Dropbox nukes bloke's file share in DMCA brouhaha – then admits it made a 'HASH OF IT'

A Dropbox user sparked outrage after he revealed he was blocked from sharing a file he'd deposited in the online storage locker – because it was the target of a Digital Millennium Copyright Act (DMCA) anti-piracy takedown notice. The trouble started when designer Darrell Whitelaw found he couldn't share a file in a personal …

COMMENTS

This topic is closed for new posts.
  1. Kanhef

    Hope they're using a good hash

    and not one prone to collisions. If they're using something weak like md5, there's a potential denial-of-service attack here: identify a (legitimate) file you want removed, upload a copyrighted image or video carefully padded to have the same hash, issue DMCA notice, and they'll block access to both files.

    1. Adam 1

      Re: Hope they're using a good hash

      Whilst collisions are possible and indeed information theory tells us necessary for a mapping to a hash of a fixed tiny size, what you suggest is computationally unfeasible. It would be orders of magnitude cheaper to lobby for "improved copyright protection".

      1. frank ly

        Re: Hope they're using a good hash

        I'm sure that hash collisions are not "necessary". They may be possible/probable.

        1. Adam 1

          Re: Hope they're using a good hash

          Put it another way then, if collisions were not possible then you would have a very effective compression algorithm.

          The number of unique hash values is 2^size of hash. So for md5 that is 2^128 possible target values. So given a source set containing 2^128 + 1 unique pieces of data, at least 1 must clash.

          The challenge posed by the OP requires you to not only find a collision but to do so in a way that preserves the image information and doesn't make your cat picture contain 500MB of nonsense in its EXIF detail. That is the unfeasible part.

          1. YetAnotherLocksmith Silver badge

            Re: Hope they're using a good hash

            Unless someone actually opens the cat picture or other text or whatever to check, then it makes no difference if the picture works or not - it is checked by a script, so if it matches it gets killed.

            Yes, computationally tricky, but far from impossible. Just look at rainbow tables. It would be possible to do that for hash values so it becomes a relatively simple look up in a big database. Every time one doesn't appear, you add it. Eventually you have a huge Database with reasonable coverage.

            Might want an algorithm to generate the actual files though, else storage would rapidly become an issue!

          2. Tom 13

            Re: Hope they're using a good hash

            Your maths are correct, but the assertion that it is unfeasible is not. I was discussing the issue with a friend the other week and he is aware of several programs which perform exactly that function. We were discussing it in a different context, essentially a theoretical hashing index to independently check high capacity storage volumes for altered files rather than continuous virus scanning which is unfeasible on their volumes.

      2. Suricou Raven

        Re: Hope they're using a good hash

        The old MD5 algorithm has some weaknesses known now that do make it possible to create a hash collision, though not easy. That's why they should be abandoned in favor of something like SHA1 (Or, for the really concerned, SHA256).

    2. druck Silver badge
      Go

      Re: Hope they're using a good hash

      Just append a zero byte to the file, and the hash collision is solved.

  2. slim mcslim
    FAIL

    well personally

    i hate dropbox, but no matter how often i advise people of its complete inadequacies in every way i am the one met with derision...

    what kind of professional paid for service would allow me to send me a file share link to a client for them only to get a message that their dropbox was full and they could not download the link?

    or a group shared folder that somebody has put GB's worth of data in that dropbox tries to sync over the first internet connection it finds, filling up all available space on the already full local machine?

    or a client uploading video content to share with others but dropbox displaying the first 10 minutes of video, but not giving a link to download it, thus making the client believe that the rest of the video has been lost...

    these are 3 simple scenarios that i have had forced upon me in the last month, the fewer people who use it and pay for the poor service the better....

    p.

    1. Anonymous Coward 101

      Re: well personally

      "i hate dropbox, but no matter how often i advise people of its complete inadequacies in every way i am the one met with derision..."

      For these other people, the service is good enough. As a way to save files and make them available to all one's devices, it's very good.

      1. JaitcH
        FAIL

        Re: well personally

        @Anonymous Coward 101

        Dropbox, just another NSA/GCHQ compliant web site.

        1. Anonymous Coward 101

          Re: well personally

          "Dropbox, just another NSA/GCHQ compliant web site."

          Are you waiting for another offering that absolutely, totally promises not to cooperate with these organisations? Have you thought about encrypting your files before saving them to Dropbox, thereby at least greatly increasing the effort the NSA and GCHQ have to put in to get access to them?

          1. Fred Flintstone Gold badge

            Re: well personally

            Are you waiting for another offering that absolutely, totally promises not to cooperate with these organisations?

            If they're US based that would be a lie, or a very short-lived organisation. Planning upfront to defy a legal notice is not exactly a sustainable business model :)

    2. Tom 35

      Re: well personally

      You forgot to tell us what perfect tool we should all be using...

      For what I do it works great, but it might well be a poor tool for other uses.

      1. petur
        Thumb Down

        Re: well personally

        How about moving away from the overpriced cloud? After all, you're just sharing a few files, you can do this from your home computer. Or a small NAS.

        QNAP even has been adding specific functionality for sharing files with unique links (and time limits), and some dropbox-like syncing functionality.

        These days I only fire up dropbox if somebody insists on using it to send me stuff.

        1. Anonymous Coward

          Re: well personally

          @petur - How about moving away from the overpriced cloud? After all, you're just sharing a few files, you can do this from your home computer. Or a small NAS.

          Oh yes, because EVERYONE is a fully qualified network engineer and sysadmin with the chops to not only load-balance (where needed) but fully secure their servers before making them Internet facing. AND they have a business-grade connection that allows them to run a server. AND they have a static IP OR they have correctly configured DynamicDNS. AND they have the time to do all the above. AND they don't mind paying the leccy. AND lots of low-efficiency, under utilised servers running at home is somehow better for the environment than ones in a datacentre kept at close to capacity (or switched off).

          People don't use DropBox because it's "the best", they use it because it works and they do not have the time/skills to roll their own. Tell me, when was the last time you built your own car? Made your own oven? Constructed your own house by hand? Ran your own bank? Buying in services/items that you do not have the time/skill/scale to do personally is not evil.

          I am certain you use Linux as you are clearly out of touch with the reality of the real world.

          1. petur
            FAIL

            Re: well personally

            @AC (lame AC)

            Oh yes, because EVERYONE is a fully qualified network engineer and sysadmin with the chops to not only load-balance (where needed) but fully secure their servers before making them Internet facing. AND they have a business-grade connection that allows them to run a server. AND they have a static IP OR they have correctly configured DynamicDNS.

            Maybe you should catch up with NAS vendor offerings before ranting....

            Just going to describe the QNAP offering because I know that best, similar offers from others too.

            - QNAP offers its own cloud portal (DDNS), directly set up and configured from your NAS.

            - The NAS software provides the functionality, QNAP firmware updates keep it secure. User only ticks the box to enable functionality.

            - Load balancing on a private system? Come on.

            - Maybe not in every place, but here the uplink speeds have increased in recent years to usable levels. I have about 5mbps uplink these days....

            One point you could make but forgot, is that some ISPs still block ports to prevent you from running a server, so I have to run mine on alternate ports.

            1. Anonymous Coward

              Re: well personally

              @petur - Maybe you should catch up with NAS vendor offerings before ranting....

              So you agree with buying in a service, you just want something physical at home (which still leaves all the issues over firewalls, back-ups, updates etc.) to give yourself a false sense of control and security.

              "QNAP offers its own cloud portal (DDNS), directly set up and configured from your NAS."

              Whoa. Stop right there. So this really isn't a home system at all, is it? You now have to 100% trust QNAP and be certain that they are not playing silly bastards with your data in-transit. It's no different to DropBox.

              "Load balancing on a private system? Come on."

              Perfectly legitimate. As is having a stand-by server running at another location in the event of a power cut. Which brings in concepts of high-availability. Something a user gets "for free" with DropBox but isn't trivial for the average person to do.

              "QNAP firmware updates keep it secure. User only ticks the box to enable functionality."

              Oh, so the user has to totally trust this magic software of unknown provenance. How is that *ANY* different to bunging it into DropBox? Clue: It isn't.

              "One point you could make but forgot, is that some ISPs still block ports to prevent you from running a server"

              No, I think you'll find that I did make that point. Try reading what I wrote. Clue: "business-grade".

              Your "hybrid" system is no different to the likes of DropBox except that it means more bother for the end-user. Whilst the media might be sat in your basement, you are still trusting a third party with all your data. You've changed the architecture, but not solved the problem.

              1. petur

                Re: well personally

                The QNAP DDNS portal is just nice to have, you can use it as free DDNS only, I just wanted to point out that setting up DDNS can be quite painless. In the end it is still my home system and setting up any other DDNS is always possible, you're not locked in.

                The main argument is that my data sits at home. No worries on monthly fees as my collection of pictures and other files I like to share grows...

                Setting up backups is equally painless...

                If I don't use dropbox I can buy new harddisks every year

                But hey, do keep on downvoting and keep your dropbox-branded blindfold on

                1. Anonymous Coward

                  Re: well personally

                  @petur - Setting up backups is equally painless...

                  For you, maybe. Not for others. Do you have a firesafe? Do you keep copies off-site? On what media?

                  "But hey, do keep on downvoting and keep your dropbox-branded blindfold on"

                  That's not the point I am making. The point is, it might be easy for you to have a part-baked system (because I doubt you are running multiple servers in different locations, have UPS etc) but it is *NOT* easy for the average user and it is damned near impossible for them to have a proper system (redundancy, off-site back-ups etc).

                  So they chose DropBox etc. Is that so hard to understand?

          2. nematoad
            Windows

            Re: well personally

            "I am certain you use Linux as you are clearly out of touch with the reality of the real world"

            Well all I can say is that if Windows 8 represents the real world, then you are welcome to it.

      2. autocatakinetic

        Re: well personally

        How about a simple FTP server? Dropbox is for morons.

        1. SuccessCase

          Re: well personally

          You mean SFTP server. FTP is for suicidal morons.

        2. Anonymous Coward

          Re: well personally

          @autocatakinetic - Dropbox is for morons.

          Quick, in 5 easy steps how does your non-IT literate granny spec, install, configure, secure, maintain and back-up a public-facing FTP server?

          Now who's the moron?

          Not everyone is a nerd stuck in a basement cultivating their neckbeard, some people have actual lives. Buying in a service is not evil.

          1. ElReg!comments!Pierre

            Re: well personally

            > Quick, in 5 easy steps how does your non-IT literate granny spec, install, configure, secure, maintain and back-up a public-facing FTP server?

            -download Filezilla-FTP-for-dummies-setup.exe

            -click on Filezilla-FTP-for-dummies-setup.exe

            That's 2 steps. You're welcome.

            1. Gav
              Facepalm

              Re: well personally

              And where is this magic setup application? Any installation of an FTP server would require configuration of your router. Your mythical "for dummies" setup isn't going to do that for you.

              1. Anonymous Coward

                Re: well personally

                @Gav - Your mythical "for dummies" setup isn't going to do that for you.

                Exactly. Even these people who claim it is soooooo easy can't get it right and think their cobbled together system is going to have anything like the resilience of a professional offering.

                Add to that ISPs blocking servers for non-business customers and you have a fantasy world.

                There is NOTHING WRONG with running your own server. But just because you have a week to kill sorting out back-ups, redundancy etc does not mean everyone else has, or even has the skill to do so.

            2. Anonymous Coward

              Re: well personally

              "download Filezilla-FTP-for-dummies-setup.exe"

              From where? What does "download" mean?

              "click on Filezilla-FTP-for-dummies-setup.exe"

              In the Google? What does that do? What do I do after? Did you mean double-click?

              "That's 2 steps."

              Which don't actually work and presume much more knowledge than your target audience actually has.

              1. ElReg!comments!Pierre

                Re: well personally

                > In the Google?

                Yes, in the Google.

                > What does that do?

                It allows you to share your cat videos with your grand-grand-kids

                > What do I do after?

                Nothing

                > Did you mean double-click?

                Yes

                > "That's 2 steps." Which don't actually work

                They do. Just try.

                > and presume much more knowledge than your target audience actually has.

                Not more than using Dropbox. And it relies considerably less on unspoken visual codes than "dumbed-down" (but unintuitive and undocumented) solutions like Dropbox.

                The cowards here lack the tech clout of an elderly woman apparently. Dropbox is _not_ easy for the non-technical people, especially the older ones (its retarded interface is based on Facebook visual codes, which is not familiar to the elder).

                Also, local solutions these days are plug-and-play, more so than Dropbox. In most cases, _no_ config changes at all are needed. The only cases where I've seen them fail was on internal network where the admins had put a lot of effort into insulating the local network from the outside world. On a home system it'll go directly through the firewalls. Go look up the stuff you diss (filezilla et al), you'll look considerably less stupid.

                1. Anonymous Coward

                  Re: well personally

                  "Go look up the stuff you diss (filezilla et al)"

                  I'm not dissing Filezilla, I am dissing your instructions.

                  Which are still incomplete, by the way. You are still assuming knowledge on the part of the user. And you simply can't do that.

                  After entering the term into Google and then clicking on it. Nothing happens. You have to tell them to click "Search". And then tell them how to identify the correct result. And then how to get to the actual download link. And then how to download. And then how to find that downloaded file. And then how to verify it's safe. And then how to run it. And then...

                  Way, way, way more than your "two steps".

                  1. Swarthy

                    Re: well personally

                    "I'm not dissing Filezilla, I am dissing your instructions."

                    If I were training a toddler on how to do this, then maybe.

                    Neither my 5 year old son, my 93 year old grandmother, nor (most) of the tech support clients I had (from 1997-2003) needed the kind of hand-holding you espouse for the "average" user.

                    Also: The Dropbox install is about on par with the filezilla setup, so if they can't setup filezilla, how are they going to work Dropbox?

      3. Not That Andrew

        Re: You forgot to tell us what perfect tool we should all be using

        Just about all of the shared storage & "private cloud" offerings out there are better than DropBox. Probably even Microsoft's. DropBox is OK for personal use, but anyone using it for professional purposes is insane.

      4. ElReg!comments!Pierre

        Re: well personally

        > You forgot to tell us what perfect tool we should all be using...

        SFTP

    3. Anonymous Coward

      Re: well personally

      Dropbox is exceptionally useful; the "complete inadequacies" you cite are all user errors.

      "what kind of professional paid for service would allow me to send me a file share link to a client for them only to get a message that their dropbox was full and they could not download the link?"

      One in which the client has used up their quota and either needs to put their hand in their pocket or delete some cat videos.

      "or a group shared folder that somebody has put GB's worth of data in that dropbox tries to sync over the first internet connection it finds, filling up all available space on the already full local machine?"

      How is the piss-poor management of a client machine's free space any problem of Dropbox's? Especially one allocated to the role of collaboration of GBs of data? Sort it out.

      "or a client uploading video content to share with others but dropbox displaying the first 10 minutes of video, but not giving a link to download it, thus making the client believe that the rest of the video has been lost..."

      Dropbox isn't a media streaming service; despite this they will stream video up to ten minutes, anything longer needs downloading. The client sounds a bit thick to be brutally honest.

      This DMCA thing has been blown out of proportion by the original Twit who has leapt to conclusions. Dropbox hashes all files to permit de-duping at the back end. If they receive a DMCA takedown for a file they will block that file from being shared as a blanket operation across the service based on all instances of that hash allocated to a link. They are not trawling users' files or poking around. Various services such as Boxcryptor can help if you want to ensure that only you can interpret or access content, but this won't let someone share copyrighted films.
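The mechanism described in the comment above (hash every file for back-end de-duplication, then block sharing for every link that points at a hash named in a takedown), sketched as an added example that is not part of the original thread and is not Dropbox's code. The `DedupStore` class, the `share.example` URLs and the sample bytes are all constructed for illustration; SHA-256 is an assumption, since the page does not say which hash is used.

```python
import hashlib


class DedupStore:
    """Toy content-addressed store: one blob per distinct SHA-256 digest."""

    def __init__(self):
        self.blobs = {}        # digest -> bytes (each distinct content stored once)
        self.links = {}        # share link -> (owner, digest)
        self.blocked = set()   # digests named in a takedown

    def upload(self, owner, name, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)   # de-dupe: identical bytes reuse the blob
        link = f"https://share.example/{owner}/{name}"   # constructed URL
        self.links[link] = (owner, digest)
        return link

    def takedown(self, link):
        """Block the digest behind `link`; return every link that stops working."""
        _, digest = self.links[link]
        self.blocked.add(digest)
        return sorted(l for l, (_, d) in self.links.items() if d == digest)

    def fetch(self, link):
        _, digest = self.links[link]
        if digest in self.blocked:
            raise PermissionError("sharing disabled for this content")
        return self.blobs[digest]


def demo():
    store = DedupStore()
    film = b"constructed sample bytes standing in for a film"
    a = store.upload("alice", "film.mp4", film)         # the link named in the notice
    b = store.upload("bob", "review-copy.mp4", film)    # same bytes, different context
    c = store.upload("carol", "holiday.mp4", b"constructed unrelated bytes")
    affected = store.takedown(a)                        # blocks by digest, not by link
    return store, (a, b, c), affected


if __name__ == "__main__":
    store, (a, b, c), affected = demo()
    print("blobs stored:", len(store.blobs))
    print("links blocked by one notice:", affected)
```

The block is keyed on content only, so the store has no way to tell a licensed private share from the public one the notice was about; that needs per-link metadata, not a second hash.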

    4. Ole Juul

      Re: well personally

      @slim mcslim: One down vote for not bothering to fix your shift key before posting on an IT site.

    5. Anonymous Coward

      Re: well personally

      Well, this has always worked for me. But you get what you pay for, and, as always, YMMV.

      Personally, I'm wary of the whole "free" and "sharing" trend because the first usually isn't (personal data has a value too, so it's not "free" at all), and the second tends to share with more people than I like.

  3. Mage Silver badge

    Or

    Your own domain and a hosting service.

    Dropbox, Google drive etc are lazy solutions for people that can't be bothered or don't want to set up their own solution.

    1. A Non e-mouse Silver badge

      Re: Or

      Dropbox, Google drive etc are lazy solutions for people that can't be bothered or don't want to set up their own solution

      Or for people who don't understand how this all works.

      El Reg readers are probably quite tech savvy. The general population less so. If the general population were tech savvy, why are hundreds of millions of people still using Hotmail/Gmail/Yahoo/etc?

      1. Anonymous Coward

        Re: Or

        @A Non e-mouse - Or for people who don't understand how this all works.

        \o/ The first commentard who seems to get it. Well done Sir/Madam.

        1. ElReg!comments!Pierre

          Re: Or

          > \o/ The first commentard who seems to get it. Well done Sir/Madam.

          That the "smiley" for a gaping... something or other?

          1. Jonathan Richards 1

            Inappropriate emoticon?

            Prolly thought it was a reasonable facsimile of an "arms in the air" celebration

            \o/

            |||

            / \

            PS El Reg's insistence that it knows where I want to put <p></p> tags is a bit irritating sometimes...

      2. Anonymous Coward

        Re: Or hotmail

        I'm savvy (enough), but still use hotmail. I guess it's just a matter of old habits dying hard, sentiment, but also convenience, to have another mail box (and 25 GB of MS cloud space). Yes, I'm aware of snooping, but there are innocent uses for the Internet too. All to its own.

  4. Peter 39

    hash

    The article doesn't say whether or not the problem was caused by a hash-collision. Or if it was improper sharing.

    So both Dropbox and El Reg have made a hash of this one.

    1. Old Handle

      Re: hash

      Just for the sake of argument it's also possible that something would be copyright infringement when shared publicly, but another person would still have a lawful reason to share it privately.

      1. Jonathan Richards 1

        Re: hash

        > it's also possible...

        Yes, if I was sharing a draft of my first novel with my editor, for instance. But in that case, it's hardly likely to be the subject of a DMCA takedown notice in the first place, is it? DMCA takedown has to be initiated by the copyright owner or his agent.

    2. Anonymous Coward

      Re: hash collision

      hash collision

      Ah, causing an accident after smoking a few

      :)

      1. TRT Silver badge

        Re: hash collision

        Your file share with a work colleague on a collaborative project suddenly disappears 10 minutes before your presentation before the board...

        it's hash brown trousers time.

        1. Hollerith 1

          Re: hash collision

          If you've pinched data or images or other copyrighted work, yes, it should disappear and you shouldn't be using it. Especially if you have a Legal and Compliance department.

  5. Anonymous Coward

    So he stored his data on someone else's computer and was discombobulated when the rules changed?

    1. A Non e-mouse Silver badge

      Actually, the only thing the article says has changed is that you must go to arbitration before calling a lawyer, not that Dropbox have suddenly started blocking access to files due to DMCA notices.

      1. Not That Andrew

        Dropbox have been blocking files due to DMCA notices for a long while. As far as anyone can tell this was not an infringing file, but had a hash collision with one.

        1. Blarkon

          According to his own admission, the material he was pinged for was infringing.

  6. Mikel

    Fix

    echo "b" >> midgetjellowrestling.mp4

    Then upload it again. A stray letter on the end won't harm the movie and it will change the hash.

  7. Anonymous Coward

    Blocking by Hash?

    Easy to get round.

    echo . >> <blockedfile>

    Done.

  8. Anonymous Coward

    I utterly fail to see the problem

    1. The material was copyrighted.

    2. He did not have permission to share (i.e. make more copies)

    3. He was prevented from doing so.

    As a designer you think this idiot would know how copyright works and not infringe on another's rights. If his stuff had been stolen, you can bet he'd be crying all the way to the court house.

    If it's not yours, and you don't have the license, don't share it (i.e. don't steal revenue from the creators). Simple.

    1. Ben Norris

      Re: I utterly fail to see the problem

      What you have failed to account for is that he may well have had permission to share it, eg. within an organisation to do some work. This naive hashing method by dropbox is all or nothing, it completely disregards context.

  9. lansalot

    also..

    Hashes also useful as a de-dupe mechanism. Why store the same file a million times, if it really is identical? (Here's hoping for no hash collisions in that case then...tho of course second-level could always kick in with multiple hashes with different-schemes to try and ensure a difference)

  10. Anonymous Coward

    Problem?

    On winduz, I always find

    copy /B original_dcma_file.mp4 + short_random_textfile.txt new_hash_file.mp4

    breaks the file hashing but plays fine, not that I suggest you do this to fill dropbox with uniquely hashed files.

  11. Anonymous Coward

    Birthday Paradox

    Makes this a bad idea. Honestly, look up the math(s).
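The arithmetic behind the pigeonhole argument earlier in the thread (2^128 + 1 inputs must clash) and the birthday-paradox comment above, as an added example that is not part of the original thread. It uses the standard birthday approximation for accidental collisions among randomly distributed hashes, and a SHA-256 output truncated to 16 bits (an assumption made here so a collision is reachable in a few hundred inputs); the input strings are constructed.

```python
import hashlib
import math


def collision_probability(n_files, hash_bits):
    """Birthday approximation: P(any collision) ~ 1 - exp(-n(n-1) / 2^(bits+1))."""
    pairs = n_files * (n_files - 1) / 2
    return -math.expm1(-pairs / 2 ** hash_bits)   # expm1 keeps tiny results accurate


def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, standing in for a deliberately short hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def first_collision(bits):
    """Hash constructed inputs until two distinct ones share a truncated hash.

    Returns (first_input, second_input, inputs_hashed). The loop is bounded by
    2^bits + 1 inputs because the pigeonhole principle guarantees a clash by then.
    """
    seen = {}
    for i in range(2 ** bits + 1):
        data = f"constructed-file-{i}".encode()
        tag = truncated_hash(data, bits)
        if tag in seen:
            return seen[tag], data, i + 1
        seen[tag] = data
    raise AssertionError("unreachable: pigeonhole guarantees a collision")


if __name__ == "__main__":
    a, b, hashed = first_collision(16)
    print(f"16-bit hash: {a!r} and {b!r} collide after {hashed} inputs")
    print(f"predicted P(collision) for 300 inputs, 16 bits: "
          f"{collision_probability(300, 16):.3f}")
    # A constructed service size: one trillion distinct files.
    for bits in (128, 160, 256):
        print(f"{bits}-bit hash, 1e12 files: "
              f"P ~ {collision_probability(10**12, bits):.3e}")
```

This covers accidental collisions only; a deliberately constructed collision depends on weaknesses in the specific hash function, not on these odds.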

  12. marty101

    obvious work around

    and yet if you just modified those "copyrighted" files you're storing on dropbox slightly the hashes wouldn't match and it would significantly decrease the chances of something getting taken down.
