Apr 25 / Dan DeFelippi

Dropbox Attempts To Kill Open Source Project


Yesterday morning I woke up much earlier than I wanted. Instead of lying in bed wishing I was asleep, I decided to get up and check out Hacker News. Better to waste my time reading industry news than lying around. One headline in particular caught my attention: “Dropship — successor to torrents?“. The name was an obvious reference to Dropbox, and the suggestion that it could replace torrents was enticing. Data storage and distribution have been long-time interests of mine and I can’t resist reading about the industry. I had no idea that by the end of the day I’d have received a fake DMCA takedown notice, corresponded with Dropbox’s CTO, and witnessed the near killing of an open source project.

Make Files Appear

The HN post linked to a blog post about an open source project called Dropship that exploits Dropbox’s file hashing scheme to put a file into your account without ever uploading it. Dropbox deduplicates uploads by content hash across all accounts, so a client that presents hashes the server already knows gets the file attached to its account without sending a byte of it. Dropship saves the hashes of a file as a JSON manifest; anyone holding that manifest can load the original file into their own Dropbox account with Dropship. This has some real potential benefits for Dropbox’s users: you could share a private file with someone simply by handing them the JSON string, with no need to make the file public. The downside is the potential for abuse in distributing and sharing pirated files.
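To make the mechanism concrete, here is an added example in Python (written for this page; it is not Dropship’s code and not Dropbox’s server). It models a block store deduplicated by content hash across all accounts, shows why a hash-only manifest is enough to “own” a file when the server infers possession from the hashes alone (the same point a commenter makes below: knowing the hash is enough to get the file), and contrasts it with a proof-of-ownership commit, where the server issues a fresh nonce and the client must return an HMAC over the actual bytes of every block. The 16-byte block size, SHA-256 block hashes, the HMAC challenge, the account and path names and the sample file contents are all assumptions made for the demo; the page does not describe Dropbox’s real protocol.

```python
"""Added example: hash-deduplicated block store, the hash-only flaw, and a
proof-of-ownership fix. Everything here is an assumption for the demo."""
import hashlib
import hmac
import json
import os

BLOCK_SIZE = 16  # assumed for the demo; a real client would use far larger blocks


def block_hashes(data: bytes) -> list[str]:
    """Hash each fixed-size block; this list is all a Dropship-style manifest carries."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(data), BLOCK_SIZE)]


class DedupServer:
    """Block store shared across every account, keyed by block hash."""

    def __init__(self) -> None:
        self.blocks: dict[str, bytes] = {}
        self.accounts: dict[str, dict[str, list[str]]] = {}

    def upload(self, user: str, path: str, data: bytes) -> None:
        """Honest client: store blocks the server lacks, then attach the file."""
        for i in range(0, len(data), BLOCK_SIZE):
            block = data[i:i + BLOCK_SIZE]
            self.blocks.setdefault(hashlib.sha256(block).hexdigest(), block)
        self.accounts.setdefault(user, {})[path] = block_hashes(data)

    def fetch(self, user: str, path: str) -> bytes:
        return b"".join(self.blocks[h] for h in self.accounts[user][path])

    # Flawed design: possession is inferred from knowledge of the hashes alone.
    def commit_by_hash(self, user: str, path: str, hashes: list[str]) -> bool:
        if any(h not in self.blocks for h in hashes):
            return False  # the server would ask the client to upload the missing blocks
        self.accounts.setdefault(user, {})[path] = list(hashes)
        return True

    # Hardened design: a fresh nonce per commit, and HMAC(nonce, block bytes)
    # required for every claimed block. Hashes alone cannot produce it.
    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def commit_with_proof(self, user: str, path: str, hashes: list[str],
                          nonce: bytes, proofs: list[bytes]) -> bool:
        if len(proofs) != len(hashes) or any(h not in self.blocks for h in hashes):
            return False
        for h, proof in zip(hashes, proofs):
            expected = hmac.new(nonce, self.blocks[h], hashlib.sha256).digest()
            if not hmac.compare_digest(expected, proof):
                return False
        self.accounts.setdefault(user, {})[path] = list(hashes)
        return True


def prove_ownership(data: bytes, nonce: bytes) -> list[bytes]:
    """Client side of the challenge: needs the real bytes, not just the hashes."""
    return [hmac.new(nonce, data[i:i + BLOCK_SIZE], hashlib.sha256).digest()
            for i in range(0, len(data), BLOCK_SIZE)]


def demo() -> dict:
    server = DedupServer()
    secret = b"constructed sample: quarterly numbers, do not share" * 2
    server.upload("alice", "/report.txt", secret)

    # Alice hands out only the JSON manifest of hashes, as Dropship would.
    manifest = json.dumps(block_hashes(secret))
    hashes = json.loads(manifest)

    # Against the flawed server the manifest alone is enough to get the bytes.
    by_hash = server.commit_by_hash("mallory", "/stolen.txt", hashes)
    stolen = server.fetch("mallory", "/stolen.txt") if by_hash else b""

    # Against the hardened server Mallory cannot answer the challenge...
    nonce = server.new_challenge()
    fake_proofs = [hashlib.sha256(bytes.fromhex(h) + nonce).digest() for h in hashes]
    mallory_proof = server.commit_with_proof("mallory", "/x", hashes, nonce, fake_proofs)
    # ...but Alice, who has the bytes, can.
    alice_proof = server.commit_with_proof("alice", "/copy.txt", hashes, nonce,
                                           prove_ownership(secret, nonce))
    return {"by_hash": by_hash, "stolen_matches": stolen == secret,
            "mallory_proof": mallory_proof, "alice_proof": alice_proof}


if __name__ == "__main__":
    print(demo())
```

The proof of ownership costs the honest client one HMAC per block it claims, but it means a manifest of hashes is no longer a capability to the data. It does nothing about the other leak the commenters raise, namely that the server still reveals whether a hash exists at all; that is a separate problem.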

In Steps Dropbox

Dropbox’s CTO and cofounder, Arash Ferdowsi, did not like Dropship. His reaction was swift. According to the project’s creator, Wladimir van der Laan, Ferdowsi contacted him soon after and requested “in a really civil way” that he take the project off GitHub. van der Laan complied. This was within hours of the HN post. Another HN member, Peter Steinberger, mirrored the project on his GitHub account using an archive from the blog post. I also mirrored the archive in the public folder of my Dropbox account and linked to it from HN. Within hours Ferdowsi contacted Steinberger and the author of the blog post, Krzysztof Dziądziak, and had them remove Dropship too.

At 1:46PM ET I received the following email from Dropbox support (emphasized text is mine):

Subject: [Dropbox Support] Re: DMCA Violation for [my email address]

Dan DeFelippi, Apr-24 10:46 am (PDT):

Dear Dropbox User:

We have received a notification under the Digital Millennium Copyright Act (“DMCA”) from Dropbox that the following material is claimed to be infringing.

/Public/laanwj-dropship-464e1c4.tar.gz (the Dropship archive)

Accordingly, pursuant to Section 512(c)(1)(C) of DMCA, we have removed or disabled access to the material that is claimed to be infringing or to be the subject of infringing activity.

As a result of this notice, public sharing on your account has been disabled for a period of 3 days.

Please be aware that copyright infringement violates our Terms of Service (TOS) and Copyright Policy, which can be found at the following locations:

https://www.dropbox.com/terms#terms

https://www.dropbox.com/help/210

Also note that Dropbox has a policy of terminating the accounts of repeat infringers. If you repeatedly use Dropbox to infringe copyrights, your account will be terminated and you will lose access to your files.

If you believe that this DMCA notice was sent in error, you may file a counter notification. Such a notification must comply substantially with 17 U.S.C. § 512(g)(3) and include a statement under penalty of perjury of a good faith belief that the DMCA notice was the result of mistake or misidentification. You can send counter notifications to the following address:

Copyright Agent
Dropbox Inc.
760 Market Street #1150
San Francisco, CA 94102
copyright@dropbox.com

The Dropbox Team

This was something new to me. A DMCA takedown being issued against an open source project? I immediately looked up the proper format for responding to a takedown and replied with the following:


The material in question, a file stored on Dropbox under the filename and path of /Public/laanwj-dropship-464e1c4.tar.gz, is not infringing the DMCA. The following is the license contained within the archive:

License
———
Copyright (C) 2011 by Wladimir van der Laan

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Based on this license, which issues permission to copy and distribute freely, it is my good faith belief that this material is non-infringing. As such, I demand the file be restored per 17 U.S.C. Section 512(g).

Signed,
Daniel A DeFelippi
contact info removed

Soon after Ferdowsi contacted me directly, sending what I now assume is the same “really civil” request he sent to others. He requested that I not only remove the archive from Dropbox but delete my posts on Hacker News, which at that point included the fake DMCA takedown. He outlined his objections, that Dropship reveals their proprietary client-server protocol and that it could be used for piracy. He told me that the DMCA takedown was a mistake and reverted the lockdown on my public files.

First of all, trying to protect a proprietary protocol is going to get them nowhere. His argument amounts to security by obscurity, and obscurity fails completely here: the protocol is implemented in a client that ships to every user, so anyone with the right skills can reverse engineer it again.

Second, dealing with piracy is the responsibility of Dropbox. It’s not the problem of an innocent hacker who wrote some useful code that could benefit legitimate users and advocates the use of his software for “sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases.”

The Censored Respond

At this point I started emailing everyone who had been contacted by Ferdowsi to find out what had happened to them. I asked Dropship’s author whether he had issued a takedown. He told me he had not and that “my code is MIT licensed anyway, you can do with it what you want.” One person told me he took Dropship down for fear of losing his Dropbox account. A few of them expressed support for my resistance to the takedown attempts.

Aftermath

Dropbox’s censorship was nearly successful. In the aftermath Dropship all but disappeared from the internet. All public repositories and archives I could find were taken down. The takedown requests instilled fear in Dropbox users who didn’t wish to lose their account. I doubt van der Laan will continue developing Dropship. Even if he does it will most likely be private since he took his public repository down.

To Ferdowsi’s credit, I understand his position. He’s trying to protect his company. His correspondence was friendly and non-threatening. He’s obviously a very intelligent person and probably made a snap judgement on how to do damage control. The DMCA takedown seems to have been an accident and he remedied it.

In my unhumble opinion censorship is never an option. I’ve defied Ferdowsi’s requests and posted Dropship on my GitHub account. If you are able to, I’d love to see contributions. Fork and submit a pull request. To be certain it doesn’t disappear I’m also making the archive available from my own servers.

Dropship Mirror #1
Dropship Mirror #2

Censorship doesn’t work, especially in a community of open source using geeks.

Update: I want to clear up a few things. As far as I’m aware, all of the Dropship repositories and archives that were taken down were removed voluntarily. Dropbox never made threats, legal or otherwise. It appears the DMCA notice was sent to me automatically when the file was banned from public sharing. There was no real DMCA takedown issued; it was an edge-case bug in their file removal system.


139 Comments

  1. Daniel / Apr 26 2011

    This is EXACTLY the kind of adverse effects that not properly encrypting data and deduplicating across accounts lead to.

    • Roberto / Apr 30 2011

      Daniel, I second that.

  2. SomeDude / Apr 27 2011

    http://en.wikipedia.org/wiki/Streisand_effect

    If you want something to fade into obscurity on the internet the best way is to shut up about it. Internet 101 & compulsory knowledge for CTOs.

  3. kturner / Apr 27 2011

    This means that knowing the hash of any file is enough to get that file, as long as someone, somewhere has it on their dropbox. Even if they close this hole on the dropbox servers (can they – or will it take a client update?), it means that people could have been doing this for years.

    Not exactly awe inspiring. Your private files are a hash away from being public. In other words a malicious software program could just send hashes of all your files back to the crooks website. Saves on bandwidth, which is important.

    –KT

  4. Brian / Apr 27 2011

    I am a DropBox user, and have been for some time. I have been worried about security, more than anything, and have already considered dumping the service, and feel somewhat conflicted after reading all this. On the one hand it sounds like the take-down notice was really a mistake (although it looks like we can’t be sure). And it also sounds like the DropBox folks were trying to be pretty civil. But… the whole thing is a serious mistake on their part. You can’t ever get something like this file “off the Internet.” And even if you did, some other clever person, who really did have bad intent, could recreate it in no time. If I ran DropBox, I would have talked to the creators and said, “Hey that is really nifty trick. We’ll make it a cool new feature of DropBox, and even though you open sourced it, here is $10k ‘cuz we think you are cool.” And then, if someone abuses the feature, original code, or comes up with a similar hack and abuses DropBox, go after them. That would be a big win, PR-wise, for DropBox, rather than a poke in the eye with a stick of loyal geek DropBox users.

  5. Gump / Apr 27 2011

    There is another project out there that attempts to provide a dropbox-like syncing using some typical tools related to rsync. In this case, it’s a different approach.

    I am generally suspicious of any public service that stores files. We’ve all seen what the CIA will do to gain access to our data (remember the massive traffic sniffers outed in AT&T’s closets?). Almost surely at some level, the files on Dropbox are being scanned, cataloged, etc. At least, you should assume as such when using the service accordingly.

    That being said, Dropship is nifty and I hope the author continues its development. The basic innards could be used elsewhere.

    We have use for some type of “dropbox” like syncing in our organization — it would help keep people’s files uniform. Other than the small project I found (available: http://fak3r.com/geek/howto-build-your-own-open-source-dropbox-clone/), I wonder if there are others.

    I’m sure we’ve not heard the last from Dropbox on this issue…

    • Dan DeFelippi / Apr 27 2011

      Thanks for the link. The project looks interesting and is being actively developed.

      • fak3r / Apr 28 2011

        Dan – First let me say that I appreciate your efforts on keeping Dropship alive, and I’m in complete agreement with your stance on why it should be. It also reminds me that I should be learning more Python.

        I came up with an ‘open source Dropbox clone’ idea since Dropbox is a proprietary platform you can’t trust to provide privacy or security, made it a blog post and then the project. Now it’s getting some great feedback and motivation from the community. Check out lipsync here: https://github.com/philcryer/lipsync My goal is to make it simple for anyone to use and setup on any system (win/osx/linux…maybe even “tracking devices” like Android and iPhone!)

  6. kturner / Apr 27 2011

    Here is a security risk as far as I can tell…. This should be checked with someone more involved with the problem.

    Pretend there is a large company ‘BigOilCo’. Now suppose that every day they set a price they will pay on a commodity (oil). The person who does the work uses dropbox to transfer the document to someone at head office, who embargoes it for publication until the next day. The (.txt) file always looks exactly the same, except the date is changed in the upper left, and the price is different. ( Pretend that the file comes from a financial mathematical modelling script). Then guessing the hash of the ‘still secret’ file is not a problem, just look at yesterday’s file, change the date, and put in like 1000 different possible prices for oil tomorrow. Then you get 1000 hashes. Try downloading all those files from Dropbox. The one that downloads is tomorrow’s price.

    A 2^256 hash table is huge, but the available space of small files that you already know almost all the details of can be very small.

    I don’t know how many sensitive files like this are floating around on Dropbox, but there are likely more than there should be!

    • Dan DeFelippi / Apr 27 2011

      That’s an interesting attack vector. It wouldn’t be easy to pull off by any means but seems feasible.

    • Bla / Apr 29 2011

      Only problem with that is BigOilCo would use MS Word instead of Notepad ;)
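kturner’s scenario above is the textbook confirmation-of-file attack on deduplicating storage: if the service reveals, by skipping the upload, whether it already holds a file with a given hash, then a file whose contents are mostly known can be recovered by hashing every candidate and asking. The Python below is an added example written for this page, not code from the post, from Dropship or from Dropbox. It runs the attack against a store with one global hash space, then against a store that hashes each tenant’s data under a server-held per-tenant key so nothing dedups across accounts and the oracle goes quiet. The document template, price range, tenant names, `probe` interface and per-tenant keying are all assumptions for the demo; the page does not say what, if anything, Dropbox changed.

```python
"""Added example: recovering a mostly-known file through a dedup oracle.
Assumed setup (not from the page): the client hashes the whole file, asks the
server whether that hash exists, and only uploads when it does not."""
import hashlib
import hmac
from typing import Optional

# Constructed document template; only the date and the price vary.
TEMPLATE = "BigOilCo posted price\nDate: {date}\nPrice: {price:.2f} USD/bbl\n"


class GlobalDedupStore:
    """One hash space for every tenant: 'do you have this hash?' leaks across accounts."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def store(self, tenant: str, text: str) -> None:
        self._hashes.add(hashlib.sha256(text.encode()).hexdigest())

    def probe(self, tenant: str, text: str) -> bool:
        # What an uploading client learns when the server answers "already have it".
        return hashlib.sha256(text.encode()).hexdigest() in self._hashes


class PerTenantDedupStore:
    """Hashes are keyed per tenant, so only the same tenant's own data ever dedups."""

    def __init__(self, tenant_keys: dict[str, bytes]) -> None:
        self._keys = tenant_keys
        self._hashes: set[bytes] = set()

    def _tag(self, tenant: str, text: str) -> bytes:
        return hmac.new(self._keys[tenant], text.encode(), hashlib.sha256).digest()

    def store(self, tenant: str, text: str) -> None:
        self._hashes.add(self._tag(tenant, text))

    def probe(self, tenant: str, text: str) -> bool:
        # Mallory's probes are tagged under Mallory's key and never match BigOilCo's.
        return self._tag(tenant, text) in self._hashes


def guess_price(store, attacker: str, date: str,
                lo_cents: int, hi_cents: int) -> tuple[Optional[float], int]:
    """Enumerate every candidate price, probe each one, return (price, probes used)."""
    probes = 0
    for cents in range(lo_cents, hi_cents + 1):
        probes += 1
        candidate = TEMPLATE.format(date=date, price=cents / 100)
        if store.probe(attacker, candidate):
            return cents / 100, probes
    return None, probes


def demo() -> dict:
    secret_doc = TEMPLATE.format(date="2011-04-28", price=104.37)

    leaky = GlobalDedupStore()
    leaky.store("bigoilco", secret_doc)
    leaked_price, probes = guess_price(leaky, "mallory", "2011-04-28", 10000, 11000)

    keyed = PerTenantDedupStore({"bigoilco": b"key-bigoilco", "mallory": b"key-mallory"})
    keyed.store("bigoilco", secret_doc)
    keyed_price, _ = guess_price(keyed, "mallory", "2011-04-28", 10000, 11000)

    return {"leaked_price": leaked_price, "probes": probes, "keyed_price": keyed_price}


if __name__ == "__main__":
    print(demo())
```

The search space here is about a thousand candidates, so the attack finishes in well under a second; the 2^256 output size of the hash is irrelevant when the input entropy is a few bits. Per-tenant keying closes the oracle at the cost of the cross-account storage savings that motivated global deduplication in the first place, which is the trade-off a service like this has to make explicitly.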

  7. Samy / Apr 27 2011

    Mmmhh, what is the interest of Dropship ? You can already share a private file using this : https://www.dropbox.com/help/167

    • my1stname / Apr 27 2011

      Yes, you can use the public share feature of Dropbox, but you have to 1) give up your DropBox user name (in the URL) and 2) have a copy of the file in question. With Dropship you can avoid #1. #2 means that you never need to have a copy of the file in question to share it.

      Let’s say my buddy Jim has a copy of “Iron Man 5″ that he downloaded via torrent. He works out the hash and sends it to me. I don’t really have a lot of interest in watching Iron Man 5, but I know my brother does so I send him the hash. He grabs a copy from DropBox and I’ve just shared a file without ever having it on my PC.

      Neat!

  8. Turtle lover / Apr 28 2011

    While I fully understand and respect all the dissenters here, I really don’t think DB is THAT bad.
    Clumsy? Yes, they acted a bit too hastily and bluntly
    Overreacting? Probably

    Evil? Hell no.
    You have to appreciate the following from them:
    1) They were direct and open from the get-go
    2) They were courteous (marginal, perhaps, but so rare it HAS to be mentioned)
    3) Acknowledged wherever cockups happened

    Yes, the best option would be to update their system so dropship wouldn’t work (as they have done) and just keep quiet but it’s easy to understand why someone with a life interest in an operation could get all panicky from any association with piracy or lack of security.

  9. Other / Apr 28 2011

    Dropbox is an arrogant teen brat. They want to grow too fast; maybe they should have waited longer to put into production the realization of what is a good idea, but doing it right.
    All these security risks, privacy concerns and now this… I use it, hehe, because I am forced to by team members.

  10. Graham / Apr 29 2011

    Hey, I just noticed that there’s already a Wikipedia article about Dropship!

    http://en.wikipedia.org/wiki/Dropship_(software)

    Is Dropbox’s claim that this will no longer work because of back-end changes they’ve made a valid one? Or is it likely that Dropship will continue to function (perhaps with adjustments) for as long as Dropbox continues to run an insecure protocol?

  11. Ab / Apr 30 2011

    Thanks for keeping the code around for other to download! F*ck Censorship!

  12. Richard M Stallman / Apr 30 2011

    Good on you for resisting censorship of a free (as in freedom) program, but if you refer to sharing as “piracy” you’re repeating the propaganda of the anti-sharing bullies. They don’t deserve such support. Their cause is unjust because sharing is good.

  13. Harry Johnston / May 2 2011

    A few people have mentioned the potential security issue involved. Another potential issue is documented here:

    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

  14. Dave / May 5 2011

    I have to agree with the comments here – security by obscurity is most certainly the wrong way to go about protecting user data. I’d like to point out another file sharing project (http://www.broolz.com) that does not rely on the client server model employed by others. It allows people to share files only with others they want to share with, so files only ever reside on authorized computers and never 3rd party servers. (Note – I work for them). Though not currently mentioned on their web site, the full version of the product is currently free for personal use, so no limits as to how much you can share.

  15. frank / May 7 2011

    Thank you for sharing.
    It is always a delight to feel what I believe – that information is inspiration

  16. Laurent Raufaste / May 11 2011

    Thanks for keeping the source alive, we never know!

  17. w0qj / Jun 21 2011

    Good article – here is another cloud storage solution that is fully encrypted:
    With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
    It gives you the ability to upload and sync any folder on your computer.
    It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
    You can also stream MP3 music files to your smartphone or computer.

    Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!

    [Referral link removed]

    https://www.sugarsync.com/

    Hope it helps someone.

    • Delphia / Sep 23 2011

      Apparently this is what the esteemed Willis was talkin’ ’bout.

  18. Aser / Sep 26 2011

    Dropbox is one thing, but there is a more interesting alternative, MINUS –

    http://minus.com (affiliate link removed)

    You get 10 GB to start with, and then through referral links you can expand it to, ATTENTION, as much as 50 GB! (each invited user adds another 1 GB of space).

    Nice, isn’t it :) oh, and 2 GB per single file, which is even better.

    It should be added that Minus has nice apps for all desktop and mobile systems for managing, sharing and whatever else we want to do on the service (no need to log in to the website).

    • Dan DeFelippi / Sep 26 2011

      For those who don’t speak Polish, I ran this through Translate and found this person is promoting an online file sharing service that’s nothing like Dropbox. I left the comment but removed the affiliate link in case anyone wants to check it out.

  19. Kira T. / Mar 13 2012

    Hi!

    I happened to stumble upon your article. I have no technical background what so ever (also its 2:30am). Can you explain exactly what dropship is/was, I have a general idea, but I feel that I don’t quite get it entirely yet. Thanks!

Trackbacks and Pingbacks

  1. In search of an Open Source Dropbox alternative - SparkleShare - Adlibitum
  2. Future of Dropship | Forwardfeed's blog
  3. Can Dropbox be used for P2P? | WebBizClass- Study Abroad UAB
  4. Universal Geek: Good and Justice, Regardless | Sean D. Francis
  5. Dropbox Tries To Kill Off Open Source Project With DMCA Takedown | quack's Shared Items
