
Dropbox Attempts To Kill Open Source Project - driverdan
http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/
======
dhouston
drew from dropbox here. i hope you guys can give us the benefit of the doubt:
when something pops up that encourages people to turn dropbox into the next
rapidshare or equivalent (the title on HN was suggesting it could be the
successor to torrents), you can imagine how that could ruin the service for
everyone -- illegal file sharing has never been permitted and we take great
pains to keep it off of dropbox. the internet graveyard is filled with
services that didn't take this approach.

so, when something like this gets called to our attention, we have to do
something about it. note that this isn't even by choice -- if we don't take
action, then we look like we are tacitly encouraging it. the point is not to
censor or "kill" it (which is obviously impossible and would be idiotic for us
to try to do), but we sent kindly worded emails to the author and other people
who posted it to take it down for the good of the community so that we don't
encourage an army of pirates to flock to dropbox, and they voluntarily did so.

there were no legal threats or any other shenanigans to the author or people
hosting -- we just want to spend all our time building a great product and not
on cat-and-mouse games with people who try to turn dropbox into an illegal
file sharing service against our wishes. (for what it's worth, dropship
doesn't even work anymore -- we've fixed the deduplication behavior serverside
to prevent "injection" of files you don't actually have, for a variety of
reasons.)

that said, when we disabled public sharing of that file by hash, it auto-
generated an email saying we had received a DMCA takedown notice to the OP,
which was incorrect and not what we intended to do, so i apologize to dan that
this happened.

(*edited the last paragraph: we didn't send a takedown notice, we sent a note
saying that we received a DMCA takedown notice, which was also in error)

~~~
random42
> illegal file sharing has never been permitted and we take great pains to
> keep it off of dropbox.

Which is great, except you are punishing the crime before it even occurred.
Remember, use of torrents is not illegal per se; sharing files which you do
not own the copyright of, and piracy, is.

> there were no legal threats or any other shenanigans to the author or people
> hosting. (EDIT - Not applicable. Read Drew's edit.)

A DMCA takedown notice is a legal threat. The worst part is, it's not even
valid. IANAL, but do _you_ own the copyright of the data, or did the copyright
owner approach you to issue a DMCA takedown notice?

> it auto-generated a DMCA takedown notice to the OP, which as many pointed
> out here was invalid and particularly inappropriate in this case, and was
> absolutely not what we intended to do.

Please do not send legal notices without lawyers reviewing them?

~~~
SwellJoe
> Which is great, except you are punishing the crime, before it even occurred.

No, they aren't. They're enforcing the terms of use that Dropbox users agreed
to when signing up.

I don't think asking folks to take stuff down was the correct solution...I
think fixing the bug was the right solution, which they've also done. But, I
don't see how Dropbox is "punishing" anyone, when they're just asking people
to use the service as it is intended.

~~~
tlrobinson
It's clearly a violation of ToS to _use_ Dropship, however, it's less clear
whether it's a violation to _store code_ that has the _potential_ to violate
the ToS.

~~~
pbhjpbhj
Presumably if someone has reverse engineered Dropship¹ then we're not far off
having an FOSS Dropbox-a-like to use it with? I'd have thought that is the
problem Dropbox is most likely to be addressing?

Run your own organisation-wide Dropbox? Yes please.

Edit: ¹ I mean of course created Dropship by reverse engineering Dropbox's
protocols.

~~~
SwellJoe
> Presumably if someone has reverse engineered Dropship¹ then we're not far
> off having an FOSS Dropbox-a-like to use it with?

That's a pretty big stretch. You believe the client-side code to trigger
download of a file that doesn't exist on the system is "not far off from
having an FOSS Dropbox-a-like"? That's like finding a hub cap in the woods,
and deciding you've almost got all the parts needed to construct a car.

I don't believe Dropbox is using any techniques that are secret; I believe
anyone with the know-how, and time, and inclination, could use publicly
available algorithms to replicate everything Dropbox has done. The "secret
sauce" is not the protocol. There are a number of protocols for doing
versioned file storage (WebDAV, for instance) and a number of protocols for
transferring only the parts of files which have changed (rsync, for instance).
The hard part is in putting them all together, not in any magic to be found in
a few lines of code.

I highly doubt this is all a conspiracy to prevent people from building a FOSS
"Dropbox-a-like". People can already do that, without needing any Dropbox
magic. Oddly enough, no one has. I reckon it's because it's really hard to put
all those pieces together in a way that works easily for end users. Highly
technical users have had these kinds of capabilities for years in the form of
version control systems, rsync, etc. Open Source developers have solved the
hard algorithmic problems already (and Dropbox is standing on their
shoulders). What Dropbox did is make it accessible and usable by anyone.

Do people really need any explanation other than, "Somebody made a mistake and
sent out the wrong email"? They don't strike me as being particularly evil
guys when I've met some of them, and while they aren't bastions of Open Source
generosity as far as I know, they also never seemed to be anti-Open Source, to
me.

~~~
pbhjpbhj
> _The "secret sauce" is not the protocol._

Verily.

> _People can already do that, without needing any Dropbox magic. Oddly
> enough, no one has. I reckon it's because it's really hard to put all those
> pieces together in a way that works easily for end users._

These two sentences are contradictory. The magic clearly doesn't lie in the
protocol _per se_ or the specific idea but in the implementation. Having a
client that emulates Dropbox _seems_ to be the hard bit, strange as that may
sound.

I have used the web interface, but the client is generally the only point of
contact I have. If I have a new client that does exactly the same, and that
client can be switched to a new server, my experience will be >99% unchanged
and, in my scenario, the effectiveness will be the same.

If I can switch service without noticing any change in interaction (dropbox
just sits there after all) and in fact can use the same client with either
dropbox itself or a different server then it seems like a bad thing for
dropbox.

------
tptacek
Consider that maybe what's happening here is boring. Recognize that we all
have a cognitive bias towards narratives, and especially interesting
narratives. The discussion on this story is trying to build a narrative about
Dropbox vs. open source developers. The real story is probably not that
interesting.

The CTO of a service as technically interesting as Dropbox certainly knows
that he can't prevent the disclosure of their proprietary protocols. So
impassioned arguments about "security through obscurity" and "the futility of
trying to hide protocols" aren't adding much to the discussion. Everybody
understands those things. To the extent that Dropbox's protocols factor into
this story, they are obviously a fig leaf.

Thus far, the only thing Dropbox is purported to have done here is to politely
ask a developer to remove an application; then, presumably believing that the
mirror posts were simple nerd-rage, and that the author of the application
agreed with Dropbox, Dropbox's CTO filed takedowns at Github. This is not the
end of the world. As has been amply demonstrated, Dropbox can't effectively
suppress MIT-licensed code, and probably won't try to.

Instead, consider that maybe all Dropbox is trying to do here is establish a
track record of "not wanting Dropbox to become Rapidshare". This story then is
not a "PR nightmare" for them; it's the expected outcome of their actions.
They are trying to communicate both through words and actions that they are
going to do what they can to not be Rapidshare.

That Dropbox cannot technically keep determined nerds from trying to coerce
them into Rapidshare's use case is also not worth arguing about. I think we
all know that's true. But how many of us are going to go out of our way to
stick a thumb in Dropbox's eye?

~~~
anotherjesse
Understandable except the assertion of filing a dmca because he thinks that
the reposts of code are "geek rage". The DMCA provides that you may be liable
for damages (including costs and attorneys fees) if you falsely claim that an
item is infringing your copyrights.

Using this powerful law as a scare tactic isn't acceptable. If you wish to
claim that the code was in fact infringing, then the conversation is different.

This seems to be:

* illegal use of DMCA by Dropbox

* Dropbox says Dropship using the reverse engineered sync protocol broke anti-circumvention techniques or contains their copyright

Either of which are bold statements.

~~~
tptacek
Are we arguing over whether filing DMCA takedowns on innocuous MIT-licensed
code was a mistake? I'm sorry if I communicated that I didn't think it was a
mistake. But it's my perception right now that _even Dropbox_ thinks this was
a mistake; the guy who wrote this blog post posted more mirrors of the code.
Is Dropbox trying to get them taken down?

People make mistakes. In the grand scheme of mistakes, this is an extremely
trivial one.

~~~
knowtheory
I don't think that the unjustified and unilateral removal of code from someone
else's access or threatening anyone with legal action is _ever_ an acceptable
mistake, let alone "trivial".

The law is not a toy, and it's not supposed to be wielded casually. The DMCA
is certainly not treated with the respect it is supposed to afford citizens,
and this is just another example of that.

~~~
tptacek
We disagree. The mechanism for getting Github to take down code is the DMCA
request; it's what you use when someone at Github is hosting code that they
didn't own that you'd like removed and you feel you have some grounds to have
removed.

It was a mistake for them to use a DMCA request here, because the code was
MIT-licensed and thus even the author can no longer ask for it to be taken
down. But nobody paid legal fees here, nobody was sued, and the code is back
online, so, no, I am not amenable to the idea that Dropbox is being abusive.

Continuing to file DMCA requests would be abusive.

~~~
dhouston
We didn't file a takedown to github -- the author voluntarily took the code
down

~~~
blasdel
Someone complained that their fork on Github had been summarily deleted:
[http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-ope...](http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/#comment-145)

~~~
phaylon
Have you read the replies? No context, but insults. Plus the original forked
repo on github is still available. Someone complaining means nothing.

------
arashf
This is Arash from Dropbox. We removed the ability to share the project source
code because it enables communications with our servers in a manner that is a
violation of our Terms of Service. By our TOS, we reserve the right to
terminate the account of users in this case. However, we chose to remove
access to the file instead of terminating the account of the user.

We recently built a tool that allows us to ban links across the system (as of a
few weeks ago) and I wasn't aware that a DMCA takedown email would be auto-
generated and sent. This was a tool built for our support team and I'd never
personally used it. That said, we feel strongly that the code is a violation
of our TOS and don't believe the removal of the content from our site is
censorship.

I'd also like to clarify that nobody's accounts were threatened: in every case
my phrasing was as follows: 'I hope you can understand our position and can
agree to remove the Dropship code'.

~~~
tghw
Would you mind highlighting what part of the ToS this sort of thing violates?

~~~
argos
yeah, one thing is to _use_ the code on Dropbox servers... I could understand
the ToS violation in that case.... but having the code is a violation?

~~~
RBerenguel
This is my point in a comment in the post, before reading the comments here in
HN. Burning books because they have forbidden knowledge.

------
CoffeeDregs
Most interesting comment to that article:

    
    
    Thankfully all DMCA requests are filed under penalty of
    perjury. If he claims that he owns the copyright to
    material he doesn't own, he has now opened himself up
    to civil litigation.
    

Really. Seems so: [http://www.aaronkellylaw.com/Internet-Law-and-Intellectual-P...](http://www.aaronkellylaw.com/Internet-Law-and-Intellectual-Property-Articles/Consequences-of-filing-a-false-DMCA-Takedown-Request.shtml)

~~~
rprasad
Not an invalid DMCA request, even assuming one was sent out.

Copyright applies to original _and derivative_ works, though multiple parties
may own copyrights to a derivative work.

In America, derivative works include software programs which are inseparably
reliant on code or features (including APIs) of another program. It's
basically the same argument that WordPress and Drupal make in regard to
themes, plugins, etc., falling under the same open source licenses (i.e.,
copyrights) as the platforms themselves.

In this case, dropship is entirely reliant on unique features of Dropbox. This
makes it a derivative work, and would mean that Dropbox has copyrights over
dropship. The programmer of dropship _also_ has copyrights over dropship to
the extent that the code is an original work, but Dropbox's rights trump his
b/c they own the rights to the original underlying work.

~~~
dctoedt
> _In America, derivative works include software programs which are
> inseparably reliant on code or features (including APIs) of another program.
> ... In this case, dropship is entirely reliant on unique features of
> Dropbox. This makes it a derivative work, and would mean that Dropbox has
> copyrights over dropship._

I don't think that's true; if you've got any case authority, I'd certainly
like to remedy my ignorance of it.

"Derivative work" is defined in the Copyright Act: [1]

 _"A 'derivative work' is a work based upon one or more preexisting works,
such as a translation, musical arrangement, dramatization, fictionalization,
motion picture version, sound recording, art reproduction, abridgment,
condensation, or any other form in which a work may be_ recast, transformed,
or adapted _. A work consisting of editorial revisions, annotations,
elaborations, or other modifications which, as a whole, represent an original
work of authorship, is a 'derivative work'."_ [Emphasis added]

I don't recall ever having seen any kind of ruling that sending API-compliant
messages to another computer via the Internet, for processing by code already
running on the other computer, somehow constitutes creating a derivative work
of that code.

And I don't see how, in any normal case, the owner of the code on the other
computer could claim that the API message sender had caused an infringing copy
of the code to be made. If I were representing the API message sender, I'd
likely argue that the owner of the code -- by (putatively) licensing the
computer operator to configure the code to listen for and process API messages
-- had consented to whatever copying might have occurred.

[1] [http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_0...](http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000101----000-.html)

------
thecoffman
I can see why Dropbox would be upset about the existence of such a thing, but
trying to force people to take it down seems incredibly foolish. The whole
issue will garner them negative publicity and people will see it anyways
thanks to the Streisand effect.

I had actually missed the original post, but now thanks to their takedown
attempts I've downloaded a copy for myself as it's very interesting.

~~~
cabalamat
> trying to force people to take it down seems incredibly foolish

As does the fake DMCA takedown. If Arash Ferdowsi wants people to think he's
dishonest, he's going the right way about it.

~~~
Goronmon
There was no DMCA takedown notice.

~~~
bigiain
That's not what Dropbox say:

<http://news.ycombinator.com/item?id=2482803>

(admittedly, several hours after you posted)

~~~
ugh
There was no takedown notice. Those emails (erroneously) informed the
recipient that a third party had sent a takedown request.

------
ramanujan

    Dan DeFilippi: "In my unhumble opinion censorship is never an option."

Dan DeFilippi would certainly not like it if all his documents and code from
his personal hard drive were splashed across the internet.

What he considers "censorship", another person would call "not pushing someone
in front of a train". He knows full well that (a) Dropbox is a pretty friendly
company with reasonable people solving a real problem and (b) the RIAA and
MPAA are NOT friendly and NOT reasonable.

This linkbait title ("kill open source project") is the equivalent of police
going after students for bike tickets while avoiding the dangerous parts of
town. Dan DeFilippi is going after the good citizen (Dropbox) for the minor
philosophical crime of not supporting everything that calls itself "open
source", while completely lacking the balls to actually take on the _real_ bad
guys here, namely the RIAA and MPAA's _real_ lawsuits.

Indeed, even if he did set up his own torrent server, they'd ignore him for a
while. Dropbox has financial resources, so they'd actually be the target. So
DeFilippi is getting behind them and trying to push them in a fight that is
certainly NOT one they want to engage in, without taking any personal risk
himself. Not particularly ethical, IMHO.

------
jeremymcanally
And now they see the Streisand Effect in action.

This was an unfortunate reaction by them that will damage their social capital
(a little at least) among one of their core markets. I doubt it'll drive them
into bankruptcy, but it's irritating for me to see this sort of behavior.

------
superuser2
However justified you think piracy is, resisting efforts to turn a product you
created for legitimate personal file sharing into a better BitTorrent is a
valid business decision.

That's a really incendiary headline. Yes, they tried to kill an open source
product, _whose purpose was to facilitate illegal file sharing over DropBox_.

The PR fallout from this among the tech community is probably nowhere near the
fallout it would experience if it became the next Kazaa.

~~~
ceejayoz
> Yes, they tried to kill an open source product, whose purpose was to
> facilitate illegal file sharing over DropBox.

Where are you getting that information? My understanding is that its purpose
was explicitly to facilitate _legal_ file sharing over DropBox - Linux ISOs,
for example.

~~~
sorbus
Linux ISOs are always the example people come up with when they're defending
protocols and methods which are primarily used for illegal purposes.

The original post for DropShip gave, as an example, the trailer for a movie.
Not the movie itself, but the trailer. That's the equivalent of saying "I've
developed this great way to share files, such as videos, but am not going to
explicitly say that it could be used for piracy even though everyone knows
that that's the only thing it will be used for."

~~~
calloc
The trailer is from the free video that was released by the Blender foundation
...

~~~
sorbus
Yeah, I know. I feel that my point still stands, though it is somewhat
weakened.

------
dporan
The journalist A.J. Liebling said, "Freedom of the press is guaranteed only to
those who own one."

I guess the corollary here is, "If you don't own the server, you don't own the
file."

Maybe this is why Richard Stallman calls cloud computing "careless computing."

~~~
billswift
Something Eric Raymond agrees with him about - <http://esr.ibiblio.org/?p=932>

Eric also had another post _Three Systemic Problems with Open-Source Hosting
Sites_ a few months later (October 2009) - <http://esr.ibiblio.org/?p=1282>

------
cmatthias
Wow, did not expect this from a savvy company like Dropbox. Filing a fake DMCA
complaint? I think I'll take my files elsewhere.

~~~
adamhowell
Well that makes one of us who can live without Dropbox.

Drew would have to kill a baby panda with an elephant tusk for me to even
begin thinking about switching.

~~~
amock
Do you need Dropbox or just something like it? Dropbox doesn't seem to have
very strong network effects so it seems like it would be easy to replace with
a similar product. If you're willing to give up features that require hashes
to be shared across accounts you could even have a secure replacement with
client side encryption.

~~~
runjake
Your comment would've been much more helpful had you provided said
alternatives.

~~~
mtogo
Four seconds on duckduckgo:
[https://secure.wikimedia.org/wikipedia/en/wiki/List_of_onlin...](https://secure.wikimedia.org/wikipedia/en/wiki/List_of_online_backup_services)

~~~
runjake
Thanks for the sarcastic response, but I'm already familiar with that page.

What I'm more interested in is what HN users like and dislike and recommend,
as opposed to a bunch of features charted into a table with nothing valuable
in terms of reliability, usability and actual security.

Lately, I've been leaning towards Jungle Disk for file syncing & some S3
solution for cloud backups.

~~~
amock
I've used SpiderOak and I was happy with it. I only used it to synchronize
files across my laptops and desktops so I don't have any experience with
mobile clients for it. I now use cron, rsync, and ZFS snapshots for versioning
of all of my home directories. Both solutions worked well for me and which
one, if either, is best depends on your situation.

------
Pahalial
You know, I really don't understand the rage around this case, or more
specifically that it's supposedly all coming from people who otherwise love
Dropbox.

So let's examine what you're (potentially) doing by forcing this issue and so
on:

(1) Calling down a Streisand effect on Dropbox. Perhaps you believe that code
is meant to be free to such an extent that this is part of your goal, so,
sure.

(2) They clearly have no intention of allowing DropShip to become a common use
case. If your Streisand effect results in wide adoption by people who just
latch onto your censorship angle, they will have to take rushed action to
prevent further spread.

(3) This rushed action could be a technical solution (maybe challenge-
response, as mentioned) or a banhammer once they have narrowed down the use
signature for dropship.

--

(3a-technical) If it's the technical solution, as it was produced under rapid
duress, it is buggy. Suddenly, your beloved dropbox starts corrupting your files,
or refusing to sync some in edge cases. Oops. Some [paying] users who never
even heard about this 'censorship' issue notice this issue and take their
business elsewhere, and of course it's less useful to you too as a tool until
they fix it.

(3a-technical alternative) It's not a buggy fix because they're supercoders.
Still, their team had to put in an ungodly week to make and stress-test the
fix; congratulations on ruining their quality of life for a week while still
losing dropship.

(3b-banhammer) Well, they figure out how to track people using dropship, and
maybe institute a 3 strikes policy (2 emails, 1 ban.) So you stop using
dropship after the first email, with a bit of simmering resentment at dropbox;
still no dropship. Meanwhile, there are false positives because of course
there are; this generates a second, far louder Streisand effect, and dropbox
again loses some paying customers.

-

In summary: sure, open-source code is meant to be free. But your actions don't
exist in a vacuum. At the end of the day, Dropbox is clearly not going to
tolerate dropship on its network. Consider whether you would rather keep using
dropbox as it is, or shoehorn yourself into basically open war on dropbox
unless you can dropship on it.

(Tangentially: it was a neat enough hack, but it still doesn't seem functionally
any different than sharing public URLs for the file, with the only
difference being that you circumvent the bandwidth limits - again, congrats
on fighting the TOS of a service you supposedly love.)

~~~
gordonbowman
Well laid out. The worst crime here is taking up the invaluable time of
Dropbox developers who could and should be focused elsewhere.

~~~
bigiain
Or from a slightly different perspective, "strongly encouraging the developers
at Dropbox to focus _now_ on security/privacy issues that ought to have been
dealt with before pushing their existing code live". Doesn't seem to deserve
the label "worst crime" when described like that.

------
shasta
Dropbox has a simple technical recourse to prevent de-duplication from being
used for file sharing - issue a random challenge (a slightly more
sophisticated version of "ok, what is the 100th word in the file?") before
acknowledging a collision as a true duplicate.

Edit: Thinking about this a bit more, the primary expense of this scheme would
probably be accessing the file to verify the challenge results. Here's a
question: is there a cryptographic scheme which would allow responses to some
form of challenge to be verified using a relatively small key (32 or 64 bytes
would be nice), but for which it isn't feasible to rebuild the key given a few
thousand sample challenges?
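
The random-challenge idea above, written out as an added example. This is
illustrative code, not the thread's, Dropbox's or Dropship's; the
`DedupServer` class, the 64-byte challenge window, the per-challenge nonce and
the HMAC-SHA256 response are all assumptions of the example. A client that
claims to already hold a file must answer a challenge over a random byte range
of the server's copy before the server treats the hash match as a true
duplicate; a client that only knows the hash cannot.

```python
import hashlib
import hmac
import os

# Constructed sample "storage": content hash -> bytes the server already holds.
# Kept inline so the example runs offline; a real service would read from disk.
STORED_FILES = {}


def content_hash(data):
    return hashlib.sha256(data).hexdigest()


def server_store(data):
    """Upload path: the server keeps the bytes and returns their hash."""
    h = content_hash(data)
    STORED_FILES[h] = data
    return h


class DedupServer:
    """Hypothetical server side of the dedup check (not Dropbox's design).

    A client claiming "I already have the file with hash H" must first answer
    a fresh challenge over a random byte range of the stored copy, keyed with
    a per-challenge nonce so earlier answers cannot be replayed.
    """

    def __init__(self, window=64, rng=os.urandom):
        self.window = window   # bytes of the file the client must prove it has
        self.rng = rng
        self.pending = {}      # challenge id -> (hash, offset, length, nonce)

    def issue_challenge(self, file_hash):
        data = STORED_FILES.get(file_hash)
        if data is None:
            return None        # nothing to dedup against: a real upload is required
        length = min(self.window, len(data))
        max_offset = len(data) - length
        offset = int.from_bytes(self.rng(8), "big") % (max_offset + 1)
        nonce = self.rng(16)
        cid = self.rng(8).hex()
        self.pending[cid] = (file_hash, offset, length, nonce)
        return {"id": cid, "offset": offset, "length": length, "nonce": nonce}

    def verify(self, cid, response):
        """True only if the response matches an HMAC over the stored bytes.
        The server has to read that range: this is the cost the comment notes."""
        entry = self.pending.pop(cid, None)   # single use: a replayed id fails
        if entry is None:
            return False
        file_hash, offset, length, nonce = entry
        chunk = STORED_FILES[file_hash][offset:offset + length]
        expected = hmac.new(nonce, chunk, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(local_data, challenge):
    """Client side: HMAC over the requested range of the bytes it actually holds."""
    start = challenge["offset"]
    end = start + challenge["length"]
    return hmac.new(challenge["nonce"], local_data[start:end], hashlib.sha256).digest()


def dedup_allowed(server, file_hash, local_data):
    """Full exchange: challenge, answer, verify. True means dedup is accepted."""
    challenge = server.issue_challenge(file_hash)
    if challenge is None:
        return False
    return server.verify(challenge["id"], client_answer(local_data, challenge))


def run_demo():
    """Constructed scenario: the legitimate owner, a client holding only the
    hash (the situation the thread discusses), a client holding different bytes
    of the same length, and a hash the server has never seen."""
    original = bytes(range(256)) * 16          # 4096 bytes of constructed content
    file_hash = server_store(original)
    server = DedupServer()
    return {
        "owner": dedup_allowed(server, file_hash, original),
        "hash_only": dedup_allowed(server, file_hash, b""),
        "wrong_content": dedup_allowed(server, file_hash, b"\x00" * len(original)),
        "unknown_hash": dedup_allowed(server, "0" * 64, original),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points are worth noting. The nonce is what makes each answer
single-use: without it, a client that recorded a few earlier responses could
replay one whenever the same offset came up again. And the cost is exactly
the one identified in the edit above: `verify` must read the challenged range
of the stored file, so this scheme does not give the verifier a small fixed
key to check against.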

~~~
kragen
AIM used to ask for a cryptographic checksum of a randomly chosen byte range
of the AIM executable. The Gaim (now Pidgin) developers had to set up a server
that would return checksums on demand. This doesn't meet your requirement of
the verifier needing a small key.

Given that Dropbox apparently has no qualms about perjuring themselves in
order to stop Dropship (or, as discussed in an earlier thread, lying about
their security measures in order to defraud their customers), they could
probably also take retaliatory action beyond just denying service to the user.
Here are some possible retaliatory actions they could take:

* they could publish the user's private files, or simply look through them for the user's credit card numbers.

* they could sell the above data to the highest bidder.

* they could use it to attempt to impersonate the user to their bank in order to empty their bank account.

* they could randomly corrupt the user's data. (This might require a backdoor in the client software.)

* they could wait for an unusual volume of requests from the user (perhaps indicating that the user was trying to restore from backup) before terminating the user's account without warning.

* they could carefully comb through the user's files looking for evidence of any crime (illegal drug use, underage drinking, copyright infringement, possessing seditious literature, importing obscene material, defaming Islam, apostasy, embezzlement, tax evasion, whatever is the biggest no-no in their locale) and anonymously tip off the appropriate authorities.

* they could insert faked evidence of such crimes into the user's files, and then tip off the appropriate authorities.

Perhaps potential Dropbox users ought to be wary. This is a second data point
in the company's history of seriously unethical behavior; one hopes they
wouldn't engage in any tactics like the above in a dispute with a former user,
if their extremely polite requests failed, but my experience is that people
who behave unethically in medium-large ways often behave unethically in larger
ways as well.

 _Caveat utilitor_.

~~~
crocowhile
caveat utilitor.

~~~
kragen
Thanks, fixed. My acquaintance with Latin is mostly by way of Spanish, where
it _is_ utilisador (well, in normal speech, usuario.)

------
duck
Tip: If something is on the web and has been linked to via a site like HN,
don't ask them to remove it no matter how bad it hurts you. It will _never_
result in a good thing for you and will definitely hurt more afterwards.

------
arkitaip
What a PR disaster. There is something really wrong at Dropbox if this kind of
dishonest and abusive behavior is coming from a co-founder.

------
phren0logy
The author of the software stated very clearly that he was approached by the
CTO of Dropbox, who asked civilly that the repo be taken down.

This seems an intentional exaggeration of the issue to drive traffic.

>wladimir: Arash (the CTO) asked me to, in a really civil way. So I decided to
respect his wish and take down the repository.

<http://news.ycombinator.com/item?id=2478688>

~~~
soult
This is not about the Github repository of the original developer. Someone
managed to download a tar archive of the repository from github (after the
repository was removed from github) and uploaded it to his public dropbox
folder.

------
warthurton
I spent a few minutes going over the Dropbox Terms of Service.

The section I believe that they are referring to when they removed the public
link is:

General Prohibitions

You agree not to do any of the following while using the Site, Content, Files
or Services:

Post, publish or transmit any text, graphics, or material that: (i) is false
or misleading; (ii) is defamatory; (iii) invades another's privacy; (iv) is
obscene, pornographic, or offensive; (v) promotes bigotry, racism, hatred or
harm against any individual or group; (vi) infringes another's rights,
including any intellectual property rights; or (vii) violates, or encourages
any conduct that would violate, any applicable law or regulation or would give
rise to civil liability;

...

Attempt to decipher, decompile, disassemble or reverse engineer any of the
software used to provide the Site, Content, Files or Services;

(Excerpted in whole for clarity. Full Terms at:
<https://www.dropbox.com/terms#terms>)

Seemingly not only is posting the code for DropShip a violation, but just by
me putting up this file ( <http://dl.dropbox.com/u/1498040/2plus2equals5.txt>
) in my public folder, I'm also violating the Terms, as I am publishing text
that is false and possibly misleading.

------
SoftwareMaven
The DMCA notice came as a result of an automated support system. The CTO's
understanding was the system blocked access to individual files, but the real
purpose is blocking access as part of DMCA requests, so it automatically sends
the DMCA notices out.

This wasn't somebody trying to strong-arm somebody else. It was an
understandable mistake.

~~~
driverdan
I agree with your assessment. It seems that the DMCA notice was a mistake,
there was no real takedown issued to Dropbox.

------
apperoid
Just in case here are a few other mirrors:

<https://github.com/apperoid/dropship>

<http://min.us/mvjl61c>

<http://www.mediafire.com/?6gplpdpib6zg5dm>

[https://rapidshare.com/files/459187624/driverdan-dropship-56...](https://rapidshare.com/files/459187624/driverdan-dropship-56b4296.tar.gz)

------
getsat
> and reverted the lockdown on my public files

Is this line terrifying to anyone else? Between this and the published
security problems, I am steering clear of this service.

------
w1ntermute
Here's another mirror, just in case:
<http://ompldr.org/vOGY0dg/laanwj-dropship-464e1c4.tar.gz>

------
arethuza
What a completely unedifying spectacle:

- Overblown "geek rage" over a non-existent DMCA takedown notice and bizarre
"legal" arguments

- A company mishandling a security flaw by asking a developer to remove code
that exposes the problem rather than simply fixing the problem and leaving the
code in the wild to demonstrate that the flaw doesn't exist anymore

I use DropBox, although I wouldn't say I depend on it. What this episode did
make me appreciate is the degree to which DropBox is a closed product - there
may be good commercial reasons for this but as a consumer I'd rather use a
service that has at least an open and documented interface (even if the
implementations are still proprietary).

------
driverdan
I've seen a lot of comments that misunderstand the DMCA. Many people seem
fixated on this issue. Had I realized this would be the case I wouldn't have
emphasized it as much.

It was an automatic email sent by mistake and was retracted when
discovered. It's certainly an issue worth mentioning and discussing but don't
fixate on it.

Don't get me wrong, I was completely enraged when I received it but I think
Dropbox has done well in addressing it.

------
mef
Am I the only one who finds it refreshing to see a business trying to protect
itself with a friendly email rather than legal threats? Kudos to the Dropbox
guys for walking that fine line with such finesse.

~~~
wladimir
Yes. I think that's the only thing that's deserved to be said here.

People here should just relax, I'm sure there are many companies that deserve
your rage but Dropbox is not one of them.

They simply asked me to take down the repository while they could work on
blocking Dropship technically on the server side. No threats involved. This
should be very good PR and many companies can learn from this.

Sure, trying to prevent people from writing/distributing programs that use a
service in unexpected ways is pointless in the long run. If something is
technically possible it _will_ be done.

Hence, as some more validation is added, Dropbox will overall be a more secure
service. In my opinion it was a feature instead of an exploit :) but hey, it's
their service.

All the meanness flung in this thread at either me or Dropbox is completely
uncalled for.

------
ugh
Understandable. Dropbox doesn't want to become a piracy website. Using a DMCA
takedown request was a stupid way of dealing with the issue, though.

~~~
mncolinlee
Why does everyone make the assumption that torrents and services like Dropship
must be used for piracy? Major video game companies use torrents all the time
to distribute patches and betas.

A knife can be used to commit murder, but most often it is simply used to cut
food. The problem with the way DMCA works is that it bars the development of
new technologies because one of many uses _could_ be harmful. The law stifles
innovation when used this way.

~~~
rick888
"A knife can be used to commit murder, but most often it is simply used to cut
food."

Most of the time, a knife is used for cutting food and it can be used for
murder.

Most of the time, torrents are used for piracy and they can be used for
legitimate and legal files.

Search for "torrent" on Google. The majority of the results are search engines
for pirated material (and in many cases, direct links to the torrents).

See the difference?

~~~
TheAmazingIdiot
I would tentatively disagree.

You are indeed correct that most Torrent Sites are mainly piracy distribution
hubs. However, torrent sites are not indicative of torrent traffic by
_Clients_. *

From what I understand, Blizzard uses torrents to spread patches for World of
Warcraft. It is also used, I believe, in Steam as well.

* I would also argue that, although copyright violations, transfers of TV shows are already done via the main distributors' websites. Other than where the source is from, I do not see much a difference.

I would also argue that piracy itself is a response to market failure. When
it's easier to get working media (notably cracked programs and
music/movies/shows) via a 3rd party distribution than from the source, there
is _something_ wrong. Many times, it is because of "We won't sell to that
country until $later", or "Our antipiracy software won't run on your computer",
or it just is infeasible to find it. But essays have been done on this topic
alone.

~~~
ugh
My guess is that Dropbox cares about its image and wants everything piracy
related to be kept at arms length. It’s not their business model. They want to
be a trustworthy service everyone – from nerds to their moms and dads – wants
to use.

I would argue that the prevalence of piracy harms, for example, Rapidshare’s
image as a serious filesharing service. That’s not an issue for Rapidshare
because piracy is their business, but it isn’t the business of Dropbox.

This is consequently not so much about the nature of piracy and much more
about the image of Dropbox.

Whether or not Dropship would actually be a good tool for piracy is very much
an open question (and one you can certainly argue about), Dropbox seems to
think it is.

(I also want to note that even if only one percent of all torrent traffic is
piracy related, it’s still wrong to compare it to knives. There are so many
knives in the world, the fraction of knives which are used to harm people must
be infinitesimal. And, to clarify something else: I would be vigorously
against any legislative attempts at banning torrents. Legislatively, that’s
just not the right way to go. But that’s the law and Dropbox is no
government.)

------
neworbit
As much as I'd like to see companies busted for abusing the DMCA to take down
things they object to, I would rather it had been one of the traditional Big
Media Thugs who was on the wrong end of a lawsuit for fraudulent DMCA claims
rather than Dropbox... who I otherwise like.

------
mrud
Isn't the so called DMCA take down notice in this example not just a
notification for the user that Dropbox received such a take down notice and
not a DMCA takedown notice?

~~~
spudlyo
Shhh. You're spoiling everyone's fun. How can you expect me to get all worked
up about a notice about a non-existent notice?

------
jayp
This behavior is unconscionable when there is such an obviously trivial
technical solution to this problem.

Here is my quick and dirty technical solution.

(1) Place a restriction: only allow users who have uploaded a given file to
download that file. In essence, keep an "uploaded" flag for each file/user.

(2) Challenge-response to validate local copy of a globally-known file: To
continue receiving the benefits of de-dup, don't actually upload an already
globally-known file, but perform a challenge-response with the client on the
contents of the actual file. This will still leverage most of the benefits of
de-dup w.r.t bandwidth savings.

~~~
marshray
I guess they're already at a point in their business where they feel like it's
easier for them to try to silence their fanbase-hackers-modders-addon
developers instead of just quietly fixing the issue.

At least Twitter had the sense to phase-in client auth for apps before
shutting down 3rd party developers.

------
cnicolaou
The title of the post +HN post should be changed after the author updated his
entry and clarified Dropbox' position.

------
plasma
Dropbox can decide what its servers/resources are used for, and allowing
'Dropship' to be used to transfer copyrighted files sounds like a problem they
don't want - and neither would I, as a company owner.

Legitimate users are not impacted at all from this recent change; people who
were wanting to share copyrighted files to the masses are impacted but they
aren't customers Dropbox would want in the first place.

I think it's disingenuous to say Dropbox shouldn't have tried to stop the
project from being used; if I ran Dropbox and something came up that
threatened my company and its customers I would try and stop it being used in
an instant.

The people Dropbox contacted voluntarily took down the project, so they must
have agreed with Dropbox's logic in some form that yes, perhaps the project
would be better off not being available.

I'm not sure I like the title, "... attempts to kill open source project" as
if to say open source is somehow an endangered species and Dropbox is some
horrible elephant killer? :)

I suppose it's disappointing to me when I read some comments that are
immediately on the attack when it may not be warranted or fair, or put up
arguments like 'torrents can be used to distribute linux ISOs' (not a real
quote!) when everyone knows that's not what Dropship would be used for at all.

------
JCB_K
_Second, dealing with piracy is the responsibility of Dropbox. It’s not the
problem of an innocent hacker who wrote some useful code that could benefit
legitimate users and advocates the use of his software for “sharing photos,
videos, public datasets, git-like source control, or even as building block
for wiki-like distributed databases."_

Could someone give me 1 example of a use case here? The only reason I can
think of to share the hash of a file instead of a direct link, is because it's
an illegal file, and you don't want to link straight to it. Why else would you
go through the effort of hashing all 4mb blocks of the file, and sharing those
elsewhere?

Of course, this is a dangerous gray legal area, but I think it's fair to say
that the only reason to use this is because of illegal files. Also, they
didn't take legal action (which wouldn't be right, as no one has been proven
of doing illegal stuff), they just asked nicely, so it seems. Dropbox is right
to act on this, as it could potentially ruin their platform.

~~~
JCB_K
Could someone elaborate on why I was downvoted here?

~~~
St-Clock
I don't know because I thought your comment was insightful. But since this is
one of the worst threads I have read since I joined HN, in terms of FUD and
signal-to-noise ratio, it is not impossible that someone who misunderstood the
situation downvoted you.

The fact that comments like "Man you guys are dumb."
(<http://news.ycombinator.com/item?id=2482925>) weren't voted down is
indicative of the health of this thread.

------
staunch
Is there anything Dropbox can do to prevent this de-dupe hack?

~~~
judofyr
Sure: When the client has created a hashsum of the file and sent it to the
server, the server can respond with a challenge: "What's the SHA1 of the bytes
between X and Y" (where X and Y are random numbers). This is something both
parts can easily compute and the client _must_ have the whole file in order to
answer the challenge.
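
jayp's two-step fix earlier in the thread and judofyr's byte-range challenge describe the same proof-of-possession protocol. The following is an added Python example written for this page (not Dropbox's or Dropship's code): an in-memory stand-in for the dedup server keeps the per-user "uploaded" flag from step (1), and before granting dedup credit it asks the client for the SHA-1 of a freshly chosen random slice of the file. The class and function names and the 64 KiB sample file are constructed for the example.

```python
import hashlib
import hmac
import secrets

class DedupServer:
    """Constructed stand-in for a dedup server that already holds known files by SHA-1."""
    def __init__(self):
        self.store = {}      # sha1 hex -> file bytes the service already has
        self.pending = {}    # (user, sha1) -> (start, end) of the outstanding challenge
        self.owners = set()  # (user, sha1) pairs that proved possession: the "uploaded" flag
    def add_file(self, user, data):
        digest = hashlib.sha1(data).hexdigest()
        self.store[digest] = data
        self.owners.add((user, digest))
        return digest
    def claim(self, user, digest):
        """Client says it has <digest>: reply with a random byte range to hash, or None if unknown."""
        data = self.store.get(digest)
        if not data:
            return None  # not globally known (or empty): client must upload in full
        start = secrets.randbelow(len(data))
        end = start + 1 + secrets.randbelow(len(data) - start)  # non-empty slice, end <= len
        self.pending[(user, digest)] = (start, end)
        return start, end
    def verify(self, user, digest, response):
        """Each challenge is single-use; compare in constant time; on success record ownership."""
        rng = self.pending.pop((user, digest), None)
        if rng is None:
            return False
        expected = hashlib.sha1(self.store[digest][rng[0]:rng[1]]).hexdigest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.owners.add((user, digest))
        return ok
    def can_download(self, user, digest):
        return (user, digest) in self.owners  # step (1): only proven owners may fetch

def client_answer(local_file, start, end):
    return hashlib.sha1(local_file[start:end]).hexdigest()  # honest client hashes the real slice

def run_demo():
    """Returns (honest_accepted, hash_only_accepted) for a constructed 64 KiB file."""
    srv = DedupServer()
    data = bytes(range(256)) * 256
    digest = srv.add_file("alice", data)
    ok_honest = srv.verify("bob", digest, client_answer(data, *srv.claim("bob", digest)))
    # A client that knows only the whole-file hash has nothing better to send back than that hash.
    srv.claim("mallory", digest)
    ok_cheat = srv.verify("mallory", digest, digest)
    return ok_honest, ok_cheat
```

Because the slice is chosen by the server after the claim and never reused, a client that holds only the hash list cannot precompute an answer, while an honest client still avoids uploading a file the service already has.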

------
p09p09p09
OTOH, wouldn't it be neat if a distributed Tahoe-LAFS supported dropship-like
functionality as a feature?

------
mborromeo
If you spend so much time, passion and money building a product like Dropbox
you will try to defend it from every kind of threat: today the "piracy" topic
is a hot one, sounds like its worse than killing someone, and Dropbox is hit
by this "piracy" threat. I fully understand and respect Dropbox founders
positions, and the DMCA issue is clearly a bug in my opinion (i wouldn't
automatically send those kind of communications upon a system-forced file
deletion, however).

------
rryan
Anyone saying that Dropship has legal uses is wrong -- you're stealing from
Dropbox by using it whether you're sharing your academic, public-domain
dataset or your pirated movie.

Dropship sidesteps the TOS of Dropbox by letting users get unlimited sharing
bandwidth. Dropbox itself has a share feature which uses the exact technical
mechanism by which Dropship works, except it also puts rate limits and caps on
sharing.

OT: This is probably the worst comments thread I've ever read on HN. It's like
an echo-chamber telephone game. Jeez.

------
sha90
Forked so that I can hopefully get one of those cool friendly emails!

------
shad0wfax
Strike 2, dropbox

~~~
wewyor
What was strike 1?

I can understand them not wanting the files to be public, but as tptacek said
this is probably fluffed up quite a bit.

As far as I'm concerned the only issue with how they handled it is the DMCA
takedown request, and if the CTO acted as said but that is less of a factor.

If the files were never removed from the person's dropbox and only public urls
disabled I'm okay with that. However if the files were removed I would
probably count that as all three strikes and jump ship.

~~~
kragen
Strike 1 was when they got caught lying about whether their employees could
decrypt your files or not.

~~~
wewyor
I suppose so, I always took that statement to be that employees didn't have
easy access to your files (such as without decrypting from the servers).

It should have been obvious to anyone else remotely familiar with security
that dropbox had/has access to your files from the simple fact that you could
reset your password, as well as the web interface.

~~~
shad0wfax
wewyor, like kragen & iamjustlooking pointed out I considered that whole
episode as strike 1. I agree I am being extremely critical and have to agree in
spirit that this is their real goof up. Poor security is not a reason to
abandon the ship if they show an intent to fix it ASAP. What I felt a bit let
down by in this whole take down thing was, their initial approach was to suppress
the hackers rather than fix their problem. I see in another post they seem to
have addressed the loophole (?), which is the way to go. Embrace ppl tinkering
this way but make your platform robust.

------
forkrulassail
Just lost all my respect for them.

------
leon_
Way to alienate customers, Dropbox. I'm gonna cancel our team's account and
refrain from using dropbox altogether.

------
donpark
Forget about DMCA and other excuses. Dropship-like hacks could have huge
negative impact on Dropbox business model. I can't fault them for taking
actions to protect their business.

------
Dubois
It's a shame that Dropbox has resorted to attacking its users and threatening
them with loss of data. Looks like it's time to clone Dropbox and offer some
respectable service to users.

~~~
injekt
I can't see that they've done any of this. They've been pretty polite about
the whole thing. At least that's what the article says. The fact they mention
that their terms give them the right to deny users access to their service at
any time doesn't mean they're threatening. It's just a reminder.

They've said the DMCA was a mistake and they hold their hands up to that.
Aside from that, I can't see how they've done anything wrong. OK so asking the
author to remove it from 3rd party sites is a bit cheeky, but that's all they
did.. ask. I would have asked too, the author didn't have to. He clearly
didn't want any trouble.

Imo Dropbox should have just fixed it then, and sat there and laughed when people
tried to use Dropship and it didn't work. It would have saved 'Dropbox attempts
to kill open source project' and may have even caused for 'Dropbox fixes file
hashing issue x days after open source project built to exploit it'. That way,
both win. But that's just my 2 cents

