Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Slashback

Slashback: Streamend, Stego, Patches 150

Posted by timothy from the secnarf dept.
The first Slashback of 2002 brings you updates on Ogg streaming (listen in while it lasts, and send feedback if you like it!), Qwest and your privacy, holes and patches for products from the MS-AOL-Time Warner Industrial Complex, and even more steganographic images failing to appear.

Getcher hot streams while they last ... jmoffitt writes: "In his post to the Vorbis list, Ciaran announced that the Ogg Vorbis BBC streams of Radio 1 and Radio 4 that we've enjoyed since early November would go offline as the test is ending. Everyone is encouraged to send their encouragement for these streams to continue to webweaver@bbc.co.uk. Also, as a special treat, the Radio 4 Ogg stream has been extended a week - just enough for all to catch the first episode of Lord of the Rings on Saturday at 1430 GMT."

Please mind the people interrupting your privacy. Matt Clauson writes: "Discussion list for the Qwest privacy issue and possible protest action has been set up -- send an email qwest-action-subscribe@dotorg.org to subscribe to it."

Plug, plug, plug ... timekillerj writes "Well it looks like AOL jumped right in and fixed that pesky hole. We can all go back to speculating how insecure it is now. An article on Yahoo has more info, including a short debate on w00w00 disclosing before getting a response from AOL."

Backstepping by any other name ... dagoalieman writes "It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.

Nope, still don't see any. Niels Provos writes: "I just updated http://www.citi.umich.edu/u/provos/stego/usenet.php to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message.

I also released a new version of stegdetect.

The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak performance is comparable to 72 1200 MHz Pentium III machines :-) ...

Below my mail to the cryptography mailing list.

------- Forwarded Message
From: Niels Provos <provos@citi.umich.edu>
To: cryptography@wasabisystems.com
Subject: Stegdetect 0.4 released and results from USENET search available
Date: Fri, 21 Dec 2001 12:16:14 -0500
Sender: provos@citi.umich.edu

I just released Stegdetect 0.4. It contains the following changes:

- Improved detection accuracy for JSteg and JPhide.
- JPEG Header Analysis reduces false positives.
- JPEG Header Analysis provides rudimentary detection of F5.
- Stegbreak uses the file magic utility to improve dictionary
attack against OutGuess 0.13b.

You can download the UNIX source code or windows binary from

http://www.outguess.org/download.php

- -----

The results from analyzing one million images from the Internet Archive's USENET archive are available at http://www.citi.umich.edu/u/provos/stego/usenet.php.

[...]

After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis.

This page provides details about the analysis of one million images from the Internet Archive's USENET archive.

Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single hidden message. [...]
Comments and feedback are welcome. We have an FAQ at http://www.citi.umich.edu/u/provos/stego/faq.html"
Thanks for the update, Niels!
This discussion has been archived. No new comments can be posted.

Slashback: Streamend, Stego, Patches More

Slashback: Streamend, Stego, Patches

Comments Filter:

  • So.... (Score:2, Interesting)

    by cscx ( 541332 )
    "It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.

    In plain English, does this mean that the whole 'warning' by the FBI was FUD, plain and simple?

    • Re:So.... (Score:4, Informative)

      by Henry V .009 ( 518000 ) on Thursday January 03, 2002 @08:28PM (#2782480) Journal
      In plain English, does this mean that the whole 'warning' by the FBI was FUD, plain and simple?
      Whoever moded this as a troll is on crack. According to this [theregister.co.uk] story in The Register, the FBI warning was not correct, and the steps they advocated for fixing the security hole did nothing. How's that for FUD?

  • No jokers out there?? (Score:4, Funny)

    by RedOregon ( 161027 ) <redoregon AT satx DOT rr DOT com> on Thursday January 03, 2002 @08:07PM (#2782368) Homepage Journal
    Kind of surprised no one uploaded a bunch of steg'd images just for laughs.. encrypted messages like "No, this isn't from a terrorist", "Windows/Bill Gates/Microsoft Blows", "steg _this_, buddy"... or "First Post!"
    • Who says they didn't?
      Woohoo, isn't proving a negative all kinds of fun?
    • I think their steganography breaking system just stinks. I've been party to stego'd image passing years ago, so I *know* they exist(ed) on usenet :-). On the other hand, the message was usually encrypted, too, so that might be tripping them up.
      • I dunno... I could be wrong, but I got the impression that they were looking for *messages hidden via steganography* -- in other words, looking to see if *something* was there in the image. Whether or not it was an *encrypted* message shouldn't make a difference, just that *something* besides image data existed?
    • Who's to say that the message isn't somehow encoded in the filename, the file size, the MD-5 hash of the entire message, hell, even the Usenet group it was posted too. It's ironic that all that processing power was wasted on analyzing the image, when any of the aforementioned parameters might have constituted a public key or one time pad for the real message...

      Basically, this kind of analysis constitutes an even weaker hypothetical effort than RC-56, or any of those distributed.net challenges, since it's not a given that the image is the sole medium for the message.
  • Nope, still don't see any. I just updated http://www.citi.umich.edu/u/provos/stego/usenet.ph p to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message. I also released a new version of stegdetect. The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak

    umm, cat got your tongue? Unless the "hidden message" was "I hit submit too soon"...

  • Ogg streaming is a step in the right direction (Score:5, Insightful)

    by chrysalis ( 50680 ) on Thursday January 03, 2002 @08:08PM (#2782378) Homepage
    The streaming test made by the BBC is definitely a good thing. It brings credibility to open source projects. Ogg Vorbis is really an amazing format, but nobody uses it because of the lack of advertisement.
    Succesful experiences like the BBC one can change this.

    • Lack of advertising? No one uses it because MP3 is entrenched, so the network effect is in play: To dethrone it you have to have demonstratable advantages that motivate people to adopt it, and honestly as of yet I haven't seen those advantages. The WMA format has the exact same dilemma, but even with claims that it's 2x better at a given bitrate (I'm not claiming that: Just what I've heard), the entrenchment of MP3 still makes people go "Bah...not worth it".

      • To dethrone it you have to have demonstratable advantages that motivate people to adopt it, and honestly as of yet I haven't seen those advantages.

        I think what you meant to say is that you haven't heard the audible benefits of using ogg. I have something in mind that might change your mind, its only one example but i think it will suffice. And keep in mind that the next release of the ogg encoder (RC4) will have even more improvements in the low bitrate range.

        Try the following streams, one is ogg and the other mp3 , both broadcasting 32Kbps/mono.

        ogg123 -d oss -vp 64 http://shoutcast.mediacast1.com:7000/32.ogg

        mpg123 -b 64 -u a http://shoutcast.mediacast1.com:7005/32

        If you believe the mp3 stream sounds better then I suggest you give a reputable otorhinolaryngologist in your area a visit... or talk to El Rusbo if that cooks your noodles.

        • But then, much like the low bitrate Windows Media format claims, it's irrelevant to a large percentage of the people who use MP3s. When I stream radio I do so always at 128Kbps stereo, or at absolutely worst 96Kbps stereo. It is there where the difference between ogg and mp3 would matter to me. For stored MP3s of course the minimum the vast majority of people touch is 128Kbps.

  • Am I readintg this right (Score:4, Insightful)

    by adamy ( 78406 ) on Thursday January 03, 2002 @08:09PM (#2782383) Homepage Journal
    OK w00w00 sends an Email to AOL, get's no response, and then publishes. to this, AOL said,

    ``We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said.

    Sorry if your organiuzation is too big to react that quickly...
    • I Seriously doubt they would have put forth the slightest effort to take care of the problem in a timely fashion had it not been disclosed *first*. They may have even 'swept it under the rug' to avoid the bad PR. Big Corps don't like it when the decisions get taken out of their hands like that. They tend to whine alot when it happens. I say kudos to w00w00 for lighting the fire under 'em!

  • only in english (Score:3, Insightful)

    by donhav ( 41208 ) on Thursday January 03, 2002 @08:12PM (#2782399) Homepage
    What if the messages are not in english or god forbid use a non arabic script?

    • Re:only in english (Score:3, Insightful)

      by Alien54 ( 180860 )
      even if it was in unicode, you should be able to see a repeating pattern of something.

      personally, I think that the best gimmick would be to encode a small picture of a message into another larger picture. That would mess up the search for plain text ;-)

      • Yeah, if the message wasn't ascii English, the stego findoer would still a pattern in the image. Unfortunately, they ran thier ~20,000 "suspect" images through a dictionary checker, with the implication being that the 1,800,000 words and phrases were all English ascii. This was their difinative test of the suspect images. In any case, they can't say anything about the suspect images containing conventioanlly encrypted messages. All they can say is that the images look like they're hiding info, but the hidden info looks like white noise.

        Good idea about making an image of the message and stegoing that into an image, except that the stego content is typically much smaller than the original file size. Encrypting before using stego should make it much less detectable. I would guess that any intelligent stego search would include checks for standard file headers.

    • Re:only in english (Score:2, Insightful)

      by oomcow ( 229665 )
      i don't understand how people expect to detect encrypted messages that are then steganographically hidden in images anyways.

      in theory if you encrypt your message via any good standard method, it should result in something that even statistically looks like random garbage.

      • Re:only in english (Score:1, Interesting)

        by Anonymous Coward
        Exactly. Saying "we didn't detect any crypography" only shows that their methods are flawed.

        When stego hit the news before, a year ago, I posted a message to a binaries group a year ago with stego in it and not a single of these studies has found it. I invented the method, which seemed obvious to me, and they didn't find it. I don't expect them to.

        It's not that my stego was smart, but that it was foreign, and there are a million more ways to stego than to encrypt it.

        ps. My dumb method was to encode five paragraphs of shakespeare. Shuffle the letter placing ABC to CAB and add it to each [sq. root of PI]'th pixel so it would occasionally skip one. It was added to a picture, of course, of goatse.

    • actually, we use arabic numerals. our script is roman based, as you can tell if you look at latin (which the romans spoke) and it consists of many similar letters as the 26-character alphabet we currently use.

      if you look at arabic you'll notice a lot of flowing lines and a more "cursive" appearance.

      this is why your character coding is called "ROMAN" not "ARABIC".

  • Hmm... (Score:4, Funny)

    by Mike Schiraldi ( 18296 ) on Thursday January 03, 2002 @08:12PM (#2782401) Homepage Journal
    The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak

    Ok, i give up -- where did you steganographically hide the rest of that sentence?
  • If someone wanted to hide a message in images on newsgroups, they wouldn't put a plaintext msg that any newb running a dictionary based attack could find, unless they wanted it to be found. It would be trivial to add one more step of xor'ing the msg with a random key first, then putting the key in a second image, or evern better sending it through another conduit. I know if I was going to use something as lame as stenography to send an important msg, I would go to the trouble of not sending plaintext.

  • Just because you can't see it... (Score:4, Insightful)

    by tbo ( 35008 ) on Thursday January 03, 2002 @08:20PM (#2782447) Journal
    ...doesn't mean it's not there, does it? How confident are the makers of stegdetect that no steganographic images would slip past their program? Does their program simply work for all known steg. algorithms, or would it detect some or all kinds of new algorithms?

    Also, if I was going to try to send a message via steganography, I wouldn't be doing it with images on Usenet. I'd make some useless personal homepage (god knows there are enough of those already, and nobody visits them), and put my steg. image on there. Or, I would use a more primitive kind of steganography--code words embedded in seemingly innocent messages. There's a hell of a lot more spam on usenet than images, so it would be better concealed that way.

    • www.spammimic.com (Score:3, Informative)

      by fo0bar ( 261207 )
      Dear Friend , Especially for you - this red-hot intelligence . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our mailing list . This mail is being sent in compliance with Senate bill 1622 ; Title 1 ; Section 307 ! This is not a get rich scheme ! Why work for somebody else when you can become rich within 60 days ! Have you ever noticed society seems to be moving faster and faster and nobody is getting any younger ! Well, now is your chance to capitalize on this ! WE will help YOU deliver goods right to the customer's doorstep and decrease perceived waiting time by 160% ! You can begin at absolutely no cost to you ! But don't believe us ! Mr Simpson of Connecticut tried us and says "My only problem now is where to park all my cars" . We are a BBB member in good standing . We beseech you - act now ! Sign up a friend and you'll get a discount of 60% ! Thank-you for your serious consideration of our offer ! Dear Professional , Thank-you for your interest in our letter ! If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our mailing list ! This mail is being sent in compliance with Senate bill 1620 ; Title 9 ; Section 306 . This is different than anything else you've seen ! Why work for somebody else when you can become rich in 37 days ! Have you ever noticed the baby boomers are more demanding than their parents & society seems to be moving faster and faster . Well, now is your chance to capitalize on this . WE will help YOU increase customer response by 170% and deliver goods right to the customer's doorstep . The best thing about our system is that it is absolutely risk free for you . But don't believe us ! Mr Ames who resides in Delaware tried us and says "I was skeptical but it worked for me" ! This offer is 100% legal ! We implore you - act now . Sign up a friend and your friend will be rich too . Thanks !
    • I'd make some useless personal homepage (god knows there are enough of those already, and nobody visits them),

      The problem with this is that assuming someone does find the hidden message in one of the images, then it is easy to install Carnivore, or similar and watch all traffic requesting the page. USENET gets distributed all over the place - that's why it gets used for things where people don't want a centralised log of the fact they downloaded it (pr0n, warez, contentious views).

      Download some alt.binaries.images.erotica.* files, paste on a fake BBS ad, and embed your message. Repost. No-one will try and call the BBS, or be surprised if the details "don't work".

      I agree that not finding messages doesn't mean they aren't there, however.
    • How confident are the makers of stegdetect that no steganographic images would slip past their program? Does their program simply work for all known steg. algorithms, or would it detect some or all kinds of new algorithms?

      Stegdetect checks for the signatures of three steg programs (JSteg, JPHide, and OutGuess .13b)(Research Paper [umich.edu]), and it does not detect new algorithms. Also, the effectiveness of stegdetect is determined by what steg program was used. It missed from 5% of JSteg stegs to 60% of OutGuess stegs. Finally, they did not try to detect stegs generated with OutGuess 0.2 because it has a better method of randomly selecting bits to change.

  • AOL did NOT fix the hole (Score:3, Insightful)

    by cr@ckwhore ( 165454 ) on Thursday January 03, 2002 @08:28PM (#2782483) Homepage
    Here's the deal with AOL... since everything runs through centralized servers, they've been able to apply filters to catch erroneous message packets.

    Big deal!!

    Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.

    They havn't changed the fact that there is a buffer overflow in the IM client. This means that AIM users (using the official client) are still vulnerable. AOL has simply made it a bit more obscure, and we all know that security through obscurity is not secure at all.
    • How about perspective on this. Just how many slashdot users were hit with destructive worms/viruses thanks to AIM/AOL? Raise your hands!

      Now how many of you were hit with destructive worms/viruses thanks to Outlook? MIIS?

      Point made. Yes, AOL's fix isn't ideal, but then were not being flooded with destructive code that way are we?

      When AOL hits the top 10 methods of virus propogation, then you can lambast them for poor software design and closed standards.

      Lee
      • When someone opens a suspicious e-mail, and it screws over their computer, it is easy to trace the problem back to the source. Or, if an IIS server's logs reveal something suspicious going on, an adept admin can figure this out in many cases. However, your typical AOL/AIM user often knows next to nothing about computers or the internet, let alone be aware of an attack.

        Who knows? Maybe thousands of people are being hit every day, but don't have a clue as to where the computer's "problems" are coming from. Many people shrug off something unusual as "just one of those complicated computer things", and haven't a clue why when they power on the computer all they see is a blinking cursor.
      • Lee, if you had the ability to run code on peoples machines unnoticed what would YOU run?

        format?, fdisk? delete all their files?

        no, that's what lame schoolkids do

        real black hats don't trash your system, they try and keep it alive so they can use it for nefarious activities.

        I don;t know much about the AIM one but with Sub7 which was an icq based virus the victim would maybe just have strange things happen occasionally (screen upside down, follow the white rabbit stuff etc.). Or the attacker would just take webcam pictures and download them without the victim's knowledge or consent. Read their email, read their icq log, look at their bookmarks, poke around for text files containing passwords, edit /windows/hosts and try a CC / password scam. And this was wide scale (and probably still is) because Sub7 infecetd hosts advertise themselves on IRC as infected!

        Just because your PC isn't "broken" doesn't mean you're not infected. Only the lamest viruses are destructive for without hosts there is no life.
      • Point taken, yes my Mac running OX could be harboring all sorts of nefarious code inserted by AOL/AIM. It's true, of course this particular bug only affected machines running Microsh*t brand OSes. There are advantages to being the 'minority, underused OS'.

        The truth is you're correct. But then if you had a 'black hat' back door planted on your system for use in some nefarious scheme to arrange attacks, don't you think it would eventually get used? And when it did, then it would be revealed? Example: the Denial Of Service attacks early last year.

        Being paranoid is a good thing, and it's your choice not to run AOL/AIM. That's fine. But all in all, I'd rather spend my time worrying about already known, highly STUPID, well documented and frequently abused security risks that remain UNFIXED (read Outlook), than to conjecture about possible security attacks in a protocol that's at least been patched.

        Yes it's a secret protocol, and that makes it unavailable for public inspection. But there remain many well documented public protocols that continue to be used, with known security issues. Even OpenSSH, a gem of a program I use regularly, had possible security exploits. Heck even my favorite software house, Apple, has "Airport" code which is subject to WEP exploits.

        If you want to get on AOL's case for not being responsive to the original complaint, you might have a case. However, the message I responded was lambasting them for having 'patched' the problem in a a way the poster didn't approve of. Actually I think AOL was pretty quick in applying the patch, compared to some manufacturers (read REDMOND).

        Finally, if I were a 'black hat', I use the obvious easy holes to plant nefarious difficult to detect code. Instead of wasting hours/days/weeks analyzing packet transfers on AIM to try to detect possible locations for buffer overflows, just to plant that same code. But that's me, and the last time I 'hacked' anything was on an Apple 2 with poke. [Ok, I did have to hack root access on some NeXT boxes, but I was the system admin of those boxes at the time, and it was work related.] Guess that makes me 'white hat'.

        Lee
    • Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.

      Oh, so THAT'S where I've been going wrong. I'll try electrical tape next time, thanks for the advice!

      (It's a bad attempt at humor, mods. Laugh.)
    • They did fix it - in order to exploit it, you had to send a message through AOL's servers. Harmful messages are now blocked at AOL's servers, so the exploit is no longer effective.

      I think it's pretty much given that this is the most reasonable course of action - AOL is primarily for people who aren't that great with computers, and very well could have difficulties upgrading, if they decided to do so, so instead of forcing all of their millions of users to fix it themselves (that's basically what it would come across as to most users - they don't know what's really going on), so AOL can simply block it themselves and fix the client in the next round of upgrades. And that leaves out the cost of extra bandwidth, people rushing to upgrade before they get hit, etc.

      Obscurity would imply that they hid it; what they in fact did was block the exploit completely.
      • I admit that I haven't studied the details of the exploit, but you're implying that spoofing a malicious packet or packets won't work?

        Sure, they shut off the easy way to launch an attack, but I can still send that same message from another host, can't I?
      • Obscurity would imply that they hid it; what they in fact did was block the exploit completely.

        That is incorrect. They've stopped people from sending the bogus messages through their servers. How long do you think it would take to write a program that scans IP ranges for clients that are STILL SUSCEPTIBLE and attack them directly? 5 minutes? 10 minutes for a Code Red for AIM? This is not a fix by any means.
      • Familiar with the concept of packet insertion? Just for giggles, try a traceroute to your favorite AOL server and note the number of hops traversed. Any one of these can be used as a point of packet insertion.

        There are plenty of ways the problem can still be exploited. AOL has simply made it a bit more difficult, but not impossible.

        One of the biggest problems in the world of computer security world is thinking that a problem isn't going to be exploited because of its difficulty or obscurity. This has been proven time and time again when the most obscure little security holes get exploited repeatedly.

      • They did fix it - in order to exploit it, you had to send a message through AOL's servers. Harmful messages are now blocked at AOL's servers, so the exploit is no longer effective.

        The scary part here is that AOL has basically admitted that it has a back door into every system which runs AIM. I wonder how that law about music companies (Time Warner) breaking into the machines of suspected copyright violators is going.

        Not to mention simple DNS attacks, attacks from someone working at AOL, attacks from someone who broke into AOL's servers.

        Could even be the next new "I love you" worm. Send an html link containing a registry edit to change the IP address of the AIM server to the person sending the link. Then when the user reconnects to what it thinks is the AIM server (which you could probably force in some way), hack in, start up its own fake AIM server, and send the link on to everyone in the users buddy list.

    • Here's the deal with AOL... since everything runs through centralized servers, they've been able to apply filters to catch erroneous message packets.

      I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.

      Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.

      I dunno - that sounds pretty damn effective to me. Much stronger than latex, and it certainly won't slide off.

      They havn't changed the fact that there is a buffer overflow in the IM client.

      Obviously, you *can't* change the fact that a particular version has a bug, but you can release a new one. The problem is that it takes a long time to get everybody to update, so this is actually a pretty good fix, notwithstanding the issue of people using the software without the benefit of this filter.

      • I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.

        Let me tell you how AIM, IRC, Jabber, and other popular real-time messaging systems work. Alice and Bob each send name, password, and client binary hash to server. Server responds with buddy list, including presence information. Alice wants to send message to Bob. Alice sends packets to server, which processes those packets and forwards them to Bob. Now, if Alice wants to send a packet containing a sploit, the server can clean up the packet before Bob gets it.

        • You have ignored the posibility of the attacker using raw sockets to send messages directly to the victim with a source IP faked to look like the AOL Oscar servers.

          I breifly looked at the exploit code and it looks like the cient and server may be using nonces to provide very week message integrity. However, as the poster implied, non-filtered IP networks are still vunerable.

    • Good thing everyone who reads slashdot uses Linux. And those who DO use windows would NEVER use AOL.

      </sarcasm>

    • Yes, but you still need to get the packet in question processed in the right part of AIM. Previously, these could be sent normally through the service from another user. Now, you somehow have to slip it into the communication stream, afaik this means using some sort of packet sniffer to find and monitor the connection for a while at least.

      This is not security through obscurity, it's taking a trivial exploit and making it nearly impossible. I should hope they're also working on fixing the actual buffer overflow, but for now, and for users who don't upgrade (or don't know how) once this is done, it's much less of a concern.
      • "making it nearly impossible" is one of the things security through obscurity is all about though... sure... it's nearly impossible, until next wednesday, when someone finds out that if you push THIS button, and turn THAT knob, and set the 42nd bit, then the hole is back in plain view again. :)
        • but that's not how it is. The bug is still known, we still know how to exploit it, nothing is obscured. (well, maybe to the general populus, but the "hackers" are the important people here and they aren't gonna be fooled by this)

          It's nearly impossible in that it's EXTREMELY hard to exploit now, whereas it was fairly simple before.

  • Strong passwords? (Score:3, Insightful)

    by Suicyco ( 88284 ) on Thursday January 03, 2002 @08:30PM (#2782487) Homepage

    Well perhaps some people use stego and might actually have used strong passwords that could not be guessed by a dictionary attack. If I were communicating secretly using the internet, I would first encrypt the message with pgp, then place the encrypted text into a large jpeg WITH a strong password, and post to a half dozen groups. How would any kind of attack (well any reasonable attack) be able to detect my message? Even if the dictionary attack worked, how would you know the result was the real message, since it would appear to be random garbage, just like all the incorrectly passworded dumps? Just doesn't seem like this is something you can do, its taking distributed.net several years to crack ONE message. How would you go about finding a needle in a haystack, and THEN decoding it? We are talking tens of millions of images. What is the point of this? I'm sure people use stego, for whatever reason, why wouldn't they? Some hacker group, or warez group, or terrorists or whatever, somewhere, at some time, posted stego'd images to usenet.
  • The Biggest Security Hole is stupid users. Since AIM is mostly comprised of AOL users (henceforth known as lamers), we can also assume that the service is quite insecure. However, the lamers don't really care, as they don't realize just how easy a bug would be to exploit (people make scripts, scripts give rise to script kiddies). So...AIM is bad.

  • AIM Bugs (Score:5, Interesting)

    by mESSDan ( 302670 ) on Thursday January 03, 2002 @08:31PM (#2782493) Homepage
    I'm curious, I went looking on the AIM website for somewhere to send information about a SERIOUS bug like the one that was discovered, and of course I didn't find one. So, I'm not surprised when it said in the Yahoo article that they didn't receive a response back after a week, considering that if they submitted it using the "Found an Error" part of the website, it probably got mixed in with thousands of other messages.

    Does anyone know a faster way to contact the major software vendors about a severe security issue BESIDES letting them read about it on the front page of their favorite news portal?

    (Note, I only said faster, not better)
    • Perhaps one should consider communication media other than email. :-) Most companies have a link to a 'corporate' area of their website. Just call their press line. :-)

    • Re:AIM Bugs (Score:3, Funny)

      by iorange ( 182311 )
      go here [sec.gov] to search the SEC's Edgar archives and get corporate switchboard numbers. Call and ask to be connected to the office of the president/ a board member/ CTO/ whatever strikes your fancy. You will most likely be connected to their secretary. Tell the secretary what's going on, and she will do the legwork for you of figuring out who in the company needs to be contacted and hook you up with them. Works for me.
    • step 1.) Connect to cable modem
      step 2.) send an e-mail - subject: Hey Osama We're ready to blow up the Whitehouse Tomorrow
      step 3.) let the FBI deal with it they carnivore captures the e-mail and puts it on their priority list to read.

  • So that's who that fiery bastard was. (Score:5, Funny)

    by Chris Burke ( 6130 ) on Thursday January 03, 2002 @08:36PM (#2782514) Homepage
    I remember from last winter term some guy had a background process running on every single workstation in the CAEN labs. If you killed it (users logged in at the console can kill large/cpu hungry apps with a special script) it would just come back. It used lots of CPU cycles. It made it hard to get work done. It pissed us all off, and was made worse by his dismissive responses to requests to cut it out.

    Basically, we all wanted to kick his ass, and now we know who he is. Unless I'm wrong... but I'll ignore that possibility, because it'd get in the way of a good wupin'.
    • And to think that all those CPU cycles could have been used on a project that might actually find something one day.. like Seti@home or RC5 :)
      Not to mention that those clients are a bit nicer about not stealing cycles from user apps.
      • How might RC5 find something useful some day? The key was generated by the people who run the contest. If you discover it, well, big deal -- they could have just not destroyed the key in the first place and that would set us ahead several hundred CPU-years!

        Try GIMPS for the "find something some day" (they have actually found several of the largest known primes) and the results are mathematically sound and verifiable...
        • I'm actually for beating the OGR in the RC5 client. Which has nothing to do with crypto that I know of offhand. It'd probably help space exploration, and it beats processing space-noise.
      • And to think that all those CPU cycles could have been used on a project that might actually find something one day.. like Seti@home or RC5

        Forget Seti@Home or RC5.

        How about all those CPU cycles being used on a project that might actually find something one day... like a genetic algorithm that evolves a pr0n recognition filter.
    • i forwarded your threat to the university of michigan's department of public safety, the campus cops. better start encrypting all that pr0n on your hard drive before they seize it.

      i also sent it to the university of michigan's dean of engineering. i suggest you get all your computer-related coursework done in a hurry, while you still have computing privileges.

      nobody
  • For those who prefer clicking to cut-and-pasting, the Steganography update is here [umich.edu].

    I suspect there are several reasons why they haven't found any Stegonography in Usenet pictures:

    1. Very few people find it necessary to hide information in Usenet.
    2. Of those who might find it necessary, few actually have heard of Steganography and know how to use it.
    3. Those who know enough about Stego have encypted their messages first; you won't find these with dictionary attacks - the method the article suggests they used on "suspicious" images.
    It is impossible to differentiate between random numbers (noise) and strong encryption. Are there not places within certain images where low order bits have noise that is completely random and thus a perfect hiding place for encrypted messages? [oltronics.net]

    This Article seems to suggest that it isn't possible to hide info in gifs such that it is undetectable and that more research should be done on JPEGs. Anyone know the state of the art on this?

  • Unsurprising findings on the steg front... (Score:4, Interesting)

    by electricmonk ( 169355 ) on Thursday January 03, 2002 @08:43PM (#2782548) Homepage
    I'm really not that surprised that they didn't find anything out of all the USENET images that they scanned. First of all, even considering that they had such immense computational power at their disposal, stegonography done right would probably elude detection by any software currently available. Secondly, they have probably not considered the fact that the messages that are hidden could be encrypted, thus thwarting any kind of dictionary attack against the image. This actually serves to strengthen the security of the message, since to brute-force the message they not only have to decrypt the message, but they have to find the right bits to decrypt in the first place.

    Really, even with a Beowulf cluster, processing that many images so soon makes it seem like they gave it only a cursory examination.

    • I tried stegdetect. (Score:2, Informative)

      by leuk_he ( 194174 )
      In an effort to make a "first post" that would be found by stegdetect i failed so far:.

      Making a small image that contains "first post" with jhsteg stegdetct fails to find it.

      If i make a big picture jpsteg warns it fails to insert to complete file.
      By simply resizing the picture(paint shop pro) it should hide in stegdetect says:(skipped)this is likely a false positive. just because the origin is blocky.
      Blurring the orginal picture solves this problem and after 3 more ties i find a ratio the jpsteg program still allows to insert and at the same time makes stegdetect bark.

      Now to insert it in usenet: sh*t no usenet access from this location, and a fail to find a free service to insert a picture. Ebay needs a credit card, so no luck inserting it in ebay.

      well maybe later......

  • Steganography is just another excuse... (Score:5, Funny)

    by Wrexs0ul ( 515885 ) <mmeier@rackni n e .com> on Thursday January 03, 2002 @08:45PM (#2782555) Homepage
    This was likely just a reason for the group to download and view millions upon millions of pr0n pics. Then again I was always knew pictures like that carried hidden messages :)

    ..."There must be a hidden message, let's just stare at it a little longer"...

    -Wrexsoul

  • Cable, DSL,, and Privacy (Score:4, Redundant)

    by SuperDuG ( 134989 ) <be@@@eclec...tk> on Thursday January 03, 2002 @09:37PM (#2782760) Homepage Journal
    I have posted before, but since my submission to slashdot was rejected on numerous occasions I will repost.

    My previous comment [slashdot.org] states:

    Well Charter Cable customers now have the wonderous Tioga spyware installed on their systems. It's been posted to slashdot a few times and been rejected. Members from the MadLug (Madison, WI). Have noted that the new service listens on a specific port to monitor and "Assist".

    The county board is also investigating this. The software is supposed to be a VNC-Type program that helps Service Reps service computers. Basically I see this as a way for them to not only monitor, but have their way with your system. Along with this software also comes a real annoying Internet Explorer with Charter MSN crap everywhere, diabling network shares, and reformating TCP/IP to their network. Basically everything you can do yourself, but they won't tell you because they want you to install their software.

    The whole thing stinks and the company is hiding behind lawyers and PR reps to try and get the whole situation worked out. Basically they released a new service, and the MadLUG guys were on them in 2 days when they noticed weird activity.

    Moral of the story ... don't screw with geeks ... we'll find you ... we know who you are :-)

    Which is still the case and is still "required" to use their service or receive any help from their helpdesk.

    I still think this stinks and is definantelly not neccessary for the service to be availalbe. I have taken screen captures of Linux, BSD, QNX, BeOS, Win95/98/NT/ME/2K/XP all running the software (even though they say it only runs on 98/2K/and XP). And I know from witnessed experience that it works on Mac OS 9&X ... basically any OS that can do TCP/IP and has DHCP support.

    So not only is this software not neccessary but it seems to be some sort of ploy to promote WinBlows and crap on other OS's not just linux.

    • but after the tech set up my machine I just ran ipconfig to get the DHCP etc settings and reimaged my machine. I still get the same port scan from them on a regular basis and their DHCP server send a strange option to my client, but it works and they have not complained or tried shut me down.
    • AT&T "deathstar" broadband does the same thing. In fact, I installed their cute virtual technician software and it ended up fucking my machine up a bit. Fixable, but still annoying.

      If asked about WHY companies include spyware / trojans, they usually burp something wet and smelly up about how falling revinues from banner ads (blech) etc, aren't all there. Duhhh!!! Then they point out the fact that by clicking the "Agree" button you have agreed to anything they want to do to your computer, privacy, or anal orifice. Basically, I see that in the very near future, every windows program will have built-in spyware that phones home to mamma. Even right now, limewire, gnutella, kazaa, bearshare, any commercial game demo (except RTCW, thanks ID!!!), unregistered and maybe even registered opera, and a whole glut of software I am not aware of and could care less about already have it built in.

      Maybe that's what Magic Lantern is: the spyware that is included by default in most new software.

      Fuck all that shit in the ear.

  • qwest deception (Score:2, Informative)

    by astar ( 203020 )
    I read the linked message in the original post and saw the phone number to call. After waiting for their normal office hours, I called and talked to a human. I asked that they not rent or sell my personal information or calling patterns internally or with their marketing partners.
    The response was that the agent had removed my authorization to share that information among the different parts of qwest. This was not specifically what I asked for. So I called that to his attention and he said he would do that. On questioning about why it had not happened when I first asked for it, he said that you had to specifically ask for it.

    Note that in the end, he just said he would take care of it.

    I am crankish about snail spam and make it point to do my best about getting off mailing lists and I have learned there a number of sleazy companies out there. For instance, you have to not only get off a mailing list, but specify that your name not be rented or sold. Most people I think would not have caught the qwest deceit.

    A good source of information on what to do about snail spam is junkbusters [junkbusters.org]

  • Re: Stenography (Score:3, Funny)

    by t_allardyce ( 48447 ) on Thursday January 03, 2002 @09:56PM (#2782845) Journal
    fhuweioqrywrhlfasdofuoeqr
    jghgjklsdnmvxhjsohfweffhi
    ueruioywerueyoryprqypwpwe
    dieamericaninfidelsiwillb
    ebackforthewhitehousesign
    edosamabinladenjoiwejrorj
    uytutuiyroiyquirywroqyiwr
    rjweoirjeroewiroijwjrvvds
    ewqbejrkqhrhuewqhrquirqow
    uireqryupqtrghjgfhgfhjafa
    keqjrbjrbuiewhruqiwurihuf

    This ascii art is a conversion of a picture of the rubble at the world trade center, can anyone find the hidden message?
    • die american infidels i will be back for the whitehouse signed osama binladen

      I fear that he's got better crypto people that /. has...

      :-)

      -- Multics

    • I tried decrypting the "die american infidels" text through the extremely strong ROT13 cipher, but all I got was this junk:

      suhjrvbdeljeuysnfqbshbrde
      wtutwxyfqazikuwfbusjrssuv
      hrehvbljrehrlbelcedlcjcjr
      qvrnzrevpnavasvqryfvjvyyo
      ronpxsbegurjuvgrubhfrfvta
      rqbfnznovaynqrawbvjrwebew
      hlghghvlebvldhveljebdlvje
      ewjrbvewrebrjvebvwjweiiqf
      rjdorwexdueuhrjduedhvedbj
      hverdelhcdgetuwtsutsuwnsn
      xrdweoweohvrjuehdvjhevuhs

      What version of MPACK do I have to use to see the naked Lewinsky JPEG?
  • They've done it! They solved NP Complete!

    Otherwise, how would they know I haven't used my own encryption key, then another different key, to hide images in encrypted images.

    I know, I know, Troll.

  • Stego (Score:2)

    by crisco ( 4669 )
    I need to post some stego'd pics just so these guys can find some stuff.

  • Somebody should run stegdetect on color copies! (Score:3, Interesting)

    by GlenRaphael ( 8539 ) on Thursday January 03, 2002 @11:12PM (#2783094) Homepage
    According to many links in an earlier /. story, color Xerox copy machines currently embed a serial number in every copy they make. So has anybody tried making a color copy of something, scanning it, and using stegdetect on the result?
    • According to many links in an earlier /. story, color Xerox copy machines currently embed a serial number in every copy they make.

      No boss, I can prove that I didn't use any company resources. Check the dither on the yellow ink - I ran off copies of my ass at Kinkos #3361!

  • How to do good steganography (Score:3, Insightful)

    by DickBreath ( 207180 ) on Thursday January 03, 2002 @11:19PM (#2783114) Homepage
    If the purpose of steganography is to conceal the very existence of a message; and, a tool (stegdetect) exists which attempts to spot concealed messages; then it seems to me that if you are trying to conceal a message into a picture on usenet and on the web that you would at least run all your images through stegdetect to be sure that it cannot detect the concealed message.

    Could this be why no stego messages are being detected?
  • This is a two level challenge. I have steganographically hidden data in two pictures on E-bay. The first level picture contains 32 bytes of steganographicly embedded data. The second level picture contains 256 bytes of steganographicly embedded data.

    The first person to locate the first level data will receive a public congratulations on the official challenge web site. The first person to locate and correctly identify the second level data will receive ONE MILLION DOLLARS!

    The 32 bytes of the first level challenge consists of a string of zeros.
    The 256 bytes of the second level challenge consists of white noise.

    -
    • The 32 bytes of the first level challenge consists of a string of zeros.
      The 256 bytes of the second level challenge consists of white noise.

      I hope that you will not get called on that. Many steganographic systems leave signatures and header information in the images that are completely independent of the data that you hide. That means you can detect such a steganographic system without knowing anything about the hidden data.

      Furthermore, white noise in terms of randomness is something detectable, too. Most images do not exhibit random noise in their lower layers.

      There is a paper by Westfeld and Pfitzmann that shows visual attacks that depend on the fact that steganographic systems leave white noise behind destroying visual structures in the lower layers.

  • ...search of hidden messages in USENET images...

    ... for downloading alt.binaries.pictures.erotica :)

Slashdot Top Deals

Anyone can make an omelet with eggs. The trick is to make one with none.

Close