TinyDisk, A File System on Someone Else's Web App

Psy writes "I attended Phreaknic this weekend where Acidus released TinyDisk, a shared file system that runs on top of TinyURL or his own implementation NanoURL. TinyDisk compresses a file, encrypts it, and dices it into clusters. Each cluster is submitted to TinyURL as if it were a url. This clusters can be read back out of the database, making TinyDisk a global file system anyone can use. There are safeguards in the default config to prevent people from dumping gigs of MP3s into TinyURL. While file-system-on-web-applications are nothing new (GMail file system anyone?) this hack shows how easy it is to accidentally design a web application insecurely despite the default PHP protections. See his presentation for more info"

Nifty hack

[FidelCatsro]

This does seem to be a bit of an abuse of the service. whilst it does not contravene the TinyURL terms of use in any real way

Terms of use:
TinyURL was created as a free service to make posting long URLs easier. Using it for spamming or illegal purposes is forbidden and any such use will result in the TinyURL being disabled and you will be reported to all ISPs involved and to the proper governmental agencies. This service is provided without warranty of any kind.

, it just seems rather untoward .

Nifty little program all the same and a nice hack ,
Having it running on his NanoURL implementation locally , could allow for a cool little service . Though there are better ways to offer web based file systems in the real world .

He does state in the FAQ that its not intended to pollute TinURL in any way .. but this is what some people will use it for (and I doubt the restrictions will be hard to remove).

Perhaps it will give TinyURL a nudge to tighten up their security though .

Re:Nifty hack

who hasnt had this idea to hide data in multiply dns records, or webhops, frame redirectors. I dont think i ever thoguht of putting it into use with a frontend for files. always thought it was kinda for malware to use. or cheap ppl like myself.

Re:Nifty hack

"who hasnt had this idea to hide data in multiply dns records, or webhops, frame redirectors."

quite a lot of people I imagine...

Re:Nifty hack

[Pollardito]

luckily there are no such provisions in my new SlashDisk...

@!!#13261713723487358458439469494946090721ufhdfhsd fhassdfhejdsk
58458439469494946090721ufhdfhsdfhassdfhejdsk@!!#13 2617137234873
9494946090721ufhdfhsdfhassdfhejdsk@!!#132617137234 8735845843946
1713723487358458439469494946090721ufhdfhsdfhassdfh ejdsk@!!#1326
4946090721ufhdfhsdfhassdfhejdsk@!!#132617137234873 5845843946949

Re:Nifty hack

You sig is so bad that I'd feel like punching you in the face.

Re:Nifty hack

C'mon. I thought of it and I don't even use a computer.

Oh, wait.

Re:Nifty hack

[networkBoy]

how the hell did that get past the lameness filter?
damn that's a lame filter. :-)
-nB

Problems ahead? ;)

[sznupi]

TinyURL might become not so tiny anymore...

Re:Problems ahead? ;)

[Knx]

TinyURL might become not so tiny anymore...

And if we go a step further, there might be no TinyURL anymore, actually. While the hack is -- arguably -- interesting, this is clearly a misuse / abuse of the system, which is likely to make their DB grow at an unexpected rate, not talking about wasted bandwidth.

Re:Problems ahead? ;)

[Knx]

Big deal ... just change the name to NotSoTinyAnymoreURL, and that's fixed!

Re:Problems ahead? ;)

[sznupi]

On the second thought...perhaps it would be better to use something like http://hugeurl.wiggy.net/ for this kind of proof-of-concept...

TinyDisk?

[BladeMelbourne]

I got a BigDisk - I dont know about you guys.
I love to upload DNA strands using it.

Re:TinyDisk?

[Ice+Station+Zebra]

Disk? Disks are usually circular, does that mean you are fscking yourself?

Re:TinyDisk?

[Capt+James+McCarthy]

I got a BigDisk - I dont know about you guys. I love to upload DNA strands using it.

Uhhhh, why are you interested in what I have?

Re:TinyDisk?

[jazman]

typo: the S should be a C **ducks**

Re:TinyDisk?

[orasio]

Maybe you sould review your logs:

2005-10-25 04:55:23 - Uploading DNA .....
2005-10-25 04:55:35 - ftp: kleenex.tissue: Unknown host
2005-10-25 04:55:36 - DNA Upload failed. Cleaning up... OK.
2005-10-25 04:55:46 - Retrying Upload DNA .....

Re:TinyDisk?

[somersault]

that was implied.

Re:TinyDisk?

[c_forq]

I've heard uploading to too many places runs a high risk of a virus getting into your data, and curropting all future uploads, and the only prevention of this eliminates all uploading capabilities. I'm sure of they open sourced it we could eliminate these problems quickly though...

Re:TinyDisk?

[xtracto]

Is it a floppy?

Mine is not so *Big*Disk
but it is certainly HardDisk permanent media! ;-)

Re:TinyDisk?

[hobbit]

2005-10-25 04:54:53 - Attempting to contact external host
2005-10-25 04:54:56 - Connection refused
2005-10-25 04:55:34 - Attempting to contact external host
2005-10-25 04:55:36 - Connection refused
2005-10-25 04:55:38 - All hosts unreachable except localhost
2005-10-25 04:55:40 - Connecting to loopback interface

Re:TinyDisk?

[bobbyjack]

So you're the one all those spammers have finally won over! ;)

Re:TinyDisk?

[qazwsxqazwsx90]

It's not the size of the disk that matters, but it is what is contained in the disk.

From what I understand

[FST]

I saw this a few hours ago, and from what I understand the process goes as follows:

1- Open a meta file
2- Retrieve and concatenate all the clusters from TinyURL in the order
specified in the meta file.
2- Base64 decode the file
3- Decrypt the file with the algorithm and key in the meta file
4- Decompress the file with the algorithm in the meta file.
5 - Verify the file size given in the meta file is correct for the
decoded/decrypted/decompressed file
6- Verify the checksum with the algorithm and value in the meta file matches
for the decoded/decrypted/decompressed file
7- Set the filename of the decoded/decrypted/decompressed file to the
filename specified in the meta file.

Hope that helps somebody :)

Re:From what I understand

Aren't you supposed to have "# - Profit" in there somewhere?

Re:From what I understand

Gee, thanks for copying and pasting a bit (newlines included!) from the TinyDisk details file located at http://www.msblabs.org/tinydisk/tinydisk-details.t xt, karma whore.

Insecure? Really?

[Afty0r]

this hack shows how easy it is to accidentally design a web application insecurely despite the default PHP protections.

The design of these TinyURL style applications is insecure in the same way as a concrete wall is insecure because someone could spray paint on it.

Insecure? Rancid tabloid hyperbole more like.

Re:Insecure? Really?

[LarsWestergren]

Rancid tabloid hyperbole more like.

Well, your reaction is not very restrained either.

Hang on. Is it hyperbole day on Slashdot and no one told me? obBart: "This is the greatest injustice in the history of mankind!"

Re:Insecure? Really?

URLs could be checked on the serverside on availability for example; if your URL is phony, then it's rejected. I suppose that would make massive DOS-attacks possible, but hey - we could also do a count on the frequency that URLs are submitted from one source, _and_ we could count the amount of times a certain host is referenced.

Re:Insecure? Really?

[julesh]

URLs could be checked on the serverside on availability for example; if your URL is phony, then it's rejected. I suppose that would make massive DOS-attacks possible

It would also prevent tinyurl being useful for private URLs (e.g. those behind firewalls which only allow connections from known IP addresses). You can also use currently use tinyurl with protocols that the tinyurl server knows nothing about, e.g. ed2k: or magnet:.

The better solution is just to disallow any single IP from creating more than, say, 10 URLs in an hour. This would make such a filesystem implementation useless without overly restricting legitimate users.

Re:Insecure? Really?

[xappax]

Is it hyperbole day on Slashdot and no one told me?

Hyperbole day? That's the most ridiculous thing I've ever heard in my entire life!

Re:Insecure? Really?

[LarsWestergren]

Hyperbole day? That's the most ridiculous thing I've ever heard in my entire life!

Of course, on Slashdot, every day is hyperbole day!

Re:Insecure? Really?

[YU+Nicks+NE+Way]

If I've told you once, I've told you a thousand times: the first rule of Slashdot Hyperbole Day is that you don't mention hyperbole day!

Re:Insecure? Really?

In fact every place, which enables anonymous cowards to store any information could be used as "a filesystem". Even slashdot postings.

==Begin DATA FRAME==
M+#4P#:!6X%==X)NH]&N+K4)#@B'RD^K$$_H/UKGI,AL^)M;&L W2*
M!'X4ZB@!%8,,J01[4M1LL;G+8)'.8BRKN7^A_6@"Q16)+K=]8 L
MWV_0[ORATFLV%POXJ,./^^34EAXIT+4YO(M=5M6N`O3/%2T4` 9E]81C3[B)+2.XAEC*RV9`
MVS*1@J`.>0+QF*4*0!W&0,YQ[GIWJU10`44R5VCB9U
MC:0J,[%(R?89XS5#5%6X6.WD\^.-I!BXMY-K0O\`PD^QZ=QS@ C%`&E7&7_B&
M7Q!K,NA:#B6.!BE[=`_(C=TS[=_8K9O(=2U'1KBSCFFM;AB8& NHL1LH(P9$
==End DATA FRAME==

(Okay, you got to break the CAPTCHA).

Re:Insecure? Really?

[slavemowgli]

Thanks - you said that better than I could've hoped to do myself.

Re:Insecure? Really?

[guitaristx]

The better solution is just to disallow any single IP from creating more than, say, 10 URLs in an hour. This would make such a filesystem implementation useless without overly restricting legitimate users.

What about set-ups where a large number of users (say > 1000) are masqueraded behind one IP address?

Re:Insecure? Really?

[Andrewkov]

Isn't that also the second rule?

Re:Insecure? Really?

[phishtrader]

Then you go back through your logs and figure out what the maximum rate of URL submissions was in the last year per ip address, add ten percent and go with that. Anyone what exceeds that rate will be prompted with a captcha and the rate can be reevaluated later.

Re:Insecure? Really?

[hobbit]

Exactly! Has anyone written AnonymousCowardFS yet?

Re:Insecure? Really?

[bobbyjack]

That's every one of the rules!

Re:Insecure? Really?

Not exactly a monumental task. Slashdot uses a poorly-developed CAPTCHA. It's only a matter of time before one of the handful of CAPTCHA decoders under development is released and second-rate sites like this one can really face the music.

Re:Insecure? Really?

[cloudmaster]

"Sorry, you are only allowed to post up to 10 URLs within a few minutes. You might be behind a firewall or proxy - please try again in a couple of minutes". It works for Slashdot...

Re:Insecure? Really?

[petermgreen]

/. has rate limiting and the lameness filter to contend with though.........

Re:Insecure? Really?

[petermgreen]

spraying paint on the concrete wall doesn't generally affect its ability to do its original job.

tinyurl is insecure because it allows itself to be flooded with the ultimate implication being either a lot of cost to its owners or denial of service to its legitimate users when the DB fills up. Some kind of rate control would make abuses like the one described in the article impractical.

NanoURL review

I like NanoURL but it scratches real easily.

Re:NanoURL review

[Taladar]

Somehow I don't see iTiny gain much market share either...

I'm sure this won't be abused

[Dekortage]

Pretty soon you'll see someone trying to use this as their backup system for 30gb of pr0n. Will large files kill TinyURL? What kind of latency is this going to introduce? If nothing else, this might constitute a DoS attack on TinyURL.com (which would be illegal.

It's still interesting work.

Re:I'm sure this won't be abused

[FidelCatsro]

I don't think it would constitute a DOS attack (unless someone was trying to DOS it deliberately using said program) it would just be overloading the servers. if it did constitute one Slashdot would have a criminal record the length of the Nile .

Re:I'm sure this won't be abused

[MichaelSmith]

It's still interesting work.

Even more interesting would be something which encrypts your files and spreads them around in various free storage media (slashdot trolls?) in such a way that they can not be easily correlated with each other.

Cramming all this stuff into tinyurl is bound to be noticed, but if it is a couple of dozen bytes here and there it might be possible to store lots of stuff with a reasonable degree of safety.

Re:I'm sure this won't be abused

[Dekortage]

You're probably right. "Illegal" is too much.

Though, when Slashdot readers kill a server, it's because thousands of people are trying to legitimately access information that is put online for this purpose. If thousands of people kill TinyURL because they're swapping large files, it is frankly an illegitimate use of the service. Maybe not illegal, but certainly inappropriate to the vast detriment of the service and its other customers. Your public library is free, too, but if a bunch of people began standing in the doorway to swap goods and kept other patrons out, the police would probably show up to eject them.

Re:I'm sure this won't be abused

[FidelCatsro]

It is a bit malapropos , especially to a free/donation based services such as this .

Re:I'm sure this won't be abused

[Dekortage]

if it is a couple of dozen bytes here and there it might be possible to store lots of stuff with a reasonable degree of safety.

Wow... this gaves me a great idea... the Slashdot Sig File System!

Re:I'm sure this won't be abused

Worst Moderation ever.
First funny and then overrated, Moderators please abandon your crack pipe .

Re:I'm sure this won't be abused

[Lord+Kano]

It's not a DoS unless Denial Of Service is the intent.

If it's an unintended consequence of the actions of thousands of users who aren't trying to initiate a DoS, then it's clearly not a DoS.

LK

Default PHP protections?

[Egregius]

Bwahahahahaha.

Re:Default PHP protections?

[bsytko]

I agree, its more like, what default PHP protections? PHP as little to none default protection so much so that they make it insecure by default. You would have to go through a considerable amount of work to make any script secure.

Re:Default PHP protections?

[digitalstruct]

He is talking about the protections that are automatically set in php.ini. There really isn't many and more of the security problems are due to the large undertaking of people that have no clue on how to really code php. Thus introducing a security problem. I could basically have the same thing happen with perl, asp, asp.net, cold fusion, etc. Security problems are more noteful on a specific case and not towords the language itself.

Re:Default PHP protections?

[digidave]

"PHP as little to none default protection so much so that they make it insecure by default. You would have to go through a considerable amount of work to make any script secure."

Really? So in what way is 'echo "hello world";' insecure? The only PHP scripts that are insecure are the ones where programmers made stupid decisions or wasn't thinking the design through, just like in any other language. 99% of these PHP problems are using external data without checking it. 99% of those cases are where the programmer didn't use the readily available tools such as prepared SQL statements.

In fact, with PHP in its default configuration, a script that does not accept user data has zero chance for exploitation. You do get cases where programmers do exceedingly stupid things such as get data in such a way as so internal data can be injected, but programming that way is actually much more difficult than doing it the right way. Programs ported from very old versions of PHP may suffer from this if they weren't ported properly.

Anyway, this is all aside from the fact that the TinyURL issue isn't a vulnerability caused by PHP. The program is working exactly as intended, but the programmers didn't think about it being used in this way. They could have easily written a couple lines of code to check to make sure the URL is valid before accepting it.

Re:Default PHP protections?

[n0-0p]

The security issue is a design flaw, and I've never seen a language that can really protect you from design flaws. That stated, I've reviewed millions of lines of code across at least a dozen languages and I consider PHP one of the worst from a security and maintainability perspective. The only built in protection mechanism I know of is magic quotes. And I really consider magic quotes an extremely poor sustitute for parameter binding that you get with properly implemented prepared statements or stored procedures.

Good web app frameworks offer things like mandatory site-wide authentication, integrated user roles, and basic XSS filtering by default. They're also designed to enforce seperation of tiers, so you can remove your presentation from your business logic. And if you're using stored procedures, you can actually establish a hard security perimeter between your data and logic tiers. I haven't identified good support in PHP for any of these approaches. It's not that it's impossible, but the platform sure doesn't help you.

Unfortunately I haven't had a chance to look at much PHP5 code. It looks like they addressed some of the more glaring language issues, but the platform still leaves a lot to be desired in my opinion. I could be wrong though, as I don't review a lot of PHP. I'd appreciate if any PHP wizards would identify errors in my assessment of the platform.

Re:Default PHP protections?

[Bogtha]

99% of these PHP problems are using external data without checking it.

And the main reason for that is the brain-dead magic quotes feature - i.e. not only is the grandparent wrong about no default security, but it's actually the default security that causes the problems he's complaining about.

Re:Default PHP protections?

[Christianfreak]

I code PHP for a living and I agree with everything you say. For logic/presentation seperation there is Smarty, but its definately not something a lot of PHP developers know about.

I haven't seen a whole lot of PHP 5 either, but from what i have seen they mostly concentrated on fixed a lot of the OO problems. Which is good but I was hoping they would address some of the more serious (IMHO) problems with the underlying language (adopting a standard naming scheme for functions, maybe creating some namespaces, having real arrays ... etc.)

Re:Default PHP protections?

[Doctor+Crumb]

It's not really PHP's *current* default settings that are the problem, it's the ones from as little as 2 years ago, which many, many web apps still require in order to work properly. I am of course talking about PHP_REGISTER_GLOBALS, which only recently started defaulting to OFF, and which must be left ON for many php apps. PHP does not go out of its way to let you write secure code. In fact, it is left up to the programmer to worry about security at every step along the way.

Perl allows you to use 'taint mode', which explicitly distrusts all user input. As far as I know, PHP does not have such a feature. Combined with 'use strict', which requires variables to be declared before you can use them, this will also help avoid the majority of stupid security holes in perl apps. You still need to avoid creating other security holes, but you can count on perl to watch your back.

Even ASP has "option explicit", which accomplishes much the same thing if used. While any language can have security holes, some make it far easier than others.

(note: I write PHP for a living, but I use perl for all personal projects).

Re:Default PHP protections?

[sigmund+lahn]

You should look into PDO,
database abstraction with preparation of statements et al ([code example])

Re:Default PHP protections?

[fluffy99]

Forcing programmers to use perl taint isn't a magic bullet either. It just forces them to untaint the variables and maybe think about it a tad more, but it doesn't force them to do a good job of untainting. About half the perl code I using taint, the author just does a quick regex expression or simply calls untaint.

Re:Default PHP protections?

[Enrico+Pulatzo]

That's interesting, and I can't say I've ever heard of it. How different is this from PEAR::DB?

Re:Default PHP protections?

[sigmund+lahn]

Well, PDO is written in C, using it's own database drivers, while PEAR::DB is a wrapper around the PHP database extensions, written in PHP.

Re:Default PHP protections?

[Doctor+Crumb]

Agreed, bad coders will write bad code in any language. My point is that perl at least provides the tainted/untainted concept; PHP does not even have that concept.

Is it

[manojar]

is it another way to backup more porn/mp3s online?

TinyDisk's inspiration

Gmail Filesystem

Solution for which problem?

['t+is+DjiM]

That's pretty much what I understood.

I adore the ingenuity (correct spelling?) of the hack but... I can't really find a problem this hack is a solution for.

As a way to distribute files, it's probably too slow. The pro's I see here: the file is not stored as one single file but it's stored as a distributed file (a set of Base-64 encoded clusters), making removal of the file hard. On the other hand, if one single segment drops out, the file will be destroyed (except if some redundancy exists, of which I did not find evidence).

If you want to send attachments in an e-mail, this is a very complicated way to do it. Every receiver must have the decoder program to re-assemble the file.

Moreover, if tinyURL builds in a check to see whether the submitted URL exists (not just some 404 page), the whole concept would probably break.

Anyways, very clever hack!

Re:Solution for which problem?

[acariquara]

Simple, guerrilla distribution of files that would be illegal but not immoral - DeCSS, anyone?

Also, it could be used for distributing small text files containing reports from warzones and other heavy-censored countries. EFF should have a blast on this one.

Re:Solution for which problem?

Five words: base dot google dot com

Re:Solution for which problem?

Is that an AYBATU joke?

Re:Solution for which problem?

[pclminion]

Simple, guerrilla distribution of files that would be illegal but not immoral - DeCSS, anyone?

Yes yes, and thermonuclear weapons were only invented to deter the Soviets.

Sorry, but moral questions DO come into this.

Re:Solution for which problem?

All your base are to us?
Now that _really_ doesn't make sense to me :-)

Re:Solution for which problem?

Sorry to burst your bubble but DMCA != Nukes

You could do this with blogs or any CMS

[tezza]

You could put this in an unapproved pending queue for Wikipedia, comments on Joel Spolsky's blog or wherever.

But overall 'WHY?' must be the question? Al Quaeda or The Real IRA? They still have their old working communication channels. Also who needs space like this? Space of this amount could be made redundant and available by using GoogleMail, Yahoo and Hotmail in synchrony. If none of those are available, presumably you'd have it on USB key as well.

Re:You could do this with blogs or any CMS

[Bogtha]

But overall 'WHY?' must be the question?

I've used something similar myself, and there are a few obscure reasons for hiding data in somebody else's web application.

For instance, Opera's UserJS (the inspiration for Greasemonkey) doesn't have a restriction-free XMLHttpRequest object, so the only information you can retrieve with it is from the original host. Stuffing data onto that host is sometimes the only way of making some features work.

Re:You could do this with blogs or any CMS

Oh I dont know, maybe someone trying to release to the public the laws under the Patriot act that are deemed secret. (Only terrorists want to know the laws) Someone wanting to release information that is hugely beneficial to humanity but will get them killed for it (another terrorist only use)

Re:You could do this with blogs or any CMS

[julesh]

But why would that host ever be tinyurl.com?

Re:You could do this with blogs or any CMS

[Bogtha]

Well this is just a neat trick, a proof of concept, isn't it? The same techniques can apply to most web applications, this is just demonstrating the principle. Don't get too caught up in which host was used for the example.

Re:You could do this with blogs or any CMS

[julesh]

Someone wanting to release information that is hugely beneficial to humanity but will get them killed for it (another terrorist only use)

I wouldn't trust tinyurl.com not to keep logs with enough info to identify me if somebody was that desparate to find me. Far better to go through a service that is, at least, supposed to be anonymous.

Re:You could do this with blogs or any CMS

[Spad]

Well why not?

Furthur Compression

[hoshino]

I noticed that the whole of Alice in Wonderland is compressed to just 20 clusters and each cluster is represented by the five-letter keys used by TinyURL. So is it not possible, using the same method, to reduce the entire metafile (which is merely a textfile of less than 1kB) into a single-line URL? Then you can have the program retrieve the metafile from the URL and the actual file from the metafile. So instead of sending people a metafile, you can just copy and paste them one line of URL.

Re:Furthur Compression

[grimJester]

Which makes it more like what it really is, hosting your file on someone else's web server. "Compression" my ass.

Re:Furthur Compression

[10101001+10101001]

Think about that for a second. The reason the metafile exists is to not only provide the url(s) of the file, the filename, and the filesize, but it also includes the encryption key. Ie, if you upload the metafile(1), you're going to need a metafile(2) with a key to get the metafile(1). Ie, no, it won't work.

Re:Furthur Compression

[Bazman]

"Furthur"? You ARE Cowboy Neal!

See here if that was indeed simply a typo!

Re:Furthur Compression

[dascandy]

You are implying that if you keep repeating it you can compress anything to one short URL?

The FBI has been warned, they're on the way to arrest you for [url=http://patft.uspto.gov/netacgi/nph-Parser?Sec t1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/search-bool.h tml&r=1&f=G&l=50&co1=AND&d=ptxt&s1=5533051.WKU.&OS =PN/5533051&RS=PN/5533051]patent on infinite compression[/url] violation.

Page 3, line 34 of the patent states:

    A second aspect of the present invention which further enhances its ability
    to achieve high compression percentages, is its ability to be applied to
    data recursively. Specifically, the methods of the present invention are
    able to make multiple passes over a file, each time further compressing the
    file. Thus, a series of recursions are repeated until the desired
    compression level is achieved.

Page 27, line 18 of the patent states that the claimed method can compress
without loss *all* files by at least one bit:

    the direct bit encode method of the present invention is effective for
    reducing an input string by one bit regardless of the bit pattern of the
    input string.

Above two bits quoted from the comp.compression FAQ.

Re:Furthur Compression

[Man+Eating+Duck]

Are you sure your link shouldn't be pointing to http://tinyurl.com/a5m6m?

Just had to try tinyurl, I think it was designed for uses just like this :)

Re:Furthur Compression

[CorruptMayor]

Yes, you could using hash-trees. I'm surprised the creator of TinyDisk didn't do it himself.

This whole thing reminds me a lot of Venti.

Re:Furthur Compression

[Keybounce]

>>
Page 27, line 18 of the patent states that the claimed method can compress
without loss *all* files by at least one bit:

        the direct bit encode method of the present invention is effective for
        reducing an input string by one bit regardless of the bit pattern of the
        input string.
>>
Then it lies.

I have a file of 30,000 bits. I run your compression system, I get a file of 29,999 bits.

Ok, repeat 29,999 more times. Am I down to a single bit?

There has to come a point at which you cannot compress any farther. Furthur. Whatever.

Re:Furthur Compression

[dascandy]

There was a point I was trying to make with my reply and you completely missed it.

It's simple.

[TheSpoom]

If you want your online app to not be used by scripts such as this, implement a CAPTCHA. Sure, people could still use it if they wanted to input a bunch of letters for every single chunk of their file...

Re:It's simple.

[Smidge204]

Or better yet, validate all entered URLs by attempting to establish a connection to the server. If the URL is invalid then kick it back.

You wouldn't even need to do this with every URL added to the system. Spot-checking every 1 in 10 URLs or so will go a long way to preventing any sort of abuse.
=Smidge=

Re:It's simple.

[FidelCatsro]

That is a great idea . It would also double as a feature , incase anyone accidentally mistypes a URL or misses a chunk at the end during a copy/paste

Re:It's simple.

Or better yet, validate all entered URLs by attempting to establish a connection to the server. If the URL is invalid then kick it back.

But you put the payload as a query string to a page that didn't care, e.g. http://www.microsoft.com/?MYPAYLOAD, to get back a valid response.

Re:It's simple.

[Chi-RAV]

not really. as the author of the hack already proposed, you can add hosts of sites that have base64 encoded urls which means that you can get http://www.bleh.org/topic.php?= and then the prog will filter out the part for use in the decrypting... surely if you use big enough sites (amazon, google, again as the author proposed) you can circumvent this. The point of this "hack" isnt really to show how to break tinyurl but to create a different way of approaching networked file systems, using only HTTP POST/GET. I for one see great potential in this for the likes of Al Qaida (you know, where better to hide your building hitlist than on tinyurl).

Re:It's simple.

[Bogtha]

You wouldn't even need to do this with every URL added to the system. Spot-checking every 1 in 10 URLs or so will go a long way to preventing any sort of abuse.

Actually, that would only make things worse, as the filesystem code would simply have to resubmit 10% of queries, doing nothing but drive the load up further. Assuming, of course, that the trick suggested by the AC where all the data is stored in the query string is not used.

Re:It's simple.

[mrogers]

The user could just add http://google.com/search?q= to the beginning of all the URLs...

Re:It's simple.

[cavemanf16]

Even 1 in 10 would be overkill. From TinyURL's website:

"Making long URLs useable! More than 11 million of them. Over 200 million hits/month."

Let's assume that 11 million items = roughly 1 million items submitted each month. 'Spot-checking' only 2500 submitted URL's per month would get you within 99.98% accuracy of finding false URL's. In other terms: if you spot check 2500 URL's per month, you will catch at least one invalid URL each month, 99.98% of the time. That's hardly a noteworthy load on a server that's serving up 200M+ page hits per month, and I don't doubt they will indeed implement such a feature now that NanoURL has been released. What I do find quite interesting is how one (or many) smart people could use these types of wild ideas to continue to circumvent security measures in the future, and potentially no authority would be the wiser. But of course we should still check people's shoes for bombs before they board a plane. :-/

Re:It's simple.

Spot-checking every 1 in 10 URLs or so will go a long way to preventing any sort of abuse.

The you could just modify the filesystem to retry if it doesn't work the first time. Maybe TinyURL could cache the failed addresses so it could reject them on subsequent attempts without having to retry the server, but what if the address is valid and it was just a server hiccup? That could interfere with legitimate use. I don't think spot checking would effectively deter abuse.

Re:It's simple.

[orangesquid]

Interesting idea:
(1) create one tinyurl which contains encrypted data
(2) create another tinyurl which contains the decryption key

Never access them from the same IP nor around the same time, and nobody will ever know what you're hiding.

Re:It's simple.

[Pollardito]

i assumed that the OP was talking about TinyURL blocking submissions from someone that submits multiple bad IPs, so it wouldn't be just 10% resubmitted (or 11.1% repeating :P) you'd actually have to walk carefully.

Re:It's simple.

[nahdude812]

Visual captchas present a significant usability problem for blind users, and audio captchas have proven much easier to defeat in general than visual captchas (some of which are actually quite easily defeated).

Further, even the best visual captchas are easily overridden if the attacker is motivated enough; a common means to perform this action is to get other humans to voluntarily solve the captchas as they are encountered by offering, eg, free porn.

Basically, captchas aren't really the solution to preventing bots (there are no good solutions for this), they only deter casual botters.

Re:It's simple.

[Syberghost]

I for one see great potential in this for the likes of Al Qaida (you know, where better to hide your building hitlist than on tinyurl).

Oh, great; now we're all gonna have to remember "http://tinyurl.nsa.gov" instead of "http://tinyurl.com".

Re:It's simple.

[mlyle]

A quibble:

In other terms: if you spot check 2500 URL's per month, you will catch at least one invalid URL each month, 99.98% of the time.

This isn't true. The base rate of 'false URLs' matters. e.g. if all 11 million URLs are valid, checking 2500 urls finds you an invalid URL 0% of the time. If all are invalid, checking 1 finds you an invalid URL 100% of the time. If half are invalid, checking 1 finds you an invalid url 50% of the time, checking 2 finds you at least one invalid url 75% of the time, etc, or checking 12 finds you at least one invalid one 99.976% of the time.

Re:It's simple.

Or better yet, validate all entered URLs by attempting to establish a connection to the server. If the URL is invalid then kick it back.

That is easily defeated by changing the file data encoding slightly, to include a valid web server but with a bogus URL, for example:

htfp://www.microsoft.com/BOOYAH/d21e5918c7c1e1d52e 783beb295492b6

TinyURL successfully connects to Microsoft, so it thinks this is a valid URL.

Oh, you meant you want TinyURL to actually attempt to retrieve the supplied URL? Well now you have a worse problem, because what if that URL refers back to TinyURL itself? For example (forgive my lack of URL encoding):

htfp://tinyurl.com/create.php?url=http://tinyurl.c om/create.php?url=http://tinyurl.com?create.php [...]

This would cause TinyURL to continue to connect back to itself, create a new Tiny URL which would trigger it to connect back to itself, and create a new Tiny URL which would trigger it to connect back to itself, which would... Get the point?

And yes, I changed the initial "http" to "htfp" because Slashdot turns it into a REAL LINK otherwise (which is stupid, if I want a link I'll make it a link, dammit), and for God's sake DON'T DO THIS!

Re:It's simple.

[Kleedrac2]

Typical American Attitude (-1)

Re:It's simple.

[johansalk]

Won't validating each URL add to tinyURL's bandwidth costs? I think it would multiply their bandwidth usage many, many times over.

Re:It's simple.

[mysidia]

How about post-verification? Perform the spot check not during URL creation, but after the fact, i.e. spot-check 1-2% of the URLs in the database every day -- any URL that 404s is marked to be checked every few days, and if it doesn't start working within a certain amount of time is dropped.

Also, perform URL comparisons during spot checks. If a URL is a get form with a bunch of form fields, try dropping all the form fields, and fetch the page -- if the result is the same, then unify, and drop the unnecessary fields.

What these checks would do is ultimately punch holes in the data of people attempting to make "filesystems" on the data, making those filesystems useless and discouraging the practice..

Re:It's simple.

[cavemanf16]

Yes, it is true, and I was assuming that the base rate of "invalid URL's" is unknown, so the worst case scenario is to expect 10% of ALL URL's to be invalid. That would be a rather large volume of invalid URL's at this point in time (yes I know, another assumption), but it does yield a 99.98% success rate in detecting a minimum of 1 bad URL out of a random 2500 per month checked. (out of 1 million total URL's received per month) My math makes sense. I'm not sure where you came up with yours.

Yes it's true that checking 2500 random URL's when absolutely every single one is valid would still give you a "0% invalid" result, but you would ALSO still only be about 99.98% sure that all 1 million URL's received that month were indeed valid since you did NOT check all 1 million. Obviously the more you check, the more sure you get about how many invalid URL's you have per million units checked. You're confusing statistics with semantics. No, I can't say with absolute certainty that every single URL is invalid by checking only 2500, but I also won't waste nearly the amount of system resources as someone who would be checking every single URL. Fast, cheap, quality - pick two. I pick fast quality. (It costs some amount of money to implement the quality checking code and have it run on the server each month)

Re:It's simple.

[Reziac]

Or use it as a way to store and/or exchange keys, without any two users of said keys ever needing to be in direct contact.

Re:It's simple.

[Baricom]

Well, if people start trying to use TinyURL as a file system, it may be more cost-effective to do the validation than blindly accept the long URL. TinyURL could decide how much bandwidth to devote to checking URLs based on the payoff from eliminating a bad one.

Holy.. cool technology overload..

[jkind]

Encryption, clusters, nano.. Why don't they encode the tiny clusters to DivX while they're at it and embed it in the silences in movies... :)
This sounds like a very cool conference, are they going to distribute a conference program in pdf format, or is Phreaknic too underground for that, and require you to get it off torrent ??

Re:Holy.. cool technology overload..

It was alot of fun, and all of the speeches were recorded (and sent through the hotel over CCTV)

watch phreaknic.info for info, wilpig should be releasing it soon.

No.

[Colin+Smith]

That's what alt.binaries.* is for.

What does PHP have to do with it?

[miknight]

Sure, well all know PHP is far from synonymous with security, but this seems to be a case of exploiting a web app using only the mechanics intentionally made available, just in a novel way. Seems like some unfounded (though not necessarily undeserved) PHP bashing.

Re:Nifty hack, or antisocial behavior?

It is a nifty hack, but let's not kid ourselves and pretend this is anything new, or that it's even a good thing.

At its core, Tinyurl is just a write-once database. You add data and get back a key/pointer to said data. As with typical databases, the size of the pointer is logarithmic in the size of the input (* number of keys stored, not bytes; however, the number of bytes/key is bounded under some constant, so it's effectively the number of bytes).

This gives us a logarithmic compression scheme, where our compression ratio (N-logN)/N approaches 100% as N gets large. This kind of "infinite compression" is what makes the method attractive: you put in say a kilobyte of data and get out a (currently) 5 byte key. All you have to do is keep an index of the keys.

TinyDisk doesn't seem to do this, but you could then turn around and store the index as a key. Take 1000/5 = 200 keys and get back one key. Lather. Rinse. Repeat. In the end, you have a single key that points to the backup of your mp3 collection, all in one TinyUrl! Not too shabby. After all, it's free storage, right? Wrong. Someone ends up paying for the infinite compression. In this case, it's Tinyurl. If this kid had stopped to think for a few minutes before publishing his hack, he would have realized that he's actually doing a malicious, antisocial thing. I suspect there will be a dozen copycats in the wild before the end of the day.

Farewell TinyUrl, we knew ye well.

The end of TinyURL.

[tmroyster]

The end of TinyURL is in sight. Yes, this is (probably) a clever hack.
But this is a misuse of a really useful service.

When TinyURL's administrator has to either go out and buy his
second 2Terabyte disk array in a week or shutdown, which do
you think he will pick?

Re:The end of TinyURL.

>He could just ensure that any url posted actually resolves, or just pattern match it using a good url validator...

Google search always resolves. As a proof of concept, I made a tinyurl to a google search for "int main() { printf("hello, world!\n"); }," but I decided against posting the tinyurl because slashdotters have a bad case of the clickies. Anyway, it's very straightforward to encode your data as a google search. Then all you have to do is decode your data out of the search URL!

Re:The end of TinyURL.

[cbr2702]

He'll just restrict traffic by IP. Any legit user will not be making more than one request per second.

Re:The end of TinyURL.

[Slashcrap]

The end of TinyURL is in sight. Yes, this is (probably) a clever hack.
But this is a misuse of a really useful service.

You're scaremongering and being sensationalist. Have you considered a career as a Slashdot editor?

Seriously - this app encodes your data as URLs. Imagine splitting a DVD image into URL sized chunks and then submitting them one by one. Does that sound like a workable storage system to you?

And as for abusing TinyURL, you could do it with a tiny shell script generating and submitting random URLs. Much faster and more efficient and anyone could do it. So why do you think that this proof of concept code is more dangerous? Can you explain your reasoning? Or did you just get suckered by the Slashdot editors?

Re:The end of TinyURL.

[SFEley]

He'll pick option C, which is to not allow one address to create more than a few TinyURLs in one day, or option D, which is to start validating URLs more carefully.

TinyDisk is an abuse of the system, but it's an intentional one designed to point out that TinyURL could have been implemented with a bit more caution. The fixes to prevent this sort of abuse are easy.

Re:The end of TinyURL.

[Dr.+Evil]

Seriously - this app encodes your data as URLs. Imagine splitting a DVD image into URL sized chunks and then submitting them one by one. Does that sound like a workable storage system to you?

As a fully-distributed system for illegally distributed or illegal materials?

Absolutely.

The reason an abuse shell script wouldn't be as bad is because of motive. This is a way to abuse the system which is useful.

Re:The end of TinyURL.

This is far from fully distributed. In fact, it IS NOT distributed, and as another poster mentioned, is located on a host that has reason to look for and destroy any such data that it contains. In fact, there are multiple MORE ways that the host can do detection, both before and after the fact that nobody has bothered to mention, etc.
What this IS good for is anon. posting of smaller files to a public source for distrobution.
Why is this good? Because uncle sam is watching, and quite honestly he doesn't like me, or my type.

Video/Overview of Acidus's presentation

Here is a video of Acidus's presentation. If you haven't seen him present before (At Hope, O'Reilly's E-Tech, Toorcon, Phreaknic, Interz0ne, etc, etc) he puts on a good show.

The presentation was called: Layer 7 Fun: Extending web applications in interesting ways. He discusses how traditional web applications work -vs- "new" web ppas that use AJAX. He talks about writing extensions to web apps using an API supplied (ala Housingmaps.com, or chicagocrime.org). Finally he talks about writing an extension to a web app where you don't have access to an API. TinyDisk was a case study for writes these so-called "non-sanctioned" extensions. He has a funny little slide he goes back to about how to properly implement a web app (which TinyRUL fails to do). Things like "don't wallow users to uploaded arbitrary amounts of data directly into your database."

Funny Stuff. His upcoming talk at Shmoocon seems pretty cool too.

Re:Video/Overview of Acidus's presentation

The URL for this video should be presented as http://tinyurl.com/bn6k5 :)

Book names - Recommended Reading

[eltoyoboyo]

In the Recommended reading section this is stated:

There are definitive works in certain fields that online guides and HOWTOs cannot even approach in terms of detail or quality. It's a class of books that are so familiar people refer to them by nicknames instead of by full title.

Well maybe so, but I did not know them all, and in the interest of helping people along the path here they are:

Books like:
K&R, The C Programming Language by Brian W. Kernighan and Dennis M. Ritchie
The Dinosaur Book, Operating System Concepts by Abraham Silberschatz
Knuth's never-ending story, The Art of Computer Programming, but Donald Knuth
The White Book, Introduction To Algorithms by Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Cliff Stein
P&H, Computer Organization and Design The Hardware/Software Interface David Patterson John Hennessy
The Illustrated's. TCP/IP Illustrated Series (The Illustrated's) - W. Richard Stevens
The Rainbow series. U.S. DOD Computer Security Series

Re:Book names - Recommended Reading

[siliconjunkie]

You forgot "The big red book that doesn't fit on a shelf" :)

Re:Book names - Recommended Reading

[eltoyoboyo]

Ah yes
ISO 9945-1 Portable Operating System Interface (POSIX) -- Part 1: Base Definitions
"The Ugly Red Book That Won't Fit On The Shelf"
This one was not mentioned in the TinyURL Recommended reading. But there are many of these entries in the Jargon File.

Security isn't the issue; resource exploitation is

[rjamestaylor]

Sorry to be Mr. Obvious this morning, but I take issue with submitter's conclusion that TinyDisk illustrates a security issue on the part of tinyurl.com. It rather illustrates the ease of creating a leachable web app that resource pirates can abuse. Yes, I have a negative opinion of those using such a creative hack against others who provide services to the general public in good faith.

article defends PHP; no bashing

[brlewis]

The underlying message is that web application development is inherently difficult to secure, despite PHP's valiant attempts to protect programmers from themselves. This is the opposite of PHP bashing. It's PHP apologetics.

I disagree with the article's premise. It seems to me the same sort of mindset that attributes to "pilot error" aviation incidents that would better be attributed to poorly designed instrumentation.

Re:article defends PHP; no bashing

[miknight]

Sure, I agree. I wasn't very clear that I was referring to the article submitter's comment "...despite the default PHP protections."

Re:article defends PHP; no bashing

[sydb]

But TinyURL is equivalent to the instrumentation designer, while PHP is equivalent to the components from which the instrumentation is made. So the article is right.

Security is layered. PHP components can be secure, but in providing a general purpose language, anything can be built from those components, including insecure web applications.

To create a programming language or environment from which you cannot build an insecure application would require seriously compromising the flexibility which gives the language its usefulness.

Why not go further?

[SamSim]

Take the list of cluster URLs. Concatenate them into a single URL. Submit it again. Thus compressing literally ANY file to five characters.

At least, as long as the possibility space of five-character URLs isn't exhausted. It's very much first come, first served.

Re:Why not go further?

[guitaristx]

Let us not forget, we are NOT COMPRESSING ANYTHING.

We are simply addressing it. By your definition, a filesystem path (e.g. /usr/home/SamSim/foo.txt) is compressing the contents of foo.txt to the length of the path.

Re:Why not go further?

[John+Nowak]

I have no idea what you're talking about. Get a clue.

Okay, back to working on my perpetual motion machine!

Re:Why not go further?

[baadger]

You are aware that RFC valid URL's have a maximum length..right?

I can't be arsed to look it up but off the top of my head I think it's =256 characters.

Re:Why not go further?

[SamSim]

I didn't think there was a maximum specified length, and I've certainly seen longer URLs that 256 characters in working use. MSIE, for example, can handle URLs up to 2048 characters long. But it doesn't matter how big the file is or how long the maximum URL is. Suppose your file is four gigs. Split that up into 2097152 chunks of 2048 characters each, and reduce them all to five characters each, and you have a 10-meg file. Split that into 5120 chunks of 2048 characters and reduce them all again, and you have a 25-kilobyte file. After the next pass you're down to 63 bytes. Then you're down to five characters. Four passes, and the job is done. Takes a while to get all the info back from TinyURL, of course...

Re:Why not go further?

[baadger]

From RFC2616 (HTTP/1.0):

      The HTTP protocol does not place any a priori limit on the length of
      a URI. Servers MUST be able to handle the URI of any resource they
      serve, and SHOULD be able to handle URIs of unbounded length if they
      provide GET-based forms that could generate such URIs. A server
      SHOULD return 414 (Request-URI Too Long) status if a URI is longer
      than the server can handle (see section 10.4.15).

            Note: Servers ought to be cautious about depending on URI lengths
            above 255 bytes, because some older client or proxy
            implementations might not properly support these lengths.

Face the wrath of Tiny!

[elrous0]

Don't be fooled by the nickname. They break legs.

-Eric

From phreaknic to slashdot in 3 days

[wilpig]

Way to go Acidus!

Great Idea!

[Se7enLC]

I was looking for another way to store files online in such a way as to make them:

• Difficult to access
• Unreliable
• Split into many different pieces
• Under somebody else's control that has motivation to delete them

I guess once this goes down, I'll have to go back to posting UUencoded files in peoples blogs.

Re:Google and banks (MODS ON CRACK!)

[julesh]

PayPal UK used to use the same technique to validate you were the owner of a credit card: make a small reverse payment and ask you how much it was. Then they got proper integration with the banks and stopped doing it like that.

And WTF is this modded 'offtopic'?

Juggling With Packets

[pizza_milkshake]

looks like an implementation of Michael Zalewski's Juggling With Packets concept, the storing of data in buffers of publicly available services for use as a filesystem.

Re:Repeal the 19th ammendment

[Elad+Alon]

Death To women's Rights.

For the millionth time, Jerry, I apologize for sleeping with your wife! We were both drunk and we both regret it. It's been 20 years now, so for heaven's sake. Please, let it go!

Poor fellow

I wonder how much longer tinyurl will last once people start dumping gigs of porn and pirated movies onto it, broken into millions upon millions of fake urls.

Re:Poor fellow

[Profane+Motherfucker]

Count backwords from 10.

That's your answer.

Hyper Bowl?!

Sounds like fun! Where do I sign up?!

Where's the security issue?

Where's the security issue?

I could make a similar "file system" with any website that allows users to create accounts and post some information online. I could split a file in some packets, create a Slashdot account for each, and post the packet's content and some meta information in that account's journal.

It's not a file system

[danielsanII]

It's not a file system, because it doesn't even closely implement any POSIX semantics. It's more like P2P, without the P2P :)

Also, I don't really get what's so special about this. I mean, you could also UUEncode files and post them to a forum (or even different forums), and find some way to reassemble these files.

Re:It's not a file system

[milgr]

Why isn't it a filesystem? Filesystems have been around since long before Posix.

A filesystem stores and retrieves files.

Here are some exmaples of filesystems that undoubtably violate posix:
    FAT as shipped in DOS 1.0
        Had no subdirectories
        Had no notion of users
        Had no permissions
        Limited filenames to 8.3

    CD-R
        Doesn't allow data to be modified (or meta-data to be changed).

In addition, some filesystems allow remote access:
    NFS
    andrewfs
    Coda

In addition, some OS'es allow some things to be treated as filesystems:
    Linux has /proc filesystem - accessing in-memory data
    Hurd allows filesystem access to tar files, and ftp servers

So, why isn't it a filesystem?

Re:It's not a file system

[pclminion]

It's not a file system, because it doesn't even closely implement any POSIX semantics.

Whoa. In nearly the words of Babbage, "I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement." Only POSIX filesystems are filesystems?

Now make it RAID 10

[stuffduff]

Spread it across a bunch of servers, and as soon as you have enough parts rebuild the file. Maybe use a meta search engine to find the parts.

Re:Nifty hack, or antisocial behavior?

[qwijibo]

Only corporations should act malicious and antisocial? That doesn't seem very fair. Why are you picking on the little sociopaths? At least it's possible to do something about them. Once you get a large corporation interested in a new form of plundering, it's all over.

I don't really see this as abuse as much as the fundamental flaw in providing free services. If the cost to support the service is higher than the cost to the recipient, it's just a matter of time before someone finds a way to cut their costs by increasing someone else's.

This is simply vandalism

[hqm]

Someone sets up a nice public service, and some asshole has to come along to abuse it. This isn't clever, it's no different from any other act of mindless vandalism. Society is held together by an implicit contract that people not act like selfish pigs. The guy who releases this software is a selfish pig.

Re:This is simply vandalism

[slim]

Read the presentation and the FAQ. He's done his best to demonstrate the point without (his words) "being a dick".

What does PHP have to do with it

[PktLoss]

Yes, I RTFA, and looked at how things work, the fact that PHP is being used is immaterial.

The basic functionality of TinyURL, NanoURL or any other service is to accept a string (presumably a URI) and return a shorter string that will serve as a pointer to it. If you want your application to accomplish that it doesn't matter what it was written in, people can store things other than URLs in your database. The protections against this sort of use/abuse suggested in the article are also language independent.

Re:What does PHP have to do with it

[jlapier]

Don't you realize it makes you look smarter if you bash PHP for it's security? Scoffing at things is what seperates man from animal...


(seriously, I'd mod you up but I've not the points...)

Re:Nifty hack, or antisocial behavior?

He's acting antisocial by creating an untimely demise of a free service that others have thus-far been able to use cooperatively. Sure, TinyUrl could go to a CAPTCHA system without affecting its intended users, but will they? Or will they just shut down when they get a few GB of new URLs today? If his true intent was to get them to plug the hole, he should have gone to the admins of TinyUrl and explained to them the problem. Demonstrating it on a global scale is not a way to win friends. It's antisocial.

My slashdot CAPTCHA word is sadness. How apropos.

Greatest FAQ answer ever.

[jdludlow]

From the TinyDisk FAQ:

Q: This damn thing doesn't work on large files! #@%& You!
A: Did you not read the manual? Man I wish I could punch you in the face over TCP/IP! Change the config file's MaxSize line. By default the limit is 2 megs.

Re:Nifty hack, or antisocial behavior?

[ezzzD55J]

In the end, you have a single key that points to the backup of your mp3 collection, all in one TinyUrl! Not too shabby.

Sure, but I think it's a pretty dumb idea because of the large overhead (in time and data) of actually retrieving that data.. http request and response, encoding, etc. And the fact that tinyurl will (rightly) kick your ass off the service once he's on to you.

TinyDi......

oooooh TinyDISK..... nevermind

Re:Security isn't the issue; resource exploitation

[TheSync]

Is there an open source "human filter" for web aps (like the kind that makes you type what is in an image of noisy and/or distorted numbers and letters?

google fuck

[cjsteele]

I had a similar idea a number of years back basically masquerading uuencoded files inside of bogus html files that get crawled by Google's caching bot... the idea being that if you knew the names of the files you could query the cache and retrieve the UUEncoded bits.

At the time, no one else had written about such things. I just never got around to automating the process, so it never really materialized. Maybe some brave and time-rich soul would like to give it a go?

Slashdot FS

[Borf]

SDFS010101M5&AI2!$3D$@8G)O861C87-T3:6YG('-YW1E;2X@ ($1U8VLN"FAE`

Re:Security isn't the issue; resource exploitation

[Tidal+Flame]

Writing captchas is super easy in PHP. Well, depending on how complex you want the captcha to be, of course. You can make a basic one in 5 minutes, though. Those things don't really stop people, but they do make things much more difficult.

Re:Nifty hack, or antisocial behavior?

why don't you just go listen to the presentation. First of all, he's not just a kid... he does review of web app security as a job. Thanks for bringing in that honored tradition of ageism. Secondly, He beleives he already found someone else doing this because he stumbled across several random blocks of data during his tests. THIRD, storing large ammounts of data this way is highly impracticle because of the lantency of retrieving files like this.

This was the only presentation I got to catch most of because I was running my ASS off doing AV for the con this year ;P

He doesn't want to hurt tinyurl, but I doubt that there will be long term issues for that service because of it. It's simply too much of a pain in the ass to use for anything other than data hiding.

Can't they just filter?

[Kerosene]

Can't TinyURL just put a filter on input requiring a URL to be in the form of http://stuff.tld/stuff/stuff?

Easy to prevent

[The+Cisco+Kid]

If TinyURL didnt like this, seems like they could trivially add a check to see if URL's they are given actually exist by accessing them. If they get a 404, dont accept. For those sites that give a redirect instead of a 404, follow the redirects until they get to a page that actually answers, and use its URL instead.

Re:Nifty hack, or antisocial behavior?

[kevmo]

Perhaps you should have read the sentence immediately following the one you quoted:

After all, it's free storage, right? Wrong.

He wasn't suggesting it was a good idea to do it - he was giving a sample mindset of someone who would use TinyDisk to do stupid/malicious things.

commentary defends PHP; no bashing

[brlewis]

To correct myself: I'm talking about the submitter's commentary, not the cited article. TinyURL does not enter into the aviation accident analogy, because TinyURL has not been demonstrated insecure here. By design TinyURL allows anonymous entry of information that becomes publicly readable. They are correct in waiting until there's an actual problem before building anything to "defend" against this filesystem hack.

In my analogy the programmer is the pilot and the programming language is the instrumentation. The goal is not to create an environment from which you cannot build an insecure application any more than instrumentation's goal is to make it impossible to crash the plane. The idea is to make it easy to see if you're at low altitude, or in the case of web apps, to see if you're not checking your inputs, for example.

spot check this

[kpp_kpp]

http://www.yahoo.com/?weruiosahfsroiwehrfsafayewri uweiuryasuhfiudsahfiuyrfyeqwiuryiuwqyfdiusahdfsadh fguyyertqewrywiquyeriahsfhdsifgetryeqrriugsidfhgsa dgfhiuywiuegrfwtegfyags

not just like any other language out there

[brlewis]

If 99% of security problems come from using external data without checking it, wouldn't it make sense to have a syntax that enumerated your external inputs like BRL has had for the past 6 years? Or better, one shows how each input is validated like BRL has had for 2 years with define-input ?

This would have been a straightforward feature to copy/adapt into PHP if anyone were interested in making it a decent server-side web language.

Don't say "just like in any other language" when you're unaware of languages out there that are more suited to web applications.

Re:not just like any other language out there

[bobbyjack]

It's arguable how much of that BRL validation is 'built-into' the language and how much is utilisation of 'library' functions. No matter; any PHP programmer worth their salt will use a standard, generic method of validating their input, whether using a library function or their own, just as any programmer should.

I'm not trying to diss BRL, though ;) Languages encouraging secure programming is obviously a thing to be encouraged.

Trivial Solution to TinyURL URL validation

[merreborn]

If TinyURL didnt like this, seems like they could trivially add a check to see if URL's they are given actually exist by accessing them. If they get a 404, dont accept. For those sites that give a redirect instead of a 404, follow the redirects until they get to a page that actually answers, and use its URL instead.

Two flaws. (1) It is possible to create a loop of redirects. Of course, the solution on TinyURL's end would be to follow an arbitrary number of redirects, and declare anything that redirects more than that an invalid URL

(2) There are probably thousands of webapps that will give a valid response to URLs like the following: http://www.example.com/cgi-bin/script?ARBITRARYDAT AGOESHERE Rather than a 404

(2a) Barring that, why not just set up your own web server that returns a HTTP 200 for any URL? Hell, you don't even need to go that far, you could probably write a single line of perl that listens on port 80, and returns an HTTP 200 along with a small document in response to any HTTP request.

Valid URLs can be used

[douglips]

Simple solution, encode all your information as google searches, like
http://www.google.com/search?hl=en&q=four+score+an d+seven+years+ago
http://www.google.com/search?hl=en&q=our+fathers+b rought+forth+on+this+continent

Oh my god!

[douglips]

Slashdot has started automatically parsing URLs! Time for me to advance my calendar to 1999.

took a bit of work on OS X

[adpowers]

If you use OS X, it takes a little bit of work. I download Java 1.5 and installed it. Then you have to set your path variable in terminal to get it use the correct Java (the website didn't mention this, and the new Java Configuration Panel thing didn't make it work for the terminal). Anyway, after doing all that, I was able to make this file:

# TinyDiskFile - used to retrieve a file that has been stored in TinyUrl.com!
#
# By Acidus - Most Significant Bit Labs - Acidus@msblabs.org
Version: 1.0
Filename: hello.jpg
Size: 21324
Checksum Algorithm: CRC32
Checksum: 1707489058
Compression Algorithm: Deflate
Encryption Algorithm: AES, 128bit
Encryption Key: lyKYrF793XAIYYXXSYnRjg==
#
# Cluster Hashes
#
Clusters: 7
Cluster: 877ml
Cluster: 7pl84
Cluster: 9zxx6
Cluster: 8lr45
Cluster: ae5t7
Cluster: 77deo
Cluster: 8wp6q

Every time you run the program with the same parameters, it outputs a different set of URLs. This is unfortunate. It'd be nice if it would spit out the same set of URLs for each file, so that if two users upload the same file, it isn't duplicated in TinyURL.

Re:took a bit of work on OS X

[SamSim]

That has to be the most elaborate Goatse troll I've ever seen. Bravo!

Re:took a bit of work on OS X

[adpowers]

Well, it was the first file that came to my mind. Plus, it is a small file to test, I didn't want to abuse TinyURL too much. I ripped a movie into H.264 and it is 700 megs. I thought about uploading that, but that would be a little too mean.

The "default configuration" prevents abuse?

That would seem to imply that somebody could change the configuration to allow storing gigs of junk.

This pisses me off. Yeah, it's cute, but so what? Goodbye, TinyURL, I knew you well. Too bad you're about to be shitflooded into oblivion.

And...

it appears that tiny url has gone DOWN. Well, that was fun while it lasted...

WTF is this modded 'offtopic'?

Meta-mod to the rescue!