Hiding Executable Javascript in Images That Pass Validation

Here’s an interesting proof-of-concept that could be useful or hazardous depending on the situation in which you encounter it. [jklmnn] drew inspiration from the work of [Ange Albertini] who has documented a way to hide Javascript within the header of a .gif file. Not only does it carry the complete code but both image and the Javascript are seen as valid.

With just a little bit of work [jklmnn] boiled down the concept to the most basic parts so that it is easy to understand. Next, a quick program was written to automate the embedding of the Javascript. Grab the source code if you want to give it a try yourself.

Let’s get back to how this might be useful rather than harmful. What if you are working on a computer that doesn’t allow the browser to load Javascript. You may be able to embed something useful, kind of like the hack that allowed movies to be played by abusing Microsoft Excel.

Unwrapping images of cylindrical objects

unwrapping-images-of-cylindrical-objects

Here’s an automated setup that lets you create flat images of cylindrical objects. The example shown above takes a creamer¬†and lets you see what the painted pattern looks like when viewed continuously.

The image capture rig is similar to turntable photography setups that allow you to construct animated GIF files or 3D models of objects. The subject is places on a stepper motor which allows precise control when rotating the object between frames. The EiBotBoard (which we’ve seen in at least one other project) is designed for the EggBot printer. But it is used here to interface the motor and capture equipment with the Raspberry Pi.

We’re a little uncertain if the RPi actually handles the image manipulation. The project uses ImageMagick, which will certainly run on the RPi. There is a mention of the Raspberry Pi camera¬†joing the rig as a future improvement so we do expect to see a fully-automatic revision at some point.

[via Adafruit via EMSL]

Smile, your face is on the Internet

[Kyle McDonald] is up to a bit of no-good with a little piece of software he wrote. He’s been installing it on public computers all over New York City. It uses the webcam found in pretty much every new computer out there to detect when a face is in frame, then takes a picture and uploads it to the Internet.

We’ve embedded a video after the break that describes the process. From [Kyle’s] comments about the video it seems that he asked a security guard at the Apple store if it was okay to take pictures and he encouraged it. We guess it could be worse, if this were a key logger you’d be sorry for checking your email (or, god forbid, banking) on a public machine. Instead of being malicious, [Kyle] took a string of the images, adjusted them so that the faces were all aligned and the same size, and then rolled them into the latter half of his video.

Continue reading “Smile, your face is on the Internet”

From cinema to stills, camera lens gets new life

[Timur Civan], with a beautiful merge of past and present, has taken a 102 year old camera lens (a 35mm F5.0 from hand cranked cinema cameras) and attached it to his Canon EOS 5D. While this is not the first time we’ve seen someone custom make a camera lens or attach a lens to a different camera, such as when we brought you plumbing tilt shift or iPhone camera SLR or Pringles can macro photography, the merge of old tech with new warms our empty chest cavities hearts. Catch some additional shots of 1908/2010 New York City after the jump.

Continue reading “From cinema to stills, camera lens gets new life”

Three pendulum harmonograph

Just the other day we were thinking “You know what we need more of around here? Harmonographs!” And our requests were answered when [Paul] sent in his three pendulum harmonograph. For those unaware, it’s a mechanical device that draws Lissajous curves or “really cool circles” to quote some of our staff.

[Paul] includes all the plans necessary to make your own harmonograph and begin drawing today. If you can’t wait, there’s a video of the three pendulum harmonograph etching a masterpiece after the jump. Continue reading “Three pendulum harmonograph”

Beer can pinhole camera

When [Justin Quinnell] sent in his beer can pinhole camera, we were just floored. The parts are easy to obtain, and the process for building and ‘shooting’ with the camera are near effortless.

The really impressive part of this hack is letting your camera sit for 6 months facing the sun. Yes, you read that correct, a 6 month exposure. Check out after the break for one of his astonishing shots, and trust us, its well worth the click. Continue reading “Beer can pinhole camera”

The GIFAR image vulnerability


Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.

The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.

The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.