Storage

Dropbox: A File Sharer's Dream Tool?

The folks behind Dropbox have not been having an easy time recently. First it was suggested their PC client might be insecure, then changes in their terms and conditions raised security concerns.

Now Dropbox's management is accused of trying to kill an intriguing open source project that turns the cloud storage service into a file sharing network.

Dropship makes use of an interesting feature of Dropbox uncovered by a hacker last month. Rather than waste storage space and bandwidth duplicating the same file uploaded by many users (for example, a popular PDF such as a tax form), the Dropbox server simply places a single copy in a public pool on the server and links to it from each Dropbox account--even if the file has a different name. All this is done invisibly, and for each user it appears as if the file is contained in their own personal Dropbox (even if it's stored in a private rather than public folder).

The system uses checksum hashes--a long series of hexadecimal characters--to identify the duplicated file. Hackers discovered that, by supplying the hash at the right moment during a phony file upload, they can magically make the duplicated file in question appear in their Dropbox folder.

In other words, files can be instantly shared between Dropbox cloud storage without the need to either download and upload them first.

The official Dropbox client doesn't support a feature like this, and encourages users simply to use their "Public" Drobbox folder to make files available for others.

The hackers have not uncovered a security flaw. An individual would need to deliberately share the hash of a file for the technique to work. Instead, the hackers simply spotted that the way Dropbox works makes it amenable to file sharing.

It didn't take long for Dropbox to learn of the hack, as Web consultant Dan DeFelippi discovered, and wrote about on his blog. First, Dropbox's CTO and cofounder Arash Ferdowsi asked "in a really civil way" if the creator of Dropship--Wladimir van der Laan--would take down the source code for the project. He complied, but by then both DeFelippi and another interested party was also offering the code.

Dropbox managed to get the other party to take down the code, but DeFelippi received a Digital Millennium Copyright Act (DCMA) request that claimed the Dropship code was copyrighted material. It wasn't, and was released under an open source license. When DeFelippi pointed out the request was bogus, Ferdowsi got in touch--again in a "really civil" way--and pointed out that he wasn't happy with how the Dropship client exposed the workings of the Dropbox client-server protocol.

However, DeFelippi held fast and refused to take down Dropship. He says Ferdowsi is aiming for "security by obscurity" which "falls flat on its face in this case since their client can be analyzed by anyone with the proper skills". He also says that the piracy concerns raised by Ferdowsi are something for Dropbox to handle, and claims Dropship has a ton of legitimate uses, such as "sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases".

And that's where the matter rests. The source code is still available although it's a command-line tool that requires some knowledge of Python to use properly. Nobody has yet created a graphical user interface for the code. That would propel Dropship into a new universe of users. No doubt Ferdowsi is praying this doesn't happen.

DeFelippi is keen to point out that Dropbox staff never threatened him or anybody else involved in the project, and he's happy to accept the explanation given by Dropbox that the DCMA notice he received was an error.

Somebody claiming to be "Drew from Dropbox" commented on the original Hacker News write-up of Dropship, saying that the company acted as it did because "when something pops up that encourages people to turn Dropbox into the next RapidShare or equivalent," it could "ruin the service for everyone."

But the fact is that Dropship is a genuinely useful extension of Dropbox. I can imagine coworkers using it to effortlessly share files, for example. Ultimately, I can't understand why DropBox doesn't already integrate the feature, via a "Send file to" menu option or similar. To limit piracy--such as the sharing of ripped DVD movies--Dropbox could limit it to paid-for accounts, rather than free.

It's starting to feel as if one of the appealing features of DropBox--its overriding simplicity--is also one of its hindrances. DropBox's popularity has arisen because it makes the cloud accessible to every PC; after installing the client, users just copy a file to a magical folder for it to be duplicated online. There are few other features within the client software and that's deliberate. However, this approach inspires others to find solutions for problems and be creative, which is what happened here.

In the technical implementation of Dropbox things are also kept very simple but this is also causing problems. It feels almost as if Dropbox is a technology designed for a more innocent age, when users could be trusted not to look too closely at how things work, or fiddle with software.

Dropbox is going to have to go back to the drawing board to figure out how best to continue offering its service, otherwise this kind of thing will keep on happening.

Update, 1:02 pm PT: Dropbox has gotten in touch with me and said they've now "implemented a fix on the backend" that means Dropship will no longer work, adding: "We feel Dropship is a violation of our TOS (Terms of Service)." Additionally, they point out at the "Drew" who commented on the Hacker News write-up is in fact Drew Houston, CEO and Co-Founder of Dropbox.

Subscribe to the Power Tips Newsletter

Comments