Make A Secret File Stash In The Slack Space

February 10, 2025 by Donald Papp 15 Comments

Disk space is allocated in clusters of a certain size. When a file is written to disk and the file size is smaller than the cluster(s) allocated for it, there is an unused portion of varying size between the end of the file’s data and the end of the allocated clusters. This unused space is the slack space, it’s perfectly normal, and [Zachary Parish] had an idea to write a tool to hide data in it.

The demo uses a usb drive, using the slack space from decoy files to read and write data.

[Zachary]’s tool is in Python and can map available slack space and perform read and write operations on it, treating the disparate locations as a single unified whole in which to store arbitrary files. A little tar and gzip even helps makes things more efficient in the process.

There’s a whole demo implemented on Linux using a usb drive with some decoy files to maximize the slack space, and you can watch it in action in the video embedded below. It’s certainly more practical than hiding data in a podcast!

Note that this is just a demo of the concept. The approach does have potential for handling secret data, but [Zachary] points out that there are — from a serious data forensics point of view– a number of shortcomings in its current form. For example, the way the tool currently structures and handles data makes it quite obvious that something is going on in the slack space.

[Zachary] created this a few years ago and has some ideas about how to address those shortcomings and evolve the tool, so if you have ideas of your own or just want to try it out, the slack_hider GitHub repository is where you want to go.

Continue reading “Make A Secret File Stash In The Slack Space” →

Screenshot of Linux in a PDF in a browser

Nice PDF, But Can It Run Linux? Yikes!

February 10, 2025 by Heidi Ulrich 21 Comments

The days that PDFs were the granny-proof Swiss Army knives of document sharing are definitely over, according to [vk6]. He has managed to pull off the ultimate mind-bender: running Linux inside a PDF file. Yep, you read that right. A full Linux distro chugging along in a virtual machine all encapsulated within a document. Just when you thought running DOOM was the epitome of it. You can even try it out in your own browser, right here. Mind-boggling, or downright Pandora’s box?

Let’s unpack how this black magic works. The humble PDF file format supports JavaScript – with a limited standard library, mind you. By leveraging this, [vk6] managed to compile a RISC-V emulator (TinyEMU) into JavaScript using an old version of Emscripten targeting asm.js instead of WebAssembly. The emulator, embedded within the PDF, interfaces with virtual input through a keyboard and text box.

The graphical output is ingeniously rendered as ASCII characters – each line displayed in a separate text field. It’s a wild solution but works astonishingly well for something so unconventional.

Security-wise, this definitely raises eyebrows. PDFs have long been vectors for malware, but this pushes things further: PDFs with computational power. We know not to trust Word documents, whether they just capable of running Doom, or trash your entire system in a blink. This PDF anomaly unfolds a complete, powerful operating system in front of your very eyes. Should we think lightly, and hope it’ll lead to smarter, more interactive PDFs – or will it bring us innocent looking files weaponized for chaos?

Curious minds, go take a look for yourself. The project’s code is available on GitHub.

Continue reading “Nice PDF, But Can It Run Linux? Yikes!” →

Basically, It’s BASIC

February 10, 2025 by Jenny List 36 Comments

The BASIC language may be considered old-hat here in 2025, and the days when a computer came as a matter of course with a BASIC interpreter are far behind us, but it can still provide many hours of challenge and fun. Even with our love of all things 8-bit, though, we’re still somewhat blown away by [Matthew Begg]’s BASIC interpreter written in 10 lines of BASIC. It’s an entry in the BASIC 10-liner competition, and it’s written to run on a Sinclair ZX Spectrum.

The listing can be viewed as a PNG file on the linked page. It is enough to cause even the most seasoned retrocomputer enthusiasts a headache because, as you might expect, it pushes the limits of the language and the Sinclair interpreter. It implements Tiny Basic as a subset of the more full-featured BASICs, and he’s the first to admit it’s not fast by any means. He gives a line-by-line explanation, and yes, it’s about as far away from the simple Frogger clones we remember bashing in on our Sinclairs as it’s possible to get.

We love it that there are still boundaries to be pushed, even on machines over four decades old, and especially that this one exceeds what we thought was a pretty good knowledge of Sinclair BASIC. Does this language still have a place in the world? We always look forward to the BASIC 10-liner competition.

Header: background by Bill Bertram, CC BY-SA 2.5.

Handy Online Metric Screw, Nut, And Washer Generator

January 31, 2025 by Donald Papp 18 Comments

For those times when you could really use a quick 3D model, this metric screw generator will do the trick for screws between M2 and M16 with matching nuts and washers. Fastener hardware is pretty accessible, but one never knows when a 3D printed piece will hit the spot. One might even be surprised what can be usefully printed on a decent 3D printer at something like 0.08 mm layer height.

Behind the scenes, [Jason]’s tool is an OpenSCAD script with a very slick web-based interface that allows easy customization of just about any element one might need to adjust, including fine-tuning the thread sizing. We’re fans of OpenSCAD here and appreciate what’s going on behind the scenes, but one doesn’t need to know anything about it to use the online tool.

Generated models can be downloaded as .3mf or .stl, but if you really need a CAD model you’re probably best off looking up a part and downloading the matching 3D model from a supplier like McMaster-Carr.

Prefer to just use the OpenSCAD script yourself, instead of the web interface? Select “Download STL/CAD Files” from the dropdown of the project page to download ScrewGenerator.scad for local use, and you’re off to the races.

Taylorator Makes Mischief On The Airwaves

January 29, 2025 by Tom Nardi 33 Comments

[Stephen] recently wrote in to share his experiments with using the LimeSDR mini to conduct a bit of piracy on the airwaves, and though we can’t immediately think of a legitimate application for spamming the full FM broadcast band simultaneously, we can’t help but be fascinated by the technique. Called the Taylorator, as it was originally intended to carpet bomb the dial with the collected works of Taylor Swift on every channel, the code makes for some interesting reading if you’re interested in the transmission-side of software defined radio (SDR).

The write-up talks about the logistics of FM modulation, and how quickly the computational demands stack up when you’re trying to push out 100 different audio streams at once. It takes a desktop-class CPU to pull it off in real-time, and eats up nearly 4 GB of RAM.

You could use this project to play a different episode of the Hackaday Podcast on every FM channel at once, but we wouldn’t recommend it. As [Stephen] touches on at the end of the post, this is almost certainly illegal no matter where you happen to live. That said, if you keep the power low enough so as not to broadcast anything beyond your home lab, it’s unlikely anyone will ever find out.

Continue reading “Taylorator Makes Mischief On The Airwaves” →

Prompt Injection Tricks AI Into Downloading And Executing Malware

January 26, 2025 by Donald Papp 8 Comments

[wunderwuzzi] demonstrates a proof of concept in which a service that enables an AI to control a virtual computer (in this case, Anthropic’s Claude Computer Use) is made to download and execute a piece of malware that successfully connects to a command and control (C2) server. [wonderwuzzi] makes the reasonable case that such a system has therefore become a “ZombAI”. Here’s how it worked.

Referring to the malware as a “support tool” and embedding instructions into the body of the web page is what got the binary downloaded and executed, compromising the system.

After setting up a web page with a download link to the malicious binary, [wunderwuzzi] attempts to get Claude to download and run the malware. At first, Claude doesn’t bite. But that all changes when the content of the HTML page gets rewritten with instructions to download and execute the “Support Tool”. That new content gets interpreted as orders to follow; being essentially a form of prompt injection.

Claude dutifully downloads the malicious binary, then autonomously (and cleverly) locates the downloaded file and even uses chmod to make it executable before running it. The result? A compromised machine.

Now, just to be clear, Claude Computer Use is experimental and this sort of risk is absolutely and explicitly called out in Anthropic’s documentation. But what’s interesting here is that the methods used to convince Claude to compromise the system it’s using are essentially the same one might take to convince a person. Make something nefarious look innocent, and obfuscate the true source (and intent) of the directions. Watch it in action from beginning to end in a video, embedded just under the page break.

Continue reading “Prompt Injection Tricks AI Into Downloading And Executing Malware” →

Brick Layer Post-Processor, Promising Stronger 3D Prints, Now Available

January 23, 2025 by Tom Nardi 45 Comments

Back in November we first brought you word of a slicing technique by which the final strength of 3D printed parts could be considerably improved by adjusting the first layer height of each wall so that subsequent layers would interlock like bricks. It was relatively easy to implement, didn’t require anything special on the printer to accomplish, and testing showed it was effective enough to pursue further. Unfortunately, there was some patent concerns, and it seemed like nobody wanted to be the first to step up and actually implement the feature.

Well, as of today, [Roman Tenger] has decided to answer the call. As explained in the announcement video below, the company that currently holds the US patent for this tech hasn’t filed a European counterpart, so he feels he’s in a fairly safe spot compared to other creators in the community. We salute his bravery, and wish him nothing but the best of luck should any lawyer come knocking.

So how does it work? Right now the script supports PrusaSlicer and OrcaSlicer, and the installation is the same in both cases — just download the Python file, and go into your slicer’s settings under “Post-Processing Scripts” and enter in its path. As of right now you’ll have to provide the target layer height as an option to the script, but we’re willing to bet that’s going to be one of the first things that gets improved as the community starts sending in pull requests for the GPL v3 licensed script.

There was a lot of interest in this technique when we covered it last, and we’re very excited to see an open source implementation break cover. Now that it’s out in the wild, we’d love to hear about it in the comments if you try it out.

Continue reading “Brick Layer Post-Processor, Promising Stronger 3D Prints, Now Available” →