Geek Life....

photography, programming, site design, networking, computers, linux, windows, mac os x, application reviews...

May 14

Why the FTC needs to raise the bar on its hiring standards.


Wired recently published an article on a new FTC complaint filed by Christopher Soghoian.  Soghoian holds a PhD and was the first real cyber-ninja to be employed by the FTC’s Division of Privacy and Identity Protection.  That being said, it discourages me that the information presented was at such a low level of expertise.

After reading through the Wired article and following the link to Soghoian’s blog post, I’ve come to only one surprising conclusion.  It takes a few years and a PhD to figure out that Dropbox isn’t secure???

Over two years ago I spent 5 minutes evaluating Dropbox as a solution to a small client’s backup problem.  I had quickly knocked Dropbox off the list due to two defining facts.

1) Dropbox is not pro grade for business.  It’s consumer-grade, targeted at the same user base who upload drunk photos of themselves to Facebook and then cry about privacy.  There are plenty of other services that offer business-grade service (e.g. Jungledisk).

2) Dropbox’s ‘share’ feature meant that the company’s claim of being secure had to be completely false.  If Dropbox has the ability to grant a completely unrelated user access to my files, then Dropbox obviously holds the encryption keys.

No PhD, no affiliation with a national commission.  This isn’t rocket science.  I don’t like the fact that Dropbox isn’t holding true to its claims, but if you’re going to fight them over it, please do a little better than flashing your badge and offering zero data to support your findings.

Soghoian’s claim seems to revolve around one interesting fact.  Fellow FTC cyber warrior Ashkan Soltani “was able to verify” that uploading the same file to two accounts results in the second copy taking considerably less bandwidth and time to upload.  He states that it took only a few minutes with a packet sniffer to determine that a 6.4MB file used only 16k of network traffic to upload to the second account after being uploaded to the first.

Why was a packet sniffer used?  Why wouldn’t you simply upload a 10MB file (a round number) and see whether the second upload completes almost instantly?  This is rather unscientific, but the test takes only a couple of minutes and will easily confirm the theory right then and there.  What was in the 16k of traffic?  A scientific mind would want to know.  Why was it a 6.4MB file?  Sounds like it was a file just sitting on the desktop and thrown into a ‘scientific’ test environment in which zero controls were put in place.  Where is the data that was collected?  If you go all out and test with a packet sniffer, you could at least present the captured data without any filters applied.  That way we can draw our own conclusions.

With Soghoian’s level of expertise, then, it’s no surprise that he suggests that law enforcement or copyright ‘trolls’ could upload sample files and, based on the short upload time, determine whether someone on Dropbox has the files.  It does not occur to him that, nice idea though it is, it is negated by simply adding to or modifying any part of a file, or that several variations of each file are available across various areas of the Interwebs.  Law enforcement or copyright ‘trolls’ (I hate that term) only require filenames and a court order to have Dropbox hand over a list of users with the file.

Perhaps one of the worst parts of Soghoian’s blog post is where he states that, “Dropbox is likely calculating hashes of users’ files before they are transmitted to the company’s servers.”

If you are making an assumption and stating that something is ‘likely’ to be the case, it would be nice to at least verify your claim.  A simple test of this theory would be to drop a 500MB file into Dropbox and watch the network for activity.  If the Dropbox client software is computing hashes before sending the data to Dropbox, then it should take at least a few seconds to compute a hash for a 500MB file.  My own test proved this to be false… the 500MB file started uploading instantly after being dropped into the folder.  Hashing is not performed on the client side.
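To make the deduplication argument from the paragraphs above concrete (the tiny second upload, and why any edit to the file breaks the “fingerprint”), here is an added toy model of a hash-based, content-addressed store; it is not Dropbox’s protocol and not the author’s test, and the 4 MiB chunk size and 32-byte per-hash overhead are assumptions. It also goes one step beyond the post by chunking the file, which shows that a single flipped bit only costs the touched chunk while one inserted byte shifts every chunk boundary and forces a full re-upload.

```python
import hashlib
import os

CHUNK = 4 * 1024 * 1024   # assumed fixed chunk size for the toy model
HASH_MSG = 32             # assumed bytes on the wire per announced SHA-256 digest


def chunk_hashes(data: bytes) -> list[tuple[bytes, bytes]]:
    """Split data into fixed-size chunks and pair each with its SHA-256 digest."""
    return [(hashlib.sha256(data[i:i + CHUNK]).digest(), data[i:i + CHUNK])
            for i in range(0, len(data), CHUNK)]


class DedupStore:
    """Toy content-addressed store shared by all accounts: if the server already
    holds a chunk with the same hash, the client is told not to send it."""

    def __init__(self) -> None:
        self.blobs: dict[bytes, bytes] = {}

    def upload(self, data: bytes) -> int:
        """Simulate one upload; return the number of bytes that crossed the wire."""
        wire = 0
        for digest, chunk in chunk_hashes(data):
            wire += HASH_MSG                  # client announces the hash first
            if digest not in self.blobs:      # server lacks it: full chunk goes up
                self.blobs[digest] = chunk
                wire += len(chunk)
        return wire


def demo(size: int = 6 * 1024 * 1024) -> dict[str, int]:
    """Upload one constructed file from two 'accounts', then two edited copies,
    and report the wire bytes for each case."""
    store = DedupStore()
    original = os.urandom(size)               # constructed random file: no prior dedup hit
    flipped = bytearray(original)
    flipped[0] ^= 0x01                        # one bit changed in place
    shifted = b"\x00" + original              # one byte inserted at the front
    return {
        "first_account": store.upload(original),
        "second_account": store.upload(original),          # only hashes travel
        "one_bit_flipped": store.upload(bytes(flipped)),   # only the touched chunk
        "one_byte_inserted": store.upload(shifted),        # boundaries moved: full re-upload
    }


if __name__ == "__main__":
    for case, nbytes in demo().items():
        print(f"{case:18s} {nbytes:>10,d} bytes on the wire")
```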

In closing, I’m not defending Dropbox at all; I’m simply annoyed that I see incompetence at all levels.  Recently during the whole HBGary incident, it became apparent to me that even in support structures for Government and big banks, idiots seem to hold key positions.  This scares me.


Oct 17

Evil Google and Bad Programming.


Okay, so this post isn’t exactly about Google being evil as much as it is about bad programming habits.  This is about how a programming error led to Google’s automated systems being a little mischievous.

A couple of weeks ago I was asked to look into a problem where a site’s database would empty every so often.  The products and news would have to be re-entered.  This problem brought to light several items that I thought were noteworthy for a post.


Jun 14

Please UPDATE!

I’ve always understood that running the latest release of any software is generally safer, faster, and more in line with my needs and expectations than running anything older.

Of course, there are times when you want (*need*) to wait a little before adopting service packs or security patches; production servers, for instance, would do well to wait a few days after Patch (or Black) Tuesday and let other people bear the brunt of any potential issues like this, this or any of these.
