Contemplating File Sync/Sharing Services

I wrote a few months ago about what a difference the cloud has made for how I conduct business.  I rarely buy software for my new company anymore; I often am paying for some type of cloud-delivered service.

One of those services that I use (and love) is Dropbox.  It is an incredibly easy replacement for a file server when you need to share 10s to 100s of GB of files between multiple users.  However, I definitely have some security concerns about it, and not just since the big snafu a few months ago.

One of my issues with Dropbox is that they can access my data.  Data is encrypted in transit, but they can access my data because they have my password.  The same appears to be true of Syncplicity & SugarSync.  Why do I think that? Because they have a "reset my password" link.  How does encryption work if they can change my password without a problem?  Compare this, for example, to Wuala's answer and Boxcryptor's answer to the question about a lost password.
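The reasoning about the reset link can be made concrete with a small sketch. This is an added example, not part of the original post and not any provider's actual code: it assumes a design in which the data key is wrapped under a key derived from the password on the client, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def derive_kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived on the client; the provider never sees it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def wrap(kek: bytes, data_key: bytes) -> bytes:
    # Stdlib stand-in for AES key wrap or an AEAD: one 32-byte block of
    # HMAC-derived keystream, then a MAC over nonce and ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

def enroll(password: str):
    # The record is all the provider stores: no password, no data key.
    salt, data_key = secrets.token_bytes(16), secrets.token_bytes(32)
    record = {"salt": salt, "wrapped": wrap(derive_kek(password, salt), data_key)}
    return data_key, record

def change_password(record: dict, old: str, new: str) -> dict:
    # A client-side change needs the old password to unwrap before re-wrapping.
    data_key = unwrap(derive_kek(old, record["salt"]), record["wrapped"])
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped": wrap(derive_kek(new, salt), data_key)}

def can_recover(record: dict, password: str) -> bool:
    # A provider-side "reset" amounts to trying a password that never wrapped the key.
    try:
        unwrap(derive_kek(password, record["salt"]), record["wrapped"])
        return True
    except ValueError:
        return False
```

In this design a password change works only when the old password is supplied, and a reset that skips it leaves the stored data key unrecoverable.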

Even with Wuala, who says they don't know my password, how do they share encrypted data with users I specify?  If all data is encrypted/decrypted locally, how does the person with whom I'm sharing files decrypt them?  I'm curious.

The last two listed are open source alternatives.  They're too limited in functionality for me, but I thought I'd throw them on there anyway.

SugarSync

Wuala

Syncplicity

Boxcryptor

iFolder

Sparkleshare

What do you think about all this?  Anyone I left out that I shouldn't have?


----- Signature and Disclaimer -----

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Architect at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.

7 thoughts on “Contemplating File Sync/Sharing Services”

  1. BB says:

    Hi Curtis,

    Yes, please don’t forget us at Buddybackup.com, we have had a free peer to peer backup solution out there for almost 7 years!

  2. Urmet Liin says:

    If you think about keys to open content and passwords to access these keys, then there is still a possibility that they designed it right. 🙂 As if you share something, it gets decrypted and then encrypted again with some other key. Just my thoughts.

  3. aknisly says:

    I think you missed Dropbox’ strongest competitor: SpiderOak. They make a big deal of their ‘zero-knowledge data encryption’ 2G free, cross-platform, unlimited devices, version-control…big list. The setup is a little more involved than Dropbox, but much more ‘tweakable.’

  4. cpjlboss says:

    I did forget them in the article, but I did look at them. My impression (when I looked at them) was they were not as easy to use as Dropbox, but I DID like the security part of their answer.

  5. Jimbo says:

    I am a member of a Dropbox network. When I installed the Dropbox client on my computer, it required me to log in as the local computer administrator. Therefore, Dropbox has full access to my PC. (Why this is necessary, I don’t know.)

    My biggest concern, however, is that if someone else on the network gets malware or gets hacked, will this put my PC at risk?

  6. cpjlboss says:

    @Jimbo

    I’d say the answer to your question is NO, unless it’s someone you’re sharing folders with. Even then, you’re only at risk (for the most part) if you’re not running virus/malware protection against that folder (which you most certainly should).

    As to the admin rights issue, there are all kinds of programs that install like that, including many MS programs that don’t really “need” admin access. It’s just easier to do it that way. Note that I’m not saying it’s right. I’m just saying that they’re not alone in their wrongness. 😉
