That's a severe oversimplification, IMO. Just recently there was news that duplicating the host_id from the Dropbox config onto another system will immediately gain access to all of the Dropbox files associated with that host_id, without further authentication.
It's not security theatre to acknowledge that the security in such a system could be improved, especially as an option for those that require it.
#3 could easily be paralyzing for many businesses. There are already services (like Tarsnap) which are engineered to not require you to trust them; why should we ignore such services and limit ourselves to doing business only with those companies that we can trust implicitly?
As a specific example, I've had a client for a few years which is government funded and quite paranoid about security. However, they also need to communicate with outside contractors. I don't advise them to "trust" their ISP, the outside contractors' network, and all the other businesses in-between. I tell them that nothing sensitive leaves the building unless it's been encrypted, and that once someone else opens that file, it can no longer be considered secure in any sense.
"Trust us" is not a compelling requirement for doing business, nor can businesses limit themselves only to relying on service providers that they trust. Fortunately, the technology exists now to eliminate that requirement.
Dropbox is currently off-limits to all employees at my client.
duplicating the host_id from the Dropbox config onto another system will immediately gain access to all of the Dropbox files associated with that host_id, without further authentication
Sounds like the host_id is the secret key. So to paraphrase: "If you type someone's username & password into the facebook login page, you get complete access to their account"
If you dupe someone's Dropbox host ID, they'll only see the one entry on their page, so it's quite likely they would not be aware that they've been "duped".
To dupe the key they would need access to your system, though. At which point they would also have access to all your files anyway.
Now, if you fix your system to no longer be vulnerable the duped key will allow them to keep snooping your files, but personally I think this risk is marginal.
There is a difference between someone stealing a snapshot of your data, and someone gaining permanent, undetectable access to your data.
It's also about attack scenarios:
With a USB stick crafted for this purpose I could steal your credentials in under 10 seconds, while you're on the toilet and forgot to enable your screensaver. Locating and downloading the actual data would take much longer; planting a trojan for later would be much more difficult and unreliable.
Whether or not the risk is marginal depends on the circumstances of the user. I think there's probably a time and a place for this security model, though I don't see myself using it.
I see two key questions:
* Has the security model been properly implemented?
* Have its properties been communicated to the users of the system in a clear enough way that people can evaluate how the risks apply to them?
I don't know about the first question, but on the second they could certainly stand some improvement.
Great points. Trust and hope are not IT Security Controls.
Take the matter into your own hands and GPG encrypt everything that you place into the cloud. That way, only you hold the decryption key. I'm sure this may violate their ToS and it is inconvenient for end-users, but in order to have a firm technical control, you have to remove "trust and hope" from the equation.
If this violates their ToS, they need to rethink their policies. There are a ton of reasons you might have an encrypted file in your Dropbox, like sharing it with a friend or holding it there because you are moving files around, etc.
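One way to put the "encrypt everything before it goes in the cloud" advice above into practice, as an added example that is not from the thread: a small POSIX shell wrapper around gpg that writes only ciphertext into the synced folder, plus a check that no plaintext marker has leaked there. The function names, the passphrase-file layout and the marker-based check are assumptions; it expects gpg 2.1 or later.

```shell
#!/bin/sh
# Client-side encryption before sync: the sync service only ever sees
# <name>.gpg, and only the holder of the passphrase can read it back.
# Assumption: the passphrase lives in a file readable only by you
# (e.g. mode 0600), never inside the synced folder.
set -eu

# Encrypt SRC into SYNCDIR/<basename>.gpg and print the output path.
# Plaintext is never copied into SYNCDIR.
encrypt_into_sync() {
    src=$1; syncdir=$2; passfile=$3
    out="$syncdir/$(basename "$src").gpg"
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 \
        --output "$out" "$src"
    printf '%s\n' "$out"
}

# Decrypt SYNCDIR/<name>.gpg to DEST, which should sit outside the synced folder.
decrypt_from_sync() {
    enc=$1; dest=$2; passfile=$3
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --output "$dest" --decrypt "$enc"
}

# Sanity check before letting the client sync: succeeds (exit 0) only if
# no file under SYNCDIR contains the plaintext MARKER you expect to be hidden.
sync_folder_is_clean() {
    syncdir=$1; marker=$2
    ! grep -rqF -- "$marker" "$syncdir"
}
```

Typical use is `encrypt_into_sync report.txt ~/Dropbox ~/.secrets/pass` followed by `sync_folder_is_clean ~/Dropbox "some phrase from the report"`; keep the passphrase file and the decrypted copies outside the synced tree.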