[Micronet] Dropbox


[Micronet] Dropbox

Ann Geyer
A few postings ago there were some questions about Dropbox and restricted data.  I wanted to follow up with some comments.  Although I have not done an in-depth analysis of this product, I polled my counterparts at several large universities and have learned that there are some definite issues with the Dropbox solution for restricted data.  For example:

    * The files are not encrypted
    * No control over downstream sharing of dropbox access.  A adds B who adds C etc.
    * Metadata may go in the clear: http://www.lifehacker.com.au/2011/03/dropbox-mobile-apps-are-less-secure-than-the-desktop-utility/
    * The desktop client sets up a listening service which opens up the possibility of an exploit
    * No support for enterprise licensing.  Agreement is directly with the user.

_____________________________________________

Ann Geyer, Esq.
Chief Privacy & Security Officer 
University of California, Berkeley
510-847-1579

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Dropbox

Tom Salinaro
The files are encrypted in transmission and on the server. See dropbox.com/features.
Regarding the downstream sharing, I would agree that that is a problem.


On 3/16/2011 5:45 PM, Ann Geyer wrote:
A few postings ago there were some questions about Dropbox and restricted data.  I wanted to follow up with some comments.  Although I have not done an in-depth analysis of this product, I polled my counterparts at several large universities and have learned that there are some definite issues with the Dropbox solution for restricted data.  For example:

    * The files are not encrypted
    * No control over downstream sharing of dropbox access.  A adds B who adds C etc.
    * Metadata may go in the clear: http://www.lifehacker.com.au/2011/03/dropbox-mobile-apps-are-less-secure-than-the-desktop-utility/
    * The desktop client sets up a listening service which opens up the possibility of an exploit
    * No support for enterprise licensing.  Agreement is directly with the user.

_____________________________________________

Ann Geyer, Esq.
Chief Privacy & Security Officer 
University of California, Berkeley
510-847-1579

-- 
Tom Salinaro
UC Berkeley
Physical Education Program
200 Hearst Gym

 

Re: [Micronet] Dropbox

Bill Clark
Here's another interesting article on dropbox security, including an
example of a JavaScript exploit:

http://www.ethicalhack3r.co.uk/security/dropbox-security/

From what I've read, it seems as though dropbox is adequately secure -- as
long as the user doesn't do anything to compromise the security.  So the
standard reminders should apply about using strong passwords, making sure
not to put anything sensitive in public folders, be on the lookout for
phishing attacks, etc.  The fact that dropbox is a well-known (and thus
presumably highly targeted) application means that a weak password or
improper use of a public folder on dropbox is far more serious than it
would be on (say) a network drive in the office, but that's not really an
argument against the technology itself.

-Bill Clark
Systems Unit
Graduate Division


Re: [Micronet] Dropbox

Adam Carlson-2
I think that in reality, users who rely on Dropbox encryption are relying on Dropbox security to protect the AES key and their data.  I have not been able to find any official explanation of their encryption scheme but the current understanding in the security community is that Dropbox controls the AES key and that your data isn't encrypted with AES until it hits their servers.  This is not the ideal situation and much different than when you encrypt something client-side with your own key and then upload it.  This means that users are relying on Dropbox security to prevent attackers from getting access to that key and accessing their data.

This is very similar to an https web application using a database on an encrypted disk.  Sure, the data is secure in transit (due to SSL) and at rest (due to the disk-based encryption), but the reality is the most likely attack in today's world would be an SQL injection attack or some other attack on the web application itself.  The web application must be authorized to read the database, so the fact that the database is encrypted doesn't matter because the web application has the key.

The important thing to know about encryption is that you are only as secure as the key, and with dropbox your key is only as secure as their security controls (which have not been vetted or explained in any real way).  If their web application has a vulnerability, there is a chance that an attacker could read your data.  If an employee goes rogue or gets socially engineered, there is a chance that an attacker could read your data.  They make claims that employees cannot get your key, but they don't explain what controls are in place to ensure that.  Quite frankly I don't believe them because ultimately there has to be someone  with administrator access to the system storing/processing keys and that person would have access.  

If you are using dropbox to mount a Truecrypt volume, that would be a different story as you really would be in control of that key and Dropbox would never know it.  However, relying on the default dropbox encryption is not sufficient in my opinion for any data considered sensitive.  



--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: [hidden email]

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis


 

Re: [Micronet] Dropbox

Jonathan Felder
A good general rule of thumb is to not leave encryption up to someone
else.  If the data is sensitive, encrypt it yourself using a well vetted
known method before handing it to any intermediary.

On 3/17/2011 10:21 AM, Adam Carlson wrote:

> I think that in reality, users who rely on Dropbox encryption are relying on Dropbox security to protect the AES key and their data.  I have not been able to find any official explanation of their encryption scheme but the current understanding in the security community is that Dropbox controls the AES key and that your data isn't encrypted with AES until it hits their servers.  This is not the ideal situation and much different than when you encrypt something client-side with your own key and then upload it.  This means that users are relying on Dropbox security to prevent attackers from getting access to that key and accessing their data.
>
> This is very similar to an https web application using a database on an encrypted disk.  Sure, the data is secure in transit (due to SSL) and at rest (due to the disk-based encryption), but the reality is the most likely attack in today's world would be an SQL injection attack or some other attack on the web application itself.  The web application must be authorized to read the database, so the fact that the database is encrypted doesn't matter because the web application has the key.
>
> The important thing to know about encryption is that you are only as secure as the key, and with dropbox your key is only as secure as their security controls (which have not been vetted or explained in any real way).  If their web application has a vulnerability, there is a chance that an attacker could read your data.  If an employee goes rogue or gets socially engineered, there is a chance that an attacker could read your data.  They make claims that employees cannot get your key, but they don't explain what controls are in place to ensure that.  Quite frankly I don't believe them because ultimately there has to be someone  with administrator access to the system storing/processing keys and that person would have access.
>
> If you are using dropbox to mount a Truecrypt volume, that would be a different story as you really would be in control of that key and Dropbox would never know it.  However, relying on the default dropbox encryption is not sufficient in my opinion for any data considered sensitive.

Re: [Micronet] Dropbox

Adam Carlson-2
In reply to this post by Adam Carlson-2
I will also add that the lack of good encryption key management is the same reason that an encrypted iPhone is absolutely less secure than an encrypted Blackberry.  I feel like Apple's "encryption" was meant to address a literal interpretation of the privacy laws like SB1386 but not the real intent of actually protecting the data.  This is because as of the 3GS, Apple encrypts the data but then permanently stores the encryption key on the phone itself.  If there is any type of vulnerability in the operating system that an attacker could exploit with physical control of the iPhone, then your key can be exposed and your data recovered.  Think of encrypting tape backups but then attaching the password to the tapes as they are sent off-site: sure, the data is encrypted, but whoever gets control of the tapes will also have control of the key.

The power of encryption is that when done well, only the people with authorized access to data have the key so only authorized users can recover the data.  When companies like Apple or Dropbox start storing the keys in places that users can't necessarily control or protect, suddenly that absolute control is lost.  

We need to start pushing back on vendors who try to fool us into thinking that encryption=security when in reality encryption is a tool that can be used well or badly.  It almost always adds some security but the way in which vendors are marketing it now is clearly meant to fool people into believing their data is really secure.  Apple pushed mobile security back significantly by getting away with their faux encryption.  Now no vendor is going to feel the need to actually do things well and Blackberry is losing market share even in those industries where security should be a major concern.

Bruce Schneier's blog entry on how the fact that security is an asymmetric market causes inferior products to succeed is a great read for any who haven't seen it before:

http://www.schneier.com/blog/archives/2007/04/a_security_mark.html


--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: [hidden email]

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis


 

Re: [Micronet] Dropbox

Kevin Burney
In reply to this post by Adam Carlson-2
Again I would like to reiterate that Dropbox works very well for hosting
TrueCrypt files.  It is the only cloud storage system that I have found so
far that does bit level updates to your data.  It is because of this that
Dropbox works so well with large TrueCrypt data files.  On most systems the
entire TrueCrypt file must be uploaded and replaced every time you dismount
the volume.  If you have a large (1GB or larger) TrueCrypt file the time to
upload can be considerable.  With Dropbox paired with TrueCrypt I have a
20GB data file and it will update the online copy in less than 5 minutes and
my 1GB data file updates within a minute.  These times are both measured by
mounting the volume, copying a 1 kb file to the volume, dismounting and then
the automatic synchronization of the file up to the cloud.  The times I have
been experiencing from a campus computer are 15-20 minutes per GB to upload
to Dropbox initially so the original 20GB file took a few hours.  There
seems to be a fair amount of overhead associated with the 20GB file that is
not as apparent when using the 1GB file.  Theoretically copying the 1kb file
to either of the TrueCrypt volumes should be about the same time to sync but
the larger file (20GB) takes a considerably longer amount of time to sync
vs. the smaller file (1GB).  I think that it creates an index of the entire
file which it uses to perform the bit level sync so the larger the volume
the longer to sync regardless of the actual data added to the volume.  For
me the 1GB size is the best balance between volume size and time to perform
the sync.  Another big advantage to using Dropbox is that they allow you to
create large data files (i.e. 20GB).  Most of the other cloud storage
systems have very tiny limits on their file sizes (MS Skydrive is 25MB per
file).

Also, using Dropbox in this manner, data is never transported or stored
unencrypted.

Additionally, you can store any type of data file, when most of the online
storage systems restrict certain data types from being saved (i.e. zips /
mdb / dbf / pst).

Plus it works equally well when accessing the TrueCrypt data from both
Windows or Macs.

-Kevin

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Adam Carlson
Sent: Thursday, March 17, 2011 10:22 AM
To: Bill Clark
Cc: [hidden email]
Subject: Re: [Micronet] Dropbox

I think that in reality, users who rely on Dropbox encryption are relying on
Dropbox security to protect the AES key and their data.  I have not been
able to find any official explanation of their encryption scheme but the
current understanding in the security community is that Dropbox controls the
AES key and that your data isn't encrypted with AES until it hits their
servers.  This is not the ideal situation and much different than when you
encrypt something client-side with your own key and then upload it.  This
means that users are relying on Dropbox security to prevent attackers from
getting access to that key and accessing their data.

This is very similar to an https web application using a database on an
encrypted disk.  Sure the data is secure in transit (due to SSL) and at rest
(due to the disk-based encryption), but the reality is the most likely
attack in today's world would be an SQL injection attack or some other attack
on the web application itself.  The web application must be authorized to
read the database, so the fact that the database is encrypted doesn't matter
because the web application has the key.

The important thing to know about encryption is that you are only as secure
as the key, and with dropbox your key is only as secure as their security
controls (which have not been vetted or explained in any real way).  If
their web application has a vulnerability, there is a chance that an
attacker could read your data.  If an employee goes rogue or gets socially
engineered, there is a chance that an attacker could read your data.  They
make claims that employees cannot get your key, but they don't explain what
controls are in place to ensure that.  Quite frankly I don't believe them
because ultimately there has to be someone  with administrator access to the
system storing/processing keys and that person would have access.  

If you are using dropbox to mount a Truecrypt volume, that would be a
different story as you really would be in control of that key and Dropbox
would never know it.  However, relying on the default dropbox encryption is
not sufficient in my opinion for any data considered sensitive.  


Bill Clark wrote:

> Here's another interesting article on dropbox security, including an
> example of a JavaScript exploit:
>
> http://www.ethicalhack3r.co.uk/security/dropbox-security/
>
> From what I've read, it seems as though dropbox is adequately secure -- as
> long as the user doesn't do anything to compromise the security.  So
> the standard reminders should apply about using strong passwords,
> making sure not to put anything sensitive in public folders, be on the
> lookout for phishing attacks, etc.  The fact that dropbox is a
> well-known (and thus presumably highly targeted) application means
> that a weak password or improper use of a public folder on dropbox is
> far more serious than it would be on (say) a network drive in the
> office, but that's not really an argument against the technology itself.
>
> -Bill Clark
> Systems Unit
> Graduate Division
>
>> The files are encrypted in transmission and on the server. See
>> dropbox.com/features.
>> Regarding the downstream sharing, I would agree that that is a problem.
>>
>>
>> On 3/16/2011 5:45 PM, Ann Geyer wrote:
>>> A few postings ago there were some questions about Dropbox and
>>> restricted data.  I wanted to follow up with some comments.  
>>> Although I have not done an in-depth analysis of this product, I
>>> polled my counterparts at several large universities and have
>>> learned that there are some definite issues with the Dropbox
>>> solution for restricted data.  For example:
>>>
>>>     * The files are not encrypted
>>>     * No control over downstream sharing of dropbox access.  A adds
>>> B who adds C etc.
>>>     *  Metadata may go in the clears: http://www.lifehacker.com.au/2011/03/dropbox-mobile-apps-are-less-secure-than-the-desktop-utility/
>>>     * The desktop client sets up a listening service which opens up
>>> the possibility of an exploit
>>>     * No support for enterprise licensing.  Agreement is directly
>>> with the user.
>>>
>>> _____________________________________________
>>>
>>> Ann Geyer, Esq.
>>> Chief Privacy & Security Officer
>>> University of California, Berkeley
>>> 510-847-1579

>> --
>> Tom Salinaro
>> UC Berkeley
>> Physical Education Program
>> 200 Hearst Gym

--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: [hidden email]

"Most of the things worth doing in the world had been declared impossible
before they were done." ~Louis D. Brandeis
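
A simplified model of the block-level sync described in Kevin Burney's message at the top of this post, added here as an example; it is not Dropbox's or TrueCrypt's code. The 64 KiB block size, the SHA-256 index and all function names are assumptions, and the containers are constructed pseudo-random bytes standing in for ciphertext. It shows the indexing pass growing with container size while the upload depends only on the blocks a write touches.

```python
import hashlib

BLOCK = 64 * 1024  # assumed sync block size, kept small so the demo runs fast


def build_index(data, block=BLOCK):
    """Hash every block of the file; this pass reads the whole container."""
    return [hashlib.sha256(data[o:o + block]).digest()
            for o in range(0, len(data), block)]


def sync_plan(old, new, block=BLOCK):
    """Compare block indexes and report what a delta sync would upload."""
    old_idx, new_idx = build_index(old, block), build_index(new, block)
    changed = [i for i, h in enumerate(new_idx)
               if i >= len(old_idx) or old_idx[i] != h]
    uploaded = sum(len(new[i * block:(i + 1) * block]) for i in changed)
    return {"blocks_hashed": len(new_idx), "changed": changed,
            "bytes_uploaded": uploaded, "bytes_total": len(new)}


def write_at(container, offset, payload):
    """Overwrite bytes inside a fixed-size container, as a mounted volume would."""
    if offset + len(payload) > len(container):
        raise ValueError("write past end of fixed-size container")
    return container[:offset] + payload + container[offset + len(payload):]


def make_container(size, label):
    """Constructed stand-in for ciphertext: deterministic pseudo-random bytes."""
    return hashlib.shake_256(label).digest(size)


def demo():
    small = make_container(16 * BLOCK, b"constructed-small")  # 1 MiB
    large = make_container(64 * BLOCK, b"constructed-large")  # 4 MiB
    note = make_container(1024, b"constructed-1kb-file")
    return {
        "small": sync_plan(small, write_at(small, 5 * BLOCK + 100, note)),
        "large": sync_plan(large, write_at(large, 5 * BLOCK + 100, note)),
        # Edge case: the same 1 KB write across a block boundary dirties two blocks.
        "straddle": sync_plan(small, write_at(small, 3 * BLOCK - 512, note)),
    }


if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, plan)
```

A real mounted volume also rewrites filesystem metadata inside the container when a file is added, so more than one block would normally change.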


 