Dropbox drops the box?

We regularly get requests for software to be installed on DICE and we are generally happy to put anything on provided it meets certain criteria (which is in itself another blog posting). Probably the most popular one recently has been Dropbox. I’ve been meaning to write something about Dropbox but a recent story has kind of pushed it to the front of my to do list.

At it’s most basic dropbox offers a way of seamlessly synchronising your files across multiple machines; the fact that it offers offsite backup, file sharing, version control and supports multiple OS’s and devices makes it very attractive. Install the software and anything put in a designated directory, on linux ~/Dropbox, gets copied to the dropbox server and then replicated across any of your devices that have the software installed and are registered to your account (If you’re interested the features are listed on the dropbox site but read on a bit before you rush off and install it).

In terms of installing it on DICE I have a couple of issues…the first is that phrase “copied to the dropbox server”. Dropbox is a San Fransisco based startup and they use Amazon S3 for their filestore. Unfortunately they don’t guarantee where data is stored and whilst Amazon are certified to the EU-US safe harbour initiative Dropbox is not. Put anything holding personal information in your Dropbox and you’re probably in breach of the Data Protection Act. Also while they cheerfully state that your agreement with Dropbox is covered by Californian law the files you put in your dropbox are presumably subject to whichever law is in place anywhere DropBox/Amazon copies them. There’s nothing wrong with that in itself but files which are legal in the UK may not be so legal elsewhere in the EU, in the US or indeed California. Equally in the event of some kind of civil action the other party may decide to act under Californian Law, or Belgian law, for no other reason than it’s a long way for you to go to fight a case but it’s just round the corner for them. This is presumably just part of the price of using the cloud.

My other problem is more technical. From a System Administrators point of view it’s a horrible program. On first sight of the linux download page it looks like we have an open source application which someone has helpfully packaged up for most of the large distributions. Unfortunately, what you’d downloading is not the daemon that does the heavy lifting with your files, what you’re getting is a plugin to nautilus and an installer for the actual daemon. Dropbox itself is a proprietary daemon which is downloaded when you register your installation and takes up 25M of space in your home directory. AFAICT this software gets updated automatically on the fly whenever there’s a new version, seemingly with no notification. So from an admin point of view we have a 25M application that is using very expensive replicated, tape backed afs filespace when it could easily be sitting on the cheap non-networked, unbacked up disk in your desktop. 25M doesn’t sound much, but multiply it up by the number of DICE accounts we have and you’re into the tens of gigabytes. Looking at the files themselves that are shipped it’s even more muddy, there are a number of local versions of site wide libraries which can really add to the fun if you’re trying to debug things. Finally there’s one other file that makes the heart sink, _sqlite3. Sqlite is “a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.” unfortunately if it’s used unsympathetically it can cause real problems for network filesystem response. You may remember we had issues shortly after we deployed firefox 3 well….. step forward sqlite.

So here is the problem, from the users point of view we have a useful application that they can use for work or personal use to safely copy files around and has all kinds of funky features like version control and built in cryptography. I can see all this but also that there are possibly horrible legal wrangles involved in it’s use, it uses a database library we’ve already had issues with, if there are problems it’s not really possible for us to control the version that people are using or seriously debug it. Oh and the command line tools are not really rational under linux

-bash-4.1$ dropbox status
Dropbox isn’t running!
-bash-4.1$ ps auxww|grep dropbox
iainr 21297 0.0 0.0 4420 716 pts/10 S+ 13:34 0:00 grep –color=auto dropbox
iainr 30765 0.0 1.5 227224 31904 ? Ssl Apr12 0:23 /afs/zathras.org/home/iainr/.dropbox-dist/dropbox
-bash-4.1$ dropbox stop
Dropbox isn’t running!
-bash-4.1$ dropbox start
Dropbox isn’t running!
Dropbox is already running!

So it’s not really a no-brainer for installing on DICE.

Then came this article by Derek Newton. It appears that your dropbox installation identifies itself via an alphanumeric host-id stored in ~/.dropbox/config.db. By copying this hostid you can access the particular dropbox without any password. I hadn’t really given much thought to how it does authentication but had thought it would be a bit more sophisticated than an obfuscated hash. This isn’t a shock horror security bug but it does mean that you have to be very careful who has access to your ~/.dropbox directory or equivalent. You may want to run fs listacls on ~/.dropbox right now to check it’s not world readable. Equally Dropbox don’t really make it easy for you to be a bit more secure. there’s no option to password protect the hostid, no ability to lock it to an individual IP address or set of addresses, no logging if the address using it changes. In fact the logging is very limited and inexact.

If you must use dropbox then by all means do so, but guard the ~/.dropbox directory with your life, revoke any key that seems to be doing anything un-towards and encrypt anything you put in there that’s important.

This entry was posted in DICE, Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *