This lantern was built from recyclable goods. It’s a bit dangerous when used like the image above, but [The Green Gentleman] does give you a few other options in his build instructions which make for much safer operation.
The lantern enclosure is made from old cans and a glass jar. He screwed a couple of boards together at a right angle to act as a jig for cutting the glass. The V-shape created by the boards holds the jar on its side, giving his glass cutting tool something to rest upon. He then turned the jar to score a line around the top and another around the bottom, and alternated pouring boiling and chilled water on the score marks to shock the glass into breaking along the lines.
This makes up the clear part of the enclosure, which is later mated with metal top and bottom pieces. From there he adds either an LED, an alcohol lamp, or the trimethyl borate lamp seen above. The first two are relatively safe, but the latter burns at around 1500 degrees F. We have reservations about using a plain old glass jar as the enclosure for something burning this hot. It really should be heat resistant glass.
[pdp] provides some perspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files, is not new. Combining JAR/ZIP files with GIF/JPG files creates hybrid files with headers at both the top and bottom of the file, and these hybrids pass through image manipulation libraries as valid images. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”.
[photo: Jon Jacobsen]
Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes logins and user-uploaded pictures could be vulnerable. This even includes some bank sites.
The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is that the Java VM recognizes the JAR part and automatically runs it.
The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
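Both posts above describe the same structural trick: an image header at the top of the file and a ZIP central directory at the bottom. The server-side filter below, an added example that is not from either post or from NGS Software, checks for exactly that shape in an upload (image magic bytes at offset 0 plus a consistent ZIP end-of-central-directory record at the tail). The 1x1 GIF and the in-memory ZIP it is tested against are constructed sample data.

```python
import io
import struct
import zipfile

# Image signatures a naive upload filter accepts on sight.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record signature
CD_SIG = b"PK\x01\x02"     # ZIP central directory file header signature
EOCD_MIN = 22              # fixed size of the EOCD record
MAX_COMMENT = 0xFFFF       # the EOCD may be followed by a comment this long

# Constructed sample: a minimal 1x1 GIF (not from the original posts).
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
              b"\x00\x02\x02D\x01\x00;")


def find_zip_tail(data: bytes):
    """Return (eocd_pos, cd_start) if a consistent ZIP tail ends the blob, else None."""
    window_start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, window_start)
    if pos == -1 or pos + EOCD_MIN > len(data):
        return None
    # EOCD layout after the signature: disk#, cd disk#, entries on this disk,
    # total entries, cd size, cd offset, comment length (all little-endian).
    _, _, _, _, cd_size, _cd_offset, _ = struct.unpack("<HHHHIIH", data[pos + 4:pos + EOCD_MIN])
    cd_start = pos - cd_size
    # A JAR glued after an image keeps its original (now stale) cd offset, so
    # ignore it and require the central directory to sit right before the EOCD.
    if cd_start < 0 or data[cd_start:cd_start + 4] != CD_SIG:
        return None
    return pos, cd_start


def is_image_zip_polyglot(data: bytes) -> bool:
    """True when the blob starts like an image and also ends as a ZIP archive."""
    return data.startswith(IMAGE_MAGIC) and find_zip_tail(data) is not None


def build_sample_polyglot() -> bytes:
    """Constructed test data: the sample GIF with a small harmless ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample, not an applet")
    return SAMPLE_GIF + buf.getvalue()


if __name__ == "__main__":
    print("plain GIF flagged:", is_image_zip_polyglot(SAMPLE_GIF))
    print("GIF+ZIP flagged:  ", is_image_zip_polyglot(build_sample_polyglot()))
```

Rejecting such uploads, or re-encoding every accepted image so that only pixel data survives, removes the ZIP tail that the Java VM would otherwise find.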
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.