Or maybe not. Your speculation is as good as mine. Or the op. Or everyone else. The point was Dropbox is accessing files outside the folder, something I would not want or expect.
"It is incredibly hard for me to believe that Dropbox has sneakily transferred >1TB"
Did they transfer hashes? name+type+size for fingerprinting? Searching for credit numbers or SSNs? Who knows. I don't. And don't do evil is no longer the basic assumption.
I would be very interested in seeing if Dropbox does the same thing the author claims, but on non-Windows OSes. There are official Dropbox packages for OS X, Debian-based Linux distros, Fedora/Redhat and derivatives, and a source release for packaging the binary for other OSes. If the same or similar activity is seen on other OSes, something's afoot. If the issue only shows up on Windows, it's likely a Windows-only issue or quirk (but could still be nefarious and only targeting Windows users, though personally I'm not that paranoid).
Would this really work? I would expect the SSL certificate of Dropbox's servers to be hardcoded in the client, so the client would refuse to connect to an interceptor.
The Dropbox client is running with normal user privileges on a computer that you have root access to. It should be possible to use reverse engineering/debugging tools to either bypass SSL checks or analyze the Dropbox client binary to see what is being sent/received.
Sure, I'm just saying it would be less straightforward than mitmproxy. I wonder if there are tools to hook into whatever SSL library is being used (OpenSSL?) and intercept traffic before it gets encrypted and after it gets decrypted? (probably using LD_PRELOAD, like tsocks)
They could look for bitcoin wallet files, that's what typical malware does nowadays. It could theoretically take only the infection of one computer to strike it rich.
That would be a solid line of thought if this would be some shady adware from some unknown company. But Dropbox is valued more than $10B, that's more than twice the market cap of all Bitcoin. Even if everyone at Dropbox went criminally insane, there would be no way for them to recover even a reasonable fraction of it in BTC markets. Not to mention it would completely kill their reputation and thus the highly-valued business.
Lenovo is a $16B company, and we learned they're breaking SSL and man-in-the-middle attacking all their customers. I think we should be careful in not assuming "big, rich company" means "sensible, responsible company"
Also, theoretically, it could be a single (or a few) developers going rogue, rather than an approved company policy. It wouldn't be the first time.[0]
Collecting "metadata" such as Address X stored on Computer Y on IP address Z could be worth quite a lot to the likes of the NSA, who I am sure have plenty of incentive to monitor crypto-currencies and would either pay Dropbox to do it or alternatively bang them over the head with a hammer and make them their bitches in order to collect all sorts of juicy "metadata" on millions of people worldwide.
Hell, access to so much information could make for quite a political tool. Remember that general in Washington who was kicked out because he was having an affair and somehow his private communications via Gmail drafts became public? What would prevent an opportunistic dictator from gaining absolute control over the political landscape of a country if this dictator has access/control to an organization such as the NSA?
Americans get up in arms over their right to be armed all the time, but they ignore (or do not realize?) that without privacy and secure communications they would never be able to organize a resistance to a totalitarian government which is better armed and could potentially (already does?) monitor everything and everyone on a scale that would make Orwell blush and spin in his grave.
All of the bitcoins, including every lost bitcoin, have a market cap of $3.8 billion combined, a valuation set based on worldwide trading volume of only $40m over 24h.
Dropbox has already closed hundreds of millions of venture capital money at a valuation of $10 billion. I think it's safe to say Dropbox has found some wallets that are much easier to open than bitcoin wallet files. :)
"It is incredibly hard for me to believe that Dropbox has sneakily transferred >1TB"
Did they transfer hashes? name+type+size for fingerprinting? Searching for credit numbers or SSNs? Who knows. I don't. And don't do evil is no longer the basic assumption.