On Tuesday, Dropbox published the technical details for Project Infinite, a new update coming to its desktop client that plans to revolutionize how content is shared online using its service.
Announced last week, Dropbox Project Infinite lets users view all their content on their Dropbox-synced computers, even if the files aren’t stored locally. All files take zero space on the user’s hard-drive, but they’ll be able to navigate them with ease.
If they choose to open one of these files, Dropbox streams the content and provides the user with access in real time, also syncing back any changes. Basically, Project Infinite removes the need to allocate huge space on your hard drive for Dropbox content, and also the practice of opening a browser to see all your Dropbox content, if you didn’t sync it all locally.
Future Dropbox versions will operate in the OS kernel
According to the technical specs the Dropbox teamtwo days ago, these miraculous features are up and running after the development team made fundamental changes to how the Dropbox client works.
“Traditionally, Dropbox operated entirely in user space as a program just like any other on your machine,” Damien DeVille, Dropbox engineer, wrote. “With Dropbox Infinite, we’re going deeper: into the kernel – the core of the operating system. With Project Infinite, Dropbox is evolving from a process that passively watches what happens on your local disk to one that actively plays a role in your filesystem.”
While this may be a satisfactory explanation for end users, security experts have immediately reacted vilely. Telling engineers and privacy advocates that Dropbox can theoretically access everything on your computer is not a good idea, and they immediately pointed out the security and privacy implications of such a move.
If security weaknesses exist in Project Infinite, attackers would not need to escalate their access and get more privileges because they’re already in the OS kernel. Finding Dropbox exploits would certainly become a top priority for state-backed cyber-espionage agencies and APTs.
Previously, only antivirus engines, drivers, and other core OS utilities had access to the kernel, and for good reasons.
Privacy and security implications may drive users away
Dropbox, for its part, was already running a bug bounty program, so at least the company is dedicated to hardening its products.
There are already solid alternatives such as Google Drive and Microsoft’s OneDrive that provide the same features for end users while Box has been dominating the business market for quite some time now.
Regardless, the company may end up losing as many users as it gains at the end of the day. Some users might feel uncomfortable with Dropbox running code in the kernel while others will just don’t care because they already trust Dropbox with all their personal data anyway.
Now that DropBox.kext exists, when will we get Facebook.kext and LinkedIn.kext? Google.kext? Step up your game people! — the grugq (@thegrugq)
Dropbox.kext? It’s a joke, right? — Edgar Barbosa (@embarbosa)
The nextclient is gonna be a kernel module? Folks, I love your product, but this is a security nightmare. — Tim Weber (@scy)
Remember when accidentally turned off authentication? Yeah that’s not something I trust in kernel space. — John Hawksley (@johnhawksley)
“actively plays a role in your filesystem”? Nope. No. No. Noo — Io e Me (@New_DarkAge)
Things I don’t want:up in my kernel. — Dusty (@duspom)
— Sven Hesse (@TheRealDrMcCoy)