[ale] Dropbox opinions wanted

Greg Freemyer greg.freemyer at gmail.com
Fri Sep 17 07:26:36 EDT 2010


Pat,

Did you look at SpiderOak as an alternative?

Greg

On 9/17/10, Pat Regan <thehead at patshead.com> wrote:
> On Fri, 17 Sep 2010 00:05:20 -0400
> Michael Trausch <mike at trausch.us> wrote:
>
>> They could be encrypting to 2 keys: your password and a key that they
>> do not share, but use to read from Amazon or whatever. It is possible
>> that they also then generate the hashes prior to encryption. The
>> level of protection is such that one couldn't steal the files from S3
>> but a DB empl might be able to.
>
> I've been thinking about this a lot today...  I'd really like
> Dropbox-like functionality (and an app on my phone!) but I'm not very
> trusting...
>
> If they store the hash prior to encryption that means anyone with
> access to their database can know what files I have stored in my
> account.  That could be the RIAA or MPAA.  If things work like everyone
> says they work then this is one of the things they do have or else they
> couldn't make it work.
>
> If they can deliver a file that is in my account to one of your
> machines then they have to have a way to decrypt it.  If they can
> decrypt my file I would consider it barely safe up there.
>
> Their FAQ says:
>
> "All files stored on Dropbox servers are encrypted (AES-256) and are
> inaccessible without your account password"
>
> "Dropbox employees aren't able to access user files, and when
> troubleshooting an account they only have access to file metadata
> (filenames, file sizes, etc., not the file contents)"
>
> I read these two bullet points when this discussion first started.  For
> these points to really mean anything the data needs to be encrypted
> before it leaves your computer.  If that were true my trust level in
> Dropbox would have gone up from where it was before this thread
> started...
>
> If everyone is correct and they are sharing files between users then
> the first point is barely useful and almost a falsehood.  They are
> almost implying that only your account password can decrypt the files.
> What they really mean to say is:
>
> "All files stored on Dropbox servers are encrypted (AES-256) and are
> inaccessible without your account password AND ONE OR MORE KEYS OWNED
> BY DROPBOX"
>
> That means that the second bullet point about employees not being able
> to access the files is probably more a matter of policy than it is a
> technical limitation.
>
> I figure my data would be just one notch more private with Dropbox than
> it is with Google...
>
> Pat
>
> I was thinking about how to implement some Dropbox functionality with
> inotify and rsync.  Is anyone interested in talking about that? :)

-- 
Sent from my mobile device

Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
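
The concern in the quoted message above (a provider that keeps hashes taken before encryption lets anyone with access to its database tell which files an account holds), as an added example that is not part of the original thread. The class names and sample data are constructed for illustration, and an HMAC under a client-held key stands in for identifiers derived on the client; encryption itself is not modelled.

```python
import hashlib
import hmac
import os


class PlainHashIndex:
    """Provider-side index keyed by SHA-256 of the plaintext (enables cross-user dedup)."""

    def __init__(self):
        self.blobs = {}      # content hash -> stored blob (stand-in for encrypted data)
        self.accounts = {}   # account name -> set of content hashes

    def upload(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)          # second uploader stores nothing new
        self.accounts.setdefault(account, set()).add(digest)
        return digest

    def account_holds(self, account, known_file):
        """What anyone with read access to the index can answer, no password needed."""
        return hashlib.sha256(known_file).hexdigest() in self.accounts.get(account, set())


class ClientKeyedIndex:
    """Index keyed by HMAC-SHA256 under a key that never leaves the client."""

    def __init__(self):
        self.blobs = {}
        self.accounts = {}

    def upload(self, account, client_key, data):
        tag = hmac.new(client_key, data, hashlib.sha256).hexdigest()
        self.blobs.setdefault(tag, b"<ciphertext>")  # encryption itself is out of scope here
        self.accounts.setdefault(account, set()).add(tag)
        return tag

    def account_holds(self, account, known_file):
        # The provider has no client key, so the best it can do is the unkeyed hash.
        return hashlib.sha256(known_file).hexdigest() in self.accounts.get(account, set())


def compare(song=b"constructed sample file contents"):
    plain, keyed = PlainHashIndex(), ClientKeyedIndex()
    for user in ("alice", "bob"):
        plain.upload(user, song)
        keyed.upload(user, os.urandom(32), song)
    return {
        "plain_blobs": len(plain.blobs),                      # 1: deduplicated across users
        "plain_reveals": plain.account_holds("alice", song),  # True
        "keyed_blobs": len(keyed.blobs),                      # 2: no cross-user dedup
        "keyed_reveals": keyed.account_holds("alice", song),  # False
    }
```

The two results move together: the user-independent identifier that makes cross-user deduplication possible is the same one that answers "does this account hold this file".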

