Dropbox Attempts To Kill Open Source Project
Meskarune writes "Dropbox is trying to kill the Dropship project, a useful program that allows users to import files into their accounts using hashes and bypassing the need to make files public. Dropbox sent out fake DMCA requests to all parties involved, and is banning and censoring the program."
Wouldn't an attempt to intentionally mislead someone with regard to DMCA be regarded as fraud?
Exactly how illegal is this? My guess is "very."
Or is that merely filing a takedown on false pretenses?
0x09F911029D74E35BD84156C5635688C0
Okay, according to the update at the bottom of the link (I know, I RTFA, weird, eh?),
Update: I want to clear up a few things. As far as I'm aware all of the Dropship repositories and archives that were taken down were done so voluntarily. Dropbox never made threats, legal or otherwise. It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.
Apparently, Dropbox is asking nicely, but when they flagged the file it triggered an accidental DMCA notice, for which they seem to be apologizing.
"Legal" is about filing the right paperwork.
I mean, from the FA, it talks about how Dropship is exploiting the Dropbox hashing algorithm, which might be copyrighted along with the rest of Dropbox (I don't know). If it was, then I could see why there would be grounds for copyright infringement, unless the OSS project could demonstrate that it arrived at that dropbox hashing algorithm through blackbox testing.
while(1) attack(People.Sandy);
Useful though it may be, it's very clearly against Dropbox's Terms of Service. That doesn't give them the right to issue takedown notices to other sites on copyright grounds, but let's separate, "evil for issuing fake takedown notices" (which they are), from "evil for wanting to prevent this kind of activity" (which is perfectly reasonable).
They're not running a filesharing service, that's not their business model, and they don't want to end up like Rapidshare or any of the N other filesharing services in legal hot water. I love Dropbox, and I would hate to see one of its most useful features - public collaboration folders - shut down because some asshats can't obey the TOS and just use torrents instead. Dropbox should be trying to find a technical solution to block something like this, but if that's not possible, what can they do?
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
So, still stupid, but at least there's the possibility that it wasn't malice.
...'tis easier to blame than to improve.
Vote this article down - it's misleading flamebait in the extreme. In particular, it fails to mention that the software was designed to facilitate anonymous filesharing, which would most certainly be used for copyright infringement and illegal purposes. And, the whole thing goes against Dropbox's TOS, even if it isn't used for dubious file sharing purposes.
If you read the article, the claim is that the DMCA request was a mistake, not "fake". Big difference there!
Gotta love how the guy is still hosting Dropship, just not on Dropbox itself.
Don't be surprised if his Dropbox account gets yanked for real this time, and some sort of lawsuit follows.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I'm with dropbox on this one. The idea of converting dropbox into some sort of filesharing/torrent service, for passing potentially illegal files around is not good.
I can see why Dropbox doesn't want to be linked to such a thing, when the big media people come a knocking, who do you think is going to end up getting sued?
And just because it's open source doesn't make it right, or wrong, or change anything.
Dropbox states that all files on their servers are encrypted. I had assumed this meant the key was encrypted with your own password, but this exploit suggests that the files either are not encrypted, or encrypted with a freely accessible key.
From: https://www.dropbox.com/help/27
"All files stored on Dropbox servers are encrypted (AES-256)"
I'll have something intelligent to add one of these days...
http://news.ycombinator.com/item?id=2483053
No kharma whore
>import files into their accounts using hashes and bypassing the need to make files public.
???
It bypasses the need to make files public?
So, when you use Dropbox, you have to make files public? Isn't DropBox a way to share email attachments without attaching it to an email?
Why would you want to make it public?
I'm not a lawyer, but I play one on the Internet. Blog
It doesn't matter if they sent a DMCA or not, they clearly want an open source program off the internet.
Activate Streisand effect in 5, 4, 3, 2 ...
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
If I were running DropBox, I wouldn't go after the guys who exploited a weakness in the way my filesharing worked...I'd fix it. Seems very odd that DropBox would worry about DropShip at all. Now I don't know anything about how this stuff works and so it may not be a simple change, but if you're going to be a company that wants to provide secure filesharing, then you've got to make the change anyway, DropShip or no DropShip. So, update your code to close the loophole so it doesn't work any more. Problem solved, not only for DropShip but also for any other person looking at the same thing.
Skip Franklin
It's always darkest just before it goes pitch black. -- despair.com
http://www.horrendum.de/images/laanwj-dropship-464e1c4.tar.gz
Just to clarify, the email under discussion was not really a DMCA Takedown Notice, as we generally think of it. Those are notices sent by content owners to a service provider, demanding that certain content be removed. Those carry the legal restrictions and penalties for false filings. *This* was the notice sent by the service provider to the customer saying, "Oh, by the way, we had to take down XYZ because someone claims you can't do that." Which is completely different.
Now, the guys at Dropbox did contact others who were publishing Dropship. These were, by all accounts, very cordial messages, along the lines of, "We hope you understand that this isn't good for us. Could you please help us out?"
I doubt I would have heard of this any time soon were it not for this advertising.
If someone wants to turn an Apache webserver into an "ftp site" using the http protocol, what is the best drop-in solution? One that does not involve programming. I found one that has a progress bar and stuff, but I am sure there are others out there.
What is the state of the art?
Slashdot has become increasingly misleading and sensationalist in recent years. So much so that I'm moving Slashdot's RSS feed to the bottom of my pile; to be seen only in moments of extreme boredom. I have far better things to do with my time than wade through the constant stream of FUD that this site is generating these days.
This isn't censoring. This isn't the government. That word is going to stop meaning something if people can't use it in some sort of rational context. Never mind that Dropbox is just trying to prevent their system from being turned into a big anonymous piracy farm - a very real concern, and one that they have every reason (and latitude within their TOS) to fight. But ... "censoring?" Why not just call them fascists, while we're at it? Idiots. This article is inaccurate, alarmist trolling.
Don't disappoint your bird dog. Go to the range.
"Dropship that allows users to exploit Dropbox's file hashing scheme to copy files into their account without actually having them."
I can see why they would be a bit ruffled over this. Seems like this could be in the same realm as an SQL injection attempt. It's just using JSON instead.
"First of all, attempting to protect a proprietary protocol is going to get them nowhere. "
Ok, that's a problem. The reason the protocol is proprietary is because the company has put a lot of time, money and effort into developing their product. They want to recoup some of the development costs through the implementation of their protocol.
The DMCA thing well ...that's what the DMCA is. It's basically a catch-all b1tchstick that can be bent into whatever shape the law wants to blame whoever for whatever. The way dropbox handled things *is* pretty crappy IMO, but if you're going to be a dick and crack peoples websites.... expect to get dick'd back.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Seems like this could be in the same realm as an SQL injection attempt. It's just using JSON instead.
The hack only allows people to share their own files with others more easily. It's not like it would allow them to take over the web server or access other people's files without permission.
I don't see how this could compete with BitTorrent - everything a pirate uploads onto Dropbox is logged and can easily be used against them in a trial.
Hi, I'm the person who wrote dropship. This thread is completely bogus, as there were no DMCA requests issued at all. They mailed me and asked me nicely to take the code down from github, which I did.
The DMCA confusion is because they stopped a file from being shared on their own service, which generated a silly mail that a DMCA request had been received from themselves and hence a file was taken down. The blogger confused this with a DMCA request (and corrected it afterwards, but it seems slashdot missed this).
So can we cut it with the flamebait title?
Does this mean that DMCA is an actually restricted four letter word? That would make DMCA the strongest cuss word of them all! What ever you do, don't threaten to DMCA someone, especially in writing, unless you have what it takes to DMCA someone! That's just DMCA'd up.
It's not even *remotely* like an exploit or SQL injection attempt. It reproduces exactly what the original client does through HTTPS. Except that it skips the initial hashing part. But it's certainly not a server exploit like you pretend.
Thanks, Barbra!
Trolling is an art.
Hmm.. the author calls it an exploit in the article. Seems to me that anytime you devise a method to utilize something that it wasn't really intended for, it is indeed an exploit, hack, workaround, kludge, whatever.
I think it's marvelous this person found a way to use the system in a way it wasn't intended. He/She is probably very bright. Thing is though, if you're going to mess around in places you really aren't supposed to, don't be surprised if someone takes issue with it. That's the risk you take. Used to be people used pseudonyms to mitigate some of the risk, but that's a whole 'nother discussion on privacy vs. idiocy.
If someone can grab access to files by uploading a hash without worrying about sharing, that means they can generate random hashes and gain access to files. ouch.
Never has, never will, based on the replies from CS/Tech Support. Seems that it will work okay with a simple setup and small data set, but get one thing off or try to use what you paid for (in my case, about 100GB of corporate data), and you can just give up. I spent two months, five re-installs, and countless hours trying to get things to work - we finally just gave up and went with an inferior service that we could make work acceptably.
FWIW - SO's backup service was flawless. I never found a missing file or had a problem with it keeping the backup data working.
Is it just my observation, or are there way too many stupid people in the world?
Thanks for your feedback. It's quite right that it took us a long time to get zero-knowledge Sync working perfectly with all the amazing edge cases. I'd say the newer versions of SpiderOak are probably 98% there now (just gauging from how many customers are very happy with it) and in the next release or two we'll be golden.
The challenges are different than a traditional sync algorithm, because there's not a server which sees everything and can direct the traffic. Every calculation has to happen client side. Thanks for giving us a try regardless. :)
>I never found a missing file
Wait, is that a good thing or a bad thing? I'm confused.
"According to some, 90% of all email is spam. Does that make SMTP an illegitimate protocol? Often, the easiest way to find copyright infringing works is using Google. Does that make the search engine illegitimate? Porn drove early VCR development. Is VHS an illegitimate technology?"
There's a difference between a protocol specification and actually wanting to foot the bill for the infrastructure and legal battles. You want to defend file sharing? Fine, buy a hosting account and go for it. Don't expect DropBox to foot the bill, though.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
FUCKING SLASHDOT EDITORS STOP POSTING SENSATIONALIST BULLSHIT.
There, I said it. There is in fact news worthy of slashdot readers within all this mess:
1. That Dropbox uses a transfer mechanism which is pretty much "security through obscurity".
2. (Most important) that you can potentially get any file by only having its hash. I think this is a huge security problem waiting to be exploited. What prevents someone from "brute forcing" a JSON file to scan and download any available files? I am sure with a bit more thinking, that would be interesting.
Too bad it was nobody else than Mr. Malda who posted this... it really shows that he is more interested in posting sensationalist crap, instead of real and interesting NEWS FOR NERDS and STUFF THAT MATTERS.
Quick someone, make a slashdot clone (I'll try again hackernews).
Ubuntu is an African word meaning 'I can't configure Debian'
If you want 250 Mb extra when joining Dropbox you can use this link:
http://www.dropbox.com/referrals/NTM1MDM5MTE5
Why host your files in a country that is hostile to creativity and RW culture? Sure, you may still live there, but that doesn't mean that your files have to.
Yes, they may be able to sue you but the entity who hosts the files doesn't have any obligation to respond to DMCA takedown notices.
git-annex uses git to track your metadata and rsync to move your files around. It knows which repos hold what files and can enforce minimum copies, trust levels, etc.
Also, it can store transparently encrypted data with untrusted third parties like Amazon S3. You can even have it use bup as a back-end which gives you change tracking of actual data, not only metadata. Oh, and a FUSE front-end is in the works which means you get 100% transparent file tracking, distribution and backup. All based on FLOSS and you are in control.
If you know how awesome VCS are and want to use them to actually get some order into your files, configs and maybe even life, click the links below.
http://git-annex.branchable.com/
https://github.com/apenwarr/bup
http://lists.madduck.net/listinfo/vcs-home
#vcs-home on irc.oftc.net
Fair enough. I wasn't clear on that.
That's the way I see it.
Leslie Satenstein Montreal Quebec Canada
I think you misunderstand. The tool never allowed you to store more than your quota's worth of files. The files "teleported" into your account still counted as normal files. They also have to be in someone else's folder at the moment that dropship is used. Their problem with it was that it would make illegal file sharing easier, and they didn't want to run the risk of being associated with that. It's as simple as that.
Thank you for the clarification. I would not use Dropbox for illegal file sharing. I was always honest and only took music from my kids. They told me that they got the music legally, but did not tell me more. I have not seen CDs with stereo versions of classical music, only older monaural recorded CDs.
Thanks for clearing that up.
Here is a security risk as far as I can tell....
Pretend there is a large company 'BigOilCo'. Now suppose that every day they set a price on a commodity. The person who does the work uses dropbox to transfer the document to someone at head office, who embargoes it for publication until the next day. The (.txt) file always looks exactly the same, except the date is changed in the upper left, and the price is different. (Pretend that the file comes from a financial mathematical modelling script.) Then guessing the hash of the 'still secret' file is not a problem, just look at yesterday's file, change the date, and put in like 1000 different possible prices for oil tomorrow. Then you get 1000 hashes. Try downloading all those files from Dropbox. The one that downloads is tomorrow's price.
A 2^256 hash table is huge, but the available space of small files that you already know almost all the details of can be very small.
I don't know how many sensitive files like this are floating around on Dropbox, but there are likely more than there should be!
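The guessing risk described in this comment, and the earlier question about what "encrypted (AES-256)" can mean when a hash alone fetches a file, as an added illustration that is not part of any comment here: a constructed in-memory content-addressed store, with a per-user keyed index shown as the mitigation. All names, keys and prices are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed model of a content-addressed store: index string -> file bytes.
Store = Dict[str, bytes]


def report(date: str, price_cents: int) -> bytes:
    """The predictable .txt file from the thread: only date and price vary."""
    return f"{date}\nBigOilCo daily price: {price_cents / 100:.2f} USD/bbl\n".encode()


def content_index(data: bytes) -> str:
    """Unkeyed index: anyone who can reproduce the bytes can reproduce the index."""
    return hashlib.sha256(data).hexdigest()


def keyed_index(data: bytes, user_key: bytes) -> str:
    """Keyed index (HMAC under a per-user secret): reproducing the bytes is not enough."""
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()


def claim_by_index(store: Store, index: str) -> Optional[bytes]:
    """Models importing a file into an account by presenting only its index."""
    return store.get(index)


def guess_price(store: Store, date: str, candidate_cents: range,
                user_key: Optional[bytes] = None) -> Optional[int]:
    """Walk the small candidate space and see whether the store confirms one.
    Without user_key the guesser can only compute the unkeyed index."""
    for cents in candidate_cents:
        data = report(date, cents)
        idx = keyed_index(data, user_key) if user_key else content_index(data)
        if claim_by_index(store, idx) == data:
            return cents
    return None


def demo() -> tuple:
    """Returns (price leaked from unkeyed store, guess against keyed store, owner's lookup)."""
    secret_date, secret_cents = "2011-04-26", 11237            # constructed sample
    user_key = b"constructed-per-user-secret-key"              # constructed sample
    candidates = range(10000, 13000)                           # ~3000 guesses, not 2^256
    secret = report(secret_date, secret_cents)

    unkeyed: Store = {content_index(secret): secret}
    leaked = guess_price(unkeyed, secret_date, candidates)     # 11237: file confirmed

    keyed: Store = {keyed_index(secret, user_key): secret}
    blind = guess_price(keyed, secret_date, candidates)        # None: index unguessable
    owner = guess_price(keyed, secret_date, candidates, user_key)  # key holder still dedups
    return leaked, blind, owner
```

The keyed index trades cross-user deduplication for the guarantee that a stranger who can reconstruct your file byte for byte still cannot use the store to confirm it.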
I have had repeated problems with their sync also - though it does work 99% of the time for me as a very small user (2gb free account). Great to know that their sync stuff doesn't work for large/complex deployments.
Ditto their backup solution -- it works great and has never lost anything for me.
> Exactly how illegal is this? My guess is "very."
IMO, it need not be criminal if a false statement causes harm $$. Civil action might cause more effective action than limp noodle legal actions by a civil servant in a department of Justice some place with a murder to persecute/prosecute. It is not clear to me that Xfast.con has the legal right to provide a pay per view service. What if I was to launch a DMCA against that company? As per the DMCA the ISP must act even if the ISP is also the service company..... And if the material was in fact copyright and illegal the ISP would lose for not acting. Durned if they do, durned if they don't.
Ok, so there's some confusion as to whether there really was a DMCA notice, and whether such notice was (would have been?) valid. Quite aside from that, I am puzzled about the notice response quoted in TFA. Basically, the responder says the material is non-infringing because it has a copyright notice allowing copying/modification/etc. But the existence of such a notice does not in any way guarantee that someone else does not have a legitimate claim of infringement, right? Which is not to say that DropBox has one, just that this does not seem to be a valid argument that they don't.