
CursedFS – Disk image that is simultaneously ext2 and FAT - codezero
https://github.com/NieDzejkob/cursedfs/blob/master/README.md
======
gdavisson
IIRC Apple used to do something like this on their installer DVDs (back when
they shipped the OS on DVDs). The Mac OS X installer was on an HFS+ volume
pointed to by an Apple Partition Map (which would only be recognized by Mac OS
X and the Mac's boot firmware), but the DVD also had an ISO 9660 header
(that'd be recognized by Windows) pointing to Windows-compatible drivers for
the Mac hardware. Completely separate volumes, with completely separate
content.

~~~
kalleboo
Hybrid discs were common back in the CD-ROM era for games and multimedia
discs. There'd be an ISO partition for PC executable installer and a Mac
partition for the Mac version, and both partitions would have pointers
into a single copy of the large game data/video files that there wouldn't have
been space to have 2 copies of on the disc.

[https://en.wikipedia.org/wiki/Hybrid_disc](https://en.wikipedia.org/wiki/Hybrid_disc)

~~~
AlyssaRowan
The concept happened way before that too. Even though the Atari ST and
Commodore Amiga had different floppy disk formats (and were bitter rivals),
because they shared their main processor (MC68000) a great deal of games and
software were available for both.

Occasionally, that happened on the same floppy disk, via a horrific sector
format interleaving trick invented by Rob Northen (who did a lot of copy
protection stuff at the time). Notably, the Future Publishing magazines ST
Format and Amiga Format started out as the combined ST/Amiga Format and the
"coverdisk" was exactly that - readable by both, with different files on each
machine.

~~~
NieDzejkob
This reminds me that one of the filesystems that could probably be added into
the polyglot is Amiga's Fast File System, as the superblock is in the middle.
Rumor has it that this minimised seek times from anywhere else on the floppy,
but I would think that one doesn't need to read the superblock that often.

------
tambourine_man
When Apple created HFS+ they did a similar hack that would show the disk with
a TeachText read me file named “where did all my files go?” if you tried to
mount it as HFS.

That means, Macs with older versions of the OS would deal gracefully with a
format they were never intended to run.

I remember thinking it was the coolest thing ever.

------
roywiggins
For extra fun, fill them up with polyglot files!

[https://medium.com/swlh/polyglot-files-a-hackers-best-friend...](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)

------
crazygringo
So the suspense is killing me :) ...if you insert a memory stick formatted
this way into a Linux box, which one will show up?

(Forgive my ignorance if the answer is obvious -- I've only ever used Linux as
servers, never as a desktop.)

And are there any other OS's that can read ext2? Neither Windows nor macOS
seem to be able to, out of the box.

~~~
NieDzejkob
I actually didn't try to let it autodetect... until now.

    
    
    ~/cursedfs% sudo mount cursed.img mountpoint/
    mount: /home/kuba/cursedfs/mountpoint: more filesystems detected on /dev/loop0; use -t <type> or wipefs(8).
    

It's too smart :/

~~~
andrewflnr
Props to whoever thought to check for the case of fricking polyglot filesystem
images, though. Probably intended for something boring like corruption, but
still, nice.

~~~
NieDzejkob
Apparently one could create something like this by accident in the early days
of Linux:
[https://twitter.com/makomk/status/1217542964995678209?s=20](https://twitter.com/makomk/status/1217542964995678209?s=20)

------
makomk
I'm pretty sure I managed to create one of these by accident when first using
Linux, though with much messier results. Same root cause though: the ext2 and
FAT superblocks didn't overlap, and back in the day some of the filesystem
creation tools weren't so good at making sure to overwrite conflicting
superblocks.

------
NieDzejkob
Author here, happy to answer any questions.

~~~
cesarb
Can you add ISO 9660 and/or UDF to the mix? Both do not use the first several
kilobytes of the volume (hybrid CDs created by genisoimage use that trick to
combine HFS with ISO 9660).

~~~
NieDzejkob
From a quick look at the specs, it would seem like it is possible to add
either of those, but probably not both. I'll probably add this in "v2.0" -
I'm planning to redo this in a way that actually interleaves the filesystems,
which would also allow the ext* part to be larger than 32 MB.

------
gbin
This is cool as a computer forensics exercise: the FS could look empty on one
side but hide a lot of structured info in the other.

~~~
AnIdiotOnTheNet
I have yet to meet any filesystem forensic software that wouldn't immediately
identify this. Pretty much everything I've ever used would just tell you that
it found multiple filesystems and show you both. Recovering files is often
possible even without any filesystem metadata at all.

~~~
JNRowe
To make that point with an example, my go to for any new disk image or real
drive is disktype¹ which produces:

    
    
    --- cursed.img
    Regular file, size 4 MiB (4194304 bytes)
    FAT12 file system (hints score 4 of 5)
      Volume size 3.916 MiB (4106240 bytes, 2005 clusters of 2 KiB)
    Ext2 file system
      UUID 2D74B033-E8A6-4738-98B2-02BCC3F0D98E (DCE, v4)
      Last mounted at "/home/kuba/cursedfs/mountpoint"
      Volume size 64 KiB (65536 bytes, 64 blocks of 1 KiB)
    

¹ [http://disktype.sf.net](http://disktype.sf.net)
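
As an added illustration of the point made in this sub-thread (not part of any commenter's post, and not code from disktype, mount or cursedfs): a simplified signature probe that reports every filesystem header it finds in an image instead of stopping at the first. The sample buffer is constructed and the function names are hypothetical.

```python
import struct

EXT_SB = 1024  # the ext2 superblock starts 1024 bytes into the volume

def probe_fat(img: bytes):
    """FAT boot sector: 0x55AA signature plus a plausible BIOS parameter block."""
    if len(img) < 512 or img[510:512] != b"\x55\xaa":
        return None
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, 11)
    # 0x55AA alone also matches an MBR, so sanity-check the BPB fields too.
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        return None
    if reserved == 0 or nfats == 0:
        return None
    return {"bytes_per_sector": bps, "reserved_sectors": reserved}

def probe_ext(img: bytes):
    """ext2/3/4 superblock: magic 0xEF53 at offset 56 of the superblock."""
    if len(img) < EXT_SB + 58:
        return None
    if struct.unpack_from("<H", img, EXT_SB + 56)[0] != 0xEF53:
        return None
    blocks = struct.unpack_from("<I", img, EXT_SB + 4)[0]
    log_bs = struct.unpack_from("<I", img, EXT_SB + 24)[0]
    if log_bs > 6:  # would mean a block size above 64 KiB; treat as noise
        return None
    return {"block_size": 1024 << log_bs, "blocks": blocks}

def detect_filesystems(img: bytes) -> dict:
    """Run every probe; more than one hit means the image is ambiguous."""
    probes = (("fat", probe_fat), ("ext", probe_ext))
    hits = ((name, probe(img)) for name, probe in probes)
    return {name: info for name, info in hits if info is not None}

def build_sample() -> bytes:
    """Constructed 4 KiB buffer carrying both headers (not the real cursed.img)."""
    img = bytearray(4096)
    img[0:3] = b"\xeb\x3c\x90"                        # x86 jump, as FAT boot sectors start
    struct.pack_into("<HBHB", img, 11, 512, 4, 8, 2)  # bps, sec/cluster, reserved, FATs
    img[510:512] = b"\x55\xaa"
    struct.pack_into("<I", img, EXT_SB + 4, 64)       # s_blocks_count
    struct.pack_into("<I", img, EXT_SB + 24, 0)       # s_log_block_size -> 1 KiB
    struct.pack_into("<H", img, EXT_SB + 56, 0xEF53)  # s_magic
    return bytes(img)

if __name__ == "__main__":
    found = detect_filesystems(build_sample())
    print("ambiguous image" if len(found) > 1 else "single/no filesystem", found)
```

Because the FAT boot sector sits in the first 512 bytes and the ext2 superblock begins at byte 1024, both probes can succeed on the same image; a triage script should treat more than one hit as a reason to examine each filesystem separately.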

------
ComputerGuru
The filesystems aren’t synchronized, though. Quite misleading! I’m not sure
there’s a technical reason why they couldn’t theoretically be synchronized
(either in real-time via a custom fs layer or as cron task, etc).

~~~
saurik
I don't know if the title has changed, but "disk image that is
simultaneously..." made it very clear to me that this would imply a static
state carefully crafted file, not some synchronized dynamic file system
driver.

------
fctorial
Should be called pornfs, you can use it to hide porn.

------
nickik
Seems pretty cool. Not sure where I personally would use it, but when
interacting with legacy this could make things much easier.

~~~
NieDzejkob
I didn't envision a usecase, I just found the question of whether this is
possible interesting. If I had to guess, this will break more things than it
will help with - the filesystems are independent, not "synchronized".

~~~
tyingq
Add encryption support for the ext2 part and it's a decent upper "security
through obscurity" layer. If the wrong person finds your USB stick, they will
likely only ever notice the FAT filesystem. Like for a spy dead drop use case.

~~~
tedunangst
This seems about as likely to work as hiding emails in the draft folder and
not sending them. Computer forensics have looked at all the bytes on the disk,
not just the active files reachable from the root directory, for decades.

~~~
tyingq
I mentioned it as an additional layer. And it's not always a sophisticated
adversary that might find it.

Snowden fooled everyone with an sd card inside a Rubik's cube.

~~~
kohtatsu
Snowden did suggest that scene in the movie, but didn't say he'd actually
smuggled anything like that.

[https://www.vulture.com/2016/09/edward-snowden-snowden-rubik...](https://www.vulture.com/2016/09/edward-snowden-snowden-rubiks-cube.html)

> “First of all, I just wanted to say that none of us know [how it happened],”
> Stone said at the Q&A, when asked about how they came up with it.
> “[Snowden]’s the only one who knows, and one day he may reveal it. And
> number two, it was his idea — it was a suggestion that we responded to and
> ran with.”

I'd imagine they would have done forensics if he was caught with an sd card at
a checkpoint, but I'm not sure one would set off a metal detector in the first
place. It's more likely a security org would epoxy the sd and usb slots on
computers with confidential data, or have audits for any usb devices the hosts
encounter.

~~~
tyingq
Some more context...

_"He [Snowden] said that the Rubik’s cube was put in for the film and he
wouldn’t be divulging how he smuggled out information. However, he added,
everyone in the office did have a Rubik’s cube. “So they were floating around
and coming in and out all the time,” he said."_

[https://heavy.com/entertainment/2016/09/snowden-rubiks-cube-...](https://heavy.com/entertainment/2016/09/snowden-rubiks-cube-what-really-happened-how-did-he-to-smuggle-out-information-security-guard-movie-accurate/)

To me he's at least suggesting a similar glaring shortfall in CIA processes
that let him smuggle it out.

