Dropbox Hacked

I realize it’s taken me a while to react to this, I guess for a couple of reasons. The first was that Dropbox really wasn’t “hacked” in the true sense of the word, but instead reverse engineered by “white hat” academicians.

What’s the difference? Well, for one thing it wasn’t done with malicious intent. And I don’t think it really exposed Dropbox – there were still layers of security left – it just made it clear that those other security layers were good to have.

Granted, as security blogger Michael Mimoso pointed out, the hack also demonstrated “how to use code-injection techniques to intercept SSL data, essentially hijacking Dropbox communication, as well as bypass two-factor authentication used to protect accounts.”

That’s a little scary.

Now, ownCloud, because it’s open source, doesn’t need to be reverse engineered. The code is there for all to see, poke at, improve or just comment on. And that actually is an important security layer for us – and for our customers. No surprise Trojans, no back doors – benign or otherwise – the code is what it is. Not just a layer of security, but in some sense another layer of control. We’re big on control here: not our control, your control.

I guess the second reason I held off commenting is related to the first – it’s sort of, “so what”? I mean, most code can be reverse engineered, and of course in these paranoid post-PRISM days Dropbox would be a pretty big target. But for businesses whose employees are putting sensitive corporate data on Dropbox, it’s just another reason to maybe look at other alternatives.

Comments

  • I think the point isn’t whether or not the code for owncloud is any more secure than dropbox as far as source code goes – but the fact that you can host it yourself, and know who has access to your data. You can do your own backups. You can do your own encryption.

    Dropbox could be the most secure codebase in the history of the world, but if they’re willing to hand over credentials to other parties (NSA, etc.) or they have their servers seized then you’re still boned.

  • One thing I hate about OC is that they sell highlighting the bad points about their competition. That’s not ethical and shows they are not a mature company.

    Dropbox might be evil or whatever but it just works. It’s faster, all its features WORK, its sync client and protocol is waaaay better. The web client look and feel is consistent across browsers, etc.

    Hacker-proof?? No way… being open source means problems might be spotted early and patched, but it might also mean that malicious people can find a way into an owncloud system without much effort. The thing that makes OC more secure is that most instances are likely behind a firewall and access might require a VPN.

    I have my own instance of owncloud for home, it saves me a lot of trouble but even in a LAN it’s slower than dropbox over a 4Mbit connection. My server is not the fastest but it should be enough for a PHP app that never uses much of its resources (8GB RAM, Core i5 750). The same sync that would take 4 hours in dropbox takes a day. OC performance is just not there yet.

    • Don’t get us wrong. We love Dropbox – just not for enterprises. They have essentially created the need to sync and share files in an easy way. What we like to add to that is security and control and yes, it will take more development to be as nearly perfect as Dropbox is (till you reach 300,000 files in one account). We are also adding features they don’t have like public links which expire after a certain time.

  • Like other readers I’m sure, I read your post to find out if we should be wary of using Dropbox, or maybe even ‘dropping’ it altogether (no pun intended ;-)
    Unless I’m mistaken you’re simply bringing to our attention the very real fact that large systems are vulnerable to hackers (white hat, black hat, or whatever hat flavor of the month it happens to be). Is OwnCloud more secure than Dropbox? Is OwnCloud ‘the most’ secure system out there? I don’t know, but if it were I’m sure it would be the marketing slogan of the decade – for any security/privacy sensitive company.
    As for being open-source, sure it does have its benefits, but does it necessarily become hacker-proof? I think that is the real question. So perhaps the article could have ‘inserted’ any one of the many cloud services out there (Amazon, Google Drive, MS Skydrive), but it chose to target Dropbox – no doubt as it is the most popular and easiest to use.

    Thanks for the article, but a little less ‘sky-is-falling’ and more salt please ;-)
