TinyDisk, A File System on Someone Else's Web App 188
Psy writes "I attended Phreaknic this weekend where Acidus released TinyDisk, a shared file system that runs on top of TinyURL or his own implementation NanoURL. TinyDisk compresses a file, encrypts it, and dices it into clusters. Each cluster is submitted to TinyURL as if it were a url. This clusters can be read back out of the database, making TinyDisk a global file system anyone can use. There are safeguards in the default config to prevent people from dumping gigs of MP3s into TinyURL. While file-system-on-web-applications are nothing new (GMail file system anyone?) this hack shows how easy it is to accidentally design a web application insecurely despite the default PHP protections. See his presentation for more info"
Insecure? Really? (Score:5, Insightful)
Insecure? Rancid tabloid hyperbole more like.
Re:I'm sure this won't be abused (Score:3, Insightful)
Even more interesting would be something which encrypts your files and spreads them around in various free storage media (slashdot trolls?) in such a way that they can not be easily correlated with each other.
Cramming all this stuff into tinyurl is bound to be noticed, but if it is a couple of dozen bytes here and there it might be possible to store lots of stuff with a reasonable degree of safety.
Re:Nifty hack (Score:1, Insightful)
You could do this with blogs or any CMS (Score:5, Insightful)
But overall 'WHY?' must be the question? Al Quaeda or The Real IRA? They still have their old working communication channels. Also who needs space like this? Space of this amount could be made redundant and available by using GoogleMail, Yahoo and Hotmail in synchrony. If none of those are available, presumably you'd have it on USB key as well.
It's simple. (Score:3, Insightful)
Re:It's simple. (Score:5, Insightful)
You wouldn't even need to do this with every URL added to the system. Spot-checking every 1 in 10 URLs or so will go a long way to preventing any sort of abuse.
=Smidge=
Re:Furthur Compression (Score:2, Insightful)
Re:Nifty hack, or antisocial behavior? (Score:5, Insightful)
At its core, Tinyurl is just a write-once database. You add data and get back a key/pointer to said data. As with typical databases, the size of the pointer is logarithmic in the size of the input (* number of keys stored, not bytes; however, the number of bytes/key is bounded under some constant, so it's effectively the number of bytes).
This gives us a logarithmic compression scheme, where our compression ratio (N-logN)/N approaches 100% as N gets large. This kind of "infinite compression" is what makes the method attractive: you put in say a kilobyte of data and get out a (currently) 5 byte key. All you have to do is keep an index of the keys.
TinyDisk doesn't seem to do this, but you could then turn around and store the index as a key. Take 1000/5 = 200 keys and get back one key. Lather. Rinse. Repeat. In the end, you have a single key that points to the backup of your mp3 collection, all in one TinyUrl! Not too shabby. After all, it's free storage, right? Wrong. Someone ends up paying for the infinite compression. In this case, it's Tinyurl. If this kid had stopped to think for a few minutes before publishing his hack, he would have realized that he's actually doing a malicious, antisocial thing. I suspect there will be a dozen copycats in the wild before the end of the day.
Farewell TinyUrl, we knew ye well.
The end of TinyURL. (Score:2, Insightful)
But this is a misuse of a really useful service.
When TinyURL's administrator has to either go out and buy his
second 2Terabyte disk array in a week or shutdown, which do
you think he will pick?
Re:Insecure? Really? (Score:4, Insightful)
It would also prevent tinyurl being useful for private URLs (e.g. those behind firewalls which only allow connections from known IP addresses). You can also use currently use tinyurl with protocols that the tinyurl server knows nothing about, e.g. ed2k: or magnet:.
The better solution is just to disallow any single IP from creating more than, say, 10 URLs in an hour. This would make such a filesystem implementation useless without overly restricting legitimate users.
Security isn't the issue; resource exploitation is (Score:4, Insightful)
Great Idea! (Score:4, Insightful)
I guess once this goes down, I'll have to go back to posting UUencoded files in peoples blogs.
Juggling With Packets (Score:4, Insightful)
Re:Nifty hack, or antisocial behavior? (Score:3, Insightful)
Sure, but I think it's a pretty dumb idea because of the large overhead (in time and data) of actually retrieving that data.. http request and response, encoding, etc. And the fact that tinyurl will (rightly) kick your ass off the service once he's on to you.