Dropbox popped

Michael Butash michael at butash.net
Tue Jul 31 21:38:26 MST 2012


On 07/31/2012 09:17 PM, Mike Bydalek wrote:
> When people (*especially* internal
> Dropbox employees), start putting unencrypted NPI data out there, that
> falls in the whole, "You're doing it wrong!" bucket.
>
Hear, hear.  I would say most businesses fall into this in some way; 
however, that is the reality.  User security is like cat herding.

> I agree with everything in your post except I'm not so sure about the
> "no pii data should live outside a firewall."  While generally (for
> network accessed data), yes, the reality is that it is not always
> practical.
>
Indeed, well, I meant more what is stored by the organization receiving 
your data: provide some pretense of security within their application to 
maintain under layered security.  We do transmit, and trust via SSL/TLS, 
for this otherwise, which is somewhat flawed in the fact that most systems 
will still downgrade to weak crypto or backward compatibility to keep 
vermin like IE6 compat alive.  Or the PKI registrars sell an 
intermediary to the gov to MITM your sessions anyway.  :)

The fact that a list of emails, of users, was stored in a "project document" 
(ahem, spreadsheet) is telling of just what else occurs there as a 
general corporate posture.  Only with all your personal data too, as raw 
files.

So yeah, how was that "personal cloud" project going by the person that 
mentioned it before?

> -Mike


More information about the PLUG-discuss mailing list