Monday 14 June 2010

Why paywalls make free news better

Almost a year ago Rupert Murdoch started talking about how News Limited would start charging for news content online. It's interesting that he started doing this not in a time of record profits for News Limited, but at a time when they were suffering record losses. This is the first hint that his idea may not be a good strategy, i.e. that it didn't come out of some noble concept of how to make news better, but rather out of desperation to turn a buck.

But the trouble with Murdoch's idea of paid news is that in simply setting up your business model, you help your competitors.

You see, at the moment, there are lots of free news services - and they're all competing for advertising dollars, which comes from eyeballs on websites. If Murdoch puts his quality content behind a paywall then that means more eyeballs for his competitors, who will then be able to offer better quality news.

Traditional media is struggling to turn a dollar in the online world, yet strangely enough new media companies seem to be quite comfortable with their online ventures - maybe the problem is not with the ability to turn a dollar in online news, but simply the expectations and preconceptions from old media moguls as to how online works.

Wednesday 9 June 2010

Dropbox Security Problem - Data Leakage

Dropbox has an issue with the way it handles link sharing that could potentially lead to data leakage.

The problem is fourfold:
  • Files outside of the Public folder can be shared
  • Shared files leak data about the file structure
  • Deleting and replacing the shared file with another allows the new file to be leaked
  • Shared files can’t be revoked

This security problem is demonstrated below.

First of all I start by creating a folder called ‘PrivateFiles’ in the ‘My Dropbox’ folder. I’m going to use this to store my most private of data.

Inside that folder I’ll store ‘MyPrivateFile.txt’:
As you can see, it has some very personal data in it:

I’ve got to use my iPad for the next step, because the PC and Mac clients won’t let me share a file from anywhere other than the Public folder. (I’m not sure whether allowing sharing from outside the Public folder on the iPad is an oversight or not. Regardless, this is the first security concern: the iPad client shares files from outside the Public folder when the other clients won’t let you.)

So when I look at my iPad I see the PrivateFiles folder:


And inside that I can see MyPrivateFile.txt, including the correct contents of that file:

Next, I’ll share the file by emailing a link of it:

The link that is sent is actually a short link – in this case http://db.tt/GdBSei, which redirects to http://dl.dropbox.com/0/view/1xldjhg9mbrt95s/PrivateFiles/MyPrivateFile.txt

This demonstrates the next data leakage problem: the path ‘PrivateFiles’ is visible in the link. I didn’t choose to share this; I only chose to share the file. This path may not be something you wish to reveal.

The major problem happens for me after I create a new file in the same directory, in this case ‘AnotherFile.txt’…


Then delete the original file…

And now rename the second file to have the same name as the original.

Note that copying a replacement file into the directory will also work; all that matters is that there is a file there with the same name as the original. Now when I open the file using the link I was emailed before, I get:

I get the replacement file!! Is that what anyone expects to happen? I guess I did share a link to the file, not a copy of the file, but it still doesn’t feel right – it’s not the original file!!

What makes this problem worse is that Dropbox won’t allow me to revoke shared links. That means that I’ve now published a permanent copy of whatever file ends up sitting in that folder with that name. What if it is something like resume.doc where I don’t want people to see me editing the file? Or what if it is temp.zip? Whatever it is – it is now permanently out there, permanently shared for anyone to access – no Dropbox account required to access it!

Anyone want to try running through filename combinations for that db.tt domain? You don’t need to have had it shared with you as no authentication is required, you just need to hit the right URL!
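To make the failure mode above concrete from a design point of view, here is a small added model (my own illustration, not Dropbox's code or anything from the post) of two share-link designs. Store, PathBoundLinks, ContentBoundLinks and replay_scenario are hypothetical names, and the file contents are constructed sample data. The path-bound design is a link that is just a handle on a path: it serves whatever file later occupies that path and has no revoke operation, which is exactly the behaviour described above. The content-bound design issues a long random token that carries no path component, pins the link to the SHA-256 of the content at share time, and can be revoked; once the file at that path is replaced, the old link stops serving.

```python
"""Toy model of two share-link designs (added illustration, not Dropbox's code):
a path-bound link that resolves to whatever currently sits at a path, and a
content-bound, revocable link that stops serving once the file changes."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    """Minimal in-memory stand-in for a sync folder: path -> bytes."""
    files: dict = field(default_factory=dict)

    def write(self, path, data):
        self.files[path] = data

    def delete(self, path):
        self.files.pop(path, None)

    def read(self, path):
        return self.files.get(path)


class PathBoundLinks:
    """Weak design: the token is only a handle on a path. The link keeps
    serving whatever file later occupies that path, and cannot be revoked."""
    def __init__(self, store):
        self.store = store
        self.links = {}  # token -> path

    def share(self, path):
        token = secrets.token_urlsafe(16)
        self.links[token] = path
        return token

    def resolve(self, token):
        path = self.links.get(token)
        return None if path is None else self.store.read(path)


class ContentBoundLinks:
    """Hardened design: the token is random and carries no path; the link is
    pinned to the SHA-256 of the content at share time, and can be revoked."""
    def __init__(self, store):
        self.store = store
        self.links = {}  # token -> (path, digest)

    @staticmethod
    def _digest(data):
        return hashlib.sha256(data).hexdigest()

    def share(self, path):
        data = self.store.read(path)
        if data is None:
            raise FileNotFoundError(path)
        token = secrets.token_urlsafe(32)  # 256 random bits, nothing derived from the path
        self.links[token] = (path, self._digest(data))
        return token

    def revoke(self, token):
        """Returns True if a live link was removed."""
        return self.links.pop(token, None) is not None

    def resolve(self, token):
        entry = self.links.get(token)
        if entry is None:
            return None
        path, digest = entry
        data = self.store.read(path)
        # Serve only if the file is still byte-for-byte what was shared.
        if data is None or self._digest(data) != digest:
            return None
        return data


def replay_scenario(link_cls):
    """Replays the post's steps (share, add a second file, delete the original,
    rename the second over it) against one design and returns what the old
    link serves afterwards. File contents are constructed sample data."""
    store = Store()
    path = "PrivateFiles/MyPrivateFile.txt"
    store.write(path, b"very personal data")
    links = link_cls(store)
    token = links.share(path)
    store.write("PrivateFiles/AnotherFile.txt", b"a completely different file")
    store.delete(path)
    store.write(path, store.files.pop("PrivateFiles/AnotherFile.txt"))
    return links.resolve(token)


if __name__ == "__main__":
    print("path-bound   :", replay_scenario(PathBoundLinks))
    print("content-bound:", replay_scenario(ContentBoundLinks))
```

Running it shows the path-bound link handing out the replacement file, while the content-bound link returns nothing once the original bytes are gone. The design choice is that a share is a grant on specific content, not on a name; the link also never embeds the folder path, so the redirect target reveals nothing about the directory structure.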
