[liberationtech] Is Dropbox opening uploaded documents?
Dropbox is pulling a Skype.
----- Forwarded message from Joe Szilagyi
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails. also this is advertising.
--
pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6 3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt
At 02:14 AM 9/13/2013, stef wrote:
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails. also this is advertising.
Unless Dropbox has changed what they do, I wouldn't expect them to be generating thumbnails of my documents, at least not beyond the level of taking "foo.doc" and using a MS Word icon for it. Yes, I know gmail is different, but I would have expected Dropbox to leave my bits alone. At $DAYJOB, the firewall blocks access to Dropbox, because Corporate Security doesn't trust them with our own proprietary information, much less with customer data or sensitive personal info like employee SSNs. It's a useful service, so we've got our own Dropbox-clone which we can use instead.
On Fri, Sep 13, 2013 at 2:14 AM, stef wrote:
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails.
Dropbox generates thumbnails and optimized document views for smartphone clients. This could happen on demand, or it could be batched after the upload. Checking whether the embedded link is accessed a second time on displaying a doc on a smartphone might be revealing.

It also wouldn't be surprising if they were working on some kind of content indexing as other sync services are. Cloud storage is a competitive space, and Dropbox needs to keep up in order to maintain their rather high price per unit of storage.

Some Dropbox developers are visible in their forums if someone wants to ask first-hand.

This level of scrutiny doesn't make sense for any service with a closed source, self-updating client, however. Even if they encrypted client-side, made every kind of promise and did everything else perfectly, they could be compelled to quietly change things overnight. That could happen for everybody, or for just a few users who get slipped a different version.
I also suspect they're doing some level of malware screening. If so, it didn't work too well here - not that this is malware (the author of the original service that created these docs is a personal friend) but it has a lot of similar code / functionality.
On Mon, Sep 16, 2013 at 11:31 AM, Reed Black wrote:
On Fri, Sep 13, 2013 at 2:14 AM, stef wrote:
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails.
Dropbox generates thumbnails and optimized document views for smartphone clients. This could happen on demand, or it could be batched after the upload. Checking whether the embedded link is accessed a second time on displaying a doc on a smartphone might be revealing.
It also wouldn't be surprising if they were working on some kind of content indexing as other sync services are. Cloud storage is a competitive space, and Dropbox needs to keep up in order to maintain their rather high price per unit of storage.
Some Dropbox developers are visible in their forums if someone wants to ask first-hand.
This level of scrutiny doesn't make sense for any service with a closed source, self-updating client, however. Even if they encrypted client-side, made every kind of promise and did everything else perfectly, they could be compelled to quietly change things overnight. That could happen for everybody, or for just a few users who get slipped a different version.
-- @kylemaxwell
2013/9/16 Kyle Maxwell
I also suspect they're doing some level of malware screening. If so, it didn't work too well here - not that this is malware (the author of the original service that created these docs is a personal friend) but it has a lot of similar code / functionality.
Are you suggesting they pull external resources to scan them too? This'd be quite proactive. It remains quite unusual. Some variations of the experiment with:
* non-suspicious/interesting documents - should trigger well-intended automation as well as interesting documents
* boring file formats (like txt) and URLs - do all URLs get pulled or only automatically requested ones?
* files that won't load for rendering but would load for a crawler that tries to find malware
* your own server so that you may examine all the data sent along with the request, like the headers!
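The experiment sketched in the thread, as an added example that is not part of the original posts or of anything Dropbox publishes: a small canary-link harness that writes one test file per variant (bare URL in a text file, an HTML image tag, an OOXML external relationship, an unrenderable blob), each carrying its own random token, and serves the links from a host you control so that every fetch is logged with timestamp, client address and headers. The hostname `canary.example.invalid`, the `/c/<token>` path layout, the variant names and the port are assumptions chosen for illustration; which of the files a given service actually fetches is the thing you would be measuring.

```python
"""Canary-link harness for testing whether an upload service fetches URLs
embedded in uploaded files. Added example; host, paths and variants are
assumptions, not anything observed in the original thread."""
import http.server
import json
import secrets
import time
from urllib.parse import urlparse

# Assumed: a hostname you control, with DNS pointed at the machine running this.
CANARY_HOST = "canary.example.invalid"

# One variant per bullet in the experiment; each gets its own random token so a
# single fetch can be tied to exactly one uploaded file.
VARIANTS = ("txt_bare_url", "html_img_tag", "ooxml_external_rel", "unrenderable_blob")


def make_tokens(variants=VARIANTS):
    """Return {variant: random hex token}; tokens are unguessable on purpose."""
    return {v: secrets.token_hex(8) for v in variants}


def canary_url(token):
    return f"http://{CANARY_HOST}/c/{token}"


def build_variants(tokens):
    """Constructed test files as {filename: bytes}.

    boring.txt     only mentions a URL; a renderer has no reason to fetch it,
                   a string-scanning crawler might.
    view.html      an <img> that any real renderer or thumbnailer would fetch.
    rels.xml       an OOXML relationship with TargetMode="External", the kind of
                   reference a document previewer resolves (fragment, not a .docx).
    truncated.bin  garbage no previewer can open, with a URL embedded so only a
                   content scanner would ever find it.
    """
    url = lambda v: canary_url(tokens[v])
    return {
        "boring.txt": f"nothing to see here: {url('txt_bare_url')}\n".encode(),
        "view.html": f'<html><body><img src="{url("html_img_tag")}"></body></html>\n'.encode(),
        "rels.xml": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            f'Target="{url("ooxml_external_rel")}" TargetMode="External"/></Relationships>\n'
        ).encode(),
        "truncated.bin": b"\x00\x01\xff" + url("unrenderable_blob").encode() + b"\x00" * 32,
    }


def classify_hit(path, tokens):
    """Map a requested path back to the variant whose token it carries, else None."""
    parts = urlparse(path).path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "c":
        for variant, token in tokens.items():
            if parts[1] == token:
                return variant
    return None


def summarize(hits):
    """Group recorded hits by variant in time order, keeping what tells a batch
    job apart from an on-demand render: timestamp, client IP, User-Agent. A
    second fetch when the file is opened on a phone shows up as a later entry."""
    out = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        if h["variant"] is None:
            continue  # favicon probes, scanners, noise
        out.setdefault(h["variant"], []).append(
            (h["ts"], h["client"], h["headers"].get("User-Agent", "")))
    return out


class CanaryHandler(http.server.BaseHTTPRequestHandler):
    tokens = {}   # set before serving
    hits = []     # shared record of every request seen

    def _record(self):
        hit = {"ts": time.time(), "client": self.client_address[0],
               "method": self.command, "path": self.path,
               "variant": classify_hit(self.path, self.tokens),
               "headers": {k: v for k, v in self.headers.items()}}
        self.hits.append(hit)
        print(json.dumps(hit))  # one JSON line per request, easy to grep later

    def do_GET(self):
        self._record()
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):  # silence the default stderr access log
        pass


if __name__ == "__main__":
    CanaryHandler.tokens = make_tokens()
    for name, data in build_variants(CanaryHandler.tokens).items():
        with open(name, "wb") as f:  # upload these to the service under test
            f.write(data)
    print("serving on :8080; upload the generated files, then open them on a phone")
    http.server.HTTPServer(("", 8080), CanaryHandler).serve_forever()
```

Run it on the canary host, upload the four generated files, wait, then open each on a phone client and compare the JSON lines: a hit for `truncated.bin` or `boring.txt` can only come from a content scanner, while a hit for `view.html` or `rels.xml` that arrives long before any viewing, from a data-centre address and a non-browser User-Agent, points at a batch thumbnailer rather than an on-demand render.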
participants (6)
- Bill Stewart
- Eugen Leitl
- Kyle Maxwell
- Lodewijk andré de la porte
- Reed Black
- stef