Security culture, the Dropbox way
blogs.dropbox.com
I'm sure Dropbox takes security seriously and works hard at it, but this piece doesn't tell me a lot more than that except in much longer form. You can find/replace 'trust' (and 'security') with 'truck' and come away as informed and potentially slightly more amused.
Some informative parts that keep their meaning under s/trust/truck/g include:
"... daylong social engineering workshop designed and led by internal experts that immersed them in a hypothetical scenario involving a malicious insider."
"... a hands-on workshop where Dropbox employees researched, crafted, and presented their own phishing schemes."
"... our annual Capture the Flag"
It's interesting the emphasis on social attacks. You only have to get the cryptography right once, but every employee needs to defend against social engineering.
You forgot the really important ones, I think. Trucktober and tailgating. It does raise the interesting question of why Dropbox does not celebrate Trarch.
The harder a company tries to sell their philosophy the less I'm inclined to believe them. Words are cheap.
A better approach would be implementing a zero-knowledge storage infrastructure, like tarsnap,
which prevents issues like https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...
Thanks for this. I'm going to look at moving away from Dropbox.
These sorts of hills grow to mountains with the bones of hopeful pedants who die on them. But I think there's still a chance to hold this one. That's not what 'zero knowledge' means, it's a technical term for a different thing.
You are technically correct (the best kind of correct). But it's a commonly understood concept:
Hold the line. This one we can still win. Hold the line.
https://spideroak.com/articles/why-we-will-no-longer-use-the...
I surrender! End-to-end encrypted cloud storage with client-managed keys...
We call this "provider-independent security" in capability theory; the idea is that a security guarantee, like privacy or confidentiality, is inherent in the construction regardless of who is providing the service.