Dropbox Attempts To Kill Open Source Project
Meskarune writes "Dropbox is trying to kill the Dropship project, a useful program that allows users to import files into their accounts using hashes and bypassing the need to make files public. Dropbox sent out fake DMCA requests to all parties involved, and is banning and censoring the program."
Is that fraud? (Score:5, Interesting)
Wouldn't an attempt to intentionally mislead someone with regard to DMCA be regarded as fraud?
Re:Is that fraud? (Score:5, Informative)
Well, intentionality would seem to be missing. As I quoted in a comment below, the update at the bottom of the article now reads as follows:
Update: I want to clear up a few things. As far as I’m aware all of the Dropship repositories and archives that were taken down was done so voluntarily. Dropbox never made threats, legal or otherwise. It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.
Re: (Score:3, Interesting)
None of which makes me feel any better.
The statement that no threats, legal or otherwise, were made is false. Even if the threats were made accidentally, threats were made. Saying an automated email was kicked off inadvertently does not mean the email was never sent.
Then there's the issue of the mistakenly activated automated email. Why do they have a process that automatically sends out DMCA notices?
Then there's the action of removing the files at issue. I'm not sure how I feel about the selective acti
Re:Is that fraud? (Score:5, Insightful)
I don't want the admins at Dropbox going through my files.
Don't put them on Dropbox's servers.
Re:Is that fraud? (Score:5, Informative)
Use SpiderOak instead - zero prior knowledge encryption so no one but the password holder can see the files. (My relation to SO is as a non-paying customer).
Re: (Score:2)
+1 for SpiderOak
Used it for over a year.
Never had a problem with them.
It's a shame SpiderOak's sync function doesn't work (Score:4, Interesting)
Never has, never will based on the replies from CS/Tech Support. Seems that it will work okay with a simple setup and small data set, but get one thing off or try to use what you paid for (in my case, about 100GB of corporate data), and you can just give up. I spent two months, five re-installs, and countless hours trying to get things to work - we finally just gave up and went with an inferior service that we could make work acceptably.
FWIW - SO's backup service was flawless. I never found a missing file or had a problem with it keeping the backup data working.
Re: (Score:3)
Or just use Dropbox's folder as the storage directory for encfs, and then mount it somewhere else - it's what I've been doing.
Re: (Score:3, Insightful)
It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.
There are no edge cases in the DMCA. Either it was a valid DMCA request or it was perjury.
Re:Is that fraud? (Score:5, Insightful)
There was never a DMCA takedown notice.
The DMCA takedown notice is what a copyright holder sends to a content host.
The e-mail from the content host to the user saying "we deleted your file because ______" is not a DMCA takedown notice, regardless of the reason they give.
Content hosts are supposed to notify users whose content has been removed due to DMCA takedown notices so that the users have the opportunity to file counter-notices under the DMCA, but that correspondence is not itself a DMCA takedown notice.
Re: (Score:3)
So they either lied about the existence of the notice, or actually went and delivered themselves the notice.
They either lied about the existence of the notice, or the system simply sent that in error due to an honest mistake on their part. But either way it wasn't illegal.
And they obviously didn't deliver themselves a notice... that would make no sense whatsoever.
Re:Is that fraud? (Score:5, Interesting)
It was not a DMCA "request". It was a notification that they were removing the file in order to comply with DMCA Section 512 C-1-c, which indicates "No liability if ... upon obtaining knowledge or awareness, OSP expeditiously removes Work" [benedict.com]
In other words, they believed the material to infringe on DMCA, and as the file host, they have the right and duty to remove such a file when they believe it to be infringing. See, Dropbox isn't just the potentially "injured party", they are also the service provider-- and that is the capacity they were issuing the notice in. (NB- IANAL)
Re:Is that fraud? (Score:5, Informative)
Except if you read the article, only one "fake" DMCA notice was sent out, and it appears to have been a legitimate accident. While the author of the article is not exactly happy with Dropbox's response to this matter he is not nearly as down on it as the summary suggests, and Dropbox's behavior was nowhere near as flagrant as the summary suggests. This is not "nothing", but it's not anywhere near the level of "awful" suggested in the summary. Whole situation is somewhere between "tempest in teapot" and "very mildly concerning".
Re: (Score:2, Informative)
Except if you read the article, only one "fake" DMCA notice was sent out
It wasn't even a DMCA notice. It was an erroneous letter from provider to customer informing customer that the provider received a DMCA notice, when the provider had not (the provider was exercising their privilege of removing the file).
Re: (Score:2, Funny)
So this really should read,
"Blogging Blogger Libels DropBox"
Correct?
Re: (Score:3)
The further correction makes it even MORE not libel.
Re: (Score:2)
Fraud on whose side? I am pretty sure you are not allowed to (illegally) distribute copyrighted material on Dropbox, using dropship or otherwise.
While I think that dropship is a neat hack, the main use for it seems to be a fast and "free" warez server. And obviously Dropbox cannot support that, for so many reasons. Dropbox offers a great service, for free, and I would like it to stay that way. You use their servers, you play by their rules... simple.
Fake DMCA = illegal, right? (Score:2)
Or is that merely filing a takedown on false pretenses?
Re: (Score:3)
According to an anonymous comment on the blog:
Maybe a BIT sensationalistic... (Score:5, Informative)
Okay, according to the update at the bottom of the link (I know, I RTFA, weird, eh?),
Update: I want to clear up a few things. As far as I’m aware all of the Dropship repositories and archives that were taken down was done so voluntarily. Dropbox never made threats, legal or otherwise. It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.
Apparently, Dropbox is asking nicely, but when they flagged the file it triggered an accidental DMCA notice, for which they seem to be apologizing.
Re:Maybe a BIT sensationalistic... (Score:5, Interesting)
VIA post at slashdot.org
Re: Copyright Claim
The Slashdot Hosting Company:
I am the copyright owner of the post being infringed at:
http://news.slashdot.org/comments.pl?sid=2105778&cid=35944048 [slashdot.org]
Copies of the post being infringed are included to assist with their removal from the infringing Web sites.
This letter is official notification under the provisions of Section 512(c) of the Digital Millennium Copyright Act (“DMCA”) to effect removal of the above-reported infringements. I request that you immediately issue a cancellation message as specified in RFC 1036 for the specified postings and prevent the infringer, who is identified by its Web address, from posting the infringing photographs to your servers in the future. Please be advised that law requires you, as a service provider, to “expeditiously remove or disable access to” the infringing photographs upon receiving this notice. Noncompliance may result in a loss of immunity for liability under the DMCA.
I have a good faith belief that use of the material in the manner complained of here is not authorized by me, the copyright holder, or the law. The information provided here is accurate to the best of my knowledge. I swear under penalty of perjury that I am the copyright holder.
Please send me at the address noted below a prompt response indicating the actions you have taken to resolve this matter.
Sincerely,
0100010001010011
Re:Maybe a BIT sensationalistic... (Score:5, Funny)
Oh shit. Sorry about that. I don't know what the system was thinking.
Re: (Score:2)
His initials, more likely, but still an awesome coincidence.
Re: (Score:3)
Presumably because the requirements of the DMCA legislation in the US are so onerous on services like Dropbox that an automated system is the only reasonable way to go. I'm not sure, being a Canadian (and waiting with great anticipation for our new government to slap our own version of the DMCA down on us)...
Seems to me that if I were the coder in question, I might be tempted to say "okay, the only reason we're ever going to block anything from public sharing is because someone filed a DMCA complaint... so
Re: (Score:2)
Or from a programmer's point of view: If 99.9% of the time B follows A, automate B. Handle the
Re: (Score:2)
Maybe it did and the admin forgot to tick the non-default reason. Who knows... all that really matters is that it does appear to have been an honest mistake.
Re: (Score:2)
For some reason this topic has built up an epic level of FUD.
Their system was designed to be used in response to DMCA notices. Dropbox would get a takedown notice, they'd flag the file to be removed, and an e-mail would be sent to the uploader of the file informing them of the DMCA notice.
In this case, a dropbox guy used the tool without realising that the last step was automated. There was never any DMCA notice generated, just a DMCA notice notice.
Re: (Score:2)
Alright, but why was the file even flagged for takedown at all? It didn't violate any copyright, or any other law. It's just because Dropbox didn't like it. They shouldn't be removing or flagging files and users for things they just don't like (DMCA takedown notice or not).
Are they fake though? (Score:2)
Re: (Score:3)
I mean, from the FA, it talks about how Dropship is exploiting the Dropbox hashing algorithm, which might be copyrighted along with the rest of Dropbox (I don't know). If it was, then I could see why there would be grounds for copyright infringement, unless the OSS project could demonstrate that it arrived at that dropbox hashing algorithm through blackbox testing.
Thankfully, copyright does not apply to algorithms and the US has a legal system based on the idea that people are innocent until proven guilty.
Re: (Score:2)
And, the DMCA has an explicit exception for interoperability and such, which I think this would be covered under.
Unless one is suspected of copyright infringement, kiddie porn or terrorism, then it's straight on to the presumption of guilt and you needing to prove you didn't do it.
Sadly, it seems like those three can pretty much bypass any court oversight.
Re: (Score:2)
And, the DMCA has an explicit exception for interoperability and such, which I think this would be covered under.
I think you're confused. Perhaps you're thinking of the anti-circumvention clause [wikipedia.org] which clearly doesn't apply in this case. Dropbox is not claiming copyright infringement and seems to have admitted that the DMCA takedown notice was a mistake. They are claiming that using Dropship violates their terms of service, which it probably does. However, the DMCA has nothing to say about that since it is not at all related to copyright.
Even if the DMCA's anti-circumvention clause applied, it still doesn't change the
Re: (Score:2)
Not confused, maybe interpreting it differently ...
Revealing their "proprietary client-server protocol" is part of the issue here, and we have explicit rights to reverse engineer a protocol. I'm not sure on what basis Dropbox can really keep their protocol sec
Re: (Score:2)
The implementation of an algorithm, however, CAN be copyrighted, which Dropbox IS.
As for that "innocent til proven guilty", where does it say that the blogger was convicted of anything? This hasn't even gone to court; "innocent till proven guilty" has absolutely nothing to do with it. Dropbox is the service provider, and thus has the explicit right under DMCA to remove all material it believes to be infringing (as does, for example, Youtube).
Re: (Score:2)
Funny, before coming to slashdot I was reading NYTimes, about an Afghan farmer being imprisoned for a few years because he had a pair of binoculars on him.
"Useful" (Score:5, Insightful)
They're not running a filesharing service, that's not their business model, and they don't want to end up like Rapidshare or any of the N other filesharing services in legal hot water. I love Dropbox, and I would hate to see one of its most useful features- public collaboration folders- shut down because some asshats can't obey the TOS and just use torrents instead. Dropbox should be trying to find a technical solution to block something like this, but if that's not possible, what can they do?
Re: (Score:2)
It also appears that the take down notices are a mistake, and Dropbox is apologizing for them.
Re: (Score:2)
That doesn't give them the right to issue takedown notices to other sites on copyright grounds...
I don't believe that's what happened.
Re: (Score:2)
Who cares, it's not like anyone is going to read the article anyhow. This is too juicy of a chance to rail about copyright, the government, and corporations.
Re: (Score:2)
I love Dropbox, and I would hate to see one of its most useful features- public collaboration folders- shut down because some asshats can't obey the TOS and just use torrents instead.
The shared folder feature is not the problem. The problem is that the client only sends a hash of the file to the server to check whether the server already has that file in its global database. If this is the case, it doesn't have to be uploaded. I experienced that when I put a ~2GB file into my Dropbox, and it synced within a second (and no, I don't have a fast Internet connection). Somebody else has the same file in a Dropbox, and so the server already knows about that hash.
What the hack does is pretend
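Added example (not part of the original thread, and not Dropbox's or Dropship's code): a toy in-memory store showing why the hash-only dedup check described in the comment above turns the hash into the access credential, next to a variant that asks the client to prove it holds the bytes. Class, function and account names are hypothetical; SHA-256 and the HMAC challenge are assumptions, since the thread names neither the hash in use nor any fix.

```python
import hashlib
import hmac
import os


class HashOnlyStore:
    """Dedup store that trusts a bare 'I already have this hash' claim."""

    def __init__(self):
        self.blobs = {}      # sha256 hex digest -> file bytes (global database)
        self.accounts = {}   # account name -> set of digests linked to it

    def upload(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)          # store each content once
        self.accounts.setdefault(account, set()).add(digest)
        return digest

    def claim(self, account, digest):
        """Skip the upload if the server already knows this digest."""
        if digest not in self.blobs:
            return False                             # client must upload
        self.accounts.setdefault(account, set()).add(digest)
        return True

    def download(self, account, digest):
        if digest in self.accounts.get(account, set()):
            return self.blobs[digest]
        raise PermissionError("digest is not linked to this account")


class ProofOfPossessionStore(HashOnlyStore):
    """Same dedup, but linking requires an answer only a holder of the bytes can give."""

    def __init__(self):
        super().__init__()
        self.pending = {}    # (account, digest) -> one-time nonce

    def claim(self, account, digest):
        raise PermissionError("bare hash claims are not accepted")

    def begin_claim(self, account, digest):
        # Note: returning None vs. a nonce still reveals whether the content
        # exists on the server; this variant only stops access by hash alone.
        if digest not in self.blobs:
            return None
        nonce = os.urandom(32)
        self.pending[(account, digest)] = nonce
        return nonce

    def finish_claim(self, account, digest, proof):
        nonce = self.pending.pop((account, digest), None)   # single use
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.blobs[digest], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.accounts.setdefault(account, set()).add(digest)
        return True


def possession_proof(nonce, data):
    """Client side: HMAC over the file content, keyed with the server's nonce."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


def demo():
    secret = b"constructed sample: quarterly-report draft\n" * 4
    weak = HashOnlyStore()
    digest = weak.upload("alice", secret)
    # A second account that knows only the digest gets the content linked.
    weak_leak = weak.claim("mallory", digest) and \
        weak.download("mallory", digest) == secret

    strong = ProofOfPossessionStore()
    strong.upload("alice", secret)
    nonce = strong.begin_claim("mallory", digest)
    # Without the bytes, the best available input is the digest itself.
    forged = strong.finish_claim("mallory", digest,
                                 possession_proof(nonce, digest.encode()))
    nonce = strong.begin_claim("bob", digest)
    honest = strong.finish_claim("bob", digest, possession_proof(nonce, secret))
    return weak_leak, forged, honest


if __name__ == "__main__":
    print(demo())
```

The full-file HMAC makes the server read the whole blob for every claim; it is used here only to keep the example short.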
where's the firehose (Score:5, Informative)
Vote this article down - it's misleading flamebait in the extreme. In particular, it fails to mention that the software was designed to facilitate anonymous filesharing, which would most certainly be used for copyright infringement and illegal purposes. And, the whole thing goes against Dropbox's TOS, even if it isn't used for dubious file sharing purposes.
Comment removed (Score:5, Informative)
Re: (Score:3)
Or maybe people just want to share files privately. Not everyone wants to make their files public to share them.
Everything these days is "Oh noes, teh illegal stuffs", get fucking over it. Baseball bats have lots of illegal uses, no one fights the sales of those.
The TOS violation is the only thing that matters here. It is also why I never used dropbox and never will. I will keep my own files on my own server thank you.
Re: (Score:2)
Dropbox already lets you share files privately. Just not in this particular manner.
I have Dropbox on this machine with a handful of shared folders from other Dropbox users.
Re: (Score:2)
Vote this article down - it's misleading flamebait in the extreme. In particular, it fails to mention that the software was designed to facilitate anonymous filesharing, which would most certainly be used for copyright infringement and illegal purposes.
Yeah, anonymous file sharing has no legitimate [linuxtracker.org] purposes [tuxdistro.com] whatsoever [libreoffice.org].
Re:where's the firehose (Score:4, Insightful)
According to some, 90% of all email is spam [cnet.com]. Does that make SMTP an illegitimate protocol? Often, the easiest way to find copyright infringing works is using Google. Does that make the search engine illegitimate? Porn drove early VCR development [indiana.edu]. Is VHS an illegitimate technology?
Re: (Score:2)
I was talking specifically about torrents.
No, jonner's point is still valid. It's just a protocol.
Re: (Score:2)
So much for innocent until proven guilty.
Re: (Score:2)
Er, "innocent until proven guilty" refers to court cases. This hasn't gone to court. How is that statement even remotely relevant?
Mirror, mirror... (Score:2)
Gotta love how the guy is still hosting Dropship, just not on Dropbox itself.
Don't be surprised if his Dropbox account gets yanked for real this time, and some sort of lawsuit follows.
Meh (Score:5, Insightful)
I'm with dropbox on this one. The idea of converting dropbox into some sort of filesharing/torrent service, for passing potentially illegal files around is not good.
I can see why Dropbox doesn't want to be linked to such a thing, when the big media people come a knocking, who do you think is going to end up getting sued?
And just because it's open source doesn't make it right, or wrong, or change anything.
Re: (Score:2)
I can see why Dropbox doesn't want to be linked to such a thing, when the big media people come a knocking, who do you think is going to end up getting sued?
The end user, as Dropbox will duck behind the DMCA.
Re: (Score:2)
That sure worked for the tons of other cases when sites were taken down.
Encryption? (Score:2)
Dropbox states that all files on their servers are encrypted. I had assumed this meant the key was encrypted with your own password, but this exploit suggests that the files either are not encrypted, or encrypted with a freely accessible key.
From: https://www.dropbox.com/help/27 [dropbox.com]
"All files stored on Dropbox servers are encrypted (AES-256)"
Re:Encryption? (Score:5, Informative)
If they used real encryption they would have to host files over and over again. Encryption breaks file deduping. No way is dropbox going to do something like that, there is no advantage in it for them.
Re: (Score:2)
Re: (Score:3)
Encrypting after dedupe breaks the whole point of encryption. It means every copy of the same file is encrypted the same way. That means I can tell who has what files. At that point you are encrypting only to claim you do it.
Re: (Score:2)
The files are encrypted, but Dropbox holds the key. This is how you can access the files through the website and share folders directly with other Dropbox users. It means that your files are susceptible to intrusion, so encrypt anything secret yourself before sending to Dropbox. Truecrypt volumes do work in Dropbox because it uses a block cipher (only changed blocks are synced, not the whole volume), but you do need to disable the option to not update modification timestamp in order for syncing to work. KeeP
Re:Encryption? (Score:5, Informative)
It's already been shown [tirania.org] that Dropbox's claims about security are mostly bogus. If Dropbox can Hand Over Your Files to the Feds If Asked [pcworld.com] then the encryption method they use to store files on their servers is meaningless since they have the private keys anyway.
Re: (Score:2)
Of course they have the private keys. How else would they be able to do password recovery?
Re: (Score:3)
Jungle Disk [jungledisk.com] claims "The master key is based on a password YOU choose, known only to you and not stored with Jungle Disk." It doesn't say where the encrypted private key is stored, but at least they say they don't know the password used to encrypt the key.
Re: (Score:2)
It is likely that your password grants you access to the encryption key-- that way if you lose your password, you can reset it without losing access to all of your files.
Don't understand (Score:2)
>import files into their accounts using hashes and bypassing the need to make files public.
???
It bypasses the need to make files public?
So, when you use Dropbox, you have to make files public? Isn't DropBox a way to share email attachments without attaching it to an email?
Why would you want to make it public?
Re: (Score:3)
>import files into their accounts using hashes and bypassing the need to make files public.
???
It bypasses the need to make files public?
So, when you use Dropbox, you have to make files public? Isn't DropBox a way to share email attachments without attaching it to an email?
Why would you want to make it public?
My understanding is that you normally have to invite people one by one to see your non-public files.
However, it's apparently possible for people to just have the hash and add it to their own dropbox account using Dropship to gain access to it.
Re: (Score:3)
To put it in DMCA terms (since this is eventually where it will end up), Dropship
is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title
-- U.S. Code, Title 17, Chapter 12, Section 1201 [cornell.edu](a)(2)(A)
Re: (Score:2)
Well, I'm not a lawyer, either, but, it's OK: see sig.
Anyway, isn't the copyrighted work the file that Dropbox users are sharing (or doing whatever with)?
How can Dropbox file a DMCA notice regarding a work that's not even theirs?
Re: (Score:3)
Or generate random hashes and see what they get?
Re: (Score:2)
[ding][ding][ding]
[ding][ding][ding]
[ding][ding][ding]
[ding][ding][ding]
[ding][ding][ding]
[ding][ding][ding]
[ding][ding][ding]
Actually yeah someone make a script to poll the server, let's see what the casino of files gives us.
Re: (Score:3)
Re: (Score:2)
Fortunately, it's much, much harder to have accidental hash collisions, even with the weakest commonly-used hash algorithm, than anyone appreciates.
If a billion Dropbox users filled their 2 GB of free space with 1 kB files, these were all hashed with MD5, and you guessed a million hashes a second, it would take on the order of a trillion years to have a reasonable chance of guessing the hash of an existing file.
Re:Don't understand (Score:4, Insightful)
Re: (Score:2)
> The hash is the key and invites and sharing are not even checked.
Yes, so? Encryption works the same way, except that the key is the key. Once you give someone the key or the hash, you may leak your data.
Streisand tag? (Score:2)
I doubt I would have heard of this any time soon were it not for this advertising.
Re: (Score:2)
Well, you might have heard about it if you read Hacker News or Reddit. :-)
I realize what you are saying, and yes, this is a perfect example of the Streisand effect. I am commenting more on how lagged Slashdot has gotten on current news. I read about this (and almost every other Slashdot front page story) on other sources many hours or days ago.
So what is the best drop-in file uploader? (Score:2)
If someone wants to turn an Apache webserver into a "ftp site" using the http protocol, what is the best drop-in solution? One that does not involve programming. I found one that has progress bar and stuff, but I am sure there are others out there.
What is the state of the art?
Last Straw (Score:2)
Re: (Score:2)
2003 called, they want their rant back.
Censoring? (Score:3)
Re: (Score:2)
This isn't censoring. This isn't the government. That word is going to stop meaning something if people can't use it in some sort of rational context.
Do you know what the word means? Because I don't think you do.
Censorship, noun: the practice of examining for and suppressing unacceptable parts.
"Government" does not show up in the definition of the word. There is such a thing as "government censorship" in which case you must actually qualify "censorship" by preceding it with the word "government." You can even qualify it with the word self, as in "self-censorship," the practice of examining and suppressing your own unacceptable behavior.
Never mind that Dropbox is just trying to prevent their system from being turned into a big anonymous piracy farm - a very real concern, and one that they have every reason (and latitude within their TOS) to fight.
That's a fai
Re: (Score:2)
dropbox examined content and deemed it inappropriate
FTFA, both sides seem guilty. I'm confused. (Score:2, Insightful)
Dropship that allows users to exploit Dropbox's file hashing scheme to copy files into their account without actually having them."
I can see why they would be a bit ruffled over this. Seems like this could be in the same realm as an SQL injection attempt. It's just using JSON instead.
"First of all, attempting to protect a proprietary protocol is going to get them nowhere. "
Ok, that's a problem. The reason the protocol is proprietary is because the company has put a lot of time, money and effort into developing their product. They want to recoup some of the development costs through the implementation of their protocol.
The DMCA thing well ...that's what the DMCA is. It's basically a catch-all b1tchstick that can be bent i
Re: (Score:2)
Seems like this could be in the same realm as an SQL injection attempt. It's just using JSON instead.
The hack only allows people to share their own files with others more easily. It's not like it would allow them to take over the web server or access other people's files without permission.
I don't see how this could compete with BitTorrent - everything a pirate uploads onto Dropbox is logged and can easily be used against them in a trial.
Bullshit (Score:5, Informative)
The DMCA confusion is because they stopped a file from being shared on their own service, which generated a silly mail that a DMCA request had been received from themselves and hence a file was taken down. The blogger confused this with a DMCA request (and corrected it afterwards, but it seems slashdot missed this).
So can we cut it with the flamebait title?
Re: (Score:2)
If you read the article, the claim is that the DMCA request was a mistake, not "fake". Big difference there!
Fair enough. But with a weapon as powerful as the DMCA, extra caution is warranted when using it. "I didn't know the gun was loaded . . ." isn't something you want to have to say.
Re: (Score:2)
The DMCA was never invoked, because there was never an actual DMCA takedown notice, just a form e-mail that stated that his file had been deleted because of a DMCA takedown notice. There wasn't a DMCA takedown notice and his file wasn't deleted because of one - it was deleted for an entirely different reason - but apparently that same form e-mail was set to go out to anyone whose file was deleted by an admin for any reason at all.
A DMCA takedown notice is what a copyright holder would send to DropBox, not w
Re: (Score:2)
It wasn't deleted in any case. Access to it was blocked, and the CTO reversed the block after conversing with the post's author. The CTO requested that he remove it, but did not demand that he do so.
Re: (Score:2)
True - not that it makes a whole lot of difference, though. "Lazy" delete is pretty common, so at what point do you want to say it was deleted? When they set the "deleted" bool on the database record for the file that's good enough to call it deleted from the user's point of view. Chances are they could get it back even if it really was deleted if they went down to undelete it at the filesystem level or if they did any sort of regular backups.
Re: (Score:2)
I'm not sure if you're trying to argue semantics here, but nowhere in the article does it say that it was deleted, soft or otherwise. The e-mail sent to him said that DropBox had "removed or disabled access to the material" and that "public sharing on your account has been disabled." Arash Ferdowski restored the access to the public files and requested that the author delete the file in question. No one deleted the file. Permissions were changed. That's not even remotely the same thing as deletion.
Re: (Score:2)
So they perjured themselves by accident?
Seems like courts would frown on that sort of thing.
Re: (Score:2)
They didn't issue a DMCA takedown notice (which would have been perjury). They claimed that they had received one, which is either simply lying or an honest mistake.
Re: (Score:2)
They didn't issue a DMCA takedown notice (which would have been perjury). They claimed that they had received one, which is either simply lying or an honest mistake.
Perjury is lying under oath during a judicial proceeding. This would not have been perjury.
Re: (Score:2)
Sending a DMCA takedown notice which asserts that you are the owner of content which you don't actually own is, in fact, perjury.
Re:Fake DMCA request (Score:5, Informative)
Sending a fake DMCA takedown is illegal, yes, but an e-mail that says "we deleted your file due to DMCA takedown notice we received" isn't a DMCA takedown notice. And apparently that e-mail just went out automatically any time they banned a file from someone's account. Apparently it never occurred to whoever designed their system that a file might be removed for anything other than copyright violation... or maybe the admin just didn't select the correct reason when he banned it.
Re: (Score:2)
Exactly how illegal is this? My guess is "very."
How about "not at all". There's nothing "fake" about it. A DMCA takedown notice isn't sent by any government agency. It is simply a claim from a content owner to someone else, usually a content host, claiming that copyrighted content is being illegally published.
Re: (Score:3)
they clearly want a open source program off the internet
No. What they clearly want is to not have their reputation and business model tarnished by having their system turned into a big content piracy farm by people who are violating their very reasonable TOS.