Dropbox Hacked

Posted by Snezana Feige – 9. September 2013

I realize it’s taken me a while to react to this, I guess for a couple of reasons. The first was that Dropbox really wasn’t “hacked” in the true sense of the word, but instead reverse engineered by “white hat” academicians. What’s the difference? Well, for one thing it wasn’t done with malicious intent. And I don’t think it really exposed Dropbox – there was still layers of security left – it just made it clear that those other security layers were good to have. Granted, as security blogger Michael Mimoso pointed out, the hack also demonstrated “how to use code-injection techniques to intercept SSL data, essentially hijacking Dropbox communication, as well as bypass two-factor authentication used to protect accounts.“ That’s a little scary. Now, ownCloud, because it’s open source, doesn’t need to be reverse engineered. The code is there for all to see, poke at, improve or just comment on. And that actually is an important security layer for us – and for our customers. No surprise Trojans, no back doors – benign or otherwise, the code is what it is. Not just a layer of security, but in some sense another layer of control. We’re big about control here, not our control, your control. I guess the second reason I held off commenting is related to the first – it’s sort of, “so what”? I mean, most code can be reverse engineered and of course in these paranoid post-PRISM days Dropbox would be a pretty big target. But I guess for businesses who have employees putting sensitive corporate data on Dropbox, it’s just another reason to maybe look at other alternatives.