Ramblings of this guy you know!

Tech Stuff and random observations on life as I see it….

Tag Archives: Dropbox

Using Insync with Dropbox to get Google Docs files to your iPad

I was reading an article over Christmas about a now free service for synchronising your Google Docs with your PC or Mac files. If you google Dropbox and Insync you’ll find lots of stories on it. I originally read this one:

Forget Dropbox, Insync is your Google Docs-loving alternative and it’s free

I have been a fan of Google Docs for a long time, but I had converted over to Dropbox because I could sync back and forth to the desktop and also get at the files via GoodReader on the iPad. So far there isn’t an Insync client for iOS, so I made my Insync folder inside my Dropbox folder.

On the iPad, inside GoodReader, I added the new Insync folder to my Remote Sync list, so now those files go to my iPad too.

It’s a roundabout way of doing it, but it’ll serve until a proper sync client comes out.


Recent Tech articles 27th June – 3rd July 2011

It’s been one of those odd weeks in tech, as one giant dominates a lot of the news. At the beginning of the week Google announced details of Google+, the much-awaited social network from the search giant. Despite previous failures in this department they are not giving up, and with new management in the driving seat Google+ was released to a limited audience. Rabid early adopters (like me) are still waiting for their invites to the network, while others gained access through back doors (now closed). Once released, Google set upon changing the face of other services, with Search, Mail and Calendar getting a makeover.

As well as releasing a new social network, the boffins at Google Labs released Swiffy, a Flash-to-HTML5 converter aimed mostly at advertisers. It is not a global website changer, as a very emphatic commenter let me know.

I heard through the Microsoft Faculty Connection of an updated business application named Visual Studio LightSwitch 2011 that will be released fully on July 26. You can find more information on LightSwitch here, including a beta download, training information and how-to videos.

The rest is security news:

Finally, Microsoft has disabled the Autorun defaults in Vista and XP and, surprise surprise, infections have decreased. A patch to change the Autorun defaults was pushed out in February this year, and you can see three months of graphs of decreasing infections here.

In a couple of smaller stories I wrapped up together, Computer users, you are the weakest link is all about the weakest link that can confound almost any security policy: people.

Finally for this week, a posting on an update of an existing botnet: Security experts describe new botnet as almost ‘indestructible’.

I am, as most of you know already, a Mac and iPad user. I recently converted a colleague of mine to the joys of the iPad and spent a few hours trying to get the setup just right for working. During all that, Jean-Clause found a lovely tool that lets you access Dropbox over WebDAV for free, which allows Pages to save directly back to Dropbox. See Using DropDav (Limited) with Dropbox and Pages (etc) on iPad if you want to set something similar up yourself.

Recent Tech articles – 20th-26th June 2011

A lot of news this week centres around security issues. We will start with it, and end with it. We started the week with two biggish issues from Dropbox and WordPress. On the Monday it was reported that a programmer’s error in a code update at Dropbox caused a temporary security breach that allowed any password to be used to access any user account. This was followed on the Tuesday by a release from WordPress announcing that it was forcing users to reset their passwords at WordPress.org after several popular plugins were compromised by hackers.

In Adobe news, to try to get beyond critics’ comments on their reliance on Flash and the desktop, Adobe released one new product and put out a preview of another. At the beginning of the week they announced that Flash Builder 4.5.1 was ready for release and would allow iOS and PlayBook development on top of the already existing Android platform. They then ended the week by announcing the preview of Edge, an HTML5 animation design tool.

On the Wednesday I started hearing on Twitter about an (at that point) unverified story from Cory Doctorow on Boing Boing suggesting that the UK copyright lobby was in closed talks with the British Government on national web censorship. If you are a net neutrality follower it’s worth reading, including the BBC follow-up.

As we head towards Microsoft’s Office 365 cloud offering coming out of beta, I am sure they could do without BPOS (Business Productivity Online Suite), the suite that 365 will replace, experiencing further outages, as was reported midweek last week.

After last week’s release of the Kinect Windows SDK, I picked up a couple of URLs, one pointing to a Kinect Hacks site for inspiration on what you can do with it and the other to a series of videos from the Microsoft developer event the previous week.

Gamification is a hot topic at the moment. So what is it, and how can it be used in real-world situations?

As promised, we end this week’s news with more security news. Firstly, an international raid called Operation Tribune Herald resulted in multiple equipment seizures from a group spreading scareware malware. And finally, after 50 days at sea, LulzSec announces that they are disbanding… Or do they?

Something to play with: I found a new social site last week after hearing it mentioned on Mashable.com. Infostripe is a personal landing page with mobile in mind.

Dropbox password glitch leaves user accounts open

On Monday 20th June a programmer’s error in a code update at Dropbox caused a temporary security breach that allowed any password to be used to access any user account. Between 21:54 on Sunday and 01:46 on Monday a bug affected the authentication mechanism and allowed open access to users’ Dropbox data.


I take a week off work and the Internet went to heck on a handcart

This stuff all happened around the Easter weekend, but I took a week and a bit off and I am only getting round to chatting about it now, so I guess this is a bit of tech news from yesterday. If you haven’t heard about this stuff, where have you been?

PSN Network
Even as I write this, the PSN network is still down, having been out of action since the 20th April. It was due back online on the 8th but may end up having to wait as long as the end of the month before access is reinstated.

The system went down after an intrusion was detected by Sony and they took the whole system offline. The news from Sony was slow to come out to users and there were some days of speculation as to the cause of the problem. It was suggested that the hacker group Anonymous was responsible, though they have since denied it was them as a group but couldn’t rule out an individual’s actions.

Finally it was announced that Sony’s system was not patched and up to date, that their user database was definitely compromised and that users’ credit card information may also have been exposed. The user database was not encrypted, which is bad enough; at least, thankfully, the credit card information was. Users were advised to change their online passwords if they use the same password on all their accounts.

Official company statement:

“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility, if you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”

The next announcement stated that they were rebuilding the system from the ground up and it would take a couple of days to get it up and running, but work on this was probably delayed when the Sony Entertainment site was hacked as well. There was also news that they were moving the servers, so was the breach possibly internal rather than external?

This is going to cost Sony big time to get this sorted, not just in a monetary sense but in reputation too. Game developers will also question whether they can trust Sony’s online system to keep them in their comfy profit margins. Gamers are of course suffering the most in this from a lack of access. Will this cause a shift of PS3 users to XBOX to get their online gaming fix?

Amazon EC2 downtime
On the 21st April 2011, Amazon EC2 storage went down across the US (most press coverage stated that the problem was with the North Virginia availability zone; in truth it affected other zones initially but was then confined to Virginia). In probably the biggest cloud outage story to date, the cloud doubters and haters and the press leapt on this story. During this outage several high-profile sites, as well as many individuals, were unable to provide their services.

If you want to read the technical summary Amazon published, visit here.

In summary (and hopefully in plain English), what happened was essentially a network failure on the high-speed link used for storage replication, forcing these requests down a much slower link. Due to the volume of requests, the replication state got pushed into a queued looping state which they technically called “stuck”, where unsynchronised volumes knew they were unsynchronised and pushed out another request to re-synchronise. While in this “stuck” state, no information could be read from or written to the affected services. After 3 hours’ work, the engineers confined the problem to one zone. After that there were a lot of technical updates (but no real information) stating that they had fixed more volume problems, and while many services were restored before then, it took Amazon until the 29th April to conclude all the work, release all the stuck volumes and publish the full summary of the problem.

I personally cannot hold Amazon totally to blame for this. If they are guilty of anything (and this is the same the world over with engineers and techs) it is the communication of the problem to the users of the system: either the information was technobabble or the engineers were busy trying to fix the problem rather than talk about it.

Just as I close out, think on this: according to the movie Terminator, Skynet went online on the 19th April 2011. On the 21st April 2011, Amazon lost its EC2 storage. Those dates are too coincidental.

Hopefully by now you will have upgraded the iOS version on your iPhone/iPod/iPad to the latest, 4.3.3, whereupon all I mention below is entirely irrelevant. If you haven’t upgraded, here’s why you should. It starts with Apple but moves beyond as the media coverage heats up. In my own humble opinion, I feel that this story was hyped beyond all reality, but it caused heightened responses in some and ‘meh’ in others.

It all starts when some researchers’ material, which has been known about in forensic circles since 2010, becomes more public. This lets everyone know that there is a file on iOS devices called consolidated.db that holds geolocation data gathered from cell towers and wifi stations the phone has visited. Furthermore, this file is backed up to the desktop when the device is synchronised.

This raises the following opportunities for your location data to fall into others’ hands:

  • If your device is stolen or lost
  • If your desktop is compromised
  • If you have jailbroken your device and not changed the default root password.

The answer to all of these is simply to increase your security by doing some or all of the following:

  • Upgrade to 4.3.3; the option to switch off notifications now stops the data collection as it should and deletes the cache on the device.
  • Set up a passcode on your device if you have not done so already.
  • Encrypt your iTunes backups so the content cannot simply be read.
  • Secure your laptop with a password for login and for return from the screen saver. This is of course a hindrance to usage, but if it protects your data, is it not worth it?
  • If you are using a jailbroken device, make sure it is secured with the root password changed from the default.

It should be noted that Apple stated that no data was ever used to identify an individual’s movements, but rather that crowdsourced anonymised data was sent back to widen the network’s awareness of where cell towers and wifi spots are, to speed up the pinpointing of location data. Many cried that Android did not do the same data collection, but that was quickly stomped on by Apple when they stated that they don’t track people but Google does.

With both companies, everything they collect is covered in the terms of service that you agree to, or in your agreement that your location data will be shared. However, I do think that they could bring this information to users in much better ways to prevent misunderstandings like this.

Now the American Congress is taking an interest in the information gathering of these two giants. It will be interesting to see how that changes our mobile landscape in the future.

Dropbox security issues
There have been a couple of security alerts I have picked up on the Dropbox system. The first issue is the change of ToS for users and the less-encrypted-than-you-thought file system. The second issue was around client connectivity, where someone could hijack your account without your password. I have produced a separate blog posting on this one and it can be found here.

MAC Defender virus
Not the first of its kind, but one that is receiving a lot of media attention. It is there to trap the unwary and less savvy user. Find out more here.

Security Alerts for Dropbox

I have long been an evangelist of Dropbox. Of course, some of the time I am only looking to enhance my referral status and increase my own free Dropbox storage space, but as every (worthwhile) iPad application allows connection to your Dropbox folder, it has almost become an essential addition to my core working.

I started listening to the Security Now podcast on the TWiT network (http://www.twit.tv/sn) recently, and I came across some worrying news over the security of using the Dropbox application that I thought was worth spreading and sharing.

Dropbox encryption issue
First and foremost, in episode 297 we were alerted to the change to the Dropbox Terms of Service, in which the company disclosed that if the American security services required access to a user’s Dropbox folder then they would decrypt the files and hand them over. Up till that point, users were under the impression that not only were the files transferred securely but they were also stored securely too. Essentially this is true, but in this case Dropbox has the hash key required to decrypt files, and this is unsalted, so any Dropbox employee can look at your files. They state that they won’t except for support purposes, but all it takes is one bad apple in the company to expose someone’s personal information.

The answer to this problem is of course for you to have your own key and pre-encrypt your secure files before sending them up to Dropbox, using tools such as TrueCrypt (all OSes) or BitLocker (Windows Vista and above) to create a secure folder inside your synchronised folder. Another tool was suggested in episode 299 which is still in beta right now and currently Windows only; it encrypts and syncs on the fly without having to have the likes of TrueCrypt running a virtual folder on your drives. Here’s hoping that this comes out for other OSes soon, including the iPad.

Config.db security and Dropbox authentication issue
The second worrying thing, which I hope Dropbox fix real quick, is a possible desktop security issue highlighting the need to ensure that your machine is made secure each time you leave your desk. I think he put this quite well, so I’m not going to rearrange his words in my style; here’s the word-for-word text from his transcript.

Now, the other issue that came up was a question of their authentication. Someone named Derek Newton, who is a security researcher, was poking around in Dropbox-like applications, and he just decided he would take a look and see what they left behind, what was left behind after they installed. What he found was that, specifically in the case of Dropbox, there is a single file called config.db, which is an SQLite database file, which contains the email address, the dropbox_path, that is, where the Dropbox folder is on your system, which is being synchronized to the Dropbox in the cloud, and the host_id. Any SQLite DB-compatible client is able to open this file and look at it.

And what he determined by experimentation is that the only thing that identifies you to Dropbox is the host_id. There is no other lockage of that file to a given system. And so what he posted - and again, I learned about this from people saying in Twitter, hey, Steve, what do you think about this? And this has been a constant flow for the last couple weeks. And I mentioned last week that I hadn't had a chance to dig into this, but I would, to look into it and verify it. So I did want to follow up for everyone who's been wondering.

So what this means is that, if you weren't protecting this file, or if anything got onto your system which was able to grab this file through social engineering attack or spyware or malware, whatever, if you lost control of that file such that it was in any way exfiltrated from your control, then that file can be installed on any other system. And that provides the sole authentication of you, the instance of you, to Dropbox such that, with no other information, no username, password, no logon, anything, that authenticates that new system. And there is - it doesn't appear as a new machine in the set of machines that you have authorized to use. It's merely a clone of that first one, which then has full access, unencrypted access, to your Dropbox contents. Which to me says these guys aren't really looking at security.

I mean, on one hand we know now that they can decrypt the contents of our Dropboxes. And this could clearly have been done in a way that was more secure. Even if you change, if the user changes his username and password, that doesn't invalidate the host_id. It still functions. And so if somebody had it, their connectivity survives across a user changing his username and password. So it's just they really could have easily done a much better job of hashing username and password into this, tying it in some fashion, for example, to the serial numbers of the hard drives on the system. I mean, just anything to make it more difficult than simply one file which you can put on any machine anywhere, and suddenly it's authenticated just as solidly as the system it came from.

The transcripts of the podcast episodes relating to the above can be found at http://www.grc.com/sn/sn-297.htm and http://www.grc.com/sn/sn-299.htm

You can read Derek Newton’s blog post on the authentication security issue at http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
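As an added illustration (my own example, not Dropbox’s code and not from Derek Newton’s post or the transcript), the Python below models the design the transcript describes and the kind of hardening it asks for: a stand-in config.db (the key/value table layout and the sample values are assumptions) that any SQLite client can read, a server that treats the bare host_id as the whole credential, and a server that instead checks an HMAC over a device fingerprint read live from the machine and retires tokens when the password changes.

```python
import hashlib
import hmac
import secrets
import sqlite3

def write_sample_config_db(path, host_id):
    # Stand-in for config.db (table layout assumed): a key/value table holding
    # the three fields the transcript names. The sample values are constructed.
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS config (key TEXT PRIMARY KEY, value TEXT)")
    con.executemany("INSERT OR REPLACE INTO config VALUES (?, ?)", [
        ("email", "user@example.com"), ("dropbox_path", "/home/user/Dropbox"),
        ("host_id", host_id)])
    con.commit()
    con.close()

def read_config_db(path):
    # Any SQLite-compatible client can open the file and read these rows.
    con = sqlite3.connect(path)
    rows = dict(con.execute("SELECT key, value FROM config"))
    con.close()
    return rows

class StaticTokenServer:
    # The design the transcript describes: the host_id alone is the credential,
    # so a copied config.db authenticates any machine and a password change retires nothing.
    def __init__(self):
        self.hosts = {}                       # host_id -> user
    def register(self, user):
        host_id = secrets.token_hex(16)
        self.hosts[host_id] = user
        return host_id
    def change_password(self, user):
        pass                                  # the old host_id keeps working
    def authenticate(self, host_id):
        return self.hosts.get(host_id)

class BoundTokenServer:
    # Hardened model: the client proves possession of a secret combined with a device
    # fingerprint read live from the hardware (never written to the file), and each
    # password change bumps a generation that retires old tokens.
    def __init__(self):
        self.hosts = {}                       # host_id -> (user, secret, fp, gen)
        self.pw_gen = {}                      # user -> current password generation
    def register(self, user, device_fp):
        host_id, secret = secrets.token_hex(16), secrets.token_bytes(32)
        self.hosts[host_id] = (user, secret, device_fp, self.pw_gen.setdefault(user, 0))
        return host_id, secret
    def change_password(self, user):
        self.pw_gen[user] = self.pw_gen.get(user, 0) + 1
    def authenticate(self, host_id, proof):
        user, secret, fp, gen = self.hosts.get(host_id, (None, b"", "", -1))
        if user is None or gen != self.pw_gen[user]:
            return None
        expected = hmac.new(secret, fp.encode(), hashlib.sha256).digest()
        return user if hmac.compare_digest(proof, expected) else None

def client_proof(secret, live_device_fp):
    # Computed on the client at run time from the live fingerprint, so the file alone is not enough.
    return hmac.new(secret, live_device_fp.encode(), hashlib.sha256).digest()
```

In the static model the same host_id authenticates after a password change and from any machine; in the bound model a proof made with a different fingerprint, or after a password change, is rejected.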
