Dropbox and other hosted storage / "cloud storage"

ortac wrote:

Combined with this there is the strange paradox that people seem obsessed with online security and privacy and yet they don’t hesitate, for example, to post photos of their kids on social media, or continually “check in” and declare their location to the world.

And somehow it makes ginormous headlines how you iPhone must not be hackable at all, not even by government through due judicial process, no, no, no. It’s all a bit hypocritical.

Anyway, I still think that there is a good reason to stop supporting a WinXP dropbox app, if Microsoft themselves ended support for the platform so “long” ago. At some point we need to look forward, not backwards. 15 years of looking backwards is a VERY VERY long time in IT…..

Peter wrote:

How exactly would you penetrate NAT inbound without conning the user to open a channel for you?

If you have an old non-updated operating system, with old vulnerable libraries, there are quite a few vulnerabilities kicking around that requires no explicit act by the user. Things like merely previewing an email may be enough.

The “drive by browser exploit” for instance, can be embedded on a legitimate website which itself has been hacked. Or it can come in some advertising, or embedded in an email, merely viewing the malicious web page or email is enough – the user doesn’t have to confirm anything for this class of exploit and may never know. Windows XP has had some particularly egregious exploits over the years that were vulnerable to this style of attack. Once they are in your network all bets are off. Most NAT routers will have things like uPnP enabled by default, so the now exploited client machine can then open the network wide open to the attacker to add to their botnet. Even without uPnP, they can open an outbound connection. Very few home networks implement egress filtering – they just let everything out. And there’s your channel.

Now XP is no longer getting updates, and modern browsers are one by one dropping support for XP (Chrome drops XP support this month for example) – eventually the only browsers you’ll have for XP will be old vulnerable ones. Microsoft stopped updating XP two years ago.

Windows wasn’t targeted because people hate Bill Gates or Microsoft, Windows has been the prime target because:

• very high market share – why try to build a botnet of Mac users when they are only 3% of desktop systems, where you can make a botnet bigger than the entire Mac installed base by exploiting only 1/10th of the Windows user base?
• lots of naive users
• lots of machines on unsecured networks
• software philosophy for Windows well into the XP days has been “single user, single tasking” with much software not running properly unless run as administrator (not Microsoft’s fault, software vendors fault), whereas with other operating systems the assumption has always been that an unprivileged user would be running software.
• lots of easy exploits, especially in the early days of XP with all the services turned on, many unauthenticated, many full of programming errors – unchecked buffers etc.
• no OS level mitigation of exploits until Windows Vista (the various OS level things to prevent buffer overflows from turning into an exploit – such as guard pages, address space allocation randomization etc).
• flaws in the x86 architecture – unlike other CPU architectures, x86 didn’t get things like non-executable memory pages until quite late on, probably thanks to the single-user, single-tasking heritage of the architecture – this again facilitated turning programming errors like buffer overflows into actual exploits as executable code could be written into a data page and executed. These flaws will still be available on 32-bit XP.

Peter wrote:

All of those are “trick the user to open an inbound channel” exploits.

No. Tricking a user to open an inbound channel is doing something like “Click on this link for XYZ!” or other social engineering to get a user to click on an exploit. “Drive by” browser exploits don’t require a user to be tricked.

What I’m describing are the ones where a site – possibly a legitimate trusted site the user visits every day – has been compromised, or its advertising partner has been compromised – and the user unwittingly picks up an exploit without having to actively click on a suspicious link or be tricked to click on something via social engineering, in other words just being in the wrong place at the wrong time going about their daily business – hence “drive by” – kind of comparing an innocent bystander getting shot in a drive by shooting. Modern browsers have defences against this kind of thing, but old browsers (“old” in this context means even something as recent as released a year ago) may not have quite as much defence against this kind of thing. No tricking going on.

That’s before we get into the vulnerabilities present on many consumer grade routers, but that’s out of scope when discussing the things that can get ancient, vulnerable, but still somewhat popular operating system choices.

Peter wrote:

Bill Gates is just not a popular character

Can you back up this statement with data or evidence?

Peter wrote:

you will be absolutely delighted to know that I am gradually moving to Onedrive

Not really. There is no money to make in storage (it’s commodity since trivial). Best would be to use dropbox for file storage, have them absorb the file hosting cost, and use Office 365, where the profit margins are high (because its not commodity since extremely complex). That would delight me :-)