Please, Stop using DropBox

[TheAnimus]

http://codeinsecurity.wordpress.com/...-to-lose-aslr/

DropBox has shown time and time again that they don't get the concepts of security... at all.

This latest one is very worrying for windows users who don't use IE.

There are many other cloud data space providers, use them instead.

[kalniel]

Ew. Isn't there a way of using dropbox without installing anything, like good old fashioned uploading/sftp or something?

[TheAnimus]

This is more about their security principles.

They've had bugs which allowed other users to read your files. Not massively complex my god that was a clever hack. A bloody bug shipped to production which didn't provide isolation.

[GeorgeStorm]

I don't use it for anything important, just handy to move things from place to place/make them available to others every now and again, but if it opens up general security holes then I'll look into others in more detail.

[finlay666]

Mine is generally used for syncing settings and transferring bits, anything secure goes directly to my server

[TheAnimus]

It's not just a case of your files being at risk. It is more a case as a company they don't give a hoot about safety.

If you are writing some software that is a 'shell extension' something like putting their logo on any folder which is sync'd. That means the code to put that logo on has to be loaded into every process that uses a file dialog. Which is pretty much every interactive program.

If you are doing that, the code has to be really, really top grade.

By disabling ASLR they have removed a rather handy security feature. ASLR isn't a perfect defence, but it is more a sign that they are very rooky. Like taxying an airplane with your flaps down, it makes you look like a rooky and people will question if you are safe.

[Dooms]

It's a shame its not perfect but I'll continue using it as I have 54Gb of space and nothing I keep on there really matters if its public knowledge.

[TheAnimus]

It's a shame its not perfect but I'll continue using it as I have 54Gb of space and nothing I keep on there really matters if its public knowledge.

Do you understand that it is making any windows machine that you have the client installed on unsafe?

And that they've sat on a responsible disclosure, that should cost very little dev time to rectify for ages.

[watercooled]

I did give Spideroak a try a while back, but the client just wasn't stable enough IMO; it crashed fairly frequently, eating a CPU core until you noticed via task manager and terminated it. It might have improved recently, and they do seem to get security a heck of a lot better than Dropbox.

Not only do Dropbox not get it, they've essentially lied in the past about how your data is secured, claiming it would not be possible for employees to access it.

And remember the time where they messed up accounts and people were seeing documents belonging to other accounts etc?

They're just disastrously bad at security, and even if they patched everything, it would be hard to have any confidence in them considering the lack of competence they've already demonstrated.

[Funkstar]

I moved away from DB, but thanks for giving me a reason to uninstall the client

[Firejack]

I'm still using Dropbox. Don't run it on my server or any privileged accounts. The convenience of it still outweighs the security issues ever so slightly for me.

Tried all kinds of alternatives from Cubby, Ubuntu One, SkyDrive, Google Drive, Box but I've had problems with each.

At the moment I'm following the development of BTsync as maybe the long term solution

[machkris]

I agree. I don't prefer Dropbox personally. Google Drive is way better.

[herulach]

Does anyone have any experience with the self hosted solutions?

[sunhint]

You can use Google Drive instead and if it is personal info which should be shared with rather narrow group of people you can use something like RetroShare.

[mikerr]

The convenience of it still outweighs the security issues ever so slightly for me.

Indeed, I haven't found a cross platform (windows/mac) replacement that sits there working and never bothers you.

[peterb]

Indeed, I haven't found a cross platform (windows/mac) replacement that sits there working and never bothers you.

It's cross platform convenience (includes *nix) is a big plus - anything sensitive I store there is encrypted by me before it goes there. Otherwise I accept that that cloud storage is inherently insecure.

Anyone storing stuff on the cloud in clear should accept that it may be compromised, and I'd no more trust Google with the privacy of my data than any other cloud provider.