Security concerns with file storage services (the example of Dedikam)

I noticed that a lot of internet users feel that their data is secure when they put it online on some file storage website or with a backup service, or, even worse, they simply don't care about it. This becomes even more true when the naive user is faced with a web 2.0 service: "yeah, 'cause it's so clean and simple, and it's in AJAX, so it must be secure!" [don't ask him what AJAX actually means]. This article will essentially focus on security in the new internet services (2000-2007).

"The web 2.0 world"

I'm really cynical when it comes to reviewing Web 2.0 services (if you agree with me, you'll also agree with Jake Billo, who has written a review about the Box.net integration on Facebook). Some of them are actually worth the attention: "Tangler", for example, is a great way to gather all the discussion boards in one place, so that you can chat in several boards, across several subjects, while staying on the same website. Dailymotion or YouTube are also great, but they are abused far too much these days (though I am sure they won't disappear in the next 10 years, hmm, especially YouTube). Others, and unfortunately many of the well-advertised ones, really suck. I still don't know what I should do with my "Facebook" or my "Twitter"... (Twitter being the silliest of them all... why would you feel the need to write down everything you are doing on a public webpage?). They are just useless in my opinion: Facebook attracts more and more "relationship-needing" teenagers, while the cro$oft instant messaging system is already filling that gap in the market. The problem with all of this is that people seem to knowingly publish more and more personal data about themselves, without being aware of all the risks they may run into.

Security nowadays

When data is encrypted and then stored in a secure datacenter, the password is the ONLY weak point in the chain (an attacker gathers as much information as possible about a person, lists the common words the user may have used, and adds general things like the birthday). Complex encryption algorithms such as Blowfish (448-bit) or AES (256-bit) are still uncrackable, even by intelligence services (NSA, FBI, etc.). The newbie user won't think for a second about securing his data, or about using a web service that will (at least) guarantee him that his data is stored securely and that all transfers between his terminal and the server are encrypted. The power user who is concerned about his privacy will encrypt his data locally and may or may not want to store it on the web.

If you want to know more about this field, you may want to read Schneier's weblog (Schneier is the security expert who invented the Blowfish algorithm).

Security with file storing and sharing systems: the example of Dedikam.com

A web service isn't problematic just because it's a web service. It becomes a problem when the password is no longer the weakest point for someone trying to get into an account.

Dedikam.com is a French not-yet-association that, until December 30th, provided free unlimited space with FTP and HTTP access. They reduced this space a little after I tried to talk them into admitting that unlimited and free cannot go together. It took me 5 minutes to find a GIANT hole in their script.

I could list all the files on the server with rw permission... neat. I warned them about the problem (I can be honest some times), and they locked down the website for 12 hours, after which they thought they had fixed the problem. I admit that the hole got patched, but their script is a sort of Gruyère... if you see what I mean.

A similar hole can be found in the PHP script "Web Jeff File Manager 1.6", which lets you manage your files if you have access to a web server with an FTP service running.

Concerning Box.net and others like it (Humyo, Adrive, SteekR, NeufGiga, XDrive), you have no way to transfer your files securely using SSL (Box.net wants you to pay about $200 a year to get HTTPS access to your files). Using a wireless connection in a public space may end with your private videos showing up on massively-viewed video hosting services like YouTube or Dailymotion.

Last update: December 31st, 2007.