This Week in Tech 655: Banana Is Phone

Samsung announces 2 new phones as Mobile World Congress kicks off in Barcelona. iCloud keys are stored in China. All 150 new emojis for 2018 revealed. Nokia’s newest phone is a nod to The Matrix. GDPR and H.R. 1865 and their implications. Intel knew about flaws in chips but didn’t mention it. Dropbox announces its IPO. Kylie Jenner’s tweet takes down Snapchat, and AT&T is taking advantage of the end of Net Neutrality.


Dropbox bug deletes some users’ files permanently

Cloud services, especially cloud storage, are a common thing these days but some people are still wary of storing their sensitive files in the netherworld. And whenever they argue against cloud storage solutions they point to events like the one Dropbox just went through, where some users’ data was permanently deleted by a bug.

The company has confirmed that a bug in an older version of its desktop apps could lead to files being deleted permanently, without the user’s knowledge or consent. The problem is related to Selective Sync, which allows users to only synchronize some important folders across machines.

Now the good news is that Dropbox says they’ve fixed the bugs in newer versions of their apps and they’re also restoring some of the lost data where that’s possible. And to give credit where it’s due, the company did acknowledge this problem quickly and is trying to help and reimburse the users that were affected.

via Dropbox bug deletes some users’ files permanently – Neowin.

Dropbox clarifies its policy on reviewing shared files for DMCA issues

For years now, Internet users have accepted the risk of files and content they share through various online services being subject to takedown requests based on the Digital Millennium Copyright Act (DMCA) and/or content-matching algorithms. But users have also gotten used to treating services like Dropbox as their own private, cloud-based file storage and sharing systems, facilitating direct person-to-person file transfer without having to worry.

This weekend, though, a small corner of the Internet exploded with concern that Dropbox was going too far, actually scanning users’ private and directly peer-shared files for potential copyright issues. What’s actually going on is a little more complicated than that, but it shows that sharing a file on Dropbox isn’t always the same as sharing that file directly from your hard drive over something like e-mail or instant messenger.

The whole kerfuffle started yesterday evening, when one Darrell Whitelaw tweeted a picture of an error he received when trying to share a link to a Dropbox file via IM. The Dropbox webpage warned him and his friend that “certain files in this folder can’t be shared due to a takedown request in accordance with the DMCA.”

Whitelaw freely admits that the content he was sharing was a copyrighted video, but he still expressed surprise that Dropbox was apparently watching what he shared for copyright issues. “I treat [Dropbox] like my hard drive,” he tweeted. “This shows it’s not private, nor mine, even though I pay for it.”

In response to follow-up questions from Ars, Whitelaw said the link he sent to his friend via IM was technically a public link and theoretically could have been shared more widely than the simple IM between friends. That said, he noted that the DMCA notice appeared on the Dropbox webpage “immediately” after the link was generated, suggesting that Dropbox was automatically checking shared files somehow to see if they were copyrighted material rather than waiting for a specific DMCA takedown request.

Dropbox did confirm to Ars that it checks publicly shared file links against hashes of other files that have been previously subject to successful DMCA requests. “We sometimes receive DMCA notices to remove links on copyright grounds,” the company said in a statement provided to Ars. “When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes.”

Full Story: Dropbox clarifies its policy on reviewing shared files for DMCA issues | Ars Technica.

Dropbox: Recent downtime caused by routine maintenance error, not hackers

Cloud storage provider Dropbox went offline for several hours on Friday. Those claiming to be members of the loose-knit hacking collective Anonymous were quick to claim responsibility for the downtime but Dropbox officials have since confirmed that a routine maintenance task gone wrong, not a hacking attempt, was to blame.

Service was restored a few hours later but the proverbial damage was already done. A group known as AnonOpsKorea, a Korean branch of Anonymous, claimed one of their affiliates hacked the service to avenge the death of Aaron Swartz. If you recall, Swartz committed suicide last year as he was facing federal charges for hacking into MIT’s network.

The hacker, going by the Twitter handle 1775Sec, claimed to have compromised the service and threatened to publicly share stolen data if Dropbox didn’t fix the vulnerability used to gain entry. Shortly after, the hacker posted a link to data that was allegedly stolen from Dropbox, although the company pointed out that the information in the dump was posted a month prior and wasn’t from them.

In a statement issued to the New York Times, a spokesperson for Dropbox said the outage was indeed caused by internal maintenance and not an external factor. In regard to claims of leaked user information, the spokesperson said it was little more than a hoax. The company echoed these same sentiments on their official Twitter page that same day.

via Dropbox: Recent downtime caused by routine maintenance error, not hackers – TechSpot.

Attackers reported seeding cloud services with malware

LAS VEGAS — Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week’s Black Hat conference here.

Traditionally, malware writers had distributed their malicious code from their own sites.

But as security vendors get better at detecting and blacklisting those sites, hackers are increasingly distributing their malware products from legitimate host sites. The technique has been used a bit for more than two years, but now appears to be gaining steam, researchers said. (See also “When malware strikes: How to clean an infected PC.”)

Dodging the blacklist

Often, the owners of legitimate sites fail to properly scan the content they are hosting, which allows attackers to furtively post malicious code with relative ease, said Michael Sutton, vice president of research at ZScaler, a provider of cloud-based security services for enterprises.

Malicious content distributed from a legitimate site is more likely to make it past corporate defenses. Vendors are also unlikely to blacklist a legitimate hosted service, allowing malicious content hosted on one to stay up longer, he said.


Zscaler said it has heard reports of malicious files hosted on Dropbox, but they appear to have been removed, the blog noted.

Sutton pointed to recent incidents where attackers posted and distributed malicious code on Google Code and Dropbox as an example of the trend. A blog on Zscaler’s website lists nearly three dozen malicious files hosted on the Google Code site, which contains tools for software developers.

The message for IT managers: Don’t blindly trust domains that seem to be secure, Sutton said.

“Attackers are starting to leverage hosting services” to stage malicious code, he said. “It used to be that [attackers] would set up their own servers,” to host malware. “Then we saw them infecting legitimate third-parties. Now they are using hosting services. They are no longer paying for hosting [malware] and are less likely to get blacklisted.”

Increased infections noted

Meanwhile, Firehost, a provider of cloud-hosting services for enterprises, has seen an increase in Web application attacks originating from the networks of legitimate Web hosting services, said CEO Chris Drake.

In its latest quarterly security review, Firehost observed a noticeable increase in the number of SQL injection attacks, directory traversal attacks and other Web application attacks launched from within cloud service provider networks, Drake said.

Cloud providers often have weak validation procedures when signing up new customers, allowing attackers to create accounts with fake information. The accounts are then used to deploy and administer powerful botnets that run in the cloud infrastructure, he said.

In the second quarter of 2013, the IP filtering system that Firehost uses to protect its customers against malicious attacks blocked about 1.3 million unique attacks. Of the total, a noticeable number of attacks originated from IP addresses belonging to cloud services companies, Drake said.

via Attackers reported seeding cloud services with malware | PCWorld.

Dropbox for Business launches, offering single sign-on

Cloud-storage provider Dropbox announced today the introduction of Dropbox for Business, a team-oriented version of the service with a particularly IT-friendly feature: single sign-on (SSO).

Dropbox, of course, allows users to archive, share, and access files across multiple devices: desktops, laptops, smartphones, tablets, and so on. Over the years it has grown synonymous with online file storage, arguably beating out every other service for mind-share, if not actual number of users.

The new Dropbox for Business is actually a rebranded Dropbox for Teams, which launched in 2011. Pricing continues to start at $795 annually for up to five users, though you now get “as much storage as you need” rather than a fixed amount.

Back in February, the company unveiled a new admin console and sharing controls for the service. But the marquee feature accompanying the new launch is SSO, which, as described by Dropbox’s Anand Subramani, “works behind the scenes to let users sign in just once to a central identity provider, like Active Directory, and securely access all their business apps, like Dropbox. With SSO, companies can put their existing trusted identity provider in charge of the authentication process.”

That also gives IT managers great control over user authentication and management. And for end users, SSO means one less password to deal with and one less step to get connected to their Dropbox accounts. (Once they’re logged into the company network, they’re logged into Dropbox.)

Dropbox has partnered with several sign-on identity providers, including Ping Identity, Okta, OneLogin, and Symplified. The SSO system employs industry-standard Security Assertion Markup Language (SAML), and brings Dropbox in line with competing cloud services such as Box and Google Drive, both of which already offer SSO.

What’s more, the aforementioned admin console brings Dropbox closer to Box with features like user-specific activity monitors, though the latter still offers a few extra perks for the IT crowd and end users alike, including virtual workspaces and Google Apps integration.

According to Subramani, the new feature will roll out to Dropbox for Business customers next month.

via Dropbox for Business launches, offering single sign-on | PCWorld.

Dropbox buys Audiogalaxy. Is a cloud music service on the way?

Online file sync and storage service Dropbox has acquired Audiogalaxy, a peer-to-peer file sharing utility turned online music streaming service. The move suggests some form of media streaming is coming to Dropbox, based on the acquisition announcement from Audiogalaxy. “We are excited about the opportunity to join the amazing folks at Dropbox and bring great new experiences to 100M+ Dropbox users,” the Seattle-based streaming service said on its blog. Financial details were not revealed.

It’s not clear what the Audiogalaxy team will be doing once it joins Dropbox. The company’s current service allows you to stream your music collection from a mobile device via remote connection to your own computer at home. That’s very different from services such as Google Music, which require you to upload your music collection to a remote server and then access it from anywhere via your mobile device.

Audiogalaxy’s mention of “great new experiences” for Dropbox users suggests the company was purchased specifically for its media streaming expertise. Dropbox doesn’t advertise it very much, but the service already offers limited media streaming. You can, for example, stream music tracks one at a time, as well as stream video using Dropbox’s mobile apps. For complete access to playlists and albums you need to use a third-party media player connected to Dropbox.

Full Story: Dropbox buys Audiogalaxy. Is a cloud music service on the way? | PCWorld.