23 comments

[ 4.9 ms ] story [ 56.2 ms ] thread
The first comment on the page reads:

> Holy crap, the iPhone version is worse! I just fired up my proxy and found it's transmitting both the metadata and the files via HTTP.

Could anyone confirm? This would be a pretty serious flaw.

Something I found interesting from the comments on that article was the claim that Dropbox remotely deletes mp3 files that infringe copyright.

Can anyone else confirm that they do this? It's surprising to hear that--I would have expected that if something's in your private Dropbox, there couldn't be any copyright infringement at all. Aren't backups generally considered fair use?

Well, backups of your torrented music are obviously not fair use, and doesn't Dropbox have a "public" folder or something?

That said, yes, I'd expect them to stay out of my data unless I do something silly like using them as a distribution mechanism.

> backups of your torrented music are obviously not fair use

Obviously, but how can Dropbox tell if the files are torrented or were purchased legally without DRM? Or legally ripped from a CD for a backup?

(comment deleted)
I think watermarking - inserting a few nearly-inaudible bits in a song/whatever to identify the owner - is becoming more and more common. To name just one example.

That said, I don't think Dropbox should care.

They probably dont care if they are torrented or not, they likely care if they are made public.
The music thing is not true. Many people use dropbox to dunce their iTunes library. (I do) and that's just crazy talk.
It's for people who are backing up their music, and then sharing publicly. Private backups shouldn't be effected.
Dropbox will react to DMCA notices and "will take whatever action, in its sole discretion, it deems appropriate, including removal of the challenged content from the Site."

http://www.dropbox.com/terms#dmca

As they will probably never receive a DMCA notice for your private folders they won't delete anything. (My opinion, I'm not associated with Dropbox)

edit: replaced provide with private

I'm sure they must have received DCMA notices for infringing files people host in their publicly shared folders.
I'm guessing the guy put his mp3 files in his public folder which is as good as sharing them on the web.
which would mean that the session info is also going over the clear, which means that you don't need to dump the files or info, you can use their own client to do that along with a forged session token
A great feature of OSX is the Apple Disk Image. [1] It lets you have a single file, with AES-256 encryption, that can be mounted and then used as a disk (put files on it, create folders etc). Perfect for keeping anything sensitive in Dropbox, such as passwords, statements from your bank etc etc. Even if your account gets compromised and the file gets copied, your data is safe.

1. http://en.wikipedia.org/wiki/Apple_Disk_Image

The article mentions TrueCrypt, which is a better option for people who are using multiple platforms. However, neither TrueCrypt nor Apple Disk Image are appropriate for people who need to access their Dropbox files from their Android phone, which is what the article discusses.
That's true. I wasn't responding directly to the article, but just wanted to share a convenient solution to the problem of "I want my private stuff synced, but I don't want to trust Dropbox or anyone else with it".
The response on this is pathetic. Dropbox was made aware that some people have a valid objection to metadata being plaintext three months ago and now they only take it seriously when it shows up on HN?

As a paid DropBox and Android user I'm second guessing use of the product.

Here is a pro-tip: If your way to get "Speed" involves being "Insecure" than someone needs to get wacked aside the head with the hardest nerf bat you can find. Repeatedly. While screaming "NO NO NO THAT'S STUPID".

(comment deleted)
Absolutely unacceptable. I was planning on upgrading from free to 100GB literally today but this changes my mind.

How can I trust that Dropbox cares about the safety of my data when they make such amateur security mistakes in their mobile app?

Dropbox's website was vulnerable to passive session hijacking until they took note of Firesheep and fixed it.

Both this and the mobile issues would have been identified on the first day of a security audit by even someone with little experience. Dropbox has continued to demonstrate that they do not take security seriously, which is confusing and unacceptable considering the entire company is built on the idea that people will trust them with their data.

Dropbox's claim that the lack of SSL is a speed issue sounds like total nonsense. I'll again reference Adam Langley's work at Google:

"In January this year (2010), Gmail switched to using HTTPS for everything by default. [...] In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...

Reminds me of Firesheep. Another reason to use VPN when in public wifi.