Most active commenters
  • Sir_Cmpwn(4)
  • newman8r(3)

←back to thread

How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 24 comments | 09 Sep 16 15:52 UTC | HN request time: 0s | source | bottom
Show context
Sir_Cmpwn ◴[09 Sep 16 16:27 UTC] No.12463720[source]
Great article, but poor conclusion. He finds that Dropbox is untrustworthy, a finding that likely surprises no one, and reaches for iCloud as the solution. Why move into another walled garden driven by corporate interests? OwnCloud or a similar self hosted solution would be better. I just use NFS and a dead simple storage server to make ~/shared available on all of my machines.
replies(5): >>12463782 #>>12463790 #>>12463798 #>>12464361 #>>12467783 #
1. woah ◴[09 Sep 16 16:36 UTC] No.12463798[source]
If you're going to use a Mac, you're trusting Apple already. How does using iCloud make you trust them more?
replies(2): >>12463841 #>>12464156 #
2. Sir_Cmpwn ◴[09 Sep 16 16:41 UTC] No.12463841[source]
I wouldn't use a Mac, either :)
replies(1): >>12463908 #
3. Myrth ◴[09 Sep 16 16:47 UTC] No.12463908[source]
And if you're using Ubuntu, you're trusting package managers, and if you're using Gentoo, you're trusting original developers (how often do you audit source code?)
replies(3): >>12463958 #>>12463985 #>>12465868 #
4. Sir_Cmpwn ◴[09 Sep 16 16:51 UTC] No.12463958{3}[source]
>And if you're using Ubuntu, you're trusting package managers, and if you're using Gentoo, you're trusting original developers

This is correct. Consider, however, the motivations of the people involved. Apple's motivations are to make money from you. Debian's motiviations (intentionally avoiding Ubuntu here) are to make a good user-centric system. Packages are signed by named individuals that I can personally get to know and trust, and with an accessible process - I can download their package sources and build or verify or tweak them the same way that the maintainer can, report bugs and ask questions directly to them, etc. I trust this model much more than I trust the model of a company who, at the end of the day, has a bottom line and will make compromises to ensure it remains where they need it.

Apple is very well known for using proprietary formats, adapters, you name it. Apple's cloud is also write-only, they intentionally make it difficult for you to pull data out of it and interop with other services. These decisions serve the company's interests, not yours.

>how often do you audit source code?

You would be surprised!

replies(3): >>12464172 #>>12464837 #>>12477911 #
5. new299 ◴[09 Sep 16 16:54 UTC] No.12463985{3}[source]
It's interesting because at some level, particularly with closed source products trusting the company developing the product is important. Apple have made some effort to stand up for the privacy of their users. Dropbox on the other hand have board members who support and have authorized warrantless wiretaps:

http://www.drop-dropbox.com/

replies(2): >>12464209 #>>12467800 #
6. Dylan16807 ◴[09 Sep 16 17:12 UTC] No.12464156[source]
Because Apple doesn't have a mechanism to access files on your Mac, while they do have a mechanism to access files on iCloud. This means someone guessing your security questions, or somebody with a warrant, or somebody abusing their access rights can get to your files.
replies(1): >>12464263 #
7. Jerry2 ◴[09 Sep 16 17:14 UTC] No.12464172{4}[source]
Who do you think employs vast majority of Linux developers? Who do you think writes they paychecks? Ever looked into who the biggest Red Hat customer is? Hint, it's the DoD.
replies(1): >>12464858 #
8. Dylan16807 ◴[09 Sep 16 17:18 UTC] No.12464209{4}[source]
> board members

Plural? Who else?

There's a difference between bringing in a single famous person and the rest of the board agreeing with them on certain issues.

9. Xylakant ◴[09 Sep 16 17:23 UTC] No.12464263[source]
They do provide the OS, so they implicitly have access to all your files at a level that dropbox would have a hard time achieving.
replies(1): >>12464778 #
10. zymhan ◴[09 Sep 16 18:22 UTC] No.12464778{3}[source]
> so they implicitly have access to all your files

If you can demonstrate how Apple has access to my files on an OS X installation with no iCloud configured, I will round up a massive bounty.

replies(2): >>12465423 #>>12468340 #
11. elmigranto ◴[09 Sep 16 18:28 UTC] No.12464837{4}[source]
>>how often do you audit source code?

>You would be surprised!

It doesn't really matter if you do. OpenSSL is one example showing there are critical mistakes of grand level everywhere, same as there might be cleverly hidden backdoor in that multi-100k source tree (or any of the myriad of dependencies) you "audited".

replies(1): >>12465259 #
12. aioprisan ◴[09 Sep 16 18:31 UTC] No.12464858{5}[source]
Source?
13. riboflava ◴[09 Sep 16 19:16 UTC] No.12465259{5}[source]
It's still a lot better than not having the source. There are tons of other benefits too. The one downside is CPU cost to compile everything yourself.
14. Xylakant ◴[09 Sep 16 19:36 UTC] No.12465423{4}[source]
Open your finder. Every file that you see has just been touched by apples code.

Your OS does have access to all files that you have on your computer. It manages all network connections. It exposes all information that tools such as little snitch display to you. Apple signs and provides all software updates to you. They control SPI and app sandboxing. I'm not saying that Apple does access your files. I do trust them not to since they've shown that they at least attempt to step up and defend themselves and their users. Still, they could if they wanted to.

replies(3): >>12466791 #>>12467492 #>>12467794 #
15. kinkdr ◴[09 Sep 16 20:37 UTC] No.12465868{3}[source]
That's exactly right and what people complain about. That Dropbox betrayed the trust they(users) were giving to them(Dropbox).

I don't necessarily agree with them, but that's the sentiment here.

Edit: by the way, regarding open source projects, it doesn't matter if you don't look at the code personally. Somebody else does, and if there is problem with it, it becomes a huge public scandal sooner or later.

16. randomsofr ◴[09 Sep 16 23:36 UTC] No.12466791{5}[source]
burn.
17. olalonde ◴[10 Sep 16 03:12 UTC] No.12467492{5}[source]
You can melt your MacBook in the oven but not your iCloud account. You're comparing apples to oranges (pun intended).
18. newman8r ◴[10 Sep 16 05:05 UTC] No.12467794{5}[source]
lil snitch is one of the best tools out there, and it's what inspired me to never use apple software again... so I did the right thing and gave my lil snitch registration code to a friend.

I'm still looking for a linux alternative to lil snitch that is just as robust and intuitive - but I'm stuck using a few different things to achieve the same effect. Anyone have a recommendation with a slick GUI (for some reason I really like a GUI for firewall management)

replies(1): >>12467814 #
19. newman8r ◴[10 Sep 16 05:09 UTC] No.12467800{4}[source]
I personally think their privacy stance was mostly to protect their own interests rather than any concern for the common man, but they were able to spin it really well and get great publicity as usual. It hurts me to say this as an owner of 2 MBPs and a mac pro which I love, but Apple is not on our side and it's painfully obvious.
20. newman8r ◴[10 Sep 16 05:18 UTC] No.12467814{6}[source]
I really like EtherApe btw for visualization - would love recommendations for similar tools
21. rarepostinlurkr ◴[10 Sep 16 08:48 UTC] No.12468340{4}[source]
What he meant to say was "code can do anything! waves hands"
22. thingexplainer ◴[12 Sep 16 07:55 UTC] No.12477911{4}[source]
>> how often do you audit source code?

> You would be surprised!

How often do you audit OwnCloud's source code? (I'd describe it as "naive.")

replies(1): >>12477927 #
23. Sir_Cmpwn ◴[12 Sep 16 08:00 UTC] No.12477927{5}[source]
I actually don't use OwnCloud, so never.
replies(1): >>12554081 #
24. thingexplainer ◴[22 Sep 16 03:19 UTC] No.12554081{6}[source]
Something to consider when you're comparing products based on "trustworthiness."