Slashdot Mirror
Slashback: Subterfuge, Rejoinder, Caution
Good things come in hidden pictures. Intrepid strongman Dug Song writes, in reaction to the "fairly thin" piece earlier today on Steganographic anlysis:
"The only cutting edge, practical work being done today in steganalysis and steganography is by Niels Provos, who gave a talk at HAL2001, and is also presenting at the USENIX security symposium tomorrow: He's been developing several interesting tools to do steganalysis during the course of his universal stego engine development: (http://www.outguess.org/) including stegbreak (which can detect images produced by all popular stego tools -- except outguess), crawl (which he's used to download 2 million jpeg's from eBay to analyze), discern (his distributed computing platform), etc."
Hushing up is not such a good answer sometimes ... Reader Brian McWilliams <brian@pc-radio.com< notes regarding the thread on Slashdot about the costs of full disclosure, "you might want to add an update linking to this story Newsbytes did a couple days ago about the Richard Smith posting. Contains responses from eEye & full disclosure advocates, as well as some more ammo from Smith."
Smith doesn't take kindly to being blamed for damages caused by security holes he publically aired.
So you want to patent "bacon and eggs"? I guess that's OK then. You recently read about the McAffee patent on a seemingly overbroad stretch of computing transactions. Well, it's raised quite a few eyebrows among people interested in a fair computing marketplace. geoa points to this article in which "Neil McAllister in The Gate takes too long to say we shouldn't let another monopoly in the playpen."
It was soooo old ... For everyone enjoying the recent upswing in retro computing interest, Silicon Avatar writes with another tidbit: "Although not necessarily new news, I found a link today when someone mentioned Roland MT-32 to me. Starting with Space Quest IV, Sierra games were written to use either the Adlib soundcard or the Roland MT-32 'soundcard.' Quest Studios seems to have repository of MANY of those songs, including the 'lounge tape' I once had but lost!"
Put that in your souped up underclocked emulator and smoke it.
If you're looking for more than Sierra game music, check out the Videogame Music Archive for other 8,000 midis for NES, SNES, Genesis, and more. :-) Now that is nostalgia!
Actually, if you're really into the music from the Nintendo, Super Nintendo and other old console games, you really should check out Zophar's Domain.
You can download music rips from the actual games and download special players (many come in the form of a Winamp or even an XMMS plug-in :)
Join the TWIT army now!
Yeah, and I'm sure he downloaded them just to see if they used steganography...
sulli
RTFJ.
Oh, come on. I bet only 35% of those were pornographic. You can't fault a researcher for having 600,000 porn pix, it's his job.
Expanding a vast wasteland since 1996.
Patents like this one, they ought to take the costs of challenging them out of the salary for the idiot patent examiner who approved them. Unfortunately, he'd be in the hole for 10,000 years...
His argument basically boils down to "Security through Obscurity"; and anyone who has delt with security knows that this leads to no security at all.
Yes, there is "one hell of a price tag". Chalk it up to the hidden price tag of Windows.
What in the world do you expect of an architecture where blatant security flaws are deliberately ignored? What do you expect from a company which has publically stated that "security gets in the way"? And what do you expect from a company where the average time to release a security patch is about 60 days?
One expects problems - serious problems. And Smith's argument is an attempt to cover these problems up. This hinders how bad the situation really is. While some people might like to stick their head in the sand and not know the truth, this does not make our infrastructure stronger.
Quite frankly, given how insecure Microsofts' software has been historically, I would expect a strong attempt by them to try to do away with Full Disclosure. It is certainly a lot cheaper than having to fix the problems properly in the first place. While I would not accuse Mr. Smith of being a Microsoft shill, I would certainly say that he is misguided here.
Full Disclosure helps keep Microsoft honest. Anything less is an attempt to gloss over the fact that Windows is flawed; and that anyone who uses it has to pay an additional hidden tax due to its serious security flaws.
Please let us deal with the truth, and stick to the truth. Anything less is deceitful; nor will it stop experienced pros from exploiting the existing flaws. Lack of full disclosure will however, lull people into a false sense of security.
And as we have seen with the Code Red worm, the price of a false sense of security can be very expensive.
Wouldn't their estimate also include (a) average hourly rate of administrators fixing the problem multiplied by average number of hours required to correct the problem, (b) productivity loss due to downtime of systems? We rely on our NT server at work pretty heavily (SourceSafe etc), when it goes down half of our programmers either can't work, or can work but in an impaired way that wastes quite a lot of time. And programmers aren't that cheap :) If you have twenty people getting paid 20$/hour, and they all can't work for two hours, thats $800 lost, not to mention that you're probably ending up further behind on a project that was already running late anyway. Another factor is that when the server is down, people often find it a convenient excuse to take a break. Yet another thing is that for many companies, it usually takes something like CR to get the management to realise that they *need* to spend money on things like antivirus software, and you need to have someone keeping the server patched etc. Management often think they're saving money here and there, until something like this happens. So some companies may end up hiring an administrator. And often, not only will an antivirus be installed on the server, but on everyone's systems (hmm .. this is pretty much what happened at our company a few weeks back with SirCam). Installing on everyones systems takes yet more time and money and productivity loss. And of course, you need meetings - you have to have one of those meetings where everyone is present, where everyone has explained to them (by managers who now think that all email attachments should be banned, because they don't understand the technology) the dangers of using email attachments, or running unmanaged web servers, how to keep their antivirus software up to date etc. Many companies are also probably going to go purchase firewall software now too, after CR. Heck, I wouldn't be at all surprised if the cost did approach $2600. I mean, if a large company with 500 desktops suddenly decides to install antivirus software on all 500 desktops just because their server was hit with CR, thats expensive. Professional firewall software can be very expensive too, as well as the training and time required by the administrator(s) to set up and install all the stuff.
You can't base your assumptions as to what would infringe and what doesn't based on the abstract; you have to read the exact wording of the patent itself. The abstract is just a 'summary' designed to quickly let you know generally what the patent is about.
I have to disagree. I want to buy *internet service* period. Charge me for extra bandwidth if you want (if I use it).. but don't tell me i "can't have listening TCP sockets'.
The internet is about connecting computers, not about 'consumers' and 'servers'
Well, that's a start, but is there anywhere that I can buy videogame or demo music in Redbook format?
Alex Bischoff
HTML/CSS coder for hire
Arcade Tones
I'm not related to it, but it was the only place I could find the Megablast by Bomb the Bass from Xenon 2. Now all I need is someone to call me. Call, damnit!!
DD
"You can justify anything by putting it in quotes, adding a famous name and making it a sig" - Albert Einstein
My father-in-law just gave me his old (but working!) Kaypro. I'm in retro heaven. CP/M is a hoot. :D
The point is, this article and others have been doning some amazing work on provably good steganography and making some strides in really making stego fit to the information theory model in good ways.
A lot of the papers cited are less "practical" experiments in steganography but rather information theory which has similar issues. The two most interesting were "writing on dirty paper" and "capacity of memory with errors". These were all about similar problems in VERY different areas.
The great thing about theory is that it finds connections you'd never imagine.
If you want to talk about this, my email is dbentley at stanford (it's a university, guess what the TLD is)
Full disclosure, although it sounds like a dangerous idea, is perhaps the most effective manner for preventing attack.
It becomes a double-edged sword, when you release a vulnerability, who will get to it first, the vendor or the crackers?
Scenario 1: Crackers take charge. OK, for the sake of argument, let's say eEye discovers a remote root in IIS. They release the vulnerability specifics, and as soon as they do so, a cracker creates an exploit, and before you know it, it's the hottest thing on Packetstorm. The attacks spread rampant, but by this time, Microsoft has gotten wind of the threat, and released a patch. Thousands of boxen are patched by admins who keep up with the news, however thousands remain unpatched, and many have been cracked. Over the course of a few months, things get ironed out, cracked boxes get fixed, security patch is propogated everywhere.
Scenario 2: The Secret Vulnerability The same vulnerability, discovered by eEye, instead of being released to the public, is released to Microsoft only. Microsoft creates a patch, and puts it on the internet. Few admins apply it, because there is no huge hype about a massive attack wave. This leaves a massive amount of servers open to attack. Then, out of the blue, a cracker discovers the same exploit, and writes the code to exploit it. Script kiddies everywhere are rooting IIS boxen. The threat spreads vigorously, all the while, MS claims plausibly deniability, because they already released a patch.
The Skinny: Why one is better The second scenario is somewhat similar to the CodeRed situation. MS released a patch for the bug long before the worm spread, and people never expected it. When the wave hit, many admins flocked to the MS update site, and patched their boxen. It uses the media to propogate information about the vulnerability.
This is why CodeRed spread so fast, because there were fewer patched boxes. If more boxes had been patched, the spread would be less severe.
The point I am trying to make here is that we must sacrifice a certain amount of servers to any given bug before it is eliminated. The patching-frenzy is triggered by the massive infection. Such a necessity for a patch must be created for it to be propogated fully.
I hope this is understandable, for I still may be an idiot, I have yet to confirm.
--Ted
On Wednesday, Computer Economics, an information technology cost research firm, put the total economic pricetag of the Code Red worm at more than $2 billion, based on an estimate that 760,000 computers worldwide were infected.
So, let me see, that makes it about $2600 per computer - I never knew that McAfee Virus Shield had gone up in price so much.
Does Newsbytes have no fucking editor or what?
Hehe. Some people really have too much time/computing power to waste
<tounge-in-cheek>
I think it's a good thing that they haven't found anything yet, but not because I'm concerned about terrorists communicating over the Internet. Imagine some of the comments in the mainstream media: "Terrorists use Internet to send hidden messages to children!!" and "Popular Internet site taken over by terrorists!!". This would fit in nicely with senators learning about the dangers in things like file-sharing programs. Terrorists/pornographers/that sleazy guy across the road could be using Gnutella to communicate to other shady characters this very minute!
</tounge-in-cheek>
Porn isn't just for masturbation anymore, you can collaborate with fellow terrorists while fulfilling your sexual needs.
I got plenty of "Code Red" attempts in my web log from the speakeasy.net domain. Maybe they should've blocked port 80!
Here is a quick sound timeline:
1987 AD-LIB soundcard released. Not widely supported until a software company, aito, released several games fully supporting AD-LIB - the word then spread how much the special sound effects and music enhanced the games. Adlib, a Canadian Company, had a virtual monopoly until 1989 when the SoundBlaster card was released.
1989 Release of Sound Blaster Card, by Creative Labs, its success was ensured by maintaining compatibility with the widely supported AD-LIB soundcard of 1987.
1989 World Wide Web invented by Tim Berners-Lee
1990 MPC (Multimedia PC) Level 1 specification published by a council of companies including Microsoft and Creative Labs. This specified the minimum standards for a Multimedia IBM PC. The MPC level 1 specification originally required a 80286/12 MHz PC, but this was later increased to a 80386SX/16 MHz computer as an 80286 was realised to be inadequate. It also required a CD-ROM drive capable of 150 KB/sec (single speed) and also of Audio CD output. Companies can, after paying a fee, use the MPC logo on their products.
1991 Linux is born
1992 Introduction of Windows 3.1
1992 Wolfenstein 3D released by Id Software Inc.
1992 Sound Blaster 16 ASP Introduced.
1993 MPC Level 2 specification introduced This was designed to allow playback of a 15 fps video in a window 320x240 pixels. The key difference is the requirement of a CD-ROM drive capable of 300KB/sec (double speed). Also with Level 2 is the requirement for products to be tested by the MPC council, making MPC Level 2 compatibility a stamp of certification.
1994 Doom II released - Command & Conquer released - Netscape 1.0 released - Linux Kernel. version 1.0 released
- - -
White House Selected Vegetables Coffee Mug
"It is a greater offense to steal men's labor, than their clothes"
(Joke, joke, thank you Mr. Modstick)
I wonder how far into the ground they will bash Napster before giving up; perhaps they just don't want to have to admit that there are hundreds of other P2P networks out there, and that they cannot stop them all...
Security through promiscuity is no better than security through obscurity.
Funny this should be brought up, I just finished getting my shoutcast stream working that plays exclusively Gameboy MIDIs. Tune in.
Watashi wa Amerika-jin desu.
Why when I was a kid we did'nt have these fancy laptop computers and tiny digital memory cards.. Nosir, we had punchcards, and we liked 'em.. If you wanted to type up a business proposal you had to punch it up on paper cards using a hydraulic press operated by connecting cables on a patch bay ..
And if you ever wanted to read one of those proposals you had to spread the cards out on your big-ol conference table-top and get way up on ladders to be able to read it all.. Yep.. Then some smart sumbitch invented the pneumatic chair which could get you up there to read the punchcards without the ladder.. yep. those were the days..
I think I'm gonna go down in the basment and bang on my altair..
air and light and time and space
Does this mean... that if i dont go there with an internet browser, i "worked around" the patent ? Lets take Microsoft and their .NET software... If I'm not totally wrong here, the idea there is to provide these types of services. You run programs of the servers, and maybe pay per use. So, Microsoft just integrates a .NET browser, (instead of an internet browser), a client software that can search the MS.NET for .NET applications out there.
Or the open-source approach ? Use a peer2peer-style software. You start GnAppliTella, enter search for "word processor", and voila, you have a bunch of servers providing you with an online word processor. And.. since the patent seems to require some password authentication, what if you provide these online software services for free ?
What I'm trying to point out, is that this patent is only useful if you use an "internet browser". I dont really think the online future lies within the restrictions of a web browser of todays style. They are big, sometimes filled with advertisements, they crash, they have security flaws, etc etc etc. Perhaps this patent seems like a big deal right now, but my guess is that tomorrow will tell different.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
Yeah, and I'm sure he downloaded them just to see if they used steganography...
So when he was complaining about the "hidden bits" in the photos, he was talking about steganography? Silly me...
Speaking of old MIDI stuff always made me wonder: Just how did Creative Labs become the de facto standard of sound cards back in the days of DOS gaming? Maybe I don't remember clearly, but it's not as if there was a huge gaming population back then (back then, yeah way back in the early 90's...cripes I feel old). Was music more of less an afterthought back then? Seems you'd want to make the gameplay independent of the music (not like movies, where the score plays an integral part in the emotion of the moment) just because there would be a good possibility the user wouldn't have a compatible sound card or perhaps not even a sound card at all.
Perhaps like all things in PC gaming, the sound card only became a necessity because of Leisure Suit Larry and Wolfenstein 3D. You've either got to have it to hear sleazy softporn sounds or the screaming deaths of Nazis.
My sigs always suck.
Most of the later Squaresoft rpgs were released with full soundtracks, as well, most of which you can probably find on ebay.
---
NovAurora used to have a ton of rips from PC games, mostly MP3s and MIDI. Unfortunately, the owner of the site shut down the server and sold the domain name.
Fortunately I snarfed the archive before it went away. Between that collection, other game music sites on the web, and things I've ripped myself I have about 2GB of game music.
Anyone want to volunteer a server to host it?
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Would that be "Lynx"? Even IE lets you use links.
This next song is very sad. Please clap along. -- Robin Zander
Holy crap. Is it also called steganography when you hide communications by presenting them as yellow text on a blue and red spiral background?
Edward Tufte would not be impressed.
-- Bob
And the slashback gets it wrong on smith, he's whingeing that news should be kept 'leet until the fixes are out there. How the hoi polloi are supposed to install fixes for bugs that they think don't affect them is beyond me, but, please "could have saved big companies a lot of money"???!!!! WTF!?!?!?!?! So we should keep information secret so that the big boys get their asses covered while admins of smaller sites get no information and get victimized? Fuck off and die, now, you brownosing crybaby.
And tell stileproject to read bugtraq. I saw the 'sploit, i verified that it worked, i upgraded my machine toot sweet even tho i don't run telnet. Boo hoo for them.
Expanding a vast wasteland since 1996.
Links is a text only web browser like Lynx but with a different feature set. See http://artax.karlin.mff.cuni.cz/~mikulas/links/ for more details.
Difficult to find enough machines:
Cool stuff. Alternatives are always good.
This next song is very sad. Please clap along. -- Robin Zander
Here's an ethical question for you:
/y \inetpub" instead?
Currently, I run a script "default.ida" that, when hit, logs into the attacker's back door and reboots his server.
What would be the ethics of making it do "deltree
2 million jpegs? He's got my collection beat.
Odd for me to have seen much of the bones of his story already discussed at length in The Register, on the day before McWilliam's posted his Newsbytes contribution.
Still; I'm sure the slashdot effect will please his employers & increase his marketability.
Here, meanwhile, is what TheReg thinks of mcWilliams and his half-assed understanding of things technical.
""
Ouch! You better take that tounge out of your cheek!
It's 10 PM. Do you know if you're un-American?
Just move your services to different ports
-- @rjamestaylor on Ello
In fact, I'm beginning to believe that the TOS should be enforced: no public servers on non-business broadband connections. Why? Because securing your computer is a serious job that is more than the @"lookie I've got a web site"Home user can/will handle.
Of course, I'm using my home system as a temporary back-up server (our main hosting service is experiencing trouble) while a new product gets demonstrated to potential investors/customers. I'm on an AT&T Broadband cable modem connection (fast enough for the demos) so when they filtered port 80 I reconfigured Apache to listen on 8081. No big deal. Oh, they also left 443 open, so those home users running ecommerce web apps at home (!) should have not even noticed the change. TOS? What TOS?
On second thought, restricting a whole class of Internet users to read-only violates the Internet Way. Toss the TOS.
-- @rjamestaylor on Ello