Open Source Security News

Dropbox Attempts To Kill Open Source Project 250

Posted by CmdrTaco
from the draw-your-swords dept.
Meskarune writes "Dropbox is trying to kill the Dropship project, a useful program that allows users to import files into their accounts using hashes and bypassing the need to make files public. Dropbox sent out fake DMCA requests to all parties involved, and is banning and censoring the program."

  • Is that fraud? (Score:5, Interesting)

    by Sprouticus (1503545) on Tuesday April 26, 2011 @01:17PM (#35943946)

    Wouldn't an attempt to intentionally mislead someone with regard to DMCA be regarded as fraud?

    • Re:Is that fraud? (Score:5, Informative)

      by drosboro (1046516) on Tuesday April 26, 2011 @01:22PM (#35944018)

      Well, intentionality would seem to be missing. As I quoted in a comment below, the update at the bottom of the article now reads as follows:

      Update: I want to clear up a few things. As far as I’m aware all of the Dropship repositories and archives that were taken down was done so voluntarily. Dropbox never made threats, legal or otherwise. It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.

      • Re:Is that fraud? (Score:3, Interesting)

        by mcmonkey (96054) on Tuesday April 26, 2011 @01:47PM (#35944296) Homepage

        None of which makes me feel any better.

        The statement that no threats, legal or otherwise, were made is false. Even if the threats were made accidentally, threats were made. Saying an automated email was kicked off inadvertently does not mean the email was never sent.

        Then there's the issue of the mistakenly activated automated email. Why do they have a process that automatically sends out DMCA notices?

        Then there's the action of removing the files at issue. I'm not sure how I feel about the selective action on files. If I'm breaking the ToS, why not freeze my account? On the one hand, I can appreciate the effort to not freeze accounts, but at the same time, I don't want the admins at Dropbox going through my files.

      • Re:Is that fraud? (Score:3, Insightful)

        by Hatta (162192) on Tuesday April 26, 2011 @01:58PM (#35944414) Journal

        It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.

        There are no edge cases in the DMCA. Either it was a valid DMCA request or it was perjury.

        • Re:Is that fraud? (Score:5, Insightful)

          by _0xd0ad (1974778) on Tuesday April 26, 2011 @02:11PM (#35944584) Journal

          There was never a DMCA takedown notice.

          The DMCA takedown notice is what a copyright holder sends to a content host.

          The e-mail from the content host to the user saying "we deleted your file because ______" is not a DMCA takedown notice, regardless of the reason they give.

          Content hosts are supposed to notify users whose content has been removed due to DMCA takedown notices so that the users have the opportunity to file counter-notices under the DMCA, but that correspondence is not itself a DMCA takedown notice.

        • Re:Is that fraud? (Score:5, Interesting)

          by LordLimecat (1103839) on Tuesday April 26, 2011 @02:16PM (#35944654)

          It was not a DMCA "request". It was a notification that they were removing the file in order to comply with DMCA Section 512 C-1-c, which indicates "No liability if ... upon obtaining knowledge or awareness, OSP expeditiously removes Work" [benedict.com]

          In other words, they believed the material to infringe on DMCA, and as the file host, they have the right and duty to remove such a file when they believe it to be infringing. See, Dropbox isn't just the potentially "injured party", they are also the service provider-- and that is the capacity they were issuing the notice in. (NB- IANAL)

    • Re:Is that fraud? (Score:5, Informative)

      by DrgnDancer (137700) on Tuesday April 26, 2011 @01:25PM (#35944068) Homepage

      Except if you read the article, only one "fake" DMCA notice was sent out, and it appears to have been a legitimate accident. While the author of the article is not exactly happy with Dropbox's response to this matter he is not nearly as down on it as the summary suggests, and Dropbox's behavior was nowhere near as flagrant as the summary suggests. This is not "nothing", but it's not anywhere near the level of "awful" suggested in the summary. Whole situation is somewhere between "tempest in teapot" and "very mildly concerning".

    • by thsths (31372) on Tuesday April 26, 2011 @02:34PM (#35944918)

      Fraud on whose side? I am pretty sure you are not allowed to (illegally) distribute copyrighted material on Dropbox, using dropship or otherwise.

      While I think that dropship is a neat hack, the main use for it seems to be a fast and "free" warez server. And obviously Dropbox cannot support that, for so many reasons. Dropbox offers a great service, for free, and I would like it to stay that way. You use their servers, you play by their rules... simple.

  • by ehrichweiss (706417) * on Tuesday April 26, 2011 @01:18PM (#35943962)

    Or is that merely filing a takedown on false pretenses?

    • by denis-The-menace (471988) on Tuesday April 26, 2011 @02:08PM (#35944552)

      According to an anonymous comment on the blog:

      The perjury provision (17 U.S.C. 512(c)(3)(A)(vi)) applies to persons who submit formal complaints to service providers. It does not apply to informational messages that service providers may send to their users. So even if DropBox had intentionally lied about receiving a DMCA takedown notice (which it didn't; see Arash's comment noting that the DMCA message was mistakenly autogenerated in response to banning the file), it would still not implicate the DMCA perjury provision.

      IOW: If you can get ISPs to be your puppets to send "kind" emails to their users, nobody is at fault regardless of the damages done by the emails.

      DMCA: Best draconian law you can buy!

  • by drosboro (1046516) on Tuesday April 26, 2011 @01:20PM (#35944000)

    Okay, according to the update at the bottom of the link (I know, I RTFA, weird, eh?),

    Update: I want to clear up a few things. As far as I’m aware all of the Dropship repositories and archives that were taken down was done so voluntarily. Dropbox never made threats, legal or otherwise. It appears the DMCA notice was automatically sent to me when the file was banned from public sharing. There was no real DMCA takedown issued. It was an edge case bug in their file removal system.

    Apparently, Dropbox is asking nicely, but when they flagged the file it triggered an accidental DMCA notice, for which they seem to be apologizing.

  • by O('_')O_Bush (1162487) on Tuesday April 26, 2011 @01:23PM (#35944042)

    I mean, from the FA, it talks about how Dropship is exploiting the Dropbox hashing algorithm, which might be copyrighted along with the rest of Dropbox (I don't know). If it was, then I could see why there would be grounds for copyright infringement, unless the OSS project could demonstrate that it arrived at that dropbox hashing algorithm through blackbox testing.

    • by Jonner (189691) on Tuesday April 26, 2011 @01:34PM (#35944164)

      I mean, from the FA, it talks about how Dropship is exploiting the Dropbox hashing algorithm, which might be copyrighted along with the rest of Dropbox (I don't know). If it was, then I could see why there would be grounds for copyright infringement, unless the OSS project could demonstrate that it arrived at that dropbox hashing algorithm through blackbox testing.

      Thankfully, copyright does not apply to algorithms and the US has a legal system based on the idea that people are innocent until proven guilty.

      • by gstoddart (321705) on Tuesday April 26, 2011 @01:49PM (#35944334) Homepage

        Thankfully, copyright does not apply to algorithms

        And, the DMCA has an explicit exception for interoperability and such, which I think this would be covered under.

        the US has a legal system based on the idea that people are innocent until proven guilty.

        Unless one is suspected of copyright infringement, kiddie porn or terrorism, then it's straight on to the presumption of guilt and you needing to prove you didn't do it.

        Sadly, it seems like those three can pretty much bypass any court oversight.

        • by Jonner (189691) on Tuesday April 26, 2011 @02:05PM (#35944520)

          Thankfully, copyright does not apply to algorithms

          And, the DMCA has an explicit exception for interoperability and such, which I think this would be covered under.

          I think you're confused. Perhaps you're thinking of the anti-circumvention clause [wikipedia.org] which clearly doesn't apply in this case. Dropbox is not claiming copyright infringement and seems to have admitted that the DMCA takedown notice was a mistake. They are claiming that using Dropship violates their terms of service, which it probably does. However, the DMCA has nothing to say about that since it is not at all related to copyright.

          Even if the DMCA's anti-circumvention clause applied, it still doesn't change the fact that you cannot copyright an algorithm. Unfortunately, you can patent one.

          the US has a legal system based on the idea that people are innocent until proven guilty.

          Unless one is suspected of copyright infringement, kiddie porn or terrorism, then it's straight on to the presumption of guilt and you needing to prove you didn't do it.

          Sadly, it seems like those three can pretty much bypass any court oversight.

          What you're describing certainly happens, but is a gross violation of the principles of the legal system. The post I responded to seemed to be implying that it was reasonable to assume that a work infringed on a copyright until it was proven non-infringing.

          • by gstoddart (321705) on Tuesday April 26, 2011 @02:21PM (#35944726) Homepage

            I think you're confused. Perhaps you're thinking of the anti-circumvention clause which clearly doesn't apply in this case.

            Not confused, maybe interpreting it differently ...

            He outlined his objections, that Dropship reveals their proprietary client-server protocol and that it could be used for piracy.

            Revealing their "proprietary client-server protocol" is part of the issue here, and we have explicit rights to reverse engineer a protocol. I'm not sure on what basis Dropbox can really keep their protocol secret.

            The second half of the "could be used for piracy" is the only tenuous link to the DMCA. And, as the article said, the whole DMCA part is a red herring. Basically it says that since you might use the posted technique to perform copyright violations, the whole thing needs to go.

            Even if the DMCA's anti-circumvention clause applied, it still doesn't change the fact that you cannot copyright an algorithm.

            Yes, this is me agreeing with you that you can't copyright an algorithm, as I initially did ... and pointing out that in terms of interoperability, even if you could copyright one, there are explicit exemptions that allow you to reverse engineer to be able to work with it. There isn't even anything to do with "circumvention" in this case -- they didn't bypass passwords or DRM.

            What you're describing certainly happens, but is a gross violation of the principles of the legal system.

            Depressing, isn't it? And yet, it seems to be becoming the norm in terms of how this is done. Send a DMCA notice, regardless of merit, and it is expected to be acted upon without any evidence. Merely an assertion. Who needs the principles of the legal system when you can screech loud enough about copyright infringement to go straight to enforcement on the say-so of a lawyer?

            The post I responded to seemed to be implying that it was reasonable to assume that a work infringed on a copyright until it was proven non-infringing.

            Which is the exact same logic the *AA's use, and apparently the basis for the "three strikes" laws being enacted in many countries.

            It's not reasonable, but that seems to be how it's being done. :(

      • by LordLimecat (1103839) on Tuesday April 26, 2011 @02:21PM (#35944730)

        The implementation of an algorithm, however, CAN be copyrighted, which Dropbox IS.

        As for that "innocent til proven guilty", where does it say that the blogger was convicted of anything? This hasn't even gone to court; "innocent till proven guilty" has absolutely nothing to do with it. Dropbox is the service provider, and thus has the explicit right under DMCA to remove all material it believes to be infringing (as does, for example, Youtube).

      • by muffen (321442) on Tuesday April 26, 2011 @02:24PM (#35944792)

        and the US has a legal system based on the idea that people are innocent until proven guilty.

        Funny, before coming to slashdot I was reading NYTimes, about an Afghan farmer being imprisoned for a few years because he had a pair of binoculars on him.

  • "Useful" (Score:5, Insightful)

    by AdmiralXyz (1378985) on Tuesday April 26, 2011 @01:24PM (#35944050)

    Useful though it may be, it's very clearly against Dropbox's Terms of Service. That doesn't give them the right to issue takedown notices to other sites on copyright grounds, but let's separate, "evil for issuing fake takedown notices" (which they are), from "evil for wanting to prevent this kind of activity" (which is perfectly reasonable).

    They're not running a filesharing service, that's not their business model, and they don't want to end up like Rapidshare or any of the N other filesharing services in legal hot water. I love Dropbox, and I would hate to see one of its most useful features- public collaboration folders- shut down because some asshats can't obey the TOS and just use torrents instead. Dropbox should be trying to find a technical solution to block something like this, but if that's not possible, what can they do?

    • by DrgnDancer (137700) on Tuesday April 26, 2011 @01:28PM (#35944096) Homepage

      It also appears that the take down notices are a mistake, and Dropbox is apologizing for them.

    • by _Sprocket_ (42527) on Tuesday April 26, 2011 @02:01PM (#35944454)

      That doesn't give them the right to issue takedown notices to other sites on copyright grounds...

      I don't believe that's what happened.

    • by am 2k (217885) on Tuesday April 26, 2011 @02:37PM (#35944964) Homepage

      I love Dropbox, and I would hate to see one of its most useful features- public collaboration folders- shut down because some asshats can't obey the TOS and just use torrents instead.

      The shared folder feature is not the problem. The problem is that the client only sends a hash of the file to the server to check whether the server already has that file in its global database. If this is the case, it doesn't have to be uploaded. I experienced that when I put a ~2GB file into my Dropbox, and it synced within a second (and no, I don't have a fast Internet connection). Somebody else has the same file in a Dropbox, and so the server already knows about that hash.

      What the hack does is pretend that a certain file with a certain hash is there when it's not, and then letting the client resync (and thus, download that file from the global database to the local Dropbox).

      The big problem is that this flaw is inherent in the way Dropbox works, and there's nothing technical they can do about it without rewriting their whole concept and implementation from scratch (and copy the concepts of wuala for example). Their whole business plan is based around the fact that they do deduplication on the server, and thus the only relevant cost is network transfer (which is very cheap).
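The hash-only deduplication check described in the comment above, modelled beside a challenge-response variant, as an added example that is not part of the original thread and is not Dropbox's or Dropship's code. The in-memory stores, class and function names, SHA-256 and the HMAC challenge are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


class DedupStore:
    """In-memory model of a server that keeps one copy of each distinct file."""

    def __init__(self):
        self.blobs = {}     # sha256 hex digest -> file bytes (global store)
        self.accounts = {}  # user -> set of digests linked to that account

    def _link(self, user, digest):
        self.accounts.setdefault(user, set()).add(digest)

    def upload(self, user, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs[digest] = data
        self._link(user, digest)
        return digest

    def download(self, user, digest):
        if digest not in self.accounts.get(user, set()):
            raise PermissionError("file is not linked to this account")
        return self.blobs[digest]


class HashOnlyStore(DedupStore):
    """Weak form: knowing a digest is accepted as proof of having the file."""

    def claim(self, user, digest):
        if digest not in self.blobs:
            return False  # unknown content: the client must really upload
        self._link(user, digest)  # upload skipped on the client's word alone
        return True


class ChallengeStore(DedupStore):
    """Hardened form: the upload is skipped only after a fresh challenge."""

    def __init__(self):
        super().__init__()
        self.pending = {}  # (user, digest) -> single-use nonce

    def begin_claim(self, user, digest):
        if digest not in self.blobs:
            return None
        nonce = os.urandom(32)
        self.pending[(user, digest)] = nonce
        return nonce

    def finish_claim(self, user, digest, response):
        nonce = self.pending.pop((user, digest), None)  # nonce is used once
        if nonce is None:
            return False
        # Simplification: the server re-reads the whole blob per challenge.
        expected = hmac.new(nonce, self.blobs[digest], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self._link(user, digest)
        return True


def answer_challenge(nonce, data):
    """Client side: only computable by someone holding the file bytes."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


def demo():
    data = b"constructed sample file contents " * 1000
    weak, hard = HashOnlyStore(), ChallengeStore()
    digest = weak.upload("alice", data)
    hard.upload("alice", data)

    # bob holds only the digest, never the bytes.
    weak_linked = weak.claim("bob", digest)
    nonce = hard.begin_claim("bob", digest)
    hard_linked = hard.finish_claim("bob", digest, answer_challenge(nonce, digest.encode()))

    # carol really has the file, so deduplication still saves her the upload.
    nonce = hard.begin_claim("carol", digest)
    carol_linked = hard.finish_claim("carol", digest, answer_challenge(nonce, data))
    return weak_linked, hard_linked, carol_linked


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The keyed response depends on a nonce the server picks per attempt, so a value computed once and passed around alongside the digest is useless for the next claim.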

  • where's the firehose (Score:5, Informative)

    by penguinchris (1020961) <penguinchris AT gmail DOT com> on Tuesday April 26, 2011 @01:29PM (#35944108) Homepage

    Vote this article down - it's misleading flamebait in the extreme. In particular, it fails to mention that the software was designed to facilitate anonymous filesharing, which would most certainly be used for copyright infringement and illegal purposes. And, the whole thing goes against Dropbox's TOS, even if it isn't used for dubious file sharing purposes.

  • by VGPowerlord (621254) on Tuesday April 26, 2011 @01:31PM (#35944138) Homepage

    Gotta love how the guy is still hosting Dropship, just not on Dropbox itself.

    Don't be surprised if his Dropbox account gets yanked for real this time, and some sort of lawsuit follows.

  • Meh (Score:5, Insightful)

    by Haedrian (1676506) on Tuesday April 26, 2011 @01:31PM (#35944140)

    I'm with dropbox on this one. The idea of converting dropbox into some sort of filesharing/torrent service, for passing potentially illegal files around is not good.

    I can see why Dropbox doesn't want to be linked to such a thing, when the big media people come a knocking, who do you think is going to end up getting sued?

    And just because it's open source doesn't make it right, or wrong, or change anything.

  • by PunchMonkey (261983) on Tuesday April 26, 2011 @01:34PM (#35944158) Homepage

    Dropbox states that all files on their servers are encrypted. I had assumed this meant the key was encrypted with your own password, but this exploit suggests that the files either are not encrypted, or encrypted with a freely accessible key.

    From: https://www.dropbox.com/help/27 [dropbox.com]
    "All files stored on Dropbox servers are encrypted (AES-256)"

    • Re:Encryption? (Score:5, Informative)

      by h4rr4r (612664) on Tuesday April 26, 2011 @01:42PM (#35944242)

      If they used real encryption they would have to host files over and over again. Encryption breaks file deduping. No way is dropbox going to do something like that, there is no advantage in it for them.

    • by wastedlife (1319259) on Tuesday April 26, 2011 @01:52PM (#35944366) Homepage Journal

      The files are encrypted, but Dropbox holds the key. This is how you can access the files through the website and share folders directly with other Dropbox users. It means that your files are susceptible to intrusion, so encrypt anything secret yourself before sending to Dropbox. Truecrypt volumes do work in Dropbox because it uses a block cipher (only changed blocks are synced, not the whole volume), but you do need to disable the option to not update modification timestamp in order for syncing to work. KeePass 2.x encrypted databases also work well, unfortunately KeePassX does not support writing to KeePass 2.x databases as of now.

      On topic, the headline and summary are blowing this way out of proportion. Dropship fakes the hashing algorithm to make Dropbox think you have a file that you don't. Dropbox already supports both public links for files and folders, and can also privately share folders between accounts. I don't know of any legitimate purpose for Dropship that isn't covered by built-in features.

    • Re:Encryption? (Score:5, Informative)

      by Jonner (189691) on Tuesday April 26, 2011 @01:55PM (#35944380)

      It's already been shown [tirania.org] that Dropbox's claims about security are mostly bogus. If Dropbox can Hand Over Your Files to the Feds If Asked [pcworld.com] then the encryption method they use to store files on their servers is meaningless since they have the private keys anyway.

    • by LordLimecat (1103839) on Tuesday April 26, 2011 @02:23PM (#35944768)

      It is likely that your password grants you access to the encryption key-- that way if you lose your password, you can reset it without losing access to all of your files.

  • by Compaqt (1758360) on Tuesday April 26, 2011 @01:42PM (#35944238) Homepage

    >import files into their accounts using hashes and bypassing the need to make files public.

    ???

    It bypasses the need to make files public?

    So, when you use Dropbox, you have to make files public? Isn't DropBox a way to share email attachments without attaching it to an email?

    Why would you want to make it public?

  • by erroneus (253617) on Tuesday April 26, 2011 @02:02PM (#35944464) Homepage

    I doubt I would have heard of this any time soon were it not for this advertising.

    • by Chapter80 (926879) on Tuesday April 26, 2011 @02:45PM (#35945096)

      Well, you might have heard about it if you read Hacker News or Reddit. :-)

      I realize what you are saying, and yes, this is a perfect example of the Streisand effect. I am commenting more on how lagged Slashdot has gotten on current news. I read about this (and almost every other Slashdot front page story) on other sources many hours or days ago.

  • by Marrow (195242) on Tuesday April 26, 2011 @02:04PM (#35944490)

    If someone wants to turn an Apache webserver into a "ftp site" using the http protocol, what is the best drop-in solution? One that does not involve programming. I found one that has progress bar and stuff, but I am sure there are others out there.
    What is the state of the art?

  • by Sensiblemonkey (1539543) on Tuesday April 26, 2011 @02:08PM (#35944558)

    Slashdot has become increasingly misleading and sensationalist in recent years. So much so that I'm moving Slashdot's RSS feed to the bottom of my pile; to be seen only in moments of extreme boredom. I have far better things to do with my time than wade through the constant stream of FUD that this site is generating these days.

  • by ScentCone (795499) on Tuesday April 26, 2011 @02:10PM (#35944572)

    This isn't censoring. This isn't the government. That word is going to stop meaning something if people can't use it in some sort of rational context. Never mind that Dropbox is just trying to prevent their system from being turned into a big anonymous piracy farm - a very real concern, and one that they have every reason (and latitude within their TOS) to fight. But ... "censoring?" Why not just call them fascists, while we're at it? Idiots. This article is inaccurate, alarmist trolling.

    • by LateArthurDent (1403947) on Tuesday April 26, 2011 @02:59PM (#35945322)

      This isn't censoring. This isn't the government. That word is going to stop meaning something if people can't use it in some sort of rational context.

      Do you know what the word means? Because I don't think you do.

      Censorship, noun: the practice of examining for and suppressing unacceptable parts.

      "Government" does not show up in the definition of the word. There is such a thing as "government censorship" in which case you must actually qualify "censorship" by preceding it with the word "government." You can even qualify it with the word self, as in "self-censorship," the practice of examining and suppressing your own unacceptable behavior.

      Never mind that Dropbox is just trying to prevent their system from being turned into a big anonymous piracy farm - a very real concern, and one that they have every reason (and latitude within their TOS) to fight.

      That's a fair argument to be made. I would most certainly agree they have the authority to block such a program for the reasons you've mentioned.

      But ... "censoring?" Why not just call them fascists, while we're at it? Idiots.

      Although they are within their rights to block the usage of the program in their servers, and ban any accounts which make use of it, they are not within their rights to prevent a program they do not own the copyrights to from being disseminated (which would be the 'censorship' part). That said:

      This article is inaccurate, alarmist trolling.

      The article is perfectly accurate and points out that dropbox's founder politely requested the removal of the program from the repositories, and the author voluntarily took it down. I don't see any wrongdoing on the part of dropbox (the DMCA request was a mistake they apologized for, as is also accurately noted in the article). The word censorship still applies: dropbox examined content and deemed it inappropriate, the author removed the content on request, thus applying self-censorship of his work.

      • by ScentCone (795499) on Tuesday April 26, 2011 @03:13PM (#35945508)

        dropbox examined content and deemed it inappropriate

        ... but has no central authority, as a censor must in order to actually censor things. The author didn't censor, he retracted, removed, etc., of his own volition. Censorship requires authority, and doesn't include choice.

  • by bl8n8r (649187) on Tuesday April 26, 2011 @02:13PM (#35944620)

    "Dropship that allows users to exploit Dropbox's file hashing scheme to copy files into their account without actually having them."

    I can see why they would be a bit ruffled over this. Seems like this could be in the same realm as an SQL injection attempt. It's just using JSON instead.

    "First of all, attempting to protect a proprietary protocol is going to get them nowhere. "

    Ok, that's a problem. The reason the protocol is proprietary is because the company has put a lot of time, money and effort into developing their product. They want to recoup some of the development costs through the implementation of their protocol.

    The DMCA thing well ...that's what the DMCA is. It's basically a catch-all b1tchstick that can be bent into whatever shape the law wants to blame whoever for whatever. The way dropbox handled things *is* pretty crappy IMO, but if you're going to be a dick and crack people's websites.... expect to get dick'd back.

    • by metacell (523607) on Tuesday April 26, 2011 @02:42PM (#35945050)

      Seems like this could be in the same realm as an SQL injection attempt. It's just using JSON instead.

      The hack only allows people to share their own files with others more easily. It's not like it would allow them to take over the web server or access other people's files without permission.

      I don't see how this could compete with BitTorrent - everything a pirate uploads onto Dropbox is logged and can easily be used against them in a trial.

  • Bullshit (Score:5, Informative)

    by wlad (1171323) on Tuesday April 26, 2011 @02:51PM (#35945204)

    Hi, I'm the person who wrote dropship. This thread is completely bogus, as there were no DMCA requests issued at all. They mailed me and asked me nicely to take the code down from github, which I did.

    The DMCA confusion is because they stopped a file from being shared on their own service, which generated a silly mail that a DMCA request had been received from themselves and hence a file was taken down. The blogger confused this with a DMCA request (and corrected it afterwards, but it seems slashdot missed this).

    So can we cut it with the flamebait title?
