Domain: xtdnet.nl
Stories and comments across the archive that link to xtdnet.nl.
Comments · 25
-
Snake oil vendors?
Borderware has more than one said things along these lines then pointed out they sell a product that solves all the problems. The little thing they forget to mention, SIP can run over TLS or not. When it is running over TLS, SIPtap and others like it don't work. This is the same as imap, pop, and http. If you don't run them over TLS (or SSL as it used to be known), well someone with a sniffer can read it. I'd like to point out that Cox would like to take credit for this but there has been a program that does exactly this for many years called vomit. (See http://vomit.xtdnet.nl/). Now the media can also be encrypted or not encrypted - SRTP is used to encrypt the media. There are open source implementation of all of this.
-
old news
is this really news? vomit has been out since 2001 and etherreal has been doing this since about 2003...
-
This "threat" is as old as...stegosauri
After looking at millions of EBay images and USENET images for possible steg content, Niels Provos and Peter Honeyman found a grand total of ONE image with steg content "in the wild". That image was used by ABC News in a piece about.....steganography. Using Flickr represents no new threat vector. There really is nothing to see here. Oh, BTW, all the hip terrorists are Podcasting their stego. It's ueber-7eet!
-
Remember the post 9/11 image-messaging concern?
This reminds me of a concern that surfaced in the immediate wake of 9/11: that the bad guys were shunning traditional net-based communication (e-mail, forum/newsgroup postings, etc.) and might be using codes or signals embedded in images in common places (eBay, for example).
I seem to recall a distributed screen-saver type app that was being used to crunch through millions of hosted images. Not much to find online about this, but there are articles like this one at NewScientist.com suggesting that the effort was a washout. here are some more stats from a study that came up dry, but there always this reference to "first stenographic image in the wild" as reported by ABC back when. -
Remember the post 9/11 image-messaging concern?
This reminds me of a concern that surfaced in the immediate wake of 9/11: that the bad guys were shunning traditional net-based communication (e-mail, forum/newsgroup postings, etc.) and might be using codes or signals embedded in images in common places (eBay, for example).
I seem to recall a distributed screen-saver type app that was being used to crunch through millions of hosted images. Not much to find online about this, but there are articles like this one at NewScientist.com suggesting that the effort was a washout. here are some more stats from a study that came up dry, but there always this reference to "first stenographic image in the wild" as reported by ABC back when. -
Here's an ineresting little
paper (pdf) on detection of steganographic messages based on simple statistical analisys of the image. It seems to work well against 2 of the 3 major steganographic endodings they tried.
-
Re:stego wrapped pgp
Maybe statistical analysis can determine if a given image or other medium is possibly hiding information. But if that information is encrypted, doesn't it look like random data without the key? Without knowing the key or even the cipher used to encrypt it... how can it be shown to actually be information? "That's just random noise/corruption in my images your honor... I dont know what your talking about"
Statistical analysis can indeed detect where hidden information is placed into an image, usually by noticing that the balance of the image is off. In fact, using encrypted data is more likely to stand out because images are not usually populated with statistically random data.
Here's a piece on scanning Usenet for hidden images. As a broadcast medium you'd expect it to be most frequently used as you can anonymously post material and it is well-nigh impossible to locate the intended recipient. -
steganography isn't secure at all
This is all well and cute, but realistically speaking, no implementation of steganography is all that secure. Detection is fairly easy, and then a dictionary attack against the encrypted contents is used. [Link]
Its a twofold problem as I see it.
1. The hiding of encrypted data/images/text/whatever inside of an image file is based on the notion that security through obscurity raises the bar. Anyone who studies security knows that this is just not true. Since suspicious images are simple to detect, this layer of obscurity offers no real data protection than just encrypting the file and naming it "this-is-secure-data.blowfish". Its just a matter of what encryption method is used to secure the contents. Which brings me to my second point.
2. Since the basis of steganography is to hide information inside an image without disturbing the visual image, the size of the data contained within, from my understanding, is severely constrained. Thereby limiting the effectiveness of this technique in all but very large, suspicious, and still easily scanned images.
SO, by hiding one's data inside an image with this technique, one is left with a picture of a table that is just screaming to be scanned for its suspicious content. -
More than 50%!?!?
What? All my Email Accounts, along with the accounts of most everyone I know recieve around 75-90% Spam.
Only my account that subscribes to bugtraq and some other security focus lists doesn't have such a ratio.
Anybody who subscribes to those lists (should be almost everybody B-)) Knows that that doesn't say mutch though, with 20 messages a day from some of those lists, it's crazy.
But I degress, one account I've had for around 4 years now would be broken due to spam if it wasn't for yahoo's nice filters, now I don't see a drop of it. But my 'Bulk Mail' folder will fill up my 4meg account often in about a week, and I only maintain about 100-200k of saved stuff in there. Oh well, I did a little research for other people paying attention to their ammounts of spam (maybe blatent karma whoring, but who cares hehe):
spamfryer?
Spam Cop
Why spam is bad - Apparently a personal spam site
HiWaay - Alabama ISP, keeping records and real time graphs.
Other Interesting stuff:
MyRealBox - Test bed for Novells Mail server development, checkout the license agreement to get a free mail box, seriously, apparently you must pay $10 for every piece of spam you recieve in the box... Please correct me if you see it differently.
The Cost of Spam
sites from google and SpamCon. -
The use and state of DNSSECDNSSEC is long overdue. We not only need to secure our domains, we also need a secure placeholder for cryptographic information that's hierarchical. DNSSEC is the answer for that.
If you think DNSSEC is vapourware, your information is outdated. As I presented in various talks this year at BlackHat, DefCon and CCC this year, DNSSEC is ready to be deployed, and IS deployed.
We are currently running over 150 domains in DNSSEC, using bind9 and some perl tools written by RIPE. We are using this to accomplish IPsec Opportunistic Encryption, which means massive deployment of IPsec tunnels by using secured DNS information for key material.
Please see:
- The Dutch SECREG
- Opportunistic Encryption
- My OpenOffice or PowerPoint presentation on deplying DNSSEC and OE.
DNSSEC is not vapourware. It will happen, and you want it to happen. Think about VOIP using the ENUM dnszone without DNSSEC. Do you WANT your phonecalls to be hijacked? - The Dutch SECREG
-
The use and state of DNSSECDNSSEC is long overdue. We not only need to secure our domains, we also need a secure placeholder for cryptographic information that's hierarchical. DNSSEC is the answer for that.
If you think DNSSEC is vapourware, your information is outdated. As I presented in various talks this year at BlackHat, DefCon and CCC this year, DNSSEC is ready to be deployed, and IS deployed.
We are currently running over 150 domains in DNSSEC, using bind9 and some perl tools written by RIPE. We are using this to accomplish IPsec Opportunistic Encryption, which means massive deployment of IPsec tunnels by using secured DNS information for key material.
Please see:
- The Dutch SECREG
- Opportunistic Encryption
- My OpenOffice or PowerPoint presentation on deplying DNSSEC and OE.
DNSSEC is not vapourware. It will happen, and you want it to happen. Think about VOIP using the ENUM dnszone without DNSSEC. Do you WANT your phonecalls to be hijacked? - The Dutch SECREG
-
DNSSEC mini HOWTO
Paul Wouters from the FreeSWAN project spoke at DefCon 11 on DNSSEC... he has some materials online at: http://www.xtdnet.nl/paul/dnssec/
-
Great Application Name
One of the apps that use this is named VOMIT which seems to take a libpcap style dump of an Internet Telephone conversation and convert it to a wave. I'd love for some covernmetn spook to use this in a court of law. "Yeah, we got a phone tap, we're gonna use VOMIT".
-
Re:it only bothers the unknowing honest.
it's called hiding in a sea of garbage.
to be more precise steganography. more info here if you're not in the u.s. -
Cool!
Now I can listen in to all those phone calls in Best Buy with a laptop full of Vomit!
-
Depends on your setup
Encryption? Privacy? There's always VOMIT!
-
If you're interested...
You too can listen in to VOIP with voice over misconfigured internet telephones or vomit for short. It only works for Cisco IP phones, but I hear that this Cisco company may become a medium to large business in the networking industry.
-
Spam archive and statsIf you're looking for 5+ years of archived spam and plots of spam volume versus time, check out this guy's site.
His page of graphs shows the exponential growth of spam over the past few years.
-
Spam archive and statsIf you're looking for 5+ years of archived spam and plots of spam volume versus time, check out this guy's site.
His page of graphs shows the exponential growth of spam over the past few years.
-
Bayes Rule spam implemention *and* seedingEric Raymond has written Bogofilter that implements Paul Graham's idea. I've created a Badwords list for use with bogofilter seeded with my entire spam collection of four years.
Leto
-
Linux version of this program looks bogus to meI read the CNN article and went to the download site. I downloaded the file from thaiware.com.
I created a "testuser", chmod a+rw
/dev/dsp* and ran the thing. It seems like it's doing absolutely nothing. Though I'm curious was the experts can say about the straceMakes you wonder what the Windows version does. Too bad. I could use a working solution
:( -
Re:heh.. Security of calls?niels provos already wrote one: http://vomit.xtdnet.nl/.
nobody
-
Xenu not out of the woods yet
-
Xenu not out of the woods yet
-
Scientology, the money-making cult
The original web page in question, found at http://xenu.xtdnet.nl/ is entitled "Support the Dutch Action against the Church of $cientology." Put that with the fact that the information is supplied in a downloadable tarball, and, well, this guy has got to be a faithful Slashdot reader.
Then again, what more would you expect from an organization with figures like John Travolta and Tom Cruise...