Thursday, June 23, 2011

Why I will keep using DropBox

There have been some “privacy scares” in relation to the cloud-storage desktop application DropBox recently that may have shaken confidence in the product; however, I am not going to leave them just because of these issues. These problems even triggered possible FTC scrutiny into their activities.

First, not too long ago it was revealed that even though DropBox touts the fact that they encrypt the contents of your shared data, the crypto key is available internally to employees—this means that they can decrypt your information and look at it anytime they want. The reason for this is that the only way that they can enable a user to retrieve the contents of their box if they lose their password is to keep the key in house. Otherwise, a user who forgets their password loses access to their data forever.

The second scandal happened recently when DropBox accidentally opened up everyone's storage to access via any password. This meant that anyone connecting to any DropBox account could have pilfered the contents for the four hour period it was open.

Why am I largely unconcerned?

I don’t store anything in my DropBox that I don’t already allow to be publicly accessible. Certainly, I do keep some secret information in there that I’d rather not people see (such as manuscripts for upcoming novels) but I do the second-best-thing that I do for anything I put into the cloud: I encrypt it.

Any passwords, sensitive information, or secrets that end up in my DropBox are encrypted and often named things that make it difficult to discern what’s in them. An attacker who manages to break DropBox’s security (or gets in when its down) will have to content with a second layer of defenses—my defenses—and certainly it’s not about to stop a determined attacker to copy and attempt to decrypt my information; but at that point I wouldn’t be able to do much to stop them anyway.

Using encryption on top of my manuscripts and secrets doesn’t just protect them from potential prying eyes, but it also means that I can be reasonably certain that they haven’t been tampered with. Attempting to change one of my cryptographic files would ultimately destroy it and render it useless (annoying to me but I keep backups.)

If you use any cloud service (backup, sharing, etc.) don’t expect that their security is ever secure enough. “Always padlock your own fscking data,” as Elaine Mercer from Black Hat Magick would say.

No comments: