back to article Dropbox snuffs open code that bypassed file-sharing controls

Dropbox – the San Francisco startup that offers a free service for sharing files over the net – has suppressed a fledgling open source project that lets anyone use the service outside of its control, saying the project exposed Dropbox's proprietary protocol and could be used for piracy. The open source project is called Dropship …

COMMENTS

This topic is closed for new posts.
Happy

Must be nice

to be able to freely examine the source code so you can see how to stop the back end working with it...

3
0
Bronze badge
Coat

So...

Dropbox is trying to cover their back end...?

6
0
WTF?

A replacement for torrents? Errr...no actually!

Who in their right mind would think that this could be a successful replacement or alternative for Bittorrent as suggested by that Hacker News article? A piece of software designed around a propriety system under the control of a single entity that is being used against their ToS??? Uhhh yeah that will make a great alternative!

11
0
Grenade

Is he bluffing?

"According to Dropbox, however, the Dropship workaround will no longer work due to changes the company has made on its backend. ®"

Surely , it's just game of cat and mouse? Can't the coders just tweak it some more?

Maybe Dropbox feels its business model is threatened. I love Dropbox. But how can they claim DMCA on an open source thing? That's a tautology / oxymoron, right?

1
2
Anonymous Coward

ummmmm....

not exactly. If dropbox re-designs their protocol to make sure that hashes cannot be used to transfer files between accounts (simple salting should do if properly applied), then they will fix this - it was most likely just a way of saving space on amazon S3 by trying to de-duplicate user storage.

Of course, one can download the file from one account and re-upload it - but that ain't going to be as fast as telling server that "a new file with identical hash has been detected and there's no need to upload it to amazon".

They issued DMCA notice fraudulently, so it's possible the guy would win if he sued them - it's a different matter if he wants to or has enough money.

1
0
FAIL

Re DMCA

There is no tautology. There has been other open source software recently that has allegedly breached the DMCA - for example George Hots vs Sony being the most recent.

1
0

err

As DMCA isn't just the protection of copyrighted content that is out in the wild, but aims to prevent sharing of mechanisms used to break DRM

1
0

This post has been deleted by its author

Silver badge
Boffin

No.

As I understand it, the trick had to do with the fact that Dropbox didn't actually store a separate copy of each file for each account. If someone uploaded a file that had already been uploaded by someone else, Dropbox would just make a note that the second person had the file too, rather than really keeping a second copy. But someone figured out how to add a file to your account this way *without* actually uploading it.

3
0
Anonymous Coward

key principle seems to be:

1. When you upload a file to Dropbox, a hash of the file is sent to them

2. Dropbox use the hash to determine whether or not their servers already store a copy of the file you are trying to upload

3. Naughty People (TM) have figured out that they can simply upload a hash, and their account will then be given access to the file to which that hash relates.

4. Naughty people (TM) propose uploading WAREZ to Dropbox and sharing the hash, such that anyone with the hash can then trick Dropbox into giving them access to the file.

5. With this software, Naughty people (TM) would find that the WAREZ magically appear in their own Dropbox account, from where they can be safely downloaded.

Somebody who has actually used Dropbox can probably clarify.

3
0
Thumb Up

Re encryption

If you are relying on Dropbox's encryption then no, actually, they ARE able to look at file contents (this was covered on Tech News Today last week).

If you encrypt a file and upload it then yes, you're safe.

1
0
Go

Spideroak

Spideroak fully encrypted no one can ever tell who is hosting what.

1
0

Aaand

no-one can instantly share the files based on their hash because there's no de-duplication going on.

1
0

Automatic DMCA

Ain't the modern world lovely.

Wake me up when they issue automatic hugs.

5
0
Anonymous Coward

DMCA notice

It looks like they assumed, when they implemented the ability to ban a file, that they would only do so because a particular file exposed them to the lovely effects of the DMCA. They forgot to add the "ban a file just on a whim" option, perhaps in the belief that they would remain level headed at all times.

3
0
Unhappy

Open Source

I feel sad to see this attempted con passed off with the excuse that 'open source' makes it ok

Guess GIThub is a good name

0
6
Silver badge

@I'm too stupid to comprehend this

You can already allow anybody to download a file from your public folder - you just send them the dropbox generated link, what this software did was work out the secret link that dropbox uses to refer to any file on the system. So no big deal really

What is interesting/important is:

1, Dropbox sent a DMCA take down notice to scare the user with the threat of a major fine/federal crime. If he was using a university computer this was probably already enough to get him kicked out - whether it was true or not. Sending a threat-o-gram is easy, claiming you own the copyright on something that you shared (as he did) involves lawyers and official processes.

2, Dropbox checked inside the contents of the compressed tar file he was hosting to find his code. So dropbox routinely checks the contents of files you upload looking for things that damage their business model. You don't know what their business model is, who their shareholders are, or who they partner with. Out of general paranoia you should assume in business that all your cloud content is delivered directly to your worst enemy - but in this case it seems to be valid.

3, Anything you upload to Dropbox that is to do with business should be encrypted - this will cost dropbox money since they rely on being able to identify identical files from different users and use hashing to only store a single copy (they use Amazon S3 for their backend)

3
0
Anonymous Coward

eltiT

If you read DeFelippi's account you'll laugh or cry.

And there's still no executions due to improper (under penalty of perjury) DCMA notices.

Its like punching your little brother in the back of the head and being required to say 'sorry'.

1
0

perjury?

If Dropbox could convince a judge that Dropship was a circumvention device, then the DMCA notices might have been appropriate despite the fact that Dropship itself is free software.

Dropbox provides a service that lets a user add files to their account if they know the hash as a way to speed up uploads of common files. The official Dropbox client software only allows access to this service if you have a copy of the file locally, so could be considered a technological protection measure. If they can convince a judge of this, then it would be pretty clear that Dropship is circumventing this protection.

The fact it is a bad idea to provide a service that lets you reverse a cryptographic hash function for popular inputs doesn't really matter.

1
0
Unhappy

Utter sheisters

Not only do they want to deny people a living by distributing pirated software, they want to do so by stealing another companies infrastructure to distribute it.

They then go and try to give the project some sort of legitimacy by pinning the Open Source moniker on it.

These dicks are going to give open source a bad name.

8
2
FAIL

This makes things simpler

I had great suspicions about dropbox. It sounded like a pretty shady organization. Of course anyone who wants me to put private data on their mythical servers has an uphill battle on their hands.

Clouds are made of vapor after all!. Just ask Amazon's poor victims^H^H^H^H ah, customers.

I am pretty sure you can get the crap sued out of you for filing false DMCA notices. Of course no one does, and it's probably not even illegal to just lie and say you got one. Still I can now cross dropbox off the list of "things that exist in the universe" with a clear conscious.

Thanks for showing your colors so early on and removing all moral ambiguity from your company.

0
1
FAIL

So files stored on dropbox are protected only by their hash.

Not exactly confidence inspiring. Your private files are a hash away from being public. In other words a malicious software program could just send hashes of all your files back to the crooks/FBI/NSA/etc. Saves on bandwidth, which is important. (ie a nice list of filenames + links to download the file).

This means that knowing the hash of any file is enough to get that file, as long as someone, somewhere has it on their dropbox. Even if they close this hole on the dropbox servers (can they - or will it take a client update?), it means that people could have been doing this for years.

--KT

0
1
Silver badge

@So files stored on dropbox are protected only by their hash

Yes, note from our legal dept this morning - we aren't allowed to store anything financial/legal/patentable on Dropbox anymore

According to them the stock exchange could regard anything on Dropbox as published and so had to be told to investors first.

0
1

How I use Dropbox...

I still use Dropbox daily and will continue to. Stuff I put there is either my own or open source. This does have me wondering about recorded public broadcast radio shows I sometimes store there? How I use it --> http://goo.gl/pAS4B

0
0
Alert

Here is a security risk from it

Pretend there is a large company 'BigOilCo'. Now suppose that everyday they set a price on a commodity. The person who does the work uses dropbox to transfer the document to someone at head office, who embargoes it for publication until the next day. The (.txt) file always looks exactly the same, except the date is changed in the upper left, and the price is different. ( Pretend that the file comes from a financial mathematical modelling script). Then guessing the hash of the 'still secret' file is not a problem, just look at yesterdays file, change the date, and put in like 1000 different possible prices for oil tomorrow. Then you get 1000 hashes. Try downloading all those files from Dropbox. The one that downloads is tomorrows price.

I don't know how many sensitive files like this are floating around on Dropbox, but there are likely more than there should be!

3
0

They did fix it

I looked through the Dropship source code and did a few tests.

Normally, when the client is going to upload a file it first hashes it, and then send the hashes to the server. If they hashes already exist, then it makes a new pointer to the file data in that person's account and tells the client not to bother uploading the file. If the hashes don't exist then the client must upload the file.

From what I can tell, they have just changed the server code so that it always responds with a "Hashes not found" message.

This looks like a quick fix, as it's probably going to result in increased bandwidth expenditure for them until they come up with a better solution.

One solution might be to only allow hashing on a per-user basis, and still require uploads even if the file already exists for another user. Once the file is stored they can safely use pointers as long as they don't implement it such that the timing of availability (or similar) reveals whether the file already existed in the datastore. This wouldn't fully solve the bandwidth problem, but it would make the system more secure.

0
0
This topic is closed for new posts.

Forums