday user.”
People should wake up to the information age and stop letting third parties to bottle feed them their crap. Take matters into your own hands!
Neither of these is true. The reality is that even experts make mistakes. A large provider (constantly under attack) can have better security than anything you can dream up yourself – even if you are a security expert. If you are a security expert you will know this already.
The proper thing to do with your expertise is to use it to choose a provider. Providers should be open about the mechanisms they use. If they aren’t then don’t use them.
Re: Re: Re:
“The proper thing to do with your expertise is to use it to choose a provider.”
lol-wut? … What are they providing and for whom.
If all one needs is a backup of their data, a couple of usb hard drives are much less expensive and apparently much more secure. In case of fire, keep one off site. The average person does not create the quantities of data which would make an online storage mechanism feasible.
Re: Re: Re:
This is specious nonsense, of course: my security measures are far better than any provider on the planet. That’s (a) because I’m a security uber-expert and (b) because I’m a paranoid, picky bastard who doesn’t cut corners to save a few bucks.
Re: Re: Re: Re:
Do hardware experts manufacture their own processors in a backroom?
Do automobile experts drive around in cars they knocked up in their own garages?
Do aircraft designers fly around on homebuilt aeroplanes?
Actually the answer to all these questions is yes – for the fun of doing it – but a definite NO for practical applications. It’s the same with security.
Re: Re: Re:2 Re:
No, it’s not.
I can do a vastly superior job with security measures than any of these companies, primarily because I have vastly more experience and knowledge than they do — and because, unlike them, I have no motivation to cut corners for profit. Dropbox doesn’t give a DAMN about security and privacy, other than as bullet points for their marketing department: they care about profit, profit, profit. If they can make twice as much money by accepting half as much security, they will do it without a second thought AND they will lie about it.
In this respect, they’re no different from any other corporation: it’s all about the bottom line.
I have no such issues. When I’m setting up security for my own systems, I can spend time and money as I deem fit…and that’s exactly what I do. Moreover, in operating that setup (once designed and implemented) I can be as careful as I think necessary — which is “very”. So I don’t have to worry about some inferior person plugging in a Windows box, or some junior employee bypassing a step, or any of that: these problems simply do not exist for me, which means *I don’t have to solve them*.
“Cloud security” is an oxymoron.
Re: Re: Re:
I think Richard hit the issue on the head when he said that these large providers are often constantly under attack. No matter who you are, you are eventually going to make a mistake. When you have such a large user-base out there, not only are more and more people going to try to break in (because if they do they’ve hit gold), but with so many users it’s more likely someone will NOTICE the issue. If my home Web server has a bug that lets you authenticate with any password, it may take months before you even notice it yourself. When it’s a service that has many thousands of users, someone will notice quite quickly and someone will take advantage of it.
Re: Re: Re: Re:
hen it’s a service that has many thousands of users, someone will notice quite quickly and someone will take advantage of it
Yes – but the odds against your data (out of all the millions) being attacked before the problem is fixed are very low.
Re: Re: Re:
Experts that make mistakes such as these are not experts. You need to review your definition of expert. Where I work, something like this means automatic boot to the head. Don’t expect your key card to work in the morning. And don’t expect references, you’re toast.
I’m sure that’s true for some people, but it might not be the case for the everyday user.
I’m pretty sure no single-end user would be stupid enough to pull something like this on their home system, even accidentally.
Re: Re:
Your house gets hit by a tornado and the rain floods your basement, everything is lost. What’s your data contingency plan?
Your 10TB raid got corrupted. What’s your plan to restore?
Basic stuff any server admin handles.
You’re at a friend’s house and want to download some stuff. Your friend has a 20mb pipe and your home connection has only 2mb upload. How do you get your data to him at full speed?
I’m not sure 98% of the users are ready for these questions.
Re: Re: Re:
“I’m not sure 98% of the users are ready for these questions.”
1) I’m sure 98% of the users do not have 10T of data.
2) What would one need to d/l “at their friends house”?
3) I’m sure you are full of shit
Re: Re: Re:
Datacenter gets hit by a tornado. Total loss. What’s your contingency plan? I hope you have accounts on a few “clouds” and sync them daily.
The whole idea of “cloud” is flawed. It’s just there to seduce you out of your money. Plus, I have over 40TB of data at home, no way in hell my ISP would let me transfer this anywhere without major fees. And imagine that data plans I would need to get on the “cloud”. And then the “cloud” has tons of security issues and everyone has access to my data? No thanks. I’ll keep my data in my house, where there’s been no tornado, floods, or natural disasters for over 50 years.
Re: Re:
OK, so you think people who barely know how to navigate around a Windows GUI are going to be able to setup a file server using Python or Apache?!!!!!! You ARE an idiot.
Re: Re:
Good luck with deciding whether getting your family out safely or grabbing your home made file server is more important if your house ever catches on fire. At least with a commercial “cloud” solution, my data can be safe and I can help get my family out of the house.
Re: Re: Re:
Of course, any minimally competent person designing and building such a setup will have off-site backups. You are making a strawman argument by presuming that the implementor is an idiot and then criticizing him/her for being so.
For example, I have three independent sets of off-site backups: all encrypted and none in the cloud. It’s quite easy to maintain them and keep them refreshed so that they’re kept up-to-date (within a week) of the live systems. They’re all in different locations, and any disaster that would take out all of them would also very likely take out me as well, so I do not need to worry about their survivability beyond such an event.
Now, I’m sure this is well beyond the capabitilies of the point-and-drool crowd, but we have no evidence to date which demonstrates (for example) that Dropbox isn’t part of that crowd.
Re: Re: Re: Re:
Dropbox have proved, twice, that they cannot handle your files securely. It should be evident enough to anyone reading the news, or able to google.
That being said, there might be safe and good alternatives out there. It doesn’t remove the security issues from the process though. It the past few months, “clouds” have been in the news numerous times because they failed to do what they were supposed to; not only amazon.
This is yet another wake up call for people who are security conscious. And since most of them are US-based, and the US has (and is trying to add more) draconian laws about data, then it’s an obvious answer. Don’t even think about touching it with a 1000 foot pole.
Re: Re:
“People should wake up to the information age and stop letting third parties to bottle feed them their crap. Take matters into your own hands!”
Yeah! I bet you do your won dental work too! Anyone who goes to a third party for anything is a fool!!! Don’t buy food at the grocery store! Grow it yourself! And don’t use a computer someone else designed! Make your own you twit! It’s easy! Any engineer could do it! But wait! Don’t take classes! That’s just using someone else’s knowledge! Teach yourself you fool!
Sounds like they need a gmail type feature that shows what IP’s accessed your account and when so people can tell if they were affected.
Running a file sever is not THAT hard. In fact, I could slap together an HTTP file server in Python with about 10 lines of code (or run “python -m SimpleHTTPServer” if I’m feeling stupid), but I’m sure there are more robust and user-friendly ways of doing it (apache?).
So could i, but would it be secure as something a multi-million/billon dollar company, whose main business is providing those services? Not even close
And that?s before costs come into play, power, connection, time spent keeping it patched, so forth, in majority of cases for individuals/small business a cloud provider will be cheaper and more secure once all factors are taken into consideration due to the economies of scale, thus making it the right choice for them
Now for medium or large business/enterprise… that’s a whole different kettle of fish and companies of that size considering the move to an external cloud provider need to have their IT management head?s examined
Re: Re:
I don’t think dropbox is that big – my understanding is that they use Amazon S3 for their cloud capabilities, so the majority of what they do seems to be designing the interface and syncing features. If that’s the case, just getting an S3 account puts you fairly close to dropbox functionality.
Not excusable. Period.
This isn’t the kind of error that occurs because one programmer made a mistake. It’s what happens when the programmer makes a mistake, the QA department makes a mistake, and the deployment isn’t validated or the migration process isn’t properly managed. And that many mistakes are the fault of management for not knowing the right things to do and ensuring that they’re done.
For a company that must have consumer confidence to succeed, this is inexcusable, and it’s the CEO’s fault.
Re: Not excusable. Period.
Isn’t QA what those old slow software companies used? Modern, web 2.0 companies can’t be tied down by that crap. Take a cue from Facebook’s motto, “Move fast, break stuff”.
Alternatives to Dropbox
– Host your own;
– Spideroak: https://spideroak.com/
– SugarSync: https://www.sugarsync.com/
– Windows Live mesh: http://explore.live.com/windows-live-mesh-sync-p2p-using
– Zumodrive: http://www.zumodrive.com/
– Wuala: http://www.wuala.com/
To name a few.
The cloud is not ready for prime time
http://www.engadget.com/2011/06/20/segas-online-pass-hacked-1-3-million-user-passwords-stolen/
http://www.dailymail.co.uk/sciencetech/article-1380050/Sony-admits-Weve-hacked-PlayStation-Network-outage.html
http://www.techjournalsouth.com/2011/06/digiday-citigroup-credit-card-info-hacked-social-marketing-rivals-email-benefits/
http://www.securityfocus.com/news/10271
http://www.webguild.org/20090510/160000-social-security-numbers-hacked-from-uc-berkeley
http://www.teamshatter.com/topics/database-security/maines-kennebec-savings-hacked-no-funds-card-data-or-social-security-numbers-compromised/
http://online-identity-theft.net/online-identity-theft/60000-university-of-wisconsin-madison-social-security-numbers-hacked
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html
http://www.msnbc.msn.com/id/40841273/ns/technology_and_science-security/t/honda-online-database-hacked/
http://datalossdb.org/incidents/3196-hacked-server-exposes-106-884-names-social-security-numbers-and-dates-of-birth
http://abcnews.go.com/Politics/story?id=2601085&page=1
http://www.dispatch.com/live/content/local_news/stories/2010/12/16/server-hacked-at-osu-760000-affected.html
http://consumerist.com/2007/09/td-ameritrade-hacked-customer-data-compromised.html
http://www.theinquirer.net/inquirer/news/1050908/faa-hacked
http://gadgetwise.blogs.nytimes.com/2010/12/13/gawker-passwords-hacked-what-you-should-do/
http://www.pcmag.com/article2/0,2817,2376049,00.asp
http://www.dailymail.co.uk/news/article-1218272/Microsoft-Hotmail-accounts-hacked-posted-online.html
http://securitycertificate.net/2011/06/google-gmail-account-passwords-hacked-from-china-hackers/
http://www.freakgeeks.com/2011/2768/ios-devices-passwords-hacked-in-6-minutes/
http://www.msnbc.msn.com/id/41059570/ns/technology_and_science-security/t/pentagons-credit-union-hacked/
http://mashable.com/2011/01/22/lushs-uk-website-hacked-credit-card-numbers-used/
Best alternative: SugarSync
Good article ? here is another cloud storage solution that is fully encrypted:
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.
Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!
https://www.sugarsync.com/referral?rf=tbtp0asbw9pt
Hope it helps someone.
I'm sure its all been said, but,
“The Cloud” offers virtually no benefit to the individual user. It offers MANY benefits to the companies that want you to use it. Otherwise, why would they push you to use it so much?
ANY ANY ANY cloud service you intend to use, pre-encrypt anything you put there. Expect NSA (and, hopefully, Cryptome) to get it anyway. And don’t expect it to be there when you need it.
“The Cloud” is as ephemeral and fickle as, well, a real cloud. Sometimes, they look like choo choos.
All they need to do is add a mult-factor authentication method. Gmail has that and its great. Dropbox is still awesome. Still safer than on my local PC, this their files are encrypted.