Monday, May 23, 2011

Global CIO: The Dropbox Deception: Caveat Emptor


Anyone who entrusted sensitive data to Dropbox without code review, or at least skepticism regarding impressive security claims, wasn't behaving well, either.

By Jonathan Feldman, InformationWeek

I read a tweet several weeks ago which mentioned that Dropbox, the online file-sharing utility, was trying to kill an open source project. In the scuffle, various researchers realized that Dropbox, contrary to its earlier claims, actually had access to encrypted files on the service. Wired subsequently reported that an FTC complaint has been lodged against Dropbox, charging that it lied to users.

I'm assuming that most IT leaders don't have their feelings bruised. At least I hope they don't.

I'm a big proponent of using tools like Dropbox, SugarSync, and Box.net. Cloud-based file storage synchronization is one of the only ways, given the dirt-road-monopoly state of broadband in this country, that users can have reasonably quick access to their files when they're on the go. These services are also a way for users to easily work on their files when disconnected from the network, given that universal wireless doesn't quite exist yet.

In fact, I'm writing a draft of this column on an airplane using one of these services. When I get home, I'll be able to edit it on a somewhat larger keyboard, and instead of playing the USB stick shuffle, my updated column will be available just about as soon as I turn on the computer.

But despite being something of a fanboy, I personally don't trust service providers who tell me that, in a super-secret, unknown-to-me methodology, they're encrypting my files in a way that even they can't read. That sounds too good to be true. In fact, any cryptographer will tell you that any methodology that's too secret to be revealed is also probably too weak to be used.

Back when I was a security practitioner, it was common knowledge that the way software companies hid a bad encryption algorithm was to claim that it was proprietary. So I wasn't surprised to learn that, despite claims that files on Dropbox were "inaccessible without your account password," files were in fact accessible by Dropbox admins. I've worked with military and public safety long enough to know that such access is generally smiled upon by law enforcement. And I've worked with system admins and application programmers long enough to be paranoid about back doors that they don't mention to the marketing folks.

In my personal life, I've used open source software to encrypt files with sensitive data like social security numbers and health information. It's pretty easy: I create an encrypted file container that then gets synchronized with Dropbox.
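The approach in the paragraph above, encrypting on your own machine before the sync client ever sees the file, is what makes the provider's admin access irrelevant. The following is an added example, not the column's own tooling and not any Dropbox code: it uses AES-256-GCM so that what lands in the synced folder is an opaque blob the provider can neither read nor silently alter. Assumptions: the key is generated locally and kept outside the synced folder, and the file's path within that folder is bound into the authentication tag (as associated data) so a blob that is renamed or swapped on the server side will refuse to open.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example (not the column's own code): client-side encryption of a file
// before it enters the synchronized folder. The provider only ever stores the
// output of Seal: nonce || ciphertext || GCM tag. The key never leaves the client.

// NewKey returns a random AES-256 key. Assumption: the caller stores it
// somewhere that is NOT synchronized (password manager, OS keychain).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for upload. The file's path inside the synced
// folder is authenticated as associated data, so a blob that an admin renames,
// swaps with another user's file, or moves under a different name will not open.
func Seal(key, plaintext []byte, path string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to its first argument, so the fresh nonce is prefixed
	// to the ciphertext and travels with it; it need not be secret.
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal. A modified blob, a wrong key, or a wrong path fails the
// GCM tag check and no plaintext is returned.
func Open(key, blob []byte, path string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed container")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(path))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a file holding sensitive data.
	secret := []byte("SSN 000-00-0000; diagnosis: example")
	const path = "Dropbox/personal/records.enc"

	blob, err := Seal(key, secret, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes; first 8: %x\n", len(blob), blob[:8])

	back, err := Open(key, blob, path)
	fmt.Println("owner with key opens it:", err == nil && bytes.Equal(back, secret))

	// A single flipped bit anywhere in the stored blob is detected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, path)
	fmt.Println("tampered blob rejected:", err != nil)

	// An admin with full read access to the account but no key gets nothing.
	other, _ := NewKey()
	_, err = Open(other, blob, path)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The point the example makes beyond the paragraph: with an authenticated mode, "inaccessible without your password" is a property you can check yourself rather than a claim you take from the provider, and integrity comes along for free. The weak link moves to key handling, which is exactly where it should be and where you, not the provider, control it.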

In my work life, our guidance over the last year to employees who use Dropbox is that, though it's a cool tool, don't store anything that's super-sensitive on it. While we have third-party enterprise encryption software available to us, I highly doubt that my organization will be applying it to Dropbox, simply because there's not a huge use case.

Dropbox and other cloud file-synchronization providers are great for sharing anything but the family jewels. If an organization has a use case for sharing the family jewels among a distributed workforce, it can probably strike a deal with the provider. Such a deal might include a third-party inspection of the software's source code to ensure that no back doors exist, but providers will resist. Such a deal could be struck only if the dollar value of the contract is extraordinarily high; these types of reviews are usually the province of Fortune 500 organizations.

Here's my point: Even when Dropbox says it uses a non-proprietary and open standard, the U.S. government's Advanced Encryption Standard, the software itself remains an unknown quantity. And if you don't know, via third-party review, that the underlying software is what the provider claims it to be, you're not discharging your duty to your organization properly if you blindly accept that claim. When Ronald Reagan dealt with international relations, he was fond of quoting the Russian proverb "Trust, but verify."

That goes double for security matters at your organization.

Cloud software is tantalizing--better, faster, cheaper, more secure. But the Dropbox Deception, as I'm sure it will now be called, is a clear reminder of the basic rule of enterprise software procurement: caveat emptor.

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina.

Write to him at jf@feldman.org or at @_jfeldman.

Up to 20 million Americans 'overcharged' by AT&T for data usage


By DAILY MAIL REPORTER

AT&T are 'systematically overcharging' up to 20 million Americans who use their iPhone or iPad to access data on the go, an investigation has uncovered.

The lawsuit alleges the phone giant routinely overcharges customers between 7 and 14 per cent, and in some cases up to 300 per cent. In tests, engineers said they found the company charged for downloading data and surfing the web even when the iPhones remained untouched.

Speaking to MSNBC, lawyer Barry Davis who worked on the suit, said: 'It's like a rigged gas pump.

'Where, when you go to the gas station and ask for a gallon of gas, you only get nine-tenths.'

When asked by a reporter whether his team found overcharging for every single transaction, he replied: 'Yes, every single one.'

The reporter then asked: 'Did you ever find a discrepancy where the customer was undercharged?'

Mr Davis replied: 'Never. Always an overcharge, never an undercharge.'

Over 20 million Americans have iPhones or iPads with AT&T, who until a few months ago were the sole network allowed to sell the phones.

In order to test the allegations, the team bought several new iPhones, disabled all software that would automatically access the internet or download data and left them on, but untouched, for 10 days.

When they received the bill, they found AT&T had charged them for 35 different transactions.

Independent engineers also measured the amount of data downloaded in a series of tests, and then compared the results to the bill sent by AT&T.

They found that in every case AT&T overcharged by between 7 and 14 per cent, and in some cases by as much as 300 per cent.

Speaking to MSNBC, AT&T customer Mike Stewart said: 'It's just like someone stealing those minutes away from you. They're just robbing the time from your plan.'

AT&T responded by saying the allegations were 'without merit' and 'reflect a misunderstanding of the way data is measured.'

The company said some apps have software that runs in the background or is automatically updated, which may use data that the consumer isn't aware of.

Friday, May 20, 2011

Microsoft's Windows 8 on ARM Will Lack Legacy Apps: Intel Exec


By: Nicholas Kolakowski

Microsoft's Windows 8 on ARM-based devices will lack support for legacy apps, according to an Intel executive. But that's coming from ARM's chief rival.

An Intel executive suggested during a company investor meeting May 18 that Microsoft will manufacture different versions of its upcoming "Windows 8" tailored for Intel and ARM-based devices. That echoes statements made by Microsoft executives at January's Consumer Electronics Show in Las Vegas.

Bloomberg reports that Renee James, senior vice president and general manager of Intel's Software and Services Group, told those assembled at the meeting that the next version of Windows for Intel chips will run programs designed for previous versions of the operating system, while the ARM-based versions will not. Intel will apparently offer its own Windows-supporting architecture for mobile devices such as tablets.

Rumors suggest that Microsoft will release Windows 8 (as it's been termed, at least for brevity's sake, by the media and analysts) sometime in 2012. In April, bloggers Rafael Rivera and Paul Thurrott dissected various features of what they called an early operating-system build on Rivera's Within Windows blog. According to those postings, the next version of Windows could incorporate an Office-style ribbon interface into Windows Explorer, complete with tools for viewing libraries and manipulating images. The bloggers also included a screenshot of an early device-unlock window, done in the "Metro" design style already present in Windows Phone.

Whether those elements eventually find their way into Windows 8 remains to be seen. What is confirmable, though, is that it will support SoC (system-on-a-chip) architecture, in particular ARM-based systems from partners such as Qualcomm, Nvidia and Texas Instruments. That would give Microsoft the ability to port Windows 8 onto tablets and other mobile form factors powered by ARM offerings. And that, in turn, would allow Microsoft to finally establish a beachhead in a tablet market currently dominated by Apple's iPad and the growing family of Google Android devices.

Steven Sinofsky, president of the Windows and Windows Live Division, suggested at CES 2011 that "under the hood there are a ton of differences that need to be worked through" with regard to SoC-supported Windows. Nonetheless, he added, "Windows has proven remarkably flexible at this under-the-hood sort of stuff."

If an ARM-based Windows 8 can't run legacy applications, that could potentially hobble adoption among businesses and consumers, and ultimately benefit Intel, which has a long history of supporting Windows on a variety of devices. But as a high-ranking Intel executive, James also has a vested interest in promoting her company's offerings over those of its rival.

Windows 7 managed to sidestep some "last ditch" compatibility issues with certain Windows XP applications via Windows XP mode, which ran those applications within a virtual environment; the question is whether a similar solution could solve compatibility issues with the next version of Windows, despite James' insistence to the contrary.

Whatever the final capabilities of the next Windows, though, the emphasis on both ARM and Intel for its hardware backbone suggests that Microsoft is making a very big play, not only to hold its ground in traditional PCs, but also to take its own piece of the burgeoning tablet market.