Dropbox let me down

UPDATE: Dropbox answered; they deny it and think it’s my error. See below.

Even if there were rumors that Dropbox could access files, I somehow felt safe having everything in there that I consider private documents. This changed this weekend.

A friend messaged me, telling me that I might have mistakenly moved a certain private document into a shared folder. Shocked (I thought no one ever saw this document), I looked at the shared folder, but the document couldn’t be found, neither in the iOS app nor on the Mac. I asked my friend to send me screenshots, and he had the file there, and could also tell me the contents. (I don’t blame him, I’d have looked at it too.)

Here are the screenshots. His is the Android screenshot with the critical file circled (“Eurowerte.doc”, which is in another folder called “Tim” in my Dropbox that I never ever shared):

[Screenshot: 2013-11-21]

I added two screenshots, one from my web login, and one from my Finder. My web login (not showing Eurowerte.doc):

[Screenshot: mine]

… and my Finder window, also not showing the file:

[Screenshot: mine_mac]

 

This means I couldn’t delete that file, and I have no idea at all which of my other files appear in other people’s Dropboxes. I share a lot of folders via Dropbox, partly at work, partly privately, but I’m 100% certain that I never shared that particular file. I have never experienced something like this before. But it clearly shows two things:

  1. Dropbox does in no way encrypt anything everything serverside, but they decrypt it for anyone else using their service, effectively making the encryption only protect the physical harddrives, in case they get stolen or accessed by non-dropbox software. In any way it’s no encryption that can only be decrypted by “your” dropbox-user, and also there’s no kind of sandbox in place, so in case of a bug those files can be accessed by other users.
  2. There are bugs that can let any of your files show up somewhere else. Still.

 

Technically, I guess this was a rare case of hash collision. Nevertheless, I have to move critical stuff from Dropbox, sadly. I wanted to trust you, but you’ve let me down.

UPDATE: I’ve contacted Dropbox about this, let’s see if they answer.

UPDATE 2: They answered this:

Hi Tim,

Thanks for reaching out to us about this.

You shared the “RPG” folder via a shared link on the 2013-10-17 at 18:43:48 (UTC). A shared link is a semi-public, read-only link to any file or folder in your Dropbox folder via the Dropbox website or desktop application. You can read about it in our help center here:

https://www.dropbox.com/help/167

You can also review current links and delete them here:
https://www.dropbox.com/links

The first thing that stands out from your screenshots is that the “Teller” & “RPG Floorplans” folders are not shared folders. This indicates that the entire RPG folder was added to your friend’s account using a Shared Link and added to their Dropbox using the “Add to my Dropbox” feature. This feature makes a static copy of the files as they appear in the Web Link.

I think this explains the confusion. Please provide the email address of your friend if you would like me to look into the issue further.

We would really appreciate it if you would also take some time to correct some of the things you posted on your blog post:

> “1. Dropbox does in no way encrypt anything serverside”

This is false. Files are stored using 256-bit AES encryption. Data is split into individual discrete file blocks, each encrypted for storage using an AES-256 cipher. For more information on our security policy, please see our security overview:

http://www.dropbox.com/security

> “2. There are bugs that can let any of your files show up somewhere else.”

This also appears to be false, and not a case of a hash collision.

Let me know if you have any further questions.

Best,
Sean

This appears to be false? No, it is proven to be true. Whether it’s a case of hash collision was just an educated guess; of course it can be any other kind of bug. I also checked my links, but I have never shared or linked to that file. Also, I don’t hate Dropbox; in fact, I like the service a lot. But if there’s a bug that came to my line of sight more accidentally and usually wouldn’t have been found, I expect Dropbox to find and fix it.


My todo workflow & Appigo ToDo

Appigo ToDo is great (reviewed it when the Mac version was pretty new) for the following reasons – and how I use it:

  • I can have my main contexts home and work. Also I have two other contexts called GET (where everything I need to get lives, and movies, where my favorite movie list lives). I can switch between those easily on every screen, with one click in the mac app, or two taps in the iOS version. When a context is activated, the list is filtered so I can only see the stuff I can do right now, sorted by due date. I’m always in some context. Therefore, stuff I’d never like to see, like my reminders for organizing the whole list once a week or going to bed in time just get no context attached.
  • At work, where I have different projects, I can add a “tag” to every task for a given project. At the moment, I have a lot of stuff for UpdateYeti (the next product I’ll be releasing soon) using the tag #uy and #organizational tasks for team-lead stuff. When I select one of these additional tags as filter, it’s effectively like selecting a subcontext, so I only see tasks in this project.
  • There’s a quick entry shortcut on the mac, which opens a simple text input box. As I’m mostly collecting tasks at work, work is my primary context set automatically for those tasks. The intelligent task parsing (that I originally proposed to Appigo and that I’m still amazed got implemented by them, thanks Appigo!) makes it possible to set another context by writing “@context” or to set tags by writing “#tag” right in the task’s description, and using shortcuts for this (for example via TextExpander, although I use Keyboard Maestro for this right now), adding a task to the correct project and context is done very quickly.
  • Good price, either pay once for each app, and you’re good to go (Mac 15$, iPhone 5$, iPad 5$). Or you pay ~20$ per year for the cloud version (like I do, Mac, iOS)  and also have a web-version and shared tasks for other pro users. The apps for this version are free on the AppStore but can only be used with this subscription.
  • It syncs, it can do reminders, recurring tasks, location based tasks, due dates & times, priorities, and it doesn’t need the full screen on the mac, as they don’t have much stuff in there that nobody needs anyways (like many of the more expensive task managers like OmniFocus).
  • They’re actively developing the applications, which is much more than can be said about all its competitors. And they have the best name of a todo-tool: ToDo.

→ Feature requests for Appigo

  • Make a checkbox-like filter that hides tasks that have a start date but have not started yet (would make me use start dates finally)
  • On iOS: background sync, now that it’s possible with iOS 7 – please!

Problem Report Checklist

If you report a problem, tell the person who could fix the problem:

  • how to reproduce the problem
  • what is expected instead of the current state
  • what did you try / think of so far to solve the problem yourself
  • if you have any clues, logs, stacktraces

Just for reference, and with as little text as possible, for linkage.


Jony Ive, Steve Jobs and pseudo 3D design

Many might think what I thought yesterday:

Jony Ive is not Steve Jobs. Steve understood how usual people tick. He liked having the skeuomorphic design around, as computing devices and especially software are something inherently abstract that needs to be made understandable for the usual customer. Jony Ive just seems to only have his designer’s point of view. A button is now indistinguishable from a usual text label.

Here’s a quick thought for you:

What if Jony Ive didn’t want to make everything flat? What if Jony Ive just understood that shadows and borders are only useful if you have to create the illusion of 3D?

What if the parallax effect is the simple solution for many of those design problems in usual apps’ GUIs?


Json.NET and Serializing only base class properties

I was just working with Json.NET in C# and was looking for a solution to create a JSON-String from an object where I only wanted to put in the properties of the base type, as I have stored subtypes in memory which contain additional ViewModel properties that were unneeded as I only needed the business data. As I didn’t find anything fitting via Google, I researched how to build a custom ContractResolver that only serializes the Properties belonging to my business model class type T:

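using System.Reflection;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Serializes only the properties declared on T (the business model type);
// properties declared on subtypes of T are skipped.
public class DerivedTypeFilterContractResolver<T> : 
        DefaultContractResolver
{
  protected override JsonProperty CreateProperty(
        MemberInfo member, 
        MemberSerialization memberSerialization)
  {
    JsonProperty property = base.CreateProperty(
         member, memberSerialization);
    // Suppress every property that is not declared on T itself.
    if (property.DeclaringType != typeof(T))
    {
        property.ShouldSerialize =
          instance => false;
    }
    return property;
  }
}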
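
How a resolver of this kind keeps view-model state out of serialized output, as an added example that is not the author's code. The types `Entity`, `Customer`, `CustomerViewModel`, the resolver name `BaseTypeOnlyContractResolver` and the helper `SerializeAs` are hypothetical; the resolver here goes one step further than an exact comparison against `typeof(T)` and uses `IsAssignableFrom`, so properties that T inherits from its own base class are kept as well.

```csharp
using System;
using System.Reflection;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical types, constructed for this example.
public class Entity { public int Id { get; set; } }
public class Customer : Entity             // business model (T)
{
    public string Name { get; set; }
}
public class CustomerViewModel : Customer  // in-memory subtype with UI state
{
    public bool IsSelected { get; set; }
    public string SessionNote { get; set; }
}

// Hypothetical variant: keeps properties declared on T or on T's base classes.
public class BaseTypeOnlyContractResolver<T> : DefaultContractResolver
{
    protected override JsonProperty CreateProperty(
        MemberInfo member, MemberSerialization memberSerialization)
    {
        JsonProperty property = base.CreateProperty(member, memberSerialization);
        // True for Customer and Entity, false for CustomerViewModel.
        bool declaredOnModel = property.DeclaringType != null
            && property.DeclaringType.IsAssignableFrom(typeof(T));
        if (!declaredOnModel)
        {
            property.ShouldSerialize = instance => false;
        }
        return property;
    }
}

public static class Program
{
    // Serializes value, writing only the members that belong to T.
    public static string SerializeAs<T>(T value)
    {
        var settings = new JsonSerializerSettings
        {
            ContractResolver = new BaseTypeOnlyContractResolver<T>()
        };
        return JsonConvert.SerializeObject(value, settings);
    }

    public static void Main()
    {
        // Runtime type is the view model; T is inferred as Customer.
        Customer c = new CustomerViewModel
            { Id = 7, Name = "Ada", IsSelected = true, SessionNote = "draft" };
        // Id and Name are written; IsSelected and SessionNote are skipped.
        Console.WriteLine(SerializeAs(c));
    }
}
```

In long-running code, keep one resolver instance per T instead of creating one per call, because `DefaultContractResolver` caches the contracts it builds per instance.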