back to article Dropbox security fubar infuriates customers

Storage and file-sharing vendor Dropbox made a huge cock-up during last weekend's upgrade leaving all of its user accounts unlocked. Encryption is not performed by the cloud provider's client, meaning that all customer information was there for the taking on Sunday between 1.54pm and 5.46pm. Dropbox issued no official comment …

COMMENTS

This topic is closed for new posts.
  1. Arrrggghh-otron

    Yay Cloud!

    Another massive win for the cloud...

    1. Ian Yates
      Big Brother

      Security

      Security in other peoples' hands - what could go wrong?

      It might cost slightly more and not be as well polished, but SpiderOak does at least ensure that things like this can't happen to your data (assuming SO aren't lying, of course).

      1. Airhead

        SpiderOak

        Agree about the interfaces, but SpiderOak is actually half the price of Dropbox - $10/month per 100gb vs $20/month per 100gb for Dropbox.

  2. Anonymous Coward
    FAIL

    Account ...

    ... canceled. They've been rather too cavalier of late and rather too full of their own importance.

    1. Anonymous Coward
      Pint

      Um ,,,,

      They've been full of their own importance?

      How so?

    2. Chris007

      why cancel - encrypt

      If they got access to my account then they could have downloaded an encrypted truecrypt file

  3. Anonymous Coward
    Facepalm

    well duh

    "This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again…"

    You mean testing changes before you implement them ?

    Intriguing. I wonder why nobody has thought of this before !

    1. Framitz

      Oh they probably tested

      Yeah, they probably tested alright. On the live system instead of dev or tst instances.

      All credibility is lost, for how long?

  4. Anonymous Coward
    Anonymous Coward

    Percentages

    "affected less than 1%..."

    I recently got fobbed off by Royal Mail with the same line "less than 1% of our customers have problems with redirections"...

    THAT IS FOR YOUR SHAREHOLDERS!!! If as a user I am in that 1%, then it 100% affects me.... you muppets.

    1. Anonymous Coward
      Pint

      No

      It isn't for their shareholders. They're not even a publicly listed company. You are not a shareholder. You're a user of a free service.

      1. Anonymous Coward
        Anonymous Coward

        free service?

        Whats free, posting costs stamps, and redirection costs a fee depending on how long you redirect for.

  5. Neill Mitchell

    Typical security breach spin

    Less than one percent. So that's perfectly alright then. Sounds so much better than 250,000.

  6. Not That Andrew
    WTF?

    (untitled)

    Isn't this their third security fubar in as many months?

  7. Gary F

    I'm right not to have trusted them

    I've used Dropbox for a few years and love the free service, but I have never trusted them enough to put my most private and important files into my dropbox. It's tempting to use it as an off-site backup of critical files (in case you house burns down or a burglar steals your PC and backup DVDs) but I don't totally trust the competence of these services where encryption is not done at the client and the customer doesn't exclusively hold the key.

    Communication is critical if there's a problem. Failing to talk to customers quickly enough always ends with angry customers. Yeah, I know it's a free service for most people. Glad I didn't upgrade.

    1. pixie lott's g-string

      2.5Gb backup space for your pc?

      and as far as i know, the upgrades are automatic - you don't get to choose when it happens?

      1. Anomalous Cowturd
        Linux

        Re: you don't get to choose when it happens?

        I do.

        See icon.

  8. Dimitri
    Paris Hilton

    Typical

    Unacceptable, but typical... Cloud providers who offer free services or even cheap budget services statistically WILL screw up at some point.

    The important thing is for users to be aware of this and not treat the cloud as secure storage for sensitive data. Honestly anyone who trusts dropbox, mobileme, box.net or any other such service who their sensitive data is a fool...

    On the other hand if people managed to access some photos that I wanted to share with my mum, or an mp3 that I wanted to sync to my phone, no big deal. And that's the kind of thing these services are only good for really.

    Paris, because only she would trust her private data to the cloud e.g. her sex tapes ;-)

  9. CashmanLawFirm.com
    IT Angle

    Dropbox should include client-side encryption.

    Sugarsync, Wuala, SpiderOak are all viable alternatives, some (all?) of which properly encrypt user data. There is no reason for a service as popular as Dropbox to protect its customers by implementing client-side encryption. If they did, this would not have been an issue.

  10. Anonymous Coward
    Anonymous Coward

    Less than 1%

    1% is a dimensionless number and is utterly worthless and meaningless. Being *nearly* right isn't ever *good enough*.

    If I wrote code that was only 99% accurate then it would, to me and my customers, be completely useless.

    Similarly, if a typist is only 99% accurate in her work, she'll soon get fired.

    The devil is in the detail, not the stats.

    1. Decius
      Boffin

      1% of what?

      If 99% of the programs I write compile and work correctly the first time, that's pretty good. If my typist has a 1% chance of making a mistake on any given day, that's outstanding. If my engine blows up once every 10 million rotations, that's still better than six-sigma performance.

      Check your context before you start spouting nonsense.

      1. Anonymous Coward
        Thumb Down

        Spouting nonsense?

        If you intended your engine example to also be an example of good performance, then it is way out. 10 million rotations of an engine = 85 hours (assuming a very conservative average 2000 RPM), which for a 1 hour a day commuter would be a shade over 4 months. In any case, six sigma relates to defect-free products and has nothing to do with expected failure rate.

      2. Joe Harrison

        Decimated

        At say 2500rpm ten million rotations/revolutions only sounds like a month or two's normal driving...

  11. Jonathan White
    FAIL

    Going somewhere else

    Given it's a free service, exactly what sort of threat is 'well, I'll just have to take my business elsewhere!' going to be? Pretty much sod all, I'd have thought, unless like 40% of their user base does it, which probably isn't going to happen.

    Jon

    1. Stevie

      Bah!

      And here we we why the penetration of "Free and Open" software, such as Open Office./Office Libre have such corporate pushback.

      No-one wants to be standing on the CEO's carpet saying "well, what do you expect, It's *free*".

      I keep telling people that this is not an excuse and not an explanation, but I keep hearing it from people who don't understand the negative payload of that viewpoint in the long run.

      Either it's a free alternative, or it's just free. That should be clear when the service is offered. Don't act surprised when people don't want to use "Just Free" instead of the Big Boy alternatives, even if they cost money up front.

      The issue isn't that the accounts were thrown open to anyone who cared to ask to come in for a read (well, it is but that apparently is beyond the "talents" of the people working at this mickey mouse operation), it's that the owners of those now compromised accounts were kept out of the information loop once the problem was discovered.

      Clearly, then, it matters from *someone's* point of view that this not get about, and the only reason for that - given that the EULA undoubtedly offers no suggestion that security will be a given - must be that Dropbox do *NOT* want their customers flying the coop.

  12. lotus49
    Facepalm

    Encryption FTW

    Any miscreants could have got hold of a list of my son's choir practice dates and a complete database of all my passwords.

    Fortunately, one of these was encrypted.

    The lack of client-side encryption is precisely why I don't trust Dropbox with anything sensitive. I also have a full backup of most of my family's data (>1.5TB) on Crashplan's servers. Crashplan (which, BTW, I strongly recommend) implements client-side encryption with the option of a user generated key.

    One of these companies got my money, the other didn't. Guess which was which?

  13. Anonymous Hero
    Coat

    Why would you put sensitive stuff on a thing like dropbox anyway?

    I use dropbox but would never entertain dropping anything of any importance or sensitivity in there. That just seemed like asking for trouble. I'm just waiting for the BBC report about some civil servant who's been sharing confidential excel spreadsheets with colleagues via drop box. It'll be the new "USB-stick-lost-on-a-train" story template.

    However given this latest performance I'm ditching it. Who knows what other little "flaw" is awaiting users such as whole machine pwning through some undocumented backdoor they've been asked to secretly add by the security services.

    That's me grabbing my tin foil hat and jacket.

    1. Leona A
      Flame

      no there wont.

      because 'dropbox' is blocked from here ;)

  14. Anonymous Coward
    Megaphone

    Three things....

    Encrypt

    Encrypt

    Encrypt

  15. Anonymous Coward
    Flame

    The the article author

    Please look up the meaning of FUBAR and use it correctly.

    While not normally a grammar/spelling Nazi, this use of FUBAR is just ignorant, and not entertaining.

    Trusting the 'cloud' is foolish and this is just one example of that foolishness.

    1. Not That Andrew
      Mushroom

      Nice to know you've read the Jargon File

      We all know FUBAR is short for f*cked up beyond all recognition. However many would argue that that is exactly the situation at Dropbox

  16. XMAN
    Facepalm

    Sigh

    I had just signed up and started using Dropbox. I didn't know anything about this. Now I'm worried about whether I should continue using it or not.

    For a company that's handling millions of peoples files, how could they allow such a huge security problem to slip through?

    For those saying "encrypt your files before uploading to dropbox" - that's easy to say but slightly impractical and difficult to actually do.

  17. joe.user
    FAIL

    Captain Obvious here....

    Someone explain to me for as popular as Dropbox is, why the HELL don't they force encryption on the client side BEFORE uploading.

    Oh wait, I know why. So they can TURN OVER your stuff to the authorities!

  18. Paul Stimpson
    Coat

    Failbox

    First they admit their staff can access our files (but won't because the rules say not... honest) and now they open password-free access to my data for a night. I'm off...

    ...Mine's the one with the Spideroak logo on the pocket.

  19. The Dodoman

    Simple solution is to use..

    USB drives... Some of them come with decent backup software. Use two, alternate regularly and you have a good home backup.

  20. The Brave Sir Robin
    Happy

    I dropped Dropbox...

    a few weeks ago when I discovered that they had changed "can't access user data" to "not permitted to access user data".

    I went to Wuala which uses client side encryption. Not quite a classy on the client software user interface but it works, is cheaper and I'm much more comfortable about its security.

  21. SelimD

    It can happen to the best of us!

    Dropbox is stil good product and with cloudHQ you can even synchronize all you Dropbox files with Google Docs, edit Dropbox files inside a Google Docs interface, etc...

    More info:

    http://cloudHQ.net/dropbox/

  22. James Holt
    Joke

    I don't have this problem because...

    ...for my PC backups I use Mozy which is owned by EMC, who also own RSA... who better to trust with your data?

  23. b-a-r-k-i-n-g-m-a-d
    Meh

    Encrypted or not...

    "If they got access to my account then they could have downloaded an encrypted truecrypt file"

    Encrypted or not I would still rather they did not get 'access' to the file at all.

  24. Anonymous Coward
    Anonymous Coward

    Considering options

    I really like Dropbox for various reasons (great Mac/Linux support, seamless mirroring of files, multiple backups of important stuff, etc.), but have always used a Truecrypt container for anything sensitive - just as well, it would seem.

    Think it's time I looked seriously at an EncFS folder in my Dropbox - I'd rather not go to a competing service, though I'll be considering it seriously if this carries on (Wuala looks interesting).

  25. bugalugs

    Just received an invite from big brother to join DB

    as I've shunned FB invites past. ( adjusts tinfoil hat jacket pants and boots ) Sent him links here and a bunch of attached photos by return. Ain't SMTP grand ! Note to self - use it more.

    Hi Pete !

  26. Anonymous Coward
    Facepalm

    Hmmmm

    You just have to accept that ANY data you store off site on a 3rd party service may be exposed to the entire web.

    Once you have accepted that then decide what data you feel comfortable with that the world and his wife plus dog & goldfish can possibly have access to.

    the thing is, for some people you need data storing off site and it has to be secure. As a photographer, I have a massive archive of photographs that includes the very fist photographs I ever took. the negatives long since lost. I need this to be safe and at no risk of loss. My sister is also a photographer and needs a very safe off-site backup.. we decided the best way is to run identical servers and at the end of each day my data is backed up on her servers and her data is backed up on my servers via VPN tunnelling. both of our servers have plenty of levels of redundancy...

    if you want secure data, don't trust anyone but yourself with that security...

    I use dropbox, its a very convenient way to share data between my mobile phone and my pc, but i wouldn't use it for anything that i consider to be confidential.

    I would also imagine out of the 1% or 250,000 users that its only a very small % of those that actually have data that needs to be uber secure and when you consider how many of those actually had data accessed then your probably looking at a handful... and shame on them for using a web based service for sensitive data and not encrypting it first.... and that goes for the rest of the people complaining about data exposure....

This topic is closed for new posts.

Other stories you might like