[bxr]

Last time the Dropbox security thing was in the news, regardless of your personal preference on what encryption keys dropbox should have been using, the issue and more importantly the way they handled it made me question their abilities. Then they sent a DMCA takedown notification notification to someone they were just trying to censor, and now they temporarily set their auth method to "allow any password".

They are showing us that they are technologically incompetent at managing their own systems. I don't know why anyone continues to do buisness with them for files they want any sort of privacy over.

I've moved to rsync.net. Its uglier, but at least they know what the fuck they're doing.

[mcrittenden]

> I've moved to rsync.net. Its uglier, but at least they know what the fuck they're doing.

How do you know? Could it just be that the only reason Dropbox has publicized exploits and rsync.net doesn't is because Dropbox has many, many more users? And thus more people trying to exploit it and more publicity when an exploit is found?

[bxr]

>How do you know?

Pubkey auth connecting to openssh on freebsd to hippa- pci- sox- and sas 70- compliant storage with a warrant canary and you can give them a call to talk to the engineers (I have). Looking back dropbox feels like a fly by night in comparison.

[nokcha]

> Then they sent a DMCA takedown notification notification to someone they were just trying to censor...

That's not true. They used an admin control to disable public sharing of a file in DropBox; this procedure apparently is typically used when DropBox receives a DMCA request and it had a side-effect of (mistakenly) notifying the file's owner that DropBox received a DMCA notification. See http://news.ycombinator.com/item?id=2483053. DropBox didn't send a DMCA takedown request to any service provider hosting the file.

[jsprinkles]

Honestly the whole DMCA explanation from the executive team sounded like finding an explanation that fits. I hate that people read a comment like that then turn around and claim it to be the truth as you are doing.

You do not know what happened any more than the OP does so your usage of the word 'true' is weak at best. I'd be more okay with your comment if you had written "Drew explained" instead of "That's not true" as if you speak authoritatively.

[palish]

This is completely unfair to Drew and also out of line.

We do know what happened, because Drew told us what happened.

Years ago, when my wife thought her MacBook was stolen, I emailed Drew and asked if he would notify us if it connected to Dropbox, and he was happy to help. This was back when Dropbox was small. (My account is number 315, for example.)

Drew is a good person, and unless you have some basis for calling him a liar, don't.

[jsprinkles]

What is "out of line" is attacking me for operating on a default-untrusted policy instead of a default-trusted policy. We all don't share your happy Drew Houston story do we?

That is great that Drew helped you when the company was small. Facts are easy to distort when your company's reputation is getting flushed down the toilet and it is not a reflection upon Drew personally that I do not automatically trust him.

I tried believing in the best in people. It stopped working. Until shown otherwise I question every input and you would be stupid to do otherwise.

[palish]

I can relate with "I tried believing in the best in people. It stopped working." I've had some nasty experiences as well. I've been burnt, badly, a lot. By both family and friends.

You're right. I was probably just clinging to the fantasy that YCombinator is the one pure group of people in a world of backstabbers. But I guess Airbnb already disproved that.

I don't distort facts. Neither did Feynman. Drew is an MIT alum, so I was assuming/hoping YCombinator consisted mostly of people with that type of scientific integrity.

[jessedhillon]

Curious, what does this refer to: "But I guess Airbnb already disproved that."

[CWuestefeld]

I think there's a difference between deciding that you're skeptical, so that you're not going to act in a way that risks too much; versus publicly implying that it's actually a lie.

[ugh]

The story is completely plausible and makes, unlike all other explanations, sense.

[drdaeman]

I must remind you that DMCA email did contain name of the company who sent it (and it was "Dropbox", if I remember it correctly). I guess, Dropbox administrator had to type it by hand (I doubt they frequently send DMCAs from "Dropbox") - and it is hard to imagine that UI was unclean on purporse of that field.

[brown9-2]

Then they sent a DMCA takedown notification notification to someone they were just trying to censor

It came out in the aftermath that the takedown notice was the result of an automated process that was accidentally triggered.

[bxr]

I know. I didn't bring that up to accuse them of malice as far the DMCA part, I brought that up as an example that dropbox employees don't understand what their own internal tools do.

[SoftwareMaven]

I don't think that is as damning as you seem to. Once a company reaches more than a handful of people, knowing all the tools inside and out (especially in the divide between development and support, which this particular case highlighted) becomes impossible.

However, regardless of whether I feel like the previous event said anything about DropBox's development capabilities, I do feel like this event does.

I'm responsible for the authentication code for my company. I can't imagine having a default "YES" in any circumstance, and that DropBox did shakes my faith in them and their ability to protect my information significantly.

[blasdel]

At this point I'm only surprised that the thread for this incident wasn't moderated away by YC (hidden from the front page, [dead], or deleted)

[hemancuso]

Have you tried strongspace.com ?

Just like rsync.net but infinitely cheaper and based on ZFS. With a web interface [and ZFS snapshots]

[presidentender]

I'd suspect that rsync's security advantage is more related to their obscurity than their superiority. My personal site has not been compromised by LulzSec or Anonymous, for instance, but that's simply because I haven't attracted the attention. I'm sure my Wordpress, FTP or hosting passwords could be discovered by some attack.

[swix]

If it's online, it's not safe, period. Not combination of encryption, or BSD*, or any operating system will make it safe. Why? Human error.

Brain surgeons makes mistakes, people die. Pilots makes mistakes, people die. _Everyone_ makes mistakes. There is not one single person on this planet who is perfect, human error, this includes the employees of rsync.net, or any other company for that matter.

Today it happened to dropbox, tomorrow it happends to Visa, Bank of america, Amazon, rsync.net, <insert X company here>

Its just life, learn to deal with it. If you seriously have seriously confidential stuff, you're probably intelligent enough not to "upload" it anywhere, much less some file service with millions of users.

The more users the more exposed it is, human error. No encryption or system will ever protect against it, at least until we have true AI, and yes you also make mistakes, now matter how stupidly simple or complicated they are, nevertheless you do.

And dropbox, don't get a sad face because of this, just look at Sony or whatever, then smile.

[bxr]

Indeed security is never prefect, however "its hard at it and we all suck at it" does not mean that everyone sucks at it equally.