
Dropbox on Mac now updates itself with a process in background - evanslify
https://www.dropbox.com/help/9300
======
larsnystrom
Of course I see the possibility of harm here, but really, aren't automatic
updates pretty standard by now? I mean, it's got to be better than letting a
large swath of users run old versions of the software because they don't know
how/don't care to update it. I mean, isn't that the more severe security issue
at hand?

And if you're conscious enough about your digital security that you really do
mind Dropbox updating itself automatically, why did you install their app in
the first place? The only OS I actually expect to protect me from the apps I
install is iOS, and only in combination with the AppStore review process.

From what I hear, Apple's attempts at creating similar safeguards in macOS
with the Mac AppStore have not been received that well by developers because
of the restrictions sandboxing places on the apps.

~~~
ddebernardy
> because they don't know how/don't care to update it

In this case the reality probably is closer to: because they don't know they
should be worrying about it.

(Sample of one, obviously, but I certainly didn't know I should, and yet never
got any kind of notification to that effect until I sought to delete the app a
few weeks ago.)

It's so matter of factly on consumer devices that things just update
themselves or nag you to do it from time to time, that it somewhat boggles the
mind that it wasn't automated.

~~~
disiplus
I disabled the automatic update on my Android device. I had a lot of apps
installed and had the feeling something was updating all the time and trashing
my battery life. And then there is the problem that a lot of times the new versions
are worse than older ones. I had the instance where newer versions of apps
had features removed because they now offer a "pro" version, and also changed the
layout to cram in more ads. So now I'm updating an app only if I notice that
something is not working right.

------
Gaelan
Ugh. I'm all for calling out Dropbox (or anyone else) when they actually do
something wrong, but this is getting ridiculous.

~~~
tajen
I think the concern might be that we are more and more granting ownership of
our machines: if the NSA wants to install spyware on targeted systems, they
have a dozen autoupdate channels to do it through now.

Which is good because we do nothing wrong. Apart from Youporn, where only one
underage model that you didn't know about could lead you to jail. You know,
accusations do wonders for your career.

Apart from this catastrophic scenario, I don't either see what's wrong. How
many people per year are accused of pedophilia, that could be due to
conflicting work/nation interests?

~~~
thanksgiving
> I think the concern might be that we are more and more granting ownership of
> our machines: if the NSA wants to install spyware on targeted systems, they
> have a dozen autoupdate channels to do it through now.

> Which is good because we do nothing wrong. Apart from Youporn, where only
> one underage model that you didn't know about could lead you to jail. You
> know, accusations do wonders for your career.

> Apart from this catastrophic scenario, I don't either see what's wrong. How
> many people per year are accused of pedophilia, that could be due to
> conflicting work/nation interests?

Thank you. And to people who think this won't affect them, it doesn't even
have to be cp charges. NSA has lost the fight to keep its uncensored dragnet
data to itself. Today, it is FBI who has access to it. Tomorrow, it will be
the IRS which is fine. However, the real kicker will come when state
departments of revenue and city police get their hands on it.

Remember, we as a people, legitimately break the law millions of times every
day. It doesn't have to be cooked up evidence. If someone wants to hang any of
us "upstanding" citizens, they just have to look hard enough.

~~~
JustSomeNobody
How long until we are issued tickets for speeding when we say simple things
like, "I was hauling butt to get to work today!" on FB? Or have our insurance
premiums jump because of it.

Certainly the former wouldn't hold up with current laws, but how long until
the laws are changed?

The more we allow our privacy to be eroded, the closer we are to having this
come true.

------
eps
This is NOT about keeping everyone updated and reducing the pool of older
clients. This can be done by simply denying service to outdated versions. It
worked very well for AOL Messenger 20 years ago, no reason why it won't work
just as well today.

This is strictly about being able to install anything on users' machines at
will and having a formal consent to do that.

The fact that Chrome and others do that doesn't make it any less
_unacceptable_. You are losing control over what exactly and when you allow to
run on your machine.

~~~
victorhooi
You do realise that would probably _increase_ the number of customer support
cases raised from confused/angry users - which is exactly the opposite
effect from what Dropbox wants.

For the majority of typical users of Dropbox (and HN certainly doesn't count
as typical), this is a net win in every way. They get the latest bugfixes, and
they don't need to worry about all this downloading installers rubbish that
seems so last decade.

Also - if you were deathly worried about Dropbox and what they could do -
firstly, why would you install their client to begin with, considering it's
entirely closed-source? Secondly, why would you use a cloud storage provider
like them to begin with?

You talk about "losing control" - why not spin up your own Dropbox? (I suspect
many people, nerds included, underestimate the sheer amount of engineering and
technical man-years that go into something like this). However, for the
Stallmans among us, it may make sense.

~~~
huhtenberg
> _You do realise that would probably increase the number of customer support
> cases raised from confused/angry users_

No, it won't.

It's an urban legend.

For every support request that cannot be answered from a stockpile of
answers, the first reply is "update to the latest version and then come back,"
and not once did I see anyone ever complain about it (let alone become
angry) in my 20+ years in the IT business. Never. Not a single complaint. Those
who can upgrade will upgrade when asked.

~~~
lokedhs
That depends on the industry. I have worked in support for about as long as
you, and many clients want to find a solution that they can use until they
upgrade (since the upgrade process can take quite some time if you have lots
of dependent software that needs validating).

~~~
huhtenberg
Sure, there are clients like that and those who can't upgrade due to internal
policies, QA restrictions, etc.

The point is that the extra load from having to deal with clients on
outdated versions is insubstantial and it certainly does not justify force-
shoveling updates down everyone's throats.

------
dexcs
I wonder how they did the auto-update that brought that feature to me... I
have a pretty shitty internet connection here and I noticed the Dropbox
updater sucking up my bandwidth yesterday... I've not triggered any manual
update...

~~~
phobius
Thought this too as soon as the notification popped up.

To the best of my knowledge I haven't updated recently, so they've basically
had an auto-update feature sitting dormant for a while.

Nothing fishy here.

------
hemancuso
When exactly did HN transition from fawning over one of the best YC
success stories to being upset with nearly everything Dropbox does?

The number of extremely negative comments here about using a second
process [just like Chrome, Creative Cloud and countless others] to auto-update
is really surprising. I can understand people not being thrilled with a kernel
extension being installed, but most of those comments seem misguided or
uninformed.

The obvious transition point [to me, it seems] was when they put Condi on the
board. HN opinion on nearly everything Dropbox does has really soured since
then.

~~~
mulletbum
I started looking at HN right when Dropbox announced on it.

Funny enough, I came to HN looking for something like Dropbox. I even remember
when Dropbox was doing odd things that Apple had to ask them about because
they didn't know how they put the check marks in.

Yet here we are, angry at Dropbox for continuing down that path of making
things more and more user friendly.

------
cdransf
This doesn't seem any worse than Chrome continually updating itself.

~~~
eps
Both of them doing that in mandatory fashion is unacceptable.

I might be OK with running _this_ bit of their code on _my_ computer, but it's
not an open bar for dropping anything executable onto my machine at will.

~~~
victorhooi
If it's unacceptable, why would you use the Google Chrome browser?

It's open-source (Chromium project) - just compile it yourself?

Once you've run somebody else's binary, you're already conferring significant
trust on them. And I might be biased, but the Chrome team has shown themselves
to be very vigilant with security, and generally on-the-ball on all of these
things. (Memory issues aside...although I'm not going to get into that...lol).

Many newer projects do this - e.g. Atom from Github auto-updates.

VS Code from Microsoft does this - I think it's awesome! =)

~~~
natch
> Once you've run somebody else's binary, you're already conferring significant
> trust on them.

This is the "you agreed to a date, that means you agreed to go all the way"
argument.

Even when someone extends trust or tentative trust, that doesn't mean they
should be expected to give up the right to maintain control of that choice at
each successive moment in time.

EFF strongly discourages auto updates that can't be turned off, because they
can be used for enabling DRM and curtailing freedom.

~~~
angry_octet
Chrome updates can be turned off. Easily.

~~~
natch
Exactly. Dropbox should afford users the same respect.

------
agermanov
Did Dropbox fix the way for malware to get privileges?

[https://translate.google.com/translate?sl=ru&tl=en&js=y&prev...](https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F310074%2F&edit-text=&act=url)

------
radley
When did they post this? Is it old? It mentions OS 10.7, so I'd guess it's
been in place for a few years now.

~~~
citruspi
The minimum required operating system version isn't necessarily indicative of
the age of the feature. I can develop an application on macOS 10.12 now and
have it support all previous versions up to OS X 10.7.

------
konceptz
I wonder why the option to disable automatic updates was omitted?

~~~
gkoberger
(Assuming this is true....) Because if they're stuck supporting old versions
of Dropbox, they're miserable (having to support dozens of versions) and
you're miserable (things start to break). I understand why people would be
worried about Dropbox auto-downloading software, but honestly... if you're the
kind of person worried about the security around Dropbox auto-updating the
same way every app on your phone does, you probably aren't using Dropbox to
begin with.

~~~
greenhatman
I'd still prefer to be prompted to update.

I know my phone is a security mess. But I want my desktop not to be.

~~~
nkristoffersen
That is funny to me because I assume my phone is much more secure (with strict
sandboxing) compared to my desktop.

~~~
izacus
Except that each of those sandboxed apps keeps uploading your behavioural and
private data pretty much constantly with no ability for you to limit or stop
it like you can on the desktop :)

~~~
angry_octet
And you can never downgrade to an old version. Or add a firewall that will
block ads. Or disable javascript selectively. Or control when programs can
run. Or know whether they use crypto safely. Or have any control over when
your phone will get patched for the 200-day level 10 RCE bug.

Now I just want to smash my phone with a hammer. Smash it into tiny tiny
pieces.

------
gumby
I don't understand the implementation. They already _have_ a background
process running (on my Mac it shows an icon in the menu bar) and that
application talks to the network. Why use a second process? I can understand
spawning a process to actually do an update once one has been downloaded. So
what am I missing?

(and since this is HN: as for the updating, fine. It's no different from
visiting a web site and having the pages served by different revisions of the
back end, and it's not like it has a complex UI that could cause user
confusion. I assume DB doesn't update all that often anyway).

------
protomyth
If anyone from Dropbox is in this thread: did a Dropbox update put itself on
the toolbar of the Finder, and if so, did you test that functionality with a
machine that already had a custom toolbar setup?

------
brador
What are some good alternatives to Dropbox that don't do this?

~~~
MrQuincle
You can remove the executable bit from the update process probably.

Disclaimer: I run Ubuntu.

~~~
rainforest
I could be mistaken but on install the Dropbox app adds a few SetUID binaries
that probably allow them to put the bit back.

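The two comments above turn on a concrete check a defender can actually run: whether an installed app bundle contains setuid/setgid helpers (which would let it restore an executable bit a user had cleared) and whether a given file still carries its executable bit. The script below is an added example written for this thread, not code from Dropbox or from either commenter, and it makes no claim about what the real Dropbox installer does. It builds a constructed sample bundle under a temporary directory (the `Contents/MacOS/helper` and `updater` names are placeholders) so it runs offline; point `find_privileged` at a real path such as an `/Applications/*.app` directory to audit it. The `find -perm` form used works with both BSD (macOS) and GNU find.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for
# setuid/setgid binaries and report whether a file is still executable.
# The sample tree below is constructed; its paths are placeholders.

# Print every regular file under $1 that has the setuid or setgid bit set,
# one path per line, sorted so the output is stable.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Number of setuid/setgid files under $1 (tr strips BSD wc's padding).
count_privileged() {
    find_privileged "$1" | wc -l | tr -d ' '
}

# Exit status 0 if $1 is executable by the current user, 1 otherwise.
# This is the bit the "remove the executable bit" suggestion relies on.
is_executable() {
    [ -x "$1" ]
}

# Build a constructed sample bundle: two shell-script "binaries", one of
# which is marked setuid so the audit has something to find. Prints the
# temporary directory so the caller can inspect and remove it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Contents/MacOS"
    printf '#!/bin/sh\necho helper\n'  > "$dir/Contents/MacOS/helper"
    printf '#!/bin/sh\necho updater\n' > "$dir/Contents/MacOS/updater"
    chmod 755 "$dir/Contents/MacOS/helper" "$dir/Contents/MacOS/updater"
    chmod u+s "$dir/Contents/MacOS/helper"   # constructed setuid helper
    chmod a-x "$dir/Contents/MacOS/updater"  # simulate a user clearing the bit
    printf '%s' "$dir"
}

# Usage when run directly: audit the constructed bundle and print a summary.
if [ "${AUDIT_DEMO:-1}" = "1" ] && [ -z "$AUDIT_SKIP_MAIN" ]; then
    sample=$(make_sample_tree)
    echo "setuid/setgid files under $sample: $(count_privileged "$sample")"
    find_privileged "$sample"
    if is_executable "$sample/Contents/MacOS/updater"; then
        echo "updater is still executable"
    else
        echo "updater is not executable"
    fi
    rm -rf "$sample"
fi
```

A clean result is a count of zero: an updater that needs no privileged helper has no way to put a cleared executable bit back without asking for an administrator prompt, which is the question raised later in the thread.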
------
natch
This makes the client a tempting target for court-ordered and government-
ordered surreptitious and potentially individually tailored updates (i.e. a
malware delivery service for any government). It's a very bad idea.

------
reiichiroh
Is this done without the admin prompt?

------
beedogs
This seems like a terrible idea. Glad I don't use Dropbox.

------
redxblood
This is not okay.

