[TriLUG] Dropbox and folders (directories)

Thomas Delrue via TriLUG trilug at trilug.org
Sat Feb 13 12:39:53 EST 2016


Since we're going from 'how to get my files up in DropBox' to
'encryption and online storage':

According to the available information, and I have no reason to believe
otherwise, your data in DropBox is encrypted in transit and at rest (and
they'll throw around 'AES-256' to make even techies feel comfortable),
but the important question is hardly ever asked and answered even less
frequently:

Who has access to the key used for this encryption?
The answer is: /you/ don't, but others (not limited to DropBox) do.

That being said, DropBox is not the worst out there (for more info,
check out the latest "Who Has Your Back" from the EFF:
https://www.eff.org/who-has-your-back-government-data-requests-2015 ).
It's not the worst, but it's not great either...

Regarding a question down in the thread:
> On Fri, Feb 12, 2016 at 3:21 PM, Roger W. Broseus
> <rogerb at bronord.com> wrote:
>> Can Dropbox scan contents of folders/ files, e.g., for the purpose
>> of data mining?
Yes, most certainly and loudly, yes! Do they? See previous answer!
If you believe otherwise, I've got a nice bridge for sale...very cheap
and located at a prime location!
Have a look at
https://en.wikipedia.org/wiki/Dropbox_%28service%29#Privacy_concerns for
a succession of mini-heart attacks if privacy is something you care
about.

Sure, sure, you've got nothing to hide and you're not dealing with state
secrets so all this talk about encryption and security is not needed,
it's all over the top, not for you because who would be interested in
/your/ data, right?
You wouldn't be the first (nor the umpteenth, nor last) who would be
'seriously inconvenienced' by your data being compromised, be that
willingly or less willingly by DropBox.
But more importantly: no-one has any business looking at your data, for
whatever reason! So why give them that opportunity?  After all, you
don't do "sudo chmod -R 777 /*" either, do you?

For all intents and purposes, encryption is relatively cheap these days,
even with maxed out keys. I don't see any reason why data should not be
encrypted when stored or moved. This includes your own machines (LUKS) &
communications (GPG) and most certainly when stored 'in the cloud' (aka
"someone else's servers").

If you really must use someone else's servers: OpenSSL (man openssl)
provides a very easy mechanism to encrypt (and decrypt) files which you
can invoke from the script that uploads to your favorite
"someone-else's-servers"-provider.
And then there's also:
$> gpg --recipient a@ddr.ess --encrypt < encrypt_this > encrypted_file

That being said: if you're looking for proper Op- & ComSec: don't use
the cloud. It's lonely here, but I'm not complaining...

> Nothing beats using real "off line" backups for retention.
> Especially for important and confidential data.

Hear, hear!

On 02/12/2016 03:29 PM, C TC via TriLUG wrote:
> Whoops, missed the thread on my first reply.
> 
> -- I keep private materials (printed bill payments, etc.) zipped and
> password protected.
> 
> I'm no pirate, but here's one reason why: bit.ly/1gKajlr

I don't think I've ever encountered an article that tries so hard to
*not* be read (bit.ly link goes to extremetech.com [which is part of
ziff davis] which makes requests to _at least_ 37 other domains and
requires JS to run from at least 21 different sites - and I still
haven't got it working, so I'm giving up on this)
(Sorry, pet peeve of mine)

> On Fri, Feb 12, 2016 at 3:21 PM, Roger W. Broseus
> <rogerb at bronord.com> wrote:
> 
>> I was under the impression that Dropbox storage of files was not
>> encrypted so this is news.
>> 
>> Is the encryption end-to-end? Can Dropbox scan contents of folders
>> / files, e.g., for the purpose of data mining?
>> 
>> I might change my mind about using Dropbox!
>> 
>> -- Roger W. Broseus - Linux User Email: RogerB at bronord.com Web
>> Site: www.bronord.com
>> 
>> On 02/11/2016 09:34 AM, C TC via TriLUG wrote:
>> 
>> Nothing beats using real "off line" backups for retention. 
>> Especially for important and confidential data. Though Dropbox data
>> is encrypted with 256-AES, I don't rely on it as a standalone
>> backup.
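As an added illustration of the encrypt-before-you-upload step the post describes with OpenSSL (this is example code written for this page, not something from the original message or from any provider): a POSIX shell script that encrypts a file with `openssl enc`, hands only the ciphertext to an upload step, and checks that the stored copy is opaque and that decryption restores the original. It assumes openssl(1) is installed; the passphrase file, the sample secret and the local `remote` directory are constructed here, and the `cp` inside `upload_encrypted` is a hypothetical stand-in for whatever provider CLI you actually use.

```shell
#!/bin/sh
# Added example: encrypt locally, then hand the ciphertext to an upload step,
# so "someone else's servers" only ever see data they cannot read.
# Assumptions: openssl(1) is available; the passphrase is kept in a file with
# mode 600; the "upload" is a hypothetical cp into a directory standing in
# for the provider.
set -eu

# encrypt_file SRC DST PASSFILE
# AES-256-CBC with a random salt and a PBKDF2-derived key (200k iterations),
# so the passphrase is never used directly as key material.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file SRC DST PASSFILE: inverse of encrypt_file with the same KDF settings.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# upload_encrypted SRC PASSFILE REMOTE_DIR
# Encrypts SRC to a temp file, "uploads" the ciphertext, removes the temp file,
# and prints the path of the stored copy. Plaintext never reaches REMOTE_DIR.
upload_encrypted() {
    src=$1; passfile=$2; remote=$3
    tmp=$(mktemp)
    encrypt_file "$src" "$tmp" "$passfile"
    # Hypothetical upload step: replace this cp with your provider's CLI.
    cp "$tmp" "$remote/$(basename "$src").enc"
    rm -f "$tmp"
    printf '%s\n' "$remote/$(basename "$src").enc"
}

# roundtrip_check: builds a constructed secret, a random passphrase and a fake
# remote; returns 0 only if the stored copy does not contain the plaintext AND
# decrypting it reproduces the original byte for byte.
roundtrip_check() {
    work=$(mktemp -d)
    remote="$work/remote"
    mkdir -p "$remote"
    printf 'constructed sample: account 1234, do not share\n' > "$work/secret.txt"
    (umask 077; openssl rand -hex 32 > "$work/passphrase")   # constructed secret
    stored=$(upload_encrypted "$work/secret.txt" "$work/passphrase" "$remote")
    if grep -q 'account 1234' "$stored"; then
        rm -rf "$work"; return 1          # plaintext leaked to the "remote"
    fi
    if ! decrypt_file "$stored" "$work/restored.txt" "$work/passphrase"; then
        rm -rf "$work"; return 1
    fi
    if cmp -s "$work/secret.txt" "$work/restored.txt"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Stand-alone run: report whether the encrypt -> upload -> decrypt loop holds.
if roundtrip_check; then
    echo "round trip OK: remote copy is ciphertext, decryption matches"
else
    echo "round trip FAILED" >&2
fi
```

Note that `openssl enc` gives confidentiality only; it adds no authentication tag, so a modified ciphertext is not detected until the decrypted content looks wrong. For files you also need to trust on the way back, the `gpg --encrypt` form from the post (which signs and integrity-protects as part of its format) is the better fit, or pair this with a separately stored HMAC.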