Popular file-syncing service Dropbox has been in hot water lately. It was bad enough to find out awhile back their misleading phrasing wasn’t true and that files were indeed accessible to its employees. This has resulted in a formal complaint to the Federal Trade Commission. Now apparently that same design choice – the one about which they claim they didn’t mislead customers – made a new security snafu possible.
Apparently, for a four-hour window this past Sunday, any user account could be accessed using any password. Because a user’s files are encrypted on Dropbox’s servers (not on your computers or mobile devices), this means a security screw-up like this can give unimpeded access to any user’s files.
Conversely, had they chosen to encrypt files client-side, this authentication bug would not have granted access to the files because the password / decryption key would not match and the files would come back scrambled if they came back at all.
Twice, Dropbox has demonstrated poor security practice. Some would argue they also demonstrated dishonesty by claiming their employees couldn’t access the files (their wording suggested “unable” rather than “not allowed”). Now a new problem has been demonstrated: they have poor or nonexistent testing practices when rolling out updates to their servers. Had they at least automated testing of their authentication system, they would’ve discovered the problem before ever having deployed the changes to their public-facing servers. As a user, I have yet to learn of a single one of these incidents from Dropbox themselves.
This latest sin and all it reveals has caused me to abandon Dropbox entirely. I can no longer trust them. Wired suggested two alternative services: Wuala and SpiderOak. Both offer client-side encryption and Mac and iOS clients (important to me).
I’m currently leaning toward Wuala (see update below) but have learned to do my homework first. I won’t be signing up for another Dropbox-like provider, free or not.
It’s that last sentence that could be used as a retort: “Relax, it’s a free service.” Granted if you need 2 GB or less, the service is completely free. Nice of them but not nice enough to allow them to – in my opinion – mislead me about their security and for me to put up with repeated ham-headed security offenses. Those who’ve known me awhile (or at least followed me on Twitter) likely remember I was hesitant to use something like Dropbox for awhile at all. I begrudgingly tried it and changed my opinion. I found a few good uses for it. Not good enough to make me want to integrate my own applications with it (a popular request a year or two ago), but good enough to use on its own.
I’m of the opinion that Apple’s upcoming iCloud service will offer a seamless file syncing experience (hopefully more “seamless” than iDisk). I also believe they’ll worry over security as well – they do have a reasonable track record. As I use all Apple devices, I should have no trouble getting to the stuff I need … with style. For this reason, I’ll be using Wuala (or SpiderOak) as a stopgap until iCloud is available.
So long, Dropbox, and thanks for all the fish.
Update – Err, never mind about Wuala. It’s Java-based (I’m a “native app purist”) and decidedly not user friendly. I can’t figure out whether it offers automatic syncing at all and it appears to be still in beta. Further, its completely unexplained “file system integration” setting in preferences is enabled but its “check” says it can’t “Access Root Directory” to offer this feature. No fucking thanks.