
Show HN: Destructible.io – Self-destructing, human-readable file storage - a12k
https://destructible.io/
======
highCs
> However, although there are nearly a billion possible auto-generated urls
> for the download link and they generally only last a short time

Not enough. One leak can potentially ruin your reputation. So now, I fire
dozens of thousands of requests per minute and over a couple of hours I'll get
something -- assuming there are dozens of thousands of files at any given moment.

~~~
a12k
How many would you recommend for better security? The thought was that these
links wouldn't last long, and the files are deleted upon expiration. But of
course trusting obscurity for security is a flawed concept in itself. But
looking for a good middle ground.

~~~
throw309490
reCAPTCHA and throttling after a suspicious number of failed attempts by an IP.

Four-digit PIN prompt that gets displayed even when requesting an invalid URL.
Make the PIN verification backend request include some nonce associated with
the original request, and force the nonce to be regenerated if PIN verification
fails. A PIN is also as easy to communicate verbally as a URL.
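
The scheme suggested in the comment above, sketched as an added example that is not part of the thread and is not destructible.io's code. The class name `PinGate`, the in-memory stores, the failure limits and the sample path and PIN are all assumptions made for illustration.

```python
import hmac, secrets, time

MAX_FAILS, WINDOW = 5, 600  # assumed limits: 5 failed attempts per IP per 10 minutes

class PinGate:
    def __init__(self, clock=time.monotonic):
        self.files = {}      # url path -> (pin, payload)
        self.nonces = {}     # nonce -> url path it was issued for
        self.fails = {}      # ip -> timestamps of recent failures
        self.clock = clock

    def add_file(self, path, pin, payload):
        self.files[path] = (pin, payload)

    def challenge(self, path):
        """Always issue a nonce, so a valid and an invalid URL get the same PIN prompt."""
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = path
        return nonce

    def throttled(self, ip):
        now = self.clock()
        recent = [t for t in self.fails.get(ip, []) if now - t < WINDOW]
        self.fails[ip] = recent
        return len(recent) >= MAX_FAILS

    def verify(self, ip, nonce, pin):
        """Return (status, payload). Every nonce is single-use, pass or fail."""
        if self.throttled(ip):
            return "throttled", None          # the place to require a CAPTCHA
        path = self.nonces.pop(nonce, None)   # consumed: a failed guess needs a fresh nonce
        real_pin, payload = self.files.get(path, ("", None))
        # Unknown paths are compared against a dummy PIN so both cases follow one code path.
        ok = hmac.compare_digest(pin.encode(), real_pin.encode()) and payload is not None
        if path is None or not ok:
            self.fails.setdefault(ip, []).append(self.clock())
            return "denied", None             # same answer for bad URL, bad PIN, stale nonce
        return "ok", payload
```

A four-digit PIN has only 10,000 values, so the per-IP failure limit is what bounds guessing here; the nonce only forces each guess to start from a fresh prompt.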

------
nautical
All files point to
[https://destructibleio.s3.amazonaws.com/media/uploads/{FILEN...](https://destructibleio.s3.amazonaws.com/media/uploads/{FILENAME}).

~~~
a12k
Seems to be working for me at the moment. Are you saying it's not functional
for you, or that it shouldn't be uploaded to Amazon?

edit: Just to update, changed up the file upload structure so it's randomized
with an appended uuid.

------
mplewis
This only works if you trust the owner of destructible.io.

~~~
tjbiddle
This is the same with GitHub, Dropbox, Google, Apple, Bitbucket, any email
provider... Shall I go on?

You _always_ have a risk when you're storing your data at a 3rd party. Yes,
some are new and have less reputation, others are old and have a terrible
reputation, others are old and have a great reputation - but none of that
stands for anything because your data is in the hands of someone else in every
case.

If you don't want that, don't use it.

~~~
nickpsecurity
You don't have the risk if you store it cryptographically. My first use of
Dropbox was moving stuff in Truecrypt volumes. I found even laypeople could be
taught to do that as it was somewhat tedious rather than difficult. For
implementers, CompSci keeps cranking out all kinds of ways for one to use 3rd
party storage in untrusted fashion. Just gotta clone one of them with OSS
code.

~~~
tjbiddle
Oh, I completely agree! I have probably 5 separate TrueCrypt volumes in my
Google Drive. That said, that's only maybe 15GB of my storage, and around 80GB
is unencrypted.

It's all about what level of convenience you're willing to expose yourself
for. I keep anything I want private in TrueCrypt, anything I don't mind
"public" (Or at least exposed to Google / NSA) unencrypted as then I can
access it so much easier from my phone, etc.

------
known
Does it comply with
[https://en.wikipedia.org/wiki/National_Security_Agency](https://en.wikipedia.org/wiki/National_Security_Agency)

------
DarkLinkXXXX
This feels like a more advanced fork of cocaine.ninja.

