And the moral of this story is: keep your CC#s, password lists, etc. in a password-protected spreadsheet on an encrypted thumb drive, physically hidden, with a spare in the safe deposit box.  And don't back up your collection of Japanese tentacle porn to the cloud.

________________________________
From: Mike Bydalek
To: michael@butash.net; Main PLUG discussion list
Sent: Tuesday, July 31, 2012 8:48 PM
Subject: Re: Dropbox popped

Just some random thoughts to expound on Michael's ...

I get what you're saying, but I think limiting it to cloud storage isn't enough (or fair).  Having *any* NPI (non-public information) stored in any means *other* than being encrypted is just asking for trouble - Dropbox or at home.  You can have all your sensitive data on your computer at home until you get robbed and now someone has all your CC#s, bank login info, etc. (or you lose your laptop).  I pretty much live by the rule of thumb saying, "Anyone can get access to this data. How can I prevent them from using it?"

To get back to Dropbox, the employee in question had a file of e-mail addresses.  Their account password was probably weak and someone guessed it.  This situation can happen under *any* web-based system that isn't using two-factor authentication (Gmail.com? Mint.com? etc.).  That's why when websites have really stupid password policies (i.e. no more than 8 characters, no special characters, etc.) or don't have a system which locks the account after X failed attempts, audits successful logins, etc., I have a really hard time believing they are taking security seriously.

-Mike

On Tue, Jul 31, 2012 at 7:59 PM, Michael Butash wrote:
> http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
>
> So yeah, about not trusting cloud storage services...
>
> "At any rate, users may want to think about examining more secure
> alternatives, encrypting their files, or simply not storing ultra-sensitive
> information in Dropbox."
>
> An employee account was exploited for this, probably a password gotten via
> some other exploited site, or cracked (weak pw policy).  Sad that
> proprietary/confidential data, let alone PII, was even publicly accessible
> by any means.  Why I'll keep mine on my RFC 1918 IP LAN, thanks.
>
> -mb
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
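Mike's checklist above (a password policy with a floor rather than a cap, lockout after X failed attempts, and an audit record of successful logins as well as failures) as an added example in Python. This is constructed for this page; it is not code from the thread, from Dropbox, or from any of the posters. The thresholds, the PBKDF2 iteration count, the common-password list and the sample accounts are assumptions chosen for illustration.

```python
"""Added example: password policy check, salted password hashing, and a
failed-login lockout with an audit trail.  Constructed for this thread; the
thresholds, sample users and password list are assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MIN_LENGTH = 12              # a floor only: no "no more than 8 characters" ceiling
MAX_FAILURES = 5             # failures inside FAILURE_WINDOW that trigger a lockout
FAILURE_WINDOW = 900         # seconds
LOCKOUT_SECONDS = 900
PBKDF2_ITERATIONS = 100_000  # kept low so the example runs quickly; raise in production
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dropbox"}  # constructed sample


def check_policy(username, password):
    """Return a list of policy violations (empty means acceptable).
    Deliberately absent: a length cap and a ban on special characters."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns the record to store instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return (salt, PBKDF2_ITERATIONS, digest)


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Verified against for unknown usernames so that response time does not
# reveal which usernames exist.
_DUMMY_RECORD = hash_password("unused-dummy-password")


class LoginGuard:
    """Counts failures per account, locks the account after MAX_FAILURES within
    FAILURE_WINDOW, and records every attempt (successes included) in self.audit."""

    def __init__(self, users, clock=time.time):
        self._users = users          # {username: password record}
        self._clock = clock          # injectable so lockout expiry can be exercised
        self._failures = defaultdict(deque)
        self._locked_until = {}
        self.audit = []              # (timestamp, event, username, source)

    def _record(self, now, event, user, source):
        self.audit.append((now, event, user, source))

    def attempt(self, user, password, source):
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            self._record(now, "LOCKED", user, source)
            return "locked"
        # Always run the hash so known and unknown usernames cost the same time.
        record = self._users.get(user, _DUMMY_RECORD)
        ok = verify_password(password, record) and user in self._users
        if ok:
            self._failures.pop(user, None)
            self._record(now, "SUCCESS", user, source)
            return "ok"
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()             # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()
            self._record(now, "LOCKOUT", user, source)
            return "locked"
        self._record(now, "FAILURE", user, source)
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through: one good login, a guessing run, then the lockout.
    users = {"alice": hash_password("correct horse battery staple")}
    guard = LoginGuard(users)
    print(guard.attempt("alice", "correct horse battery staple", "203.0.113.5"))
    for guess in ("password", "dropbox", "alice2012", "letmein", "qwerty"):
        print(guess, "->", guard.attempt("alice", guess, "203.0.113.5"))
    for entry in guard.audit:
        print(entry)
```

The audit list is the part most sites skip: a successful login from a new source after a run of failures is exactly the signal you would want to alert on, and it is only visible if successes are logged alongside failures.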