[pfitzsimmons]

From skimming the original paper, it seems as if you can bypass authentication if you know certain keys that that particular dropbox client stores locally. Of course, if you were able to access those values on the local hard-drive, you likely already have access to the victim's hard-drive or computer. In that case you have the victim's local copy of the dropbox folder already, there is no need for reverse engineering.

This "weakness" is no different than the weakness of two-factor authentication in any scenario where login is persistent. I have two-factor gmail authentication for gmail with "remember me" set so I do not have to log in every day. If someone steals my laptop and gets my cookies, they can log in as me regardless of two-factor authentication, until the cookie authentication expires.

[bad_user]

If somebody steals my laptop and it's still open, they still have to provide my user password since the screen gets locked after some time of inactivity. And reading from the hard-drive directly won't help, because I got an encrypted hard-drive (with dmcrypt).

I did this precisely because the laptop is a single point of failure. Steal somebody's laptop and bam, you've got access to everything important to that person.

My Android phone is also encrypted (with a much weaker password) and I can also remotely delete everything on it through Google Apps.

[kefka]

I hope you did things like disable firewire, and superglue the ram in the slots.

And I've done something similar with my iPhone. It reverse SSHs in to my server, and provides me a shell login. Something bad happens? I can rm -rf * to my iPhone.

And I can do bad things :)