Mastodawn

Kyle Ireton Dec 17, 2022

TIL: There is a cursed color in the Kodak ProPhoto RGB color space which, when converted to sRGB using pre-August-2020-Security-Update Android's image conversion routines, causes an integer overflow and a crash due to a rounding error. Some dude accidentally created an image (https://www.flickr.com/photos/gaurav_agrawal/48746079687/) which contains the cursed color on a single pixel. In 2020 if you set this image as your desktop on a Google or Samsung device, the device would brick & lose all onboard data https://www.youtube.com/watch?v=iXKvwPjCGnY

Prolific sunset at St Mary Lake, Glacier National Park

Flickr

mcc Dec 14, 2022

There was an actual IRL SCP / machine basilisk in the world and it remained effective for almost a year

mcc Dec 14, 2022

The most amazing part of the video is where the author is trying to figure out if the file was maliciously crafted so he recreates the image from scratch and accidentally kills his phone

mcc Dec 14, 2022

This is making me think about making an "irl-basilisks" Github repo containing the Excessively Loud Sunset, Janet Jackson's "Rhythm Nation" and a copy of the EICAR test file. Probably a bad idea because sometime in 2026 I'd wind up including "entirely innocuous image that incorrectly trips neural network CSAM scanners" and then I'd get banned from Github https://mastodon.social/@miah@hachyderm.io/109513848856267780

mcc Dec 14, 2022

The more I think about this the funnier I am finding it because I'm realizing it would be entirely reasonable to include a text file containing only the word "Memphis"*

* During Mar. 14 2021, Twitter instabanned anyone who posted the word "Memphis" (thread: https://twitter.com/mcclure111/status/1371170131477401604)

mcc on Twitter

“The account is back now, but as far as I can tell, only because he deleted the tweet that said M-- that said-- that said the name of the city in Tennessee that Twitter bans people for talking about ?!??! ?”

Twitter

mcc Feb 28, 2023

It is happening again !!! https://gizmodo.com/google-pixel-crash-youtube-app-alien-6-6a-7-pro-1850163854

Google Pixels Are Crashing After Watching This Alien Clip on YouTube

A specific 4K clip from the movie Alien seems to be a real menace on Google Pixel 7 and 6 devices.

Gizmodo

Doug Orleans Feb 28, 2023

@mcc works fine on my Pixel 7 Pro 🤷🏻‍♂️

johnwhitley Feb 28, 2023

@mcc Another day, another time my inner infosec child screams ZERRROOO DAAAAAAYYYY!!!!!!!

lbsa71 Dec 14, 2022

@mcc just take my money already.

Shanya (Over at BlueSky)Dec 14, 2022

@mcc Photos of sand dunes

A file with just the number 1

A file whose filename ends in a space

Ysegrim Dec 14, 2022

@mcc From The Big List Of Naughty Strings Pull Requests:
https://www.opencve.io/cve/CVE-2017-9212
https://github.com/minimaxir/big-list-of-naughty-strings/issues/197
https://github.com/advisories/GHSA-6gmw-hfp8-7f52
Etc

CVE-2017-9212 - OpenCVE

Wren Dec 14, 2022

@mcc this was extremely funny because of the soccer player Memphis Depay, who, if I remember right, caused a lot of people to get banned that day because he scored a bunch or something

Taco Dave Dec 15, 2022

@mcc I HEARTILY endorse your proposed museum of cursed media/data. It would be such a fun concept to bring to life as a pop up, let alone collect in a git repo.

Darren Dec 15, 2022

@dave @mcc welcome to the museum. Pictures encouraged

Taco Dave Dec 15, 2022

@mcc two more submissions, both Mazda-related:

- an image file with no extension, which sent as an HD radio signal will brick some Mazda infotainment systems (https://www.youtube.com/watch?v=F0YW43JYUwE)
- the podcast 99% Invisible, whose title contains %I which caused issues with string replacement in some Mazdas as well, leading them to put out a separate Mazda-friendly podcast stream (https://99percentinvisible.org/episode/the-roman-mars-mazda-virus/)

Why Hundreds of Mazdas Tuned to 94.9 Broke Simultaneously

YouTube

wuest Dec 15, 2022

@mcc I love this idea. It's so perfectly in line with your whole ethos
mcc, what does the cursed computer

herchenroder Dec 15, 2022

@mcc that is really incredible. Reminds me of the time in the beginning of my web development career I simply renamed a .gif file to a .jpg (instead of converting it in PhotoShop) and Netscape crashed trying to load it.

Ellarien Dec 15, 2022

@mcc This one wasn't permanently fatal, but I once (circa 1997) wrote an English sentence that, when submitted to Word 6's grammar check, would hang not only Word but the Windows 95 it was running on to the point of needing a reboot. My guess is that it was involved enough to overflow a buffer somewhere.

mcc Dec 15, 2022

@ellarien "Wenn ist das Nunstück git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput!"

Jernej Simončič �Dec 15, 2022

@ellarien @mcc Reminds me of editing a collection of homeworks in Word (I think 97) – when I pressed Enter (to simply insert a new paragraph) in a certain place, it removed all numbering from the complete document and destroyed the undo buffer. Luckily I saved frequently, so I didn't lose much, and I could recreate the same problem in the same place afterwards.
I don't remember how I worked around the problem.

0x10f/kalle/qalle Dec 31, 2022

@ellarien @mcc "B5-92, initialize factory reset. Authorization gamma-7-1-epsilon."

Benji Smith Dec 15, 2022

@mcc I remember hearing about a bug in Google Docs where if you typed in __proto__ into a doc the web page would break. I searched around and apparently it affected a few websites:
https://2ality.com/2012/11/proto-breaks-webapps.html

The text “proto” can break a webapp

[This post is part of a series on the special property __proto__] The text “__proto__” can still break webapps if it appears somewhere in the content, as I was reminded of today, via Domenic Denicola and Peter van der Zee.

Professor Fig dies all endings Dec 16, 2022

@mcc 🎶 Walking in M-place

Martin Carpella Dec 17, 2022

@mcc and don't forget to include 42.zip :-)

mark Dec 14, 2022

@mcc …hang on, the excessively loud *what*?!

mcc Dec 14, 2022

@auditorydamage *points upthread* A guy from San Diego took a photo of a sunset in which, coincidentally, one single pixel is so bright that it crashes pre-August-2020 Android phones

mcc Dec 14, 2022

@auditorydamage Too Much Sunset Error

mark Dec 14, 2022

@mcc oh, whoops! my bad, didn’t follow the links.

Tim Panton Dec 14, 2022

@mcc do you remember the cursed glyph combination that crashed any iPhone that tried to render it? Setting it as the title of a group chat zapped the whole group’s phones.
https://serhack.me/articles/crash-iphone-telugu-character-en/

You could use that in the repos name :-)

How to Crash the iPhone with a Single Telugu Character

Let’s take a look at the Telugu symbol “jñā” that causes Apple software to crash.

SerHack - Security Researcher

mcc Dec 14, 2022

@steely_glint Oh god I do remember this

Tim Panton Dec 15, 2022

@mcc What I found so special was that it took out the kernel because that's where font rendering happens.

It took me back to when I worked on the ill fated Pixel80G in the late 80s. It had a hardware blitter which rendered glyphs onto video ram, but only during CRT interlace. You could queue blits up the rest of the time and they'd happen when interlace came around again.
Mess it up and you had a dead computer.

Craig Dec 14, 2022

@mcc @steely_glint Ah, you just answered a question I’ve been lowkey carrying around for a few years — why we had a fuzz test that just spammed Telugu runes.

Tim Panton Dec 14, 2022

@craigm @mcc It really should have been in the readme...

Craig Dec 14, 2022

@steely_glint @mcc To be fair, I just never got around to asking any of our test automation leads about it, so it got filed in the “Huh, that’s an odd choice” brain bin until right now. 🙂

Tim Panton Dec 14, 2022

@craigm @mcc low, low key then.

The Duality of Xan Dec 15, 2022

@steely_glint @mcc This is like some kind of eldritch horror but for electronics జ్ఞా

Mans R Dec 15, 2022

@XanIndigo @steely_glint @mcc Haven't there also been cases of magic SMS messages crashing phones?

lbsa71 Dec 14, 2022

@mcc would still be totally worth it tho

arborelia Dec 14, 2022

@mcc I love this idea and I submit the string "+d,+6t,+vu8-", an erroneous UTF-7 string that Python used to happily convert to erroneous Unicode and even erroneous UTF-8.

Python 2 gist from 2014: https://gist.github.com/rspeer/7559750

deadbeef_character.py

GitHub Gist: instantly share code, notes, and snippets.

Gist

Meg Dec 14, 2022

@arborelia @mcc why on earth does python even have a utf7 decoder? May as well have utf-1 while it's at it. (Please tell me it doesn't have a utf1 decoder too)

arborelia Dec 14, 2022

@megmac @mcc thankfully no.

Though it does support ISO 2022, and as I understand it, the unsuccessful pitch for UTF-1 was "at least it's not ISO 2022"

Andreas K Dec 15, 2022

@megmac @arborelia @mcc who knows if the line we are working with is 8-bit clean?

@arborelia @mcc reminds me of a bug in old windows notepad where certain combinations of letters & spaces would load as the wrong charset

https://en.wikipedia.org/wiki/Bush_hid_the_facts

Bush hid the facts - Wikipedia

9th level spell slut Dec 14, 2022

@mcc http://www.enjoythemusic.com/magazine/rickerinterview/ricker8.htm

this one isn't digital, but if you ctrl-f "killer disks" there's an audio engineer talking about a vinyl recording of the 1812 overture with actual real cannons that's so loud it would fuck up speakers and record players.

here's a shot of the vinyl :D

Enjoy the Music.com Stan Ricker Interview

Enjoy the Music.com Review Magazine

mhoye Dec 14, 2022

@mcc It's sort of great that if you're a computer, Langford's Basilisk is real.

Dag Ågren ↙︎↙︎↙︎Dec 14, 2022

@mcc Thanks for reminding me of The Criminal.

@WAHa_06x36 @mcc going to secretly patch mastodon to give you a 24 hour ban if you post this image exactly

Waylon Jeggings Dec 14, 2022

@mcc oh! May I nominate

https://arstechnica.com/cars/2022/02/radio-station-snafu-in-seattle-bricks-some-mazda-infotainment-systems/

Radio station snafu in Seattle bricks some Mazda infotainment systems

The problem was a broadcast containing image files with no extensions.

Ars Technica

stilescrisis Dec 15, 2022

@mcc Plus a file containing "And. And. And. And. And." https://www.engadget.com/google-docs-and-and-and-and-and-bug-213609808.html

Engadget is part of the Yahoo family of brands

Jernej Simončič �Dec 15, 2022

@mcc Let me nominate the string Invoke-Mimikatz. If you name your WiFi that, it used to break Windows WiFi stack on connection, and if you use it as your computer name, it breaks a bunch of other things.

Kristobal Sannsynlig-Navn Dec 15, 2022

@mcc remember to include a folder or file named "aux" to mess with Windows users

Iain McSneezyFace Dec 15, 2022

@mcc I found a repeatable hard freeze in C sharp on VS Mac when typing an empty string literal inside an interpolated string; it looked like a fork bomb once I removed irrelevant method calls etc. I suspect it was actually recursively trying to syntax highlight or something.

ersatzmaus Dec 15, 2022

@mcc What's going in the README?

This is not a place of honour…

For whom the Taco Bell tolls Dec 14, 2022

@mcc incredible

osmote Dec 14, 2022

@mcc flawless

Heath Borders Dec 15, 2022

@mcc I lolled IRL at this

Dominic Dec 14, 2022

@mcc this is the most concerned I've felt about my phone being uhh not super up to date

mcc Dec 14, 2022

@barometz don't set the Flickr sunset as your desktop image

Brad Dec 21, 2022

@mcc Potential basilisk: M1 Macs appear to output a video signal that somehow causes some external 4K monitors to go haywire and display vertical lines, flickering, and image retention. The monitor continues to display these symptoms after after unplugging the video source or changing inputs.

https://mastodon.social/@bk1e/109549008585751376
https://forums.macrumors.com/threads/m1-air-ghosting-flickering-with-external-display.2271670/

M1 Air ghosting, flickering with external display

My M1 MacBook Air has a serious problem with external displays. Pinging the brains here in case there are any ideas more convenient than sending back to Apple. Connecting directly via a known-good USB-C to DisplayPort cable, my Dell U2713HM (1) flickers, (2) shows vertical lines, and (3) mixes...

MacRumors Forums

Renée Dec 14, 2022

@mcc I love this but also I hate this 🤷

joy larkin 🌺✨Dec 15, 2022

@reneestephen @mcc This is the appropriate response.