I may have just pissed off a lot of people with my experiment :(
I realised immediately afterwards how reckless that was, but Dropbox - WTF? Why is this even allowed?
Pinging all viewers of a public document with a message should not be possible.
I went a while being followed by spam after a Dropbox email leak a few years ago
That's why we don't test on production
so what are my alternatives if I literally only want:
- a folder that syncs on my devices
- the ability to share a folder with others
I can choose to share specific folders for each device. I have one set up on a DO droplet and it seamlessly syncs across all my devices.
Also, when two devices are on the same LAN, it discovers the devices automatically.
Couldn't praise it enough!
To its credit, you can always resolve the problems with some careful deleting and the occasional permissions kludge.
However, multiple users can use the same server, so you can set it up once and share it with family members. You (the server admin) have full control over your data, so it won't be parsed and collected by third parties. It's also FOSS. There exist sync clients for all desktop and smartphone operating systems as well as a web interface for everything else.
They are on GitHub, though: https://github.com/nextcloud
It's pretty much an open-source version of Dropbox. It works incredibly well, you can host it yourself and it does what you expect it to do.
Most of the modern files like office documents and PDFs are compressed. Delta Sync will only help in scenarios where you have bitmaps and VM disks.
The big plus for me is end to end encryption. I use it for documents and scans and never felt okay having those in Dropbox.
I also have their CLI client running on my Synology NAS so I get a local copy as well as in the cloud.
The only downside, it is a fair bit more pricey when you need a lot of storage.
Sharing with others is possible, but they have to have the app installed to access the files. Resilio Sync doesn't provide any server through which you can download the files, it's all P2P.
- Crypto wallets that go on your public profile if you want the alert to shut up
- Git. I mean, would you trust a production repo to magic crypto remote relying on a third party service that has no SLAs?
- We're kind of Slack/Mattermost/Discord now but with none of the accessibility or SLA offerings and you need one or the other to have an audience besides "tech nerds" who are already fragmented on 20+ platforms and clearly just needed one more
Things people want:
- An app that is less entitled and forces focus over everything. Games, your presentation, everything, it doesn't care.
- Dark mode? Literally the highest voted thing and it took them 2 years to start working on it.
- Seamless mobile notifications. Signal can show content while maintaining strong crypto, why does Keybase just show '<person> sent you a message'? That is super annoying if you want to use Keybase for an actual team.
- Random reliability issues and nobody seems to care about them with any sense of urgency.
It's okay to be run like a hobby, to move fast and break shit and pay no attention to polishing the experience. But then don't be surprised if nobody seriously uses your product.
In spite of all of those other points, I've found the sync does work pretty seamlessly if you just need 1:1 sync and limited special features. That suits me well enough.
They're not even saving metadata which is available on all filesystems such as timestamps etc.
- not self-hosted, but hosted by someone big enough to have a decent security team.
I don't want to take care of the security of this myself, nor do I want to rely on some mostly unknown 3-person startup.
I am having trouble finding the original "Show HN" for Dropbox but I recall people just calling it, more or less, "rsync with a web GUI."
Taking it one step further, you could use rclone (https://rclone.org/) which is like rsync but adds the functionality of syncing files with different cloud storage providers.
It has been on my TODO list to set up rclone with Nuage as the front end (https://github.com/mickael-kerjean/nuage) so I can have a Dropbox-like interface with org-mode text file rendering on the go.
Also integrates with Files on iOS, and has camera-upload which works better than Dropbox.
Best switch I ever made.
Works for me, though, for what it’s worth.
Thanks for the recommendation though.
"Got it, agreed."
"What if they make it public, and the team is anyone on the internet?"
"Same! Name, email, maybe more?!"
No. No! If something is shared publicly, who views it should not be public knowledge. Or it should be screamed in blaring, blinking, marquee high-contrast banner across the screen to everyone before viewing the document.
On the other hand I feel like Google Docs does the same thing.
Although I think you might have the option to "reveal your Google Account" to other users/viewers of the shared document.
Is it not the default when you are logged in? It used to be the case that when you are logged in and you visit Google Docs, you (your name at the very least) show up on the list of viewers.
It was like everyone was just resigned to raking in money on top of an extremely boring storage platform and clearly nobody was going to risk generous salary or equity coming in so they could rock the boat with an ambitious project.
All to say it doesn’t surprise me that there was some lapse of quality checking or oversight on some feature of Paper integrating with Dropbox.
The whole place reminded me of this quote by TS Eliot, “Oxford is very pretty, but I don’t like to be dead.”
But this goes against the premium pricing and branding they have created for consumer storage plans, and I think hamstrings them from doing anything else really.
And at the end of the day, if Google is worried you’re underpricing them, they have way more levers to pull on to retain or win back customers, and more cushion to absorb losses.
Just seems like a bad business strategy by Dropbox all around. Probably should just focus on how to deliver consumer storage accounts with lower and lower prices instead.
I did not get a visible notification when creating it although there may have been one buried under some links or button. Paper documents are publicly editable by default if you have the url.
I got no notification when viewing it from a different user. I used the public link to do so and could see the identities of other viewers.
(And they have no idea how twitter threads work)
> We understand the concerns, and want to assure you that privacy considerations are built into how we design our features. While Paper has a setting that allows anyone with the link to access a Paper doc, we warn users who try to access a doc owned by another team or a...[1/3]
> ...user not on their team that their information will be visible in a screen that pops up before the Paper doc loads. Displaying this information is needed to enable collaboration and security features for our users. Users and admins can control who can view a Paper doc..[2/3]
> ...in our settings. For more information see: https://help.dropbox.com/files-folders/paper/sharing-permiss... [3/3]
You (I mean, the support account) need to make the following items a reply of the 1st item then it will work
I always thought those indicators about who is viewing a publicly shared document were creepy
Whenever I open Dropbox Paper with my work Chrome profile, it shows to have access to my personal Dropbox. These two are separate Dropbox accounts with separate emails associated to them. Yet, I'm able to access them since I sync a shared folder from my personal account on the same computer as the work Dropbox account (Work Dropbox account being the account that's logged into on the computer).
Seems like UX overtook security in this aspect since I didn't explicitly want to "connect" both accounts outside of shared folder.
For example, there are a lot of hits for
Airtable has a somewhat worse issue, any file you upload is publicly available without login, as long as you have the attachment URL. There isn’t any way to protect file assets, even though the underlying worksheet is private and requires a login.
It's 2019 and humans still make typos.
I'd rather have a Dropbox email service and client than this silly product
This was the sole reason I checked it out, however I have grown to appreciate many of their other features. Their collaboration functionality is quite unique, and the generally smooth way you can add structured information (eg. "todos" with assigned users and due dates) is great.
That being said, it often feels "half-baked" still compared to other solutions. The Paper file organization interface feels like it is just bolted on top of Dropbox's existing interface, and sometimes their formatting is too restrictive (eg. you can't change text alignment). The issue raised in this post is yet another example of the product being half-baked.
It looks like it is on their radar:
In the meantime, there is this workaround:
It's not a great workaround, however, since (by the way it works) it looks like it would only work locally on the user's browser assuming they install the violentmonkey browser extension, it is rather verbose (the code block + `math:` prefix), and having to press F2 to rerender all inline math.
Does this apply to cookies? I am asking because a lot of websites have "necessary" cookies and there is no way to opt out of them (other than by closing the tab), and if there is and you do, then you cannot proceed further. I really do not understand why some cookies would be necessary to view a page though, but I have seen this on A LOT of sites.
On the right, you will see a down-arrow, click on that. You can clearly see the first checkbox on the left being checked and disabled, it is the "necessary" or "essential" cookies to what I am referring. You cannot deselect. On top of that, there is no way to close the popup (?), it is by design. Of course there are ways to circumvent it, but that is beside the point.
There are many other websites like this, but I cannot remember them. :/
I suppose most of the time the box is there to allow you to consent to additional cookies as well.
There are also a lot of broken implementations out there.
You must click on "Continue with Recommended Cookies", or you cannot use the site (you could use uBlock to block the element, but that is beside the point).
While it clearly could be implemented many different ways, and I agree Dropbox should do better in this case, I think this is one of the difficulties in enforcing something like GDPR. Almost anything could be made to work in an anonymous way, so where do you draw the line? When signing up for Facebook or an email account, for example, there is no reason they need my phone number. Sure, they say it is for password reset purposes, but there are other solutions for this, or I can simply agree not to be able to reset the password for that account... etc.
I'm honestly curious, which part of the feature requires every user to know every other user who has viewed the page?
Clearly it doesn't have to and should not be this way. My point was that:
1. They are saying that their particular implementation did require it to be this way.
2. Almost every web app could be made to require less private data from the user, however if this is something that GDPR is going to enforce then there will end up being some subjective analysis (according to non-tech lawyers?) as to whether a particular implementation was in violation.