After a week of blockbuster security revelations from Defcon, it's important to take a step back and address the ongoing battle by companies to seize a veto over who can reveal defects in their products.
It’s raining military secrets!
Earlier this week, it was revealed that a group of hackers got their meathooks on an operator manual for the United States military’s MQ-9 Reaper UAV. The manual was fair game: a U.S. Air Force captain had it stashed away on his under-protected home network—you know, as one does with sensitive documents that could fuck with national security. My guess is that the captain wasn’t aware of the case against military contractor Jared Sparks. The company Sparks was employed by was developing an underwater drone for the U.S. Navy. While he was drawing a paycheck from them, Sparks decided it’d be cool to upload scads of documents detailing trade secrets to his personal Dropbox account.
The Navy, Sparks’ former employers and the U.S. Department of Justice? They weren’t really comfortable with that. Today, the Department of Justice announced that a federal jury found Sparks guilty of multiple counts of theft and of uploading trade secrets, with each count carrying a penalty that could land Sparks in the clink for a decade.
Sparks used to work for LBI Inc., a Connecticut-based defense contractor that makes underwater drones for the U.S. Navy, as well as weather data-gathering buoys for the National Oceanic and Atmospheric Administration. While at that company, he collaborated with Charles River Analytics (CRA), a company that made software for the LBI drones. Sparks was eventually hired by CRA in January 2012, but before he switched jobs, he saved sensitive company and military information—including renderings and design photos of LBI drones and buoys—to the cloud-storage service Dropbox, according to the DOJ.
Dropbox has published a set of guidelines for how companies can "encourage, support, and celebrate independent open security research" -- and they're actually pretty great, a set of reasonable commitments to take bug reports seriously and interact respectfully with researchers.
Ars Technica's Jon Brodkin reviews the new BitTorrent Sync, a peer-to-peer Dropbox replacement that's now in public alpha testing. BTSync uses the BitTorrent protocol to keep the files on several computers synchronized, and the file transfers themselves are encrypted so that no one in the middle -- not BitTorrent Inc, not your ISP, and not a hacker -- can sniff them as they cross the Internet and invade your privacy. There's no central server holding your files for the police to seize or for hackers or backhoes to knock offline, either (peer discovery can still go through a tracker run by BitTorrent Inc, depending on the client's settings). One caveat worth keeping in mind: the folder's secret key is the only credential, so whoever has it -- because you chose a weak one, or because it leaked from a machine you synced -- has the folder. Brodkin's review is comprehensive and makes this sound like a hell of a product.
"Since Sync is based on P2P and doesn’t require a pit-stop in the cloud, you can transfer files at the maximum speed supported by your network," BitTorrent said. "BitTorrent Sync is specifically designed to handle large files, so you can sync original, high quality, uncompressed files."
In the pre-alpha testing that began in January, 20,000 users synced more than 200TB of data. BitTorrent Sync clients can be downloaded now for Windows, Macs, Linux desktops, and Linux-based network-attached storage devices. Mobile support will come later.
Setting the client up is easy. No account is required, but a randomly generated (or user-chosen) 21-byte key is needed to sync folders across computers. After installing the application and choosing a folder to sync, you'll be given a string of random letters and numbers that should be typed into a second computer to sync the folder...
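Because the folder key is the only thing standing between the world and your files, the part of the setup worth getting right is the key itself. The following is an added example, not code from Ars Technica or from BitTorrent Inc: it generates a random secret of the 21-byte length the excerpt quotes and rejects user-chosen secrets that are too short, too repetitive or too low-entropy to serve as a sole credential. The base32 text form, the 128-bit threshold and the rejection rules are this example's own assumptions, not a description of how BitTorrent Sync actually encodes or validates its keys.

```python
import base64
import math
import secrets
from collections import Counter

# Key length quoted in the Ars excerpt. The base32 text form and the policy
# thresholds below are this example's assumptions, not BitTorrent Sync's rules.
SECRET_BYTES = 21
MIN_SECRET_CHARS = 20
MIN_ENTROPY_BITS = 128


def generate_secret(nbytes: int = SECRET_BYTES) -> str:
    """Return a CSPRNG-generated secret as unpadded base32 (A-Z, 2-7).

    base32 is chosen because it survives being typed by hand into a second
    machine, which is exactly how the Sync setup flow uses the key.
    """
    raw = secrets.token_bytes(nbytes)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def estimate_entropy_bits(secret: str) -> float:
    """Crude upper bound: length * log2(size of the character classes present).

    This overestimates dictionary words and phrases, so it is only good for
    rejecting obviously weak input, never for proving a secret is strong.
    """
    classes = 0
    if any(c.islower() for c in secret):
        classes += 26
    if any(c.isupper() for c in secret):
        classes += 26
    if any(c.isdigit() for c in secret):
        classes += 10
    if any(not c.isalnum() for c in secret):
        classes += 33  # printable ASCII punctuation and space
    if classes == 0:
        return 0.0
    return len(secret) * math.log2(classes)


def is_acceptable_secret(secret: str) -> bool:
    """Reject user-chosen secrets that would be guessable as a sole credential."""
    if len(secret) < MIN_SECRET_CHARS:
        return False
    # A long secret built from a few repeated characters is still guessable.
    _, most_common_count = Counter(secret).most_common(1)[0]
    if most_common_count > len(secret) // 3:
        return False
    return estimate_entropy_bits(secret) >= MIN_ENTROPY_BITS


if __name__ == "__main__":
    key = generate_secret()
    print("generated:", key, "acceptable:", is_acceptable_secret(key))
    for weak in ("myfolder123", "dropboxreplacement20", "a" * 32):
        print(repr(weak), "acceptable:", is_acceptable_secret(weak))
```

The middle test value, a 20-character lowercase phrase, is the case the length check alone would miss: it is long enough to pass a naive rule but carries roughly 100 bits by the crude estimate, far less than a random key of the same length, so it is rejected.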
A couple weeks ago, a few hundred Dropbox users noticed they were receiving loads of spam about online casinos and gambling websites, at email addresses those users had set up only for Dropbox-related actions. The online file storage service now admits that hackers snagged usernames and passwords from third party sites, and used this data to break into those Dropbox users' accounts. Dara Kerr, reporting for CNET:
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post today. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."
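What Dropbox describes is credential stuffing: passwords leaked from other sites replayed against Dropbox accounts, succeeding wherever the user reused them. Its signature in an authentication log is one source trying many different accounts with a high failure rate, which is distinguishable from brute force or a fumbled login, where many attempts hit a single account. The following is an added example, not Dropbox's code or logs: a detector run over a constructed sample log, whose line format, field names and thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log for this example; not real Dropbox data.
# 203.0.113.7 sprays one leaked password list across six accounts and lands two;
# 198.51.100.4 is a single user fumbling their own password before getting in.
SAMPLE_LOG = """\
2012-07-17T10:01:03Z ip=203.0.113.7 user=alice@example.com result=fail
2012-07-17T10:01:04Z ip=203.0.113.7 user=bob@example.com result=fail
2012-07-17T10:01:05Z ip=203.0.113.7 user=carol@example.com result=success
2012-07-17T10:01:06Z ip=203.0.113.7 user=dave@example.com result=fail
2012-07-17T10:01:07Z ip=203.0.113.7 user=erin@example.com result=fail
2012-07-17T10:01:08Z ip=203.0.113.7 user=frank@example.com result=success
2012-07-17T10:02:00Z ip=198.51.100.4 user=alice@example.com result=fail
2012-07-17T10:02:30Z ip=198.51.100.4 user=alice@example.com result=fail
2012-07-17T10:03:00Z ip=198.51.100.4 user=alice@example.com result=success
this line is garbage and must be skipped
"""

# Assumed log format: "<timestamp> ip=<addr> user=<account> result=success|fail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_auth_log(text):
    """Yield (ip, user, result) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def find_credential_stuffing(text, min_distinct_users=5, min_failure_ratio=0.5):
    """Return {ip: accounts that succeeded} for sources matching the stuffing pattern.

    A source is flagged when it has touched at least min_distinct_users
    different accounts and most of its attempts failed; each leaked password
    only works where the victim reused it, so failures dominate.  The
    successful accounts are the ones to force a reset on.  Thresholds are
    assumed starting points, not tuned values.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ip, user, result in parse_auth_log(text):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "fail":
            stats["fails"] += 1
        else:
            stats["hits"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        if len(stats["users"]) < min_distinct_users:
            continue  # one account hammered repeatedly is brute force, not stuffing
        if stats["fails"] / stats["attempts"] < min_failure_ratio:
            continue  # mostly-successful logins from a shared NAT are normal traffic
        flagged[ip] = set(stats["hits"])
    return flagged


if __name__ == "__main__":
    for ip, compromised in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; reset {sorted(compromised)}")
```

In practice the distinct-account count should be windowed by time and the source key widened beyond a single IP (stuffing tools rotate through proxies), but the two-part test, many accounts plus a high failure ratio, is what separates this traffic from a user who simply forgot a password.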
Dropbox just made it so that you can get up to 16GB of storage by referring new users to the awesome, life-changing, free-of-charge cloud service. Noobs get the same bonus for being referred, too. Let's get this pyramid scheme rolling, people. Update: I'm maxed out. Scroll down to the comments and give your fellow readers some.