[newsimage]http://static.rankone.nl/images_posts/2011/05/6ErClW.jpg[/newsimage]With online data security being at the forefront of consumers’ minds after several recent high-profile breaches, cloud storage service Dropbox is now coming under fire for the way they handle customers’ files. Read the full article here: [http://www.myce.com/news/dropbox-misrepresented-security-features-researcher-claims-45122/](http://www.myce.com/news/dropbox-misrepresented-security-features-researcher-claims-45122/) Please note that the reactions from the complete site will be synched below.
I’m sure this is the situation with any cloud based storage and here’s the loophole they can use (not just Dropbox), especially when faced with a legal order to hand over files:
Think of what happens when you forget your password. You click the “Forgot password” option, type your e-mail, maybe a security question and receive a password reset e-mail a little while later.
So how does this give their staff access? Well, they just need to follow this same process. For a service with security questions, I’m sure they can skip this step. They just need to have their server divert the password reset e-mail to an internal account and voila, they now have access. Once they copy out the files they want, they can either flag the account as suspended or restore the old password hash and log files to make the account look it was not touched. If for some reason the end user tries accessing the account during this time and complains about access, it’s just a matter of them making an excuse (e.g. server maintenance.)
If a service provided true password based encryption, there would be no way of gaining access to that service account once the password is lost, much like a high security flash drive (e.g. IronKey). Even if a service does make such a claim, there is no way of knowing for sure that the service provider has no access.
This is why I will never trust or use cloud anything as long as I can help it. The only place your files are fully under your control and fully private is in a hard drive that is on your premises and managed by you. This was one of my concerns when I heard about the cloud storage craze. The other is break-ins and/ or server failure. If their answer is to do local backups then why would I need to store it in the cloud when I have a local copy. Yeah the “anywhere” access angle they sell to you with is the only benefit I see but I don’t need access to my files that bad and if I did I would come up with a solution like LogMeIn to give me access to my home PC.
Cloud storage=False security IMO