Dropbox - Is it safe?

mac1
Community Member

One of Dropbox's users has detected that the software synchronizes with its cloud not only the content of the dedicated directory, but also other files from the disk, no matter which directory they are located in, without the consent of the user.
Dropbox's loitering was caught while testing a DLP system. Mekin Pesen describes step by step how to reveal Dropbox's "thieving practices".
What are your recommendations, and is there a close relationship with 1Password?
http://www.e-siber.com/guvenlik/dropbox-accesses-all-the-files-in-your-pc-not-just-sync-folder-and-steals-everything/

Comments

  • Hi @mac1,

    Have you reached out to Dropbox for their comment on this article? I see a number of comments on the article that could easily explain the behavior the author is seeing, without any nefarious consequences.

    Frankly I personally don't believe Dropbox is sending files that live outside the Dropbox folder to their servers. If it were, bandwidth usage would be much higher. My bandwidth usage when running Dropbox correlates as I'd expect.

    Thanks.

    Ben

  • mac1
    Community Member

    Thanks. Case can be closed.

  • littlebobbytables
    1Password Alumni

    We can certainly close this thread if you wish @mac1 but if you've found evidence that this was a mistake that would also be very useful for others to review too.

    It's good that people are checking this sort of thing, it's good for everybody and if I learnt anything from academia it's that failure is also educational and we can learn plenty from when something doesn't work. A quick look suggests the analysis has been refuted based on attempts to monitor Dropbox's network activity and a better understanding of why it needs to query what it does, is this what you found too?

    Two links I found included Dropbox Is Probably Not Stealing All Your Files and No, Dropbox is not stealing your files but I don't know either author or their credentials. They come up with what seem like reasonable explanations for some of what I assume was at the source of the original claim.

  • [Deleted User]
    Community Member
    edited March 2015

    I use cloud services, but I also use a trusted encrypted container to store my sensitive files. That way if the cloud service has a crooked employee or a breach in their server, then I can still sleep knowing that my trusted container app protected my files. I can almost guarantee that in the future you will hear about a password breach in one of the major cloud servers, so I recommend using an encrypted container so your password is not on the server. Also two factor authentication is twice as secure.

  • pbGuy
    Community Member

    kunder, how does one implement a trusted encrypted container?

  • That is what 1Password does for you (not for all of your Dropbox data, but for your 1Password data).

    We do not recommend storing your 1Password data inside another encrypted container. That will almost certainly break 1Password.

    Thanks!

  • [Deleted User]
    Community Member
    edited April 2015

    pbGuy, let me say it another way. 1Password is my container for my passwords and secure notes.
    I use another encrypted app container for storage of my PDF documents or Word files. It is a password manager as well, but not as good as 1Password.
    I would hope 1Password would allow storage of files in their app on Apple iOS in the future so I could use only one app for my sensitive stuff.
    Containers are any apps that use encryption so no one can get to your data inside the container or safe, whatever you want to call it.
    Cloud servers like Apple iCloud or Dropbox are encrypted as well, but what if there is a backdoor, security breach, or bad employee who might have clearance to the server?
    If that were to happen they could get my container, but the container would be scrambled data because it is an encrypted app that only you can open if you use a good long random password.
    It depends on what you trust.
    Me, I do not trust servers, so I use apps that encrypt data before using a server with my sensitive stuff.
    I recommend using the 1Password generator and making your password 12 characters or longer to make it strong. Seven characters or less will not be good enough in my opinion.
    Now on the other hand I have no choice but to trust my e-mail server, because I do not use anything to encrypt that.
    Just use common sense on what you include in your e-mail.
    The cloud servers are a big thing that a lot of us use for storage and to help us sync or share data.
    I just prefer to have an extra layer of protection.
    1Password does that!
    I have two backups.
    iCloud, a local external device, and my Apple devices themselves could be a third.
    I back them up immediately if I feel I cannot remember any changes between backups.
    I also like manual backups vs. auto.

  • khad
    1Password Alumni

    @pbGuy, as @kunder mentioned your 1Password data is a "trusted encrypted container". 1Password uses end-to-end encryption.

    What does it mean to be end-to-end encrypted?

    End-to-end encryption means that data is encrypted on your devices with keys generated on your devices and protected by your Master Password. It is not decrypted until it safely reaches its destination on your other device(s). Because of this, the confidentiality of your data does not depend on the security of the communication channel or service you use to sync or store your data.

    Why you shouldn't ride a motorcycle naked

    A while ago, Vittorio Bertocci came up with a funny analogy to help explain end-to-end encryption, and we think it is a great way to help folks grasp the concept.

    Relying on the encryption of a communication channel or service to protect your data is like riding a motorcycle naked through a tunnel. If no one else is in the tunnel, you have a pretty good chance of avoiding an indecent exposure citation. However, you still have to get to the tunnel in the first place. (And you may want to get off the motorcycle and walk somewhere when you arrive at your destination.)

    End-to-end encryption is like wearing proper personal protective equipment at all times. Before you even step outside, you're wearing your jacket, boots, helmet, and gloves. You are better protected from the elements, an accident, and an indecent exposure citation. You don't need to rely on the tunnel to shield you from any of those things.

    So what does end-to-end encryption protect against?

    1Password does not rely on Dropbox, iCloud, or any other sync service—the "tunnel" in the analogy above—to protect your data when syncing. This means that even if your own computer, your sync provider, or the SSL communication between your computer and sync provider are all compromised, your 1Password data is still protected. The latter two are the least likely. However, 1Password was designed with the knowledge that some users would have their computers stolen. We do not believe that syncing to the cloud diminishes the security of your data in any meaningful way.

    End-to-end encryption is only as good as the encryption

    The end-to-end encryption 1Password provides would be of no use if the encryption itself was not secure (or implemented in a secure manner).

    1Password encrypts your data with keys that are derived from your Master Password. Those keys are never stored in your data (thus they are also never synced). Nobody, not even us at AgileBits, ever sees those keys or your Master Password. This is why it is absolutely essential that you don't forget your Master Password. We cannot reset it or reconstruct it. Your data can only be decrypted by you.

    We designed 1Password this way from the outset because we knew that computers get stolen and services get compromised. By placing all encryption and decryption under your control, we become far less reliant on the security of any sync service.

    For more information on the security of the encryption 1Password uses, see How does 1Password keep my data safe? And if you have any other questions or concerns, please let us know. We are always happy to help. It is great that you are thinking about these things.
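    The post above describes keys derived from the Master Password, never stored in the synced data, so the sync service only ever holds ciphertext. The following is an added illustration of that design, not 1Password's own code or file format: it uses PBKDF2 for key derivation and, to stay within the standard library, an HMAC-SHA256 counter-mode keystream as a stand-in for a real block cipher, with an encrypt-then-MAC tag so a wrong password or a tampered blob is detected rather than yielding garbage. The iteration count and all sample data are assumed values.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Assumed illustrative iteration count; not 1Password's real parameter.
PBKDF2_ITERATIONS = 100_000

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the Master Password.
    The keys exist only in memory; they are never written into the synced blob."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF.
    A stdlib-only stand-in for a real cipher such as AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the device; the result is all the sync service stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": b64(salt), "nonce": b64(nonce), "ct": b64(ct), "tag": b64(tag)}

def decrypt_vault(master_password: str, blob: dict) -> Optional[bytes]:
    """Re-derive the keys from the password and verify the tag before decrypting."""
    salt, nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong Master Password or tampered blob: refuse to decrypt
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def sync_service_view(blob: dict) -> str:
    """Exactly what the sync provider (the 'tunnel') sees: parameters and ciphertext only."""
    return json.dumps(blob)
```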

  • Wylie
    Community Member

    Thanks to @all for the informative discussion.

    This gives me the assurance I was hoping for - that 1Password uses end-to-end encryption and does not depend on Dropbox. Dropbox cannot be trusted as they are quite cozy with the 1%, in fact Condoleezza Rice is on their board:
    theguardian.com/technology/2014/jul/17/edward-snowden-dropbox-privacy-spideroak

    Does anyone know if I can use SpiderOak instead of Dropbox to share my vault keys with other members on my Team? Not that it is needed, but for other considerations.

    Thanks,
    Chris

  • Hi Chris,

    Thanks for the update! While SpiderOak may work in some cases it is not an officially supported solution, and definitely will not work at all with iOS.

    Thanks!

  • [Deleted User]
    Community Member

    Do not get me wrong when I say I do not trust servers. I do use servers, and Dropbox is a very good server from what I have read, even though I do not use them currently. I just meant that something like a security breach is possible, and it is nice to use something like 1Password as a secure container.
    If I was a business type person and wanted to share files then Dropbox would be the server I would use.

  • Thanks kunder.

    Just to put a final message on this thread, we continue to recommend Dropbox because it is a safe and reliable method to sync your 1Password vaults. If that changed, we'd certainly reconsider offering it.

This discussion has been closed.