

Hacking the Dropbox Space Race - josh_blum
http://blog.burtonthird.com/?p=81

======
dorianj
I don't have a serious problem with this... but ballot stuffing and fake account
registration seem the domain of SEO/blackhats or Anon. This isn't a 'cute
hack' worthy of praise -- it's just abuse of MIT and Dropbox systems for no
great reason other than perhaps pride.

~~~
mayneack
As noted below, MIT had a significantly higher target than any other school.
The jump from 15 to 25 for MIT was ~50k points while NUS (26k students) got to
25 around 25k total points. Remember that by "not cheating" there are only
~10,000 MIT students (undergrad and grad), so the goal is impossible without
cheating (there aren't that many faculty members and staff).

It wouldn't surprise me if they assumed it would be cheated, so this was an
attempt to improve their fraud detection. After all, it's not like these extra
50,000 accounts actually cost much to Dropbox. They each will presumably have
only the starting files in them which are all duped in every other account.

~~~
jens009
I think Drew, as an MIT alum, expected MIT to script the process anyway. In
fact, I'll bet he's proud that his alma mater bypassed Dropbox's flagging
filters. Also, now Dropbox can look to hire new potential MIT interns and
employees.

I see no problem with that ^^

~~~
mayneack
Apparently yes: <http://news.ycombinator.com/item?id=4681215>

------
w1ntermute
> Dropbox’s founder and MIT Alum, Drew Houston, tried to lessen our emotional
> damage by creating a “United States Leaderboard” where we still held the #1
> position

It's pretty funny how butthurt the MIT people are that the Singaporeans and
Taiwanese managed to beat them. If you look at the leaderboard[0], Houston
even put the "United States Leaderboard" above the "Global Leaderboard" so
that people would think that MIT was in first place.

0: <https://www.dropbox.com/spacerace>

~~~
mikle
I'm going to guess you are from the US.

For me in Israel, Israel's board was the top one.

~~~
swastik
Yep, definitely based on location. For me, it shows the India leaderboard
first.

------
minimaxir
It's worth noting that MIT did get "punished" for cheating: the required
number of points for the extra 25GB space was relatively much, much higher:
<http://i.imgur.com/QLJP5.jpg>

It doesn't matter when you can create unlimited e-mail addresses, though.

~~~
josh_blum
The scaling for the number of points was set before the hack took place. Not
sure why Dropbox made it so much harder for MIT vs CMU. Also, creating the
mailing lists was actually one of the biggest bottlenecks and actually ended
the progress, so it's not exactly unlimited :)

------
justjimmy
I wouldn't say it's cheating per se. When you open this kind of event to the
world, you're definitely going to attract a lot of people who
are good at tech stuff - and throw that in with human tendencies, creativity
and competitiveness set in.

Maybe it's because I play quite a bit of online games (so I don't find it too
troubling, since there are no real stakes in play in this DB Race), but most
gamers are always looking to calculate (or exploit), pushing the boundaries
and efficiency of their playing experience. The only difference is the various
levels each party takes it to.

To me (as an outside audience), the boring way is to get real students to sign
up. Creatives and non conformers (trying to win) will be the ones to watch
for. Whether it's auto email generation and sign ups, poking at DB servers to
do w/e, or even posing as another university and massively signing up and
crashing the servers and getting them disqualified. Imagination and how
far/risk you're willing to go is the limit.

(And this is even more common and evident in competitions, like cute Dog
photos, where most likes/votes win something - and you get people generating
fakes and voting. Kinda expected more 'action' with all these tech schools
involved.)

And those crying foul at the US Leaderboard being at the top - I'm pretty sure
it depends on your position/location cause I'm seeing Canada leaderboard. So
let's all calm down :D

~~~
abat
It seems like cheating/fraud to me. Dropbox provides a service that usually
costs money. They're also offering to provide service for recruiting new users
instead of charging money.

If you fake users, you're getting the service without fulfilling your side of
the bargain (paying money or recruiting users). That seems like fraud to me.

That being said, I'm sure Dropbox expected some of this behavior and is still
happy with the legitimate signups and overall press they're getting.

------
thomasbk
I would characterize this as cheating/fraud, not as hacking. The technical
details are interesting nonetheless.

------
alt_f4
What if I told you... this could have been prevented by using captchas?

~~~
colinsidoti
I imagine requiring your users to fake a MAC Address is a pretty effective
captcha. For Dropbox, it's probably better to reduce the friction in the sign
up flow than to prevent against these kinds of edge cases.

~~~
alt_f4
> I imagine requiring your users to fake a MAC Address is a pretty effective
> captcha.

I guess we disagree over the meaning of the term 'captcha' then. Besides that,
it is also pretty trivial to spoof a MAC address.

> For Dropbox, it's probably better to reduce the friction in the sign up flow
> than to prevent against these kinds of edge cases.

Agreed. But there are smarter ways to do it. Take Gmail for example - it
normally doesn't require you to pass a captcha. But if you fail a certain
number of login attempts, it does. How hard can it be to start displaying a
captcha after, say, 5 accounts get registered within 24 hours for the same IP
address?
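
Added example, not part of the original thread or any commenter's code: a sliding-window counter for the rule proposed in the comment above (require a captcha once 5 accounts have been registered from one IP within 24 hours). The class and function names, the /64 grouping for IPv6, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60  # "within 24 hours"
FREE_SIGNUPS = 5               # "say, 5 accounts"

def bucket_for(ip):
    """Key by IPv4 address, or by /64 prefix for IPv6 (assumption: one IPv6
    client can pick many addresses inside its /64, so count them together)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(addr)

class SignupThrottle:
    """Hypothetical helper: decides when a signup must solve a captcha."""
    def __init__(self, limit=FREE_SIGNUPS, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # bucket -> timestamps of signups

    def _recent(self, ip, now):
        q = self.seen[bucket_for(ip)]
        while q and q[0] <= now - self.window:  # expire entries older than 24h
            q.popleft()
        return q

    def captcha_required(self, ip, now):
        return len(self._recent(ip, now)) >= self.limit

    def record_signup(self, ip, now):
        self._recent(ip, now).append(now)

def replay(events):
    """Replay (timestamp_seconds, ip) signups; return the captcha decision
    taken before each one (signups that pass the captcha still count)."""
    throttle = SignupThrottle()
    decisions = []
    for ts, ip in events:
        decisions.append(throttle.captcha_required(ip, ts))
        throttle.record_signup(ip, ts)
    return decisions

# Constructed sample using documentation-range addresses.
SAMPLE = [(i * 60, "192.0.2.10") for i in range(7)] + [
    (500, "198.51.100.7"),   # different IP: unaffected by the burst
    (90000, "192.0.2.10"),   # more than 24h after the burst: window is empty
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The first five signups from an address go through without friction; only the sixth and later ones inside the window see a captcha, which keeps the normal sign-up flow unchanged.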

------
prezjordan
"MIT students aren’t ones to brag" pretty good one :)

------
Xcelerate
It's interesting how the US Dropbox leaderboard
(<https://www.dropbox.com/spacerace>) kind of reads like the US News
engineering university rankings
(<http://grad-schools.usnews.rankingsandreviews.com/best-graduate-schools/top-engineering-schools/eng-rankings>).

Although, I was really hoping Georgia Tech would beat MIT for once in
something...

(I was tempted to write a script to do something similar to what those guys
did, but I can't afford losing my campus internet access if caught.)

------
rctay89
Where's the glory in winning if you cheat?

~~~
patio11
There's a certain mindset under which a) most contests are boring, b) there
exists a metagame over all contests, and c) that metagame is so fascinating that
success in it is interesting irrespective of the details of the underlying
contests.

I don't necessarily subscribe to that values system, but part of me
understands the attraction.

------
c16
"It’s left one of us without access to MIT’s network." - I'd be interested to
hear what happened.

------
darkhorn
Why is MIT in first place while they have 14,939 racers and the Singaporeans have
17,497 racers?

~~~
brainsareneat
Because they have more points - you get extra points for referrals and
completing a set of 'Getting Started' activities.

------
cywiz
:)

