
Darren P Meyer

an information security researcher, technology hobbyist, maker, parent, and rabid moderate. I work at Veracode, but I don't speak for them here.

Dropbox Is Probably Not Stealing All Your Files

A bit of additional material has been added to clarify why “a few hundred KB isn’t much”

There is a pretty serious allegation that Dropbox is stealing all your files making the rounds. The allegation is based on the following observations:

  • An unnamed DLP product noted that the Dropbox application accesses newly-created files outside the Dropbox folder

  • Firewall logs show the Dropbox application accessing Dropbox itself and Dropbox-controlled AWS endpoints around the same time as the above file access.

Seems pretty damning, right? Well… maybe not so much.

The Dropbox application uses a filesystem monitor to detect changes by watching filesystem write events. This is, by necessity, a system-wide process. So DLP alerting that Dropbox is “accessing” a new file shouldn’t be surprising.

Update: it turns out that it’s the Dropbox shell extension that’s most likely triggering these events. Thanks to @razvanh’s Medium explanation that clarifies this important point.

Likewise, the Dropbox application routinely communicates with its sync infrastructure at Dropbox and AWS endpoints, so it’s not surprising to see Dropbox communicating regularly to check whether there is a new sync point or the like.

So the provided evidence doesn’t show that Dropbox is reading or transmitting any files outside your Dropbox folder; but it doesn’t disprove it either. So how can we test?

A simple protocol can give us an idea of whether data is being sent to Dropbox:

  1. Create a large-ish file (1MB) outside of the Dropbox ...

Selecting a Passphrase Policy

Anyone who has spent a fair bit of time dealing with passwords and password security knows the pain of trying to establish a good password policy. That is, one which:

  • results in resistance to online and offline password-guessing attacks
  • won’t cause your users to rebel and burn down the office
  • maximizes the chances that your users will choose and remember a strong password

There is a great deal of guidance on this, including the NIST Electronic Authentication Guideline (pdf) that is commonly-referenced as a source for the “8 chars, mixed-case, digits, and special chars” default password policy that so many organizations establish.

But what about when you switch to passphrases? How do you set a passphrase policy that gives you same-or-better security as a good password policy?

When organizations start to consider switching from pass-words to pass-phrases—that is, authentication secrets made up of a series of words rather than simply characters—they end up either needlessly resisting passphrases or coming up with truly mind-boggling policies around them. It seems that many organizations have never ingested the reasoning behind common password guidance.

What I hope to do here is make some small progress toward fixing that situation by:

(This is long: if you want, you can skip to the recommendation.)

The principles behind password policies

The idea behind having a strong password policy is to make it infeasible for an ...

An open letter to the FCC

I sent this letter to the FCC’s public commentary mailbox; I’m posting it here in the spirit of openness.

The Age of the Internet has brought untold benefits, innovation, and prosperity. Such benefits are possible because there has always been a sort of “gentlemen’s agreement” that the ISPs are neutral when it comes to who is sending data to them.

Data from a tiny startup is treated the same as data from giants like Microsoft. People providing services using the Internet pay their providers for the Internet service they need, and subscribers do likewise.

However, large ISPs want an end to this ‘Net Neutrality. Not content with record profits from large and small providers alike, these ISPs want to charge again for “fast lane” access to the homes and offices of their subscribers. Businesses will pass these increased costs to consumers, and small organizations will find themselves with greatly increased barriers to serving their potential customers.

Our lack of effective last-mile provider competition has already made the US struggle to compete with Europe and Asia; allowing ISPs to dispense with network neutrality will only pump their profits—without significant benefit to consumers, and with harm to small innovators.

The FCC should be acting to preserve network neutrality, thus continuing to protect the fertile environment for Internet innovation. Instead, the chairman is proposing rules that will undermine it.

Effective meetings: focus on purpose

I’m all for eliminating meetings… but focusing overmuch on eliminating meetings is just as harmful as the mindless meeting culture. Meetings have their uses. I contend that if we focus on having purposeful, effective meetings, the number and frequency of meetings will automatically be reduced. There are really only three kinds of meetings, because there are only three reasons to have a meeting:

  • Conveying information
  • Making decisions
  • Solving problems through collaboration

If you’re clear on what the purpose of your meeting is, and there isn’t a better way to accomplish that goal, then have that meeting. The very exercise will result in fewer, better meetings.

Meetings that convey information

Status meetings are by far the most common meeting in this class. Stop that. The only useful status meeting is a Standup, and then only if it’s run properly. The vast majority of status is much more effectively communicated through text or images that can be explored and referenced at people’s own pace. Status meetings typically occur when people are bad at contributing to a status document or database of some kind—but using a meeting for accountability is harmful in the extreme. There are other management tools available to hold people accountable for communicating status.

Announcements are valid things to hold meetings for, but only if it’s important that the vast majority of affected parties receive the information at the same time, or if a Q&A session will be profitable. For example, announcing ...

I don’t care what you believe

I want to make one thing perfectly, crystalline clear: I don’t care what you believe.

If you want to believe that the entire universe was created 500 years ago when a magical purple manatee shat it out while swimming through the Æther, fantastic. You go ahead. I hope it brings you much happiness.

Here’s what I actually care about:

  • You accept that your individual successes and failures are strongly related to the communities in which you live, work, and play
  • You take tangible action to help those in need
  • You use whatever privilege you have (earned or unearned) to help those less fortunate than yourself
  • You make an effort to adopt and follow a rational code of ethics
  • You respect and value a diversity of being, ideas, backgrounds, and cultures

If your love for the magical purple manatee motivates you to do the above, yay for you. I’m glad you found a way of processing the world that helps make you a good person. But the moment your love for the magical purple manatee becomes more important than being a good person who does good things, you fail humanity.

So, again: I don’t care what you believe, but dammit, I care what you do with it.
