I cannot imagine personal computing without a reliable, robust, full-featured sync solution. Over the past year or so, I’ve been using both Dropbox and Windows Live Mesh to keep my work files, pictures, Office settings, bookmarks, and other files in sync across multiple devices. I’ve used each service extensively, on the web, on every PC I own, and on the Mac that shares my desktop with a Windows PC.
Over the weekend, I deleted my Dropbox account and moved all my synchronization tasks to Windows Live Mesh and its companion service, Windows Live SkyDrive. To their credit, Dropbox makes the process simple and straightforward. On the Account Settings tab, look in the lower left corner for a Delete My Account link.
Click that link, enter your password, and you're done.
Why am I making this change? First and foremost, because a recent security failure at Dropbox makes me hesitant to trust the company. I first read about this problem in real time, when security researcher Christopher Soghoian posted details about a shocking lapse in Dropbox security that completely disabled the authentication system for an unknown period of time. For several hours, anyone could log into any Dropbox account using any password.
In a blog post, Dropbox CTO Arash Ferdowsi confirmed that the problem occurred and blamed it on “a code update … that introduced a bug affecting our authentication mechanism.”
Dropbox claims the outage lasted nearly four hours. A letter from the CEO to an affected customer confirms that user accounts were accessed during that outage:
Earlier this week, we wrote to tell you about a security lapse at Dropbox. Today I am writing to tell you something I never expected to tell a customer. During our forensic analysis, we discovered that an extremely small number of accounts, including yours, were subject to some suspicious activity.
Our investigation revealed that at around 11:25 PM UTC (Coordinated Universal Time) on June 19, 2011 someone logged into your account. It is likely that your account was compromised by a third party. According to our records, neither your account settings nor files were modified, but data was downloaded from your Dropbox account.
Ferdowsi acknowledged, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” An update to his blog post adds the detail that “fewer than a hundred” Dropbox users were affected.
It’s going to take more than just promises of “additional safeguards” to erase the doubt that a mistake like this inspires. At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.
If this were the first offense for Dropbox, I might be tempted to give them a break. But security researchers have pointed out other security bugs in Dropbox as well as problems with encryption and deduplication policies. And there have been ongoing problems with changes in the terms of service, including a dustup just this week. (For details, see 7 cloud services compared: How much control do you give up?)
I've seen mixed reactions from fellow Dropbox users. Some say they don't care, because they don't store any personal or confidential material there. Others are encrypting their files (an option I discuss on the next page). But a fair number have deleted their account, as I have.
If you're a Dropbox user, which option is right for you? Allow me to share my decision process. You might come to a different conclusion based on your needs and use case.
Page 2: Why I switched -->