Ask HN: Is it just me, or could file conversion websites be a honeypot?
I'm interested in some thoughts on this. I have nothing to go on but a hunch... but is there any guarantee that popular "file conversion" websites aren't honeypots for sensitive or useful information?
The odds, to me, of some employee running random files through a file conversion website at some point seems terrifyingly high. And some (like https://fabconvert.com/) definitely seem more suspicious than others, lacking any legal entity or trademark I can find. If there were, or are, corrupt file conversion websites out there, it would be the perfect crime. So much so that, if I were running a business, I would not allow employees to touch any such service with a 10-foot-pole - but how often is that cited in training for preventing information leaks?
Thoughts?
59 comments
[ 3.1 ms ] story [ 112 ms ] threadI know people who work for Bloomberg and big banks have strict rules about what kind of software they can install on their laptops (one person at a big bank got permission to use a python package I wrote)
In an environment like that they'd treat using a file conversion web site the same way. But I'm sure somebody out there is running a file conversion site that's there for intelligence gathering and some fool uploads something they shouldn't every day.
I would assume... but the NHS was running Windows XP on thousands of computers, often with internet, as late as 2019. Finance? Well, Experian had a website which would not show credit information and redirect you if it couldn't verify your identity... unless you changed the URL to the regular report link. Then it would dump it all out.
Let's say I was an information gatherer, for say, the NSA or GCHQ. Or maybe I'm a Chinese PLA soldier. I'd corner the market with shell companies that offered online conversion of 3D files to other 3D formats. There's over a dozen formats to choose from, and you can tell a lot just by the format selected. DGN file? It's MicroStation, meaning its highway, bridges, and infrastructure information. Neat.
I mean, can you imagine how many photocopies an office needs in a day? Now imagine a single 9-5 medical imaging office, running every TIFF through a free website converter? Improbable.
A lot of formats can be converted locally.
And a lot of people (even technical ones) don't have the tools installed, the budget to buy them, or the inclination to spend time/money on a local solution when they can do it "free" in seconds elsehow
To use a silly example, I can install an image converter that will go from TIFF to PNG - but which one? Why that one? What about all the alternatives? Is it in policy for my work machine? Is it a risk to my personal machine? Why go through all that effort when I can go to super-super-image-converter-online.tld and be done in 10 seconds?
People rarely do anything for free, especially when it comes at a cost to them. Therefore, there is a significant likelihood something nefarious is happening.
On the other hand, there is a high probability the owner of the website would get caught eventually in a sting operation.
The only scenario I can imagine is the website is ad supported. At any rate, I have always avoided these websites out of a fear of the first possibility.
I'd say it's probably immoral for these sites to search through uploaded files for useful or interesting or private information, but I doubt it's illegal.
The use of these file conversion tools is very common and is often used on sensitive information. Heck I’ve seen health companies use these tools to upload god knows what.
Usually there is little to no data sovereignty rules that apply, in that by using the service for free that can own the file you upload and use it to glean information from.
Firstly, employees need to be aware that they are not allowed to use this software and you need to therefore provide a solution. You should then use broker tools to actually block these conversion sites, in the same way that you might block the use of Dropbox and other cloud solutions if these are unsanctioned.
Yes you’re absolutely right to question these services and organisations are having to deal with risk associated with using them. Which is only really an issue if it’s sensitive personally identifiable information.
Gives you all of those insights and the ability to block them.
As far as I understand, the usage of such tools is caused by the need to accomplish some goal that they don't know how to otherwise do. Therefore, wouldn't it be a good idea to self-host such a tool, even if it's not a part of any pre-existing platform that's in use for other business processes?
For example, for various data format related concerns, I've seen CyberChef be pretty good: https://github.com/gchq/CyberChef
As for some binary file format conversations, HRConvert2 seems viable: https://github.com/zelon88/HRConvert2
If self-hosting things is too much of a bother/risk, then I guess all that's left is local tools, such as Handbrake on Windows for video: https://handbrake.fr/ and maybe something like XnView for images: https://www.xnview.com/en/ and so on...
But then there's the risks of self-hosted or local software containing something malicious and needing to be audited etc. I recall that in my previous org, I helped develop a Wiki page listing many of the tools available within the company internally, so that anyone who needs to store files could immediately look at self-hosted Nextcloud (for example), as opposed to going for Dropbox or whatever. Of course, instructions alone probably aren't enough, restrictions are also necessary, but discoverability is always good!
Yes, you can’t just remove it you need to provide them with the capability to do it.
file conversion with corporate friendly terms.
charge a per seat license thats cloud based and easy to use. maybe offer a browser plugin that redirects to your site. go through security department of IT to get it approved.
Conversion between different work, excel, powerpoint, .PDF formats can be done natively by the software itself.
Heck even the built in image viewer in Windows can convert images between common formats.
The predominant problem is around user education and showing them how to use the tools they have available to them already.
Less worried than if Amazon ran one. They would know who it came from; what it means and how to use the information
The problem of shadow IT is very real and should best be countered with a healthy amount of education. And whitelisting instead of black listing as the default approach.
People are scared of the[unknown when the known is more likely
You don't know that. There's absolutely no reason why they need to run that way. They could be literally saving all of your upload files permanently, and running on Linux from 6 years ago with 17 backdoors, and there's no way to know that. There is nothing requiring them to run in a VM - they could easily be colocated bare metal. Dies when the request is finished? PHP works that way, but NodeJS doesn't, and either programming language can easily save your files to any other location like an S3 bucket. Dies when the request is finished is completely irrelevant here.
Bit warden has a good pw entropy checker.
I've spent a few years working in the information security space, and I'm quite certain that I wouldn't know which ones are "the good ones" and which ones aren't.
If you don’t trust them you’d have to check that they work 100% client-side every time you use such a site, and people don’t know how to do that.
That’s were tools you host yourself (on a server or by locally installing them) make a difference: you have to vet them only when you install or update them, not at every use.
Also, you can restrict the capability to install or update to qualified personnel who should do a better job at security evaluation than your regular employee working under a tight deadline.
Luckily sanity prevailed in that case. Who knows how often this kind of thing happens silently?
Pretty "genius" idea.
The only honeypot I am familiar with is a defensive security measure.
https://en.m.wikipedia.org/wiki/Honeypot_(computing)
I just assume that every three letter agency in the world will see the files as soon as I upload them, and they will be leaked to the public internet two hours later. But that's OK, because I just sent them a random cat I took picture of.
But I'm in no way saying that everyone should do as I do, I'm just saying that these online services are entirely optional. If anyone is nervous about them, the easy thing to do is to not use them.
On windows, these functions aren't included and for whatever reason, searching the web for tools leads to shady websites and downloads.
And RMS has been warning us about this for ages.