Did the DropBox security lapse poison the well for iCloud?
Summary: For four hours on Monday, cloud-based storage provider DropBox allowed anyone to log into any account with any password. What will the ramifications be to iCloud?
For four hours on Monday, cloud-based storage provider DropBox allowed anyone to log into any account with any password. Take a second to read that first sentence again.
Scared? You should be.
If you're like me (and most regular iOS users, I suspect) you're a heavy DropBox user. Dropbox is deeply integrated into so many iOS apps and it bridges the gap left by iOS' lack of a real file system -- making it practically a requirement. It's no wonder that the service has 25 million users.
The sad part in this whole sordid tale is that Dropbox hoped to sweep it under the rug and only fessed up about the vulnerability after the media picked up the story.
Here’s the company’s blog post about the vulnerability:
Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
-Arash
Dropbox's second black eye (in as many months) has certainly shaken my trust in Dropbox, even though I don't use it as much as I used to.
The big question is what, if any, the ramifications will be for iCloud. Apple hasn't commented on the encryption scheme that iCloud will use, but let's hope that Apple takes a long, hard look at its iCloud security in light of this high-profile privacy flub by the "big dog" in the industry.
The lesson here is simple: Don't put anything on "the cloud" that you wouldn't want someone else to get access to -- unless it's encrypted on the client end. I still recommend Wuala for cloud-storage because it lets you hold the encryption keys.
How does the latest Dropbox fiasco leave you feeling about iCloud and cloud-based storage in general?
Talkback
Until now, Apple has a good history of protecting accounts of its users with
However, let's see how well Apple will face even bigger scale internet activity with the iCloud.
Umm, no,
RE: Did the DropBox security lapse poison the well for iCloud?
.... when running under windows. I presume.
Signs are unclear
It seems like iCloud should be about as secure as mobileMe email, although I hope Apple updates their security policy to suggest/require you update your password at some interval.
I'm curious to see if it will "just work" or not.
Security = Necessity
RE: Did the DropBox security lapse poison the well for iCloud?
well said "Security = Necessity".
It was actually a FBI request to give full access for an hour to any account so they can be inspected for terror links and DMCA violations.
just one thing about Wuala...
RE: Did the DropBox security lapse poison the well for iCloud?
But Google wants us to! I trust them with it, Google can't be hacked, right?
Oh, wait....
as to iCloud...
Actually ...
Jobs did make one brief mention that "everything is encrypted" then said something like "for storage and transmission" (can't remember his exact wording now), but he didn't get specific about what form of encryption.
DropBox makes me re-think everything "Cloud"
- Cloud based architecture cannot be blindly trusted. They are calling this a bug, but the fact that it was fixed in less than five minutes leads one to believe they have a giant authentication off switch designed into their system.
- Users used to know when upgrades were happening and have the choice to opt-out of upgrades. When web apps just stored my settings, that was fine, but the distinction between "cloud" and "online" to me is determined by how critical the service is. Critical application (ie Cloud) users deserve notice. It may be impossible to let some users opt-out of cloud upgrades, but users should at least be given the courtesy of advanced notification including change details.
- Users need to trust a development shop's ability to deliver quality code. This isn't a measure of developers, it's really a measure of the processes an organization wraps around the developers. Cloud based apps should have to disclose how they tested.
Based on recent events around DropBox, I get the impression they are a bunch of cowboys. This may be totally wrong, but that's the impression. Most web start-ups would never make if they couldn't be cowboys in the beginning, but there comes a time when an organization needs to grow up. A previous comment from an Apple fanboy is partially justified just for that reason. I trust that Apple, Google, Microsoft, Oracle, etc will follow proven life cycle processes and quality control to prevent really dumb things from happening too often.
If you like this train of thought, I wrote an article geared more towards users on this same thing at International Business Times. It's called "Is It Time for an Online Bill of Rights?"
I totally disagree
Cloud based architecture can and should be blindly trusted when the service provider is Apple. There has never been any viruses on OS X and there never will be due to the fact that OS X is UNIX and UNIX is hacker proof.
That's what I was thinking ...
I'm not a DropBox user, but I've certainly checked out the service and considered it. And, despite their failings, I believe they still provide a useful, viable service.
That said, my impression is that they're still in that quick-and-dirty startup phase, where there's less process and more immediate tweaks.
Their willingness to quickly make changes and improvements is a big part of how they became successful: DropBox folks were willing to try something different. And it worked. And it grew.
But when you start having thousands of users -- let alone millions -- you have a responsibility and obligation to think things through before you dive into the code and proceed methodically.
As to whether DropBox has a "master on/off switch" or not ... sure they do: it's in their code. All they'd have to do is comment something out or perhaps mess up the code regarding the password check. But that's the same with any site/app. All it takes is one little character to create a syntax error or other logic flaw. Good companies build in safeguards to prevent such things from happening -- either error-checking code or at least processes to minimize the chance of bad code being introduced.
I would be surprised if Apple's, Microsoft's, Google's or any other large enterprise like them would have this kind of problem these days. It could happen -- stuff does -- but it's less likely at established businesses with proven development practices and experience.
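The safeguard discussed in the comment above, sketched as an added example (not part of the original comment and not Dropbox's code): a fail-closed password check plus a pre-deploy gate whose negative probes block any build that accepts a wrong password. The account data, function names and the `broken_verify_login` regression are hypothetical, constructed for illustration.

```python
import hashlib
import hmac

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt

def hash_password(password, salt=SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store: username -> (salt, stored hash).
USERS = {"alice": (SALT, hash_password("correct horse battery staple"))}

def verify_login(username, password):
    """Fail closed: every path that is not a verified match returns False."""
    record = USERS.get(username)
    if record is None or not password:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def broken_verify_login(username, password):
    """Hypothetical regression: the comparison runs but its result is dropped."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    hmac.compare_digest(hash_password(password, salt), stored)  # result unused
    return True

def deploy_gate(verify):
    """Run positive and negative login probes; return a list of failures."""
    probes = [
        ("alice", "correct horse battery staple", True),
        ("alice", "wrong password", False),
        ("alice", "", False),
        ("alice", "Correct horse battery staple", False),
        ("mallory", "anything", False),
    ]
    return [
        f"{user!r}/{password!r}: expected {expected}"
        for user, password, expected in probes
        if verify(user, password) is not expected
    ]

if __name__ == "__main__":
    for name, fn in [("fixed", verify_login), ("broken", broken_verify_login)]:
        problems = deploy_gate(fn)
        print(name, "PASS" if not problems else f"BLOCK DEPLOY: {problems}")
```

A test suite that only checks that the correct password works would pass both versions; the negative probes are what catch the "any password is accepted" class of regression.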
No, I'm sure this will get mis-categorized...
The people who want to use iCloud (or any other cloud service) will rationalize their use by "That kind of stuff happens to the other companies, not Apple (or whoever), and it won't happen to me"
Just like, people still think "Macs don't get viruses, that's a Windows problem"
Moreover, there's also a large group of people that just don't know about who's looking at their data in the cloud (or they don't care, or both)
If anything, this just poisons Drop Box's head start up to this point.
iOS lacks a real file system?
There are flaws in an apple product? Impossible.
RE: Did the DropBox security lapse poison the well for iCloud?
Dropbox (which I use and like) has been pretty successful. It has had less problems than the hard drives on my PC. Or the 15 broken hard drives I have accumulated from a bunch of Thinkpads over the years.
Yes, there was a problem. Yes, there will be more. Some will be serious. As a user of dropbox, if I want to have something REALLY secure, I'll encrypt it strongly before I send it there. It's called responsible computing. I play a part. I can't expect every frigging coder out there to do everything right 100% of the time. I code and I don't.
Dropbox's problems don't influence me one iota regarding iCloud. If I ever use iCloud, I'll assume it's vulnerable and act accordingly. If you don't you are an idiot and deserve to be violated, regardless of your platform choice.
Since it appears they fixed it almost instantly