Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Ben Scott
On Wed, Apr 13, 2011 at 6:25 PM, Kurt Buff wrote: > I'm not clear on what the Dropbox host_id is either, but Muffett gives > the classic example: ssh keys. Good analogy, I think. Well, that depends. If the host_id is a private/secret key, okay, it's a great analogy. But private keys are, you

RE: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Ziots, Edward
-Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Wednesday, April 13, 2011 5:35 PM To: NT System Admin Issues Subject: Re: OT: Dropbox authentication: insecure by design On Wed, Apr 13, 2011 at 11:17, Andrew S. Baker wrote: >>>The takeaway here: Don't

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Ben Scott
On Wed, Apr 13, 2011 at 7:52 PM, Andrew S. Baker wrote: > Back to me and my 15% shared storage.  If the full system of one of the > people who I share a set of folders with becomes compromised, some 3rd party > could setup a separate machine that would allow them to install DropBox and > get acces
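The scenario Andrew describes here (a collaborator's box is compromised, the attacker stands up a separate machine and gets at the shared folders) and Ben's question above about what host_id actually is both come down to the same property: a static secret that any machine can present is a bearer credential. The following is an added illustration, not code from the thread or from Dropbox. It assumes, for the sake of the model, a config.db with a `config` key/value table holding a `host_id` (the real schema is not given on this page), a toy server that maps host_id to account and deliberately ignores which machine presents it, and a hypothetical `unlink_host` step standing in for whatever revocation the service offers. The host_id value and the accounts are constructed.

```python
import os
import sqlite3
import tempfile


def make_config_db(path, host_id):
    """Write a constructed config.db with a key/value `config` table.
    The layout is an assumption for illustration, not Dropbox's real schema."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE IF NOT EXISTS config (key TEXT PRIMARY KEY, value TEXT)")
        con.execute("INSERT OR REPLACE INTO config (key, value) VALUES ('host_id', ?)", (host_id,))
    con.close()


def read_host_id(path):
    """What an attacker with read access to the file needs: one SELECT."""
    con = sqlite3.connect(path)
    row = con.execute("SELECT value FROM config WHERE key = 'host_id'").fetchone()
    con.close()
    return row[0] if row else None


class BearerHostIdService:
    """Toy server: host_id -> account, with no binding to the presenting machine."""

    def __init__(self):
        self.host_to_account = {}   # host_id -> account name
        self.members = {}           # (owner, folder) -> set of accounts with access

    def link_host(self, account, host_id):
        self.host_to_account[host_id] = account

    def unlink_host(self, host_id):
        # Hypothetical revocation step: forget the host_id server-side.
        self.host_to_account.pop(host_id, None)

    def share(self, owner, folder, member):
        self.members.setdefault((owner, folder), {owner}).add(member)

    def folders_visible_to(self, host_id, client_hostname):
        # client_hostname is deliberately unused: the token alone decides,
        # which is exactly the bearer-credential behaviour under discussion.
        account = self.host_to_account.get(host_id)
        if account is None:
            return None
        return sorted(f"{owner}/{folder}"
                      for (owner, folder), who in self.members.items()
                      if account in who)


def simulate_stolen_host_id():
    """alice shares 'project' with bob; bob's config.db is read by a third party."""
    with tempfile.TemporaryDirectory() as tmp:
        bob_db = os.path.join(tmp, "config.db")
        make_config_db(bob_db, "bob-host-0001")   # constructed value

        svc = BearerHostIdService()
        svc.link_host("bob", "bob-host-0001")
        svc.share("alice", "project", "bob")

        # Attacker copies the value to a machine that never ran the installer.
        stolen = read_host_id(bob_db)
        attacker_view = svc.folders_visible_to(stolen, "attacker-laptop")

        # Only server-side revocation closes the door; rotating the file on bob's box does not.
        svc.unlink_host(stolen)
        after_unlink = svc.folders_visible_to(stolen, "attacker-laptop")

    return {"stolen_host_id": stolen,
            "attacker_sees": attacker_view,
            "after_unlink": after_unlink}


if __name__ == "__main__":
    print(simulate_stolen_host_id())
```

The point the model makes for the sharing case is that the victim is not only bob: every folder shared into bob's account is exposed through bob's copied token, and nothing bob does locally (reinstalling, wiping config.db) invalidates a copy the attacker already holds; the server has to stop honouring it.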

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Andrew S. Baker
Okay, so I happen to have a shared DropBox configuration with a variety of collaborators. A few folders are overlapping, but most are not. Some 15% of my total DropBox storage is shared. * * *>>That's not the risk I am concerned about. I'm concerned about the risk where you're sharing a Dropbox

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Kurt Buff
On Wed, Apr 13, 2011 at 11:39, Ben Scott wrote: >  I'm not clear on what "host_id" actually *is*. > >  Muffett's comments[1][2] make it sound like it is the private key > for an asymmetric cipher.  If so, then yes, getting it stolen would of > course compromise your Dropbox storage.  That's how pr

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Kurt Buff
On Wed, Apr 13, 2011 at 11:17, Andrew S. Baker wrote: >>>The takeaway here: Don't use any remote applications in the cloud  for >>> anything you wouldn't want to see posted on the front page of the NY Times. > FTFY I'll accept that fix. > This is much ado about nothing. I don't believe as you d

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Ben Scott
I'm not clear on what "host_id" actually *is*. Muffett's comments[1][2] make it sound like it is the private key for an asymmetric cipher. If so, then yes, getting it stolen would of course compromise your Dropbox storage. That's how practically every modern cryptosystem works. However, t

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Andrew S. Baker
>>The takeaway here: Don't use any *remote applications in the cloud* for anything you wouldn't want to see posted on the front page of the NY Times. FTFY This is much ado about nothing. If your box is compromised, and you're sharing things remotely, then you have more risks than if you weren't

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Kurt Buff
On Wed, Apr 13, 2011 at 10:29, S Powell wrote: > again, if someone has access to your config.db  you have MUCH larger > problems than access to your dropbox. The problem is not necessarily *your* machine (although I think that's still a consideration), it's everyone else with whom you share the d

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread S Powell
again, if someone has access to your config.db you have MUCH larger problems than access to your dropbox. - Who'd you rather be, the Beatles or the Rolling Stones? On Wed, Apr 13, 2011 at 10:14, Kurt Buff wrote: > On Tue, Apr 12, 2011 at 22:39, Angus Scott-Fleming > wrote

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Kurt Buff
On Tue, Apr 12, 2011 at 22:39, Angus Scott-Fleming wrote: > WTF were they thinking? You assume facts which are not in evidence. Kurt

Re: OT: Dropbox authentication: insecure by design

2011-04-13 Thread Rene de Haas
"WTF were they thinking?" +100 On Wed, Apr 13, 2011 at 7:39 AM, Angus Scott-Fleming wrote: > Don't know if any of you (or your clients) use Dropbox (I do), but if you > do, > you should probably read this and pass it on: > > = Included Stuff Follows = > Dropbox authenticat

OT: Dropbox authentication: insecure by design

2011-04-12 Thread Angus Scott-Fleming
Don't know if any of you (or your clients) use Dropbox (I do), but if you do, you should probably read this and pass it on: = Included Stuff Follows = Dropbox authentication: insecure by design ... After some testing (modification of data within the config tabl