It doesn't matter what you do, if you're doing it, or communicating it, over the internet it's not secure or private.

Anyone who thinks otherwise is in denial. It's as simple as that.

Learn how the internet actually works and it will really open up your level of awareness.
 
Well, the sad scary truth is that if your data is in your home PC, and your home PC is plugged into the Internet for even a few minutes a day -- it is probably less secure than in DropBox or iDisk.

Consumer grade operating system, router, and firewall security is pretty much a joke. You may (or may not 😱) have your WiFi locked down, but even so -- it's not all that difficult to come in right through your Cable Modem or DSL line.

If you have a commercial grade Cisco router, firewall, intrusion detection hardware, a full time 24 x 7 security staff at your home PC, then you can claim that the Cloud is "less" secure.

Otherwise, you're fooling yourself.
 
Well, the sad scary truth is that if your data is in your home PC, and your home PC is plugged into the Internet for even a few minutes a day -- it is probably less secure than in DropBox or iDisk.

Consumer grade operating system, router, and firewall security is pretty much a joke. You may (or may not 😱) have your WiFi locked down, but even so -- it's not all that difficult to come in right through your Cable Modem or DSL line.

If you have a commercial grade Cisco router, firewall, intrusion detection hardware, a full time 24 x 7 security staff at your home PC, then you can claim that the Cloud is "less" secure.

Otherwise, you're fooling yourself.

the difference is no one cares about my computer, so no one is making the effort to hack into it to take anything, there is nothing of value for them. now the cloud is an entirely different story, it is actually worth their time to try to hack that to get data because there is actually useful info in there
 
Well, the sad scary truth is that if your data is in your home PC, and your home PC is plugged into the Internet for even a few minutes a day -- it is probably less secure than in DropBox or iDisk.

Consumer grade operating system, router, and firewall security is pretty much a joke. You may (or may not 😱) have your WiFi locked down, but even so -- it's not all that difficult to come in right through your Cable Modem or DSL line.

If you have a commercial grade Cisco router, firewall, intrusion detection hardware, a full time 24 x 7 security staff at your home PC, then you can claim that the Cloud is "less" secure.

Otherwise, you're fooling yourself.

Yes, you have good points. However, what makes you think that there are less possibilities & incentives for a hacker to hack into DropBox than your own home PC? 😕 Furthermore, maybe I'm just totally ignorant, but you really think that the DropBox service is that much more secure than your own home PC? 😕
 
So is anyone going to trust Apple's new, future iCloud service with anything important/personal?

Or are you all going to Assume that Apple are going to retain the right to nose around your files if they so wish?
 
So is anyone going to trust Apple's new, future iCloud service with anything important/personal?

Or are you all going to Assume that Apple are going to retain the right to nose around your files if they so wish?

I won't "Assume" anything, I will read the TOS like anyone ought to do.

The fact of the matter is any cloud provider must retain some level of permissions that allow certain individuals the ability of file-level access to whatever you put out there. That's just part of the operational realities of such a business.

There are people at your bank, credit card company, brokerage, IRS, etc. with access to your personal information. People at your doctor or hospital with full access to your medical history. What's so different here?

A smart person is already encrypting any truly sensitive files anyway. No telling when/where your computer might get stolen.

I'm kind of curious though -- what sort of stuff are you keeping on your computer that you're so concerned about an anonymous stranger seeing?
 
If I was 007, Jason Bourne or part of the Mission Impossible team, I might be concerned... but then again, I would likely not be using DropBox for my storage

But honestly, there is absolutely nothing of value in any of my data
If someone wants to read my divorce papers for a laugh or steal my login to the Papa John's pizza site... have at it

I pretty much welcome someone to steal my identity so they can take on all of my debt 😉

If you store it, someone can get it, period
 
Consumer grade operating system, router, and firewall security is pretty much a joke. You may (or may not 😱) have your WiFi locked down, but even so -- it's not all that difficult to come in right through your Cable Modem or DSL line.

what you're claiming is bull and if you really knew what you were talking about, it would be evident. stop trying to scare people.

a properly configured router (NAT translation, no port forwarding, etc) plus a properly configured client (disable most MS services on the internet facing NIC, + software firewall) and that would defeat all but the most knowledgeable hackers. it goes without saying that wireless is turned off too. sure they could probably kill my internet connectivity with a DOS attack but that's another matter entirely.

it would take a user action (to initiate a payload whether browser or attachment based) for you to establish a connection into the system.

my data on my PC is a lot more secure & private than anything in dropbox (unless dropbox offers encryption).
 
Not sure why this would be a surprise... I'd expect anything I put on a cloud service that wasn't encrypted by me would be readable by someone at the service company. 😕

I'm also confused as to why he thinks DropBox is an exceptional case. If you do anything online that's not directly encrypted, it'll be accessible by someone at the service provider. But people still use Facebook, Google and Bing.

Just last year, we've had these reports:

http://gawker.com/5637234/?tag=valleywag
David Barksdale, a 27-year-old former Google engineer, repeatedly took advantage of his position as a member of an elite technical group at the company to access users' accounts, violating the privacy of at least four minors during his employment,
...
Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.

http://therumpus.net/2010/01/conver...ernet-5-anonymous-facebook-employee/?full=yes
Rumpus: Do you think Facebook employees ever abused the privilege of having universal access?

Employee: I know it has happened in the past, because at least two people have been fired for it that I know of.

Rumpus: What did they do?

Employee: I know one of them went in and manipulated some other person’s data, changed their religious views or something like that. I don’t remember exactly what it was, but he got reported, got found out, got fired.
 
That's right in the TOS: https://www.dropbox.com/terms#security

Third paragraph under Privacy.


Not sure why this would be a surprise... I'd expect anything I put on a cloud service that wasn't encrypted by me would be readable by someone at the service company. 😕

That's what the TOS say now. Back when a lot of us signed up they made a big deal about how nobody at Dropbox could possibly access our data ever. I didn't believe them, but it's not quite as simple as reading the TOS.
 
That's what the TOS say now. Back when a lot of us signed up they made a big deal about how nobody at Dropbox could possibly access our data ever. I didn't believe them, but it's not quite as simple as reading the TOS.

I've only recently used dropbox, so I'll just take your word on what the TOS did or didn't say previously.

Glad you didn't believe them, since it's even simpler than reading TOS:

If you store unencrypted files on someone else's storage, then someone might access and read those files. They might be breaking TOS, company policy, laws, etc. but those only create repercussions and only if you find out; they don't prevent the access in the first place.
 
I agree, though I'd make this clarification to avoid doubt: "If you store files that you haven't encrypted yourself on someone else's storage..." since the whole deal with Dropbox was that they claimed to encrypt your stuff automatically so that their own staff couldn't (not just wouldn't) access it -- which is why the new state of affairs is controversial at all.
 
So.....................

Let's say you encrypt your personal data.

You upload it into Dropbox, or iCloud.

The government then, I suppose has the legal right to force you to decode this information if they feel you are storing something you should not.

I believe that's the case in the UK, unsure about US, and if you refuse to do so, I believe you would be deemed guilty of whatever you are suspected of.

Can anyone confirm?
 
So.....................

Let's say you encrypt your personal data.

You upload it into Dropbox, or iCloud.

The government then, I suppose has the legal right to force you to decode this information if they feel you are storing something you should not.

I believe that's the case in the UK, unsure about US, and if you refuse to do so, I believe you would be deemed guilty of whatever you are suspected of.

Can anyone confirm?

My understanding of US law is that the government will need a court order to compel you to provide the encryption key. And in order to get the court order, they need to convince a judge that they have reasonable cause. If you refuse to comply, you could get charged with contempt of court, or perhaps even obstruction of justice, but you can't be convicted of whatever they suspected you of in the first place, assuming that the encrypted material is the only definitive evidence against you.
 
So.....................

Let's say you encrypt your personal data.

You upload it into Dropbox, or iCloud.

The government then, I suppose has the legal right to force you to decode this information if they feel you are storing something you should not.

I believe that's the case in the UK, unsure about US, and if you refuse to do so, I believe you would be deemed guilty of whatever you are suspected of.

Can anyone confirm?

In the UK, we have specific legislation (under the Regulation of Investigatory Powers Act) that makes it a legal requirement to divulge encryption keys when demanded by the Police as part of an investigation: The right to not self-incriminate has been deemed not applicable in the case of handing over encryption keys

Failure to comply is a crime in and of itself and carries a penalty of 2 years in jail (5 years if terrorism is suspected)
 
  1. A smart person is already encrypting any truly sensitive files anyway. No telling when/where your computer might get stolen.
  2. I'm kind of curious though -- what sort of stuff are you keeping on your computer that you're so concerned about an anonymous stranger seeing?

1. Really interested in how you encrypt stuff and manage your files. Do you just create a sparse bundle using Disk Utility and set a password on there or do you use TrueCrypt to create a disk image and like the sparse bundle, mount and use your files from there?

I've been wanting to do this for a while but it seemed rather troublesome because I have lots of different folders on my desktop, and lots of sub-folders under that. You'd also miss the value of file versioning without Time Machine, wouldn't you?

I thought about FileVault but it takes too much storage and I've heard that it will slow down your computer, so I decided against it.

2. Just don't like other people seeing my stuff. Can't answer for others though. Most of my important stuff are essays and probably some design-experiments, writing, lots of stuff that I have collected on the Internet (Design inspiration, DeviantArt things, ...), tutorials/lists, ...
 
Let's say you encrypt your personal data.
You upload it into Dropbox, or iCloud.
The government then, I suppose has the legal right to force you to decode this information if they feel you are storing something you should not.

*If* you're doing something that you'd be concerned about the government discovering, it'd be mindbogglingly stupid to put that on the cloud whether encrypted or not. Can we not bother with worrying about the situations requiring the primary actor to be a moron? I'm assuming most people here to be reasonably intelligent individuals.



1. Really interested in how you encrypt stuff and manage your files.

2. Just don't like other people seeing my stuff.

#1 -- work computer (PC) is encrypted with PGP whole disk encryption. Backups are to a TrueCrypt volume on an external drive. On my personal computer, any sensitive items like passwords and account #'s are stored in eWallet which provides its own encryption.

#2 -- Each to their own I guess. I don't really care. If someone wants to read stored emails or grad school assignments, no big deal. I don't have anything in my computers that I'd be embarrassed about other people seeing. Perhaps I lead what others would call a boring life, but there's nothing I need to hide from anyone including wife and kids. (there's a whole different discussion of why people do stuff they'd be afraid of other people discovering, but not going there today)
 
#2 -- Each to their own I guess. I don't really care. If someone wants to read stored emails or grad school assignments, no big deal. I don't have anything in my computers that I'd be embarrassed about other people seeing. Perhaps I lead what others would call a boring life, but there's nothing I need to hide from anyone including wife and kids. (there's a whole different discussion of why people do stuff they'd be afraid of other people discovering, but not going there today)

People may not have anything to hide, but they may still not like the idea of random strangers being able to snoop through their stuff. Everyone has an underwear drawer, there's nothing shameful or illegal about having one, yet few people would feel comfortable if anyone else could take a peep at what's inside.
 
So.....................

Let's say you encrypt your personal data.

You upload it into Dropbox, or iCloud.

The government then, I suppose has the legal right to force you to decode this information if they feel you are storing something you should not.

I believe that's the case in the UK, unsure about US, and if you refuse to do so, I believe you would be deemed guilty of whatever you are suspected of.

Can anyone confirm?

My understanding of US law is that the government will need a court order to compel you to provide the encryption key. And in order to get the court order, they need to convince a judge that they have reasonable cause. If you refuse to comply, you could get charged with contempt of court, or perhaps even obstruction of justice, but you can't be convicted of whatever they suspected you of in the first place, assuming that the encrypted material is the only definitive evidence against you.

The current state of the law on this in the U.S. is a bit blurry. The prevailing thought and most case law says you cannot be compelled by the police or a court order to give up your password because doing so would violate your fifth amendment right not to incriminate yourself. There was a case where the district attorney said they would agree not to use the fact the person knew the password as evidence against them, so that negated the fifth amendment defense. I don't recall the outcome of that case, which to my mind was nothing but a way to skirt a valid fifth amendment right.
 
People may not have anything to hide, but they may still not like the idea of random strangers being able to snoop through their stuff. Everyone has an underwear drawer, there's nothing shameful or illegal about having one, yet few people would feel comfortable if anyone else could take a peep at what's inside.

Exactly why I said "each to their own".

Anything you don't want the possibility of someone looking through shouldn't be out on the network in unencrypted format. Regardless of what the storage provider says is supposed to happen, the fact that someone else has physical control and access over the storage means there will always be the possibility of someone accessing those files. Might be a rogue admin, might be a screwup on the storage provider's part, but once you give up physical control you open yourself to that possibility.

To use your underwear drawer analogy -- do you ever let anyone in your house that you don't accompany everywhere at all times? Cleaners, contractors, friends, party invitees? Rhetorical question meant only to point out that there are aspects of physical security/privacy we don't really think about.
 
The current state of the law on this in the U.S. is a bit blurry. The prevailing thought and most case law says you cannot be compelled by the police or a court order to give up your password because doing so would violate your fifth amendment right not to incriminate yourself. There was a case where the district attorney said they would agree not to use the fact the person knew the password as evidence against them, so that negated the fifth amendment defense. I don't recall the outcome of that case, which to my mind was nothing but a way to skirt a valid fifth amendment right.

Yeah, I was unsure how the fifth amendment related to this. But let's say fifth amendment is not an issue -- say, police suspect that my encrypted file contains evidence against my friend Bob. They'd need a court order to compel me to decrypt the file, no?
 