Is there a secure file hosting service?

Tonight I was at my kids' school event, and a friend called me over to tell me that he ran into my blog post about the problems with Dropbox, and wondered if there is a good alternative and what I thought about the other solutions such as Evernote, about which I only have a little detail so far. I was planning on really digging into these solutions soon, but now seems like the time. So I’m going to be starting some research with my team to see what we can find.

So far there are the following solutions to dig into:

  • Dropbox – Already know some of the problems. Has some add-ons popping up to help with security but generally breaks multi-platform support
  • Evernote – Solid player in the space, but there are problems to look into
  • SugarSync – Another decent looking solution, but need to dig into it more
  • Box.net – Decent looking as well, but will research
  • SparkleShare – Nice looking Open Source project to have your own service.
  • RubyDrop – Another Open Source project to have your own Dropbox-like service

I’m looking forward to finding out what can be learned in this process, and maybe after finding the collective set of problems, I can offer suggestions to those looking for a solution.

It’s even possible that I could come up with suggestions on how to solve the problems so that they may be avoided by other entries into the market.

Will keep you posted on my progress…

Dropbox (in)security

Dropbox is a handy solution for storing files in “the cloud” and having the ability to sync from various devices (PC/Mac/iPhone/Android). The idea is that these files are stored in an encrypted form, and should only be accessible by the person with the account and no one else. As a user of Dropbox myself, I read with horror as security issues with their service hit the web, but the saga has gotten more interesting.

This week I saw the news that someone has filed a complaint with the feds that asks the U.S. Federal Trade Commission (FTC) to investigate Dropbox for deceiving their users as to the extent of the security of the users’ data. This complaint is due in large part to these 3 recently published problems.

The first issue that Derek Newton pointed out was that once you enable a device it stores a simple file with some HostID which is then used for all future authentication. So you provide your user/pass and it generates a random HostID that it stores in your account’s list of verified hosts. This in itself is not too horrible, but the problem is that this HostID does not include any mechanism that uses some fingerprint of the system to make sure that HostID matches up with the current system. So someone can get ahold of your file with the HostID and place it on their computer and then they have access to your files. This seems like a major oversight, which I assume may have been done to make it quicker to deal with the multi-platform support. It needs to be fixed.
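An added example (not from the original post and not Dropbox's code) of the binding the paragraph above says is missing: the server ties each HostID to a fingerprint of the enrolling machine, so a copied HostID is rejected from another system. `SERVER_KEY`, the attribute names, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-only secret

def fingerprint(attrs: dict) -> bytes:
    """Hash a machine's stable attributes into a fixed-size fingerprint."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).digest()

def _tag(host_id: str, attrs: dict) -> bytes:
    return hmac.new(SERVER_KEY, host_id.encode() + fingerprint(attrs),
                    hashlib.sha256).digest()

def enroll(account: str, attrs: dict, hosts: dict) -> str:
    """After a user/pass login: issue a random HostID bound to this machine."""
    host_id = secrets.token_hex(16)
    hosts[(account, host_id)] = _tag(host_id, attrs)
    return host_id

def verify_unbound(account: str, host_id: str, hosts: dict) -> bool:
    """The behaviour described in the post: knowing the HostID is enough."""
    return (account, host_id) in hosts

def verify_bound(account: str, host_id: str, attrs: dict, hosts: dict) -> bool:
    """Accept the HostID only from a machine with the enrolled fingerprint."""
    expected = hosts.get((account, host_id))
    if expected is None:
        return False
    return hmac.compare_digest(_tag(host_id, attrs), expected)

# Constructed sample machines; the attribute names are illustrative only.
LAPTOP = {"os": "macOS", "machine_uuid": "constructed-uuid-0001", "disk": "SN-A1"}
OTHER = {"os": "Windows", "machine_uuid": "constructed-uuid-0002", "disk": "SN-B2"}

def demo() -> dict:
    hosts = {}
    host_id = enroll("alice", LAPTOP, hosts)
    # The HostID file is copied to OTHER; only the bound check rejects it.
    return {
        "unbound_accepts_copy": verify_unbound("alice", host_id, hosts),
        "bound_accepts_copy": verify_bound("alice", host_id, OTHER, hosts),
        "bound_accepts_owner": verify_bound("alice", host_id, LAPTOP, hosts),
    }

if __name__ == "__main__":
    print(demo())
```

The fingerprint here is reported by the client, so it raises the bar rather than proving identity; a key held in an OS keystore or hardware module would be a stronger binding.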

The second issue popped up when Dropbox changed their Terms of Service and it became clear that your files are not as secure as was thought. The change to the ToS says that if the authorities show up and ask for your files, they would comply and provide them unencrypted copies of your files. I won’t really make too much fuss about them not being willing to refuse, because that would take some serious legal expenses and I don’t get the sense that Dropbox is big enough to say NO to the US gov. The real point to this is that the only way they could provide unencrypted copies is if the files are not encrypted with some key from the login, which appears to be the case. With the explanation Dropbox provided, the only real restriction is their internal company policy. Not very reassuring, as I am not sure I have ever worked in a place where employees have ever completely followed “company policy”. I can imagine some bored and curious admin running a search on *.jpg during some middle of the night shift. Solutions like TrueCrypt and Boxcryptor can help; maybe Dropbox should acquire Boxcryptor and integrate it into their client software.

The third issue that was blogged about was an issue with the use of deduplication by Dropbox. The idea here is that Dropbox is storing a crap-load of data for its users. To cut down on the costs they implemented a solution for de-duplication, which in short means that when you put a new file in your dropbox it first checks on their servers for some other user having the same exact file already being stored, and if it finds one, it will just link you to that copy and not need to upload your file or store another copy on their drives. Now think about this… it would require that they take the unencrypted form of your file and generate a hash (let’s hope this is happening on your local machine), and this hash is stored in some table of file hashes. So then they check new files against their list, and if a match is found then they now have a single file which is accessible by two users. Which user’s key is this encrypted by? I assume the first… so if UserB wants a copy of the file at some point, then it would decrypt UserA’s file and give it to UserB? Ugh! This sure seems like terribly flimsy encryption to me.
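An added example (not from the original post and not Dropbox's code) covering the reasoning in the second and third issues: cross-user deduplication only works when the server can match the same readable content, while files encrypted under each user's login-derived key neither deduplicate nor open with another user's key. The `Store` class, the passwords and salts, and the demo-only `toy_cipher` are assumptions; a real client would use an authenticated cipher.

```python
import hashlib
import hmac

def user_key(password: str, salt: bytes) -> bytes:
    """Key derived from the login secret; it never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Demo-only stand-in for a real cipher (HMAC-SHA256 keystream XOR).
    Applying it twice with the same key returns the input."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Store:
    """Hypothetical server store that deduplicates on SHA-256 of what it receives."""
    def __init__(self):
        self.blobs = {}  # digest -> stored bytes
        self.links = {}  # (user, filename) -> digest

    def put(self, user: str, name: str, blob: bytes) -> bool:
        """Store blob for user; return True if an existing copy was reused."""
        digest = hashlib.sha256(blob).hexdigest()
        reused = digest in self.blobs
        self.blobs.setdefault(digest, blob)
        self.links[(user, name)] = digest
        return reused

def demo() -> dict:
    doc = b"constructed sample file contents\n" * 4
    key_a = user_key("constructed-pass-A", b"salt-A")
    key_b = user_key("constructed-pass-B", b"salt-B")
    readable, sealed = Store(), Store()
    # Server can see the file: UserB's upload is linked to UserA's copy.
    readable.put("UserA", "doc", doc)
    reused_plain = readable.put("UserB", "doc", doc)
    # Each client encrypts under its own login-derived key before upload.
    sealed.put("UserA", "doc", toy_cipher(key_a, doc))
    reused_sealed = sealed.put("UserB", "doc", toy_cipher(key_b, doc))
    a_blob = sealed.blobs[sealed.links[("UserA", "doc")]]
    return {"reused_plain": reused_plain, "reused_sealed": reused_sealed,
            "copies_plain": len(readable.blobs), "copies_sealed": len(sealed.blobs),
            "b_key_opens_a_blob": toy_cipher(key_b, a_blob) == doc,
            "a_key_opens_a_blob": toy_cipher(key_a, a_blob) == doc}
```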

I have no idea what will happen with the FTC involvement. Just because a complaint was filed doesn’t mean they have to act on it, but if they do it will likely be a precedent-setting case that should be watched closely as more and more computing is moving to “the cloud”. For my part, I don’t think Dropbox is a villain that was intentionally doing anything wrong, but that they simply have made mistakes on implementation issues and were maybe a little naive as to some of the issues security researchers would be able to dig up as their service gained popularity. If I’m correct about my assumptions about Dropbox, then I hope they respond by fixing their technology and being open with the community about the process.

This is one I will certainly be watching closely…

An Information Security Place Podcast – Episode 05-2011

I am tired of making excuses about us being late, so here is friggin’ episode #05-2011. Have fun!

Show Notes:

InfoSec News Update -

Discussion Topic – Scoping too small…

Music Notes:

Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour dates:

  • July 9 – with Powderburn, Earthrot, and more – Tomcats West in Fort Worth, TX
  • July 24 – with Creeper, Phantom X, and more – Oriley’s in Dallas, TX

Intro – RivetHead – “Stirring It Up Again”
News Bed – RivetHead – “Beautiful Disaster”
Discussion Bed – RivetHead – “Difference”
Outro – RivetHead – “Zero Gravity”