Hacker News
by rubenfonseca 5191 days ago
Is it just me, or could /copy_ref be used to make an awesome warez site? I hacked a quick prototype and it seems to work:

- User authenticates with Dropbox on my web app

- User sees his/her files and selects the ones he/she wants to share

- Another user searches through the shared files; by clicking "Download", which uses /copy_ref, the file appears in his/her Dropbox

I'm still undecided if I should use full Root Dropbox access or just App Folder. The latter would give users more of a sense of security, but would require more effort to share files (move the files to the app directory). What do you think?

3 comments

It really looks like the functionality that my Dropship hack offered :-)

Except that it's easier to trace, as the person sharing the file has to give explicit permission, instead of just giving some anonymous description of the file. I guess they can use that to punish "wrongdoers".

Thanks Wladimir :) I learned a lot in the process and by reading your source code!
Edit: I now find out that wladimir has already had this idea and shipped code for it: https://github.com/driverdan/dropship

I have wondered for a while if it could be done without the API by hooking into whatever checksumming is done before uploading.

For example, if you were to find a popularly pirated file (for example, a widely distributed MKV of an episode of Breaking Bad) and copy it to your Dropbox, the upload is instant, as there is a high probability that someone has already uploaded it.

If you were somehow able to hook into Dropbox's checksumming functions, it may be possible to report a checksum on a 'fake' non-existent file that is the same as what would be provided by the real copy of the file. The file then appears in Dropbox, where you are free to download it at top speed, having only known the hash of the file previously.

I wonder what safeguards Dropbox has to prevent this.

The Dropship hack was immediately rendered useless by Dropbox by requiring that a random part of the file be uploaded, even if Dropbox already has many copies of the file in their system.
So use Dropbox as the golden copy/SHA reference, and fetch the file from peers over Bittorrent.

DB is always going to be able to be used like a resilient tracker/datasource, and DB devs can only put so many walls in the way of using it like that before it starts to hinder your "average" user.

Example: Get magnet hash, get data from Bittorrent swarm, and then fetch from both swarm and public copies available via Dropbox. Verify against Dropbox copy if necessary.
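The countermeasure mentioned above, a random-chunk challenge before a hash-only upload is deduplicated, as an added example that is not code from this thread or from Dropbox (the `DedupStore` class and its method names are a constructed toy; the real service's internals are not on this page):

```python
import hashlib
import secrets


class DedupStore:
    """Constructed toy content-addressed store with proof-of-possession.

    A client that only claims to hold a file (by hash) must first return a
    randomly chosen byte range of the stored content. Knowing the hash alone
    is therefore not enough to attach the file to an account.
    """

    CHALLENGE_LEN = 64  # bytes requested per challenge

    def __init__(self):
        self.blobs = {}      # sha256 hex digest -> file content
        self.pending = {}    # (user, digest) -> (offset, length) outstanding
        self.owned = set()   # (user, digest) pairs allowed to download

    def upload(self, user, data):
        """Full upload: the uploader trivially owns the content."""
        digest = hashlib.sha256(data).hexdigest()
        self.blobs[digest] = data
        self.owned.add((user, digest))
        return digest

    def claim(self, user, digest):
        """Client asserts it holds the file with this hash; issue a challenge.

        Returns None when nothing is stored under the hash, i.e. a normal
        upload is required and there is nothing to deduplicate against.
        """
        if digest not in self.blobs:
            return None
        blob = self.blobs[digest]
        length = min(self.CHALLENGE_LEN, len(blob))
        offset = secrets.randbelow(len(blob) - length + 1)
        self.pending[(user, digest)] = (offset, length)
        return offset, length

    def prove(self, user, digest, chunk):
        """Verify the challenged byte range; a challenge is single-use."""
        key = (user, digest)
        if key not in self.pending:
            return False
        offset, length = self.pending.pop(key)
        expected = self.blobs[digest][offset:offset + length]
        if secrets.compare_digest(expected, chunk):  # constant-time compare
            self.owned.add(key)
            return True
        return False

    def download(self, user, digest):
        if (user, digest) in self.owned:
            return self.blobs[digest]
        raise PermissionError("possession of this file has not been proven")
```

A client that genuinely has the file answers the challenge from its local copy; one that only learned the hash from a "magnet" style description cannot, so the store refuses to hand it a copy.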

Is /copy_ref usable across API keys? Your API keys can easily be revoked, but you could instead just cache copy_ref links, and script the ability for a user to create their own dummy Dropbox app, then start downloading files.
I think that the /copy_ref links are scoped to the API key.

But anyway, why would Dropbox revoke the API? I would be using the official API, the user had to explicitly share the files, and I would have no access to the Root directory of the user (assuming I'm using an Application API Key).

I think that's no different from me generating a share URL for any file in my Dropbox account and posting it on reddit for everyone to download :) But I'm no TOS expert :P