I'm thankful there are so many folks out there still doing this sort of thing for "fun" or pure mischievousness. Imagine how much worse it could be if they tried to be as stealthy as possible, got people downloading a hijacked Dropbox service, etc.
Edit: which isn't to say this sort of thing is awesome, but it's a damn sight better than the alternative. These sorts of pranksters are like cowpox, and hopefully they encourage resistance to the real deal.
Every time a serious hack-and-reveal happens, I wonder how many times it's _already_ happened, by someone who kept it quiet for their own continued use.
I'm reminded of the Gawker attack. So much information was revealed to the attackers unwittingly and they had no clue they were hacked; it could have been so much worse, bank accounts could have been drained, sites could have been used to host exploits or malware, etc.
It's a ridiculous claim.... they want more publicity. Dropbox has done nothing to warrant this attack for 'activism'. Let's hope they don't leak sensitive information if Dropbox reaches out to them and fixes the issue - that would especially be something Aaron wouldn't do.
Yeah, I saw the article on TheNextWeb after posting my comment, but I figured I'd leave it up. Either way, I'm happy to hear that Dropbox wasn't compromised.
Haha, seriously? Did you really have to use a "citation" for a twitter link in your 10 word comment?[0] Pretentious pseudo-scientific nonsense. Only on hacker news.
For what it's worth, I write most things in Markdown and I use reference style links[0] by default. So, I tend to do that in comments on Hacker News, but I omit the brackets which would go around the link "value," (i.e. the inner value of the a tag in HTML). Plus, by listing the links under the comment, I find that it's neater and easier to read. And by simply including the links (even if it's just for "a twitter link" in my "10 word comment") it saves other people time because they don't need to search for it themselves.
"We are aware that the Dropbox site is currently down. This was caused during routine internal maintenance, and was not caused by external factors. We are working to fix this as soon as possible. We apologize for the inconvenience."
Pathetic people spreading false news. We should shame them publicly. Anyone putting up false news is as guilty as, as shameful as, as fucked up as, as stupid as anyone sabotaging security on purpose secretly. We have enough stupid political propaganda full of false statements in the news these days and we don't need more in our tech community on Twitter. What are they? 12 years old? Right, they say "don't feed the trolls."
For everyone linking to a certain Twitter account saying that Dropbox is compromised:
The Twitter account is lying. This is almost always the case (especially when there is some sort of Anonymous affiliation). Anyone can make a Pastebin of fake emails.
(If Dropbox actually gets hacked, it's more likely to be by a state-sponsored organization, and definitely not by someone who is going to brag about it on Twitter)
I'm totally with you. This is such a critical point, probably not attracting enough people's attention yet.
In order to achieve real robustness with high availability, clustering is not enough. Distributed computing architecture is the next hot topic we are going to bring up.
I haven't seen any proof from the hackers. The emails in the Pastebin from @1775Sec are old. They are in this Pastebin from a month ago: http://pastebin.com/64PAAV1c
I find it humorous how you are more likely to trust the word of some blackhat organization over that of an established company with a reputation that it needs to uphold. Lying would hurt it eventually. Also, the hackers admitted that they only DDOS'ed the website and made up the bit about the database leak. https://twitter.com/1775Sec/status/421852503848656898
They're saying it's an issue that "arose during routine maintenance", so that doesn't preclude the possibility they had inadvertently exposed a security vulnerability by doing that, leading to it then being exploited.
Probably. But due to how huge they are now, I don't blame them for trying to pass this off as a routine maint thing. Shit's either going to blow up or will be OK.
> We are aware of an issue currently affecting the Dropbox site. We have identified the cause, which was the result of an issue that arose during routine internal maintenance, and are working to fix this as soon as possible. We apologize for any inconvenience.
Comments are now, of course, closed. Whew, that's reassuring!
Clearly they have seen the twitter account claiming responsibility as well. It's been changed a little.
> We are aware that the Dropbox site is currently down. This was caused during routine internal maintenance, and was not caused by external factors. We are working to fix this as soon as possible. We apologize for the inconvenience.
I almost feel sorry for the PR automata having to produce this BS on a Friday night. Compared to Target's multi-billion-dollar gift to credit card thieves, this is nothing.
Is this the latest website or cached somewhere? Looks different though. I don't quite believe that DNS would be hacked.
I was thinking that they should quickly point the DNS to a different front end server to avoid this type of unavailability. Guess they are doing their job.
If indeed the twitter spewings are correct and they've gained access to the database, I suppose now is the time to see how Dropbox secures passwords and user details.
Just as a random update, I've been monitoring this thread & Twitter etc. since the beginning and it appears that Dropbox is sort of working now, just on extreme delay. I have auto upload on my phone and it took about 14 minutes for the picture I took to get synchronized with my desktop (normally it's almost instant).
Yeah, this is terribly easy to fake. Also, if you look closely, they repeat a lot of the same e-mail addresses with different "real" names attached to them. e.g., flyman@gmail.com and kidrock@msn.com (which appear right next to each other...)
I noticed it too. But it does not quite make sense, because nobody likes to sign up twice using a different email address immediately, even if they don't remember their password. This reminds me that the exposed data might be fake too.
This is stupid. Leaking the database will compromise users, which may hurt the company a bit, but will hurt the common person more. It's a pointless hack that won't accomplish much more than just reporting the bug would.
We've heard that several large Internet companies were angered that their networks were tapped by the NSA for surveillance, and subsequently put a lot of effort into securing them with encryption. While it seems unlikely, it's conceivable that this has something to do with a response to surveillance, such as problems encountered while implementing encryption.
It's unbelievable to realize that Yahoo or Google never experienced such an accident. This is not the time for maintenance. Failover is the key, production should have hardware load balancing to switch to, right? Actually the front end should not be affected by the backend, unless the entire website is compromised.
The hackers are also threatening a database leak: https://twitter.com/1775Sec/status/421822727331131392
EDIT: Dropbox's statement is that it's maintenance issues: https://tech.dropbox.com/2014/01/dropbox-status-update/
EDIT2: There is a high probability that the Twitter account is faking the hack, due to the "proof" of the hack being taken from an old dump.
EDIT3: The account admits they did not hack Dropbox, just DDOSed it. https://twitter.com/1775Sec/status/421848589480910848