DTPO Sync in the Cloud & Security /Tinfoil Hats?

Using Sync with Dropbox. What are the security/cloud implications? With a large DTPO database being transmitted and sitting on Db (for example), how vulnerable is that? Every day brings new reports of “sophisticated and prolific” hacking exploits, by ruthless state agencies and many others. Beyond that, if a laptop is stolen or confiscated, then even an empty database could potentially be restored via Sync. I’m sure DT have considered this and included robust measures to secure user data (password encryption), so my apologies if this has already been addressed elsewhere. But should we be concerned?

Dropbox users report spam emails amidst fears of another data breach (Mar/2013).
itproportal.com/2013/03/01/d … ta-breach/

Google Boss Schmidt calls aggressive China Hacking Menace (Feb/2013).
ntdtv.org/en/news/china/2013-02- … enace.html

How much data can police swipe from suspects’ phones without a warrant? (Hint: A lot).
zdnet.com/how-much-data-can- … 000011891/

This is a good question – I’d be curious to hear the answer as well in terms of what kind of encryption is happening with the databases, if any, etc.

This seems like a worthwhile topic for a future “DEVONthink database security” tutorial, if not already covered elsewhere (I’m still looking).

Locally, I can’t report much. The balance seems to be a DropBox question.

(Nice to see you, sjk!) :smiley:

I have been concerned about these issues too, and I vacillate between paranoia and then thinking, oh, forget it.

It seems that the only real solution is to encrypt files locally before they are uploaded to cloud services like Dropbox, and to decrypt them again on download.

For a while I used sparseimage bundles (disk images), until I saw a plethora of conflicts inside the packages.

I have noticed an application called BoxCryptor (https://www.boxcryptor.com) but I would guess that this kind of thing would not work at all with DEVONthink sync?

What about Dropbox’s new two-factor encryption?

Agreed, though I am certainly no expert. But what would it take for DTP Sync to work via services similar to DropBox, but with some actual data security? For those users that care about such things.

For example, SpiderOak.
spideroak.com/engineering_matters

MacWorld Review (Sept 2012).
macworld.com/article/116841 … _sync.html

ArsTechnica (Apr 2012).
arstechnica.com/business/2012/04 … obsessive/

Sample Quotes:
The chief difference between SpiderOak and its competitors for the security and privacy-conscious is in how the services treat user data. Dropbox employees can get file-level access to your data when they deem it necessary (for example, when complying with a request from law enforcement).

SpiderOak, on the other hand, tells users up front that it never knows a user’s password or encryption keys, preventing anyone at the company from accessing your data for any reason. Both Dropbox and SpiderOak encrypt user data on their servers using 256-bit AES encryption, but SpiderOak takes the extra step of encrypting the decryption key itself. This key can itself only be decrypted with the user’s password, which SpiderOak never knows.

The downside of this scheme is that your data is unrecoverable if you forget your password. But the upside is that you’re absolutely guaranteed security and privacy, a must for individuals and businesses that deal with sensitive data. Dropbox offers no such capability, and while some users have used extra software like TrueCrypt to add an extra layer of security to files uploaded to Dropbox, the company doesn’t officially support this solution—since, obviously, using TrueCrypt would also prevent easy file sharing and the use of the Dropbox Web client.

SpiderOak also offers two-factor authentication.

A possible alternative to SpiderOak.
However, it does come with some unfortunate notoriety.
mega.co.nz/#privacycompany

Sample Quote:
All files stored on MEGA are encrypted. All data transfers from and to MEGA are encrypted. And while most cloud storage providers can and do claim the same, MEGA is different – unlike the industry norm where the cloud storage provider holds the decryption key, with MEGA, you control the encryption, you hold the keys, and you decide who you grant or deny access to your files, without requiring any risky software installs. It’s all happening in your web browser!

Another good alternative to DropBox. From an established, successful company: LogMeIn. With actual data Security. Cubby Locks: User-held Encryption Key.
cubby.com

Another optional secure sync technology: BitTorrent Sync

Looked at that too.
lifehacker.com/bittorrent-sync-k … -478810621

Nice idea. However, since there is no “cloud” intermediate, it would make sense that both machines have to be on at the same time for a sync. Plus some firewalls block BitTorrent. Also, it may be slower for various other reasons. So probably not practical for general use.

I hate the cloud. (Oops, did I type that out loud.) 8)

Truthfully I am a P2P kinda guy. My machines, my control. Sorry OT. Nothing to offer here. LOL

(Official work hat back on) I fully support the cloud as a wonderful way of making data available whenever and wherever you are. 8)

Plenty of OfficeDrop users probably now do, too:

What Happens When The Cloud Abandons You – ReadWrite

Cloud-related issues can be a major PiTA to troubleshoot and recover from. I’m not pleased with how hundreds of purchased iTunes tracks (both local and “in the cloud”) continue to get incremented play counts and marked partly played/watched, seemingly at random, since iCloud service with iTunes 11 started. :angry:

I hear what you’re saying. But I don’t have a problem with cloud storage in general. However, it does need decent security protocols. And DropBox does NOT offer that. Fortunately, there are several robust alternatives out there. So here’s hoping that DT can allocate the resources to find a secure solution. Though it may not be on the top of every user’s wish list… until they have a problem. Just imagine, all your private “stuff” laid out there for the bad guys to plunder. Not good. (Plus, my secret blancmange recipes are invaluable).

Ouch!! I hadn’t seen that OfficeDrop release.

It’s a tough call, Pajama, whether it’s our call or theirs. (I am inclined to put it on them, not us but this is outside my jurisdiction. 8) I am also not a fan of the culpability it creates when someone’s data is compromised and they say, “Umm… but YOU had a set of keys, DEVONtech!”)

Again, I am a fan of controlling my data and my privacy - whatever amount I desire and applied where I want and need it to be. I also feel very little desire to have all my data accessible 24/7/365. Nothing I’m doing or thinking about is critical enough to require an electrical outlet all the time. (Though I never leave home without a pen and with the back of my hand and arm - this is my “mobile tech” most of the time. Though I do take the company iPad when I’m working.) I do keep up and work with these services as I need to but I personally don’t use any of them. (I’m a diehard Direct Connection / local syncStore User.) Just my personal take.

Cheers! 8^)

Curious. Did not realize that DT would need the cloud keys to effect the sync process if done via a secure server. Thought the access keys would only be held by the user. But yes, that could create other issues and concerns for DT. Unfortunately, I don’t know enough to understand why that might be necessary, or what the technical alternatives are. Perhaps someone with a larger brain can explain. Tarnation, there has to be a workable solution to this out there somewhere…

It’s not necessarily “a need” for us. It’s just one of the possible ways it could be implemented. Each service handles these things in their own way so I was just speaking off the cuff. I highly doubt we would put ourselves in this kind of jeopardy though. I don’t think we’d put something in place where the potential for litigation could be high.

Any chance that something like this could work for private Dtpo sync via Dropbox?
cloudfogger.com/

Quote: “Cloudfogger encrypts your data on the local device before it gets uploaded to the cloud. That guarantees that Dropbox and others never get access to the content of your files.”

My guess is No. Since the extra encrypt/decrypt process would interfere with the preordered direct sync setup & execution between the local/dropbox and remote instance. But maybe there’s a way.

I’m going off-topic a bit here but… doesn’t all this talk of data encryption show an inherent distrust of the service providers and cloud services in general?

Why not: Don’t want anyone to be looking at your “private data”? Don’t upload it to anyone else’s servers. ?

Just asking…

Jim has a good point.

Hmm, that’s something that Ed Snowden recently pointed out, I hear.

This article may be of interest:
easternlegalsystems.com/blog … roduction/

It is the first in a series by Jack Schaller specifically written with law firms in mind, but there are some really good points. Describing the attraction of the Cloud he particularly says: “Perhaps more than anything else, the ubiquity of high-speed broadband connectivity to the Internet has created a fundamental “paradigm shift” in the way we use information technology today. This seems so self-evident as to not even be worth stating, yet many people have failed to “connect the dots” and grasp the fact that new capabilities almost inevitably lead to new – and better – ways of doing things…The second driving force in adoption of “The Cloud” is mobility. People work everywhere today, and want their tools to be accessible wherever they are. Notebooks, cell phones, and tablets, coupled with pervasive broadband connectivity, have made this feasible for almost everyone.” It is this second that is attractive to many users.