Dropbox: A file sharer's dream tool?

Hackers have found a way to make Dropbox offer a BitTorrent-like file sharing service, but Dropbox management is not happy.

The folks behind Dropbox have not been having an easy time recently. First it was suggested their PC client might be insecure, then changes in their terms and conditions raised security concerns.

Now Dropbox's management is accused of trying to kill an intriguing open source project that turns the cloud storage service into a file sharing network.

Dropship makes use of an interesting feature of Dropbox uncovered by a hacker last month. Rather than waste storage space and bandwidth duplicating the same file uploaded by many users (for example, a popular PDF such as a tax form), the Dropbox server simply places a single copy in a public pool on the server and links to it from each Dropbox account -- even if the file has a different name. All this is done invisibly, and for each user it appears as if the file is contained in their own personal Dropbox (even if it's stored in a private rather than public folder).

The system uses checksum hashes -- a long series of hexadecimal characters -- to identify the duplicated file. Hackers discovered that, by supplying the hash at the right moment during a phony file upload, they can magically make the duplicated file in question appear in their Dropbox folder.

In other words, files can be instantly shared between Dropbox cloud storage accounts without the need to either download or upload them first.
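A toy model of the deduplication behaviour described above, added here as an illustration; it is not Dropbox's or Dropship's code and does not reproduce the real client-server protocol. It shows why a content hash acts as a bearer token when the server links files on the hash alone, next to a variant that links only after a per-request proof that the claimant holds the bytes. SHA-256, the nonce-keyed HMAC proof and all class and method names are assumptions.

```python
import hashlib
import hmac
import secrets


class DedupStore:
    """Toy single-instance store: one blob per content hash, linked per account."""
    def __init__(self):
        self.blobs = {}       # hex digest -> file bytes (the shared pool)
        self.accounts = {}    # user -> {filename: hex digest}
        self.challenges = {}  # (user, digest) -> one-time nonce

    def upload(self, user, name, data):
        """Normal upload: keep one copy of the bytes, link it to the account."""
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)
        self.accounts.setdefault(user, {})[name] = digest
        return digest

    def claim_by_hash(self, user, name, digest):
        """Weak design: knowing the hash is treated as having the file."""
        if digest not in self.blobs:
            return False
        self.accounts.setdefault(user, {})[name] = digest
        return True

    def challenge(self, user, digest):
        """Hardened design, step 1: issue a fresh nonce for this claim."""
        nonce = secrets.token_bytes(16)
        self.challenges[(user, digest)] = nonce
        return nonce

    def claim_with_proof(self, user, name, digest, proof):
        """Step 2: link only if the proof was computed over the real bytes."""
        nonce = self.challenges.pop((user, digest), None)  # single use
        blob = self.blobs.get(digest)
        if nonce is None or blob is None:
            return False
        expected = hmac.new(nonce, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.accounts.setdefault(user, {})[name] = digest
        return True


def prove_possession(nonce, data):
    """Client side: computable only by someone holding the file contents."""
    return hmac.new(nonce, data, hashlib.sha256).digest()
```

The proof check makes the server re-read the stored blob for every claim. Published proof-of-ownership schemes reduce that cost by challenging a few randomly chosen blocks instead of the whole file.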

The official Dropbox client doesn't support a feature like this, and encourages users simply to use their "Public" Dropbox folder to make files available for others.

The hackers have not uncovered a security flaw. An individual would need to deliberately share the hash of a file for the technique to work. Instead, the hackers simply spotted that the way Dropbox works makes it amenable to file sharing.

It didn't take long for Dropbox to learn of the hack, as Web consultant Dan DeFelippi discovered and wrote about on his blog. First, Dropbox's CTO and cofounder Arash Ferdowsi asked "in a really civil way" if the creator of Dropship -- Wladimir van der Laan -- would take down the source code for the project. He complied, but by then both DeFelippi and another interested party were also offering the code.

Dropbox managed to get the other party to take down the code, but DeFelippi received a Digital Millennium Copyright Act (DMCA) request that claimed the Dropship code was copyrighted material. It wasn't, and was released under an open source license. When DeFelippi pointed out the request was bogus, Ferdowsi got in touch -- again in a "really civil" way -- and pointed out that he wasn't happy with how the Dropship client exposed the workings of the Dropbox client-server protocol.

However, DeFelippi held fast and refused to take down Dropship. He says Ferdowsi is aiming for "security by obscurity" which "falls flat on its face in this case since their client can be analyzed by anyone with the proper skills". He also says that the piracy concerns raised by Ferdowsi are something for Dropbox to handle, and claims Dropship has a ton of legitimate uses, such as "sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases".

And that's where the matter rests. The source code is still available although it's a command-line tool that requires some knowledge of Python to use properly. Nobody has yet created a graphical user interface for the code. That would propel Dropship into a new universe of users. No doubt Ferdowsi is praying this doesn't happen.

DeFelippi is keen to point out that Dropbox staff never threatened him or anybody else involved in the project, and he's happy to accept the explanation given by Dropbox that the DMCA notice he received was an error.

Somebody claiming to be "Drew from Dropbox" commented on the original Hacker News write-up of Dropship, saying that the company acted as it did because "when something pops up that encourages people to turn Dropbox into the next RapidShare or equivalent," it could "ruin the service for everyone."

But the fact is that Dropship is a genuinely useful extension of Dropbox. I can imagine coworkers using it to effortlessly share files, for example. Ultimately, I can't understand why Dropbox doesn't already integrate the feature, via a "Send file to" menu option or similar. To limit piracy -- such as the sharing of ripped DVD movies -- Dropbox could limit it to paid-for accounts, rather than free.

It's starting to feel as if one of the appealing features of Dropbox -- its overriding simplicity -- is also one of its hindrances. Dropbox's popularity has arisen because it makes the cloud accessible to every PC; after installing the client, users just copy a file to a magical folder for it to be duplicated online. There are few other features within the client software and that's deliberate. However, this approach inspires others to find solutions for problems and be creative, which is what happened here.

In the technical implementation of Dropbox, things are also kept very simple, but this is also causing problems. It feels almost as if Dropbox is a technology designed for a more innocent age, when users could be trusted not to look too closely at how things work, or fiddle with software.

Dropbox is going to have to go back to the drawing board to figure out how best to continue offering its service, otherwise this kind of thing will keep on happening.


Tags: hackers, dropbox, network attached storage, copyright, intellectual property, storage, legal, music & video sharing


Keir Thomas

PC World (US online)
