drag and drop(box)

May 1 | 2012

Dropbox has been a popular host for data and file storage. Many designers use it because its GUI is simple and easy to use. But all that glitters is not gold. As Dropbox is run by a company, we can never be sure how users’ files are being handled, not to mention security issues. Unfortunately, Dropbox hasn’t exactly set a good example on either count:

“Dropbox has been criticized by independent security researcher Derek Newton, who has argued that Dropbox’s authentication architecture is inherently insecure, and by software expert Miguel de Icaza who claims that Dropbox’s terms of service contradicts its privacy policy and that the company’s famous claim “Dropbox employees aren’t able to access user files” is a lie” (source: Wikipedia)

What does that mean? Dropbox has been using a system which detects whether a file has been uploaded by another user before and links it to the existing copy. It is using the same key type (as a “security” measure) for every file on the system to encrypt files being uploaded. So what happens if someone gets that key? Yes, they can access all files… and who else could it be, except some lost script kiddies breaking stuff? Yes, the people who build it, read: employees.

You thought these were just made-up examples? No. Actually, Dropbox got hacked in 2011 (probably by some lost script kiddies) and as a result, accounts were accessible without a password for a few hours. At that time, a bunch of users who were online got affected. You want to hope that all has been well ever since. It’s not in Dropbox’s interest to admit it if not, so… What else? Oh yes, the employees. They would never ever want to access any user’s “encrypted” files, right? Unless the government asks for it. If there is a law enforcement request, encrypted files are useless to them if they cannot be read. You can imagine the rest of the story.

Of course you can keep using Dropbox if you like, but at least know the risks and act accordingly. You might want to store only files that don’t contain any sensitive data (in the case of a designer, sensitive data might be the personal or financial details on a client’s newly designed letterhead). Other than that, you might open your mind a bit to some alternatives.

To show what an alternative could look like, I’ll give my own workflow as an example. First of all, it depends on the client I deal with and whether they can handle encrypted material or not. In most cases they cannot, so let’s start with that case:

Just like most of us, I create a folder for the client’s relevant files. Once the files are ready to send off, I digitally sign each file. You can read up on how all that stuff works. Next, I create an archive of the files and their signatures (.zip for Windows, .tar.bz2 for other operating systems). To upload that file, I use a place like sendspace. I can then post a link to the recipient, set a link expiry if I want to, or just let it be deleted after 30 days (if using the free variant of the service).

If a client can handle encrypted material, I sign, encrypt and armor the folder. You can read up on how to get this done as well. As soon as the file is ready to go, I upload it either to sendspace or to pastebin. The latter lets you set the link to “private” mode and you can also set an expiry. The downside is that you can only send text material. As the encrypted file looks like a random mix of letters and numbers, it is treated as text, hence pastebin is able to process it. Again, you give your client a download link.
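
The two hand-offs described above (sign each file and archive; sign, encrypt and armor), sketched as an added example that is not part of the original post. It assumes GnuPG 2.x as the tool, which the post does not name, and a flat client folder; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumes: gpg (GnuPG 2.x), tar with bzip2, a flat client folder.

# sign_and_pack DIR ARCHIVE [SIGNER]
# Sender side: write a detached, armored signature (.asc) next to each file
# in DIR, then pack the folder (files plus signatures) into ARCHIVE.
sign_and_pack() {
    sp_dir=$1 sp_archive=$2
    if [ -n "${3:-}" ]; then set -- --local-user "$3"; else set --; fi
    for sp_f in "$sp_dir"/*; do
        [ -f "$sp_f" ] || continue
        case $sp_f in *.asc) continue ;; esac   # never sign a signature
        gpg --batch --yes "$@" --armor --detach-sign \
            --output "$sp_f.asc" "$sp_f" || return 1
    done
    tar -cjf "$sp_archive" -C "$(dirname "$sp_dir")" "$(basename "$sp_dir")"
}

# unpack_and_verify ARCHIVE DEST
# Recipient side: extract, then check every file against its signature.
# Fails on a bad signature and also on a file that has no signature at all,
# so nothing unsigned can be slipped into the archive on the way.
unpack_and_verify() {
    uv_archive=$1 uv_dest=$2
    mkdir -p "$uv_dest" && tar -xjf "$uv_archive" -C "$uv_dest" || return 1
    find "$uv_dest" -type f ! -name '*.asc' | while IFS= read -r uv_f; do
        [ -f "$uv_f.asc" ] || { echo "UNSIGNED: $uv_f" >&2; exit 1; }
        gpg --batch --verify "$uv_f.asc" "$uv_f" 2>/dev/null ||
            { echo "BAD SIGNATURE: $uv_f" >&2; exit 1; }
    done
}

# seal_for RECIPIENT FILE
# For clients who can handle encryption: sign, encrypt to RECIPIENT's public
# key and ASCII-armor FILE. The result, FILE.asc, is plain text.
seal_for() {
    gpg --batch --yes --armor --sign --encrypt \
        --recipient "$1" --output "$2.asc" "$2"
}
```

A "good signature" only means something once the recipient has imported your public key and confirmed its fingerprint with you over another channel.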

As far as backups go, it’s definitely safer to do them yourself. Get USB drives; you can never have enough of those. You can get them in all shapes and forms, so that even a designer will be happy. Keep your important stuff on them, so that if the internet is down or your box blows up, you’re not that screwed. And if you managed to read all this until now, you might realize that it’s all not as hard as it seems. So long, stay safe!
