
Dropbox is using an unsigned binary to install kernel extensions on your Mac - tnorthcutt
https://twitter.com/JZdziarski/status/836022552770326529
======
newhouseb
Hi folks, I work at Dropbox...

- We assert the validity of this binary through other (cryptographic) means
in the Dropbox Application.

- We're going to start signing it using the means that JZ's tweet refers to, in
addition to our existing checks, to avoid confusion.

- The kernel extension / driver is signed by Dropbox (and this binary asserts
that anything we install is signed only by us).

- The kernel extension / driver is opt-in and not enabled for the general
population (it's used in our implementation of Smart Sync, née Infinite).
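
The comment above distinguishes two things a Mac user can verify locally: which non-Apple kernel extensions are actually loaded, and whether a given installer or helper binary carries an Apple code signature at all (as opposed to being checked only by the vendor's own mechanism). The script below is an added example for this page, not Dropbox's code; the kext bundle identifiers in the embedded sample are constructed placeholders, and the default path to inspect is an assumption that the reader should replace with the binary in question.

```shell
#!/bin/sh
# Added example (not Dropbox's code): two checks a Mac user can run to see
# (a) which non-Apple kernel extensions are currently loaded and
# (b) whether a given installer/helper binary carries an Apple code signature.

# Filter kextstat-style output down to third-party bundle identifiers.
# kextstat columns: Index Refs Address Size Wired Name (Version) UUID <Linked Against>;
# the bundle identifier is field 6. Reads stdin so it can take real or sample output.
third_party_kexts() {
    awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Constructed sample of kextstat output (hypothetical identifiers, not real data),
# so the example also runs offline on a non-macOS host.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   93 0xffffff7f80a6b000 0x9ea0     0x9ea0     com.apple.kpi.bsd (16.4.0) 4B5D...
   22    0 0xffffff7f82b1c000 0x1f000    0x1f000    com.example.thirdparty.driver (1.2.3) 7C2A... <7 5 4 3 1>'

# Report whether a Mach-O binary is signed. Exit status: 0 signed and verified,
# 1 unsigned / failed verification / missing file, 2 codesign unavailable (non-macOS).
signing_state() {
    path="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host; run this on macOS"
        return 2
    fi
    if codesign --verify "$path" 2>/dev/null; then
        # -dvvv prints the signing chain and Team ID on stderr for a signed binary.
        codesign -dvvv "$path" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
        return 0
    fi
    # For an unsigned binary the first line reads "code object is not signed at all".
    codesign -dvvv "$path" 2>&1 | head -n 1
    return 1
}

main() {
    echo "Third-party kexts (constructed sample input):"
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
    if command -v kextstat >/dev/null 2>&1; then
        echo "Third-party kexts (this machine):"
        kextstat | third_party_kexts
    fi
    # Assumed default path; pass the installer/helper binary you want to inspect instead.
    target="${1:-/usr/bin/true}"
    echo "Signing state of $target:"
    signing_state "$target"
    echo "signing_state exit status: $?"
    return 0
}

main "$@"
```

Usage: `sh check_kext_signing.sh /path/to/helper-binary`. A binary that the vendor validates only through its own in-app check will still report "code object is not signed at all" here, which is exactly the gap the tweet points at.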

~~~
danieldk
Can you _please_ make installing a kext an option, rather than trying to
install it behind our backs? If you unload + remove the kext, it gets
installed again automatically.

The only way to block the kext is using e.g. Little Flocker.

Moreover, the kext _does_ get installed on my machines and I have a Pro
account without Smart Sync.

I have been pondering uninstalling Dropbox, because all this behaviour is not
acceptable. Unfortunately, I haven't found a good alternative yet.

~~~
JensRex
These shenanigans finally made me delete my Dropbox account, and set up an
OwnCloud instance on Digital Ocean.

I've found the OC client to be very nice on the platforms I use (Linux,
Windows, iOS). The Dropbox client on Linux was terrible to the point of being
unusable.

~~~
josteink
> These shenanigans finally made me delete my Dropbox account, and set up an
> OwnCloud instance on Digital Ocean. I've found the OC client to be very nice
> on the platforms I use (Linux, Windows, iOS

So an implementation detail for a feature on a platform you don't use caused
you to shift to another product, which doesn't even support the feature you
are complaining about? Am I reading you correctly?

By all means. If you're happy running a FOSS solution on servers you control,
more power to you. I'm just confused about your reasoning.

~~~
ogezi
> So an implementation detail for a feature on a platform you don't use caused
> you to shift to another product, which doesn't even support the feature you
> are complaining about? Am I reading you correctly?

I don't think he's talking about only this one issue. Dropbox had an issue
with something of this sort recently [0]. They secretly gave their Mac
application root privileges. They may have crossed the line for him here. I
should say that I'm not speaking for him but I can see how something like this
could have been the last straw for someone.

I personally think that the way a company treats its customers is a good
display of how good its culture is. It's not a good sign that they did this.

[0]
[https://news.ycombinator.com/item?id=12619722](https://news.ycombinator.com/item?id=12619722)

~~~
stuaxo
Is this a different issue, or just a different part of the same thing ?

~~~
ogezi
I hazard the latter since they have had a series of problems except the one
here.

There was also a time that when you uploaded to Dropbox a file that was
already on its servers, instead of storing the new file they stored a
reference to the old one (that they already had) as per
[https://news.ycombinator.com/item?id=2478567](https://news.ycombinator.com/item?id=2478567)

------
j_s
Dropbox has been willing to get their hands dirty in their pursuit of user-
friendliness since day one, especially on the Mac¹. Didn't find any examples
where they walk it back; usually they stick to their guns with a few minor
tweaks (and top-of-HN-discussion PR replies).

 _Dropbox Hasn't Learned Their Lesson_
[https://news.ycombinator.com/item?id=12619722](https://news.ycombinator.com/item?id=12619722)
(2016) "You seem to completely miss the point. It's not about the feature
itself, it's your way of "hacking" or "injecting" Dropbox features into places
the user didn't expect."

 _How Dropbox Hacks Your Mac_
[https://news.ycombinator.com/item?id=12463338](https://news.ycombinator.com/item?id=12463338)
(2016) "It's very strange that after I remove Dropbox from the accessibility
list you think it's ok to add it back in again."

 _Dropbox accesses all the files in your PC?_
[https://news.ycombinator.com/item?id=9136546](https://news.ycombinator.com/item?id=9136546)
(2015) "It does, however, 'QueryBasicFileInformation' and 'QueryDirectory'
when I create a file on my desktop."

 _The Tech Behind Dropbox’s New User Experience on Mobile, Part 2_
[https://news.ycombinator.com/item?id=8203164](https://news.ycombinator.com/item?id=8203164)
[https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/](https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/)
(2014) "what good is a code-signed executable when that executable can simply
download a payload from the internet like this Dropbox installer does"

 _Dropship — successor to torrents?_
[https://news.ycombinator.com/item?id=2478567](https://news.ycombinator.com/item?id=2478567)
(2011) "Apparently Dropbox notices they already have that file, and instead of
you uploading it they just make it appear in your account." CEO Drew Houston
actually did the PR for the cleanup:
[https://news.ycombinator.com/item?id=2482712](https://news.ycombinator.com/item?id=2482712)

¹ [http://mjtsai.com/blog/2011/03/22/disabling-dropboxs-haxie/](http://mjtsai.com/blog/2011/03/22/disabling-dropboxs-haxie/)
(2011) "Dropbox injects code into the Finder in order to draw the green and
blue badges atop your icons"

~~~
josteink
> Dropbox has been willing to get their hands dirty in their pursuit of user-
> friendliness since day one, especially on the Mac¹.

Where Apple is providing zero of the APIs you typically find on more open
platforms, like Linux and Windows.

Can't say I blame them. The other option would be to have a completely user-
hostile installer and we all know how well they fare with the general public.

Installation these days has to be one click, or nothing at all. Otherwise
you've lost your user.

~~~
_jal
> The other option would be to have a completely user-hostile installer

I'm unconvinced that a horrible installer is the only alternative, but even if
it were, you are asserting that you see subverting OS security mechanisms and
_intentionally ignoring user intent_ as somehow not user-hostile?

From my perspective, DB was kinda nifty when it first came out. The gap has
been filled by commodity software for folks who can deal with self-hosting, so
I'm personally happy. For other people, everyone and their pets wants to offer
us all seamless hosted storage; there's no need for a glorified rsync service
to be this creepy, evasive and intrusive.

> Otherwise you've lost your user.

I remain unconvinced that the various actions linked in the above were all
required for a nifty install experience. Indeed, some of them are only
required for forcing "features" on users that many have repeatedly indicated
they don't want, _after_ that all-singing, all-dancing install experience is
over.

Which, turns out, is a great way to lose your user.

------
dandare
Is Condoleezza Rice still working for Dropbox?

~~~
sp332
Yeah.
[http://www.bloomberg.com/research/stocks/private/board.asp?p...](http://www.bloomberg.com/research/stocks/private/board.asp?privcapId=49093148)

------
topspin
What value of "kernel" is involved here? It's a tweet, so there isn't much to
go on. I ask because I have this possibly naive view that one shouldn't need
an actual "kernel extension" to sync some files...

~~~
arachnids
Probably the "Infinite" extension [1] that lets you evict files from your disk
while still storing them in Dropbox. It's an opt-in feature (and perhaps only
available to Business customers?).

[1] - [https://blogs.dropbox.com/tech/2016/05/going-deeper-with-project-infinite/](https://blogs.dropbox.com/tech/2016/05/going-deeper-with-project-infinite/)

------
sidcool
The Twitter account seems to have been deleted.

~~~
rplnt
mirror:
[https://webcache.googleusercontent.com/search?q=cache:CgzTBD...](https://webcache.googleusercontent.com/search?q=cache:CgzTBD2JNGAJ:https://twitter.com/JZdziarski/status/836022552770326529)

content:

> So @dropbox is using a completely unsigned binary to install kernel
> extensions on your Mac. This behavior is indistinguishable from malware.

------
thunder-ltu
Uninstalled and closed the account. Thanks Dropbox!

