Dropbox’s Infinite feature needs deeper access to your computer
On the surface, Dropbox’s Project Infinite sounds great. The feature will give you access to everything in your account without having to store them on your computer. It’s bound to save space, especially if you’re using an SSD with a smaller capacity. As Motherboard reported, though, a lot of people aren’t happy that for the feature to work, Dropbox will need to have deeper access to your system. When the company announced the project, its post said: “With Dropbox Infinite, we’re going deeper: into the kernel — the core of the operating system.”
Since the kernel is the most important part of an OS, Infinite’s critics believe that it’s a security risk to have Dropbox sitting in it. Sam Bowne, an Ethical Hacking teacher at the City College San Francisco, told Motherboard that it’s like Dropbox is “proposing to copy the keys to your house, move in and live with you.” Further, he explained that a flaw in the program could be used to take over your computer.
Despite the backlash, Dropbox head of product Rob Baesman told VentureBeat in an interview that the company can’t change how Infinite works. “We could not do what Infinite sets out to do without using the kernel. It would be technologically impossible.” Unfortunately, he also wouldn’t say whether it’s possible to opt out of the feature when it launches. He echoed the company’s defense of the product, however, telling VB that anti-virus programs typically access the kernel, as well.
Here’s Dropbox’s full response to the controversy:
“We wanted to address some comments about Project Infinite and the kernel. It’s important to understand that many pieces of everyday software load components in the kernel, from simple device drivers for your mouse to highly complex anti-virus programs. We approach the kernel with extreme caution and respect. Because the kernel connects applications to the physical memory, CPU, and external devices, any bug introduced to the kernel can adversely affect the whole machine. We’ve been running this kernel extension internally at Dropbox for almost a year and have battle-tested its stability and integrity.
File systems exist in the kernel, so if you are going to extend the file system itself, you need to interface with the kernel. In order to innovate on the user’s experience of the file system, as we are with Project Infinite, we need to catch file operation events on Dropbox files before other applications try to act on those files. After careful design and consideration, we concluded that this kernel extension is the smallest and therefore most secure surface through which we can deliver Project Infinite. By focusing exclusively on Dropbox file actions in the kernel, we can ensure the best combination of privacy and usability.
We understand the concerns around this type of implementation, and our solution takes into consideration the security and stability of our users’ experience, while providing what we believe will be a really useful feature.”
(35)