by flyt 3678 days ago
Hi Sneak! As you're no doubt aware, people change over the years. They learn from mistakes, improve how they live their lives, and become better over time.

Companies tend to be the same way, learning along the way and maturing, especially when it comes to business processes and risk-related parts of the business.

It's entirely possible that the Dropbox of 2016 isn't like the Dropbox of five years ago in many concrete ways. For example, they could have hired new people, improved testing and release processes, and become more serious about engineering discipline.

Many startups early on make dumb mistakes and go on to great success and professionalization, and we should have both empathy and forgiveness for them in the long term. Dropbox has recently demonstrated a focused attention on large-scale, challenging engineering projects (building a replacement for S3 in-house from scratch, writing kernel extensions, etc.) and a reasonable observer might conclude that they've learned from the mistakes of 2011.


Regardless of how much they've changed, 2011 Dropbox was decidedly not two guys in a garage, and their complete and total lack of security engineering diligence, along with the multiple overlapping process failures that must have occurred to lead to that incident, call every future "At Dropbox we take security seriously" into question. (See also: "goto fail".)

At some point, Dropbox clearly didn't take security seriously. They claim otherwise now. The question is now "at what point should we believe them?" It's subjective and my opinion is that the 2011 management that didn't take security seriously then probably still doesn't take it that seriously now - they've simply hired underlings to worry about it.

I have experiences with companies that have security in their DNA from day one, and I've {observed, worked with, been a customer of} a whole fuckton more who bolt it on later once time and money permit. Most of the latter do not actually care one whit about security, it's just one more "avoid existential threat x" box they have to tick as their business grows.

Google falls into the former. Dropbox and Slack and LinkedIn fall into the latter.

https://www.troyhunt.com/we-take-security-seriously-otherwis...

There is no reasonable amount of time that needs to pass until I willingly let a Dropbox or a Slack or a LinkedIn run code in my workstation's kernel. Maybe that makes me a jerk - if it does, I apologize.

PS: That's not how you spell my username.

Google most certainly does not fall into the former.

Google has had multiple security incidents during the lifetime of the company that resulted in an increasing investment in upping their security profile. Operation Aurora (https://en.wikipedia.org/wiki/Operation_Aurora) was one of them (which of course bit a number of companies and was quite a sophisticated attack), but they have had other screwups, like the SRE spying incident (http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...) and others.

For Dropbox, the password incident did result in major and serious change; it was a turning point resulting in significant investment in product and infrastructure security. In my admittedly biased opinion Dropbox now has one of the best security teams out there. For example the product security team invests heavily in the XSS protections on Dropbox's website that are top of class, and stronger than those on many of Google's own first party properties (I'll demur on details here at the risk of likely violating one or more NDAs, but I encourage you to read https://blogs.dropbox.com/tech/category/security/).

Source: I've worked as a software engineer at both Google and Dropbox and I'm reasonably familiar with engineering, infrastructure/operational and physical security practices at both organizations.

Will you run the closed-source Dropbox kext on your machine?

I will. My system runs lots of closed source code already.

Surely you have higher standards for kernel space.

Nah. I trust Dropbox.