This is kind of a dick move to use IMHO. Clearly they are not giving you the space to store arbitrary stuff. It's a neat hack and props to the author but if enough people use this it will not only cause Yahoo! to have to build countermeasures but will also set an ugly precedent for Yahoo! product managers to consider before doing nice things like they did today.
Please don't try to imply that the rest of us here agree with you in any way just because we're on this site. Hanging out on a site called HackerNews and having a basic sense of right and wrong are things that plenty of us can do simultaneously.
There hasn't been a storage facility labeled get 'x' bytes, Kilobytes, Megabytes, Gigabytes or even Terabytes free that did not result in people wondering about if they could use it for general purpose storage.
What surprises me is that a service like this isn't hardened from day one against the most obvious of flaws.
Of course it's wrong, but it is only really wrong when a billion or so people adopt it, and chances are that this will never see widespread adoption, it's just a guy saying 'see what I could do', not an army of people overrunning Flickr.
The cognitive dissonance of seeing a single person perform a neat little trick versus an army of people performing that same trick bringing down a service sits well in my head, I don't feel this is in any way destroying Flickr, nor do I think that it potentially will destroy Flickr.
It didn't happen with Gmail or any of the other services that were 'exploited' in this fashion before. In fact, those are now trying to get me to put as many files on their storage devices as possible (which I really don't want to, the cost of storage is so low I don't need an external service to host my files for me).
I remember playing with storing files in gmail years ago. Unfortunately, they rate limit how quickly you can "upload" emails via IMAP (or at least they did), which prevents you from using it as a general purpose filesystem. Also, it's dog slow, but that was always going to be the case.
Jacques, please consider for a moment that you can be right, and be an asshole at the same time. I don't consider being an asshole a cornerstone of hacking.
I don't mean literally that you're an asshole. I've always enjoyed your posts, and I get that you're not acting with malice, which is a cornerstone of being an asshole :) But this is one of the core tendencies that contribute to the perception that geeks and hackers are "socially inept".
Consider the following made-up scenario, even if it is contrived. Try to avoid the urge to pick it apart on a literal basis and focus on how this breaches basic social contracts. Then consider that normal people work at Flickr, and that those people are trying to do something good for users.
Me: This is my library. It's for storing books. You're welcome to store some of your books here as well.
You: <Starts bringing in boxes of random stuff and placing them on shelves.>
Me: Hey, what are you doing?
You: You didn't say I couldn't store random stuff here, and you haven't implemented any counter measures to prevent me from storing random stuff, so I figured it was ok.
Me: You're kind of an asshole. Did you know that?
I'm not saying the hack isn't cool. I'm not saying the hack shouldn't exist. I'm just saying that it's OK to point out that using it might be considered a dick move.
The problem with Jacquesm is that he doesn't understand the term 'hacking' in general. Hopefully, I will try to explain what I know.
Hackernews isn't for people who hack stuff that is against the law or something like that. Why would PG want to create a site for criminals? Hackernews is for the other new generation 'hackers' (like growth hackers, design hackers) etc. Not for stuff like this.
Imagine, I rent you my apartment and you 'hack it' into a miniature casino or a drug dealership. When I rented you the apartment, I rented it to you in good faith that you wouldn't do these things. But now, you broke my trust and next time when I rent out my apartment, I would go take some extra steps like installing security cameras inside every single room of the apartment because I have to protect my apartment from unethical usage scenarios. That's the same case with Flickr.
So, clearly, this is something that is destructive to someone who gives you something with a good intent. Just because you can do it, doesn't mean you should.
> Hackernews [sic] isn't for people who hack stuff that is against the law or something like that. [...] Imagine, I rent you my apartment and you 'hack it' into a miniature casino or a drug dealership.
This doesn't fall onto that side of the fence. This is just using a gratis service creatively. Sure it might eventually get blocked if it becomes a common thing to do, but most things like this don't.
Thanks for making it personal, I will refrain from a response on that level.
Making a proof-of-concept of something to show what you could do is not as far as I know against the law, and if it is then it shouldn't be.
Using this - and breaking the terms of service - should lead to account termination, possibly banning but definitely not a brush with law enforcement.
I can imagine all you want but this is what it is, a simple hack to show a proof-of-concept, not an incitement or example of widespread abuse bringing down a popular service.
So clearly, it is not destructive, though in theory it probably could be used as such, but then again that goes for all the hammers in my toolbox too, including the plastic ones.
Just because you can build it does not mean you can't or shouldn't, it means that you shouldn't use it. Any home chemistry set could be used to make bombs (in fact, any supermarket with a reasonable assortment could be used to make bombs). You can demonstrate such by making a small one, and you can cross the line by either making a large one or actually using it against someone or some property.
Knowledge and ability, proof of concept versus actual malicious use, it's not such a hard line to draw.
> Hackernews isn't for people who hack stuff that is against the law or something like that. Why would PG want to create a site for criminals? Hackernews is for the other new generation 'hackers' (like growth hackers, design hackers) etc. Not for stuff like this.
That's a false dichotomy for one there are other kinds of hackers (the real ones, imo, instead of the ones that borrowed a term because it was cool, 'design hacker', 'growth hacker' as the target audience for HN? and you know this how?), and simply wrong besides.
What is legal and what is not depends on many things, intent for one and location second.
a.) flickr is a photo sharing site, no? the UI certainly seems to be optimized for mediocre or even pretty photos, not random noise. If I started pasting huge blocks of mime64 in HN comments to store encrypted personal stuff, or unencrypted cat pictures, would that be in the spirit of hacking, too? Or rather in the spirit of laming? (also notice the fact that I know better than to actually DO this even just ONCE, just to prove a point, because one never knows what random thing might incur a hellban)
b.) imagery aside, more like stepping into a storage locker, saying "I could theoretically live here!", everybody having their minds blown, and then not living in the storage locker because that'd be just pointless and awkward.
How about this: a tool to put something into series of high-ISO photos via steganography (and allow it to be updated, too) which can't be detected without the correct key.
Arguably, you could use HN as a storage mechanism because it just marks comments as dead, it doesn't actually delete them.
Hell, you could even write a utility to spuriously create HN accounts, stuff them full of comments that will be deaded but still accessible, and use that as a data store.
Whilst there is some "hacker spirit" to it, it is absolutely, totally a dick move. And yes, it is like shitting in the urinals, then smearing your shit all over the taps and the mirrors, because why the hell should the rest of us be able to use the facilities for what they were supposed to be used for, if you can have your fun for a few days?
We need a new name for this. It's not "Tragedy of the commons", it's more like "Tragedy of the common troll".
If you advertise free storage you can't really complain when people wonder what else you can store there.
If you advertise a forum then people will do what they can with that forum, some will troll, some will try to advertise (even if they have to spend a lot of time to groom their audience) and some will do that much more outright (spam).
If you launch any service on the internet these days you have to start by analyzing it from the angles of possible abuse first. This is frustrating in a way but it is also inevitable, just like in life there are no niches that contain harvest-able energy without some life-form that takes advantage of that by adapting to it.
Storage, CPU, bandwidth are the currencies of the modern age, giving out any one of those currencies is asking for it, especially when it's done in large denominations.
IIRC, he was responsible about the hole by telling the company first and trying to work with them to get it fixed. He released the info after they were unresponsive. I think that's the proper way to handle that.
But this thing with Yahoo isn't really the same. One is a security breach while the other is trying to abuse a service.
I like hacks and fun experiments. The idea of putting extra content in pictures is interesting but OP was talking about setting up a system around it to put it into widespread use.
You'd probably need a VPS to do that. What you could do is have it pull files based off a database on the server, stick them in a cache, then convert them to what they really are (I assume the utility in the OP just adds a PNG header, so the VPS could just strip that) and then stream it.
Maybe you could hack it together with owncloud or something? I'm sorta tempted to try doing something like this but I don't want to screw flickr over.
"According to a study by the International Press Telecommunications Council (IPTC), major social networks like Facebook, Twitter or Flickr remove copyright information and other useful embedded data from pictures posted by their users"
I have a wee bit of Stego experience as I've written a couple of implementations. Generally for it to be "undetectable", you shouldn't go with more than 25% of an image file, assuming 24-bit color, being data, as it quickly becomes apparent that there is something fishy going on. Your best bet is to create a kind of "keyed steganography" where you generate a series of keyed nodes, creating a cycle (in the graph theoretic sense) of nodes, each node corresponding to a pixel, and the entire cycle determined entirely deterministically from the key.
This is akin to key schedulers used in various cryptography schemes, I suppose. The idea is that you REALLY don't want to just shove your data all at the beginning of the file in order, as it becomes really easy to tease out the data with some cursory frequency analysis/bruteforcing. "Oh the first 20 pixels encode the first X bytes of <insert well known file type here>, BALEETED!"
Then you simply have each user pick their own key, stored locally, and have the cycle generated on the fly when encoding and retrieving data.
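An added illustration of the comment above, not code from the thread or from any tool it mentions: in-order LSB embedding next to a keyed visit order (an HMAC-sorted permutation standing in for the commenter's keyed cycle), with the cursory header check that catches the former. The cover bytes, key, payload and all function names are constructed for the example.

```python
import hashlib
import hmac

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # the "well known file type" header an analyst looks for

def keyed_order(key: bytes, n: int) -> list:
    """Order in which the n channel bytes are visited, derived only from the key."""
    def tag(i):
        return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return sorted(range(n), key=tag)

def to_bits(data: bytes) -> list:
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]

def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def embed(cover: bytes, payload: bytes, order: list) -> bytes:
    bits = to_bits(payload)
    if len(bits) > len(order):
        raise ValueError("payload does not fit in the cover")
    out = bytearray(cover)
    for pos, bit in zip(order, bits):
        out[pos] = (out[pos] & 0xFE) | bit  # overwrite only the least significant bit
    return bytes(out)

def extract(stego: bytes, nbytes: int, order: list) -> bytes:
    return from_bits([stego[pos] & 1 for pos in order[:nbytes * 8]])

def leaks_signature(stego: bytes) -> bool:
    """The cursory check: do the first 64 LSBs, read in file order, spell a known header?"""
    return from_bits([b & 1 for b in stego[:64]]) == PNG_MAGIC

def demo():
    # Constructed stand-in for a 32x32 RGB image: pseudo-random channel bytes.
    cover = hashlib.shake_256(b"constructed cover").digest(32 * 32 * 3)
    payload = PNG_MAGIC + b"constructed payload"
    in_order = embed(cover, payload, list(range(len(cover))))
    order = keyed_order(b"constructed key", len(cover))
    keyed = embed(cover, payload, order)
    return leaks_signature(in_order), leaks_signature(keyed), extract(keyed, len(payload), order) == payload
```

`demo()` reports that the in-order file exposes the header to the trivial check, while the keyed file does not and still round-trips with the right key. Passing that one check says nothing about statistical steganalysis of the LSB plane as a whole.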