Rclone has been banned from Amazon Drive

Radio silence from @ncw.
Could it be that Amazon has contacted him to create for them an official Linux client but dropping the mount capability so we won’t be able to run for example Plex servers?

Could it be that he was abducted by aliens and is stuck in some other galaxy with a probe up his rectum? Given that both statements aren’t based on anything we’ve seen or read, they could be equally true.

Either way, check your privilege and stop acting as if an open source maintainer can’t have better things to do for a few days.

I think contrary to how he said it, @Peterrrr has the right idea. @ncw no doubt has other things to do. He will get back to us when he can.

I imagine he’s busy busy. With everything that’s been going on over ACD, he’s probably been inundated on every front. Just be patient. :slight_smile:

Sorry for the silence! Nothing to report I’m afraid - still waiting to hear back from Amazon about my proposal to make an auth server.

I’ll post any news here!

As someone who has dealt with large technical companies professionally, I know what a PITA it can be to get information and updates from them. Your diligence and effort around this is very much appreciated. Thank you!

Thank you for the update, Nick.
Appreciate your efforts.

Thank you Nick for the update :slight_smile:

I would like to point out that it seems everybody is migrating… but I’m not (a few others maybe not as well)… but why do they do that?.. no idea, but I would like to share my reasons why I’m not migrating (or at least not yet ;P…), and this is not due to the amount of data I have (just 1.5 TB uploaded so far since I registered)… I’m not migrating for several reasons, many of which people don’t seem to care about;

  • GDrive is more expensive, not much but…
  • GDrive doesn’t state unlimited storage for just one account (despite some people say they allow it…).
  • Who knows if GDrive will start to apply bans to accounts (or apps!) just because they are uploading such amounts of data from now on?
  • And last but nevertheless important, I still keep hope that Amazon will unban rclone if the problem is corrected… And I know that Amazon, for sure, didn’t state any of the above reasons why they banned rclone (no user abuse, no app abuse, no contract problems or change of terms…), it was just a matter of best practice when connecting to their platform… just that.

Just go, go to GDrive, and in a couple of weeks let’s see where all of this ends…

All the best,

It’s about the app signature: client_id and secret_id are in plain text and easy to find.

I agree with some of your points @uncuervo about not leaving Amazon… the thing that got me the most was the no-notice turnoff. Some warning, or even (if it was really a security emergency) a notice after the fact. But to just leave it for customers to figure out that an app doesn’t work?

Not good in my book.

@bdillahu, yep, sure, but how would you let people know or give any notice in advance without discovering the easy-to-find “secret” and not encourage at the same time any other users with bad intentions to take advantage of such a security gap? In my opinion, and if it were me, as soon as I had found something like that I would stop access immediately, just to protect the developer and the users using his app!
The bad thing, as you are pointing out, is that they blocked the app and didn’t let ncw know immediately why (not everybody, just him)… And with such big companies my guess is that Google would do exactly the same, blocking without notice about the reason why, and even worse, maybe not answering the developer afterwards?..

@uncuervo - probably… it’s a hard problem to deal with, and lack of an easy communications channel makes it worse.

Just “burned” a bit when I was in the middle of something kind of important to me and it “breaks”. Then I spend time debugging, etc. only to finally figure out they turned it off.

Could that happen elsewhere, sure, and probably will. It’s a tradeoff I make in looking for cheaper online storage vs. paying a lot more and having more of an argument as a customer :slight_smile:

Let’s be clear. It wasn’t a security problem for customers. It was a problem specifically for AMAZON since others can use that key within their own apps. It never allowed anyone to authenticate as a user. This isn’t a security breach. This is an implementation problem on Amazon’s side by forcing developers to run an authentication server which then COULD compromise users’ data (like what happened with acd_cli).

@calisro, OK, no security gap for user data itself… but let me say it in a different way… I start using the app credentials as a different app, me and some friends, just to abuse the service and make all the legitimate users lose access through that app… wouldn’t it be harmful?

“Abuse the service” how? Do a DoS attack? Good luck. Security problem, no.

This is an implementation problem on the Amazon side. They could also easily prevent DoS from your friends simply with rate limiting (look at Google).

I’m not gonna discuss different ways of abusing a service; in any case, I wouldn’t consider it a best practice to “share” your app id and secret with everyone :wink:

I wouldn’t consider it a best practice to create an intermediate device to do authentication on behalf of users. :heart_eyes:

well, neither do I? :joy:

Glad we can agree. Now back to a poor implementation on Amazon’s side. If, as a developer, I had to choose between an encrypted client-side secret and an auth server, I’d choose the client-side secret.

Maybe the point is that the app id and key on the client side weren’t a secret…? … I suggested to ncw a different approach, at least to secure the app secret a little bit more? Some other apps use a pfx to secure that information (I guess); he said that sort of approach would probably be banned as well… maybe with an external CA…? … Obviously, I don’t want any developer to be able to trace my ACD credentials… there must be a way to do it without compromising the app secret and the user credentials, don’t you think?

A combination of oauth and xauth? One to authenticate as an authorized user of the API and the other for user credentials. This would still require an auth server, but then at least customer data is secured separately. I don’t think the ACD API can do this though. This is a problem Amazon needs to solve if they want to allow open-source products.
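To make the distinction drawn in this thread concrete (a leaked client secret, which by itself yields no user tokens, versus an auth server that holds every user's refresh token), here is an added example that is not rclone's or Amazon's code. The provider, client ids, codes and token formats are constructed stand-ins so the model runs offline.

```python
import secrets


class FakeProvider:
    """Constructed stand-in for an OAuth provider (not Amazon's real API)."""

    def __init__(self, client_id, client_secret):
        self.apps = {client_id: client_secret}   # registered app -> its secret
        self.codes = {}                          # one-time codes issued after user consent

    def user_consents(self, client_id, user):
        code = secrets.token_hex(8)              # the user approves the app in a browser
        self.codes[code] = (client_id, user)
        return code

    def exchange(self, client_id, client_secret, code):
        if self.apps.get(client_id) != client_secret:
            raise PermissionError("unknown client or wrong secret")
        app, user = self.codes.pop(code, (None, None))   # codes are single-use
        if app != client_id:
            raise PermissionError("code missing, already used, or issued to another app")
        return {"access_token": f"at-{secrets.token_hex(4)}", "refresh_token": f"rt-{user}"}


class StoringAuthServer:
    """Risky shape: exchanges codes AND keeps every user's refresh token, so a breach
    of this one box exposes all users (the acd_cli-style concern raised above)."""

    def __init__(self, provider, client_id, client_secret):
        self.provider, self.client_id, self.client_secret = provider, client_id, client_secret
        self.vault = {}

    def exchange(self, user, code):
        tokens = self.provider.exchange(self.client_id, self.client_secret, code)
        self.vault[user] = tokens["refresh_token"]   # this is the part that hurts users
        return tokens


class RelayAuthServer:
    """Safer shape: holds only the client secret, forwards the one-time code, and hands
    the tokens straight back to the user's client without logging or storing them."""

    def __init__(self, provider, client_id, client_secret):
        self.provider, self.client_id, self.client_secret = provider, client_id, client_secret

    def exchange(self, code):
        return self.provider.exchange(self.client_id, self.client_secret, code)


def retained_refresh_tokens(server):
    """What someone who compromises the auth server itself would find."""
    return dict(getattr(server, "vault", {}))
```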