This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security: Cloud Syncing

Comments

  • [quote name='brenty' timestamp='1308650857' post='29735']

    Hey guys, I just wanted to weigh in here. I am not personally invested in Dropbox myself. I use their service because it suits my needs. When it no longer does, I will use something else. It's as simple as that.



    But I feel like it needs to be said that no company is immune to these threats. No security is perfect. The reasons that Dropbox has suffered these setbacks are manifold, but the two big ones that I can see are that they grew rather quickly and became a big target as a result. I think the important thing is that they are learning from their mistakes and leanring some humility. We all have to do the best we can to anticipate threats and prepare accordingly. Dropbox underestimated the risk and is paying the price, mainly from a PR standpoint.

    [/quote]



    Hi brenty,



    Just wanted to reply briefly and state that this recent Dropbox issue was of their own doing - they uploaded untested code and it caused the 4 hour exposure to everyone's data. So, yes there are ongoing threats to companies, but another aspect is when the company themselves gets - for lack of a better word - sloppy.



    Regards,



    Curbed
  • khad (Social Choreographer)
    [quote] 4 hour exposure to everyone's data.[/quote]

    Technically, it was less than one percent of their users, but there is still no excuse. I am curious as to why there have not been any reports of actual data loss or capture, though. All I have seen so far are the sensationalistic, page-view-bumping headlines scaring people. Maybe the damage is yet to be uncovered...or maybe it was just like coming home and realizing that you left the door unlocked the whole time you were out, but nobody even tried to come in...



    I'm just thinking out loud here. I am genuinely curious to see how this shakes down.



    Regardless, in case it hasn't been reiterated enough, your sensitive 1Password data is secure. :-)
  • CurbedEnthusiasm
    edited June 2011
    [quote name='khad' timestamp='1308722841' post='29892']

    Technically, it was less than one percent of their users, but there is still no excuse. I am curious as to why there have not been any reports of actual data loss or capture, though. All I have seen so far are the sensationalistic, page-view-bumping headlines scaring people. Maybe the damage is yet to be uncovered...or maybe it was just like coming home and realizing that you left the door unlocked the whole time you were out, but nobody even tried to come in...



    I'm just thinking out loud here. I am genuinely curious to see how this shakes down.



    Regardless, in case it hasn't been reiterated enough, your sensitive 1Password data is secure. :-)

    [/quote]



    I'd say you're right with that scenario: "maybe it was just like coming home and realizing that you left the door unlocked the whole time you were out, but nobody even tried to come in..." and I imagine DB has escaped unharmed, without any user data theft. Curious though, where does it state it was only one percent of users? I thought I read that authentication was not working for any DB user for the 4-hour period?
  • brenty
    edited June 2011
    [quote name='stu' timestamp='1308692589' post='29833']

    [quote name='alexr' timestamp='1308690743' post='29832']

    Why not add the option to use something like [url="https://www.jungledisk.com/"]JungleDisk[/url].[/quote]

    If I remember correctly, JungleDisk ties into Amazon's S3 service. The problem is that that would possibly work for the desktop applications, but the biggest issue is that we'd need to build a whole syncing solution around Amazon S3 for our mobile applications, which would take quite a bit of time and resources.

    [/quote]

    The irony is that we already have this. It's called Dropbox! Dropbox uses Amazon S3 storage, so their API is essentially giving us this for free. Obviously, alexr was suggesting JungleDisk specifically since it allows you to choose your own encryption key, but I found it an interesting irony. :)

    [quote name='CurbedEnthusiasm' timestamp='1308713242' post='29874']

    Just wanted to reply briefly and state that this recent Dropbox issue was of their own doing - they uploaded untested code and it caused the 4 hour exposure to everyone's data. So, yes there are ongoing threats to companies, but another aspect is when the company themselves gets - for lack of a better word - sloppy.

    [/quote]

    I absolutely agree, which is why I said that "I think the important thing is that they are learning from their mistakes and leanring [sic] some humility." They messed up. [i]To err is human.[/i] I guess this just doesn't seem any more (or less) unfortunate than any other company with a security breach: It is a result of a security failure on the part of agents of said company. The only real differences are what is at stake and how the weakness is exploited in each particular instance. Otherwise, it is the same sad story.

    But we are all learning. The trick is to learn from others' mistakes as much as possible, rather than having to learn from your own...the hard way.
  • khad (Social Choreographer)
    edited June 2011
    [quote]I thought I read that authentication was not working for any DB user for the 4-hour period?[/quote]

    [url="http://forum.agile.ws/index.php?/topic/5199-security-cloud-syncing/page__view__findpost__p__29697"]Tommy[/url] linked to [url="http://blog.dropbox.com/?p=821"]Dropbox's blog post[/url] in this thread yesterday. In Dropbox's own words:



    [indent]Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users ([b]much less than 1 percent[/b]) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.[/indent]
  • [quote name='khad' timestamp='1308725655' post='29897']

    [url="http://forum.agile.ws/index.php?/topic/5199-security-cloud-syncing/page__view__findpost__p__29697"]Tommy[/url] linked to [url="http://blog.dropbox.com/?p=821"]Dropbox's blog post[/url] in this thread yesterday. In Dropbox's own words:



    [indent]Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users ([b]much less than 1 percent[/b]) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.[/indent]

    [/quote]



    Yes that was bad.
  • khad (Social Choreographer)
    [quote]Yes that was bad.[/quote]

    Yes...



    It was...



    My point was only that the number of affected users was not 100% but in fact much less than 1% which is [i]less bad[/i] than 100%. ;-)

    I'm not sure if you are getting at something specific or if I am just getting tired. I didn't understand the point of your post. :-)
  • Boru
    edited June 2011
    Hi there,



    My 2 cents on this issue is if you use Dropbox for 1Password syncing use it ONLY for that and nothing more.

    I just deleted my Dropbox account because I was using it for more than that. I'll just use WiFi syncing for 1P on my mobile devices.

    It's easy and I have all the control.

    Buh bye, Dropbox.



    And thanks as always for the superb 1Password support !!



    Best,

    Brian
  • [quote name='khad' timestamp='1308738932' post='29926']

    Yes...



    It was...



    My point was only that the number of affected users was not 100% but in fact much less than 1% which is [i]less bad[/i] than 100%. ;-)

    I'm not sure if you are getting at something specific or if I am just getting tired. I didn't understand the point of your post. :-)

    [/quote]



    Ah sorry my bad, I thought you were saying something else so I thought I'd agree with you. Probably me who's tired.



    C
  • I took it to be that the "bug" affected [i]every single account[/i], but that only 1% of Dropbox users happened to log in to the website during the time that the "bug" was in effect.
  • khad (Social Choreographer)
    [quote name='Boru' timestamp='1308766708' post='29998']

    My 2 cents on this issue is if you use Dropbox for 1Password syncing use it ONLY for that and nothing more.

    I just deleted my Dropbox account because I was using it for more than that. I'll just use WiFi syncing for 1P on my mobile devices.

    It's easy and I have all the control.

    Buh bye, Dropbox.



    And thanks as always for the superb 1Password support !!

    [/quote]

    That is definitely an option, Brian! Many of our users sync manually over Wi-Fi between 1Password for Mac and 1Password on their iOS device(s). You are most welcome for the superb 1Password support. :-)



    [quote name='Catcher' timestamp='1308767732' post='30000']

    Ah sorry my bad, I thought you were saying something else so I thought I'd agree with you. Probably me who's tired.

    [/quote]

    No worries at all. I think we both were tired. :lol:



    [quote name='Tezcatlipoca' timestamp='1308768699' post='30003']

    I took it to be that the "bug" affected [i]every single account[/i], but that only 1% of Dropbox users happened to log in to the website during the time that the "bug" was in effect.

    [/quote]

    My understanding is that you are correct, but it may be splitting hairs at this point. A bug can exist even if [i]no one[/i] is actually affected by it. Back to my earlier analogy, I am not affected by leaving my door unlocked if no one enters my home while I am gone. But it is definitely not good security practice to leave my door unlocked when I am not home. I want to be clear that I am not defending an obvious mistake/problem, but I am glad that so far no one seems to have been actually affected and the number of users who were potentially affected is much less than one percent. Again, this is probably just semantics now.
  • [quote name='stu' timestamp='1308675619' post='29775']

    so unless you use a very weak master password for your 1Password data file, the attackers would have to spend somewhere in the region of 149 trillion years brute-forcing that encryption as we detail here:[/quote]



    Which brings up another question, Stu: I've been wringing my hands over just what a "strong" master password is. 1PW is great for making absolutely unmemorable passwords, but that master password must be "memorable" by design, or it's useless. My own master password is between 8 and 12 characters (that's how paranoid I am - I won't even reveal the character count!), contains alpha-numerics, but is quite memorable, to me. I'd like some comments/advice on just what others do, i.e.: do you choose a sixteen character, completely nonsensical password, and just memorize the damned thing? Or do you do like me, and choose one that can be easily memorized, but might be stumbled upon by someone who knows me intimately (not that intimately, but as in someone who stole my computer and knows a lot about me!)
  • khad (Social Choreographer)
    You're in luck! Jeff just wrote a great blog post on exactly that topic. :-)



    [size="3"][url="http://blog.agilebits.com/2011/06/toward-better-master-passwords/"]Toward Better Master Passwords[/url][/size]



    I hope that helps. Please let me know. We also have a "[url="http://forum.agile.ws/index.php?/topic/1774-choosing-a-good-master-password/"]Choosing a Good Master Password[/url]" thread if you are interested.



    Cheers!
  • iWarwick (Junior Member)
    1Password is great and makes my life a whole lot easier.



    I particularly love the "automatic" cloud sync-ing feature between my Mac, my iOS devices etc.



    With all the security problems that Dropbox has been experiencing, however, I wonder if Agile has any plans to expand the range of syncing services.



    I guess you are working on an iCloud solution. However, I want to flag a further consideration. The security problems have highlighted that someone who gains access to the "cloud" service, such as a Dropbox account, can actually read the files stored there. The strong security recommendation is to encrypt the stored data on your computer before it gets stored in the cloud in the way that services like SpiderOak operate their cloud services. Is it possible for the 1Password keychain to be stored through these secure type cloud services?
  • [Deleted User]
    edited June 2011
    Hello iWarwick and welcome to the Forums!



    I moved your topic to the appropriate thread.



    As a current 1Password and Dropbox user, you've learned to [i]love[/i] auto-sync functionality as much as I do. For those who may not be aware, currently, Dropbox is the only [b][i]cloud[/i][/b] sync solution supported for auto-synching a Mac/PC with your iOS devices. AgileBits is always willing to investigate alternatives, but please realize that when it comes to syncing iOS devices, there are certain coding hurdles/speed bumps/road blocks that cannot be overcome with all current cloud solutions.



    AB's security guru, Jeff Goldberg, discusses Dropbox and alternatives in more detail in the following post: [b][url="http://forum.agile.ws/index.php?/topic/5199-security-cloud-syncing/page__view__findpost__p__29779"]Alternatives to Dropbox[/url][/b]



    [quote]The strong security recommendation is to encrypt the stored data on your computer before it gets stored in the cloud...[/quote]

    I agree. With all the recent news regarding Dropbox it is absolutely imperative to remember that 1Password encrypts your data file, the [i]1Password.agilekeychain[/i], on your device (desktop, iPad, etc.) [b]before[/b] it is synched to Dropbox or any other cloud server. So, your 1Password data is safe from prying eyes.



    Caveat: Your data is safe [i]provided[/i] you've selected a good/strong Master Password. Please see Khad's post above for a link to a recent blog post on choosing a good Master Password.



    If you have additional questions or concerns, please let us know.



    Cheers!



    Brandt
  • [quote name='khad' timestamp='1308883083' post='30192']

    You're in luck! Jeff just wrote a great blog post on exactly that topic. :-)



    [size="3"][url="http://blog.agilebits.com/2011/06/toward-better-master-passwords/"]Toward Better Master Passwords[/url][/size]



    I hope that helps. Please let me know. We also have a "[url="http://forum.agile.ws/index.php?/topic/1774-choosing-a-good-master-password/"]Choosing a Good Master Password[/url]" thread if you are interested.



    Cheers!

    [/quote]





    I like it, khad, thank you! Just what I needed.
  • khad (Social Choreographer)
    edited June 2011
    Jason Kincaid has posted an article on TechCrunch that includes a copy of the email Dropbox CEO Drew Houston sent to the owners of the [i]fewer than 100 accounts[/i] which were compromised. Dropbox has 25 million users. Considering the situation, things could have been much worse.



    Of note: all 100 accounts were allegedly accessed by a single person who had discovered the flaw and was attempting to…who knows what? Many — most? — of the accounts did not have a single file modified or even viewed. The email which the TechCrunch article reproduces is that which was sent to users who fell into that category. Another email was allegedly sent to users who [i]did[/i] have files viewed or modified.



    Excerpts from Dropbox CEO Drew Houston's email:

    [indent]





    We have made arrangements for you to have free access to a credit monitoring service. Please email us at support@dropbox.com if you would like to use this program. …







    I cannot express how deeply sorry I am. Dropbox is my life, and I know that we are only as good as the trust we have built with our customers. This should not have happened, and I am hopeful that you will give us the chance to make this right and regain your trust.



    I am here and ready to answer your questions and do whatever I can to help. Please do not hesitate to call me at +x-xxx-xxx-xxxx. Or if you’d like me to call you just reply with your phone number and I’ll give you a call.



    Drew[/indent]

    The full text of the email is available, along with Jason's article, [url="http://techcrunch.com/2011/06/24/dropbox-breach-fewer-than-100-accounts-affected-but-one-person-actively-exploited-it/"]on TechCrunch[/url].
  • [quote name='khad' timestamp='1308959301' post='30264']

    Jason Kincaid has posted an article on TechCrunch that includes a copy of the email Dropbox CEO Drew Houston sent to the owners of the [i]fewer than 100 accounts[/i] which were compromised. Dropbox has 25 million users. Considering the situation, things could have been much worse.



    Of note: all 100 accounts were allegedly accessed by a single person who had discovered the flaw and was attempting to…who knows what? Many — most? — of the accounts did not have a single file modified or even viewed. The email which the TechCrunch article reproduces is that which was sent to users who fell into that category. Another email was allegedly sent to users who [i]did[/i] have files viewed or modified.



    Excerpts from Dropbox CEO Drew Houston's email:

    [indent]





    We have made arrangements for you to have free access to a credit monitoring service. Please email us at support@dropbox.com if you would like to use this program. …







    I cannot express how deeply sorry I am. Dropbox is my life, and I know that we are only as good as the trust we have built with our customers. This should not have happened, and I am hopeful that you will give us the chance to make this right and regain your trust.



    I am here and ready to answer your questions and do whatever I can to help. Please do not hesitate to call me at +x-xxx-xxx-xxxx. Or if you’d like me to call you just reply with your phone number and I’ll give you a call.



    Drew[/indent]

    The full text of the email is available, along with Jason's article, [url="http://techcrunch.com/2011/06/24/dropbox-breach-fewer-than-100-accounts-affected-but-one-person-actively-exploited-it/"]on TechCrunch[/url].

    [/quote]



    Yes, I think the actual reality of what happened wasn't that bad at all - it was more the potential of the situation, and how it happened in the first place. If any good can come from this, it is that Dropbox realize they have security/authentication issues and go about re-engineering their service to become more secure, i.e. introducing multi-factor authentication like a competitor is just starting to do. Dropbox is a great service, but it hasn't exactly changed much since its inception. Due to its huge increase in popularity, there's a risk of them being open to more exploits and hacks if they don't stay ahead of the game.
  • khad (Social Choreographer)
    [quote]Yes, I think the actual reality of what happened wasn't that bad at all - it was more the potential of the situation, and how it happened in the first place. If any good can come from this, it is that Dropbox realize they have security/authentication issues and go about re-engineering their service to become more secure, i.e. introducing multi-factor authentication like a competitor is just starting to do. Dropbox is a great service, but it hasn't exactly changed much since its inception. Due to its huge increase in popularity, there's a risk of them being open to more exploits and hacks if they don't stay ahead of the game.[/quote]

    Superfluous +1 to this. Competition FTW.
  • [quote name='khad' timestamp='1308971870' post='30297']

    Superfluous +1 to this. Competition FTW.

    [/quote]



    DropBox is not a great service, get out of their bed and next time be a bit more circumspect...
  • Hi folks,



    after migrating from dropbox *cough* to Sparkleshare [1] for syncing i wanted to let you know that 1Password seems to work splendidly with it on Snow Leopard (10.6).

    Sparkleshare is basically an automated git (or mercurial) repository updater frontend which lets you sync via github and gitorious or even better your own host holding a git repository [2].

    However as it employs Mono it is sadly not yet working with Lion (10.7) - still you can just 'cd' to the right directory and 'git commit -a', 'git push' your changes manually.

    This of course means that you earn an additional distributed backup of your agile keychain. ;)



    [1] http://sparkleshare.org/

    [2] https://github.com/hbons/SparkleShare/wiki/How-to-set-up-your-own-server
  • Awesome. Thanks for the tip.
  • [Deleted User]
    edited June 2011
    [quote name='Stefan Schmidt' timestamp='1309303120' post='30641']

    Hi folks,



    after migrating from dropbox *cough* to Sparkleshare [1] for syncing i wanted to let you know that 1Password seems to work splendidly with it on Snow Leopard (10.6).

    Sparkleshare is basically an automated git (or mercurial) repository updater frontend which lets you sync via github and gitorious or even better your own host holding a git repository [2].

    However as it employs Mono it is sadly not yet working with Lion (10.7) - still you can just 'cd' to the right directory and 'git commit -a', 'git push' your changes manually.

    This of course means that you earn an additional distributed backup of your agile keychain. ;)



    [1] [url="http://sparkleshare.org/"]http://sparkleshare.org/[/url]

    [2] [url="https://github.com/hbons/SparkleShare/wiki/How-to-set-up-your-own-server"]https://github.com/h...your-own-server[/url]

    [/quote]



    Stefan,



    I merged your topic with a similar thread.



    Thanks for sharing your success using 1P and Sparkleshare! As is evidenced by Kato, I'm sure some users will appreciate learning about the solution.



    Cheers!



    Brandt
  • [quote name='Kato' timestamp='1309330335' post='30657']

    Awesome. Thanks for the tip.

    [/quote]



    Hello Kato and welcome to the Forums!



    Great to have you as a member. I look forward to seeing you around! :)



    Brandt
  • kagy
    edited July 2011
    [quote name='Stefan Schmidt' timestamp='1309303120' post='30641']

    Hi folks,



    after migrating from dropbox *cough* to Sparkleshare [1] for syncing i wanted to let you know that 1Password seems to work splendidly with it on Snow Leopard (10.6).

    Sparkleshare is basically an automated git (or mercurial) repository updater frontend which lets you sync via github and gitorious or even better your own host holding a git repository [2].

    However as it employs Mono it is sadly not yet working with Lion (10.7) - still you can just 'cd' to the right directory and 'git commit -a', 'git push' your changes manually.

    This of course means that you earn an additional distributed backup of your agile keychain. ;)



    [1] http://sparkleshare.org/

    [2] https://github.com/hbons/SparkleShare/wiki/How-to-set-up-your-own-server

    [/quote]





    I'm sure that some people understand this, but I'm equally sure that some, like me, don't have a clue what you just said. After reading through the responses to this thread, I'm sticking with Dropbox. I am "fairly" confident that the data I put in there is secure - and that's about as confident as I would be of any cloud syncing. I have decided, however, that the only data I will sync there is the 1PW keychain, which, as discussed numerous times herein, is encrypted locally on your own computer. I've stopped syncing my Quicken data file there, and will instead sync it to a Knox encrypted thumb drive to transfer onto a laptop when needed.
  • dogpaw (Junior Member)
    Is my agilekeychain always encrypted even while I'm using it locally after entering my master password? In other words, is the keychain "open" while it's "open" on my desktop?



    thanks
  • jpgoldberg (Agile Customer Care)
    Fantastic question, dogpaw!



    [quote name='dogpaw' timestamp='1310229440' post='31598']

    Is my agilekeychain always encrypted even while I'm using it locally after entering my master password? In other words, is the keychain "open" while it's "open" on my desktop?[/quote]

    No, it is not really all "open" when 1Password is unlocked. 1Password decrypts only the minimum amount of information needed at any one time. Only a very small amount of unencrypted data is in memory (so is unlikely to be written to swap), and decrypted data is never written to disk.



    I know that we present things to the user as "locked" or "unlocked", but for security reasons which you've hit upon, that really isn't how things work under the hood.



    Cheers,



    -j
  • khad (Social Choreographer)
    edited July 2011
    dogpaw,



    Jeff actually did a really good job explaining how "locked" and "unlocked" states actually operate in 1Password when he wrote the Cloud Storage Security document. Take a look at the "[url="http://help.agilebits.com/1Password3/cloud_storage_security.html#unlocked_vaults_or_unlocked_boxes"]Unlocked vaults or unlocked boxes[/url]" section for a more in depth overview. The entire document is a great read if you are interested in this sort of thing. :-)
  • dogpaw (Junior Member)
    [quote name='khad' timestamp='1310263953' post='31633']

    dogpaw,



    Jeff actually did a really good job explaining how "locked" and "unlocked" states actually operate in 1Password when he wrote the Cloud Storage Security document. Take a look at the "[url="http://help.agilebits.com/1Password3/cloud_storage_security.html#unlocked_vaults_or_unlocked_boxes"]Unlocked vaults or unlocked boxes[/url]" section for a more in depth overview. The entire document is a great read if you are interested in this sort of thing. :-)

    [/quote]

    Very interesting read. I appreciate the link.



    So, it sounds like one "box" is open at a time for use. But if I understand correctly, that open "box" or one login/password is only available locally and not actually written to the Dropbox servers? Is that correct?
  • khad (Social Choreographer)
    Correct. The unencrypted data is not written to disk, so not even the Dropbox application on your local machine can read the unencrypted data much less the Dropbox [i]servers[/i]. ;-)
