by sneak 3683 days ago
Regardless of how much they've changed, 2011 Dropbox was decidedly not two guys in a garage, and their complete and total lack of security engineering diligence and the multiple overlapping process failures that must have occurred to lead to that incident call every future "At Dropbox we take security seriously" into question. (See also: "goto fail".)

At some point, Dropbox clearly didn't take security seriously. They claim otherwise now. The question is now "at what point should we believe them?" It's subjective and my opinion is that the 2011 management that didn't take security seriously then probably still doesn't take it that seriously now - they've simply hired underlings to worry about it.

I have experiences with companies that have security in their DNA from day one, and I've {observed, worked with, been a customer of} a whole fuckton more who bolt it on later once time and money permit. Most of the latter do not actually care one whit about security, it's just one more "avoid existential threat x" box they have to tick as their business grows.

Google falls into the former. Dropbox and Slack and LinkedIn fall into the latter.

https://www.troyhunt.com/we-take-security-seriously-otherwis...

There is no reasonable amount of time that needs to pass until I willingly let a Dropbox or a Slack or a LinkedIn run code in my workstation's kernel. Maybe that makes me a jerk - if it does, I apologize.

PS: That's not how you spell my username.


Google most certainly does not fall into the former.

Google has had multiple security incidents during the lifetime of the company that resulted in an increasing investment in upping their security profile. Operation Aurora (https://en.wikipedia.org/wiki/Operation_Aurora) was one of them (which of course bit a number of companies and was quite a sophisticated attack), but they have had other screwups, like the SRE spying incident (http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...) and others.

For Dropbox, the password incident did result in major and serious change; it was a turning point resulting in significant investment in product and infrastructure security. In my admittedly biased opinion Dropbox now has one of the best security teams out there. For example the product security team invests heavily in the XSS protections on Dropbox's website that are top of class, and stronger than those on many of Google's own first party properties (I'll demur on details here at the risk of likely violating one or more NDAs, but I encourage you to read https://blogs.dropbox.com/tech/category/security/).

Source: I've worked as a software engineer at both Google and Dropbox and I'm reasonably familiar with engineering, infrastructure/operational and physical security practices at both organizations.

Will you run the closed-source Dropbox kext on your machine?
I will. My system runs lots of closed source code already.
Surely you have higher standards for kernel space.
nah. I trust Dropbox.