Slashback: Streamend, Stego, Patches 150
Getcher hot streams while they last ... jmoffitt writes: "In his post to the Vorbis list, Ciaran announced that the Ogg Vorbis BBC streams of Radio 1 and Radio 4 that we've enjoyed since early November would go offline as the test is ending. Everyone is encouraged to send their encouragement for these streams to continue to webweaver@bbc.co.uk. Also, as a special treat, the Radio 4 Ogg stream has been extended a week - just enough for all to catch the first episode of Lord of the Rings on Saturday at 1430 GMT."
Please mind the people interrupting your privacy. Matt Clauson writes: "Discussion list for the Qwest privacy issue and possible protest action has been set up -- send an email qwest-action-subscribe@dotorg.org to subscribe to it."
Plug, plug, plug ... timekillerj writes "Well it looks like AOL jumped right in and fixed that pesky hole. We can all go back to speculating how insecure it is now. An article on Yahoo has more info, including a short debate on w00w00 disclosing before getting a response from AOL."
Backstepping by any other name ... dagoalieman writes "It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.
Nope, still don't see any. Niels Provos writes: "I just updated http://www.citi.umich.edu/u/provos/stego/usenet.php to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message.
I also released a new version of stegdetect.
The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak performance is comparable to 72 1200 MHz Pentium III machines :-) ...
Below my mail to the cryptography mailing list.
Thanks for the update, Niels!------- Forwarded Message
From: Niels Provos <provos@citi.umich.edu>
To: cryptography@wasabisystems.com
Subject: Stegdetect 0.4 released and results from USENET search available
Date: Fri, 21 Dec 2001 12:16:14 -0500
Sender: provos@citi.umich.eduI just released Stegdetect 0.4. It contains the following changes:
- Improved detection accuracy for JSteg and JPhide.
- JPEG Header Analysis reduces false positives.
- JPEG Header Analysis provides rudimentary detection of F5.
- Stegbreak uses the file magic utility to improve dictionary
attack against OutGuess 0.13b.You can download the UNIX source code or windows binary from
http://www.outguess.org/download.php
- -----
The results from analyzing one million images from the Internet Archive's USENET archive are available at http://www.citi.umich.edu/u/provos/stego/usenet.php.
[...]
After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis.
This page provides details about the analysis of one million images from the Internet Archive's USENET archive.
Comments and feedback are welcome. We have an FAQ at http://www.citi.umich.edu/u/provos/stego/faq.html"Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single hidden message. [...]
So.... (Score:2, Interesting)
In plain English, does this mean that the whole 'warning' by the FBI was FUD, plain and simple?
Re:So.... (Score:4, Informative)
Is it just me... (Score:1)
The Reg [theregister.co.uk] actually defending Microsoft?
Thanks for the link. That was a really interesting read...
Re:So.... (Score:2, Informative)
Another thing they are discounting is XP's default Internet firewall function. When XP is initially configured, it asks you a question stated something like "Do you directly connect to the Internet (or not sure), or are you connected to a LAN?" If you select "directly connected," your adapter is automatically firewalled. Also, I noticed that the UPnP service does not start automatically, and last I checked it was listed as "Manual" startup and not enabled. So much for that.
Re:So.... (Score:3, Informative)
2) UPnP service is not the one with the vulnerability. It's the SSDP Discovery Service. It's also a manual startup, but it's started after boot on my box and every other xp box I've ever looked at (OK that's only about 5).
Re:So.... (Score:2, Informative)
Here is some more info... (Score:3, Informative)
Note to moderators: the following has to do with Windows XP (SatanOS 5.1), so don't let that influence your moderation.
PLEASE NOTE: There is a great deal of confusion being caused by Microsoft's non-obvious naming of the two UPnP services. This situation is exacerbated by the FBI's NIPC web site, which has unfortunately posted wrong information over the holidays. People are led to believe that disabling the service named "Universal Plug and Play Device Host" disables the UPnP system. But it does not. That service is not even running by default. The correct action is to STOP then DISABLE the service named "SSDP Discovery Service".
You can demonstrate this for yourself by issuing the command "netstat -an" at a command prompt. While the SSDP Discovery service is running, Netstat will show that TCP port 5000 is in the listening state and UDP port 1900 is accepting inbound datagrams. After the SSDP Discovery Service has been stopped those Netstat lines will disappear.
No jokers out there?? (Score:4, Funny)
Re:No jokers out there?? (Score:1)
Woohoo, isn't proving a negative all kinds of fun?
Re:No jokers out there?? (Score:1)
Re:No jokers out there?? (Score:1)
Re:No jokers out there?? (Score:2)
Basically, this kind of analysis constitutes an even weaker hypothetical effort than RC-56, or any of those distributed.net challenges, since it's not a given that the image is the sole medium for the message.
Stegan (Score:1)
umm, cat got your tongue? Unless the "hidden message" was "I hit submit too soon"...
Re:Pot/Kettle? (Score:1)
Punters (Score:1)
Ogg streaming is a step in the right direction (Score:5, Insightful)
Succesful experiences like the BBC one can change this.
Re:Ogg streaming is a step in the right direction (Score:2, Insightful)
Lack of advertising? No one uses it because MP3 is entrenched, so the network effect is in play: To dethrone it you have to have demonstratable advantages that motivate people to adopt it, and honestly as of yet I haven't seen those advantages. The WMA format has the exact same dilemma, but even with claims that it's 2x better at a given bitrate (I'm not claiming that: Just what I've heard), the entrenchment of MP3 still makes people go "Bah...not worth it".
Re:Ogg streaming is a step in the right direction (Score:2, Informative)
I think what you meant to say is that you haven't heard the audible benefits of using ogg. I have something in mind that might change your mind, its only one example but i think it will suffice. And keep in mind that the next release of the ogg encoder (RC4) will have even more improvements in the low bitrate range.
Try the following streams, one is ogg and the other mp3 , both broadcasting 32Kbps/mono.
ogg123 -d oss -vp 64 http://shoutcast.mediacast1.com:7000/32.ogg
mpg123 -b 64 -u a http://shoutcast.mediacast1.com:7005/32
If you believe the mp3 stream sounds better then I suggest you give a reputable otorhinolaryngologist in your area a visit... or talk to El Rusbo if that cooks your noodles.
Re:Ogg streaming is a step in the right direction (Score:1)
But then, much like the low bitrate Windows Media format claims, it's irrelevant to a large percentage of the people who use MP3s. When I stream radio I do so always at 128Kbps stereo, or at absolutely worst 96Kbps stereo. It is there where the difference between ogg and mp3 would matter to me. For stored MP3s of course the minimum the vast majority of people touch is 128Kbps.
Re:Ogg streaming is a step in the right direction (Score:3, Informative)
as for higher bit rates I suggest you play around a bit with it... _some_ have said nominal 128kbps ogg is better than 160K lame encodings...
use -q 3.75
Re:Ogg streaming is a step in the right direction (Score:2, Insightful)
Ah very good point indeed. Indeed to be honest if there was a way to get credible sounding streams with 64Kbps, then I'd use that as I feel a little guilty listening to DNA Lounge at 128Kbps. There is definitely a need for high quality, low bitrate solutions.
Re:Ogg streaming is a step in the right direction (Score:1)
Sure that word works too. By "network effect" I'm referring to the fact that "everyone else uses MP3s, so I will too". It's the same premise that keeps Windows on top year after year: People want to use what their friends and family are using.
Re:Ogg streaming is a step in the right direction (Score:1)
Get the DSK, write the patch... I'll listen to OGG, not a problem. I would even be willing to transcode all my MP3s to OGG, but unless I can carry them with me in my car (without using my laptop) You don't have a chance
Re:Ogg streaming is a step in the right direction (Score:1)
For sure it's a different scale, but it's the same premise: i.e. You're a internet broadcaster and you want to start streaming some media -> Unless you're an evangelist, you choose a format based upon the deployed base because it isn't reasonable to say "Come, listen to our music! Oh but download and install plug-in XYZ". You get away with that if the user who doesn't have it is the odd man out, but otherwise most users will just "change the channel".
Am I readintg this right (Score:4, Insightful)
``We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said.
Sorry if your organiuzation is too big to react that quickly...
Re:Am I readintg this right (Score:1)
only in english (Score:3, Insightful)
Re:only in english (Score:3, Insightful)
personally, I think that the best gimmick would be to encode a small picture of a message into another larger picture. That would mess up the search for plain text ;-)
Re:only in english (Score:1)
Good idea about making an image of the message and stegoing that into an image, except that the stego content is typically much smaller than the original file size. Encrypting before using stego should make it much less detectable. I would guess that any intelligent stego search would include checks for standard file headers.
Re:only in english (Score:2, Insightful)
in theory if you encrypt your message via any good standard method, it should result in something that even statistically looks like random garbage.
Re:only in english (Score:1, Interesting)
When stego hit the news before, a year ago, I posted a message to a binaries group a year ago with stego in it and not a single of these studies has found it. I invented the method, which seemed obvious to me, and they didn't find it. I don't expect them to.
It's not that my stego was smart, but that it was foreign, and there are a million more ways to stego than to encrypt it.
ps. My dumb method was to encode five paragraphs of shakespeare. Shuffle the letter placing ABC to CAB and add it to each [sq. root of PI]'th pixel so it would occasionally skip one. It was added to a picture, of course, of goatse.
Re:only in english (Score:2, Informative)
if you look at arabic you'll notice a lot of flowing lines and a more "cursive" appearance.
this is why your character coding is called "ROMAN" not "ARABIC".
Re:only in english (Score:1)
While it may have been stolen from the greeks, no one calls them greecian script.
Hmm... (Score:4, Funny)
Ok, i give up -- where did you steganographically hide the rest of that sentence?
stego (Score:2)
Just because you can't see it... (Score:4, Insightful)
Also, if I was going to try to send a message via steganography, I wouldn't be doing it with images on Usenet. I'd make some useless personal homepage (god knows there are enough of those already, and nobody visits them), and put my steg. image on there. Or, I would use a more primitive kind of steganography--code words embedded in seemingly innocent messages. There's a hell of a lot more spam on usenet than images, so it would be better concealed that way.
www.spammimic.com (Score:3, Informative)
Re:www.spammimic.com (Score:1)
Re:Just because you can't see it... (Score:2)
The problem with this is that assuming someone does find the hidden message in one of the images, then it is easy to install Carnivore, or similar and watch all traffic requesting the page. USENET gets distributed all over the place - that's why it gets used for things where people don't want a centralised log of the fact they downloaded it (pr0n, warez, contentious views).
Download some alt.binaries.images.erotica.* files, paste on a fake BBS ad, and embed your message. Repost. No-one will try and call the BBS, or be surprised if the details "don't work".
I agree that not finding messages doesn't mean they aren't there, however.
Re:Just because you can't see it... (Score:2, Informative)
Stegdetect checks for the signatures of three steg programs (JSteg, JPHide, and OutGuess .13b)(Research Paper [umich.edu]), and it does not detect new algorithms. Also, the effectiveness of stegdetect is determined by what steg program was used. It missed from 5% of JSteg stegs to 60% of OutGuess stegs. Finally, they did not try to detect stegs generated with OutGuess 0.2 because it has a better method of randomly selecting bits to change.
AOL did NOT fix the hole (Score:3, Insightful)
Big deal!!
Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.
They havn't changed the fact that there is a buffer overflow in the IM client. This means that AIM users (using the official client) are still vulnerable. AOL has simply made it a bit more obscure, and we all know that security through obscurity is not secure at all.
Re:AOL did NOT fix the hole (Score:1)
Now how many of you were hit with destructive worms/viruses thanks to Outlook? MIIS?
Point made. Yes, AOL's fix isn't ideal, but then were not being flooded with destructive code that way are we?
When AOL hits the top 10 methods of virus propogation, then you can lambast them for poor software design and closed standards.
Lee
Re:AOL did NOT fix the hole (Score:1)
Who knows? Maybe thousands of people are being hit every day, but don't have a clue as to where the computer's "problems" are coming from. Many people shrug off something unusual as "just one of those complicated computer things", and haven't a clue why when they power on the computer all they see is a blinking cursor.
Re:AOL did NOT fix the hole (Score:2, Insightful)
format?, fdisk? delete all their files?
no, that's what lame schoolkids do
real black hats don't trash your system, they try and keep it alive so they can use it for nefarious activities.
I don;t know much about the AIM one but with Sub7 which was an icq based virus the victim would maybe just have strange things happen occasionally (screen upside down, follow the white rabbit stuff etc.). Or the attacker would just take webcam pictures and download them without the victim's knowledge or consent. Read their email, read their icq log, look at their bookmarks, poke around for text files containing passwords, edit
Just because your PC isn't "broken" doesn't mean you're not infected. Only the lamest viruses are destructive for without hosts there is no life.
Re:AOL did NOT fix the hole (Score:1)
The truth is you're correct. But then if you had a 'black hat' back door planted on your system for use in some nefarious scheme to arrange attacks, don't you think it would eventually get used? And when it did, then it would be revealed? Example: the Denial Of Service attacks early last year.
Being paranoid is a good thing, and it's your choice not to run AOL/AIM. That's fine. But all in all, I'd rather spend my time worrying about already known, highly STUPID, well documented and frequently abused security risks that remain UNFIXED (read Outlook), than to conjecture about possible security attacks in a protocol that's at least been patched.
Yes it's a secret protocol, and that makes it unavailable for public inspection. But there remain many well documented public protocols that continue to be used, with known security issues. Even OpenSSH, a gem of a program I use regularly, had possible security exploits. Heck even my favorite software house, Apple, has "Airport" code which is subject to WEP exploits.
If you want to get on AOL's case for not being responsive to the original complaint, you might have a case. However, the message I responded was lambasting them for having 'patched' the problem in a a way the poster didn't approve of. Actually I think AOL was pretty quick in applying the patch, compared to some manufacturers (read REDMOND).
Finally, if I were a 'black hat', I use the obvious easy holes to plant nefarious difficult to detect code. Instead of wasting hours/days/weeks analyzing packet transfers on AIM to try to detect possible locations for buffer overflows, just to plant that same code. But that's me, and the last time I 'hacked' anything was on an Apple 2 with poke. [Ok, I did have to hack root access on some NeXT boxes, but I was the system admin of those boxes at the time, and it was work related.] Guess that makes me 'white hat'.
Lee
Re:AOL did NOT fix the hole (Score:1)
Oh, so THAT'S where I've been going wrong. I'll try electrical tape next time, thanks for the advice!
(It's a bad attempt at humor, mods. Laugh.)
Re:AOL did NOT fix the hole (Score:3, Insightful)
I think it's pretty much given that this is the most reasonable course of action - AOL is primarily for people who aren't that great with computers, and very well could have difficulties upgrading, if they decided to do so, so instead of forcing all of their millions of users to fix it themselves (that's basically what it would come across as to most users - they don't know what's really going on), so AOL can simply block it themselves and fix the client in the next round of upgrades. And that leaves out the cost of extra bandwidth, people rushing to upgrade before they get hit, etc.
Obscurity would imply that they hid it; what they in fact did was block the exploit completely.
Re:AOL did NOT fix the hole (Score:3, Informative)
Sure, they shut off the easy way to launch an attack, but I can still send that same message from another host, can't I?
Re:AOL did NOT fix the hole (Score:2)
Re:AOL did NOT fix the hole (Score:2)
That is incorrect. They've stopped people from sending the bogus messages through their servers. How long do you think it would take to write a program that scans IP ranges for clients that are STILL SUSCEPTIBLE and attack them directly? 5 minutes? 10 minutes for a Code Red for AIM? This is not a fix by any means.
Re:AOL did NOT fix the hole (Score:3, Insightful)
There are plenty of ways the problem can still be exploited. AOL has simply made it a bit more difficult, but not impossible.
One of the biggest problems in the world of computer security world is thinking that a problem isn't going to be exploited because of its difficulty or obscurity. This has been proven time and time again when the most obscure little security holes get exploited repeatedly.
Re:AOL did NOT fix the hole (Score:1)
Familiar with the concept of packet insertion?
C'mon now, there are tons of man-in-the-middle exploits out there. When you download everybuddy or whatever IM software it is you use, do you really check the PGP key?
Re:AOL did NOT fix the hole (Score:1)
They did fix it - in order to exploit it, you had to send a message through AOL's servers. Harmful messages are now blocked at AOL's servers, so the exploit is no longer effective.
The scary part here is that AOL has basically admitted that it has a back door into every system which runs AIM. I wonder how that law about music companies (Time Warner) breaking into the machines of suspected copyright violators is going.
Not to mention simple DNS attacks, attacks from someone working at AOL, attacks from someone who broke into AOL's servers.
Could even be the next new "I love you" worm. Send an html link containing a registry edit to change the IP address of the AIM server to the person sending the link. Then when the user reconnects to what it thinks is the AIM server (which you could probably force in some way), hack in, start up its own fake AIM server, and send the link on to everyone in the users buddy list.
Re:AOL did NOT fix the hole (Score:3, Insightful)
I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.
Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.
I dunno - that sounds pretty damn effective to me. Much stronger than latex, and it certainly won't slide off.
They havn't changed the fact that there is a buffer overflow in the IM client.
Obviously, you *can't* change the fact that a particular version has a bug, but you can release a new one. The problem is that it takes a long time to get everybody to update, so this is actually a pretty good fix, notwithstanding the issue of people using the software without the benefit of this filter.
It DOES run through a central server (Score:2)
I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.
Let me tell you how AIM, IRC, Jabber, and other popular real-time messaging systems work. Alice and Bob each send name, password, and client binary hash to server. Server responds with buddy list, including presence information. Alice wants to send message to Bob. Alice sends packets to server, which processes those packets and forwards them to Bob. Now, if Alice wants to send a packet containing a sploit, the server can clean up the packet before Bob gets it.
Re:It DOES run through a central server (Score:1)
I breifly looked at the exploit code and it looks like the cient and server may be using nonces to provide very week message integrity. However, as the poster implied, non-filtered IP networks are still vunerable.
Re:AOL did NOT fix the hole (Score:2)
Good thing everyone who reads slashdot uses Linux. And those who DO use windows would NEVER use AOL.
</sarcasm>
Re:AOL did NOT fix the hole (Score:2, Interesting)
This is not security through obscurity, it's taking a trivial exploit and making it nearly impossible. I should hope they're also working on fixing the actual buffer overflow, but for now, and for users who don't upgrade (or don't know how) once this is done, it's much less of a concern.
Re:AOL did NOT fix the hole (Score:1)
Re:AOL did NOT fix the hole (Score:1)
It's nearly impossible in that it's EXTREMELY hard to exploit now, whereas it was fairly simple before.
Strong passwords? (Score:3, Insightful)
Well perhaps some people use stego and might actually have used strong passwords that could not be guessed by a dictionary attack. If I were communicating secretly using the internet, I would first encrypt the message with pgp, then place the encrypted text into a large jpeg WITH a strong password, and post to a half dozen groups. How would any kind of attack (well any reasonable attack) be able to detect my message? Even if the dictionary attack worked, how would you know the result was the real message, since it would appear to be random garbage, just like all the incorrectly passworded dumps? Just doesn't seem like this is something you can do, its taking distributed.net several years to crack ONE message. How would you go about finding a needle in a haystack, and THEN decoding it? We are talking tens of millions of images. What is the point of this? I'm sure people use stego, for whatever reason, why wouldn't they? Some hacker group, or warez group, or terrorists or whatever, somewhere, at some time, posted stego'd images to usenet.
The Biggest Security Hole (Score:1, Flamebait)
AIM Bugs (Score:5, Interesting)
Does anyone know a faster way to contact the major software vendors about a severe security issue BESIDES letting them read about it on the front page of their favorite news portal?
(Note, I only said faster, not better)Re:AIM Bugs (Score:2)
Re:AIM Bugs (Score:3, Funny)
Re:AIM Bugs (Score:1)
step 2.) send an e-mail - subject: Hey Osama We're ready to blow up the Whitehouse Tomorrow
step 3.) let the FBI deal with it they carnivore captures the e-mail and puts it on their priority list to read.
Re:AIM Bugs (Score:1)
So that's who that fiery bastard was. (Score:5, Funny)
Basically, we all wanted to kick his ass, and now we know who he is. Unless I'm wrong... but I'll ignore that possibility, because it'd get in the way of a good wupin'.
Re:So that's who that fiery bastard was. (Score:1)
Not to mention that those clients are a bit nicer about not stealing cycles from user apps.
Re:So that's who that fiery bastard was. (Score:1)
Try GIMPS for the "find something some day" (they have actually found several of the largest known primes) and the results are mathematically sound and verifiable...
Re:So that's who that fiery bastard was. (Score:1)
Re:So that's who that fiery bastard was. (Score:1)
> I'd rather find some prize money than some
> really big but practically worthless number.
Well, that's a fine reason, but that's a lot different than doing it because it's more "useful" than this guy's steganography study.
BTW, the EFF has sponsored a very big reward for a 10 million digit prime. I'm not sure how your odds compare, but it's not *just* the number...
Re:So that's who that fiery bastard was. (Score:1)
Forget Seti@Home or RC5.
How about all those CPU cycles being used on a project that might actually find something one day... like a genetic algorithm that evolves a pr0n recognition filter.
Re:So that's who that fiery bastard was. (Score:1)
i also sent it to the university of michigan's dean of engineering. i suggest you get all your computer-related coursework done in a hurry, while you still have computing privileges.
nobody
Re:So that's who that fiery bastard was. (Score:2)
Re:So that's who that fiery bastard was. (Score:1)
so was mine
nobody
The point of Stego is that you can't see it. (Score:2, Interesting)
I suspect there are several reasons why they haven't found any Stegonography in Usenet pictures:
This Article seems to suggest that it isn't possible to hide info in gifs such that it is undetectable and that more research should be done on JPEGs. Anyone know the state of the art on this?
Unsurprising findings on the steg front... (Score:4, Interesting)
Really, even with a Beowulf cluster, processing that many images so soon makes it seem like they gave it only a cursory examination.
I tried stegdetect. (Score:2, Informative)
Making a small image that contains "first post" with jhsteg stegdetct fails to find it.
If i make a big picture jpsteg warns it fails to insert to complete file.
By simply resizing the picture(paint shop pro) it should hide in stegdetect says:(skipped)this is likely a false positive. just because the origin is blocky.
Blurring the orginal picture solves this problem and after 3 more ties i find a ratio the jpsteg program still allows to insert and at the same time makes stegdetect bark.
Now to insert it in usenet: sh*t no usenet access from this location, and a fail to find a free service to insert a picture. Ebay needs a credit card, so no luck inserting it in ebay.
well maybe later......
Steganography is just another excuse... (Score:5, Funny)
..."There must be a hidden message, let's just stare at it a little longer"...
-Wrexsoul
Re:Steganography is just another excuse... (Score:1)
Dunstan
Cable, DSL,, and Privacy (Score:4, Redundant)
My previous comment [slashdot.org] states:
Well Charter Cable customers now have the wonderous Tioga spyware installed on their systems. It's been posted to slashdot a few times and been rejected. Members from the MadLug (Madison, WI). Have noted that the new service listens on a specific port to monitor and "Assist".
The county board is also investigating this. The software is supposed to be a VNC-Type program that helps Service Reps service computers. Basically I see this as a way for them to not only monitor, but have their way with your system. Along with this software also comes a real annoying Internet Explorer with Charter MSN crap everywhere, diabling network shares, and reformating TCP/IP to their network. Basically everything you can do yourself, but they won't tell you because they want you to install their software.
The whole thing stinks and the company is hiding behind lawyers and PR reps to try and get the whole situation worked out. Basically they released a new service, and the MadLUG guys were on them in 2 days when they noticed weird activity.
Moral of the story ... don't screw with geeks ... we'll find you ... we know who you are :-)
Which is still the case and is still "required" to use their service or receive any help from their helpdesk.
I still think this stinks and is definantelly not neccessary for the service to be availalbe. I have taken screen captures of Linux, BSD, QNX, BeOS, Win95/98/NT/ME/2K/XP all running the software (even though they say it only runs on 98/2K/and XP). And I know from witnessed experience that it works on Mac OS 9&X ... basically any OS that can do TCP/IP and has DHCP support.
So not only is this software not neccessary but it seems to be some sort of ploy to promote WinBlows and crap on other OS's not just linux.
Shaw cable does the same (Score:1)
Re:Shaw cable does the same (Score:1)
Re:Cable, DSL,, and Privacy (Score:2, Informative)
If asked about WHY companies include spyware / trojans, they usually burp something wet and smelly up about how falling revinues from banner ads (blech) etc, aren't all there. Duhhh!!! Then they point out the fact that by clicking the "Agree" button you have agreed to anything they want to do to your computer, privacy, or anal orifice. Basically, I see that in the very near future, every windows program will have built-in spyware that phones home to mamma. Even right now, limewire, gnutella, kazaa, bearshare, any commercial game demo (except RTCW, thanks ID!!!), unregistered and maybe even registered opera, and a whole glut of software I am not aware of and could care less about already have it built in.
Maybe that's what Magic Lantern is: the spyware that is included by default in most new software.
Fuck all that shit in the ear.
Re:Cable, DSL,, and Privacy (Score:3, Insightful)
I'm just pissed they first deny the software is there and then don't tell you it's installed ... and always leave it on ... looks like an exploit just waiting to happen ... and looks like a real shady thing to do.
qwest deception (Score:2, Informative)
The response was that the agent had removed my authorization to share that information among the different parts of qwest. This was not specifically what I asked for. So I called that to his attention and he said he would do that. On questioning about why it had not happened when I first asked for it, he said that you had to specifically ask for it.
Note that in the end, he just said he would take care of it.
I am crankish about snail spam and make it point to do my best about getting off mailing lists and I have learned there a number of sleazy companies out there. For instance, you have to not only get off a mailing list, but specify that your name not be rented or sold. Most people I think would not have caught the qwest deceit.
A good source of information on what to do about snail spam is junkbusters [junkbusters.org]
Re: Stenography (Score:3, Funny)
jghgjklsdnmvxhjsohfweffhi
ueruioywerueyoryprqypwpwe
dieamericaninfidelsiwillb
ebackforthewhitehousesign
edosamabinladenjoiwejrorj
uytutuiyroiyquirywroqyiwr
rjweoirjeroewiroijwjrvvds
ewqbejrkqhrhuewqhrquirqow
uireqryupqtrghjgfhgfhjafa
keqjrbjrbuiewhruqiwurihuf
This ascii art is a conversion of a picture of the rubble at the world trade center, can anyone find the hidden message?
Re: Stenography (Score:1)
I fear that he's got better crypto people that /. has...
-- Multics
Re: Stenography (Score:3, Funny)
suhjrvbdeljeuysnfqbshbrde
wtutwxyfqazikuwfbusjrssuv
hrehvbljrehrlbelcedlcjcjr
qvrnzrevpnavasvqryfvjvyyo
ronpxsbegurjuvgrubhfrfvta
rqbfnznovaynqrawbvjrwebew
hlghghvlebvldhveljebdlvje
ewjrbvewrebrjvebvwjweiiqf
rjdorwexdueuhrjduedhvedbj
hverdelhcdgetuwtsutsuwnsn
xrdweoweohvrjuehdvjhevuhs
What version of MPACK do I have to use to see the naked Lewinsky JPEG?
Steno detection=NP Complete (Score:1)
Otherwise, how would they know I haven't used my own encryption key, then another different key, to hide images in encrypted images.
I know, I know, Troll.
Stego (Score:2)
Somebody should run stegdetect on color copies! (Score:3, Interesting)
Re:Somebody should run stegdetect on color copies! (Score:1)
No boss, I can prove that I didn't use any company resources. Check the dither on the yellow ink - I ran off copies of my ass at Kinkos #3361!
Re:Somebody should run stegdetect on color copies! (Score:2)
Okay, that's useful information, but the question is, what does the encoded information say? And is it possible to defeat it? If stegdetect can recover the string and it's unencrypted or badly encrypted, it would be a good start to copy the same image on multiple color copiers at the same Kinko's, see what bits change in the resulting signature.
How to do good steganography (Score:3, Insightful)
Could this be why no stego messages are being detected?
$1,000,000 stego challenge (Score:2)
The first person to locate the first level data will receive a public congratulations on the official challenge web site. The first person to locate and correctly identify the second level data will receive ONE MILLION DOLLARS!
The 32 bytes of the first level challenge consists of a string of zeros.
The 256 bytes of the second level challenge consists of white noise.
-
Re:$1,000,000 stego challenge (Score:1)
The 256 bytes of the second level challenge consists of white noise.
I hope that you will not get called on that. Many steganographic systems leave signatures and header information in the images that are completely independent of the data that you hide. That means you can detect such a steganographic system without knowing anything about the hidden data.
Furthermore, white noise in terms of randomness is something detectable, too. Most images do not exhibit random noise in their lower layers.
There is a paper by Westfeld and Pfitzmann that shows visual attacks that depend on the fact that steganographic systems leave white noise behind destroying visual structures in the lower layers.
Best excuse yet... (Score:1)
... for downloading alt.binaries.pictures.erotica