The world may not be ready, but the .zip Top Level Domain (TLD) is here. It’s a part of the generic TLD category, which was expanded to allow applications for custom TLDs. Google has led the charge, applying for 101 such new TLDs, with .zip being one of the interesting ones. Public registration for .zip domains has been open for a couple weeks, and some interesting domains have been registered, like update.zip, installer.zip, and officeupdate.zip.
Except, take a look at that last link. Looks like it has slashes in it, so it should take you to google, and ignore the AT symbol. But it doesn’t, it goes to Bing. You may have guessed, it’s Unicode shenanigans again. Those aren’t slashes, they’re U2215, the division slash. And that means that a .zip TLD could be really sneaky, if the apparent domain is one you trust. Continue reading “This Week In Security: .zip Domains, Zip Scanning”→
Trouble In Paradise (TIP) was a popular Windows-only tool for troubleshooting Iomega Jaz and Zip drives way back when. The drives have fallen out of favor with PC, but the drives are still highly prized amongst classic Mac collectors, who use the SCSI versions as boot disks for the vintage machines. Thus, [Marcio Luis Teixeira] set about porting the TIP tool to the platform.
It all came about because running the original TIP recovery tool became difficult in the modern era. One must dig up a old Windows 98 machine and SCSI adapters in order to use it with Macintosh-compatible Zip or Jaz drives. This inspired [Marcio] to reach out to the developer, [Steve Gibson], who provided the original x86 assembly code for the tool.
[Marcio] then ported this line-by-line into C and compiled it with a retro Macintosh compiler to get TIP up and running on the classic Mac platform. Now, it’s possible to check and test Zip and Jaz drives and media on your old Mac without having to mess around with a vintage Windows machine.
It took plenty of effort, and the generous donation of code from [Steve Gibson], and all involved should be applauded for their work. It’s not every day we see such an impressive port, but they come along every now and then.
Meanwhile, if you’ve been tinkering on your own projects with Iomega’s classic removable storage, don’t hesitate to let us know! Video after the break.
Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program. If you did, though, you’d wind up with a bunch of RAR files that you could unrar and get the complete works of the Immortal Bard in a single Tweet. You can also find the source code — where else — on Twitter as another image.
What’s a polyglot file? Jpeg images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything that fits in 64 kB up to a limit of 16 MB total.
The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.
Sometimes we see projects that are so clever while being remarkably simple, that we can’t help thinking: Why didn’t I think of that! Take [Haresh Karnan]’s zipper robot, for example. It’s a well-designed 3D-printed shell with two geared motors for traction, that can both undo and do up zippers. Behind that seemingly simple design probably lies a huge iterative design process to arrive at a shape perfect for the job, but the end result is so elegant that even [Haresh]’s write-up and Hackaday.io page for the project are short and to the point. Download the STL file, snap in the motors, apply to a zipper, and away you go. He suggests rubber bands as a traction aid, but that’s pretty much it.
The results can be seen in the video below the break. While we might be tempted to make jokes about the terminally lazy using this device to save unnecessary labour after a toilet break, we can see that it might have a real application. If you have any friends with restricted dexterity you will understand how having an automated helper with such a fiddly task as a zipper could be an extremely useful accessibility aid.
Polyglots, in computing terms, are files have multiple valid meanings. We’ve seen some amazing examples of polyglot files in releases of The International Journal of PoC||GTFO. One example: a PDF that is also a ZIP, HTML file, and BPG image.
[Vi Grey] was inspired by PoC||GTFO’s release of a PDF/ZIP/NES ROM hybrid file for issue 0x14. Using a different method, [Vi] created a file which is both an NES ROM and ZIP, where the full contents of the ZIP are stored in the NES ROM.
When PoC||GTFO created their NES ROM polyglot, they stuck most the information outside the bounds of the NES ROM. While the file is valid, you’d lose the ZIP archive if it was burnt to a cartridge.
[Vi]’s polyglot is different. Rip it from a real NES cartridge and you get a ZIP file. Unzip it, and you get the source. Compile that source, and you get a valid ZIP file containing the source. Burn that to a cartridge and… hopefully you grok the recursion at this point.
The source and scripts to mangle the polyglot together are up on Github.
Look around yourself right now and chances are pretty good that you’ll quickly lay eyes on a zipper. Zippers are incredibly commonplace artifacts, a commodity item produced by the mile that we rarely give a second thought to until they break or get stuck. But zippers are a fairly modern convenience, and the story of their invention is one that shows even the best ideas can be delayed by overly complicated designs and lack of a practical method for manufacturing.
Try and Try Again
Ideas for fasteners to replace buttons and laces have been kicking around since the mid-19th century. The first patent for a zipper-like fastener was issued to Elias Howe, inventor of the sewing machine. Though he was no slouch at engineering intricate mechanisms, Howe was never able to make his “Automatic, Continuous Clothing Closure” a workable product, and Howe shifted his inventive energies to other projects.
The world would wait another forty years for further development of a hookless fastener, when a Chicago-born inventor of little prior success named Whitcomb Judson began work on a “Clasp Locker or Unlocker.” Intended for the shoe and boot market, Judson’s device has all the recognizable parts of a modern zipper — rows of interlocking teeth with a slide mechanism to mesh and unmesh the two sides. The device was debuted at the Chicago World’s Fair in 1893 and was met with almost no commercial interest.
Judson went through several iterations of designs for his clasp locker, looking for the right combination of ideas that would result in a workable fastener that was easy enough to manufacture profitably. He lined up backers, formed a company, and marketed various versions of his improved products. But everything he tried seemed to have one or more serious drawbacks. When his fasteners were used in shoes, unexpected failure was a mere inconvenience. If a fastener on a lady’s dress opened unexpectedly, it could have been a social catastrophe. Coupled with a price tag that was exorbitantly high to cover the manual labor needed to assemble them, almost every version of Judson’s invention flopped.
It would take another decade, a change of company name, a cross-country move, and the hiring of a bright young engineer before the world would have what we would recognize as the first modern zipper. Judson hired Gideon Sundback in 1901, and by 1913 he was head designer at the Fastener Manufacturing and Machine Company, newly relocated to Meadville, Pennsylvania after a stop in Hoboken, New Jersey. Sundback’s design called for rows of identical teeth with cups on the underside and nibs on the upper, set on fabric tapes. A slide with a Y-shaped channel bent the tapes to open the gap between teeth, allowing the cups to nest on the nibs and mesh the teeth together strongly.
Sundback’s design had significant advantages over any of Judson’s attempts. First, it worked, and it was reliable enough to start quickly making inroads into fashionable apparel beyond its initial marketing toward more utilitarian products like tobacco pouches. Secondly, and perhaps more importantly, Sundback invented machinery that could make hundreds of feet of the fasteners in a day. This gave the invention an economy of scale that none of Judson’s fasteners could ever have achieved.
Putting Some Teeth into It
The machinery that Sundback invented to make his “Separable Fastener” has been much improved since the early 1900s, but the current process still looks similar, at least for metal zippers. Stringers, which are the fabric tapes with teeth attached, are formed in a continuous process by a multi-step punching and crimping machine. For metal stringers, a coil of flat metal is fed into a punch and die to form hollow scoops. The strip is then punched again to form a Y-shape around the scoop and cut it free from the web. The legs of the Y straddle the edge of the fabric tape, and a set of dies then crimps the legs to the tape. A modern zipper machine can make stringers at a rate of 2000 teeth per minute.
Plastic zippers are common these days, too, and manufacturing methods vary by zipper style. One method has the fabric tapes squeezed between the halves of a die while teeth are injection molded around the tape to form two parallel stringers. A sprue connected the stringers by the teeth breaks free after molding, and the completed stringers are assembled later.
Zippers have come a long way since Sundback’s first successful design, with manufacturing improvements that have eliminated many of the manual operations once required. Specialized zippers have made it from the depths of the oceans to the surface of the Moon, and chances are pretty good that if we ever get to Mars, one way or another, zippers will go with us.
[pdp] provides someperspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files is not new. Combining JAR/ZIP files with GIF/JPG files will create hybrid files with headers at both the top and bottom of the file and allow them to bypass any image manipulation library as valid files. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”