Slashback: Streamend, Stego, Patches

The first Slashback of 2002 brings you updates on Ogg streaming (listen in while it lasts, and send feedback if you like it!), Qwest and your privacy, holes and patches for products from the MS-AOL-Time Warner Industrial Complex, and even more steganographic images failing to appear.

Getcher hot streams while they last ... jmoffitt writes: "In his post to the Vorbis list, Ciaran announced that the Ogg Vorbis BBC streams of Radio 1 and Radio 4 that we've enjoyed since early November would go offline as the test is ending. Everyone is encouraged to send their encouragement for these streams to continue to webweaver@bbc.co.uk. Also, as a special treat, the Radio 4 Ogg stream has been extended a week - just enough for all to catch the first episode of Lord of the Rings on Saturday at 1430 GMT."

Please mind the people interrupting your privacy. Matt Clauson writes: "Discussion list for the Qwest privacy issue and possible protest action has been set up -- send an email qwest-action-subscribe@dotorg.org to subscribe to it."

Plug, plug, plug ... timekillerj writes "Well it looks like AOL jumped right in and fixed that pesky hole. We can all go back to speculating how insecure it is now. An article on Yahoo has more info, including a short debate on w00w00 disclosing before getting a response from AOL."

Backstepping by any other name ... dagoalieman writes "It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.

Nope, still don't see any. Niels Provos writes: "I just updated http://www.citi.umich.edu/u/provos/stego/usenet.php to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message.

I also released a new version of stegdetect.

The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak performance is comparable to 72 1200 MHz Pentium III machines :-) ...

Below my mail to the cryptography mailing list.

------- Forwarded Message
From: Niels Provos <provos@citi.umich.edu>
To: cryptography@wasabisystems.com
Subject: Stegdetect 0.4 released and results from USENET search available
Date: Fri, 21 Dec 2001 12:16:14 -0500
Sender: provos@citi.umich.edu

I just released Stegdetect 0.4. It contains the following changes:

- Improved detection accuracy for JSteg and JPhide.
- JPEG Header Analysis reduces false positives.
- JPEG Header Analysis provides rudimentary detection of F5.
- Stegbreak uses the file magic utility to improve dictionary
attack against OutGuess 0.13b.

You can download the UNIX source code or windows binary from

http://www.outguess.org/download.php

- -----

The results from analyzing one million images from the Internet Archive's USENET archive are available at http://www.citi.umich.edu/u/provos/stego/usenet.php.

[...]

After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis.

This page provides details about the analysis of one million images from the Internet Archive's USENET archive.

Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single hidden message. [...]

Comments and feedback are welcome. We have an FAQ at http://www.citi.umich.edu/u/provos/stego/faq.html"

Thanks for the update, Niels!

So....

[cscx]

"It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.

In plain English, does this mean that the whole 'warning' by the FBI was FUD, plain and simple?

Re:So....

[Henry+V+.009]

In plain English, does this mean that the whole 'warning' by the FBI was FUD, plain and simple?

Whoever moded this as a troll is on crack. According to this story in The Register, the FBI warning was not correct, and the steps they advocated for fixing the security hole did nothing. How's that for FUD?

Re:So....

Most machines are still unpatched, so it's still a threat, so it's no fud.

I suspect the quietly released bit is spin to make the FBI look bad (every story has to make someone look bad). They released their opinion of the patch with the same level of fanfare that their original opinion was given. It was the news organisations that took it further.

Re:So....

[cscx]

I'm not so sure. The FBI's response was something around the words of "Disable it! But we have no idea how..."

Another thing they are discounting is XP's default Internet firewall function. When XP is initially configured, it asks you a question stated something like "Do you directly connect to the Internet (or not sure), or are you connected to a LAN?" If you select "directly connected," your adapter is automatically firewalled. Also, I noticed that the UPnP service does not start automatically, and last I checked it was listed as "Manual" startup and not enabled. So much for that.

Re:So....

[benwb]

1) Internet firewall protects you from unicast attacks, but not multicast.
2) UPnP service is not the one with the vulnerability. It's the SSDP Discovery Service. It's also a manual startup, but it's started after boot on my box and every other xp box I've ever looked at (OK that's only about 5).

Re:So....

[cscx]

Wow... that is odd... it is listed as manual. But it's started nevertheless (make that 6). I need to read those descriptions more closely: ('Enables discovery of UPnP devices on your home network.') Reason for that being, well, I just patched it and kinda swept it under the rug for the time being. Aren't multicast attacks kind of hard to implement, though?

No jokers out there??

[RedOregon]

Kind of surprised no one uploaded a bunch of steg'd images just for laughs.. encrypted messages like "No, this isn't from a terrorist", "Windows/Bill Gates/Microsoft Blows", "steg _this_, buddy"... or "First Post!"

Re:No jokers out there??

[Miniluv]

Who says they didn't?
Woohoo, isn't proving a negative all kinds of fun?

Re:No jokers out there??

[noc]

I think their steganography breaking system just stinks. I've been party to stego'd image passing years ago, so I *know* they exist(ed) on usenet :-). On the other hand, the message was usually encrypted, too, so that might be tripping them up.

Re:No jokers out there??

[SClitheroe]

Who's to say that the message isn't somehow encoded in the filename, the file size, the MD-5 hash of the entire message, hell, even the Usenet group it was posted too. It's ironic that all that processing power was wasted on analyzing the image, when any of the aforementioned parameters might have constituted a public key or one time pad for the real message...

Basically, this kind of analysis constitutes an even weaker hypothetical effort than RC-56, or any of those distributed.net challenges, since it's not a given that the image is the sole medium for the message.

Re:No jokers out there??

[RedOregon]

I dunno... I could be wrong, but I got the impression that they were looking for *messages hidden via steganography* -- in other words, looking to see if *something* was there in the image. Whether or not it was an *encrypted* message shouldn't make a difference, just that *something* besides image data existed?

Re:No jokers out there??

The thing is, good encryption should be virtually indistinguishable from noise. (Read up on cryptographic resources if you need more background.) If you ran an encryption through another filter, like for instance a low-res graphics layer, it should look similar to CCD photon noise, and so very difficult to detect, even when comparing reference graphic images to each other.

Re:No jokers out there??

Who's to say that the message isn't somehow encoded in [...] the MD-5 hash of the entire message

Read your cryptography literature again.

Stegan

[20721]

Nope, still don't see any. I just updated http://www.citi.umich.edu/u/provos/stego/usenet.ph p to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message. I also released a new version of stegdetect. The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak

umm, cat got your tongue? Unless the "hidden message" was "I hit submit too soon"...

Pot/Kettle?

[DavidJA]

"Well it looks like AOL jumped right in and fixed that pesky hole. We can all go back to speculating how insecure it is now

Michael seems to think that anything that is not open source has to be insecure.

Re:Pot/Kettle?

[cscx]

I invite you to read this sarcastic piece of work.

Re:Pot/Kettle?

[rasactive]

Actually, last I checked, it was pretty insecure. There was a really popular DoS attack a little while ago that affected all AIM clients (even the Linux ones with semi-crippled functionality). And have you ever heard of punters?

Re:Pot/Kettle?

Well, from a security point of view, that makes good sense. If you can't verify that something is secure, then you have to assume it's compromised.

Is there ever any aspect of security where that rule of thumb doesn't apply?

Ogg streaming is a step in the right direction

[chrysalis]

The streaming test made by the BBC is definitely a good thing. It brings credibility to open source projects. Ogg Vorbis is really an amazing format, but nobody uses it because of the lack of advertisement.
Succesful experiences like the BBC one can change this.

Re:Ogg streaming is a step in the right direction

[ergo98]

Lack of advertising? No one uses it because MP3 is entrenched, so the network effect is in play: To dethrone it you have to have demonstratable advantages that motivate people to adopt it, and honestly as of yet I haven't seen those advantages. The WMA format has the exact same dilemma, but even with claims that it's 2x better at a given bitrate (I'm not claiming that: Just what I've heard), the entrenchment of MP3 still makes people go "Bah...not worth it".

Re:Ogg streaming is a step in the right direction

I believe you're referring to interia.

Re:Ogg streaming is a step in the right direction

[ergo98]

Sure that word works too. By "network effect" I'm referring to the fact that "everyone else uses MP3s, so I will too". It's the same premise that keeps Windows on top year after year: People want to use what their friends and family are using.

Re:Ogg streaming is a step in the right direction

[BobSoros]

To dethrone it you have to have demonstratable advantages that motivate people to adopt it, and honestly as of yet I haven't seen those advantages.

I think what you meant to say is that you haven't heard the audible benefits of using ogg. I have something in mind that might change your mind, its only one example but i think it will suffice. And keep in mind that the next release of the ogg encoder (RC4) will have even more improvements in the low bitrate range.

Try the following streams, one is ogg and the other mp3 , both broadcasting 32Kbps/mono.

ogg123 -d oss -vp 64 http://shoutcast.mediacast1.com:7000/32.ogg

mpg123 -b 64 -u a http://shoutcast.mediacast1.com:7005/32

If you believe the mp3 stream sounds better then I suggest you give a reputable otorhinolaryngologist in your area a visit... or talk to El Rusbo if that cooks your noodles.

Re:Ogg streaming is a step in the right direction

Except that the cost of switching operating systems (or word processors, etc) is very high compared to using a different media file format (ideally just a matter of upgrading your player). It's more the educational issue of "What's an OGG?", and "intertia" rather than a real network effect.

Re:Ogg streaming is a step in the right direction

[ergo98]

But then, much like the low bitrate Windows Media format claims, it's irrelevant to a large percentage of the people who use MP3s. When I stream radio I do so always at 128Kbps stereo, or at absolutely worst 96Kbps stereo. It is there where the difference between ogg and mp3 would matter to me. For stored MP3s of course the minimum the vast majority of people touch is 128Kbps.

Re:Ogg streaming is a step in the right direction

[ergo98]

For sure it's a different scale, but it's the same premise: i.e. You're a internet broadcaster and you want to start streaming some media -> Unless you're an evangelist, you choose a format based upon the deployed base because it isn't reasonable to say "Come, listen to our music! Oh but download and install plug-in XYZ". You get away with that if the user who doesn't have it is the odd man out, but otherwise most users will just "change the channel".

Re:Ogg streaming is a step in the right direction

WOW. So Ogg Vorbis is able to say that "Our crappy sound at a crappy bit rate is LESS crappy than Fraunhofer/MP3." What about higher bit rates?

Re:Ogg streaming is a step in the right direction

[BobSoros]

I dont think either of you quite get it, although the two of you might have no trouble listening to 128kbps streams, there are _millions_ still on dialup... both of those streams will work fine on a dialup link but if i had to choose the lesser of two evils I'd pick ogg anyday.

as for higher bit rates I suggest you play around a bit with it... _some_ have said nominal 128kbps ogg is better than 160K lame encodings...

use -q 3.75

Re:Ogg streaming is a step in the right direction

[ergo98]

Ah very good point indeed. Indeed to be honest if there was a way to get credible sounding streams with 64Kbps, then I'd use that as I feel a little guilty listening to DNA Lounge at 128Kbps. There is definitely a need for high quality, low bitrate solutions.

Re:Ogg streaming is a step in the right direction

Who has said that?

How does Ogg hold up newer versions of LAME and the -extreme switches?

Re:Ogg streaming is a step in the right direction

[wcb4]

I just bought a soul mp3 player. It has support for mp3 and wma files (which really do sound better at lower bitrates.. I'll put a 64kbps wma up against a 96kps mp3 any day, but not 2x better) the formware is upgradeable to support other formats..... give me a patch to use OGG files on it, and I will. Not because its better than WMA (which it is not, regardless of what you OSS zealots say) and not becuase I think everything MS is evil (WMA and WMV are fantastic formats) but because I don't want to see "windows only" as a standard for yet another anything.

Get the DSK, write the patch... I'll listen to OGG, not a problem. I would even be willing to transcode all my MP3s to OGG, but unless I can carry them with me in my car (without using my laptop) You don't have a chance

Am I readintg this right

[adamy]

OK w00w00 sends an Email to AOL, get's no response, and then publishes. to this, AOL said,

``We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said.

Sorry if your organiuzation is too big to react that quickly...

Re:Am I readintg this right

[MarkLR]

One e-mail during the holiday's. Its's irresponsible to release the details without giving AOL some time first to fix it. I hope this hacking group gets sued for aiding people in using this hole.

Re:Am I readintg this right

[teaserX]

I Seriously doubt they would have put forth the slightest effort to take care of the problem in a timely fashion had it not been disclosed *first*. They may have even 'swept it under the rug' to avoid the bad PR. Big Corps don't like it when the decisions get taken out of their hands like that. They tend to whine alot when it happens. I say kudos to w00w00 for lighting the fire under 'em!

only in english

[donhav]

What if the messages are not in english or god forbid use a non arabic script?

Re:only in english

[Alien54]

even if it was in unicode, you should be able to see a repeating pattern of something.

personally, I think that the best gimmick would be to encode a small picture of a message into another larger picture. That would mess up the search for plain text ;-)

Re:only in english

[oomcow]

i don't understand how people expect to detect encrypted messages that are then steganographically hidden in images anyways.

in theory if you encrypt your message via any good standard method, it should result in something that even statistically looks like random garbage.

Re:only in english

Exactly. Saying "we didn't detect any crypography" only shows that their methods are flawed.

When stego hit the news before, a year ago, I posted a message to a binaries group a year ago with stego in it and not a single of these studies has found it. I invented the method, which seemed obvious to me, and they didn't find it. I don't expect them to.

It's not that my stego was smart, but that it was foreign, and there are a million more ways to stego than to encrypt it.

ps. My dumb method was to encode five paragraphs of shakespeare. Shuffle the letter placing ABC to CAB and add it to each [sq. root of PI]'th pixel so it would occasionally skip one. It was added to a picture, of course, of goatse.

Re:only in english

[self+assembled+struc]

actually, we use arabic numerals. our script is roman based, as you can tell if you look at latin (which the romans spoke) and it consists of many similar letters as the 26-character alphabet we currently use.

if you look at arabic you'll notice a lot of flowing lines and a more "cursive" appearance.

this is why your character coding is called "ROMAN" not "ARABIC".

Re:only in english

Actually, the Romans used the Greek alphabet more than anything. The "Roman Alphabet" proper didn't come about until the middle ages or so. For what it's worth, if you ever see Arabic numerals, most of them resemble the numerals we use turned 90 degrees clockwise.

**Thanks for playing!**

Re:only in english

[self+assembled+struc]

while that is true, we refer to our character set as a roman character set, i seem to recall that the mac character set is called MacRoman.

While it may have been stolen from the greeks, no one calls them greecian script.

Re:only in english

[karlm]

Yeah, if the message wasn't ascii English, the stego findoer would still a pattern in the image. Unfortunately, they ran thier ~20,000 "suspect" images through a dictionary checker, with the implication being that the 1,800,000 words and phrases were all English ascii. This was their difinative test of the suspect images. In any case, they can't say anything about the suspect images containing conventioanlly encrypted messages. All they can say is that the images look like they're hiding info, but the hidden info looks like white noise.

Good idea about making an image of the message and stegoing that into an image, except that the stego content is typically much smaller than the original file size. Encrypting before using stego should make it much less detectable. I would guess that any intelligent stego search would include checks for standard file headers.

Re:only in english

BTW: Latin script, Arabic numerals. European languages don't use Roman (=Latin) numerals much. Arabic script is what Arabic is written in.

Hmm...

[Mike+Schiraldi]

The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak

Ok, i give up -- where did you steganographically hide the rest of that sentence?

Re:Hmm...

[sar]

The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak performance is comparable to 72 1200 MHz Pentium III machines :-) ...

thats what it said.

stego

[PhuCknuT]

If someone wanted to hide a message in images on newsgroups, they wouldn't put a plaintext msg that any newb running a dictionary based attack could find, unless they wanted it to be found. It would be trivial to add one more step of xor'ing the msg with a random key first, then putting the key in a second image, or evern better sending it through another conduit. I know if I was going to use something as lame as stenography to send an important msg, I would go to the trouble of not sending plaintext.

Re:stego

Errrrm, it's STEGANOGRAPHY - Stenography is something very different

I did.

[sideshow]

Nobody can defeat my supreme powers!

Bwwahaaahaaa!

Just because you can't see it...

[tbo]

...doesn't mean it's not there, does it? How confident are the makers of stegdetect that no steganographic images would slip past their program? Does their program simply work for all known steg. algorithms, or would it detect some or all kinds of new algorithms?

Also, if I was going to try to send a message via steganography, I wouldn't be doing it with images on Usenet. I'd make some useless personal homepage (god knows there are enough of those already, and nobody visits them), and put my steg. image on there. Or, I would use a more primitive kind of steganography--code words embedded in seemingly innocent messages. There's a hell of a lot more spam on usenet than images, so it would be better concealed that way.

Re:Just because you can't see it...

[Howie]

I'd make some useless personal homepage (god knows there are enough of those already, and nobody visits them),

The problem with this is that assuming someone does find the hidden message in one of the images, then it is easy to install Carnivore, or similar and watch all traffic requesting the page. USENET gets distributed all over the place - that's why it gets used for things where people don't want a centralised log of the fact they downloaded it (pr0n, warez, contentious views).

Download some alt.binaries.images.erotica.* files, paste on a fake BBS ad, and embed your message. Repost. No-one will try and call the BBS, or be surprised if the details "don't work".

I agree that not finding messages doesn't mean they aren't there, however.

Re:Just because you can't see it...

[ngg]

How confident are the makers of stegdetect that no steganographic images would slip past their program? Does their program simply work for all known steg. algorithms, or would it detect some or all kinds of new algorithms?

Stegdetect checks for the signatures of three steg programs (JSteg, JPHide, and OutGuess .13b)(Research Paper), and it does not detect new algorithms. Also, the effectiveness of stegdetect is determined by what steg program was used. It missed from 5% of JSteg stegs to 60% of OutGuess stegs. Finally, they did not try to detect stegs generated with OutGuess 0.2 because it has a better method of randomly selecting bits to change.

Re:Just because you can't see it...

I have looked for many hours through alt.binaries for stenographic text in picture but I have never seen any.

This is most likely due to the fact that I have gone blind due to all the w*nking

AOL did NOT fix the hole

[cr@ckwhore]

Here's the deal with AOL... since everything runs through centralized servers, they've been able to apply filters to catch erroneous message packets.

Big deal!!

Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.

They havn't changed the fact that there is a buffer overflow in the IM client. This means that AIM users (using the official client) are still vulnerable. AOL has simply made it a bit more obscure, and we all know that security through obscurity is not secure at all.

Re:AOL did NOT fix the hole

[freerangegeek]

How about perspective on this. Just how many slashdot users were hit with destructive worms/viruses thanks to AIM/AOL? Raise your hands!

Now how many of you were hit with destructive worms/viruses thanks to Outlook? MIIS?

Point made. Yes, AOL's fix isn't ideal, but then were not being flooded with destructive code that way are we?

When AOL hits the top 10 methods of virus propogation, then you can lambast them for poor software design and closed standards.

Lee

Re:AOL did NOT fix the hole

[Vegeta99]

Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.

Oh, so THAT'S where I've been going wrong. I'll try electrical tape next time, thanks for the advice!

(It's a bad attempt at humor, mods. Laugh.)

Re:AOL did NOT fix the hole

[Zog]

They did fix it - in order to exploit it, you had to send a message through AOL's servers. Harmful messages are now blocked at AOL's servers, so the exploit is no longer effective.

I think it's pretty much given that this is the most reasonable course of action - AOL is primarily for people who aren't that great with computers, and very well could have difficulties upgrading, if they decided to do so, so instead of forcing all of their millions of users to fix it themselves (that's basically what it would come across as to most users - they don't know what's really going on), so AOL can simply block it themselves and fix the client in the next round of upgrades. And that leaves out the cost of extra bandwidth, people rushing to upgrade before they get hit, etc.

Obscurity would imply that they hid it; what they in fact did was block the exploit completely.

Re:AOL did NOT fix the hole

[seanadams.com]

Here's the deal with AOL... since everything runs through centralized servers, they've been able to apply filters to catch erroneous message packets.

I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.

Their "fix" is roughly equivalent to using duct tape as a contraceptive. Its just not right.

I dunno - that sounds pretty damn effective to me. Much stronger than latex, and it certainly won't slide off.

They havn't changed the fact that there is a buffer overflow in the IM client.

Obviously, you *can't* change the fact that a particular version has a bug, but you can release a new one. The problem is that it takes a long time to get everybody to update, so this is actually a pretty good fix, notwithstanding the issue of people using the software without the benefit of this filter.

Re:AOL did NOT fix the hole

[n6mod]

I admit that I haven't studied the details of the exploit, but you're implying that spoofing a malicious packet or packets won't work?

Sure, they shut off the easy way to launch an attack, but I can still send that same message from another host, can't I?

Re:AOL did NOT fix the hole

[brunes69]

Good thing everyone who reads slashdot uses Linux. And those who DO use windows would NEVER use AOL.

</sarcasm>

Re:AOL did NOT fix the hole

[rabidcow]

Yes, but you still need to get the packet in question processed in the right part of AIM. Previously, these could be sent normally through the service from another user. Now, you somehow have to slip it into the communication stream, afaik this means using some sort of packet sniffer to find and monitor the connection for a while at least.

This is not security through obscurity, it's taking a trivial exploit and making it nearly impossible. I should hope they're also working on fixing the actual buffer overflow, but for now, and for users who don't upgrade (or don't know how) once this is done, it's much less of a concern.

Re:AOL did NOT fix the hole

'Another host' still goes through AOLs servers, so no.

You can't just send a message to the AOL client from anywhere on the web. There's no point to that. It only accepts them from certain places.

Re:AOL did NOT fix the hole

[bconway]

Obscurity would imply that they hid it; what they in fact did was block the exploit completely.

That is incorrect. They've stopped people from sending the bogus messages through their servers. How long do you think it would take to write a program that scans IP ranges for clients that are STILL SUSCEPTIBLE and attack them directly? 5 minutes? 10 minutes for a Code Red for AIM? This is not a fix by any means.

Re:AOL did NOT fix the hole

[cr@ckwhore]

Familiar with the concept of packet insertion? Just for giggles, try a traceroute to your favorite AOL server and note the number of hops traversed. Any one of these can be used as a point of packet insertion.

There are plenty of ways the problem can still be exploited. AOL has simply made it a bit more difficult, but not impossible.

One of the biggest problems in the world of computer security world is thinking that a problem isn't going to be exploited because of its difficulty or obscurity. This has been proven time and time again when the most obscure little security holes get exploited repeatedly.

Re:AOL did NOT fix the hole

[ghastard]

When someone opens a suspicious e-mail, and it screws over their computer, it is easy to trace the problem back to the source. Or, if an IIS server's logs reveal something suspicious going on, an adept admin can figure this out in many cases. However, your typical AOL/AIM user often knows next to nothing about computers or the internet, let alone be aware of an attack.

Who knows? Maybe thousands of people are being hit every day, but don't have a clue as to where the computer's "problems" are coming from. Many people shrug off something unusual as "just one of those complicated computer things", and haven't a clue why when they power on the computer all they see is a blinking cursor.

Re:AOL did NOT fix the hole

[n6mod]

And how does it decide what sources to accept? Source address?

Re:AOL did NOT fix the hole

[DrSkwid]

Lee, if you had the ability to run code on peoples machines unnoticed what would YOU run?

format?, fdisk? delete all their files?

no, that's what lame schoolkids do

real black hats don't trash your system, they try and keep it alive so they can use it for nefarious activities.

I don;t know much about the AIM one but with Sub7 which was an icq based virus the victim would maybe just have strange things happen occasionally (screen upside down, follow the white rabbit stuff etc.). Or the attacker would just take webcam pictures and download them without the victim's knowledge or consent. Read their email, read their icq log, look at their bookmarks, poke around for text files containing passwords, edit /windows/hosts and try a CC / password scam. And this was wide scale (and probably still is) because Sub7 infecetd hosts advertise themselves on IRC as infected!

Just because your PC isn't "broken" doesn't mean you're not infected. Only the lamest viruses are destructive for without hosts there is no life.

Re:AOL did NOT fix the hole

[arodland]

"making it nearly impossible" is one of the things security through obscurity is all about though... sure... it's nearly impossible, until next wednesday, when someone finds out that if you push THIS button, and turn THAT knob, and set the 42nd bit, then the hole is back in plain view again. :)

Re:AOL did NOT fix the hole

TCP

Re:AOL did NOT fix the hole

[anthony_dipierro]

Familiar with the concept of packet insertion?

C'mon now, there are tons of man-in-the-middle exploits out there. When you download everybuddy or whatever IM software it is you use, do you really check the PGP key?

Re:AOL did NOT fix the hole

[anthony_dipierro]

They did fix it - in order to exploit it, you had to send a message through AOL's servers. Harmful messages are now blocked at AOL's servers, so the exploit is no longer effective.

The scary part here is that AOL has basically admitted that it has a back door into every system which runs AIM. I wonder how that law about music companies (Time Warner) breaking into the machines of suspected copyright violators is going.

Not to mention simple DNS attacks, attacks from someone working at AOL, attacks from someone who broke into AOL's servers.

Could even be the next new "I love you" worm. Send an html link containing a registry edit to change the IP address of the AIM server to the person sending the link. Then when the user reconnects to what it thinks is the AIM server (which you could probably force in some way), hack in, start up its own fake AIM server, and send the link on to everyone in the users buddy list.

Re:AOL did NOT fix the hole

[rabidcow]

but that's not how it is. The bug is still known, we still know how to exploit it, nothing is obscured. (well, maybe to the general populus, but the "hackers" are the important people here and they aren't gonna be fooled by this)

It's nearly impossible in that it's EXTREMELY hard to exploit now, whereas it was fairly simple before.

Re:AOL did NOT fix the hole

[freerangegeek]

Point taken, yes my Mac running OX could be harboring all sorts of nefarious code inserted by AOL/AIM. It's true, of course this particular bug only affected machines running Microsh*t brand OSes. There are advantages to being the 'minority, underused OS'.

The truth is you're correct. But then if you had a 'black hat' back door planted on your system for use in some nefarious scheme to arrange attacks, don't you think it would eventually get used? And when it did, then it would be revealed? Example: the Denial Of Service attacks early last year.

Being paranoid is a good thing, and it's your choice not to run AOL/AIM. That's fine. But all in all, I'd rather spend my time worrying about already known, highly STUPID, well documented and frequently abused security risks that remain UNFIXED (read Outlook), than to conjecture about possible security attacks in a protocol that's at least been patched.

Yes it's a secret protocol, and that makes it unavailable for public inspection. But there remain many well documented public protocols that continue to be used, with known security issues. Even OpenSSH, a gem of a program I use regularly, had possible security exploits. Heck even my favorite software house, Apple, has "Airport" code which is subject to WEP exploits.

If you want to get on AOL's case for not being responsive to the original complaint, you might have a case. However, the message I responded was lambasting them for having 'patched' the problem in a a way the poster didn't approve of. Actually I think AOL was pretty quick in applying the patch, compared to some manufacturers (read REDMOND).

Finally, if I were a 'black hat', I use the obvious easy holes to plant nefarious difficult to detect code. Instead of wasting hours/days/weeks analyzing packet transfers on AIM to try to detect possible locations for buffer overflows, just to plant that same code. But that's me, and the last time I 'hacked' anything was on an Apple 2 with poke. [Ok, I did have to hack root access on some NeXT boxes, but I was the system admin of those boxes at the time, and it was work related.] Guess that makes me 'white hat'.

Lee

Strong passwords?

[Suicyco]

Well perhaps some people use stego and might actually have used strong passwords that could not be guessed by a dictionary attack. If I were communicating secretly using the internet, I would first encrypt the message with pgp, then place the encrypted text into a large jpeg WITH a strong password, and post to a half dozen groups. How would any kind of attack (well any reasonable attack) be able to detect my message? Even if the dictionary attack worked, how would you know the result was the real message, since it would appear to be random garbage, just like all the incorrectly passworded dumps? Just doesn't seem like this is something you can do, its taking distributed.net several years to crack ONE message. How would you go about finding a needle in a haystack, and THEN decoding it? We are talking tens of millions of images. What is the point of this? I'm sure people use stego, for whatever reason, why wouldn't they? Some hacker group, or warez group, or terrorists or whatever, somewhere, at some time, posted stego'd images to usenet.

The Biggest Security Hole

[Renraku]

The Biggest Security Hole is stupid users. Since AIM is mostly comprised of AOL users (henceforth known as lamers), we can also assume that the service is quite insecure. However, the lamers don't really care, as they don't realize just how easy a bug would be to exploit (people make scripts, scripts give rise to script kiddies). So...AIM is bad.

AIM Bugs

[mESSDan]

I'm curious, I went looking on the AIM website for somewhere to send information about a SERIOUS bug like the one that was discovered, and of course I didn't find one. So, I'm not surprised when it said in the Yahoo article that they didn't receive a response back after a week, considering that if they submitted it using the "Found an Error" part of the website, it probably got mixed in with thousands of other messages.

Does anyone know a faster way to contact the major software vendors about a severe security issue BESIDES letting them read about it on the front page of their favorite news portal?

(Note, I only said faster, not better)

Re:AIM Bugs

If you are in the Prince William County, Va. or the Dulles, Va. area, I suggest going to the AOL headquarters for a little meeting.

Re:AIM Bugs

[Logic+Bomb]

Perhaps one should consider communication media other than email. :-) Most companies have a link to a 'corporate' area of their website. Just call their press line. :-)

Re:AIM Bugs

[iorange]

go here to search the SEC's Edgar archives and get corporate switchboard numbers. Call and ask to be connected to the office of the president/ a board member/ CTO/ whatever strikes your fancy. You will most likely be connected to their secretary. Tell the secretary what's going on, and she will do the legwork for you of figuring out who in the company needs to be contacted and hook you up with them. Works for me.

Re:AIM Bugs

[bababooey]

AOL is in Loudoun County... besides you wont get into the fortress without an ID. telling the guard that you found a gaping hole in AIM would get you a blank stare, then you would be asked to leaveasked to leave. Im going to venture a guess and say that the email/press contact would be a much better route.

Re:AIM Bugs

[kesuki]

step 1.) Connect to cable modem
step 2.) send an e-mail - subject: Hey Osama We're ready to blow up the Whitehouse Tomorrow
step 3.) let the FBI deal with it they carnivore captures the e-mail and puts it on their priority list to read.

So that's who that fiery bastard was.

[Chris+Burke]

I remember from last winter term some guy had a background process running on every single workstation in the CAEN labs. If you killed it (users logged in at the console can kill large/cpu hungry apps with a special script) it would just come back. It used lots of CPU cycles. It made it hard to get work done. It pissed us all off, and was made worse by his dismissive responses to requests to cut it out.

Basically, we all wanted to kick his ass, and now we know who he is. Unless I'm wrong... but I'll ignore that possibility, because it'd get in the way of a good wupin'.

Re:So that's who that fiery bastard was.

[Bargearse]

And to think that all those CPU cycles could have been used on a project that might actually find something one day.. like Seti@home or RC5 :)
Not to mention that those clients are a bit nicer about not stealing cycles from user apps.

Re:So that's who that fiery bastard was.

[Tom7]

How might RC5 find something useful some day? The key was generated by the people who run the contest. If you discover it, well, big deal -- they could have just not destroyed the key in the first place and that would set us ahead several hundred CPU-years!

Try GIMPS for the "find something some day" (they have actually found several of the largest known primes) and the results are mathematically sound and verifiable...

Re:So that's who that fiery bastard was.

[DickBreath]

And to think that all those CPU cycles could have been used on a project that might actually find something one day.. like Seti@home or RC5

Forget Seti@Home or RC5.

How about all those CPU cycles being used on a project that might actually find something one day... like a genetic algorithm that evolves a pr0n recognition filter.

Re:So that's who that fiery bastard was.

[QuasEye]

This reminds of a problem we had at work. A guy I know had a slight configuration problem where every file he created started out with execute permissions. Occasionally he would go to edit a .c file and forget the editor command (aliased to "n", so it only took missing one keystroke.)

Even though these were just ASCII text files, they'd actually execute, filling his terminal with garbage and making it beep continuously. What's worse, they'd start spawning child processes, and if you killed one, three more would pop up. Eventually the machine would get so bogged down that no one on it could save their work. The only way to fix it was to reboot the machine, necessitating a call to the IT department.

This was on HPUX on an HP-RISC machine - I'd never have believed it if I hadn't seen it.

Re:So that's who that fiery bastard was.

I'd rather find some prize money than some really big but practically worthless number. :)

Re:So that's who that fiery bastard was.

[Ziviyr]

I'm actually for beating the OGR in the RC5 client. Which has nothing to do with crypto that I know of offhand. It'd probably help space exploration, and it beats processing space-noise.

Re:So that's who that fiery bastard was.

[Tom7]

> I'd rather find some prize money than some
> really big but practically worthless number. :)

Well, that's a fine reason, but that's a lot different than doing it because it's more "useful" than this guy's steganography study.

BTW, the EFF has sponsored a very big reward for a 10 million digit prime. I'm not sure how your odds compare, but it's not *just* the number...

Re:So that's who that fiery bastard was.

Haven't used HP-UX for a while but I thought that the maximum UMASK for a file was 666 (777 for a dir).

i.e. a Umask of 022 would give newly created files the permission 644 (rw-r--r--). Therefore execute can never be set on a new file.

A bad workman always blames his tools....

Re:So that's who that fiery bastard was.

[nobody/incognito]

i forwarded your threat to the university of michigan's department of public safety, the campus cops. better start encrypting all that pr0n on your hard drive before they seize it.

i also sent it to the university of michigan's dean of engineering. i suggest you get all your computer-related coursework done in a hurry, while you still have computing privileges.

nobody

Re:So that's who that fiery bastard was.

[Chris+Burke]

Oh no! Good thing I graduated and moved across the country, or I'd be worried! :)

Re:So that's who that fiery bastard was.

[nobody/incognito]

so your threat was idle?

so was mine ;-)

nobody

www.spammimic.com

[fo0bar]

Dear Friend , Especially for you - this red-hot intelligence . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our mailing list . This mail is being sent in compliance with Senate bill 1622 ; Title 1 ; Section 307 ! This is not a get rich scheme ! Why work for somebody else when you can become rich within 60 days ! Have you ever noticed society seems to be moving faster and faster and nobody is getting any younger ! Well, now is your chance to capitalize on this ! WE will help YOU deliver goods right to the customer's doorstep and decrease perceived waiting time by 160% ! You can begin at absolutely no cost to you ! But don't believe us ! Mr Simpson of Connecticut tried us and says "My only problem now is where to park all my cars" . We are a BBB member in good standing . We beseech you - act now ! Sign up a friend and you'll get a discount of 60% ! Thank-you for your serious consideration of our offer ! Dear Professional , Thank-you for your interest in our letter ! If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our mailing list ! This mail is being sent in compliance with Senate bill 1620 ; Title 9 ; Section 306 . This is different than anything else you've seen ! Why work for somebody else when you can become rich in 37 days ! Have you ever noticed the baby boomers are more demanding than their parents & society seems to be moving faster and faster . Well, now is your chance to capitalize on this . WE will help YOU increase customer response by 170% and deliver goods right to the customer's doorstep . The best thing about our system is that it is absolutely risk free for you . But don't believe us ! Mr Ames who resides in Delaware tried us and says "I was skeptical but it worked for me" ! This offer is 100% legal ! We implore you - act now . Sign up a friend and your friend will be rich too . Thanks !

Re:www.spammimic.com

[epsalon]

Yes you are a terrrorist! Don't you know that only terrorists use steganography, and whoever uses steganography must be a terrorist?

Re:www.spammimic.com

Dear Friend ; We know you are interested in receiving
cutting-edge news ! This is a one time mailing there
is no need to request removal if you won't want any
more . This mail is being sent in compliance with Senate
bill 2216 ; Title 3 , Section 309 ! This is NOT unsolicited
bulk mail . Why work for somebody else when you can
become rich inside 14 days . Have you ever noticed
people love convenience plus people are much more likely
to BUY with a credit card than cash ! Well, now is
your chance to capitalize on this . We will help you
process your orders within seconds & deliver goods
right to the customer's doorstep ! You are guaranteed
to succeed because we take all the risk . But don't
believe us . Mr Jones who resides in South Dakota tried
us and says "Now I'm rich many more things are possible"
. We assure you that we operate within all applicable
laws . We IMPLORE you - act now . Sign up a friend
and your friend will be rich too ! Warmest regards
. Dear Web surfer , Thank-you for your interest in
our newsletter . We will comply with all removal requests
. This mail is being sent in compliance with Senate
bill 1624 , Title 6 ; Section 306 ! This is not a get
rich scheme ! Why work for somebody else when you can
become rich as few as 46 days ! Have you ever noticed
most everyone has a cellphone and nearly every commercial
on television has a .com on in it . Well, now is your
chance to capitalize on this . WE will help YOU SELL
MORE & use credit cards on your website ! You can begin
at absolutely no cost to you . But don't believe us
. Ms Ames of New Jersey tried us and says "Now I'm
rich, Rich, RICH" ! We assure you that we operate within
all applicable laws ! We beseech you - act now ! Sign
up a friend and you'll get a discount of 10% ! God
Bless .

A new Slashdot submission topic

Since Microsoft has been getting so many security holes found in their software lately, why not create a new topic dedicated soley to Microsoft Security Holes?

The point of Stego is that you can't see it.

[lowy]

For those who prefer clicking to cut-and-pasting, the Steganography update is here.

I suspect there are several reasons why they haven't found any Stegonography in Usenet pictures:

1. Very few people find it necessary to hide information in Usenet.
2. Of those who might find it necessary, few actually have heard of Steganography and know how to use it.
3. Those who know enough about Stego have encypted their messages first; you won't find these with dictionary attacks - the method the article suggests they used on "suspicious" images.

It is impossible to differentiate between random numbers (noise) and strong encryption. Are there not places within certain images where low order bits have noise that is completely random and thus a perfect hiding place for encrypted messages?

This Article seems to suggest that it isn't possible to hide info in gifs such that it is undetectable and that more research should be done on JPEGs. Anyone know the state of the art on this?

Unsurprising findings on the steg front...

[electricmonk]

I'm really not that surprised that they didn't find anything out of all the USENET images that they scanned. First of all, even considering that they had such immense computational power at their disposal, stegonography done right would probably elude detection by any software currently available. Secondly, they have probably not considered the fact that the messages that are hidden could be encrypted, thus thwarting any kind of dictionary attack against the image. This actually serves to strengthen the security of the message, since to brute-force the message they not only have to decrypt the message, but they have to find the right bits to decrypt in the first place.

Really, even with a Beowulf cluster, processing that many images so soon makes it seem like they gave it only a cursory examination.

Steganography is just another excuse...

[Wrexs0ul]

This was likely just a reason for the group to download and view millions upon millions of pr0n pics. Then again I was always knew pictures like that carried hidden messages :)

..."There must be a hidden message, let's just stare at it a little longer"...

-Wrexsoul

Re:Steganography is just another excuse...

[dunstan]

I still laugh at the idea of mixing gene splicing with steganography - "The Pigeon *is* the Message"

Dunstan

MEEPT!!

I'm afraid that the inside of your head is bad.

I can prove this by asking you to say the following:

"slapdown" is a loss center. We think it has been saved. We have been told that it's been saved. However, the truth is the opposite.

MEEPT!!

Bad reception @BBC?

I'm listening to BBC Radio4 Ogg and it's clicking and popping and giving me garbled up sound. It just sounds wrong. Is this an isolated case?

Is it just me...

[srvivn21]

...or did Hell really freeze over?

The Reg actually defending Microsoft?

Thanks for the link. That was a really interesting read...

Cable, DSL,, and Privacy

[SuperDuG]

I have posted before, but since my submission to slashdot was rejected on numerous occasions I will repost.

My previous comment states:

Well Charter Cable customers now have the wonderous Tioga spyware installed on their systems. It's been posted to slashdot a few times and been rejected. Members from the MadLug (Madison, WI). Have noted that the new service listens on a specific port to monitor and "Assist".

The county board is also investigating this. The software is supposed to be a VNC-Type program that helps Service Reps service computers. Basically I see this as a way for them to not only monitor, but have their way with your system. Along with this software also comes a real annoying Internet Explorer with Charter MSN crap everywhere, diabling network shares, and reformating TCP/IP to their network. Basically everything you can do yourself, but they won't tell you because they want you to install their software.

The whole thing stinks and the company is hiding behind lawyers and PR reps to try and get the whole situation worked out. Basically they released a new service, and the MadLUG guys were on them in 2 days when they noticed weird activity.

Moral of the story ... don't screw with geeks ... we'll find you ... we know who you are :-)

Which is still the case and is still "required" to use their service or receive any help from their helpdesk.

I still think this stinks and is definantelly not neccessary for the service to be availalbe. I have taken screen captures of Linux, BSD, QNX, BeOS, Win95/98/NT/ME/2K/XP all running the software (even though they say it only runs on 98/2K/and XP). And I know from witnessed experience that it works on Mac OS 9&X ... basically any OS that can do TCP/IP and has DHCP support.

So not only is this software not neccessary but it seems to be some sort of ploy to promote WinBlows and crap on other OS's not just linux.

Re:Cable, DSL,, and Privacy

I work for a large (350,000 + customers) ISP, and let me assure you, this is was done with good intentions.
Have you ever tried to take someone through reinstalling corrupt DLL's over the phone? You have? OK, how about someone who can't tell the difference between the 'left' and 'right' mouse buttons? See where this is going? Most people simply don't know what they're doing, and just want it to get done - most of our customer base would be delighted if we had VNC type access to their machines.

As far as 'requirements', our helpdesk only provides support for Windows and MacOS - and the fact that we do MacOS sets us apart from most out there. Besides, I don't really think anyone running Linux should need to call the helpdesk (that wasn't a troll - I'm serious; Linux just isn't that usable yet, you need a certain level of proficiency that the average helpdesk customer simply doesn't possess)

All in all, I'm just as opposed to BigEvilCompany[tm] as the next guy, but please, think of the helpdesk techs (please)

Re:Cable, DSL,, and Privacy

[SuperDuG]

Actually I work for a helpdesk that uses VNC on a regular basis. However we have it on a network drive and is ran by the user with their knowledge ... we don't just install it on their machines ... in fact it's ran off the network ... not even local. We're in-house helpdesk ... and we take calls from Solaris, BSD, Linux, Windows, MacOS ... and all kinds of other questions ...

I'm just pissed they first deny the software is there and then don't tell you it's installed ... and always leave it on ... looks like an exploit just waiting to happen ... and looks like a real shady thing to do.

Re:Cable, DSL,, and Privacy

[andrewski]

AT&T "deathstar" broadband does the same thing. In fact, I installed their cute virtual technician software and it ended up fucking my machine up a bit. Fixable, but still annoying.

If asked about WHY companies include spyware / trojans, they usually burp something wet and smelly up about how falling revinues from banner ads (blech) etc, aren't all there. Duhhh!!! Then they point out the fact that by clicking the "Agree" button you have agreed to anything they want to do to your computer, privacy, or anal orifice. Basically, I see that in the very near future, every windows program will have built-in spyware that phones home to mamma. Even right now, limewire, gnutella, kazaa, bearshare, any commercial game demo (except RTCW, thanks ID!!!), unregistered and maybe even registered opera, and a whole glut of software I am not aware of and could care less about already have it built in.

Maybe that's what Magic Lantern is: the spyware that is included by default in most new software.

Fuck all that shit in the ear.

qwest deception

[astar]

I read the linked message in the original post and saw the phone number to call. After waiting for their normal office hours, I called and talked to a human. I asked that they not rent or sell my personal information or calling patterns internally or with their marketing partners.
The response was that the agent had removed my authorization to share that information among the different parts of qwest. This was not specifically what I asked for. So I called that to his attention and he said he would do that. On questioning about why it had not happened when I first asked for it, he said that you had to specifically ask for it.

Note that in the end, he just said he would take care of it.

I am crankish about snail spam and make it point to do my best about getting off mailing lists and I have learned there a number of sleazy companies out there. For instance, you have to not only get off a mailing list, but specify that your name not be rented or sold. Most people I think would not have caught the qwest deceit.

A good source of information on what to do about snail spam is junkbusters

Re: Stenography

[t_allardyce]

fhuweioqrywrhlfasdofuoeqr
jghgjklsdnmvxhjsohfweffhi
ueruioywerueyoryprqypwpwe
dieamericaninfidelsiwillb
ebackforthewhitehousesign
edosamabinladenjoiwejrorj
uytutuiyroiyquirywroqyiwr
rjweoirjeroewiroijwjrvvds
ewqbejrkqhrhuewqhrquirqow
uireqryupqtrghjgfhgfhjafa
keqjrbjrbuiewhruqiwurihuf

This ascii art is a conversion of a picture of the rubble at the world trade center, can anyone find the hidden message?

Steno detection=NP Complete

[neoevans]

They've done it! They solved NP Complete!

Otherwise, how would they know I haven't used my own encryption key, then another different key, to hide images in encrypted images.

I know, I know, Troll.

Here is some more info...

[cscx]

grc.com has some more info on how the FBI messed up ... again.

Note to moderators: the following has to do with Windows XP (SatanOS 5.1), so don't let that influence your moderation.

PLEASE NOTE: There is a great deal of confusion being caused by Microsoft's non-obvious naming of the two UPnP services. This situation is exacerbated by the FBI's NIPC web site, which has unfortunately posted wrong information over the holidays. People are led to believe that disabling the service named "Universal Plug and Play Device Host" disables the UPnP system. But it does not. That service is not even running by default. The correct action is to STOP then DISABLE the service named "SSDP Discovery Service".

You can demonstrate this for yourself by issuing the command "netstat -an" at a command prompt. While the SSDP Discovery service is running, Netstat will show that TCP port 5000 is in the listening state and UDP port 1900 is accepting inbound datagrams. After the SSDP Discovery Service has been stopped those Netstat lines will disappear.

Re: Stenography

[Multics]

die american infidels i will be back for the whitehouse signed osama binladen

I fear that he's got better crypto people that /. has...

:-)

-- Multics

thats the point!

[Mr+44]

encrypted data is much more random than a normal image... You can detect it because its too random...

Re: Stenography

[sbeitzel]

I tried decrypting the "die american infidels" text through the extremely strong ROT13 cipher, but all I got was this junk:

suhjrvbdeljeuysnfqbshbrde
wtutwxyfqazikuwfbusjrssuv
hrehvbljrehrlbelcedlcjcjr
qvrnzrevpnavasvqryfvjvyyo
ronpxsbegurjuvgrubhfrfvta
rqbfnznovaynqrawbvjrwebew
hlghghvlebvldhveljebdlvje
ewjrbvewrebrjvebvwjweiiqf
rjdorwexdueuhrjduedhvedbj
hverdelhcdgetuwtsutsuwnsn
xrdweoweohvrjuehdvjhevuhs

What version of MPACK do I have to use to see the naked Lewinsky JPEG?

Stego

[crisco]

I need to post some stego'd pics just so these guys can find some stuff.

Somebody should run stegdetect on color copies!

[GlenRaphael]

According to many links in an earlier /. story, color Xerox copy machines currently embed a serial number in every copy they make. So has anybody tried making a color copy of something, scanning it, and using stegdetect on the result?

Re:Somebody should run stegdetect on color copies!

Supposedly its a different dither pattern on the yellow ink. Very subtle when on white paper.

Re:Somebody should run stegdetect on color copies!

[GlenRaphael]

[regarding the information hidden by color copiers to prevent forgeries]

Supposedly its a different dither pattern on the yellow ink. Very subtle when on white paper.

Okay, that's useful information, but the question is, what does the encoded information say? And is it possible to defeat it? If stegdetect can recover the string and it's unencrypted or badly encrypted, it would be a good start to copy the same image on multiple color copiers at the same Kinko's, see what bits change in the resulting signature.

Re:Somebody should run stegdetect on color copies!

[Zillatron]

According to many links in an earlier /. story, color Xerox copy machines currently embed a serial number in every copy they make.

No boss, I can prove that I didn't use any company resources. Check the dither on the yellow ink - I ran off copies of my ass at Kinkos #3361!

How to do good steganography

[DickBreath]

If the purpose of steganography is to conceal the very existence of a message; and, a tool (stegdetect) exists which attempts to spot concealed messages; then it seems to me that if you are trying to conceal a message into a picture on usenet and on the web that you would at least run all your images through stegdetect to be sure that it cannot detect the concealed message.

Could this be why no stego messages are being detected?

Punters

[Stone+Rhino]

Only ones I know of work in chat rooms. stuff like {S con/con

It DOES run through a central server

[yerricde]

I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.

Let me tell you how AIM, IRC, Jabber, and other popular real-time messaging systems work. Alice and Bob each send name, password, and client binary hash to server. Server responds with buddy list, including presence information. Alice wants to send message to Bob. Alice sends packets to server, which processes those packets and forwards them to Bob. Now, if Alice wants to send a packet containing a sploit, the server can clean up the packet before Bob gets it.

Re:It DOES run through a central server

[karlm]

You have ignored the posibility of the attacker using raw sockets to send messages directly to the victim with a source IP faked to look like the AOL Oscar servers.

I breifly looked at the exploit code and it looks like the cient and server may be using nonces to provide very week message integrity. However, as the poster implied, non-filtered IP networks are still vunerable.

They didn't completely fix it...

[Moderator]

You can still do a font crash on someone's client. I just did 5 mins. ago.

Re:Egg Troll is going on sabbatical

Please, no! Come back!

Shaw cable does the same

[RodeoBoy]

but after the tech set up my machine I just ran ipconfig to get the DHCP etc settings and reimaged my machine. I still get the same port scan from them on a regular basis and their DHCP server send a strange option to my client, but it works and they have not complained or tried shut me down.

Re:Shaw cable does the same

[DrSkwid]

presumably that would be forty

$1,000,000 stego challenge

[Alsee]

This is a two level challenge. I have steganographically hidden data in two pictures on E-bay. The first level picture contains 32 bytes of steganographicly embedded data. The second level picture contains 256 bytes of steganographicly embedded data.

The first person to locate the first level data will receive a public congratulations on the official challenge web site. The first person to locate and correctly identify the second level data will receive ONE MILLION DOLLARS!

The 32 bytes of the first level challenge consists of a string of zeros.
The 256 bytes of the second level challenge consists of white noise.

-

Re:$1,000,000 stego challenge

[gehirntot]

The 32 bytes of the first level challenge consists of a string of zeros.
The 256 bytes of the second level challenge consists of white noise.

I hope that you will not get called on that. Many steganographic systems leave signatures and header information in the images that are completely independent of the data that you hide. That means you can detect such a steganographic system without knowing anything about the hidden data.

Furthermore, white noise in terms of randomness is something detectable, too. Most images do not exhibit random noise in their lower layers.

There is a paper by Westfeld and Pfitzmann that shows visual attacks that depend on the fact that steganographic systems leave white noise behind destroying visual structures in the lower layers.

Best excuse yet...

[karot]

...search of hidden messages in USENET images...

... for downloading alt.binaries.pictures.erotica :)

I tried stegdetect.

[leuk_he]

In an effort to make a "first post" that would be found by stegdetect i failed so far:.

Making a small image that contains "first post" with jhsteg stegdetct fails to find it.

If i make a big picture jpsteg warns it fails to insert to complete file.
By simply resizing the picture(paint shop pro) it should hide in stegdetect says:(skipped)this is likely a false positive. just because the origin is blocky.
Blurring the orginal picture solves this problem and after 3 more ties i find a ratio the jpsteg program still allows to insert and at the same time makes stegdetect bark.

Now to insert it in usenet: sh*t no usenet access from this location, and a fail to find a free service to insert a picture. Ebay needs a credit card, so no luck inserting it in ebay.

well maybe later......

Re:Egg Troll is going on sabbatical

egg troll, you can't do this!!! you are the only reason i read slashdot!! please, don't hurt your fans like this.

p.s. can i suck your cock?