Taking Your Ball And Going Home; building your own secure storage space that mirrors Dropbox's functionality

Video in TIB AV-Portal: Taking Your Ball And Going Home; building your own secure storage space that mirrors Dropbox's functionality

Formal Metadata

Title
Taking Your Ball And Going Home; building your own secure storage space that mirrors Dropbox's functionality
Title of Series
Author
Phil Cryer
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Phil Cryer - Taking Your Ball And Going Home; Building Your Own Secure Storage Space That Mirrors Dropbox's Functionality
https://www.defcon.org/images/defcon-19/dc-19-presentations/Cryer/DEFCON-19-Cryer-Taking-Your-Ball-and-Going-Home.pdf

When for-profit companies offer a free app, there are always going to be strings attached. As we have increasingly seen, these strings are often tied to your privacy, to enable said third-party company to monetize you in some way, but in worse cases your security can be compromised, leaving you open to identity theft at best or legal repercussions at worst. One of today's most ubiquitous apps is Dropbox, which operates as a file hosting service that uses "cloud computing" (aka the internet) to enable users to store and share files and folders with others using file synchronization. Sounds harmless enough, until you start thinking about how they can do so much for free. Learn about the flaws discovered by security researchers that have caused Dropbox to significantly change their terms of service, and about a group building a free, open-source option for anyone to use to share and protect their data. Learn, get involved, help, and CYA, because for-profit third-party companies are not going to do it for you.

Phil Cryer (fak3r) is a systems engineer and privacy advocate who has worked on Linux and open source solutions for over 10 years. While balancing security with openness he has lectured globally on ways to open data silos to facilitate scientific discovery, but is equally comfortable talking about sharing any kind of data. His favorite memory from previous DEFCONs was yelling at the screen during a late night screening of Wargames, but locking himself out of his own room at last year's con is a close second. He learns by doing, believes that imagination is more important than knowledge, and, like all good IT professionals, has a bachelor's degree in fine arts. Twitter: @fak3r
My talk is called Taking Your Ball and Going Home: Building Your Own Secure Storage Space That Mirrors Dropbox's Functionality. All right, so I'm Phil Cryer, also known as fak3r on Twitter and on my blog, fak3r.com. Sure, thanks. Quick background on me, and why I may or may not be qualified to speak here.

When I was a kid I started learning different programming languages, and I loved learning and playing around with Apple BASIC, Logo, Pascal. Then things changed a bit when I got to high school; it wasn't quite as cool back then to be in the computer club, so I actually changed focus a little bit. Eventually I graduated from college with an art degree, and after working a variety of different jobs I just found myself getting back into more technical roles, and even though I was self-taught I really enjoyed it and thought, you know, I fit in. So I started doing desktop support as an IT technician, fixing servers, networking, printers, and it was at that time that I came across Linux, and that pretty much changed everything. I had kind of the same freedom and the same sense of adventure that I had back in the days when I was banging away on the Apple, and all of a sudden we could solve problems without buying solutions and could run a Unix-like environment at home too. I became an IT contractor and worked a lot of different jobs in the industry; I jumped around a lot: startups, large corporations, as well as nonprofits, and it was a good way to learn a lot of different things and to pick up new ways to approach ideas.

Partially because of the events of the day I became more aware of and interested in civil liberties, and while they're important to think about at the time, I think it's much more important to think about them for the future too. So I got involved with a variety of groups, learning more about them [inaudible] and helping them succeed. Currently I'm working at a non-profit, using Linux and open source to distribute biodiversity data globally. We've got a lot of partners we work with, and again it's an opportunity to use different tools and open source to really benefit a lot of people. Outside of work I'm continuously exploring open source and finding ways to increase online privacy and security. So that's enough about me; now the talk.

How many people here use Dropbox? And how many people here trust it with their personal, private data? So, Dropbox always has your stuff. It's a great little app and it just works; you really can't fault the design or the idea of it, and it works really well, and for a long time I thought it was just the killer app: very fun, easy to use. Quick background on Dropbox: they're a very well funded startup company, they offer two gigs of free storage, with an annual membership to increase the space. It lets you sync data across many different devices, any device you want, so you can use it to sync; they do have ad hoc backups with it and social sharing, and it's cross-platform, which was always nice: Mac, Linux, and Windows, as well as mobile devices. It's seen really quick growth over the past two years. TechCrunch had an article recently that said Dropbox has 25 million users, and those users save 200 million files daily, more than 1 million every five minutes. I couldn't believe it, so to point that out: on average, about four million files will be saved on Dropbox during this talk.

So a for-profit company has a free app with free data storage; what's to worry about? What do we know about Dropbox's service? We know Dropbox is secure, Dropbox says: your files are available from the website, all transmission of the files is over SSL, files are stored on Dropbox servers encrypted with AES-256, so that's all good. The last two lines were a little less convincing: "protect yourself without needing to think about it", I think that's probably not something people at DEF CON would go for, and the last point, "your stuff is safe", but that last one made me say, oh really?

So meanwhile, security researchers have turned up evidence otherwise. Christopher Soghoian has a blog, Slight Paranoia, and he discovered the way files are detected by Dropbox and uploaded: basically the files' hashes are compared with what Dropbox might already have in storage on the servers, and if a hash matches it won't actually upload that file; it'll just upload the metadata about the file. So they were able to watch traffic to determine that they only uploaded, you know, a little bit, and the server had the whole file. The idea of data deduplication makes a lot of sense, definitely with concerns of bandwidth and storage, but it's probably not the best idea for privacy or security. Chris's work led to an FTC complaint that Dropbox was using deceptive statements to their consumers regarding the extent to which they protect and encrypt the data; they said there was a case of deceptive trade practice.

Another researcher found that the authentication, I'm sorry, the authentication was done with a SQLite file. It's just a simple SQLite file that you can look at, and the problem with that is if you get hold of that config.db file, or the host ID, you can gain access to the person's Dropbox. When you sign up for Dropbox you have to actually grant rights: you accept that this server or this laptop can access my stuff. So the problem here is if somebody gets hold of that file, they have access to your stuff and you don't know it; they have access until you actually revoke that access on that box.

The Technology Liberation Front called Dropbox the privacy black box, and basically the idea is that the third-party doctrine under the Fourth Amendment is putting cloud users' privacy in question, and Dropbox's policies don't do anything to make this safer for consumers. Another good point they made was that the cloud exposes data to risks that local storage doesn't. So Dropbox has some privacy considerations to address; at least it's safe and secure? They had an issue where a new update was pushed and it basically made authentication optional for four hours, so you could log into basically anybody's Dropbox using any password. So again, this was obviously an accident, but it kind of shows that authentication is not part of your control since it's in the cloud, and clearly an epic fail. So Dropbox confirmed the security glitch and basically pointed out that it was just a code update and there was a bug. That's cool, I mean, accidents happen, certainly, but again it highlights the fact that with things in the cloud you're relying on somebody else to secure your stuff.

So Dropbox knows what you have. It may or may not be more secure than the next cloud provider, but at least it protects information about your personal data usage? That's up for Dropbox Reader. Dropbox Reader is a set of Python scripts that you can use to basically interrogate that config file and get all sorts of information about syncing activity, including directories you have shared. Earlier this year Dropbox changed their terms of service from "other files stored on Dropbox are encrypted and inaccessible without your password" to "all files on our Dropbox servers are encrypted", so that's definitely a change.

So Dropbox is a free app with privacy and security concerns that you can use to freely back up your stuff and share files with people, but knowing what I know about open source, I know we can do better if you want to keep all the control yourself. So I thought about how to build this, and I wanted to start out really simply, of course. What can sync files remotely? That's pretty easy: rsync has been around forever, and also Unison, which is a really interesting option that really specializes in two-way synchronization. Then we wanted to know what we could use as a trigger to kick off a sync when a file changes or is updated. inotify has been part of the Linux kernel since 2.6; basically it watches for changes to the filesystem, it's very fast, and I know that it's up to the task of monitoring many files because it's exactly what Dropbox uses to monitor your Dropbox folder. This is an error kicked out to syslog when you're running Dropbox with the default max_user_watches setting, and it's a great error, because again it shows you exactly how to fix it. There's another project called lsyncd, and it basically combines the file watching with rsync: it watches for any file changes from inotify and then you can have it kick off different commands, by default rsync, but it could do all sorts of other stuff too. And to have it securely transfer the data, that's pretty much a no-brainer: go over SSH. It's easy to tunnel over, and it works for Unison also, and other syncing things I might try in the future. It also keeps the keys client-side by default, so if something goes wrong, you know, you have the keys with the client.

So to start simple: use lsyncd to monitor a directory, and when it sees a change, just have it kick off rsync to the remote server over SSH. I wanted to try that and add more features later on once the proof of concept was working and I got some feedback from the community. So in September 2009 I put a post on my blog about how to build your own open source Dropbox clone, basically just, you know, talking about these ideas, a little how-to about how you can basically make this work. I thought it was just kind of a really simple way of describing it, but the response was tremendous; people just posted nonstop and everybody seemed really excited about the idea. It was cool because they actually brought up a lot of different, similar projects that were already kind of doing the same thing. The article got picked up and posted to sites like Reddit, Lifehacker, Slashdot, and IT World, and then at the end of last year it was in a print magazine called Hacker Monthly, which is actually a pretty nice magazine if you haven't seen it; I hadn't heard about it at the time they approached me. So, well done, okay.

So I had announced my idea and gotten feedback and compared this to some other methods and ideas, but I still had some things that I thought I could do with mine to keep it a little more open, so I decided to press on, and it was time to build a project around that idea. So I put it up on GitHub, called it lipsync, and it includes just a bash script that's an installer that sets up the environment for you. It's BSD licensed, and the project has to be transparent and open, because on GitHub I just want to get as much community involvement around it as possible. Currently it's pretty basic, but lipsync runs on Linux, watches files for changes, kicks off rsync over SSH to sync the data, and it's got basic Growl-like desktop notifications. Again, great response from the community: users are forking the project, making pull requests, helping me fix bugs, writing, you know, issues, and there's a pretty active mailing list now too.

This is just kind of a basic idea of how it works: again, a client has a new file and it gets synced to the server; another client gets another file, it syncs to the server, and also notices that there's a new file for it to grab. And if a client is not making any changes, right now we just use cron, which just kicks off and checks with the server every now and then to see if there are any files it needs.

Future things coming up: a contributor has it running on OS X, I think it's using FSEvents instead of inotify, so there are some changes and things to look at there, but it should be ready soon. We want to make things more secure and private, figure out the best way to do things like encrypted filesystems, and then look at other ways to sync, like over P2P, Freenet, BitTorrent, see if we can use Tor or another kind of proxy. We really ought to make it cross-platform: Linux is obviously the easiest, Mac we have some ideas, Windows we could maybe make work within Cygwin; I don't know if I want to have that requirement or not, but I don't do much work in Windows anymore, so I don't know how hard that will be. That's another one, and there are more ideas from the community; people are still coming up with questions and suggestions for more functionality. We've got a basic website up with an easy to remember URL, thanks to Anthony, and again just links for the GitHub page and all the issues and the mailing list.

So, conclusions: it's possible to create a secure file distribution app that protects users' privacy and security, but it probably won't be built by a for-profit third party; it'll be built by the community, and we should probably look at all cloud or App Store software with the same kind of skepticism. I think probably everybody here does. So if you're interested in lipsync at all, get involved: try it out, join the mailing list, submit an issue, discuss ideas, and continue to ask questions and just explore privacy and security in software. And always bring a towel. That's what I have; I want to thank my sponsors, SBS critics, we also dot com, EFF, Nikita and the great job they did this year, and my family, and there's my contact info. Thank you.
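The deduplication behaviour the talk describes (hash sent first, file bytes only when the server has no match) is easy to model, and modelling it shows the privacy problem more precisely than the transcript does: the "do you already have this hash?" answer does not depend on who asks, so anyone holding a copy of a file can confirm that some account stores it. The following is an added example for this page, not code from the talk, from lipsync or from Dropbox; the in-memory DedupServer, the sample files and the keys are constructed here, and the per-user encryption at the end is the mitigation the talk gestures at under "encrypted filesystems", implemented with an HMAC keystream purely for illustration.

```python
"""Content-hash deduplication and the confirmation-of-file oracle it creates.

Added example, not the talk's or Dropbox's code. Everything here is constructed:
DedupServer is a toy service, the sample files are made up, the keys are not real.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

SAMPLE_FILE = b"constructed sample: quarterly report, confidential\n" * 40
OTHER_FILE = b"constructed sample: unrelated notes\n" * 40
KEY_ALICE = b"constructed-key-for-alice-example"   # placeholder, not a real secret
KEY_BOB = b"constructed-key-for-bob-example"


class DedupServer:
    """Blobs keyed by SHA-256 of their content; one stored copy per distinct hash."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.files: Dict[Tuple[str, str], str] = {}   # (owner, path) -> digest

    def has_hash(self, digest: str) -> bool:
        # The whole problem: the answer is the same no matter which client asks.
        return digest in self.blobs

    def store(self, owner: str, path: str, digest: str, data: Optional[bytes] = None) -> None:
        if data is not None:
            assert hashlib.sha256(data).hexdigest() == digest
            self.blobs[digest] = data
        self.files[(owner, path)] = digest


def upload(server: DedupServer, owner: str, path: str, data: bytes) -> int:
    """Client side of the protocol: send the hash, then the bytes only if the
    server lacks them. Returns the number of payload bytes actually sent."""
    digest = hashlib.sha256(data).hexdigest()
    if server.has_hash(digest):
        server.store(owner, path, digest)          # metadata only: 0 payload bytes
        return 0
    server.store(owner, path, digest, data)
    return len(data)


def someone_stored_this(server: DedupServer, data: bytes) -> bool:
    """The oracle: whoever holds a copy of a file (a leaked document, a
    copyrighted file) can ask whether *any* account already stores it."""
    return server.has_hash(hashlib.sha256(data).hexdigest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream. Illustration only;
    a real client would use an AEAD (e.g. AES-GCM) from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_for_user(user_key: bytes, data: bytes) -> bytes:
    """Per-user convergent encryption: the nonce is derived from the plaintext
    under the user's own key, so the same user's duplicate copies still dedup,
    while other users and the server only ever see unrelated ciphertext."""
    nonce = hmac.new(user_key, b"nonce" + data, hashlib.sha256).digest()[:16]
    body = bytes(a ^ b for a, b in zip(data, _keystream(user_key, nonce, len(data))))
    return nonce + body


def decrypt_for_user(user_key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(user_key, nonce, len(body))))


def demo() -> Dict[str, object]:
    """Plaintext dedup (oracle works) versus per-user encrypted dedup (oracle fails)."""
    plain = DedupServer()
    first = upload(plain, "alice", "/reports/q1.pdf", SAMPLE_FILE)
    second = upload(plain, "bob", "/downloads/q1.pdf", SAMPLE_FILE)   # dedup hit: 0 bytes
    enc = DedupServer()
    ct_alice = encrypt_for_user(KEY_ALICE, SAMPLE_FILE)
    a1 = upload(enc, "alice", "/reports/q1.pdf", ct_alice)
    a2 = upload(enc, "alice", "/backup/q1.pdf", encrypt_for_user(KEY_ALICE, SAMPLE_FILE))
    b1 = upload(enc, "bob", "/downloads/q1.pdf", encrypt_for_user(KEY_BOB, SAMPLE_FILE))
    return {
        "plain_first_upload": first, "plain_second_upload": second,
        "oracle_hit": someone_stored_this(plain, SAMPLE_FILE),   # True: leaks Alice's upload
        "oracle_miss": someone_stored_this(plain, OTHER_FILE),
        "enc_alice_first": a1, "enc_alice_dup": a2, "enc_bob": b1,
        "enc_oracle": someone_stored_this(enc, SAMPLE_FILE),     # False: outsider learns nothing
        "roundtrip_ok": decrypt_for_user(KEY_ALICE, ct_alice) == SAMPLE_FILE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The trade-off is visible in the numbers: with plaintext hashing Bob's copy costs zero bytes but Alice's upload is confirmable by anyone; with per-user keys Bob's copy is a full upload again, Alice's own duplicates still dedup, and the server holds nothing it can match a third party's hash against.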
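The build the talk settles on (watch a directory, run rsync over SSH when something changes, let idle clients poll with cron) is simple enough to sketch end to end. The block below is an added example for this page, not the lipsync installer on GitHub and not lsyncd: it replaces the inotify trigger with a portable snapshot diff, which is what the cron-driven pull side has to do in any case, and it pins the SSH options that the speaker's "the keys stay client-side" remark depends on in practice. The remote spec, key path and known_hosts path are placeholders, and the demo never contacts a server; it only builds the command.

```python
"""A minimal lipsync-style sync step: detect local changes, then hand the
tree to rsync over a pinned SSH identity.

Added example for this page, not lipsync's own script. REMOTE, KEY_PATH and
KNOWN_HOSTS are placeholders; demo() only constructs the command.
"""
import hashlib
import os
import shlex
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

REMOTE = "backup@storage.example:/srv/lipsync"        # placeholder host and path
KEY_PATH = "~/.ssh/lipsync_ed25519"                   # dedicated key, not your login key
KNOWN_HOSTS = "~/.ssh/lipsync_known_hosts"            # contains only the server's host key

Manifest = Dict[str, Tuple[int, str]]                 # relative path -> (mtime_ns, sha256)


def snapshot(root: str) -> Manifest:
    """Hash every regular file under root; this is what cron-side polling compares."""
    out: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root)] = (os.stat(full).st_mtime_ns, digest)
    return out


def diff(old: Manifest, new: Manifest) -> Tuple[List[str], List[str]]:
    """Return (changed_or_new, deleted). The content hash decides, so a file
    that was merely touched (new mtime, same bytes) does not trigger a transfer."""
    changed = sorted(p for p, (_, h) in new.items() if old.get(p, (0, ""))[1] != h)
    deleted = sorted(p for p in old if p not in new)
    return changed, deleted


def rsync_command(local_root: str, remote_spec: str, key_path: str,
                  known_hosts: str, push: bool = True) -> List[str]:
    """Build the rsync-over-ssh invocation with the host key and identity pinned,
    so a spoofed server or a stray agent key cannot quietly take the data."""
    ssh_cmd = " ".join(shlex.quote(a) for a in [
        "ssh", "-i", key_path, "-o", "IdentitiesOnly=yes",
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={known_hosts}",
    ])
    src, dst = local_root.rstrip("/") + "/", remote_spec.rstrip("/") + "/"
    if not push:
        src, dst = dst, src
    cmd = ["rsync", "-az", "-e", ssh_cmd]
    if push:
        cmd.append("--delete")     # mirror local deletions; the pull side never deletes
    return cmd + [src, dst]


def sync_once(root: str, previous: Manifest, remote_spec: str, key_path: str,
              known_hosts: str, run: bool = False):
    """One trigger: diff against the last snapshot and push only if something changed.
    Returns (new_snapshot, changed, deleted, command_or_None)."""
    current = snapshot(root)
    changed, deleted = diff(previous, current)
    cmd: Optional[List[str]] = None
    if changed or deleted:
        cmd = rsync_command(root, remote_spec, key_path, known_hosts, push=True)
        if run:
            subprocess.run(cmd, check=True)
    return current, changed, deleted, cmd


def demo() -> Dict[str, object]:
    """Constructed scenario: three files, then one edit, one deletion, one touch."""
    root = tempfile.mkdtemp(prefix="lipsync-demo-")
    os.makedirs(os.path.join(root, "notes"))
    for rel, body in {"notes/a.txt": b"alpha\n", "notes/b.txt": b"beta\n", "c.bin": b"\x00\x01"}.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    state, changed, deleted, _ = sync_once(root, {}, REMOTE, KEY_PATH, KNOWN_HOSTS)
    first = (changed, deleted)
    with open(os.path.join(root, "notes", "a.txt"), "wb") as fh:
        fh.write(b"alpha edited\n")
    os.remove(os.path.join(root, "c.bin"))
    os.utime(os.path.join(root, "notes", "b.txt"))   # touched, not modified: must not count
    state, changed, deleted, cmd = sync_once(root, state, REMOTE, KEY_PATH, KNOWN_HOSTS)
    _, _, _, idle_cmd = sync_once(root, state, REMOTE, KEY_PATH, KNOWN_HOSTS)
    shutil.rmtree(root)
    return {"first": first, "changed": changed, "deleted": deleted, "cmd": cmd, "idle_cmd": idle_cmd}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add to the talk's design: pushing with `--delete` from several clients that also pull is a race (the last client to push wins and can erase another's new file), which is exactly why the speaker mentions Unison for two-way sync; and on the server side the dedicated key should be restricted in authorized_keys to the rsync command and path it needs, so a stolen client key cannot be used for an interactive shell.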