What surprises me is that a service like this isn't hardened from day one against the most obvious of flaws.
Of course it's wrong, but it is only really wrong when a billion or so people adopt it, and chances are that this will never see widespread adoption, it's just a guy saying 'see what I could do', not an army of people overrunning Flickr.
The cognitive dissonance of seeing a single person perform a neat little trick versus an army of people performing that same trick bringing down a service sits well in my head, I don't feel this is in any way destroying Flickr, nor do I think that it potentially will destroy Flickr.
It didn't happen with Gmail or any of the other services that were 'exploited' in this fashion before. In fact, those are now trying to get me to put as many files on their storage devices as possible (which I really don't want to, the cost of storage is so low I don't need an external service to host my files for me).
> This is kind of a dick move to use IMHO.
Didn't say anything about creating the script, just about using it. Possibly, using it at scale was even implied.
Creating this is a hacker move. Using it to store your server backups is a dick move (and also potentially a poor backup policy).
I also think in this case the hack is a little useless. But I've seen examples where they use it to transfer a lot of 3D data for use in WebGL. And the author of this script is also linking to a nice use case where it is used for game data:
1) The overwhelming majority of Flickr users will never read these stories or even dream about uploading files;
2) Most people who read this POC will not try it, and of those who try it, most will use it only once;
This is a non-problem.
I don't mean literally that you're an asshole. I've always enjoyed your posts, and I get that you're not acting with malice, which is a cornerstone of being an asshole :) But this is one of the core tendencies that contribute to the perception that geeks and hackers are "socially inept".
Consider the following made-up scenario, even if it is contrived. Try to avoid the urge to pick it apart on a literal basis and focus on how this breaches basic social contracts. Then consider that normal people work at Flickr, and that those people are trying to do something good for users.
Me: This is my library. It's for storing books. You're welcome to store some of your books here as well.
You: <Starts bringing in boxes of random stuff and placing them on shelves.>
Me: Hey, what are you doing?
You: You didn't say I couldn't store random stuff here, and you haven't implemented any countermeasures to prevent me from storing random stuff, so I figured it was ok.
Me: You're kind of an asshole. Did you know that?
I'm not saying the hack isn't cool. I'm not saying the hack shouldn't exist. I'm just saying that it's OK to point out that using it might be considered a dick move.
b.) imagery aside, more like stepping into a storage locker, saying "I could theoretically live here!", everybody having their minds blown, and then not living in the storage locker because that'd be just pointless and awkward.
How about this: a tool to put something into a series of high-ISO photos via steganography (and allow it to be updated, too) which can't be detected without the correct key.
Hell, you could even write a utility to spuriously create HN accounts, stuff them full of comments that will be deaded but still accessible, and use that as a data store.
Whilst there is some "hacker spirit" to it, it is absolutely, totally a dick move. And yes, it is like shitting in the urinals, then smearing your shit all over the taps and the mirrors, because why the hell should the rest of us be able to use the facilities for what they were supposed to be used for, if you can have your fun for a few days?
We need a new name for this. It's not "Tragedy of the commons", it's more like "Tragedy of the common troll".
If you advertise a forum then people will do what they can with that forum, some will troll, some will try to advertise (even if they have to spend a lot of time to groom their audience) and some will do that much more outright (spam).
If you launch any service on the internet these days you have to start by analyzing it from the angles of possible abuse first. This is frustrating in a way but it is also inevitable, just like in life there are no niches that contain harvest-able energy without some life-form that takes advantage of that by adapting to it.
Storage, CPU, bandwidth are the currencies of the modern age, giving out any one of those currencies is asking for it, especially when it's done in large denominations.
I guess 'noise' does not a photo make.
Of course I doubt they will implement that kind of filtering, but this 'invention' is not that original/difficult/interesting, I guess.
The fact that the original designers did not say anything about this does not mean they did not envision it, by the way. Simply that they may very much either not care or have a recovery plan.
EDIT: this is obviously easily circumvented with a lot of traffic going on but it is just a simple idea.
Hackernews isn't for people who hack stuff that is against the law or something like that. Why would PG want to create a site for criminals? Hackernews is for the other new generation 'hackers' (like growth hackers, design hackers) etc. Not for stuff like this.
Imagine, I rent you my apartment and you 'hack it' into a miniature casino or a drug dealership. When I rented you the apartment, I rented it to you in good faith that you wouldn't do these things. But now, you broke my trust and next time when I rent out my apartment, I would go take some extra steps like installing security cameras inside every single room of the apartment because I have to protect my apartment from unethical usage scenarios. That's the same case with Flickr.
So, clearly, this is something that is destructive to someone who gives you something with a good intent. Just because you can do it, doesn't mean you should.
Making a proof-of-concept of something to show what you could do is not as far as I know against the law, and if it is then it shouldn't be.
Using this - and breaking the terms of service - should lead to account termination, possibly banning but definitely not a brush with law enforcement.
I can imagine all you want but this is what it is, a simple hack to show a proof-of-concept, not an incitement or example of widespread abuse bringing down a popular service.
So clearly, it is not destructive, though in theory it probably could be used as such, but then again that goes for all the hammers in my toolbox too, including the plastic ones.
Just because you can build it does not mean you can't or shouldn't, it means that you shouldn't use it. Any home chemistry set could be used to make bombs (in fact, any supermarket with a reasonable assortment could be used to make bombs). You can demonstrate such by making a small one, and you can cross the line by either making a large one or actually using it against someone or some property.
Knowledge and ability, proof of concept versus actual malicious use, it's not such a hard line to draw.
> Hackernews isn't for people who hack stuff that is against the law or something like that. Why would PG want to create a site for criminals? Hackernews is for the other new generation 'hackers' (like growth hackers, design hackers) etc. Not for stuff like this.
That's a false dichotomy for one there are other kinds of hackers (the real ones, imo, instead of the ones that borrowed a term because it was cool, 'design hacker', 'growth hacker' as the target audience for HN? and you know this how?), and simply wrong besides.
What is legal and what is not depends on many things, intent for one and location second.
This doesn't fall onto that side of the fence. This is just using a gratis service creatively. Sure it might eventually get blocked if it becomes a common thing to do, but most things like this don't.
His speech was about how you develop something and people start using it completely different from what you imagined or even wanted. His tip: learn and make use of it.
Probably people like to have 1TB of free storage.
edit: sorry I must be on the wrong message board. Thought this would interest people. Guess I'll take my idea elsewhere.
But this thing with Yahoo isn't really the same. One is a security breach while the other is trying to abuse a service.
I like hacks and fun experiments. The idea of putting extra content in pictures is interesting but OP was talking about setting up a system around it to put it into widespread use.
Maybe you could hack it together with owncloud or something? I'm sorta tempted to try doing something like this but I don't want to screw Flickr over.
I wonder if there's a way for GD/ImageMagick to detect the image data and strip everything else. (And if EXIF data is needed for photographs, import all non-binary EXIF data into the system first.)
"According to a study by the International Press Telecommunications Council (IPTC), major social networks like Facebook, Twitter or Flickr remove copyright information and other useful embedded data from pictures posted by their users"
It also compresses big files though so I'm not sure if it can do it without affecting the image data and format itself.
But it won't help. You could just make your data a real image.
They could even implement that in their TOS: "whenever you upload a photo you agree to a random byte being modified on one of the pixels on the border."
Oh well, obvious 'exploit'. Wondering how Y! will react. They must've foreseen this, right?
Question though, how large of a file can you hide with steganography in a 300mb picture?
Would that be big enough to hide an MP3?
On a side note, can you upload files to Flickr that have data appended after the end of the image data? Like people were doing on 4chan until moot removed that capability.
This is akin to key schedulers used in various cryptography schemes, I suppose. The idea is that you REALLY don't want to just shove your data all at the beginning of the file in order, as it becomes really easy to tease out the data with some cursory frequency analysis/bruteforcing. "Oh the first 20 pixels encode the first X bytes of <insert well known file type here>, BALEETED!"
Then you simply have each user pick their own key, stored locally, and have the cycle generated on the fly when encoding and retrieving data.
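
Added example, not part of the thread and not code from Flickr or the script under discussion: the question above about data appended after the end of the image data, and the earlier idea of stripping everything except the image data, come down to a server-side check like this one for PNG uploads. The function names and the sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def split_png(data: bytes):
    """Walk the chunk list up to IEND and return (image_bytes, trailing_bytes).

    Raises ValueError for a bad signature, a truncated file or a bad CRC,
    so a caller can reject the upload instead of storing it.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated before IEND")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk overruns file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body):
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            # Everything after IEND is not image data.
            return data[:pos], data[pos:]

def make_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte 0 + one gray pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    clean = make_sample_png()
    polluted = clean + b"PK\x03\x04 constructed appended payload"
    for name, blob in (("clean", clean), ("polluted", polluted)):
        image, extra = split_png(blob)
        print(name, "image bytes:", len(image), "trailing bytes:", len(extra))
```

Storing only the first element of the returned pair drops the appended bytes. As one commenter points out, this does nothing about data encoded as real pixel values.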