[copsarebastards]

The cycle of security is this:

1. Security experts see a security hole and note that it could only be used by a widely trusted company or government.

2. People note that it's also possible that it's not happening, and claim that the widely trusted company or government would never use the security hole.

3. It is discovered that the widely trusted company or government has been using the security hole.

[Dylan16807]

"Touches files it doesn't have to" is not a security hole.

[jamiesonbecker]

Perhaps it's semantics, but you're right - it's not a security hole.

It's worse.

Exceeding authorization is exploiting an existing hole.

[copsarebastards]

"Users install program that touches files the users might not want it to" is a security hole. The unknown is whether Dropbox comes with malware which takes advantage of that security hole.

[Dylan16807]

A hidden function or update could enable malicious behavior on all files whether or not it had preexisting behavior of touching all files. Only in certain detailed permission structures would preexisting behavior matter.

[copsarebastards]

If a hidden function enabled malicious behavior, causing it to touch all files, the hidden function would very quickly cease to be hidden.

Are you seriously arguing that it's okay for Dropbox to touch files you didn't give it permission to touch? This is ridiculous.

[Dylan16807]

>If a hidden function enabled malicious behavior, causing it to touch all files, the hidden function would very quickly cease to be hidden.

I'm not sure where you're going with this. Yes, a security hole would become much more visible after it was exploited. That doesn't imply that anything visibly weird Dropbox does is a security hole.

The only notable flaw in security here is that it's a program on a normal OS outside a sandbox. This is a huge flaw but it applies to most programs.

>Are you seriously arguing that it's okay for Dropbox to touch files you didn't give it permission to touch? This is ridiculous.

I am. Touching files does not mean taking information from files. And between the explorer extension and the way file monitoring works on windows it's going to be fed a list of your files no matter what.

Security holes are a subcategory of "things a program can do, but shouldn't be able to do". They are described entirely in terms of potential behavior, not current behavior.

[copsarebastards]

Okay, if you want to be pedantic about the meaning of the words "security hole" instead of addressing the actual concerns people have with Dropbox, then we can just call Dropbox "potential malware" and be done with it. Does that address your terminology concerns? Can we move on to talking about the important stuff now?