Dropbox Drops the Ball on Security

InfoWorld posted a great story about Dropbox getting caught doing the old sleight-of-hand routine about how secure your files really are in its cloud storage system.

Sharp-eyed doctoral candidate Christopher Soghoian caught Dropbox in a bit of, uh, let’s call it an inconsistency. Here’s what he found.

Dropbox claimed, “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Yet the company also claimed, “If we detect that a file you’re trying to upload has already been uploaded to Dropbox, we don’t make you upload it again. Similarly, if you make a change to a file that’s already on Dropbox, you’ll only have to upload the pieces of the file that changed.”

How, Soghoian asked, could Dropbox find duplicate files — or detect which pieces of a file had changed — if it didn’t have access to the contents of those files? Dropbox responded with a resounding thud.
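Soghoian’s point above is really about deduplication: a server can only skip an upload if it can tell that the new bytes match bytes it already holds. The following is an added example, not code from the InfoWorld piece or from Dropbox, that runs the same file through three constructed storage models (server sees plaintext; client-side encryption with a random key per user; convergent encryption keyed by the file’s own hash) and reports which ones can dedupe. The stream cipher here is a toy built from SHA-256, standing in for AES-256 purely for illustration.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (NOT AES-256, constructed for illustration only):
    keystream block i = SHA-256(key || i), XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class DedupStore:
    """Content-addressed store: each distinct blob is kept once.
    The server can only dedupe inputs whose bytes it can compare."""
    def __init__(self):
        self.blobs = {}  # sha256(uploaded bytes) -> uploaded bytes

    def upload(self, data: bytes) -> bool:
        """Return True if the upload was a duplicate (skipped), False if stored."""
        h = hashlib.sha256(data).hexdigest()
        if h in self.blobs:
            return True
        self.blobs[h] = data
        return False

def plaintext_model(store, users, content):
    """Server sees plaintext (or encrypts server-side with a key it holds):
    cross-user dedup works, and so does employee or subpoena access."""
    return [store.upload(content) for _ in users]

def per_user_key_model(store, users, content):
    """Client-side encryption with an independent random key per user:
    identical files yield different ciphertexts, so dedup is impossible."""
    return [store.upload(keystream_xor(k, content)) for k in users.values()]

def convergent_model(store, users, content):
    """Convergent encryption: key = SHA-256(content). Dedup works again, but
    the server can still tell that two users hold the same file."""
    key = hashlib.sha256(content).digest()
    return [store.upload(keystream_xor(key, content)) for _ in users]

# Constructed sample input: two users (hypothetical) upload the same file.
USERS = {"alice": os.urandom(32), "bob": os.urandom(32)}
FILE = b"Q1 financial forecast - confidential" * 4

if __name__ == "__main__":
    for model in (plaintext_model, per_user_key_model, convergent_model):
        print(model.__name__, model(DedupStore(), USERS, FILE))
```

The second upload is skipped only in the two models where the server can match content, which is exactly why “we don’t make you upload it again” and “inaccessible without your account password” cannot both be true unless the key is derived from the file rather than from the user.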

I’ve been praising Dropbox to anyone who would listen since I signed up over a year ago. I even paid for a year’s worth of service not too long ago. I’m starting to have some serious second thoughts about that.

So Dropbox’s site went from claiming:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)… All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.

to claiming:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata… we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances… All files stored on Dropbox servers are encrypted (AES-256)

Wait, it gets worse. They also added a new “provision” to their TOS:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.

It went from “they absolutely can’t access users’ files” to “OK, they can” to “well, we’d only access them if the nice authorities at the DHS or the County Sheriff’s office asked us to.”

Honestly, my mind is still reeling about this. Soghoian, the guy who discovered this monumental gaffe, filed a 16-page complaint with the Federal Trade Commission:

As a result, Soghoian has filed a 16-page complaint with the U.S. Federal Trade Commission, which asks the FTC to have Dropbox admit that it can get at Dropbox data, making your data vulnerable to an attack on Dropbox’s servers; require Dropbox to email its 25 million customers to warn them of the potential problem and suggest that customers encrypt their data independently; force Dropbox to refund money to people who paid for “Pro” service, if they felt they were deceived; and enjoin Dropbox from making future deceptive statements.

So, anyone have any SECURE alternatives to Dropbox?


Louis C.K. on Same Sex Marriage

I couldn’t have said it better. This is the most absurd topic of our times.

Serena Williams Posts the Sexiest Twitter Profile Pic Ever and Douchebag Tennis Writer Goes and Ruins It

Not only is Serena Williams one of the best tennis players of our generation she’s also one of the sexiest and not afraid to show off her natural curves. In a world where skin and bones is revered, I for one am happy to see a woman show off something besides her rib cage. In Serena’s case, it’s her booty.

Either earlier today or late yesterday Serena posted a gorgeous, well done and elegant photo of herself as her profile pic on Twitter. (It’s that picture to the right, if you haven’t guessed.)

If I took a picture that hot not only would it be my Twitter profile pic, it would be on the cover of my family Christmas card. Still, you’re always going to have the stalker/rapist apologists out there who are going to blame the victim for what they see.

Last week, a man was arrested for allegedly stalking Williams, having gotten too close to her, too many times all over the country, even in her dressing room at Home Shopping Network. On Thursday, she posted a new avatar on her Twitter page, a photo suggestive of us peeping at her through a lace curtain while she unknowingly looks the other way in white bra and panties.

It’s a sexy photo, she looks great and it’s not pornographic. To be honest, I would actually find it to be somewhat artistic if it weren’t for the serious business of stalking women. What was her message anyway? What was she trying to say? Just this: Look at me.

Instead, what she was saying was this: Peep at me, but don’t stalk me.

Seriously? A woman can’t share completely non-explicit, beautiful photos of herself online without inviting stalkers? Thanks for proving all the asshole-isms about guys right.

The fact that Serena has gone through what she has gone through, through no fault of her own, and still has the courage to be herself and not hide and be afraid is a testament to courage and should be applauded, not questioned in a half-ass attempt to create derision of some sort.

Whether through the idiotic comments of the above mentioned blogger or not, Serena has since changed her profile pic back to an equally sexy pic of her in a tennis outfit. I blame the blogger. Regardless, to even pose this question as something that might have any substance whatsoever is irresponsible and egregious.

At best I would say it was a lapse in judgement on the writer’s behalf, at worst I would say it was an obvious cry for attention. Either way, it’s disturbing and uncalled for and I would hope you would consider publishing an apology to Ms. Williams.

Being Batman Ain't What it Used to Be [Video]

Damn, you know if you’re dressed up like the original Batman on the Las Vegas Strip, whatever the reason is, your life isn’t going exactly the way you planned. That being said, if you’re dressed up like the original Batman on the Las Vegas Strip you may not want to encourage the drunken rabble to “play” fight with you. Remember, it’s all fun and games until Batman gets knocked out.

Disqus Adds Cool New Feature For @Replies on Twitter

I went to leave a comment on a blog via Disqus earlier and got this nice, little message after clicking in the comment area.

Disqus has long had the option to simultaneously publish a blog comment on either Twitter or Facebook but this feature is rather intuitive and seems like a great way to help jump start conversations among individual users.

I’m definitely looking forward to using this feature in the future.

Microsoft Acquires Skype for $8.5 Billion

Microsoft made its largest acquisition since purchasing aQuantive in 2008 for $6.3 billion.

Press release:

Microsoft Corp. (Nasdaq: “MSFT”) and Skype Global S.à r.l today announced that they have entered into a definitive agreement under which Microsoft will acquire Skype, the leading Internet communications company, for $8.5 billion in cash from the investor group led by Silver Lake. The agreement has been approved by the boards of directors of both Microsoft and Skype.

The acquisition will increase the accessibility of real-time video and voice communications, bringing benefits to both consumers and enterprise users and generating significant new business and revenue opportunities. The combination will extend Skype’s world-class brand and the reach of its networked platform, while enhancing Microsoft’s existing portfolio of real-time communications products and services.

With 170 million connected users and over 207 billion minutes of voice and video conversations in 2010, Skype has been a pioneer in creating rich, meaningful connections among friends, families and business colleagues globally. Microsoft has a long-standing focus and investment in real-time communications across its various platforms, including Lync (which saw 30 percent revenue growth in Q3), Outlook, Messenger, Hotmail and Xbox LIVE.

Skype will support Microsoft devices like Xbox and Kinect, Windows Phone and a wide array of Windows devices, and Microsoft will connect Skype users with Lync, Outlook, Xbox Live and other communities. Microsoft will continue to invest in and support Skype clients on non-Microsoft platforms.

It seems as if part of the reason Microsoft made such a large offer over Skype’s original $7 billion asking price was to make sure that Google or Cisco Systems didn’t get their hands on the service. Google already has the fairly popular Google Voice as well as the fairly new ability to make VoIP calls and video calls right inside of Gmail, so you can see why Microsoft wouldn’t want it to take control of Skype’s user base as well.

Hopefully Microsoft’s first mission with Skype will be to improve call quality. While Skype’s video is probably the best around, its call quality leaves a bit to be desired. Second, please do something about the cheesy UI; it’s just horrible and was made even more horrible by the last update. There’s something to be said for beauty in simplicity.

I think this is a good buy for Microsoft if they are actually serious about leaving Skype basically intact. With their resources they definitely have the ability to elevate Skype even more because, like it or not, it’s definitely the industry leader right now. It’ll be interesting to see what, if any, improvements Microsoft makes to it.

Twitter Gets Separation Anxiety

Back in the good old days you used to be able to log out of Twitter and go on your merry way without giving it a second thought. Twitter hopes to change all that.

Now, when you log out of Twitter you’re redirected to a new landing page encouraging you to “go mobile” with a handy device guide on just how you can do that.

Fortunately this isn’t an issue for me because I stay logged into Twitter simultaneously from 7 different devices and 12 different clients. Still, I’m curious what the rest of you think about this move. A nice, fresh reminder to stay connected or a needy cry for attention? I’m leaning more toward the former.