Tuesday, September 19, 2017

Excited to join Dropbox!

I’m excited to announce that I’ve joined Dropbox as their new Head of Security. Truth be told, I’ve been here a little while and I’ve been enjoying on-boarding too much to make the announcement. If you were wondering why my blog has been quiet for a while, now you know why!

I exited a fun period of semi-retirement to take up this challenge. What attracted me to Dropbox enough to make the switch? Many things but briefly:
  • Scale and sensitivity of the data. Half a billion users storing sensitive files is a worthy stash to protect.
  • The excellent caliber and decent size of the existing security team. Working with strong leaders and team members is a big draw.
  • Perhaps above all else, the warmth of the people and the culture. This is the friendliest, most collaborative company I’ve worked at. I fully expect to become less of a jerk by imbibing the vibe! :)

The assertion about the warmth of the people and culture deserves some supporting evidence. This is a little story from before I joined. As you may recall, I was researching server-side usage of ImageMagick and one of my discoveries affected Dropbox in a fairly minor way. The response was spectacular -- and warm, and competent. Of course, the foundations you expect from a solid security program were present: a public bug bounty program with a fast response time. Beyond that, upon submission of what was considered an interesting bug, I was… invited up to Dropbox HQ for chai(!), a snack, and a chat with Dev (@frgx) plus the author of the sandboxing for this area. What a great experience.

It would be remiss of me to not mention that Dropbox is hiring for all types of security roles. The team is already a decent size, but we are growing. This job req is what you are looking for.

On a social note, this move means that I’m now up in SF city a lot of the time. Hit me up if you want to grab a drink and talk about security.


Anonymous said...

Chris, you might be in a position to reevaluate the issue I reported #235584-Unannounced file share at HackerOne. Unauthenticated file share with limited 80 bits of entropy is hardly secure. Not to mention that desktop users are likely sharing their files and not knowing about it. I'm posting it here because Dropbox has been advised against these practices and they decided to "accept" the risk, even though the risk is not theirs to accept. I almost left an important private file exposed due to these practices. Cheers.

Anonymous said...

Reason why I moved out from Dropbox Pro customers time ago...

Abhishek Dubey said...

Chris - my name is Abhishek and I am CEO of RedMarlin. My company has developed an AI-based technology that provides fully automated end-to-end brand protection from detection of fake pages to the takedown.

I figured this might be of interest to you as Dropbox is the most phished brand from the phishing sites we detect https://checkphish.ai/stats

I’d love to get your feedback even if you’re not in the market for this right now. Do you have 20 minutes this week? It looks like I am open on Thursday at 11am or 12pm PT if either may work.

We are based in Mountain View and I am happy to drive up to SF.

Abhishek Dubey