Dropbox nukes bloke's file share in DMCA brouhaha – then admits it made a 'HASH OF IT'

A Dropbox user sparked outrage after he revealed he was blocked from sharing a file he'd deposited in the online storage locker – because it was the target of a Digital Millennium Copyright Act (DMCA) anti-piracy takedown notice. The trouble started when designer Darrell Whitelaw found he couldn't share a file in a personal …

COMMENTS

This topic is closed for new posts.


Hope they're using a good hash

and not one prone to collisions. If they're using something weak like md5, there's a potential denial-of-service attack here: identify a (legitimate) file you want removed, upload a copyrighted image or video carefully padded to have the same hash, issue DMCA notice, and they'll block access to both files.

19
0
Bronze badge

Re: Hope they're using a good hash

Whilst collisions are possible, and indeed information theory tells us necessary for a mapping to a hash of a fixed tiny size, what you suggest is computationally unfeasible. It would be orders of magnitude cheaper to lobby for "improved copyright protection".

6
10
Silver badge

Re: Hope they're using a good hash

I'm sure that hash collisions are not "necessary". They may be possible/probable.

2
6
Bronze badge

Re: Hope they're using a good hash

Put it another way, then: if collisions were not possible then you would have a very effective compression algorithm.

The number of unique hash values is 2^size of hash. So for md5 that is 2^128 possible target values. So given a source set containing 2^128 + 1 unique pieces of data, at least 1 must clash.

The challenge posed by the OP requires you to not only find a collision but to do so in a way that preserves the image information and doesn't make your cat picture contain 500MB of nonsense in its EXIF detail. That is the unfeasible part.

13
0

Re: Hope they're using a good hash

Unless someone actually opens the cat picture or other text or whatever to check, then it makes no difference if the picture works or not - it is checked by a script, so if it matches it gets killed.

Yes, computationally tricky, but far from impossible. Just look at rainbow tables. It would be possible to do that for hash values so it becomes a relatively simple look-up in a big database. Every time one doesn't appear, you add it. Eventually you have a huge database with reasonable coverage.

Might want an algorithm to generate the actual files though, else storage would rapidly become an issue!

2
1
Silver badge

Re: Hope they're using a good hash

The old MD5 algorithm has some weaknesses known now that do make it possible to create a hash collision, though not easy. That's why they should be abandoned in favor of something like SHA1 (Or, for the really concerned, SHA256).

1
0
Silver badge

Re: Hope they're using a good hash

Your maths are correct, but the assertion that it is unfeasible is not. I was discussing the issue with a friend the other week and he is aware of several programs which perform exactly that function. We were discussing it in a different context, essentially a theoretical hashing index to independently check high capacity storage volumes for altered files rather than continuous virus scanning which is unfeasible on their volumes.

0
0
Bronze badge
Go

Re: Hope they're using a good hash

Just append a zero byte to the file, and the hash collision is solved.

1
0
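The thread above describes the mechanism the later "well personally" reply also attributes to Dropbox: every stored file is hashed, and a takedown blocks sharing of every file whose digest matches. The following is an added illustration, not code from the original thread or from Dropbox, of what such an exact-digest blocklist does and does not catch. The file names and byte contents are constructed stand-ins, and `ShareBlocklist` is a hypothetical class written for this example. It uses SHA-256, as one poster recommends over MD5, and shows that two identically-named-or-not copies of the same bytes share one digest (so both are blocked), while a single appended byte, as the last reply notes, produces an unrelated digest that an exact-match list no longer recognises.

```python
import hashlib

# Constructed sample uploads: short byte strings stand in for real file contents.
SAMPLE_FILES = {
    "holiday_video.mp4": b"CONSTRUCTED-VIDEO-CONTENT-0001",
    "copy_of_holiday_video.mp4": b"CONSTRUCTED-VIDEO-CONTENT-0001",  # same bytes, different name
    "cat.jpg": b"CONSTRUCTED-JPEG-CONTENT-cat",
}


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the whole file content under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


class ShareBlocklist:
    """Hypothetical exact-digest blocklist, keyed on the content hash only.

    This mirrors the behaviour described in the thread: a notice blocks a
    digest, and every stored copy with that digest is refused for sharing.
    Nothing about the file name or owner is consulted.
    """

    def __init__(self, algorithm: str = "sha256"):
        self.algorithm = algorithm
        self._blocked: set[str] = set()

    def block_file(self, data: bytes) -> str:
        """Record the digest of a file named in a takedown notice; returns it."""
        d = digest(data, self.algorithm)
        self._blocked.add(d)
        return d

    def is_share_allowed(self, data: bytes) -> bool:
        """True unless this exact content has been blocked."""
        return digest(data, self.algorithm) not in self._blocked


def demo() -> dict:
    """Block one upload, then check each sample plus a one-byte-padded variant."""
    bl = ShareBlocklist()
    bl.block_file(SAMPLE_FILES["holiday_video.mp4"])

    results = {name: bl.is_share_allowed(data) for name, data in SAMPLE_FILES.items()}

    # The thread's last point: a trailing zero byte changes the digest entirely,
    # so an exact-match list treats the padded copy as unrelated content.
    padded = SAMPLE_FILES["holiday_video.mp4"] + b"\x00"
    results["holiday_video.mp4+NUL"] = bl.is_share_allowed(padded)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} share allowed: {allowed}")
    # Collision resistance differs by algorithm, but digests of the same input
    # are deterministic, which is what makes de-duplication by hash work at all.
    print("sha256(abc) =", digest(b"abc"))
    print("md5(abc)    =", digest(b"abc", "md5"))
```

The takeaway for anyone operating such a list is the one the thread reaches: exact digests are ideal for de-duplication and for matching byte-identical copies, but they only ever match the exact bytes that were reported, and the strength of the hash decides whether a crafted second file can be made to match a digest already on the list.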
FAIL

well personally

i hate dropbox, but no matter how often i advise people of its complete inadequacies in every way i am the one met with derision...

what kind of professional paid for service would allow me to send me a file share link to a client for them only to get a message that their dropbox was full and they could not download the link?

or a group shared folder that somebody has put GB's worth of data in that dropbox tries to sync over the first internet connection it finds, filling up all available space on the already full local machine?

or a client uploading video content to share with others but dropbox displaying the first 10 minutes of video, but not giving a link to download it, thus making the client believe that the rest of the video has been lost...

these are 3 simple scenarios that i have had forced upon me in the last month, the fewer people who use it and pay for the poor service the better....

p.

16
13
Silver badge

Re: well personally

"i hate dropbox, but no matter how often i advise people of its complete inadequacies in every way i am the one met with derision..."

For these other people, the service is good enough. As a way to save files and make them available to all one's devices, it's very good.

8
8
Silver badge

Re: well personally

You forgot to tell us what perfect tool we should all be using...

For what I do it works great, but it might well be a poor tool for other uses.

5
2

Re: well personally

Dropbox is exceptionally useful; the "complete inadequacies" you cite are all user errors.

"what kind of professional paid for service would allow me to send me a file share link to a client for them only to get a message that their dropbox was full and they could not download the link?"

One in which the client has used up their quota and either needs to put their hand in their pocket or delete some cat videos.

"or a group shared folder that somebody has put GB's worth of data in that dropbox tries to sync over the first internet connection it finds, filling up all available space on the already full local machine?"

How is the piss-poor management of a client machine's free space any problem of Dropbox's? Especially one allocated to the role of collaboration on GBs of data? Sort it out.

"or a client uploading video content to share with others but dropbox displaying the first 10 minutes of video, but not giving a link to download it, thus making the client believe that the rest of the video has been lost..."

Dropbox isn't a media streaming service; despite this they will stream video up to ten minutes, anything longer needs downloading. The client sounds a bit thick to be brutally honest.

This DMCA thing has been blown out of proportion by the original Twit who has leapt to conclusions. Dropbox hashes all files to permit de-duping at the back end. If they receive a DMCA takedown for a file they will block that file from being shared as a blanket operation across the service based on all instances of that hash allocated to a link. They are not trawling users' files or poking around. Various services such as Boxcryptor can help if you want to ensure that only you can interpret or access content, but this won't let someone share copyrighted films.

15
5
Silver badge
Thumb Down

Re: well personally

How about moving away from the overpriced cloud? After all, you're just sharing a few files, you can do this from your home computer. Or a small NAS.

QNAP even has been adding specific functionality for sharing files with unique links (and time limits), and some dropbox-like syncing functionality.

These days I only fire up dropbox if somebody insists on using it to send me stuff.

9
4
Silver badge
FAIL

Re: well personally

@Anonymous Coward 101

Dropbox, just another NSA/GCHQ compliant web site.

7
3
Silver badge

Re: well personally

@slim mcslim: One down vote for not bothering to fix your shift key before posting on an IT site.

8
1

Re: well personally

How about a simple FTP server? Dropbox is for morons.

4
6
Silver badge

Re: well personally

You mean SFTP server. FTP is for suicidal morons.

16
1
Bronze badge

Re: You forgot to tell us what perfect tool we should all be using

Just about all of the shared storage & "private cloud" offerings out there are better than DropBox. Probably even Microsoft's. DropBox is OK for personal use, but anyone using it for professional purposes is insane.

1
1
Anonymous Coward

Re: well personally

@petur - How about moving away from the overpriced cloud? After all, you're just sharing a few files, you can do this from your home computer. Or a small NAS.

Oh yes, because EVERYONE is a fully qualified network engineer and sysadmin with the chops to not only load-balance (where needed) but fully secure their servers before making them Internet facing. AND they have a business-grade connection that allows them to run a server. AND they have a static IP OR they have correctly configured DynamicDNS. AND they have the time to do all the above. AND they don't mind paying the leccy. AND lots of low-efficiency, under utilised servers running at home is somehow better for the environment than ones in a datacentre kept at close to capacity (or switched off).

People don't use DropBox because it's "the best", they use it because it works and they do not have the time/skills to roll their own. Tell me, when was the last time you built your own car? Made you own oven? Constructed your own house by hand? Ran your own bank? Buying in services/items that you do not have the time/skill/scale to do personally is not evil.

I am certain you use Linux as you are clearly out of touch with the reality of the real world.

19
4
Anonymous Coward

Re: well personally

@autocatakinetic - Dropbox is for morons.

Quick, in 5 easy steps how does your non-IT literate granny spec, install, configure, secure, maintain and back-up a public-facing FTP server?

Now who's the moron?

Not everyone is a nerd stuck in a basement cultivating their neckbeard, some people have actual lives. Buying in a service is not evil.

14
7
Silver badge

Re: well personally

"Dropbox, just another NSA/GCHQ compliant web site."

Are you waiting for another offering that absolutely, totally promises not to cooperate with these organisations? Have you thought about encrypting your files before saving them to Dropbox, thereby at least greatly increasing the effort the NSA and GCHQ have to put in to get access to them?

2
2
Anonymous Coward

Re: well personally

Well, this has always worked for me. But you get what you pay for, and, as always, YMMV.

Personally, I'm wary of the whole "free" and "sharing" trend because the first usually isn't (personal data has a value too, so it's not "free" at all), and the second tends to share with more people than I like.

0
1
Gold badge

Re: well personally

Are you waiting for another offering that absolutely, totally promises not to cooperate with these organisations?

If they're US based that would be a lie, or a very short-lived organisation. Planning upfront to defy a legal notice is not exactly a sustainable business model :)

0
0
Silver badge
FAIL

Re: well personally

@AC (lame AC)

Oh yes, because EVERYONE is a fully qualified network engineer and sysadmin with the chops to not only load-balance (where needed) but fully secure their servers before making them Internet facing. AND they have a business-grade connection that allows them to run a server. AND they have a static IP OR they have correctly configured DynamicDNS.

Maybe you should catch up with NAS vendor offerings before ranting....

Just going to describe the QNAP offering because I know that best, similar offers from others too.

- QNAP offers its own cloud portal (DDNS), directly set up and configured from your NAS.

- The NAS software provides the functionality, QNAP firmware updates keep it secure. User only ticks the box to enable functionality.

- Load balancing on a private system? Come on.

- Maybe not in every place, but here the uplink speeds have increased in recent years to usable levels. I have about 5mbps uplink these days....

One point you could make but forgot, is that some ISPs still block ports to prevent you from running a server, so I have to run mine on alternate ports.

1
7
Anonymous Coward

Re: well personally

@petur - Maybe you should catch up with NAS vendor offerings before ranting....

So you agree with buying in a service, you just want something physical at home (which still leaves all the issues over firewalls, back-ups, updates etc.) to give yourself a false sense of control and security.

"QNAP offers its own cloud portal (DDNS), directly set up and configured from your NAS."

Whoa. Stop right there. So this really isn't a home system at all, is it? You now have to 100% trust QNAP and be certain that they are not playing silly bastards with your data in-transit. It's no different to DropBox.

"Load balancing on a private system? Come on."

Perfectly legitimate. As is having a stand-by server running at another location in the event of a power cut. Which brings in concepts of high-availability. Something a user gets "for free" with DropBox but isn't trivial for the average person to do.

"QNAP firmware updates keep it secure. User only ticks the box to enable functionality."

Oh, so the user has to totally trust this magic software of unknown provenance. How is that *ANY* different to bunging it into DropBox? Clue: It isn't.

"One point you could make but forgot, is that some ISPs still block ports to prevent you from running a server"

No, I think you'll find that I did make that point. Try reading what I wrote. Clue: "business-grade".

Your "hybrid" system is no different to the likes of DropBox except that it means more bother for the end-user. Whilst the media might be sat in your basement, you are still trusting a third party with all your data. You've changed the architecture, but not solved the problem.

5
3
Silver badge
Windows

Re: well personally

"I am certain you use Linux as you are clearly out of touch with the reality of the real world"

Well all I can say is that if Windows 8 represents the real world, then you are welcome to it.

5
1
Silver badge

Re: well personally

> You forgot to tell us what perfect tool we should all be using...

SFTP

0
0
Silver badge

Re: well personally

> Quick, in 5 easy steps how does your non-IT literate granny spec, install, configure, secure, maintain and back-up a public-facing FTP server?

-download Filezilla-FTP-for-dummies-setup.exe

-click on Filezilla-FTP-for-dummies-setup.exe

That's 2 steps. You're welcome.

0
2
Gav
Facepalm

Re: well personally

And where is this magic setup application? Any installation of an FTP server would require configuration of your router. Your mythical "for dummies" setup isn't going to do that for you.

1
1
Silver badge

Re: well personally

The QNAP DDNS portal is just nice to have, you can use it as free DDNS only, I just wanted to point out that setting up DDNS can be quite painless. In the end it is still my home system and setting up any other DDNS is always possible, you're not locked in.

The main argument is that my data sits at home. No worries on monthly fees as my collection of pictures and other files I like to share grows...

Setting up backups is equally painless...

If I don't use dropbox I can buy new harddisks every year

But hey, do keep on downvoting and keep your dropbox-branded blindfold on

2
1
Anonymous Coward

Re: well personally

@petur - Setting up backups is equally painless...

For you, maybe. Not for others. Do you have a firesafe? Do you keep copies off-site? On what media?

"But hey, do keep on downvoting and keep your dropbox-branded blindfold on"

That's not the point I am making. The point is, it might be easy for you to have a part-baked system (because I doubt you are running multiple servers in different locations, have UPS etc) but it is *NOT* easy for the average user and it is damned near impossible for them to have a proper system (redundancy, off-site back-ups etc).

So they chose DropBox etc. Is that so hard to understand?

2
1
Anonymous Coward

Re: well personally

"download Filezilla-FTP-for-dummies-setup.exe"

From where? What does "download" mean?

"click on Filezilla-FTP-for-dummies-setup.exe"

In the Google? What does that do? What do I do after? Did you mean double-click?

"That's 2 steps."

Which don't actually work and presume much more knowledge than your target audience actually has.

3
3
Anonymous Coward

Re: well personally

@Gav - Your mythical "for dummies" setup isn't going to do that for you.

Exactly. Even these people who claim it is soooooo easy can't get it right and think their cobbled together system is going to have anything like the resilience of a professional offering.

Add to that ISPs blocking servers for non-business customers and you have a fantasy world.

There is NOTHING WRONG with running your own server. But just because you have a week to kill sorting out back-ups, redundancy etc does not mean everyone else has, or even has the skill to do so.

3
2
Silver badge

Re: well personally

> In the Google?

Yes, in the Google.

> What does that do?

It allows you to share your cat videos with your grand-grand-kids

> What do I do after?

Nothing

> Did you mean double-click?

Yes

> "That's 2 steps." Which don't actually work

They do. Just try.

> and presume much more knowledge than your target audience actually has.

Not more than using Dropbox. And it relies considerably less on unspoken visual codes than "dumbed-down" (but unintuitive and undocumented) solutions like Dropbox.

The cowards here lack the tech clout of an elderly woman apparently. Dropbox is _not_ easy for the non-technical people, especially the older ones (its retarded interface is based on Facebook visual codes, which is not familiar to the elder).

Also, local solutions these days are plug-and-play, more so than Dropbox. In most cases, _no_ config changes at all are needed. The only cases where I've seen them fail were on internal networks where the admins had put a lot of effort into insulating the local network from the outside world. On a home system it'll go directly through the firewalls. Go look up the stuff you diss (filezilla et al), you'll look considerably less stupid.

1
1
Anonymous Coward

Re: well personally

"Go look up the stuff you diss (filezilla et al)"

I'm not dissing Filezilla, I am dissing your instructions.

Which are still incomplete, by the way. You are still assuming knowledge on the part of the user. And you simply can't do that.

After entering the term into Google and then clicking on it, nothing happens. You have to tell them to click "Search". And then tell them how to identify the correct result. And then how to get to the actual download link. And then how to download. And then how to find that downloaded file. And then how to verify it's safe. And then how to run it. And then...

Way, way, way more than your "two steps".

0
0
Bronze badge

Re: well personally

"I'm not dissing Filezilla, I am dissing your instructions."

If I were training a toddler on how to do this, then maybe.

Neither my 5 year old son, my 93 year old grandmother, nor (most) of the tech support clients I had (from 1997-2003) needed the kind of hand-holding you espouse for the "average" user.

Also: The Dropbox install is about on par with the filezilla setup, so if they can't setup filezilla, how are they going to work Dropbox?

0
0
Silver badge

Or

Your own domain and a hosting service.

Dropbox, Google drive etc are lazy solutions for people that can't be bothered or don't want to set up their own solution.

7
10
Silver badge

Re: Or

Dropbox, Google drive etc are lazy solutions for people that can't be bothered or don't want to set up their own solution

Or for people who don't understand how this all works.

El Reg readers are probably quite tech savvy. The general population less so. If the general population were tech savvy, why are hundreds of millions of people still using Hotmail/Gmail/Yahoo/etc?

15
2
Anonymous Coward

Re: Or

@A Non e-mouse - Or for people who don't understand how this all works.

\o/ The first commentard who seems to get it. Well done Sir/Madam.

1
1
Anonymous Coward

Re: Or hotmail

I'm savvy (enough), but still use hotmail. I guess it's just a matter of old habits dying hard, sentiment, but also convenience, to have another mail box (and 25 GB of MS cloud space). Yes, I'm aware of snooping, but there are innocent uses for the Internet too. All to its own.

8
0
Silver badge

Re: Or

> \o/ The first commentard who seems to get it. Well done Sir/Madam.

That the "smiley" for a gaping... something or other?

0
0
Bronze badge

Inappropriate emoticon?

Prolly thought it was a reasonable facsimile of an "arms in the air" celebration

\o/

|||

/ \

PS El Reg's insistence that it knows where I want to put <p></p> tags is a bit irritating sometimes...

0
0

hash

The article doesn't say whether or not the problem was caused by a hash-collision. Or if it was improper sharing.

So both Dropbox and El Reg have made a hash of this one.

11
1
Bronze badge

Re: hash

Just for the sake of argument it's also possible that something would be copyright infringement when shared publicly, but another person would still have a lawful reason to share it privately.

8
0
Anonymous Coward

Re: hash collision

hash collision

Ah, causing an accident after smoking a few

:)

2
0
TRT
Silver badge

Re: hash collision

Your file share with a work colleague on a collaborative project suddenly disappears 10 minutes before your presentation before the board...

it's hash brown trousers time.

0
0
Bronze badge

Re: hash collision

If you've pinched data or images or other copyrighted work, yes, it should disappear and you shouldn't be using it. Especially if you have a Legal and Compliance department.

0
0
Bronze badge

Re: hash

> it's also possible...

Yes, if I was sharing a draft of my first novel with my editor, for instance. But in that case, it's hardly likely to be the subject of a DMCA takedown notice in the first place, is it? DMCA takedown has to be initiated by the copyright owner or his agent.

0
0
Silver badge

So he stored his data on someone else's computer and was discombobulated when the rules changed?

1
0
Silver badge

Actually, the only thing the article says has changed is that you must go to arbitration before calling a lawyer, not that Dropbox have suddenly started blocking access to files due to DMCA notices.

0
1
