For Me, A Last Nail In Dropbox’s Coffin

I wrote just last week about how not only was the Dropbox service compromised in theory through the changes in their Terms of Service but also with a series of scripts that could potentially quickly and easily access your Dropbox information (though granted it required local access to your machine). A recent misstep occurred, however, that has broken whatever confidence I had in the Dropbox service for anything but the public sharing of files.

What happened, and why does it concern anyone that isn’t just some geek that wants to share files on the internet?

What happened is that a Dropbox developer pushed a software change to the system yesterday that left a big, gaping security hole open for four hours, during which anyone could log into any Dropbox account without a password. Here’s the story from Dropbox’s blog. No authentication meant that files could be rifled through, including files thought secure: client files, your personal files, even a backup of your password list.

Unless you encrypted your files yourself before uploading them to a Dropbox account, all of the data that you may have put there, whether in private or public folders, was vulnerable.

What does this mean?

For me it means that Dropbox is out as a service that I can trust with secure or confidential data. As a file-sharing platform with people, I can see that it might still have some value. But as a service that actually can be trusted to keep my private data private, I feel that they’ve misstepped too many times. And when your data is precious to you, trust should be a major factor.

So what to do?

I recommend to my clients that for security reasons they re-assess their use of Dropbox.

If your subscription is up or if you’re feeling that it is worth the money to invest in a new subscription, then move to a more secure cloud-based file storage system. My current favorite is SpiderOak, a service similar to Dropbox, but one that encrypts the files on your system before uploading them to their server, so that they are never in possession of any data that could be read without your specific password. I’ve noticed that this encryption seems to slow down data transfers compared to the blue box’s service, but since most of my transfers happen in the background, I haven’t had a problem with it. SpiderOak has a free account that allows for two gigabytes of storage, which should allow you to learn whether it is an acceptable service.

If a new subscription isn’t in the cards for you now, then by all means, make sure that you’re keeping your files safe and secure by doing the encryption yourself before uploading the files to Dropbox. Lifehacker has a couple of timely posts about how you can better secure your Dropbox-uploaded files with TrueCrypt and how to secure your files with an encrypted zip file that are worth checking out.

Encrypting your files can be a pain in the ass, but if your business focuses on legal, medical or financial realms where client confidentiality is a huge component of keeping your business running, it’s worth the effort. Feel free to contact me if you need some assistance in getting it all set up.

What do you think?

So what do you think? Does Dropbox’s utility still outweigh any misgivings that you might have? Am I blowing this out of proportion? Is there something that I’m not seeing here? Let us know in the comments!

Box photograph used with Creative Commons permission by kowitz.
