I cannot imagine personal computing without a reliable, robust, full-featured sync solution. Over the past year or so, I’ve been using both Dropbox and Windows Live Mesh to keep my work files, pictures, Office settings, bookmarks, and other files in sync across multiple devices. I’ve used each service extensively, on the web, on every PC I own, and on the Mac that shares my desktop with a Windows PC.
Over the weekend, I deleted my Dropbox account and moved all my synchronization tasks to Windows Live Mesh and its companion service, Windows Live SkyDrive. To their credit, Dropbox makes the process simple and straightforward. On the Account Settings tab, look in the lower left corner for a Delete My Account link.
Click that link, enter your password, and you're done.
Why am I making this change? First and foremost, because a recent security failure at Dropbox makes me hesitant to trust the company. I first read about this problem in real time, when security researcher Christopher Soghoian posted details about a shocking lapse in Dropbox security that completely disabled the authentication system for an unknown period of time. For several hours, anyone could log into any Dropbox account using any password.
In a blog post, Dropbox CTO Arash Ferdowsi confirmed that the problem occurred and blamed it on “a code update … that introduced a bug affecting our authentication mechanism.”
Dropbox claims the outage lasted nearly four hours. A letter from the CEO to an affected customer confirms that user accounts were accessed during that outage:
Earlier this week, we wrote to tell you about a security lapse at Dropbox. Today I am writing to tell you something I never expected to tell a customer. During our forensic analysis, we discovered that an extremely small number of accounts, including yours, were subject to some suspicious activity.
Our investigation revealed that at around 11:25 PM UTC (Coordinated Universal Time) on June 19, 2011 someone logged into your account. It is likely that your account was compromised by a third party. According to our records, neither your account settings nor files were modified, but data was downloaded from your Dropbox account.
Ferdowsi acknowledged, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” An update to his blog post adds the detail that “fewer than a hundred” Dropbox users were affected.
It’s going to take more than just promises of “additional safeguards” to erase the doubt that a mistake like this inspires. At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.
If this were the first offense for Dropbox, I might be tempted to give them a break. But security researchers have pointed out other security bugs in Dropbox as well as problems with encryption and deduplication policies. And there have been ongoing problems with changes in the terms of service, including a dustup just this week. (For details, see 7 cloud services compared: How much control do you give up?)
I've seen mixed reactions from fellow Dropbox users. Some say they don't care, because they don't store any personal or confidential material there. Others are encrypting their files (an option I discuss on the next page). But a fair number have deleted their account, as I have.
If you're a Dropbox user, which option is right for you? Allow me to share my decision process. You might come to a different conclusion based on your needs and use case.
Page 2: Why I switched -->
<-- Previous page
If you plan to continue using Dropbox, I strongly recommend that you encrypt the contents of the Dropbox folder using a third-party utility like Truecrypt. This Dropbox wiki article provides step-by-step instructions and several cautions. Lifehacker has a more comprehensive set of instructions that includes other options as well.
So why didn't I choose this approach? Because, for me, it neutralizes Dropbox’s biggest advantage, its simplicity and ease of use. Adding an encryption layer turns the once-easy Dropbox into a complicated system.
Ultimately, I've come to the conclusion that scale matters in the cloud. Microsoft, Google, and Amazon have the experience and the engineering depth to get operational and security issues right. Startups and small players may be scrappy, but they get stretched thin. That's a dangerous combination that can lead to errors like the one Dropbox made.
My use case also has changed over time. Most of what I do involves syncing files between PCs and devices I own, so that I don't have to think about where a file is at any given time. I very rarely share a file that I can't easily send as a Dropbox attachment or via SkyDrive.
For larger-scale projects, Dropbox has had a mixed track record in my experience. Our editorial team used Dropbox when we were working on the latest edition of Windows 7 Inside Out earlier this year. Our production director was initially enthusiastic but soured over time when files sometimes took a full day to sync on connected workstations. After a few weeks of heavy use, they went back to an FTP-based system.
Besides, based on my year’s experience with both products, I prefer Windows Live Mesh, which does every synchronization task I previously used Dropbox for. In fact, it has several significant advantages over Dropbox:
- You can sync multiple folders on multiple local drives. Dropbox allows you to sync a single folder (called Dropbox by default) with an advanced option to choose subfolders within that folder. I use Windows Live Mesh to sync files stored in a multitude of folders, some in the Documents folder, others on a separate hard drive. And I can choose a different destination for the synced files on different PCs.
- Windows Live Mesh offers more free storage. The space available in the free SkyDrive Synced Storage location is 5GB; Dropbox only offers 2GB for free. SkyDrive also offers 25GB of space that’s accessible through the web interface but not through Windows Live Mesh. Dropbox has a slight edge if you’re willing to pay for more storage, but the 5GB Windows Live Mesh limit is much less of a problem when you realize…
- You can use Windows Live Mesh to sync between PCs without using the cloud. With Dropbox, everything you sync goes in your web-based storage locker. With Windows Live Mesh, SkyDrive Synced Storage is an option for any synced folder. If you leave it unselected, you can use your local network to sync the contents of a folder between two (or more) PCs or Macs, without ever taking a trip to the cloud. You can sync up to 200 folders, each up to 50 GB in size and containing up to 100,000 files, and because their contents are never stored in the cloud, you eliminate the risk of disclosing confidential information if your account is hacked.
I know there are other synchronization solutions out there. I use Amazon Web Services for backup, and I have accounts with both Box.net and SugarSync that I might dust off for my next book project. I’ve heard good things about SpiderOak and am testing their service as well. But for my needs, Windows Live Mesh is more than good enough.