Global CIO: The Dropbox Deception: Caveat Emptor


Anyone who entrusted sensitive data to Dropbox without code review, or at least skepticism regarding impressive security claims, wasn't behaving well, either.

By Jonathan Feldman InformationWeek

I read a tweet several weeks ago which mentioned that Dropbox, the online file-sharing utility, was trying to kill an open source project. In the scuffle, various researchers realized that Dropbox, contrary to its earlier claims, actually had access to encrypted files on the service. Wired subsequently reported that an FTC complaint has been lodged against Dropbox, charging that it lied to users.

I'm assuming that most IT leaders don't have their feelings bruised. At least I hope they don't.

I'm a big proponent of using tools like Dropbox, SugarSync, and Box.net. Cloud-based file storage synchronization is one of the only ways, given the dirt-road-monopoly state of broadband in this country, that users can have reasonably quick access to their files when they're on the go. These services are also a way for users to easily work on their files when disconnected from the network, given that universal wireless doesn't quite exist yet.

In fact, I'm writing a draft of this column on an airplane using one of these services. When I get home, I'll be able to edit it on a somewhat larger keyboard, and instead of playing the USB stick shuffle, my updated column will be available just about as soon as I turn on the computer.

But despite being something of a fanboy, I personally don't trust service providers who tell me that, in a super-secret, unknown-to-me methodology, they're encrypting my files in a way that even they can't read them. That sounds too good to be true. In fact, any cryptographer will tell you that any methodology that's too secret to be revealed is also probably too weak to be used.

Back when I was a security practitioner, it was common knowledge that the way software companies hid a bad encryption algorithm was to claim that it was proprietary. So I wasn't surprised to learn that, despite claims that files on Dropbox were "inaccessible without your account password," files were in fact accessible by Dropbox admins. I've worked with military and public safety long enough to know that such access is generally smiled upon by law enforcement. And I've worked with system admins and application programmers long enough to be paranoid about back doors that they don't mention to the marketing folks.

In my personal life, I've used open source software to encrypt files with sensitive data like social security numbers and health information. It's pretty easy: I create an encrypted file container that then gets synchronized with Dropbox.

In my work life, our guidance over the last year to employees who use Dropbox is that, though it's a cool tool, don't store anything that's super-sensitive on it. While we have third-party enterprise encryption software available to us, I highly doubt that my organization will be applying it to Dropbox, simply because there's not a huge use case.

Dropbox and other cloud file-synchronization providers are great for sharing anything but the family jewels. If an organization has a use case for sharing the family jewels among a distributed workforce, it can probably strike a deal with the provider. Such a deal might include a third-party inspection of the software's source code to ensure that no back doors exist, but providers will resist. Such a deal could be struck only if the dollar value of the contract is extraordinarily high; these types of reviews are usually the province of Fortune 500 organizations.

Here's my point: Even when Dropbox says it uses a non-proprietary and open standard, the U.S. government's Advanced Encryption Standard, the software itself remains an unknown quantity. And if you don't know, via third-party review, that the underlying software is what the provider claims it to be, you're not discharging your duty to your organization properly if you blindly accept that claim. When Ronald Reagan dealt with international relations, he was fond of quoting the Russian proverb "Trust, but verify."

That goes double for security matters at your organization.

Cloud software is tantalizing--better, faster, cheaper, more secure. But the Dropbox Deception, as I'm sure it will now be called, is a clear reminder of the basic rule of enterprise software procurement: caveat emptor.

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina.

Write to him at jf@feldman.org or at @_jfeldman.

http://www.informationweek.com/news/global-cio/interviews/229502488

Comments

Post a Comment

Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that the patient is 3,000 kilometers away,”  he said.
Read more

Visualizing The Power Of The World's Supercomputers

Visualizing The Power Of The World's Supercomputers   BY TYLER DURDEN FRIDAY, JAN 21, 2022 - 04:15 AM   A supercomputer is a machine that is built to handle billions, if not trillions of calculations at once. Each supercomputer is actually made up of many individual computers (known as nodes) that work together in parallel. A common metric for measuring the performance of these machines is  flops , or  floating point operations per second . In this visualization,  Visual Capitalist's Marcus Lu uses  November 2021 data from  TOP500  to visualize the computing power of the world’s top five supercomputers. For added context, a number of modern consumer devices were included in the comparison. Ranking by Teraflops Because supercomputers can achieve over one quadrillion flops, and consumer devices are much less powerful, we’ve used  teraflops  as our comparison metric. 1 teraflop = 1,000,000,000,000 (1 trillion) flops. Supercomputer Fugaku  was completed in March 202
Read more

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke
Read more