The answer is simple:

Your data should never be treated as "secure" when stored on someone else's computer(s) unless you've encrypted the data before it gets there using the strongest encryption scheme you can reasonably use.
Are you still a Dropbox user? With or without prior file encryption?
I still use Dropbox. Sensitive data is encrypted.
What do you use to encrypt data before uploading? TrueCrypt can be cumbersome when encrypting entire disks, especially for data backups. I use AxCrypt, any thoughts on that program?

Just a folder. It works okay, but not the greatest. I can't read the encrypted stuff on my iPhone either. I have heard good things about AxCrypt, but have not used it, myself. It certainly has to be better than nothing at all. You are no longer the low-hanging branch.
For personal stuff, you're probably fine to use Dropbox to store your TrueCrypt blob files. If you control the encryption locally, you can better trust the encrypted data's storage by a third party.

For business stuff, you probably want to consider other service providers if you consider hosted storage at all. Jungle Disk provides much the same service but in a way where JD staff are unable to access your data at all.

If you're outside the US, something to consider is that data stored within US borders falls under US privacy laws which can 'legally' break the privacy laws of your own home country. Australia's privacy laws are more strict than the US laws as are Canada's, so data stored by citizens of both countries falls outside of Canadian law and under much weaker legal protections.
JungleDisk may not be out of the woods. It seemingly has issues as well:

http://www.xydo.com/toolbar/21490376-insecurity_in_the_jungle_disk
JungleDisk was the example given in anything I've read about the Dropbox issues so far. This seems to reinforce my bias towards all third party storage providers now too though. hm.. wonder if SugarSync and the Wub-whatever one are holding up.
Spot on Chad
tbmay 13th Jun 2011
People either care about security or they don't. Most don't.
Why do you feel that most people don't care?

Oh, I occasionally change minds. Often they're changing begrudgingly though.

I have very recently had advanced IT pros tell me they couldn't care less about most security and privacy concerns. They think obscurity is "good enough" security. "There's really no need to put in a VPN. What are the chances anyone's going to be actually snooping?"

This was in regards to two networks passing HIGHLY sensitive data. I won't say any more.

If people who know better, people who know full well what a packet trace is and have done them, have that attitude, why the heck would we expect the non-technical people to be better?
Motivation
ToR24 14th Jun 2011
What your IT Pros really want to say is... "I don't care about YOUR data. Now if we got paid a bonus of $0.0001 for every network packet we encrypted, and $0.10 for every encrypted megabyte-file stored per month, then we'd be all over it and everything would be encrypted. We'd even encrypt VoIP, internet radio, temporary cache files, backup tapes, and USB fobs! We'd be encrypting fools!"

Turn to human nature. If there weren't laws or loan requirements for people to carry insurance on stuff, how many people would actually pony up the premiums? Let's face it, encryption is insurance. Throughout the company, everyone wants to bury encryption support operations into overhead instead of programming operating costs. You need to have dedicated, capable staff encouraged with positive incentives to support a program of this complexity. Or the company needs to stash the cash for the potential loss payout, because fundamentally one person's bits of crap is another person's highly sensitive data. It all depends on who has a vested return value in those bits.
exactly
apotheon 14th Jun 2011
They don't care about the data. People only put real effort into protecting something when they actually care about it. I made that point in an article about how people "protect" their passwords, Like Passwords For Chocolate, Coming Soon To A Security Theater Near You.
I find that most people tend to:

1. refuse to learn about different ways of doing things that might be more secure and no more difficult than how they already do them (or, in some cases, even easier than how they already do things)

2. Nope, I guess there's just that one case that comes to mind right now. Everything else that springs to mind to add as another enumerated point can be derived from point 1.
I tend to see the opposite. Once I explain all possible pros and cons, I find that clients will lean toward increased security.
. . . but the moment I stop looking over their shoulders, they start to revert to their old, bad habits.
true...
pgit 14th Jun 2011
Which is why I keep showing face, touching bases and reinforcing whatever small victory I've accomplished.
I can't lean over everyone's shoulder all the time, especially when they stopped paying me after the initial deployment or fix I provided.
Outrageous.. we can't do that! (and out come the old self-comforting excuses) "no one is trying to get our stuff anyway." "what could they do with this information anyhow?" "it costs too much" "we haven't had a problem yet, we'll worry about that if it happens" "don't fix what we've decided isn't broke."

bah.. you can't protect people from themselves
I am forever the optimist. I try to convince people, by using what has happened to me.
if anything
Neon Samurai 14th Jun 2011
I am persistent about the topic.
Too many
itadmin@... 14th Jun 2011
I have too many passwords already. Most of my stuff is mundane and boring and my memory isn't getting better with age. Doesn't matter where you store your stuff, someone can get at it. If you use symmetric encryption, say Twofish, to encrypt your data before storing on Dropbox and keep the key on, say a thumbdrive, not a computer connected to Dropbox, good luck to anyone who steals your encrypted data. It will be useless.
The problem is that encryption is not ported to smart phones. And most of the people I interviewed use Dropbox as it allows syncing to their smartphone.

There are a few very nice ones that easily share the same database file across multiple systems. My KeePass runs happily on probably twenty different OS types and hardware sizes including PalmOS, Android and iPhone. It's an easy way to deal with the "too many passwords to remember" issue.

Passwords should be disposable and unreused.

Sidenote: Everyone on Facebook has been screwed since 2007. They recently fixed the issue but users need to change their passwords before the fix takes effect. (details: the way applications managed the access tokens left them sprayed across the internet in webserver logs. Anyone that plucks the token from a logged URL has access to your FB profile.)
same here
pgit 14th Jun 2011
I wonder if it's in the delivery? I seldom fail to convince users to move in the direction of better security, even if it means inconvenience or that they have to learn and retain additional knowledge.

The one big exception to that rule is I often find noscript totally disabled. =(
I have taken several classes in debate and how to change people's minds. It is a tough thing to do, but with the right approach, one can work wonders.

> I have taken several classes in debate and how to change people's minds. It is a tough thing to do, but with the right approach, one can work wonders.

. . . until they change it back. I can be pretty persuasive, but no amount of persuasion is a perfect defense against a relapse. They say distance makes the heart grow fonder, but it also tends to make the mind a bit softer. Time and distance make people give up, or forget, their earlier resolutions.
All them multiple posts, or has your encryption gone haywire, too?
Because, it's beyond comprehension.
And I don't see anywhere that it is suggested that users use their own encryption for sensitive data in the main marketing pages. Possibly under the support links, but no one reads those until there is a problem. A quick mention could be easily used as a positive selling point. (But that may get in the way of the hip new web page style that uses loads of whitespace.)
I was wondering, Sean
Michael Kassner Updated - 14th Jun 2011
If they are keeping things "close to the vest" due to the injunction.

The way I found to move around the website was to use the "fine-print" links at the bottom of the home page.

Sean, PM me please.
I'm sure there are plenty of good reasons to not address publicly those claims at this time.

Hi Sean,

You can find this information in the Security Overview, in the Help Center, and quite extensively discussed in the forums:
https://www.dropbox.com/security
http://www.dropbox.com/help/28
http://forums.dropbox.com/search.php?search=truecrypt

We want to make Dropbox easy to understand and simple to use for the mainstream consumer audience, so we have not talked about third-party encryption on our features page. The question of what data is "sensitive" is different for different people, but we recommend third-party encryption for more advanced users who understand and feel comfortable with these solutions. The help center is frequently the next place users go for questions, and we do discuss TrueCrypt there. Many of our more advanced/technical users also go to our forums to discuss how they use different encryption solutions on top of Dropbox.

You maintain that one more bullet point saying that a user can also use their own encryption on files prior to uploading would be confusing? I'd expect that people who are not storing anything that they consider to be sensitive would just ignore it. People to whom the option may apply might stop and think, "Hey, good idea. Why should I count entirely on someone else to secure my data? I should take some responsible action here."

Why should you, as a service, be in a position where people who don't think about security (maybe until they see it mentioned as one more feature) are going to wrongly blame you for their own errors?


> The help center is frequently the next place users go for questions, and we do discuss TrueCrypt there.

I do volunteer support for another well-defined and entirely unrelated service, with plenty of KB articles, instructions, and a forum filled with previously answered questions and solved problems. Many people seeking support are quite incapable of reading anything beyond the one or two pages that they absolutely had to load to sign up, never mind all the links to readily available information. Maybe your experience is different. But like Facebook, I rather suspect you have users who expect that certain people can access their files while others cannot, magically. (Again, not via proper configuration or taking precautions, but magically.)

I suppose that your mileage may vary. Best wishes to you and Dropbox.

Keep in mind the issue of allowing the use of Dropbox at your company by employees. Dropbox would make it much easier for a disgruntled employee to copy restricted company files than copying them to a flash drive. Granted, you can set your servers to log that activity, but that's a heck of a lot of data to keep/store...and by the time you notice (if at all) "Elvis has already left the building". We block Dropbox access at my job site.
How do you go about blocking Dropbox? I have been wondering how to do that. I have not checked the packet traffic yet to see if that is an option.
Reply
dnletoile 14th Jun 2011
We started taking a two-prong method. Initially, we blocked the domain name on our web filter. Next, we will add the application to our "denied application" list to prevent the program from executing on workstations.
What is your policy on proxy servers and mobile devices?
Reply II
dnletoile 14th Jun 2011
We don't allow proxy servers, our web filter blocks those automatically using vendor-provided lists. So many exceptions have been given to mobile device users, I can't even tell you WHAT the policy was... sad
Dropbox has apps for all the phone OSs and users can access the website.
Why even worry about installing a local app. All those devices ship with a web browser on them now so you've already got a "dropbox client" installed by default. With smartphones using the mobile network instead of company controlled wifi.. skee-roo-id
That is one of the big reasons it is so popular. My password manager uses Dropbox to sync the encrypted database. My office editor uses Dropbox to sync documents as I edit them. The list goes on and on.

Bah.. that right there is reason to start shopping for a better password manager. As a permitted choice, perhaps. As a standard default.. not for me thanks. I can rsync just fine on my own.
In the case of password managers, all Dropbox does is sync an encrypted file.
In your case, it may be encrypted behind a solid passphrase but anyone with a weak passphrase is screwed.
Using blacklists to block proxies is kind of a losing game. Any technically-oriented user should be able to work around a blacklist like that.

Is there a Dropbox hosted within a company that employees can use to sync from their PC, iPhone, and iPads? Beef up with security features for the host within the organization. Will this be something useful for corporates?
It is true that you may be risking the security of your data by sharing it and using Dropbox, but it is a price that is paid through various synchronization services like that of Dropbox. Does there exist a file sharing and storing service that can guarantee you security along with easy usability and functionality?
The other problem that surfaces is encryption services do not always work on mobile devices. For example, as far as I know, TrueCrypt is not ported to the iPhone. One of the big reasons for using Dropbox is to have files synced to mobile phones. Now you have to make a choice.

And, due to its popularity, all sorts of mobile apps sync using Dropbox, which adds to the anguish.