Don’t Assume Dropbox Is Secure

Dropbox, a very popular online file storage solution, recently made a big mistake, allowing any user to log in to their service without a password. This means that if you had a Dropbox account and I tried to log in as you, with your email address instead of my own, I would have been granted access to your files. No fancy hackery was needed; getting your email address right was enough. Simple, huh? This comes on the heels of Dropbox’s recent admission that, contrary to what they told their users for years, they can access your data files.

Dropbox’s admissions should serve as wake-up calls for users of all online services. We’ve seen cases before where Google and others have rapidly complied with government requests for access to users’ online data. In short, if you put your data on someone else’s servers, unless you have used your own encryption prior to doing so, you should assume that your data could be accessed by someone else.

I use Dropbox myself. I don’t put anything there that is super-secret unless it’s encrypted first, however. How can you do this? A variety of programs exist to enable this. If you only want to use an online storage solution for backups, you can use TrueCrypt to easily encrypt files or a volume before it gets backed up. This means I need to have TrueCrypt on a Linux, Mac, or Windows PC to be able to decrypt the data should I need to restore it, and I can’t, for instance, use my iPhone to do so. This has never proven to be a problem, however, as I don’t generally attempt to, for instance, restore QuickBooks backups on my iPhone.
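The encrypt-before-upload workflow described above, as an added example that is not part of the original post. It uses the OpenSSL command line in place of TrueCrypt; the function names, the `sync` directory standing in for the Dropbox folder, the sample file, and the iteration count are assumptions.

```shell
#!/bin/sh
# Added example: encrypt locally, put only ciphertext in the synced folder,
# decrypt after download. Assumes OpenSSL 1.1.1+ (for -pbkdf2) on PATH.
# Note: "openssl enc" in CBC mode gives confidentiality only; it does not
# authenticate the ciphertext, so keep a separate integrity check if needed.

ITER=200000  # PBKDF2 iterations (constructed value; must match on decrypt)

# encrypt_to_sync SRC SYNC_DIR PASSFILE -> prints path of the .enc file
encrypt_to_sync() {
    src=$1; sync_dir=$2; passfile=$3
    out="$sync_dir/$(basename "$src").enc"
    tmp=$(mktemp) || return 1
    # Encrypt outside the synced folder so a failed run leaves nothing there.
    if openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
            -pass "file:$passfile" -in "$src" -out "$tmp"; then
        mv "$tmp" "$out" && printf '%s\n' "$out"
    else
        rm -f "$tmp"; return 1
    fi
}

# restore_from_sync ENC DEST PASSFILE -> writes plaintext to DEST
restore_from_sync() {
    enc=$1; dest=$2; passfile=$3
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "file:$passfile" -in "$enc" -out "$dest"
}

# demo: round trip on a constructed file; returns 0 only if the synced copy
# hides the plaintext and the restored file is byte-identical.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/sync"                       # stand-in for the synced folder
    printf 'constructed passphrase\n' > "$work/pass"
    printf 'ACCT-MARKER constructed ledger line\n' > "$work/books.txt"
    enc=$(encrypt_to_sync "$work/books.txt" "$work/sync" "$work/pass") || return 1
    rc=0
    LC_ALL=C grep -q -F 'ACCT-MARKER' "$enc" && rc=1     # plaintext leaked
    restore_from_sync "$enc" "$work/restored.txt" "$work/pass" || rc=1
    cmp -s "$work/books.txt" "$work/restored.txt" || rc=1
    rm -rf "$work"
    return "$rc"
}

demo && echo "round trip OK"
```

The passphrase file stays on the local machine and is never copied into the synced folder; losing it makes the backup unrecoverable.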

As always, there is a tradeoff between security and convenience. What you need to decide is how inconvenient it would be, not if you had to decrypt your data before restoring it, but if someone else got their hands on your data.