ArsTechnica as well as many other sites are reporting that 7 million older Dropbox accounts have been leaked, and posted online.
Dropbox says these were leaked by "other services" (third parties that Dropbox users have authorized to use their Dropbox account).
So far, no word on what that "other service" may have been.
Dropbox is aware of what was posted, and has expired all of the passwords on these accounts.
This points out once again the risks of signing up for a secure cloud account and then authorizing other applications to use that account such as for backup or upload of images.
Dropbox relies heavily on SSL to protect data in transit; it does not encrypt data in your computer or device before sending it. This is just ONE of the reasons why Edward Snowden said just days ago to get rid of Dropbox.
There are reports of yet another SSL flaw about to be revealed.
Update: Here is a blog summary and full report (pdf) of the vulnerability. In essence, an attacker can perform a man-in-the-middle attack on the network connection and force a TLS connection to downgrade to SSL 3.0 — "an obsolete and insecure protocol." See also: CVE-2014-3566.
(Score: 4, Interesting) by Nerdfest on Wednesday October 15 2014, @11:12AM
Didn't they hire Condoleezza Rice as well, who has some very authoritarian views on privacy? Use SpiderOak, or one of the other options where you control the encryption key, or better yet, host your own data.
(Score: 2, Interesting) by mtrycz on Wednesday October 15 2014, @12:21PM
Why not Owncloud on a Raspberry with a dynamic dns service?
In capitalist America, ads view YOU!
(Score: 3, Informative) by Nerdfest on Wednesday October 15 2014, @12:28PM
That would be covered by "host your own data".
(Score: 2) by Nerdfest on Wednesday October 15 2014, @01:20PM
No need to mod the dude down, this is a valid specific self-hosting implementation.
(Score: 3, Interesting) by arashi no garou on Wednesday October 15 2014, @01:26PM
I've tried it, and it technically works but it's painfully slow. Even on a dedicated x86-64 server, Owncloud's interface is slow and tends to hang on file transfers involving multiple small files. On the Raspberry Pi though, it's slow to the point of uselessness if you try to use the web UI. For calendar and contact syncing, it seems to work fairly well. The Android app also has bugs, but nothing show-stopping that I've found.
Basically, for me at least, it's just not quite good enough to replace Dropbox. Since I don't keep anything illegal, incriminating, or all that private in Dropbox (unless my family recipes for chili and roast beef are valuable intel), I don't worry too much about government snooping. It bugs me that they would do it with impunity, but I don't have any secrets in there. But that's just me; I definitely recognize that Dropbox's vulnerabilities are an issue for anyone keeping more than basic unimportant stuff in there. For those people I'd recommend SpiderOak or something else with end to end encryption.
All that said, I'm definitely looking forward to the day that Owncloud's major issues are dealt with and it becomes a viable contender for private cloud storage. I'll switch to it in a heartbeat, if nothing else just so I can say that my data is wholly owned by me.
(Score: 3, Informative) by zeigerpuppy on Wednesday October 15 2014, @01:56PM
Owncloud has great core functionality but does take some tweaking to get performing well. There are some issues with chunked transfers that can be partly remedied by serving owncloud on nginx rather than apache. You can always roll your own WebDAV implementation (owncloud uses sabreDAV).
Overall I've been happy with owncloud's desktop client sync, easy sharing and versioning system but for some jobs a git repository is even better. Sure there's bugs but it's overall a pretty robust system.
For extra security encfs is great to layer on top of your favorite WebDAV implementation.
(Score: 2) by chromas on Wednesday October 15 2014, @02:39PM
Don't underestimate the power of a good chili. And roast beef? Well, surely you heard about the little piggy who had none.
(Score: 2) by hemocyanin on Wednesday October 15 2014, @02:48PM
You have no idea what will be illegal in the future and as unrealistic as it sounds, you might find yourself on the wrong end of any number of laws. I don't eat mammals for ethical reasons. Would I make your kind of chili a crime and go ex post facto on you? Maybe. The thing is, you don't have a crystal ball and you have absolutely no idea what data you store will get you in trouble.
(Score: 2) by arashi no garou on Wednesday October 15 2014, @04:41PM
The thing is, you don't have a crystal ball and you have absolutely no idea what data you store will get you in trouble.
I never claimed to, and as I said in my post, I recognize that my needs are not everyone's needs. I'm still looking for the perfect (or near enough) solution, just like everyone else, I'm simply not so concerned about my data content that I've given up on Dropbox entirely yet. I'll continue to weigh the risks vs the benefits, and when the scale starts to tip I'll jump ship for good.
You have no idea what will be illegal in the future and as unrealistic as it sounds, you might find yourself on the wrong end of any number of laws.
If you've read any of my other posts here or on other sites like HN, you'd know that I agree 100% with that statement. I'm not sure how you inferred that I don't.
(Score: 2) by hemocyanin on Wednesday October 15 2014, @05:07PM
This is the part of your post that prompted mine. While the chances are low that your recipes will get you in trouble, those chances are not zero and those recipes might be a perfectly innocuous piece of data that might lead to some other huge problem. People discount the value of their personal information. Turning to government snooping, if the information _is_ so innocuous, why are they so hell bent on shredding the constitution and spending billions to get it? Because little pieces of data of perfectly legal things that you would not be embarrassed to have leaked individually, when aggregated, end up telling a lot about you -- stuff that could ruin your life.
I'm not trying to be snide with you ... if you are as you said in agreement, then I think you aren't acting paranoid enough. That's all.
(Score: 0) by Anonymous Coward on Wednesday October 15 2014, @07:42PM
The really shitty thing about all this is that you simply don't know what might end up being used against you. It is all open-ended in the favor of the attackers (be they government-gone-wild or hackers or yet another internet startup grown large on the fat of Big Data commercialization). Us normal people are busy living our lives while the enemy is spending millions of dollars trying to figure out how to make use of your data in 'innovative' ways that never have your best interests in mind. We are simply outmatched in even understanding the risks we face. It is enough to make a thinking person into a digital hermit.
(Score: 2) by arashi no garou on Wednesday October 15 2014, @11:09PM
Oh I get it...it's the metadata that they want. Again, I don't disagree with you, I just felt that you hijacked my comment to prove a point that I never contested in the first place. As I said, I'm always weighing alternative services.
Besides, if data security and hiding information from the government, no matter how seemingly innocuous, was a priority, I wouldn't be using *any* online services, nor cellphones, nor even leave the house for fear of being tracked. There's knowing they are watching, and there's letting yourself become paralyzed by the fear of it. I choose to not live in fear.
(Score: 2) by frojack on Wednesday October 15 2014, @08:26PM
family recipes for chili and roast beef are valuable intel
Is that one dish or two?
/Licks lips....
No, you are mistaken. I've always had this sig.
(Score: 2) by frojack on Wednesday October 15 2014, @08:48PM
It's not the Raspberry's fault that it is slow, it's just that Owncloud is poorly written bulkware.
I gave up on it.
With ssh and sftp it's lightning fast, and things like ES File Explorer on Android can access it very quickly.
(Score: 2) by arashi no garou on Wednesday October 15 2014, @10:59PM
Yes, as I said even on a modern x86-64 system Owncloud is fairly slow. When you combine that with the RPi's already limited resources, it gets really ugly. The RPi is a wonderful device that is useful for many projects (I use it for a homebrew Roku-like player for the TV, a cheap low power home file server, and I have one that is strictly for testing new projects on) but software that is already inefficient can reveal the limitations of the hardware platform.
(Score: 3, Informative) by WizardFusion on Wednesday October 15 2014, @11:45AM
Now, although there *are* loads of alternatives to Dropbox (SpiderOak, for example), when it comes to synchronising your data inside applications (1Password, Titanium Backup), they all use Dropbox.
I would love to host my own data, I already do this for contacts and calendar (owncloud), but syncing data from android apps is impossible for me without it.
As a side to this, always make sure you are using 2-factor authentication when it's provided. I use this on all my accounts when I can.
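The second factor the post above recommends is, in most services, a TOTP code (RFC 6238): a six-digit value derived from a shared secret and the current 30-second step, so a leaked password on its own does not log anyone in. The following is an added example, not code from the thread or from Dropbox, of a server-side verifier using only the Python standard library; the secret is the RFC 4226/6238 test key, and the replay check (`last_used`) is the part a practitioner most often forgets.

```python
"""TOTP verification (RFC 6238) with clock-skew tolerance and replay protection.

Added example; the secret below is the public RFC 4226/6238 test vector key,
not a real credential.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for an 8-byte big-endian counter,
    using the RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_used: int = -1,
                step: int = 30, skew: int = 1):
    """Return the counter the code matched, or None.

    Accepts the current step and +/- `skew` neighbouring steps to tolerate
    clock drift, but never a counter <= last_used: a code observed in
    transit or on a compromised client cannot be replayed. The caller must
    persist the returned counter as the new last_used value. Comparison is
    constant-time so partial matches do not leak through timing."""
    counter = at // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate > last_used and hmac.compare_digest(
                hotp(secret, candidate), code):
            return candidate
    return None
```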
(Score: 2) by hemocyanin on Wednesday October 15 2014, @03:07PM
https://play.google.com/store/apps/details?id=eu.kowalczuk.rsync4android&hl=en [google.com]
I've never tried that app but it does say you should understand rsync over ssh, and rsync over ssh is a classic way to do cloud backup dating from before there were clouds. I've used rsync over ssh in the past though currently I find it more convenient to use tar, ncrypt, and scp in a cron job. Anyway, there are myriad tutorials on secure rsync over ssh: https://duckduckgo.com/?q=rsync%20over%20ssh [duckduckgo.com]
(Score: 2) by frojack on Wednesday October 15 2014, @08:36PM
(1Password, Titanium Backup), they all use Dropbox.
Add mSecure to that list.
Hopefully all of these wallets that sync to Dropbox know enough to encrypt before syncing to Dropbox, because not only does Dropbox rely on SSL, but they also will hand over your files with nothing but an NSA letter. That's why mSecure heavily encrypts the file on your device before it sends the encrypted file to Dropbox.
Plus one for 2-Factor. (Although the Apple version is useless).
I'm willing to bet that these leaked account names and passwords were extracted from the same iCloud penetration that was used to publish all the celebrity nude photos. Anything that backs up your phone's setting might include this information.
(Score: 4, Informative) by MrGuy on Wednesday October 15 2014, @02:06PM
OK, I'm used to commenters hijacking stories for off-topic conversations. But editors?
There's a story about DropBox passwords possibly being compromised. There is NO INDICATION that the mechanism there was an SSL flaw or attack (in fact, as I read TFA and other articles, the mechanism was 3rd party services storing credentials insecurely).
Meanwhile, there's a story floating around (that is getting more resolution all the time) that there's a potential flaw in SSL implementations.
These are two important stories. But they are almost completely unrelated. The only remote tie between them is that DropBox (like almost everything else on the internet) uses SSL.
(Score: 1) by dwmoody on Wednesday October 15 2014, @05:17PM
After some research, I have to agree with you 100%. The best explanation of this "breach" that I have found is that some other site (not Dropbox) got hacked and now the hacker is trying to log in to Dropbox using the account details they stole from the other site. This was partially successful since some people are still using the same password for all of their accounts, but this also made it easy for Dropbox to detect and they expired the passwords on the accounts that were affected.
I'm sure all Soylentils use a password manager, and if you're even halfway concerned about security, I'm sure you also have Dropbox's 2-factor authentication turned on, so we should have nothing to worry about here. This story should be one we can use to help transition friends and relatives to using a password manager, not one in which we bash Dropbox.
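The pattern dwmoody describes, a stolen credential list replayed against another service, is detectable because it looks nothing like a legitimate user: one source tries many distinct accounts once each in a short window, mostly failing, with the occasional success where a password was reused. The following is an added example (not Dropbox's detection logic) that runs that heuristic over constructed sample authentication log lines and returns the accounts whose passwords the service would want to expire.

```python
"""Flag credential-stuffing runs in authentication logs.

Added example over constructed sample data; format is
"<ISO timestamp> <source IP> <account> <OK|FAIL>", one event per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation-range IPs, example.com accounts):
# 198.51.100.7 replays a stolen list: six accounts in four seconds, two of
# them succeed because those users reused their password elsewhere.
# 203.0.113.9 is an ordinary user mistyping, then getting, their own password.
SAMPLE_LOG = """\
2014-10-13T22:01:05 198.51.100.7 alice@example.com FAIL
2014-10-13T22:01:06 198.51.100.7 bob@example.com FAIL
2014-10-13T22:01:06 198.51.100.7 carol@example.com OK
2014-10-13T22:01:07 198.51.100.7 dave@example.com FAIL
2014-10-13T22:01:08 198.51.100.7 erin@example.com FAIL
2014-10-13T22:01:09 198.51.100.7 frank@example.com OK
2014-10-13T22:03:00 203.0.113.9 alice@example.com FAIL
2014-10-13T22:03:30 203.0.113.9 alice@example.com OK
"""


def parse_event(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, user, result


def find_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: summary} for sources that touch >= min_users distinct
    accounts within `window`. A user who forgot a password retries ONE
    account; a replayed dump walks through many accounts once each.
    `compromised` lists accounts where the stolen password worked, i.e.
    the ones whose passwords should be expired and owners notified."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_event(line)
            events[ip].append((ts, user, result))
    suspicious = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                suspicious[ip] = {
                    "users": len(users),
                    "failures": sum(1 for _, _, r in in_win if r == "FAIL"),
                    "compromised": sorted(u for _, u, r in in_win if r == "OK"),
                }
                break
    return suspicious
```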
(Score: 2) by frojack on Wednesday October 15 2014, @08:57PM
In the editor's defense, I opened the door to the SSL issue in my original submission, because it was mentioned in the article about Snowden.
I included a link about the current SSL problem, because I couldn't be sure that Leebert's submission [soylentnews.org] would make it out of the queue when I posted my story. I would have just included a link to Leeber's post but I didn't know if it was safe to link to a pending submission.
(Score: 3, Insightful) by Alfred on Wednesday October 15 2014, @02:17PM
Most people don't have really secret files, or not many anyhow. We should teach people to actively seek to reduce the attack surface covering their actually important files. And teach them to accept the idea that "oh, that will happen eventually" in terms of security.
(Score: 2) by hemocyanin on Wednesday October 15 2014, @03:23PM
Remote data storage is, however, a good idea with respect to backups because no amount of diligent local backing up will protect your data from fire or flood. The thing is, backups should be encrypted locally before being fired off to some remote location, which makes it harder (though not impossible) to use the offsite data as a means of keeping different devices in sync, and there is probably no easy way to do this with a phone. Of course, you can _try_ to evaluate which data is sensitive, and then use a syncing tool for that, but I would think it is actually very difficult to accurately gauge exactly how sensitive your data is. People get in trouble more often than you might think when one piece of seemingly innocuous random data leads to something not so innocuous.
(Score: 2) by Alfred on Wednesday October 15 2014, @04:01PM
Business and personal backups are very different. Business backups are primarily hindered by managers and accountants and not by lack of wisdom. With personal backups I haven't found an effective way to teach people that their tax returns and home movies are more important than their iTunes library.
(Score: 2) by Tork on Thursday October 16 2014, @02:57AM
The thing is, backups should be encrypted locally before being fired off to some remote location which makes it harder...
I *almost* agree... but I've become addicted to a feature of Dropbox that makes me question this line of approach. I have PDF files of documentation for scripting in various applications that I use. The DropBox viewer on iOS natively views those files, I can just whip out my phone and view that document right away. That is something I use quite a bit. If my account got hacked... big deal! Not all useful data is private and secret. If somebody gets into my account and gets my MP3s I purchased from Amazon? BFD!
I'm not sure how an encrypted-at-take-off app would be able to do that, without keeping the keys on my phone anyway.
People get in trouble more often than you might think when one piece of seemingly innocuous random data leads to something not so innocuous.
Ugh, I do agree with this. I cannot wait until we get a TrueCrypt replacement that is verified and trustworthy.
🏳️🌈 Proud Ally 🏳️🌈
(Score: 0) by Anonymous Coward on Wednesday October 15 2014, @02:46PM
At least it is finally one breach where I don't have to change my password... again. Since I never got around to using them.
(Score: 3, Informative) by zafiro17 on Wednesday October 15 2014, @04:29PM
I've been looking into alternatives. Here is what I've found as competition to dropbox:
Spideroak: $10/month for 100g
Rsync.net: $10/month for 50g
tarsnap: depends on your usage; works great on BSD, fully encrypted like Spideroak
strongspace.com: works well with rsync
cyphertite: $10/month unlimited with encryption
This market is evolving quickly. Spideroak has always caught my fancy since the day I discovered it in the opensuse repos. They give you 2G free for life as an enticement, and I've been able to make pretty good use of those gigs. But they've been more expensive than the competition. I see now their prices are coming down.
Tarsnap was written by a serious BSD guy - the code is totally opensource and it's well-regarded and apparently not that expensive. I went with rsync.net for a project because I was so impressed by their approach to customer service - pick up the phone and you're talking to an engineer, no lower-level tech support, etc. But admittedly they're a bit more expensive.
There was another one out there called www.rsyncit.com that should be used in any VC funding course on how not to run a start-up: weird reseller docs, confusing-as-all-get-out start up info. I used it for 20 minutes before deciding it was worth losing my $5 and quit on the spot.
Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
(Score: 2) by computersareevil on Wednesday October 15 2014, @04:30PM
I've said it before: If you're going to use cloud storage, make sure it uses client-side encryption. Then they don't have your password so it can't be compromised by the service of so-called "3rd parties".
The best I know of (and use) is Wuala.com. I have no financial interest in them, just find them to be the best for me.