Dropbox Opens Your Files

It’s just that they don’t open them in the way that you think they do. WNC InfoSec has a post from vintsurf about something he caught Dropbox doing with Word documents:

All .doc embedded HoneyDocs appear to have been accessed…from different Amazon EC-2 instance IPs.

Essentially what he found was that every time a new Word document is uploaded, it is opened on an Amazon server in LibreOffice — and it appears to be opened only once. OK, so before we get too riled up we need to look at reasonable explanations for this behavior.

The most reasonable explanation is that this is done to render a preview of the file for the web interface. And that makes a lot of sense. Hacker News seems to agree with this notion as well.
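To make the reasoning above concrete, here is an added example (my own illustration, not code from the original post or from vintsurf's write-up) that triages beacon hits from HoneyDocs: the log format, the provider address range and the verdict names are all assumptions. A document fetched exactly once from the hosting provider's own ranges matches the "render a preview" explanation; fetches from anywhere else are what would actually warrant alarm.

```python
import ipaddress
from collections import defaultdict

# Constructed sample beacon log (not real data). Each HoneyDoc embeds a unique
# remote resource; the beacon server records every fetch of it as: <ts> doc=<name> ip=<addr>
SAMPLE_LOG = """\
2013-09-04T10:12:01Z doc=quarterly-plan.doc ip=203.0.113.17
2013-09-04T10:15:44Z doc=salaries.doc ip=203.0.113.88
2013-09-04T11:02:09Z doc=quarterly-plan.doc ip=198.51.100.5
2013-09-04T11:40:30Z doc=notes.doc ip=203.0.113.88
2013-09-04T11:40:31Z doc=notes.doc ip=203.0.113.88
"""

# Constructed placeholder (TEST-NET-3) standing in for the hosting provider's
# published address ranges; in practice load the provider's real list.
PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_beacon_log(text):
    """Yield (doc, ip) pairs from the assumed '<ts> doc=<name> ip=<addr>' lines."""
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if "doc" in fields and "ip" in fields:
            yield fields["doc"], ipaddress.ip_address(fields["ip"])


def is_provider_ip(ip):
    """True if the address falls inside one of the provider's ranges."""
    return any(ip in net for net in PROVIDER_RANGES)


def classify_opens(text):
    """Map each doc to a verdict:
    'provider-preview'  - one fetch, from provider ranges only (consistent with a
                          single server-side preview render);
    'provider-repeated' - several fetches, all from provider ranges;
    'external'          - at least one fetch from outside the provider's ranges."""
    hits = defaultdict(list)
    for doc, ip in parse_beacon_log(text):
        hits[doc].append(ip)
    verdicts = {}
    for doc, ips in hits.items():
        if not all(is_provider_ip(ip) for ip in ips):
            verdicts[doc] = "external"
        elif len(ips) == 1:
            verdicts[doc] = "provider-preview"
        else:
            verdicts[doc] = "provider-repeated"
    return verdicts


if __name__ == "__main__":
    for doc, verdict in sorted(classify_opens(SAMPLE_LOG).items()):
        print(f"{doc}: {verdict}")
```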

Two weeks ago I would have given Dropbox the benefit of the doubt that, yes, this is likely just to render previews and that I was OK with that.

But this isn’t two weeks ago.

I have no reason to trust Dropbox — to trust that the NSA hasn’t subverted their systems somehow. That’s unfortunate for Dropbox, and for me.

Dropbox has always held the encryption keys for user files, and has repeatedly said there is a vigorous security system in place to keep prying eyes from our files. Since those statements were made, here are a few things we know to be fact:

  1. The NSA probably has a more vigorous security system in place, and Snowden stole so many documents that the NSA isn’t even sure what he has.
  2. Dropbox clearly allows Amazon instances access to user files. At the very least to render previews.
  3. The NSA is known to weaken cryptography and get backdoors installed for them, and there is simply no way to verify that this hasn’t happened at Dropbox or Amazon.
  4. We know that Dropbox was/is a target for NSA’s PRISM program — there’s little reason to doubt that the NSA places a high value on getting access to user files stored in the cloud.

So, in light of all of this, as of 10:54am PT I cancelled my Dropbox account. I didn’t just stop using it this time, I deleted it.

For now the biggest bottleneck will be 1Password syncing, but more on that in a later post. (You can see some of my alternative Dropbox solutions here.)

I highly suggest you either get rid of your Dropbox account or encrypt every file on it that you wouldn’t want getting leaked into the public domain.

This sucks — for everyone.