[liberationtech] Is Dropbox opening uploaded documents?
Dropbox is pulling a Skype.

----- Forwarded message from Joe Szilagyi <szilagyi@gmail.com> -----

Date: Thu, 12 Sep 2013 08:42:17 -0700
From: Joe Szilagyi <szilagyi@gmail.com>
To: liberationtech@lists.stanford.edu
Subject: [liberationtech] Is Dropbox opening uploaded documents?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
Reply-To: liberationtech <liberationtech@lists.stanford.edu>

Found online: http://www.wncinfosec.com/dropbox-opening-my-docs/

-- Joe Szilagyi

-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys@stanford.edu.

----- End forwarded message -----

-- Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
No it's not, it's generating thumbnails. Also this is advertising.

-- pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6 3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt
At 02:14 AM 9/13/2013, stef wrote:
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails. also this is advertising.
Unless Dropbox has changed what they do, I wouldn't expect them to be generating thumbnails of my documents, at least not beyond the level of taking "foo.doc" and using a MS Word icon for it. Yes, I know Gmail is different, but I would have expected Dropbox to leave my bits alone.

At $DAYJOB, the firewall blocks access to Dropbox, because Corporate Security doesn't trust them with our own proprietary information, much less with customer data or sensitive personal info like employee SSNs. It's a useful service, so we've got our own Dropbox clone which we can use instead.
On Fri, Sep 13, 2013 at 2:14 AM, stef <s@ctrlc.hu> wrote:
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails.
Dropbox generates thumbnails and optimized document views for smartphone clients. This could happen on demand, or it could be batched after the upload. Checking whether the embedded link is accessed a second time on displaying a doc on a smartphone might be revealing.

It also wouldn't be surprising if they were working on some kind of content indexing as other sync services are. Cloud storage is a competitive space, and Dropbox needs to keep up in order to maintain their rather high price per unit of storage.

Some Dropbox developers are visible in their forums if someone wants to ask first-hand.

This level of scrutiny doesn't make sense for any service with a closed source, self-updating client, however. Even if they encrypted client-side, made every kind of promise and did everything else perfectly, they could be compelled to quietly change things overnight. That could happen for everybody, or for just a few users who get slipped a different version.
I also suspect they're doing some level of malware screening. If so, it didn't work too well here - not that this is malware (the author of the original service that created these docs is a personal friend) but it has a lot of similar code / functionality.

On Mon, Sep 16, 2013 at 11:31 AM, Reed Black <reed@unsafeword.org> wrote:
On Fri, Sep 13, 2013 at 2:14 AM, stef <s@ctrlc.hu> wrote:
On Fri, Sep 13, 2013 at 07:58:17AM +0200, Eugen Leitl wrote:
Dropbox is pulling a Skype.
no it's not, it's generating thumbnails.
Dropbox generates thumbnails and optimized document views for smartphone clients. This could happen on demand, or it could be batched after the upload. Checking whether the embedded link is accessed a second time on displaying a doc on a smartphone might be revealing.
It also wouldn't be surprising if they were working on some kind of content indexing as other sync services are. Cloud storage is a competitive space, and Dropbox needs to keep up in order to maintain their rather high price per unit of storage.
Some Dropbox developers are visible in their forums if someone wants to ask first-hand.
This level of scrutiny doesn't make sense for any service with a closed source, self-updating client, however. Even if they encrypted client-side, made every kind of promise and did everything else perfectly, they could be compelled to quietly change things overnight. That could happen for everybody, or for just a few users who get slipped a different version.
-- @kylemaxwell
2013/9/16 Kyle Maxwell <kylem@xwell.org>
I also suspect they're doing some level of malware screening. If so, it didn't work too well here - not that this is malware (the author of the original service that created these docs is a personal friend) but it has a lot of similar code / functionality.
Are you suggesting they pull external resources to scan them too? This'd be quite proactive. It remains quite unusual.

Some variations of the experiment with:
* non-suspicious/interesting documents - should trigger well-intended automation as well as interesting documents
* boring file formats (like txt) and URLs - do all URLs get pulled or only automatically requested ones?
* files that won't load for rendering but would load for a crawler that tries to find malware
* your own server so that you may examine all the data sent along with the request, like the headers!
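The experiment the thread keeps circling (Reed's "is the embedded link accessed a second time when the doc is displayed on a phone", Lodewijk's "boring formats, files that only load when rendered, your own server so you can see the headers") written out as an added example. This is not code from any of the messages or from the wncinfosec post. The host canary.example, the /c/<token>/<label> path scheme, the three file variants and port 8080 are this example's own assumptions; point base_url at a host you control.

```python
"""Canary-URL experiment: does a cloud service fetch links embedded in uploads?
Added example, not from the thread or the wncinfosec post. canary.example and the
/c/<token>/<label> scheme are assumptions; point base_url at your own host."""
import io, re, secrets, threading, zipfile
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from xml.sax.saxutils import escape

# One unguessable token per test file, so a hit identifies the file that caused
# it; the trailing label records where inside that file the URL sat.
CANARY_RE = re.compile(r"^/c/(?P<token>[0-9a-f]{16})/(?P<label>[A-Za-z0-9-]+)$")

# The three parts of the smallest OOXML package a Word-style previewer opens.
CT = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
      '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
      '<Default Extension="xml" ContentType="application/xml"/>'
      '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
RELS = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>')
DOC = ('<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
       '<w:body><w:p><w:r><w:t>{}</w:t></w:r></w:p></w:body></w:document>')


def minimal_docx(text):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CT)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", DOC.format(escape(text)))
    return buf.getvalue()


def docx_text(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read("word/document.xml").decode()


def make_test_files(base_url):
    """{filename: (token, bytes)}: a boring .txt with a bare URL (does every URL
    get pulled?), an .html whose URL only loads if the file is rendered, and a
    .docx that a previewer or thumbnailer would actually open."""
    def entry(name, label, build):
        t = secrets.token_hex(8)
        return name, (t, build(f"{base_url}/c/{t}/{label}"))
    return dict([
        entry("boring.txt", "txt", lambda u: f"Quarterly notes. Ref: {u}\n".encode()),
        entry("render.html", "html-img", lambda u: f'<html><body><img src="{u}"></body></html>\n'.encode()),
        entry("plain.docx", "docx", lambda u: minimal_docx(f"See {u}")),
    ])


class CanaryLog:
    """Every fetch of a canary URL, with the requester's address and headers."""
    def __init__(self):
        self.hits, self._lock = [], threading.Lock()

    def record(self, path, headers, client_ip, when=None):
        m = CANARY_RE.match(path)
        if not m:
            return None  # favicon probes, scanners, typos: not a canary hit
        hit = {"token": m["token"], "label": m["label"], "client": client_ip,
               "user_agent": headers.get("User-Agent", ""), "headers": dict(headers),
               "time": (when or datetime.now(timezone.utc)).isoformat()}
        with self._lock:
            self.hits.append(hit)
        return hit

    def summarize(self, files):
        """Hits per test file; compare each hit's time with the upload time and
        with the moment you opened the file in a client (on-demand vs batched)."""
        by_token = {tok: name for name, (tok, _) in files.items()}
        out = {name: [] for name in files}
        for h in self.hits:
            if h["token"] in by_token:
                out[by_token[h["token"]]].append(h)
        return out


def make_handler(log):
    class Handler(BaseHTTPRequestHandler):
        def _respond(self, write_body):
            hit = log.record(self.path, self.headers, self.client_address[0])
            body = b"ok\n" if hit else b"not found\n"
            self.send_response(200 if hit else 404)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if write_body:
                self.wfile.write(body)
        def do_GET(self): self._respond(True)
        def do_HEAD(self): self._respond(False)   # some fetchers probe with HEAD first
        def log_message(self, *args): pass        # CanaryLog is the record, not stderr
    return Handler


if __name__ == "__main__":
    import json, pathlib, time
    files, log = make_test_files("http://canary.example"), CanaryLog()  # assumed host
    out = pathlib.Path("canary_files"); out.mkdir(exist_ok=True)
    for name, (_, content) in files.items():
        (out / name).write_bytes(content)
    server = ThreadingHTTPServer(("0.0.0.0", 8080), make_handler(log))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    print("upload ./canary_files to the service; Ctrl-C prints the hits")
    try:
        while True: time.sleep(1)
    except KeyboardInterrupt:
        print(json.dumps(log.summarize(files), indent=2))
```

Run it on the host the URLs point at, upload the generated files, then open one of them in a phone client some minutes later and look at the timestamps: a hit right after upload means batch processing, a second hit when you open it means on-demand rendering, and the User-Agent and source address in each hit say which component fetched it. A hit only shows that something dereferenced the URL, not why (thumbnailer, malware scan, link preview), and per Reed's point it says nothing about what a closed, self-updating client does on your own machine.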
participants (6)
- Bill Stewart
- Eugen Leitl
- Kyle Maxwell
- Lodewijk andré de la porte
- Reed Black
- stef