"Taking Your Ball And Going Home; Building Your Own Secure Storage Space That Mirrors Dropbox's Functionality" is the talk that I presented for DEFCON 19, August 7, 2011, in Las Vegas, Nevada. For full effect, see the 'Speaker Notes' tab below the presentation for an outline of what I spoke about during each slide.
1. Taking your
ball and going
home; building
your own secure
storage space that
mirrors Dropbox's
functionality
Phil Cryer (@fak3r)
open source technologist
DEFCON 19 - August 2011 v1.5
2. $ echo O’HAI! I am `whoami`
O’HAI! I am phil
$ echo AKA `alias | grep phil`
AKA phil='fak3r’
6. computer |kәmˈpyo͞otәr|
noun
an electronic device for storing and processing data, typically in
binary form, according to instructions given to it in a variable
program.
• a person who makes calculations, esp. with a calculating machine.
12. • Now working for non-profit
• Linux systems administrator
• Distributed storage, cloud computing
• Open source technologist
• Civil liberties activist
• Security researcher
17. Brief history
2007 June - founded, receives series A funding
2007 September - receives $1.2M in seed funding (Y Combinator)
2007 October - receives $6M in Series A funding
2008 Fall - secures $7.2M Series A funding (Sequoia Capital, Accel Partners)
http://www.crunchbase.com/company/dropbox
18. Dropbox enables people to sync files and media across platforms and devices, in order to
have them available from any location.
The service also allows people to easily and quickly share files with others.
Dropbox provides users with 2 GB of space for free, and they can pay for more.
http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day
19. People use Dropbox for personal storage, file syncing between machines, and group
collaboration on projects.
They have desktop software for the usual OSs (Mac OS X, Linux and Windows) and mobile
access that makes things run smoothly.
http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day
20. Current growth
2009 2 millions users
2010 4 million users
2011 April - Dropbox claims to have 25 million users of its free service
http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day
21. “Today, Dropbox has 25 million users and 200 million files are “saved” daily, and
more than 1 million every five minutes.”
http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day
22. 25 million users
200 million files
are “saved” daily
more than 1 million
every five minutes
http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day
24. So, a for-profit company offers a free app, with free data
storage... what’s to worry about?
25. We know Dropbox is secure because Dropbox says so:
■ “Your files are always available from the secure Dropbox website” (secure sounds good)
■ “All transmission of file data occurs over an encrypted channel (SSL)” (wow, that sounds good too!)
■ “All files stored on Dropbox are encrypted (AES-256)” (dude, that's “military grade” encryption! That's
gotta be good!)
■ “...protects your files without you needing to think about it” (How can you argue with that?)
■ “Your stuff is safe” (O’RLY?)
http://dropbox.com
26. We know Dropbox is secure because Dropbox says so:
■ “Your files are always available from the secure Dropbox website” (secure sounds good)
■ “All transmission of file data occurs over an encrypted channel (SSL)” (wow, that sounds good too!)
■ “All files stored on Dropbox are encrypted (AES-256)” (dude, that's “military grade” encryption! That's
gotta be good!)
■ “...protects your files without you needing to think about it” (How can you argue with that?)
■ “Your stuff is safe” (...)
http://dropbox.com
29. How Dropbox sacrifices user privacy for cost savings
“While the decision to deduplicate data has probably saved the company quite a bit of
storage space and bandwidth, it has significant flaws which are particularly troubling given
the statements made by the company on its security and privacy page.” Christopher Soghoian
(file hashes are checked before upload, and bandwidth testing shows that files aren’t transferred if
they already exist (uploaded by someone else) on the servers)
http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
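The bandwidth observation above, as an added simulation (not Dropbox's or Soghoian's code): a server that deduplicates on a plain content hash skips the second upload of a known file, so the number of bytes on the wire reveals whether someone else already had that file; binding the identifier to a per-user secret (an HMAC here, with constructed keys) removes that signal at the price of cross-user deduplication. A real deployment would also encrypt the stored blob under the user's key; only the identifier is modelled.

```python
import hashlib
import hmac


class DedupServer:
    """Stores blobs under a client-chosen identifier. If the identifier is
    already known the upload is skipped: the bandwidth saving slide 29
    describes, and the signal an observer on the wire can see."""

    def __init__(self):
        self.blobs = {}

    def upload(self, ident, data):
        """Return the number of bytes that actually crossed the network."""
        if ident in self.blobs:
            return 0  # identifier matched: no transfer at all
        self.blobs[ident] = data
        return len(data)


def convergent_id(data):
    """Plain content hash: identical files collide across all users."""
    return hashlib.sha256(data).hexdigest()


def keyed_id(user_key, data):
    """Identifier bound to the user's secret: the same file under two keys
    yields two identifiers, so a second user's upload is never skipped and
    its size no longer reveals whether someone else has the file."""
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()


def second_user_bytes(data, keyed):
    """Alice uploads `data`, then Bob uploads the same bytes.
    Returns how many bytes Bob's upload put on the wire."""
    server = DedupServer()
    alice_key, bob_key = b"alice-secret", b"bob-secret"  # constructed keys
    if keyed:
        ident_a, ident_b = keyed_id(alice_key, data), keyed_id(bob_key, data)
    else:
        ident_a = ident_b = convergent_id(data)
    server.upload(ident_a, data)
    return server.upload(ident_b, data)


def presence_leaks(data, keyed):
    """The side channel: a zero-byte upload tells Bob (or anyone watching
    his traffic) that the file already existed on the server."""
    return second_user_bytes(data, keyed) == 0


if __name__ == "__main__":
    sample = b"constructed sample file contents"
    print("convergent dedup leaks presence:", presence_leaks(sample, False))
    print("per-user keyed identifier leaks presence:", presence_leaks(sample, True))
```

The keyed variant still deduplicates a user's own repeated uploads (same key, same bytes, same identifier); what it gives up is exactly the cross-user saving the slide calls a privacy cost.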
30. Dropbox Lied to Users About Data Security, Complaint to FTC Alleges
Christopher Soghoian published data last month showing that Dropbox could indeed see
the contents of files, putting users at risk of government searches, rogue Dropbox
employees, and even companies trying to bring mass copyright-infringement suits.
Soghoian, who spent a year working at the FTC, charges [...] “(Dropbox) has and continues to
make deceptive statements to consumers regarding the extent to which it protects
and encrypts their data,” which amounts to a deceptive trade practice that can be investigated
by the FTC.
http://www.wired.com/threatlevel/2011/05/dropbox-ftc
31. Dropbox authentication: insecure by design
“Here’s the problem: the config.db file is completely portable and is *not* tied to
the system in any way. This means that if you gain access to a person’s config.db file
(or just the host_id), you gain complete access to the person’s Dropbox until
such time that the person removes the host from the list of linked devices via the Dropbox web
interface.” Derek Newton
http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids
32. Dropbox: A Privacy Black Box
“National Security Letter authority and the impoverished “third party doctrine” in
Fourth Amendment law puts cloud-user privacy on pretty weak footing.
Dropbox’s policies do nothing to shore that up. It’s not alone, of course. It’s just a
nice discrete example of how “the cloud” exposes your data to risks that local storage doesn’t.”
Jim Harper
http://techliberation.com/2009/12/12/dropbox-a-privacy-black-box
33. Ok, so Dropbox has *some* privacy considerations to
address, at least it’s safe and secure now...right?
34. Dropbox Security Bug Made Passwords Optional For Four Hours
“This morning a post on Pastebin outlined a serious security issue that was spotted at
Dropbox: for a brief period of time, the service allowed users to log into
accounts using any password. In other words, you could log into someone’s account
simply by typing in their email address. Given that many people entrust Dropbox with secure
data (one of the service’s selling points is its security), that’s a big deal.”
http://www.washingtonpost.com/business/technology/dropbox-security-bug-made-passwords-optional-for-four-hours/2011/06/20/AGupXTdH_story.html
36. Dropbox confirms security glitch -- no password required
“Web-based storage firm Dropbox confirmed this afternoon that a programmer's error caused
a temporary security breach that allowed any password to be used to access any user account.
The San Francisco-based start-up attributed the security breach to a "code update"
that "introduced a bug affecting our authentication mechanism." Access without
passwords was possible between 1:54pm PT and 5:46pm PT yesterday, the company said.”
Declan McCullagh
http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required
37. Ok, so maybe Dropbox knows what you have, and might not be more
secure than the next cloud service provider, at least it has security to
protect information about your personal data usage...right?
38. Dropbox Reader™
Dropbox Reader is actually a series of six command line Python scripts which parse the
configuration and cache files of a Dropbox account, including the user's registered e-mail
address, dropbox identifier, software version info and list of recently changed files
stored in config.db, the information about shared directories and files marked for
sync stored in filecache.db. [the] Python scripts operate on SQLite3 Dropbox database files.
http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader
http://www.betanews.com/article/Now-anyone-not-just-cops-with-a-warrant-can-peek-inside-your-Dropbox/1308256016?=
41. April 13, 2011
From
All files stored on Dropbox servers are encrypted (AES256)
and are inaccessible without your account password.
http://www.utternewsense.com
https://www.dropbox.com/terms
42. April 13, 2011
To
All files stored on Dropbox servers are encrypted (AES256)
and are inaccessible without your account password.
http://www.utternewsense.com
https://www.dropbox.com/terms
44. “So, Dropbox is, a free app with privacy and security concerns that you can use to
freely backup your stuff and share your files with others, huh? Great, that's just
what everybody needs, right?” Ceiling Cat
http://blog.milkandcookies.com/files/2010/08/ceiling_cat.jpg
50. Jun 21 20:57:32 rogue Dropbox[1448]: Unable to monitor entire Dropbox folder hierarchy. Please run "echo 100000 | sudo tee /proc/sys/fs/inotify/max_user_watches" and restart Dropbox to correct the problem.
64. ✓ lipsync daemon in Linux watches for file changes via inotify
✓ kicks off rsync over ssh to securely sync the data
✓ growl-like desktop notifications
✓ great response from the community
✓ users forking the project, submitting pull requests
✓ contributing to an active mailing list
- a contributor has lipsync running on OSX (ready ‘soon’)
- make it more secure/private/cool/etc
- encrypted filesystems, p2p, freenet, bittorrent?
- make it cross platform
- Linux, Mac, Windows, Android, iOS, etc
- preliminary ideas of how a win32 version 'could work'
- installer running under Cygwin?
- more ideas from the community
66. ✓ lipsync daemon in Linux watches for file changes via inotify
✓ kicks off rsync over ssh to securely sync the data
✓ growl-like desktop notifications
✓ great response from the community
✓ users forking the project, submitting pull requests
✓ contributing to an active mailing list
- a contributor has lipsync running on OSX (ready ‘soon’)
- make it more secure/private/cool/etc
- encrypted filesystems, p2p, freenet, bittorrent, Tor?
- make it cross platform
- Linux, Mac, Windows, Android, iOS, etc
- preliminary ideas of how a win32 version 'could work'
- installer running under Cygwin?
- more ideas from the community
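The lipsync design sketched on these slides (inotify watches a directory, a change kicks off rsync over ssh, no rsyncd on the server) as an added minimal watcher; this is example code, not lipsync's own installer or lsyncd. It assumes inotify-tools (`inotifywait`), rsync and ssh are installed, and the host and directory names are placeholders. It also checks the `max_user_watches` limit behind the Dropbox syslog warning on slide 50 before starting.

```python
import os
import subprocess
import sys

# Placeholders, not values from the lipsync project.
SOURCE = os.path.expanduser("~/lipsync")
REMOTE_HOST = "user@sync.example.org"
REMOTE_DIR = "/srv/lipsync"
MAX_WATCHES = "/proc/sys/fs/inotify/max_user_watches"
# Events that mean a file reached a state worth pushing out.
SYNC_EVENTS = {"CLOSE_WRITE", "MOVED_TO", "MOVED_FROM", "CREATE", "DELETE"}

def parse_event(line):
    """Parse one line of `inotifywait --format '%w%f %e'`: inotifywait joins
    event names with commas ('CLOSE_WRITE,CLOSE', 'CREATE,ISDIR') and names
    never contain spaces, so splitting at the last space keeps paths with
    spaces intact. Returns (path, set of event names)."""
    path, _, events = line.rstrip("\n").rpartition(" ")
    return path, set(events.split(","))

def needs_sync(events):
    return bool(events & SYNC_EVENTS)

def rsync_command(source=SOURCE, host=REMOTE_HOST, target=REMOTE_DIR):
    """rsync pushed through ssh: the client holds the key and the server
    needs no rsyncd at all (the 'lowering the barrier' point in the notes)."""
    return ["rsync", "-az", "--delete", "-e", "ssh",
            source.rstrip("/") + "/", host + ":" + target.rstrip("/") + "/"]

def count_watch_dirs(source):
    """A recursive inotify watch costs one watch per directory."""
    return sum(1 for _ in os.walk(source))

def read_max_user_watches(path=MAX_WATCHES):
    try:
        with open(path) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return None  # not Linux, or value unreadable

def watch_capacity_ok(dir_count, limit):
    """The condition behind the Dropbox syslog warning on slide 50."""
    return limit is None or dir_count < limit

def main():
    if not watch_capacity_ok(count_watch_dirs(SOURCE), read_max_user_watches()):
        print("tree too big for inotify; raise the limit, e.g. "
              "echo 100000 | sudo tee " + MAX_WATCHES, file=sys.stderr)
    cmd = ["inotifywait", "-m", "-r", "-q", "--format", "%w%f %e", SOURCE]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True) as proc:
        for line in proc.stdout:
            if needs_sync(parse_event(line)[1]):
                subprocess.run(rsync_command(), check=False)

if __name__ == "__main__":
    main()
```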
69. ■ it is possible to create a secure file distribution app that protects users’ privacy
and security…
■ it won't be built by any for-profit, third party; it will be built by the community
■ we should look at all cloud or ‘app store’ offerings with this same skepticism
71. ■ interested in lipsync? Get involved, try it out, join the mailing list, submit an
issue, fork it!
■ discuss your ideas, implement them, make changes, think about what you
want it to do, make it better
■ continue to ask questions, explore privacy and security in software
■ and always bring a towel!
73. web: lipsync.it
Thanks to SBS Creatix for sponsorship
Thanks to DEF CON, EFF and Nikita
web: philcryer.com
twitter: @fak3r
Special thanks to Mary, Kacy and Ben
Keep circulating the tapes!
Editor's Notes
Taking your ball and going home; building your own secure storage space that mirrors Dropbox’s functionality
Hello DEF CON, I’m Phil Cryer, also known as fak3r on Twitter and my blog, fak3r.com
Some quick background on me, and why I may, or may not be, qualified to speak at DEF CON
when I was a kid I started learning different programming languages * I loved learning the ins and outs of building things with code...solving puzzles * BASIC, LOGOS, Pascal and Assembly
High school brought a change of focus (being in The Computer Club wasn’t as cool as it is today :)) * Fast forward a few years, and I ultimately graduated college with a fine arts degree
After working a number of different jobs I found myself getting into technical roles * I enjoyed it * found that even though I was ‘self taught’ I enjoyed it and was decent at it
So I started doing desktop support, as an IT technician * fixing printers, running servers and networking for a company * it was during that time that I came across...
Linux... and everything changed * I had the same feeling of freedom and adventure that I had in the days of banging out BASIC on the Apple //e * at work we could solve problems w/o having to buy solutions * I could run a Unix like operating system at home and really explore/grow
being an IT contractor allowed me, like most in the industry, to work in a variety of companies * startups, large corporate clients, as well as non-profits * it was a good time to learn on the job, ‘play with Linux’ at home and just see what I could do
Partially because of events of the day, I became more aware of and interested in civil liberties * while their survival was important for the present, they were more important for the future
...so I started working with a variety of groups * learning more about them and how I could contribute to their success
Currently I am working for a non-profit * using Linux and open source apps to distribute biodiversity data to global partners * working with virtual machines, cloud and distributed computing
Outside of work I continuously explore open source, and try to find ways to increase online privacy and security
But enough about me, now on to the talk
How many people here use Dropbox?
How many trust it with their most private data?
And it does, it’s a great little app that ‘just works’ with minimal demand on the user * I can’t fault the overall function or idea of the product * for a time it seemed to be the ‘killer app’
Quickly some background on Dropbox, they’re a very well funded startup company * with many rounds of funding
They offer anyone 2 Gigs of free storage * with an annual membership for more space * users can sync data across multiple devices * allowing open sharing of data
People use it for file syncing, ad-hoc backups, group collaboration and social sharing * it is cross platform with support for Mac, Linux and Windows * plus mobile devices to make things happen seamlessly
They’ve seen quick growth over the past two years...
Techcrunch: “Today, Dropbox has 25 million users and 200 million files are “saved” daily ... more than 1 million every five minutes.”
just to emphasize the numbers we’re talking about
...and to point out that, on average, about 4 million files will be saved during this talk
So a for-profit company offers a free app, with free data storage... what’s to worry about? * What do we know about Dropbox’s service?
but the last two were a little less convincing....
...and that last one made me say...
Christopher Soghoian (SEG-goy-in) posted in his blog, slight paranoia * data deduplication...not the best thing for privacy or security * files are hashed first, and only uploaded if the file wasn’t already on Dropbox * by watching net traffic and seeing how much data is uploaded, you can determine if a user already has a file or not
Christopher’s work led to this FTC allegation that Dropbox was using deceptive statements to consumers regarding the extent to which it protects and encrypts their data * they said that this was a case of deceptive trade practice
Looked at how Dropbox does authentication * approve devices to access your account * info is stored in a SQLite file on the client machines, but that file is not tied to that host * if you can get ahold of a Dropbox user’s config.db file (or just the host_id) you can impersonate that user * until revoked
Jim Harper called Dropbox, A Privacy Black Box * the idea of the 3rd party doctrine in the 4th amendment puts cloud-user privacy in general on weak footing * Dropbox’s policies don’t do anything to make this safer for their users. * cloud exposes your data to risk that local storage doesn’t
For four hours you could access any Dropbox user’s account, using *ANY* password * while this was an accident, it highlights how insecure things can be ‘in the cloud’, and is clearly an EPIC....
Dropbox confirms the glitch, but the point that things can be that insecure is made * and relying on cloud infrastructure that a user has no control over is a loss of control you can’t regain
Dropbox Reader is a set of Python scripts that can read even more details about files a user has stored on Dropbox * including shared directories * syncing activity, all from the config.db file we covered earlier...remember, it’s not tied to the host
Knowing what I know about open source, I know we can do better, and it won't cost us our privacy or security
as with any project I wanted to start simple: what can sync files to remote systems?
That’s easy, we have the long proven stalwart, rsync, and an interesting alternative specializing in 2 way synchronization, Unison
inotify has been part of the Linux kernel since 2.6, it watches for notices from the Linux kernel about changes to the filesystem. We know this is up to the task of monitoring tons of files because...
..it’s what Dropbox uses to watch the file system * detailed error that Dropbox will kick to syslog if you’re running it in Linux with the default max_user_watches settings
to watch the system * lsyncd is a C program that uses inotify to watch for file system changes * issues commands (rsync by default) when a change is noticed
OpenSSH, it’s easy to tunnel rsync over ssh, and would work with Unison too, or other syncing apps we could try * Lsyncd uses SSH by default * when running it this way there’s no need for the ‘server’ to actually run rsyncd. (lowering the barrier for entry) * clients have the keys (not the server, like Dropbox)
start simple * use lsyncd to monitor a directory, when it senses a change (read, write, delete) have it kick off rsync to sync with a remote server over SSH * add more features later once this was a working proof of concept and vetted by the community as being 'a good idea'
September 2009, I wrote an article about how I put these various apps together to create an ‘open source Dropbox clone’ * comments and feedback were tremendous * to this day I still get far more traffic to this post than any other post I have made * New people find the post all the time and chime in
The article was picked up, and reposted to sites like Reddit...
...Lifehacker...
...Slashdot...
...ITworld...
...And in late 2010, even a print magazine, Hacker Monthly
So now I’ve announced my idea and got feedback * it was compared to other methods, started conversation, lots of positive feedback * other options out there * continuous interest in this idea * something that users could control and fill the role that a proprietary ‘black box’ app had
...it was time to build a project around my idea
So I created lipsync on github * includes a BASH installer that builds a working implementation of my idea in Linux * BSD licensed * project is setup to be fully transparent and encourage community involvement
I got kinda bullet crazy here (I always try to resist that, but...)
Here’s a generalized diagram of how things currently work * Cron job is kind of a hack-y way to cover things, but it works for now (Unison may solve this)
Future thoughts...
We now have a user-friendly URL for the base of the project, thanks to Anthony