
TinyDisk, A File System on Someone Else's Web App

Psy writes "I attended Phreaknic this weekend where Acidus released TinyDisk, a shared file system that runs on top of TinyURL or his own implementation NanoURL. TinyDisk compresses a file, encrypts it, and dices it into clusters. Each cluster is submitted to TinyURL as if it were a URL. These clusters can be read back out of the database, making TinyDisk a global file system anyone can use. There are safeguards in the default config to prevent people from dumping gigs of MP3s into TinyURL. While file systems on web applications are nothing new (GMail file system anyone?), this hack shows how easy it is to accidentally design a web application insecurely despite the default PHP protections. See his presentation for more info."
  • Insecure? Really? (Score:5, Insightful)

    by Afty0r ( 263037 ) on Tuesday October 25, 2005 @08:10AM (#13870632) Homepage
    this hack shows how easy it is to accidentally design a web application insecurely despite the default PHP protections.
    The design of these TinyURL style applications is insecure in the same way as a concrete wall is insecure because someone could spray paint on it.

    Insecure? Rancid tabloid hyperbole more like.
  • by MichaelSmith ( 789609 ) on Tuesday October 25, 2005 @08:20AM (#13870665) Homepage Journal
    It's still interesting work.

    Even more interesting would be something which encrypts your files and spreads them around in various free storage media (slashdot trolls?) in such a way that they can not be easily correlated with each other.

    Cramming all this stuff into tinyurl is bound to be noticed, but if it is a couple of dozen bytes here and there it might be possible to store lots of stuff with a reasonable degree of safety.

  • Re:Nifty hack (Score:1, Insightful)

    by Anonymous Coward on Tuesday October 25, 2005 @08:23AM (#13870680)
    Who hasn't had this idea to hide data in multiple DNS records, or webhops, frame redirectors? I don't think I ever thought of putting it into use with a frontend for files. Always thought it was kinda for malware to use. Or cheap ppl like myself.
  • by tezza ( 539307 ) on Tuesday October 25, 2005 @08:27AM (#13870696)
    You could put this in an unapproved pending queue for Wikipedia, comments on Joel Spolsky's blog or wherever.

    But overall 'WHY?' must be the question? Al Qaeda or The Real IRA? They still have their old working communication channels. Also, who needs space like this? Space of this amount could be made redundant and available by using GoogleMail, Yahoo and Hotmail in synchrony. If none of those are available, presumably you'd have it on a USB key as well.

  • It's simple. (Score:3, Insightful)

    by TheSpoom ( 715771 ) * <{ten.00mrebu} {ta} {todhsals}> on Tuesday October 25, 2005 @08:36AM (#13870732) Homepage Journal
    If you want your online app to not be used by scripts such as this, implement a CAPTCHA [captcha.net]. Sure, people could still use it if they wanted to input a bunch of letters for every single chunk of their file...
  • Re:It's simple. (Score:5, Insightful)

    by Smidge204 ( 605297 ) on Tuesday October 25, 2005 @08:40AM (#13870753) Journal
    Or better yet, validate all entered URLs by attempting to establish a connection to the server. If the URL is invalid then kick it back.

    You wouldn't even need to do this with every URL added to the system. Spot-checking every 1 in 10 URLs or so will go a long way to preventing any sort of abuse.
    =Smidge=
  • by grimJester ( 890090 ) on Tuesday October 25, 2005 @08:46AM (#13870779)
    Which makes it more like what it really is, hosting your file on someone else's web server. "Compression" my ass.
  • by Anonymous Coward on Tuesday October 25, 2005 @08:49AM (#13870804)
    It is a nifty hack, but let's not kid ourselves and pretend this is anything new, or that it's even a good thing.

    At its core, Tinyurl is just a write-once database. You add data and get back a key/pointer to said data. As with typical databases, the size of the pointer is logarithmic in the size of the input (* number of keys stored, not bytes; however, the number of bytes/key is bounded under some constant, so it's effectively the number of bytes).

    This gives us a logarithmic compression scheme, where our compression ratio (N-logN)/N approaches 100% as N gets large. This kind of "infinite compression" is what makes the method attractive: you put in say a kilobyte of data and get out a (currently) 5 byte key. All you have to do is keep an index of the keys.

    TinyDisk doesn't seem to do this, but you could then turn around and store the index as a key. Take 1000/5 = 200 keys and get back one key. Lather. Rinse. Repeat. In the end, you have a single key that points to the backup of your mp3 collection, all in one TinyUrl! Not too shabby. After all, it's free storage, right? Wrong. Someone ends up paying for the infinite compression. In this case, it's Tinyurl. If this kid had stopped to think for a few minutes before publishing his hack, he would have realized that he's actually doing a malicious, antisocial thing. I suspect there will be a dozen copycats in the wild before the end of the day.

    Farewell TinyUrl, we knew ye well.
  • by tmroyster ( 309750 ) on Tuesday October 25, 2005 @08:58AM (#13870866)
    The end of TinyURL is in sight. Yes, this is (probably) a clever hack. But this is a misuse of a really useful service.

    When TinyURL's administrator has to either go out and buy his second 2 Terabyte disk array in a week or shut down, which do you think he will pick?

  • by julesh ( 229690 ) on Tuesday October 25, 2005 @09:10AM (#13870939)
    URLs could be checked on the serverside on availability for example; if your URL is phony, then it's rejected. I suppose that would make massive DOS-attacks possible

    It would also prevent tinyurl being useful for private URLs (e.g. those behind firewalls which only allow connections from known IP addresses). You can also currently use tinyurl with protocols that the tinyurl server knows nothing about, e.g. ed2k: or magnet:.

    The better solution is just to disallow any single IP from creating more than, say, 10 URLs in an hour. This would make such a filesystem implementation useless without overly restricting legitimate users.
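    Added example, not code from TinyURL, TinyDisk or any poster in this thread: a Python sketch of the admission check the two preceding comments describe, combining Smidge204's 1-in-10 liveness spot-check with julesh's 10-URLs-per-hour per-IP limit, and leaving schemes the server cannot probe (ed2k:, magnet:, as julesh notes) unverified. The class and function names, the limits and the sample submissions are assumptions or constructed for the example.

```python
import random
from collections import defaultdict, deque
from urllib.parse import urlsplit

MAX_PER_HOUR = 10        # julesh's suggested per-IP budget (value taken from the thread)
SPOT_CHECK_RATE = 0.1    # Smidge204's "every 1 in 10" submissions
PROBABLE = {"http", "https", "ftp"}  # schemes the server can actually try to connect to


class SubmissionGate:
    """Hypothetical admission check for a TinyURL-style shortener (constructed example)."""

    def __init__(self, prober, rng=None):
        self.prober = prober               # callable(url) -> bool: did a connection succeed?
        self.rng = rng or random.Random()  # injectable so tests can force or skip the spot-check
        self.history = defaultdict(deque)  # ip -> timestamps of accepted submissions

    def _within_budget(self, ip, now):
        q = self.history[ip]
        while q and now - q[0] >= 3600:    # drop entries outside the sliding one-hour window
            q.popleft()
        return len(q) < MAX_PER_HOUR

    def submit(self, ip, url, now):
        """Return (accepted, reason) for one shortening request."""
        if not self._within_budget(ip, now):
            return False, "rate-limited"   # a TinyDisk-style client hits this after 10 clusters
        parts = urlsplit(url)
        if not parts.scheme:
            return False, "not a url"      # a bare data blob has no scheme at all
        # Only schemes the server can resolve are spot-checked; firewalled hosts and
        # ed2k:/magnet: links cannot be verified, so they pass on syntax alone.
        if parts.scheme in PROBABLE and self.rng.random() < SPOT_CHECK_RATE:
            if not self.prober(url):
                return False, "unreachable"
        self.history[ip].append(now)
        return True, "ok"


def demo():
    """Constructed scenario: one client pushes 25 'cluster' URLs within 25 seconds."""
    gate = SubmissionGate(prober=lambda url: True, rng=random.Random(7))
    results = [gate.submit("203.0.113.5", f"http://example.com/c{i}", now=i) for i in range(25)]
    return sum(1 for accepted, _ in results if accepted)   # 10: the rest are rate-limited
```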
  • Sorry to be Mr. Obvious this morning, but I take issue with the submitter's conclusion that TinyDisk illustrates a security issue on the part of tinyurl.com. It rather illustrates the ease of creating a leechable web app that resource pirates can abuse. Yes, I have a negative opinion of those using such a creative hack against others who provide services to the general public in good faith.
  • Great Idea! (Score:4, Insightful)

    by Se7enLC ( 714730 ) on Tuesday October 25, 2005 @09:22AM (#13871014) Homepage Journal
    I was looking for another way to store files online in such a way as to make them:
    • Difficult to access
    • Unreliable
    • Split into many different pieces
    • Under somebody else's control that has motivation to delete them

    I guess once this goes down, I'll have to go back to posting UUencoded files in peoples blogs.
  • by pizza_milkshake ( 580452 ) on Tuesday October 25, 2005 @09:23AM (#13871029)
    looks like an implementation of Michael Zalewski's Juggling With Packets [coredump.cx] concept, the storing of data in buffers of publicly available services for use as a filesystem.
  • by ezzzD55J ( 697465 ) <slashdot5@scum.org> on Tuesday October 25, 2005 @10:06AM (#13871406) Homepage
    In the end, you have a single key that points to the backup of your mp3 collection, all in one TinyUrl! Not too shabby.

    Sure, but I think it's a pretty dumb idea because of the large overhead (in time and data) of actually retrieving that data: HTTP request and response, encoding, etc. And the fact that tinyurl will (rightly) kick your ass off the service once he's on to you.
