A few days ago Dropbox released some code on their production servers that allowed logging in to accounts without a valid password. It was live for about four hours before they noticed it and promptly took care of the situation.
The full blog post can be found here. Thoughts?
Dropbox Authentication Bug
- dandymcgee
Dropbox Authentication Bug
Falco Girgis wrote:It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches!
Re: Dropbox Authentication Bug
Thoughts: not good.
But hey, at least they admitted the breaches and rectified the problem in a timely manner. Sony, I'm looking in your general direction.
- Aleios
Re: Dropbox Authentication Bug
I laughed at most of the people commenting on there. They are saying encryption is a good way to protect data. Well yes, and no. Anything that has been put on a device connected to the internet is at risk of being stolen. People think that just because it's on their hard drive it's safe, which of course is a load of crap. And I find it especially funny how they all think that their data is the most important thing in the world. And using companies as the main target. Well I'm sorry, but if a company trusts their sensitive data on someone else's servers, then it seriously deserves to be stolen. Sure, Dropbox fucked up, it happens, there is no such thing as a secure system. There is a well protected system, but nothing is secure. At least they responded, admitted fault, and most importantly, THEY FIXED THE FUCKING PROBLEM! Too many companies come out with these "fixes", which are really just obfuscation of fact to make it seem fixed. They fixed the problem, they didn't just shove it in under the stack of issues. So, a good job to them, and a smack on the heads to the idiots bitching and whining, when they most likely wouldn't be able to make the service themselves.
- WreckKa
Re: Dropbox Authentication Bug
I fully agree with Aleios, nobody seems to understand that the illusion of security on the internet is one that will be compromised time and again, and it should be expected. They did a great job of accepting responsibility of the situation, and I believe they will legitimately strive to improve security measures. Things will always go wrong, and information will always be compromised; that is the beauty of the internet. If everything was safe and secure, cyberspace would be a very boring place.
:EDIT:
And the fact that people were storing financial records and sensitive information in cloud storage is absolutely ridiculous. Keeping it on an un-encrypted hard drive is bad enough, but keeping it on an online service where it is at risk 24 hours a day, 7 days a week? Ridiculous. Absolutely ridiculous.
- dandymcgee
Re: Dropbox Authentication Bug
Aleios wrote: At least they responded, admitted fault, and most importantly, THEY FIXED THE FUCKING PROBLEM!
Agreed.
WreckKa wrote: :EDIT: And the fact that people were storing financial records and sensitive information in cloud storage is absolutely ridiculous. Keeping it on an un-encrypted hard drive is bad enough, but keeping it on an online service where it is at risk 24 hours a day, 7 days a week? Ridiculous. Absolutely ridiculous.
Haha, that was one of my favorite comments. :P
- Ginto8
Re: Dropbox Authentication Bug
WreckKa wrote: :EDIT: And the fact that people were storing financial records and sensitive information in cloud storage is absolutely ridiculous. Keeping it on an un-encrypted hard drive is bad enough, but keeping it on an online service where it is at risk 24 hours a day, 7 days a week? Ridiculous. Absolutely ridiculous.
The cloud is fine... if your data is securely encrypted, and the storage providers don't actually have the encryption key. For example, LastPass doesn't actually know your master password, and simply can't. Your data is encrypted with it, but it isn't stored anywhere. And aside from the recent hacking (which was handled expertly and smoothly), there has been no issue with it.
</shameless LastPass plug>
Quit procrastinating and make something awesome.
Ducky wrote:Give a man some wood, he'll be warm for the night. Put him on fire and he'll be warm for the rest of his life.
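Added example, not part of the original thread and not Dropbox's or LastPass's code: the arrangement described in the last post, where data is encrypted on the client with a key derived from a master password the provider never receives, so a server-side login bypass exposes only ciphertext. It uses Node.js's built-in crypto module; the function names, the in-memory store, the sample password and the file contents are all constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key from the master password. Password and key stay on the client.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32);
}

// Client side, before upload: returns only what the provider gets to store.
function sealForUpload(masterPassword, plaintext) {
  const salt = nodeCrypto.randomBytes(16); // per-file salt, not secret
  const iv = nodeCrypto.randomBytes(12);   // fresh nonce for AES-GCM
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Client side, after download: throws if the password is wrong or the blob was altered.
function openAfterDownload(masterPassword, blob) {
  const key = deriveKey(masterPassword, blob.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed model of the incident: the provider's password check is skipped,
// so any caller receives whatever is stored for the account.
function fetchWithBrokenAuth(store, account) {
  return store.get(account);
}

function demo() {
  const store = new Map(); // stands in for the provider's storage
  const password = 'correct horse battery staple'; // constructed sample
  store.set('alice', sealForUpload(password, 'tax-return-2010 contents'));

  const leaked = fetchWithBrokenAuth(store, 'alice');
  let strangerRead = null;
  try {
    strangerRead = openAfterDownload('wrong password', leaked);
  } catch (err) {
    strangerRead = null; // GCM authentication fails without the right key
  }
  return {
    strangerRead,
    ownerRead: openAfterDownload(password, leaked),
    plaintextVisibleToProvider: leaked.ciphertext.includes('tax-return'),
  };
}
```

The protection is only as strong as the master password, since the salt and ciphertext are available to anyone who obtains the stored blob.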