PHP Inside Image Files

Interesting new hack in the wild – embedding PHP (or other*) code inside an otherwise valid image file. And why would anyone do that? Think of a site that allows users to upload avatars or icons or other images, then displays those images back to the public. If the site isn’t taking sufficient precautions during the upload and display stages, an attacker can build a file that is a perfectly valid image with PHP tucked into its byte stream (in a GIF comment block, say, or simply appended after the image data), upload it under a name like myfile.gif.php, and wait. A site that sloppily keeps the uploaded filename and serves the file from a PHP-interpreted directory hands the first request for that “image” to the PHP interpreter, which passes the image bytes through untouched and executes whatever sits between the <?php tags, with the privileges of the web server.

The kicker is that even if your site is doing common checks to verify that it’s dealing with a standard image file, such as running the getimagesize() function on it first, those tests can be fooled: getimagesize() only parses the image header, so a file whose first n bytes are a legitimate image passes even though the rest of it is code. Checking that the bytes look like an image is necessary but not sufficient. You also need to control the filename – accept only an allow-list of extensions, and better yet generate the stored name yourself instead of keeping the user’s – and never serve uploads from a directory that’s PHP-interpreted. Other suggestions in the article at PHP Classes.

* There’s no reason this same hack wouldn’t work with .ASP or .NET or ColdFusion sites as well, or with image formats other than GIFs.
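As an added example (not code from the original post or from the PHP Classes article), here is the sloppy upload handler described above next to a hardened version. It assumes a form field named avatar, an uploads directory beneath the script’s own directory, PHP 8 with the GD extension, and that the web server has PHP execution switched off for that uploads directory; the field name, directory and function names are all illustrative.

```php
<?php
// Added example, not from the original post. Two handlers for an upload
// form field named "avatar" (assumed name). The first is the sloppy pattern
// the post describes; the second closes the holes it leaves open.

// Assumed layout: a web-served directory that MUST have PHP execution
// disabled (e.g. "php_admin_flag engine off" in an Apache <Directory> block).
const UPLOAD_DIR = __DIR__ . '/uploads';

// VULNERABLE: getimagesize() only needs a valid image header, and the
// client's own filename (e.g. "avatar.gif.php") is kept, so a payload in
// the byte stream runs the moment the "image" is requested. basename()
// stops path traversal but does nothing about the extension.
function save_avatar_vulnerable(array $file): string
{
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    $dest = UPLOAD_DIR . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);   // return value ignored
    return $dest;
}

// HARDENED: the stored name is generated server-side, the extension comes
// from the detected image type rather than from the client, only a small
// allow-list of types is accepted, and the image is re-encoded through GD
// so comment blocks and trailing bytes from the upload never reach disk.
function save_avatar_hardened(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if (!in_array($info[2], $allowed, true)) {
        throw new RuntimeException('unsupported image type');
    }
    // Decode with GD: from here on we only ever write bytes we produced.
    $img = match ($info[2]) {
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // Random, server-chosen name; extension derived from the detected type
    // (".gif", ".jpeg", ".png"), never from $file['name'].
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($info[2]) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Minimal driver for a web request (assumed form field "avatar").
if (PHP_SAPI !== 'cli' && isset($_FILES['avatar'])) {
    header('Content-Type: text/plain');
    echo save_avatar_hardened($_FILES['avatar']);
}
```

The hardened version still puts a file on disk, so the directory-level control matters as much as the content check: with Apache and mod_php, a <Directory> block for the uploads path containing php_admin_flag engine off makes the server hand even a file that slipped through to the client as static bytes. Re-encoding through GD drops comment blocks and trailing junk, but a payload can be encoded into pixel data in a way that survives re-encoding, which is why the post’s advice to keep uploads out of PHP-interpreted directories is the control that actually ends the attack rather than any amount of inspection of the bytes.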

Music: Tom Verlaine :: Rings

Spectacular Failure

News that HD-DVD’s encryption has been cracked – the AACS processing key is now published all over tarnation – is a two-pronged story.

First, that the AACS’ vigilance in preventing HD-DVDs from being copied and openly traded is heading toward spectacular defeat while the format is still in its infancy, battling Blu-ray for supremacy.

Second, that this has occurred in the era of Web 2.0 and user-generated content. Digg.com’s battle to prevent users from posting stories containing the key was also a spectacular failure.

Digg’s attempt to weed out posts containing the key turned into an endless game of Whack-A-Mole, despite the fact that Digg faced legal action from the AACS if they didn’t get the stories removed – action that could get Digg shut down. But Digg users (or at least a subset of them) apparently cared more about getting the key widely published than about Digg getting nailed. Eventually, Digg’s founders threw up their hands.

“You’d rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be,” [Digg’s Kevin] Rose wrote … If we lose, then what the hell, at least we died trying.

Looks like Google and WordPress.com may also be busting similar takedown moves.

When you bake user-generated content features into your site, you stand the risk of users posting content that could be threatening to your very existence. So which way do you go? Allow the public to speak through the megaphone you built just for them? Or protect yourself? I think this could set a very bad precedent for traditional publications just now warming to the power of UGC.

Music: Lou Reed and John Cale :: Nobody But You

Flickr Maps

Late to the party, just realized that Flickr provides an interface for “geotagging” photos — associating images or sets of images with points on the globe, overlaid on Yahoo! Maps. Here are a few of my sets in the context of their location on earth:

With more care and precision, you can get much more detailed, e.g. I could drag each of the Albany Bulb images to the exact spot on the bulb where the sculpture was found.

Music: Dave Van Ronk :: Death Letter Blues

Sanoodi

Miles and I tracked down our first geocache today – less than a mile from our house. Most caches are tucked deep in the wilderness, but a surprising number are stashed right under your nose; you could walk by them a thousand times and never have a clue. Hardcore geocachers look down on caching in residential areas, but we wanted to start easy. M scored a pair of super-bouncy balls and left a Matchbox tow truck. Think he was a bit disappointed – “surprise” may have meant “new Lego set” in his mind. Opportunity to talk about the pleasures of discovery. Have heard of some caches containing opera tickets, c-notes, world peace, etc. Reality is probably that most will contain key fobs and hair clips.

Nabbed an account on Sanoodi, a regrettably named Web 2.0-ish site that lets users upload XML (.gpx) track output from GPS devices, which it plots directly onto Google Maps to share with other hikers/bikers/runners. I’ll be using the site to store tracks for posterity. Started with my bike route along the Ohlone Greenway from home to UC Berkeley.

Thanks Patrick Cates

Music: União Black :: “Yeah Yeah Yeah”

Famous Hackers

IT Security has posted its list of the Top 10 Most Famous Hackers of All Time.

Hackers are a very diverse bunch, a group simultaneously blamed with causing billions of dollars in damages as well as credited with the development of the World Wide Web and the founding of major tech companies. In this article, we test the theory that truth is better than fiction by introducing you to ten of the most famous hackers, both nefarious and heroic, to let you decide for yourself.

Looked promising, but shockingly, I didn’t make the list.

Music: Caetano Veloso :: Rai Das Cores (Array of Colors)

I Bought Votes on Digg

Interesting example of how what looks like a nice, friendly democratic socialism on the surface can be easily corrupted with an elixir of money and a non-critical voting populace.

For Wired, Annalee Newitz describes her social experiment in gaming social news ranking site digg.com by purchasing votes through an external service.

I spent several days creating a blog intended to be as random and boring as possible. Built from templates, My Pictures of Crowds exhibits all the worst aspects of blogging. There’s an obsessive theme — photographs of crowds — but no originality and absolutely no analysis. Each entry is simply an illogical, badly punctuated appreciation of a CC-licensed picture taken from Flickr. Also, there are a lot of unnecessary exclamation points!

Digg claims that its algorithms are able to detect patterns reflective of vote purchasing, and that it shouldn’t be possible for popularity to be bought and sold on the open market. But there was more at work here – only some of the diggs received were bought; many more came from non-bought diggers “jumping on the bandwagon,” digging the story just because others were doing so. Newitz was able to goose the site with purchased votes just enough for it to rise through the rankings until it hit the tipping point, at which point critical mass took over and the site became a minor hit.

So, the magic mixture seems to be a just-right blend of pimps and lemmings.