Comment by umvi

4 years ago

Turns out any site that allows users to submit and retrieve data can be abused in the same way:

- FacebookDrive: "Store files as base64 facebook posts"

- TwitterDrive: "Store files as base64 tweets"

- SoundCloudDrive: "Store files as mp3 audio"

- WikipediaDrive: "Store files in wikipedia article histories"

I wrote one of these as a POC when at AWS to store data sharded across all the free namespaces (think Lambda names), with pointers to the next chunk of data.

I like to think you could unify all of these into a FUSE filesystem and just mount your transparent multi-cloud remote FS as usual.

It's inefficient, but free! So you can have as much space as you want. And it's potentially brittle, but free! So you can replicate/stripe the data across as many providers as you want.

  • I was an eng manager on Lambda for a time, and we definitely knew people were doing this, and had plans to cut it out if it ever became a problem. :D

    • Yeah, you'd need to find some sort of auto-balancing to detect this kind of bitrot from over-aggressive engineering managers & their ilk and rebalance the data across other sources. I think the multiple-shuffle-shard approach has been done before, maybe we could steal some algo from a RAID driver, or DynamoDB.

Back in the day when @gmail was famous for their massive free storage for email, ppl wrote scripts to chunk large files and store them as email attachments.

  • I used this as a backup target for the longest time. Simply split the backup file into 10 MB chunks and send as mails to a gmail account. Encrypted so no privacy problems. Rock solid for years.

    And as it was just storing emails it was even using gmail for its intended purpose so no TOS problems.

    • Yup, did the exact same thing to back up all of the WordPress installs on a free server I ran for friends.

  • People did this on AOL in the 90s as well!

    • With AOL, in the early 90’s you didn’t even need to do that. You could just reformat and reuse the floppy disks they were always sending you for free storage.

See also https://github.com/qntm/base2048. "Base2048 is a binary encoding optimised for transmitting data through Twitter."

My friends and I had a joke called NSABox. It would send data around using words that would attract the attention of the NSA, and you could submit a FOIA request to recover the data. I always found it amusing.

  • There's a feature in Emacs that does that (unsurprisingly.)

    It's called `M-x spook'. It inserts random gibberish that NSA and the Echelon project would've supposedly picked up back in the 90s.

    • spook.el was "introduced at or before Emacs version 18.52". And 18.52 was released in 1988. And spook.el in a comment says

          ;; Created: May 1987
      

      So the things that the NSA and ECHELON would have picked up on back in the 1980s, not the 1990s :)

This is pretty tame compared to some actual, practical ones such as https://github.com/apachecn/CDNDrive

For people who don't read Chinese: it encodes data into ~10M blocks in PNG and then uploads (together with a metadata/index file as an entry point) to various Chinese social media sites that don't re-compress your images. I knew people have used it to store* TBs after TBs of data on them already.

*Of course, it would be foolish to think your data is even remotely safe "storing" them this way. But it's a very good solution for sharing large files.

I made a tool that lets you store files anywhere you can store a URL: https://podje.li/

  • Is there an import URLs button? Otherwise, how does one reassemble the original?

    • Click them, it's really for things that fit into one or two URLs like small text files. I've used it for config files that were getting formatted incorrectly over corporate email that ate it as an attachment.

GitHub repos make for a pretty good key-value store.

It even has a full CRUD API, no need for using libgit.

I wonder if we could use this technique in places where the government censors sensitive data, uploading it to streaming sites, like mainland China or North Korea (they do have streaming sites, right?)

Although for propaganda use, shortwave / sat TV is a much, much simpler way to distribute information to places like that, but I believe it's now hard for anyone to get a SW radio.

Reminds me of when I tried to Gmail myself a zip archive, and it was denied because of security reasons iirc. I then tried to base64 it, and it still didn't work, same with base32, until finally base16 did work.

I found some pirates upload videos to Prezi so they get free S3 video hosting.

  • At one point there was a piece of software called deezcloud which exploited Deezer's user uploaded MP3 storage, allowing it to be used as free CDN cloud storage for up to 400GB of files. I don't think it works anymore, and I'm not sure if it ever worked well (I never tried it).

I wonder if access permissions would be easier to maintain using Facebook...

  • Until one day your base64 ciphertext just so happens to contain a curse word and you get banned for violating "community standards"