Dropbox security

[Ether]

FWIW, article about Dropbox security:
http://windowssecrets.com/newsletter...-alternatives/

[tim-tim]

Thanks for the info.

Good thing I only keep college work on there.

[JesseK]

Quote:

Originally Posted by Woody Leonhard

He argues with some authority that Dropbox has an unfair advantage over competing cloud file-sharing services by maintaining its own keys (which allows its programs and employees access to your data).

I don't understand how this is an unfair advantage? Is the claim that dropbox security is sub-par simply because employees have a process to go through in order to access the file contents?

Using COTS cloud services, especially free services, to store sensitive proprietary information for a company has been a known no-no in the IT industry since the word "cloud" was even coined. For anything sensitive, the best philosophy isn't centered around if something gets hacked, but rather a matter of when it will become hacked (hi Sony!). Sure, we lose agility by the inability to automatically sync files, or have files available anywhere -- but the tradeoff is well worth it for trade secrets.

For the really paranoid, there's also the good-ol' trusty IronKey USB sticks. 4GB of 256-bit AES on a key chain FTW.

[Ether]

Quote:

Originally Posted by JesseK

I don't understand how this is an unfair advantage?

Because if they can un-encrypt your data, they can "deduplicate" files and use delta storage for large files, which takes less storage. He mentioned that in the article.

Quote:

Originally Posted by JesseK

Is the claim that dropbox security is sub-par simply because employees have a process to go through in order to access the file contents?

Yes. He mentioned other companies in the article which have no access to decryption.


Please note: I am neither agreeing nor disagreeing with the above, simply explaining what I think he meant.

[JesseK]

Quote:

Originally Posted by Ether

Because if they can un-encrypt your data, they can "deduplicate" files and use delta storage for large files, which takes less storage. He mentioned that in the article.

Yes. He mentioned other companies in the article which have no access to decryption.

Please note: I am neither agreeing nor disagreeing with the above, simply explaining what I think he meant.

Gotcha. Interestingly, I'd never heard of drop box until I went back to school, and hadn't heard of any of the other sync-services until this article.

TANSTAAFL indeed.

[sanddrag]

Is there something exactly like dropbox but where you run the server on your own machine somewhere?

[Ether]

Quote:

Originally Posted by sanddrag

Is there something exactly like dropbox but where you run the server on your own machine somewhere?

In the article the author mentions alternatives to Dropbox. All of them are client applications I think, but at least one of them generates the passwords and encryption locally so that the server has no access to the content of your files.

If you want to run an Apache server on your own machine you could certainly store files there and completely control access to them. I know that's not "like Dropbox", but it would give you access to your files from any internet-connected device.

[Alan Anderson]

Quote:

Originally Posted by sanddrag

Is there something exactly like dropbox but where you run the server on your own machine somewhere?

SparkleShare is supposed to do what you're asking. It doesn't look quite ready for regular use yet, though. There's also iFolder, which seems more complete.

[Hugh Meyer]

Quote:

Originally Posted by sanddrag

Is there something exactly like dropbox but where you run the server on your own machine somewhere?

Funambol is one that I have been looking at. It has several sync clients that work with several different types of devices.

http://www.funambol.com/

I use Subversion, but it is not "exactly like dropbox" but it is a great way to keep files in sync across many computers.

http://subversion.apache.org/

-Hugh

[Stuart]

1745 Still uses Dropbox for its stuff but all of our financials are now in a Truecrypt container.

I found the whole thing stinks. the way they presented it to people is that they encrypted/decrypted it locally then only stored the hash ( without the password) like lastpass. but really the only thing keeping your files safe is a company policy (and disgruntled/blackmailed/hacked employees always follow policy)

as far as alts ( if you dont want to pre encrypt ) Steve Gibson ( from Security Now / Grc.com) uses Jungle disk for all his stuff and if its good enough for Steve it should be good enough for us.