Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

Marco Arment on Dropbox: Don’t use it for anything valuable

IT Pros

If you haven’t heard of Marco Arment–creator of Instapaper, co-founder of Tumblr, and
Internet-famous software developer–go follow him on Twitter…now.

Not only is Marco an amazingly successful entrepreneur, but his blog (marco.org) and weekly podcast (Build and Analyze) are consistently packed with unique and thoughtful insights on technology and, on occasion, coffee.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Build and AnalyzeOn episode 85 of Build and Analyze, Marco responds to a listener question about the (in)security of Dropbox.  In a nutshell, the listener asked whether Marco felt comfortable storing his data in Dropbox given that they hold the encryption keys.

Marco’s response echoes my personal feelings about Dropbox and other public cloud services – treat Dropbox as though it’s nearly public. Marco’s rule of thumb is that he doesn’t put anything in Dropbox that could potentially be harmful or embarrassing if it were leaked.

Arment says:

“Anything that is really sensitive or extremely valuable or needs to be kept very secret, I wouldn’t store on anybody else’s servers. That, to me, seems ridiculous unless I held the encryption keys like with the online backup service that I use.”

Marco makes some salient points worth repeating here for users who may not be fully aware of how services like Dropbox typically work and the ramifications of storing your data off-premise.

In case you didn’t realize, Dropbox holds the keys to encrypt and decrypt your data on their servers.

This means that a Dropbox employee could theoretically view (or steal) your data. Why do they hold the keys?  Dropbox isn’t just online backup, it’s a collaboration tool.  In order to offer public file sharing features, they have to be able to decrypt data that is stored on their servers.

They also need to be able to decrypt data for legal reasons – if they get a DMCA takedown notice or a subpoena from the US government requesting certain files, servers, or even racks of servers [1].  And because Dropbox hosts data for 25,000,000+ users, some of which are undoubtedly doing very bad things, the likelihood of being served with a subpoena is far greater for them than for an individual person or organization.

For similar reasons, public cloud services are more likely to be hit by hackers because they are high value targets and, by definition, accessible over the Internet.  Also worth noting – you don’t get to decide who Dropbox hires and which employees have access to encryption keys.

Marco and co-host Dan Benjamin briefly discussed Dropbox’s most recent (at the time) security snafu which allowed anyone to login to any account without a password. Coincidentally, a little more than a week after the show aired, Dropbox is involved in another security investigation.

Marco concludes by saying that there are ways to use public cloud services responsibly, but you can’t use them for everything.

I’m with Marco on this.  Any time I store something in the cloud–be it Dropbox or Twitter or Facebook–I ask myself, “How would I feel if this data were on the front page of the New York Times tomorrow?”

Listen to episode 85 of Build and Analyze to hear Marco talk about this topic in detail (it starts around 57:36). He also has a really interesting viewpoint on how leaked source code usually has no meaningful consequences.

[1] Marco experienced this first-hand with Instapaper when his hosting provider DigitalOne was raided by the FBI and one of his servers was confiscated: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

Rob Sobers

Rob Sobers

Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.