Must be nice
to be able to freely examine the source code so you can see how to stop the back end working with it...
Dropbox – the San Francisco startup that offers a free service for sharing files over the net – has suppressed a fledgling open source project that lets anyone use the service outside of its control, saying the project exposed Dropbox's proprietary protocol and could be used for piracy. The open source project is called …
Who in their right mind would think that this could be a successful replacement or alternative for Bittorrent as suggested by that Hacker News article? A piece of software designed around a propriety system under the control of a single entity that is being used against their ToS??? Uhhh yeah that will make a great alternative!
"According to Dropbox, however, the Dropship workaround will no longer work due to changes the company has made on its backend. ®"
Surely , it's just game of cat and mouse? Can't the coders just tweak it some more?
Maybe Dropbox feels its business model is threatened. I love Dropbox. But how can they claim DMCA on an open source thing? That's a tautology / oxymoron, right?
not exactly. If dropbox re-designs their protocol to make sure that hashes cannot be used to transfer files between accounts (simple salting should do if properly applied), then they will fix this - it was most likely just a way of saving space on amazon S3 by trying to de-duplicate user storage.
Of course, one can download the file from one account and re-upload it - but that ain't going to be as fast as telling server that "a new file with identical hash has been detected and there's no need to upload it to amazon".
They issued DMCA notice fraudulently, so it's possible the guy would win if he sued them - it's a different matter if he wants to or has enough money.
As I understand it, the trick had to do with the fact that Dropbox didn't actually store a separate copy of each file for each account. If someone uploaded a file that had already been uploaded by someone else, Dropbox would just make a note that the second person had the file too, rather than really keeping a second copy. But someone figured out how to add a file to your account this way *without* actually uploading it.
1. When you upload a file to Dropbox, a hash of the file is sent to them
2. Dropbox use the hash to determine whether or not their servers already store a copy of the file you are trying to upload
3. Naughty People (TM) have figured out that they can simply upload a hash, and their account will then be given access to the file to which that hash relates.
4. Naughty people (TM) propose uploading WAREZ to Dropbox and sharing the hash, such that anyone with the hash can then trick Dropbox into giving them access to the file.
5. With this software, Naughty people (TM) would find that the WAREZ magically appear in their own Dropbox account, from where they can be safely downloaded.
Somebody who has actually used Dropbox can probably clarify.
It looks like they assumed, when they implemented the ability to ban a file, that they would only do so because a particular file exposed them to the lovely effects of the DMCA. They forgot to add the "ban a file just on a whim" option, perhaps in the belief that they would remain level headed at all times.
You can already allow anybody to download a file from your public folder - you just send them the dropbox generated link, what this software did was work out the secret link that dropbox uses to refer to any file on the system. So no big deal really
What is interesting/important is:
1, Dropbox sent a DMCA take down notice to scare the user with the threat of a major fine/federal crime. If he was using a university computer this was probably already enough to get him kicked out - whether it was true or not. Sending a threat-o-gram is easy, claiming you own the copyright on something that you shared (as he did) involves lawyers and official processes.
2, Dropbox checked inside the contents of the compressed tar file he was hosting to find his code. So dropbox routinely checks the contents of files you upload looking for things that damage their business model. You don't know what their business model is, who their shareholders are, or who they partner with. Out of general paranoia you should assume in business that all your cloud content is delivered directly to your worst enemy - but in this case it seems to be valid.
3, Anything you upload to Dropbox that is to do with business should be encrypted - this will cost dropbox money since they rely on being able to identify identical files from different users and use hashing to only store a single copy (they use Amazon S3 for their backend)
If Dropbox could convince a judge that Dropship was a circumvention device, then the DMCA notices might have been appropriate despite the fact that Dropship itself is free software.
Dropbox provides a service that lets a user add files to their account if they know the hash as a way to speed up uploads of common files. The official Dropbox client software only allows access to this service if you have a copy of the file locally, so could be considered a technological protection measure. If they can convince a judge of this, then it would be pretty clear that Dropship is circumventing this protection.
The fact it is a bad idea to provide a service that lets you reverse a cryptographic hash function for popular inputs doesn't really matter.
Not only do they want to deny people a living by distributing pirated software, they want to do so by stealing another companies infrastructure to distribute it.
They then go and try to give the project some sort of legitimacy by pinning the Open Source moniker on it.
These dicks are going to give open source a bad name.
I had great suspicions about dropbox. It sounded like a pretty shady organization. Of course anyone who wants me to put private data on their mythical servers has an uphill battle on their hands.
Clouds are made of vapor after all!. Just ask Amazon's poor victims^H^H^H^H ah, customers.
I am pretty sure you can get the crap sued out of you for filing false DMCA notices. Of course no one does, and it's probably not even illegal to just lie and say you got one. Still I can now cross dropbox off the list of "things that exist in the universe" with a clear conscious.
Thanks for showing your colors so early on and removing all moral ambiguity from your company.
Not exactly confidence inspiring. Your private files are a hash away from being public. In other words a malicious software program could just send hashes of all your files back to the crooks/FBI/NSA/etc. Saves on bandwidth, which is important. (ie a nice list of filenames + links to download the file).
This means that knowing the hash of any file is enough to get that file, as long as someone, somewhere has it on their dropbox. Even if they close this hole on the dropbox servers (can they - or will it take a client update?), it means that people could have been doing this for years.
Yes, note from our legal dept this morning - we aren't allowed to store anything financial/legal/patentable on Dropbox anymore
According to them the stock exchange could regard anything on Dropbox as published and so had to be told to investors first.
Pretend there is a large company 'BigOilCo'. Now suppose that everyday they set a price on a commodity. The person who does the work uses dropbox to transfer the document to someone at head office, who embargoes it for publication until the next day. The (.txt) file always looks exactly the same, except the date is changed in the upper left, and the price is different. ( Pretend that the file comes from a financial mathematical modelling script). Then guessing the hash of the 'still secret' file is not a problem, just look at yesterdays file, change the date, and put in like 1000 different possible prices for oil tomorrow. Then you get 1000 hashes. Try downloading all those files from Dropbox. The one that downloads is tomorrows price.
I don't know how many sensitive files like this are floating around on Dropbox, but there are likely more than there should be!
I looked through the Dropship source code and did a few tests.
Normally, when the client is going to upload a file it first hashes it, and then send the hashes to the server. If they hashes already exist, then it makes a new pointer to the file data in that person's account and tells the client not to bother uploading the file. If the hashes don't exist then the client must upload the file.
From what I can tell, they have just changed the server code so that it always responds with a "Hashes not found" message.
This looks like a quick fix, as it's probably going to result in increased bandwidth expenditure for them until they come up with a better solution.
One solution might be to only allow hashing on a per-user basis, and still require uploads even if the file already exists for another user. Once the file is stored they can safely use pointers as long as they don't implement it such that the timing of availability (or similar) reveals whether the file already existed in the datastore. This wouldn't fully solve the bandwidth problem, but it would make the system more secure.
Biting the hand that feeds IT © 1998–2019