Thread: Please, Stop using DropBox

  1. #17
    Ninja Noxvayl

    Re: Please, Stop using DropBox

    Perhaps I'm weird but I'm not bothered by this news... like peterb I accept that cloud storage is inherently insecure, it is just a redundancy to what I already have as backups and convenience with synchronisation. With regards to increased system vulnerability, I'm already more vulnerable than most in the way I run my computer and don't want to run it more securely because it gives me other problems I'd rather not have, I prefer the flexibility to re-install everything within an hour if something gets compromised rather than have a system that is almost impossible to get into. I think the longest I have run Windows without re-installing is 18 months, and I didn't re-install because of system security.

    For me the likelihood of being attacked is far too low to warrant scrutinisation of all my programs to ensure my system is as safe as possible. I've also minimised the possible damage any attack could have by regular backups outside of the computer. Maybe later in my life when I store more sensitive information on my system I'll rethink my current way of using my computer, but until then security is light and my use of the computer will remain agile.

  2. #18
    Mostly Me Lucio

    Re: Please, Stop using DropBox

    I don't know if I'm reading the article correctly, but if I am the comments relating to people accepting that cloud storage is insecure are missing the point. As I'm understanding the article the issue is that by not using ASLR, they are introducing a vulnerability into the OS, which can then be exploited to install malicious software on your PC.

    So it's not whether or not you risk losing the documents in the cloud, but that your PC is vulnerable to viruses and trojans designed to steal financial information.

    Of course, I could be misunderstanding the point, and that it's only your account at risk


  3. #19
    Not a good person scaryjim

    Re: Please, Stop using DropBox

    Originally Posted by Lucio:
        I don't know if I'm reading the article correctly ...

    Yes, you are. By using a DLL without ASLR enabled, the Dropbox client makes your PC more vulnerable to buffer overflow attacks and malicious code execution:

    Wikipedia page on ASLR.

    So whatever you think of the online security of, say, Google, they at least don't require you to install a virus back-door on your computer...


  5. #20
    Minister of Silly Walks
    stilkun

    Re: Please, Stop using DropBox

    As Lucio was saying and scaryjim pointed out about ASLR, the Dropbox desktop client on Windows can be exploited due to not using ASLR, therefore making your system vulnerable to viruses and trojans or exploits.

    Dropbox is typically installed under appdata\roaming on Windows 7, meaning (I could be wrong) that either a program or script can call upon that folder using an environment/system variable, i.e. say %appdata%\dropbox, and referencing the DLL above in the article could be used for attacks. What the article is saying is that you should remove the Dropbox desktop client if you do not want to expose your computer to risk; you can still upload and download files from Dropbox via the browser, but it has a file size limit for files being uploaded.
    Last edited by stilkun; 11-09-2013 at 01:44 PM. Reason: Wrote post and posted after scaryjim + Grammar

  6. #21
    Seething Cauldron of Hatred TheAnimus

    Re: Please, Stop using DropBox

    Little bit mistaken stilkun.

    ASLR is a mechanism that provides running programs with some protection if an exploitable bug is found in their code. The most common applications for this are web browsers / Flash / Java. However the R bit means it has randomized the memory, so an attacker cannot have a guarantee of being able to make the program run some code (see Buffer overflow exploits).

    Now as this is loaded into, say, Firefox, that means a bug in Firefox, which normally wouldn't allow an attacker to do anything because of ASLR, could be exploited to allow a webpage to execute code, theoretically.

    The point is that enabling ASLR is effectively a one line instruction in your build definition. Something any competent programmer would be doing as a matter of course.

    It isn't just the fact that DropBox were so inept that they didn't do this. But the fact they ignored the responsible disclosure of this security issue. Let's assume they pay their staff high end London prices (they don't) it shouldn't cost more than £100 of dev time to fix this flaw, then be regression tested as part of the next cycle. To ignore such a threat shows a company that doesn't take security at all seriously.

    Myself I stopped using them years ago after their first snafu (allowing other users to read your files) and stayed fully on SkyDrive, which tbh, I find the best out of the bunch anyway.
    throw new ArgumentException (String, String, Exception)
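
What the flag discussed in this thread looks like on disk, as an added example that is not part of any post here nor Dropbox's code: the linker option (`/DYNAMICBASE` in MSVC) sets a bit in the PE header's DllCharacteristics field, and this sketch reads it. The function names are hypothetical and the sample images are constructed header-only byte strings, not real DLLs.

```python
import struct

# Flag values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # DllCharacteristics: 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040     # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100        # DllCharacteristics: image is DEP-compatible
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocation data, cannot be rebased


def read_pe_flags(data: bytes) -> tuple[int, int]:
    """Return (COFF Characteristics, DllCharacteristics) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_size, coff_chars = struct.unpack_from("<HH", data, pe_off + 20)
    opt_off = pe_off + 24
    if opt_size < 72 or len(data) < opt_off + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt_off + 70)
    return coff_chars, dll_chars


def aslr_report(data: bytes) -> dict:
    """Summarise the exploit-mitigation bits of one image."""
    coff_chars, dll_chars = read_pe_flags(data)
    return {
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": bool(coff_chars & RELOCS_STRIPPED),
    }


def sample_image(dll_chars: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only image for the demo (not a loadable DLL)."""
    buf = bytearray(0x40 + 24 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)               # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x40 + 20, 96, 0x2000)   # opt. header size, IMAGE_FILE_DLL
    struct.pack_into("<H", buf, 0x40 + 24, magic)
    struct.pack_into("<H", buf, 0x40 + 24 + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    for name, img in [("no-aslr.dll", sample_image(NX_COMPAT)),
                      ("aslr.dll", sample_image(DYNAMIC_BASE | NX_COMPAT, 0x20B))]:
        print(name, aslr_report(img))
```

To audit a real install, pass the bytes of each DLL in the client's folder to `aslr_report` and flag any module where `dynamic_base` is false or `relocs_stripped` is true.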


  8. #22
    Minister of Silly Walks
    stilkun

    Re: Please, Stop using DropBox

    Thanks for clearing that up, looks like I misunderstood that part. I primarily use Tresorit now, lucky to snag 50 GB via a Lifehacker website promotion before it ended in May, as I was at that time a bit wary about Dropbox and their security when I was introduced to it last year.

  9. #23
    Seething Cauldron of Hatred TheAnimus

    Re: Please, Stop using DropBox

    Update

    http://www.wncinfosec.com/dropbox-opening-my-docs/

    They really are a bunch of morons. This is a company that needs to quickly fade away into obscurity.

    So they open and evaluate .docs that are uploaded! Eeek. What a gaping security vector.


  11. #24
    Senior Member watercooled

    Re: Please, Stop using DropBox

    Despicable! I don't buy that de-duplication or malware scanning would trigger those events - dedup shouldn't care what a file is, it would be working on checksums for the entire file. And why would a malware scanner be opening it and executing commands like that?

    At the same time, it seems somewhat unlikely it's done entirely manually, surely they'd have far too many to process, but it still smells of epic fail either way.

  12. #25
    Technojunkie
    mikerr

    Re: Please, Stop using DropBox

    Bad Animus doesn't post the dropbox response to this

    http://news.idg.no/cw/art.cfm?id=D39...248257D755CD5F

    What he was seeing is "automated backend processing that Dropbox does on certain kinds of files.

    Dropbox allows users to see previews of some kinds of documents, including ".doc" ones, but it must build a preview of those documents [so that] users can open Word, PowerPoint, PDF and text files from directly within their browser."

    It isn't some employee browsing your files.

    Of course you can use the free boxcryptor to prevent this and other worries for cloud data:
    http://www.pcworld.com/article/20402...the-cloud.html
    Last edited by mikerr; 13-09-2013 at 11:34 AM.
    Chrome & Firefox addons for BBC News
    Follow me @twitter

  13. #26
    Senior Member watercooled

    Re: Please, Stop using DropBox

    Why do they need to execute commands in the document to generate previews? At best, it's yet another 'oversight' demonstrating their incompetence.

  14. #27
    Not a good person scaryjim

    Re: Please, Stop using DropBox

    Originally Posted by mikerr:
        What he was seeing is "automated backend processing that Dropbox does on certain kinds of files.

    Doesn't change the fact that sending an http request while generating the preview is an attack vector, which Dropbox apparently does nothing to mitigate. A carefully crafted .doc could easily exploit that.

  15. #28
    Seething Cauldron of Hatred TheAnimus

    Re: Please, Stop using DropBox

    Originally Posted by mikerr:
        Bad Animus doesn't post the dropbox response to this

    I didn't have their response.

    But I also don't give a rat's ass.

    They should not, ever, ever, ever make a request for data to an outside zone based on a file of mine.

    This means that code is being executed to perform frequently exploited (historically) functions reading my files. According to a reply on HN they use Libre to do this.

    http://www.cvedetails.com/vulnerabil...breoffice.html

    That component should be in complete isolation. It should be jailed and firewalled off from everything else. It being able to make public internet calls is a massive attack vector.

    They have no security design, no security policy. They can go die, I don't care they hired some guy from Python.

  16. #29
    Technojunkie
    mikerr

    Re: Please, Stop using DropBox

    Originally Posted by scaryjim:
        Doesn't change the fact that sending an http request while generating the preview is an attack vector, which dropbox apparently does nothing to mitigate. A carefully crafted .doc could easily exploit that.

    Agreed on that - it should be done behind a firewall/sandboxed at least

  17. #30
    Senior Member mikeo01

    Re: Please, Stop using DropBox

    And this is why I don't really trust "cloud storage". Why should I trust 3rd parties to keep my data safe, especially when news comes out like this? Dropbox has been going on since 2008. Not the best impression.

    Trust yourself, keep your own data safe, at least you know what's actually happening with it.

  18. #31
    aka .:iGi:. Calcutter DannyM

    Re: Please, Stop using DropBox

    I tried BitTorrent Sync (here) recently, it seemed to work fairly well, the only downside to this is that you potentially always have to have a machine always on to make sure you have the most up to date files. Most of us have servers so it shouldn't be an issue unless you're concerned about security.

    It's worth looking into if you do want full control over your files.

  19. #32
    Senior Member

    Re: Please, Stop using DropBox

    Eww.. and I spent the last 3 days heavily using DB and installing it in all my machines!! :O

    I've been very busy moving back to Japan (again) and decided to dump mostly unsorted junk into my Dropbox so that I can sort it out later. I even moved some important private document on DB, but fortunately as a password-protected rar file. I was starting to trust DB and didn't think it was necessary, but I guess that I will now be grabbing everything and looking for an alternative >.> Is there anything that is fundamentally the same in functions (it does have ease of use on its side and is, in my experience, pretty fast), but with the security?
