Forgot your password?
typodupeerror
Encryption Security

Program Hides Secret Messages in Executables 250

Posted by timothy
from the ms-reveals-code-to-piglatinland dept.
DmuZ writes "My friend Rakan has created a new steganographic tool named Hydan which can embed messages into an executable without altering its size. He recently presented this tool to the public for the first time at codecon. This new technique was intriguing enough to get coverage on SecurityFocus.com. The code is available here."
This discussion has been archived. No new comments can be posted.

Program Hides Secret Messages in Executables

Comments Filter:
  • stenography (Score:5, Insightful)

    by JohnFluxx (413620) on Sunday March 02, 2003 @08:10AM (#5418011)
    > El-Khalil concedes that the method is imperfect -- an application that's been impressed with a secret message has considerably more "negative subtractions" than an unadulterated program, making it easy to pick out through a statistical analysis.

    Note that as far as I remember, stenography by definition is supposed to make it imposible to prove that there is data hidden there - one step further than normal encryption. It's not so much as about hiding the data as being able to deny its existance.
    One reason for this is if you have encrypted data on your disk, then courts can demand the password for it. Stenography allows you to insist there is no hidden data.
    • Re:stenography (Score:2, Informative)

      by gunne (14408)
      Steganography would be more precisely defined as "information hiding". It doesn't require that it is impossible to find the data hidden, but it tries to conceal the existence of the data.
      Cryptography on the other hand does not try to try to hide the existence of information, it just tries to hide what message is embedded in that information.
      Cryptography != Steganography, but they can be used in conjunction.
      • Re:stenography (Score:5, Informative)

        by JohnFluxx (413620) on Sunday March 02, 2003 @08:21AM (#5418042)
        er...

        Steganography requires that it is impossible to prove that data is being hidden there. (Without reference to other material, etc etc).

        From The Free On-line Dictionary of Computing (09 FEB 02):

        steganography

        Hiding a secret message within a larger one in such a way that others can not discern the presence or contents of the hidden message. For example, a message might be hidden within an image by changing the least significant bits to be the message bits.

        • Re:stenography (Score:4, Insightful)

          by sql*kitten (1359) on Sunday March 02, 2003 @08:41AM (#5418104)
          Hiding a secret message within a larger one in such a way that others can not discern the presence or contents of the hidden message. For example, a message might be hidden within an image by changing the least significant bits to be the message bits

          OK, but geeks forget that possible/impossible isn't a binary state, like 1 and 0. It's a about likelihood. Is there a 1% chance that this file contains a hidden message? Or is it more like 90%?

          One the police have "reasonable grounds", they can step up to the next level. You can deny it 'til you're blue in the face, but if they get a professor to testify that it's highly probable that there is a message there, and they have evidence that you have corresponded with other suspects ("exactly why did you send Mohammed bin Mohammed a picture of your kitten a day before al-Queda hijacked that airliner?") and suddenly your steganographic sK1Lz aren't worth so much.
          • Re:stenography (Score:5, Insightful)

            by Bunji X (444592) on Sunday March 02, 2003 @11:47AM (#5418579)
            "exactly why did you send Mohammed bin Mohammed a picture of your kitten a day before al-Queda hijacked that airliner?"

            None of your freaking business. Mohammed bin Mohammed is an old friend of mine, he wanted to see a picture of my new kitten.

            Freedom of expression, freedom of speech. No?

            Maybe a professor's testamony of "high probability" is enough to get you in deep shit over there, fortunately we still have something that reminds of citizen rights, this side of the pond.
            • Re:stenography (Score:5, Interesting)

              by sql*kitten (1359) on Sunday March 02, 2003 @12:55PM (#5418861)
              None of your freaking business. Mohammed bin Mohammed is an old friend of mine, he wanted to see a picture of my new kitten.

              You have a point. On November 12th, 2001, a 58-year old Australian woman resident in Helsinki, placed an obituary notice for Mohammed Atta in Finland's daily newspaper, Helsingin Sanomat. She was questioned by police. If I remember correctly, she had met him many years earlier, had no idea he was a hijacker, but had heard that he had recently died. But, when thousands of lives are at risk, suspicious events have to be followed up, even if it's only to eliminate them from enquiries.

              Maybe a professor's testamony of "high probability" is enough to get you in deep shit over there, fortunately we still have something that reminds of citizen rights, this side of the pond.

              Since you mention Freedom of Speech, a Constitutional right, I'll assume you're on the West side of "the pond". I suggest you look up Jose Padilla's story.
            • The picture had a caption that said, "Everytime you masturbate, God kills a kitten... and a plane full of infidels."
          • by Alsee (515537)
            exactly why did you send Mohammed bin Mohammed a picture of your kitten a day before al-Queda hijacked that airliner?

            Because he said something about wanting to get a little pussy before his trip...

            -
        • Re:stenography (Score:2, Insightful)

          by p3d0 (42270)
          And I suppose you made the leap from "can not" to "impossible"?
      • Re:stenography (Score:3, Informative)

        by jaavaaguru (261551)
        Stenography is the art of writing in Shorthand. :-)
    • El-Khalil concedes that the method is imperfect -- an application that's been impressed with a secret message has considerably more "negative subtractions" than an unadulterated program, making it easy to pick out through a statistical analysis.

      It should be easy enough to get around this. The statistical telltale is only due to the fact that El-Khalil consistently uses the same type of instruction to encode a certain bit value. Have Hydan XOR the hidden message with a secret key that produces the right distribution of ones and zeros prior to encoding the message and the problem disappears.
      • Re:stenography (Score:3, Informative)

        by Hank the Lion (47086)
        It should be easy enough to get around this. The statistical telltale is only due to the fact that El-Khalil consistently uses the same type of instruction to encode a certain bit value. Have Hydan XOR the hidden message with a secret key that produces the right distribution of ones and zeros prior to encoding the message and the problem disappears.

        I'm afraid this will not work.
        Problem is: 'normal' programs will do 'sub 50' instead of 'add -50'. If you don't want to be visible that a message is contained, you cannot change that. But if you don't change that (in about 50% of the cases), you can't hide the information! The only key that would work here would be as long as the message itself!

        The technique you propose will work to get a more even distribution of ones and zeros, but not the 'all zeros' (sub 50) distribution that is present in 'standard' programs.
    • Stenography is cool, but the outlay for one of those chording keyboards, and then the willingness to learn a whole new way of typing - is a little much. Though you do get to hear all the juicy details of a trial, you also have to worry about your job being taken by a computer with voice recognition.

      Now, Steganography, that's also cool, but in a very different and special way.

    • Re:stenography (Score:3, Informative)

      by amRadioHed (463061)
      All stenographic methods that I've heard of leave some signs of tampering. For instance, the common method of hiding information in an image file by fiddling with the least signifigant bits in the RPG values is completely undetectable to the eye, however a statistical analysis of those low bits will reveal an unnatural amount of randomness. Really this is unavoidable since most any innocent looking data is going to have some natural order to it.
  • Redundancy? (Score:4, Interesting)

    by Phroggy (441) <`moc.yggorhp' `ta' `3todhsals'> on Sunday March 02, 2003 @08:11AM (#5418015) Homepage
    It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions.

    Can someone explain to me exactly what this means? Will all i386 executable binaries have unnecessary redundancy? Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?

    If a message is embedded in a binary with this method, can another message be embedded in the resulting binary the same way, or has the required redundancy already been eliminated?
    • Re:Redundancy? (Score:5, Informative)

      by brejc8 (223089) on Sunday March 02, 2003 @08:18AM (#5418037) Homepage Journal
      Some instructions have dont care bits in them.
      You could remove these bits in order to compress the file but they occur so rarely its not worth it.
      And yes the redundency would have been used up.
    • The meaning (Score:3, Informative)

      by Anonymous Coward

      It just means that you can encode certain stuff in equivalent ways (*). Like: mov eax, 0 xor eax, eax sub eax, eax are all equivalent in functionality to zero the eax register.

      * = Taking into account flags and instruction size restrictions, etc.

      The "redundancy" comes from these facts. So, it's not size redundancy as such, and you can't remove the redundancy. It's more like permutations of the instructions are equivalent (length stays the same).

    • Re:Redundancy? (Score:5, Informative)

      by sql*kitten (1359) on Sunday March 02, 2003 @08:19AM (#5418039)
      Can someone explain to me exactly what this means? Will all i386 executable binaries have unnecessary redundancy? Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?

      It means that if you want to add 50 to a number, you can choose to do (+50) or (-(-50)). They both take up the same amount of space and do the same thing. But if you first process a program to ensure that all additions and subtractions are actually additions, then you can encode data into the list of additions by making some of them into subtractions.
      • Re:Redundancy? (Score:3, Informative)

        • It means that if you want to add 50 to a number, you can choose to do (+50) or (-(-50)).
        Actually on the x86, those two are not equivalent. They set the carry flag in opposite directions.
      • Can someone explain to me exactly what this means? Will all i386 executable binaries have unnecessary redundancy?


      The x86 instruction set has some very convoluted encodings mostly due to the various addressing modes and sometimes assumed registers. Many of the common instructions have more than one way to be encoded. You can get more information at http://www.sandpile.org/

      I believe, in fact, that *most* x86 executable streams will expose a lot of this redundancy, and therefore there should be lots of potential for this. Of course it'll drive anti-virus checkers nuts ...
    • Re:Redundancy? (Score:5, Informative)

      by BenV666 (620052) on Sunday March 02, 2003 @08:29AM (#5418072) Homepage
      Can someone explain to me exactly what this means?
      It means exactly what it says, there is more than 1 road that leads to Rome.... combining instructions in different ways leads to the same results.
      Will all i386 executable binaries have unnecessary redundancy?
      Almost everything can be done in several ways. Consider these 2 pieces of asm:
      XOR DX,DX
      MOV AX,3
      MOV BX,4
      MUL BX
      verses
      MOV BX,4
      MOV AX,3
      XOR DX,DX
      MUL BX
      Same results, same size, different order :)
      Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?
      Often the binary can't get much smaller without having effect on efficiency of the code, as far as I trust compilers that is :) (ASM rules!!! :)) I.e.
      MOV AX,A000
      MOV ES,AX
      verses
      PUSH A000
      POP ES
      Same effect while the latter saves 1 byte in code.
      • Re:Redundancy? (Score:4, Insightful)

        by Ninja Programmer (145252) on Sunday March 02, 2003 @08:34AM (#5418089) Homepage
        In your examples, if there is are jump target in there somewhere they won't work. Remember that these are binary recompiler tools -- the source is not necessarily available, and it might not be decompilable to find all jump targets.

        The second example has the additional problem of having a different side-effect on AX and possibly stack faulting.
        • Yeah, even a simple piece of Z80 code (16 kilobytes) like the Pacman ROMs can take a few days for a human to decode properly getting out all the jump targets (which are cunningly held in various tables; executing the code with a tracer helps tell the difference between code and data but a lot of manual work is required), although compiler-generated code should be more tractable.

          If you have control of the linker though, you can on normal systems arrange the object files in n! ways which is enough to get going on (as I said online 15 years ago). That should be safe unless you have a linker bug or a really nasty address releated program bug (I hate those!).

      • Re:Redundancy? (Score:2, Informative)

        by erc (38443)
        PUSH/POP is significantly slower than two MOV instructions on an x86, though...
    • Re:Redundancy? (Score:5, Informative)

      by etcpasswd (641551) on Sunday March 02, 2003 @08:30AM (#5418078)
      From my understanding, it appears that he chooses a complentary pair of instructions: addition-subtraction. Then you designate "1" to addition instruction, and "0" to subtraction. So, if you look at only these instructions, your executable can contain a binary string (addition and subtraction instructions).

      Now what the author does is, alter the original binary string to that bit-string data of our interest (of the same length). This process requires flipping of instructions. For example, if some instruction is addition (1), but your data requires it to be (0) bit, you change the instruction to subtraction, and change the operand to a negative of the original value. Same applies to flipping a '0' to '1'.

      Addition-subtraction works because there are no overflow issues (atleast with signed ints). Since this is also a very common operation, your executable is likely to be large enough to "hold" sizeable data.

    • Re:Redundancy? (Score:3, Informative)

      by SomeGuyFromCA (197979)
      It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions.

      Can someone explain to me exactly what this means? Will all i386 executable binaries have unnecessary redundancy? Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?


      You're confusing redundancy in the program (extra instructions executed) with redundancy in the instruction set (extra instructions available).

      The i386 set has add and subtract instructions where only one is strictly needed. From what I've read, this tool works by changing a sub 50 to an add -50, taking advantage of this. (Or a add 30 to sub -30.)

      The problem is, no person or complier would write code this way unless they had a particular reason to. Such as hiding something.
  • by rediguana (104664) on Sunday March 02, 2003 @08:14AM (#5418020)
    if you are using a relatively common binary. Then you just have to compare the MD5 checksums against a known-good (known-bad in MSFT's case ;P ) to identify a binary that could possibly contain encrypted data. Would it then be too much harder to go back through and disassemble the two and pick out the differences and hence identify the bits?

    Novel idea though!
  • How long... (Score:5, Funny)

    by ymgve (457563) on Sunday March 02, 2003 @08:17AM (#5418029) Homepage
    ...until somebody embeds "seineeW erA sreenignE epacsteN"?
  • by Anonymous Coward on Sunday March 02, 2003 @08:17AM (#5418032)
    Add -ldl to the LDFLAGS in the Makefile.
  • by Ninja Programmer (145252) on Sunday March 02, 2003 @08:17AM (#5418033) Homepage
    This is a well known technique that was used in the mid-80s by Eric Isaacson in his product "a86". See here: http://eji.com/a86/

    Eric Isaacson used the technique to mark executables, so that he could determine if they were created with an unregistered copy of a86.
  • by more fool you (549433) on Sunday March 02, 2003 @08:22AM (#5418048) Journal
    so how do i add my 6MB ogg to the 526K ls?
  • by Bender Unit 22 (216955) on Sunday March 02, 2003 @08:36AM (#5418091) Journal
    Hiding messages within messages are used often in many contexts, like the radio broadcasts in WW2 sending "birthday greetings" among other things [slashdot.org]
  • The most interesting and difficult part I get from this is how can you be sure that the modifications are not done in DATA or in executable format headers (ELF eg).

    I would recon you would need to be able to disassemble the whole thing before being able to make modifications. Otherwise you could touch static data (vars initialized in the code) or the executable format (some of the metadata about the executable, the ARCH field in and ELF binary eg).
  • Err. Presumably you can not actually sign the parts of the code that Hydan is changing (those integer additions), unless you convert all of them back to standard addition before doing the checksum.

    Then when verifying the signature, you have to *revert* all the negative subtractions back to additions before re-doing the checksum and comparing the results. Ouch.

    Unless you use a block checksum like rsync, of course. Imagine doing this on a huge executable - how big is word.exe anyway? Have not used it for years.

    Regards,
  • by nurb432 (527695) on Sunday March 02, 2003 @09:12AM (#5418152) Homepage Journal
    Just kidding, but you KNOW that's how it will be viewed by the 'outside'..

    I bet the get shut down, under the patriot act, before you can say 'what's that knock at the door'..
  • by CoderByBirth (585951) on Sunday March 02, 2003 @09:38AM (#5418190)
    ...but why?
    Why would I want to hide messages in my executable files?
    Because I'm a secret little squirrel who just in general likes to hide stuff, like INSIDE other stuff?
    • Human rights groups in countries with authoritarian governments are often persecuted, their computers confiscated to get the names of their informants. Generally encryption (PGP/GPG) is sufficient in these cases to protect their data - unless the government is evil enough to torture them to reveal their private key/passphrase. In cases such as this, steganography allows plausible deniability.

      For more information on the uses of encryption in human rights organizations, read these letters [mit.edu] to Philip Zimmermann [mit.edu] (the creator of PGP).
      • by peter (3389)
        Hydan doesn't give you any deniability, does it? I just read the artice; I haven't tried the program, but if you use a well-known method of embedding info, it's not very steganographic anymore. The bad guys can just run hydan on your executables and see what comes out.

        If you want deniability even in the face of torture, you want rubber hose [rubberhose.org] crypto. You might also want to use an authentication method more complicated than a password, so they'll have to torture you in the computer room instead of the dungeon, and they can't break your fingers or damage your higher brain functions.
    • It's a cure for Microsoft bloat. Microsoft has tried many things to make their file system work and their code fit on affordable machinery despite it's needlessly huge size. They've tried changing the file system itslelf, actually changing a few constants in their source code to make FAT into the 32 bit VFAT that is now most common. They even pulled out their old patented stand by NTFS, which they ordinarily reserved for "professional" use only. In their extreems, they even considered making the entire file system into a database but the database was just as swamped with M$ bloat and user ineficiencey and it worked even worse than before. Then it came to them.

      Redundancy was the problem and redundancy was the answer. Microsoft realized that their operating system was simply a 32 bit GUI bolted onto a 16 bit extention of an 8 bit OS. Their code, when viewed in this light was massivly redundant and users could fit their data inside the code itself! They could even fit code within code this way. So, in this way, the engineers have saved the company from the marketing department without confrontation.

      It's a joke, laugh.

  • I followed the readme file right up until the last item in Future Plans. Can someone explain this to me:
    - Replace length fields with two fields (length of length, and length) to avoid attacks on stream cipher.

    Attacks on stream cipher?

  • by racerx509 (204322) on Sunday March 02, 2003 @10:27AM (#5418323) Homepage

    I'm not so sure about hiding messages in executables, but there were two interesting messages hidden in the n64 game The new tetris [ign.com]. The messages were hidden in 00B8FF90 of the US ROM. They were also in the PAL rom about 2k further. Anyway, here it goes:


    ****START MARTIST RANT**** I must say, this was a fun time coming down to San Francisco to do The New Tetris. Allthough there were a few problems. First of all being our producer.. D*N, my god.. is this guy useless or what?? I don't hate you D*N.. but you SUCK, and I mean SUCK as a producer. You should go back to testing video games, but I doubt you could even manage that properly. I feel sorry for you. During this project you just sat around and played video games.. starcraft and everquest. Don't even deny that.. when you WERE working, it was making stupid Excel (tm) spreadsheets to try and tell me how many bugs I had left to fix on a graph.. like WTF is that??? who cares.. I have the bug list in front of me, like I need to see it in freaking technicolor. So D*N, I must say this.. hold onto, and fake your job while you can, because once they find out how truely useless you are, you will be out of a job. I cannot think of any skillset you would fit into in this industry, so you better hold on tight. (This guy thought I could save a name in 8.4 BITS.. like umm.. .4 BITS?? WTF is .4 BITS?? its either ON or OFF, not in between... anyhow, Enough about you though. To Nintendo.. It has been nice working with you.. Alot of you are great or were great. Tom 'Snoop Dog' Hertzog - you were great.. one of the nicest people I have ever met at Nintendo. You and your crews bug testing was outstanding and I commend you for the excellent work. Erich Waas - You know we have been friends a long time, but I must say this. After you had accepted the ART form for The New Tetris, and later on your higher ups said it was not UNISEX enough, you slapped the blame on H2O, Chris Bretz in particular. You did not have the balls to accept blame for your mistake, and stuck our entire team under IMMENSE stress and FRENZY. This to save your A$$ from getting in trouble at Nintendo. I still like you Erich, which is more than I can say for the rest of the team that you screwed because of this. But I guess your standing at Nintendo is more important than the friendships you had here. You always knew we had telent and you recognized that. I know you wanted to work with us again one day maybe outside of Nintendo, I think you screwed up those chances though. While I am screaming.. I might as well say this: Niel Voss.. your music is freaking KICK A$$.. you are one really damn talented boy. BUT, you are one of the laziest music guys I think there is You could go far if you wanted to, but you just lack the GO for it. It is a shame. I wish you all the luck and would reccomend you to ANYBODY just because even though everything is last minute, and like pulling teeth, the end result is AMAZING. I am leaving H2O after this project to work at 3DO. I hope this will be a good move for me. I love H2O, As amazingly disorganized of a company it is. I LOVE the people, I have so many good friends there. It will be hard to move on. Of course they will stay my friends. They were more than just co-workers.. they were FRIENDS. They were the people I lived with, spent my days and nights with.. went to bars with, camped with, drank with (alot), did other bad things with (wont elaborate ). They are true great friends, and I love them all and will miss them dearly. Allthough Vancouver is only a 2 hour flight away, I hope I can visit often. My best friends would include. Ross, Max, Scott, Jake, Bretz, Roland, Johnny, Sarah.. these are the people I love the most. And I wish you success. My 4.5 years at H2O were basically, making games.. drinking alot, playing pool alot, going to bars and raves and dancing while really screwed up in the head. THAT HAS TO BE THE MOST FUN I HAVE EVER HAD, and probably ever will. The good old days. These guys are in Vancouver right now because I got stuck finishing this project in San Francisco (Which by all means I LOVE and am staying (hence 3DO)) Well boys and girls, I just thought I would immortalize some thoughts I have at the moment into a rom which will be burned forever. This game sucks. The music is great but the game itself is not how we wanted it unfortunately. I mean, it is a good game, but some things could be polished, as well as sped up. Could use another month to finish this thing off AFTER all the bugs are fixed. oh well, woh is me. I would love to give special loves and kisses to the following. My Girlfriend Amy Bond, My Family (Joy, Allyson, Jon Pridie, Brant Sangster), My really really best old friends Selim Arikan, Cory Haberly, Jason Vasilash, Alfred Huger, Oliver Friedrichs. Goodbye H2O, it was a blast, and I mean that with all my heart. (C) 1999 July 1 David Pridie If you are reading this, you can obviously see this disclaimer. All this material belongs to David Pridie. If you find it and want to post it in ANY media format, you must get my permission or feel my wrath . This text if it is ever read, is intended to be read by hackers whom have dumped the contents of this rom and viewed it. That is ALL it is for. And maybe some of them will remember me from the C64 and PC days, Martial Artist of PE/TDT/RAZOR 1911/INC/FLT/TRN/FBR, I was in them all.. and I made trainers and intros mostly. I thank that scene for teaching me how to program, because without it I don't think I would be where I am today. Well that does it 4.5 years and Two games later (Tetrisphere and New Tetris). Unfortunately I wont be working on Nomans Quest.. but oh well. HAPPY CANADA DAY. ******END MARTIAL ARTIST RANT ******

    *****START LUPIN RANT FOR 50 MOST HATED THINGS*****1] Idiot teens hanging out in front of 7'11s, KFC, McDonalds, Jack In The Box etc... Your life REALLY SUCKS if that's the high point of your day...2] A$$holes who spit on the sidewalk.3] Drivers who don't know how to use a turn signal. I can reach mine with my pinky while driving. It's not that hard.4] Teens with their pants around their a$$.5] People with personalized licence plates.6] BMX bikes.7] People panhandling me. Get a job losers! McDonalds is always hiring!8] Bums with dogs. I'm sure the dog loves eating cheese from old pizza boxes.9] The cheeseheads from asia who take a Honda Civic, slap some stickers on it, put a muffler on it that makes it sound like a riding lawnmower, a ridiculous sized fin on the back and think they have a formula 1 racer. 'Devastating Power!' my a$$!10] The same idiots who then drive their 'hot' civic like they are in the Indy 500 through busy traffic.11] The huge complex hairdos on african american women, 5 layers, 6000 curls, 4 sprouting areas, 200 dangling bits, 6000 beads, air conditioning and enough hairspray in it that it wouldn't move if Hurricane George hit it.12] People with Kleenex, plants, knitted blankets, stuffed animals, or lacey things in their cars rear window. I should be allowed to pull over and shoot them.13] People on the bus who talk so loud your forced to hear about their pointless lives.14] Crappy parkers who park their car REALLY close to the painted line so that you have half a foot to get out.15] Those old cars (ie, Cadillacs, Lincoln Town Cars, etc...)usually white for some strange reason... with the acient driver who always drives WAY under the speed limit.16] People who write a cheque for a $2 bag of nachos at Safeway.17] Corvettes, Comaros and Firebirds. Come on, the 80s are OVER!18] A$$hole tailgaters.19] Idiots who think they can pedal a bike as fast as a car, so they ride in the middle of a traffic lane. You should be allowed to run them over, it looks like natural selection to me.20] Teenagers on television news reports expressing their opinions on something. If your under 18 I don't give a sh1t about what you have to say...21] The singer Brandy, Celine Dion, all the divas....22] Twits who wear a huge parka outside when its sunny and a mild 5-10 C. The same thing goes with the whole scarf thing.23] Muni busses that smell like urine. Which is most of them.24] Corporate Broadcasting logos in the corner of the channel your watching.25] Web pages that pop open other pages and windows and then disable your 'back' button.26] People who walk around with a huge 'portable' stereos blaring, sharing their music with everyone around them. Usually crap rap.27] Junk mail.28] Peice of sh1t cars that spew out huge noxious clouds behind them.29] People that throw out huge items on the curb expecting the garbage people to remove it. Like old dirty matresses. They don't of course, and it sits on the curb for weeks.30] Budweiser beer and the people who drink it. I'd rather suck the piss out of a pig... Its time to poison the bud.31] Drivers who turn onto the road RIGHT in front of you causing you to slam on the brakes, even though there is no one for hundereds of feet behind you.32] People who drive 3/4 in one lane and 1/4 in another... what the hell is that????33] Religous people who push their drivel on you when your walking down the street. Or come knocking on your door.34] Dead web page links and 'Document not found' errors.35] Racisist people and the crap they spew out.36] Those stupid add banners from Geocities on the Internet when you hit someones home page going through them...37] All country music.38] Minivans.39] People who spray paint their names on rocks, signs, trees etc, in national parks. Like I care that Bill graduated in 86.40] Small yappy 'feeder' dogs. Like little Yorkies, poodles, etc...41] People in the fast lane who drive just 2 km/hr faster than the guy in the 'slow' lane, dawdling along.42] Film crews making bad movies most people doent want to see blocking the streets and being annoying.43] Big fat bugs that splat on my windshield.44] Those really tight spandex cycling pants on men, they are usually sooooo tight, you can tell if they are cirumcised.45] Those really tight spandex cycling pants on 90% of the women. Big fat a$$es and *wiiiiiiiiiiiiiiiiiide* camel toes.46] Those really annoying commericals from Rogers Cable that tell you all about the 'evils' of satalite tv and how lucky you are to be getting cable for a mere $65 a month.47] Commercials that are SO bad on tv, you have to wonder about the sh1t for brains who thought them up. Like the Old Navy commericals, or the old as hell commercial for Sarah Lee, that is STILL ON THE AIR, 'let them eat cake' and 'But Patrick, I'm to old for life insurance.' Shoot them ALL!48] Losers that listen to totally cheezy radio stations and then slap dozens of their stupid stickers all over thier car.49] Lilith Fair. I say when they are all hugging, listening to the music, sharing tampons, and bitching about how evil men are, toss in a few hundered grenades while recording it on camera. Sell the video as a 'To Hot for TV' tape late at night.50] Cheap a$$ manufacturers of DVDs who list as 'features' chapters, interactive menues, and the time. These arent features. Thats like calling your computers keyboard a 'feature'. Lame a$$ marketing people.51] DVD manufactureres that sell their DVDs for $40 and up, just because they know people will pay for it. DVDs have actually become MORE expensive than when they first came out.52] Nintendo and everything about them.53] Old people who clog up the sidewalk walking super slow when you want to get somewhere.54] Looking at demo-reels at work that are so incredibly bad, that I just want to call them up and tell them to go f*ck their demo reel and to never EVER send another one out to anybody. EVER.55] Spiders. All spiders. Everyone of them.56] How on the Nintendo 64 game machine, half the damn titles for it are called 'miscvidgame 64'. Why not come up with a real name? Why is everyone just slapping a 64 on all the games?**********END LUPIN RANT******** I got these rants from dextrose [dextrose.com]

    • Wow... no wonder Nintendo went to a disc format. If two more employees decide to bitch they're not going to have any place to put the game.

      It's cool to see a scener in game development, though that's where I figured most of them settled. I'm not surprised with his discontent towards the development process; with the amount of ingenuity and dedication that goes into (went into?) intros/demos it's got to be a shock to hit a corporate environment and have somebody tell you "It's good enough as it is" when you're working on your project and ship it out the door.

    • Unfortunately, David Pridie, aka. Martial Artist, the programmer that wrote the first message, "passed away very suddenly on the morning of Friday, January 12, 2001. He died in his home, listening to music and playing a computer game. An attack of bronchial asthma was established as the cause, something which he had complained of the past week or so before. "

      "At the time he got himself and H2O in quite a bit of hot water with Nintendo. He figured it was his small piece of immortality"
      He was right

      http://www.pridie.org [pridie.org]
  • by Midnight Thunder (17205) on Sunday March 02, 2003 @11:07AM (#5418452) Homepage Journal
    This like any solution is not fool proof. The catch is if you have managed to get hold of both the orginal and the modified copy. A quick MD5 check will reveal that both are different and could lead someone to suspect that something has been done. Now which one is the modified version? You could do this using a statistical method, by finding out which occurrence appears more often on the net. So to achieve the trick correctly you need to make the modification to an executable that does not exist on the net.

    Another method to detecting an executable that contains hidden data is to work out whether the executable uses the most unusual method of implementing its assembly.

    Of course just like in the film 'A Beutiful Mind', you could just end up seeing encrypted data left right and center, whether or not it is really there.

    • Another method to detecting an executable that contains hidden data is to work out whether the executable uses the most unusual method of implementing its assembly.

      You're very close with your second paragraph -- this is basically the correct answer, but I'll just clarify it a bit:

      Compilers usually mark the executable with their name. I know GCC does this; I'm pretty sure it's part of the ELF standard. Knowing this, you can tell what code would be generated by the compiler and/or linked-in libraries; any other code in these regions would indicate tampering. Two examples:

      1. Check all library functions, including startup/exit and DLL-load functions. If these functions are different, then you've found a steg. Of course, some of these functions (usually those not in pure assembly) will change with compiler versions, so there are multiple non-steg possibilites.

      2. Check the function start-up code. If, for example, a compiler adjusts the stack by subtracting a fixed value, then if you ever see it add the negative value here you found a steg. This is so simple, it's unlikely to change between compiler versions.

      You could also check the above two regions for self-consistancy. If the function-start code varies between functions, then maybe you've found the steg.

      The big exception here is when code from different compilers is linked together. This usually happens only when you've got a closed source library. Summary: "unusual" is easy to detect for a given compiler.
    • Way back when, there were file-infector viruses that took care to ensure that they didn't alter checksums, to avoid "file has changed" virus checks; couldn't advanced steno do the same thing?

      Or could it fake a match to "what if this .EXE has been run thru some popular recompiler" ??

      • Not in this day and age, because everyone uses strong hashes. I suppose the error-detection code that they preserved was CRC-32, or an checksum (add up all the bytes). There is no known way to efficiently figure out how to change a file without changing its MD5 or SHA1 hash. Any cryptographically strong hash will make undetectable modification computationally infeasible.
    • by Reziac (43301) on Sunday March 02, 2003 @12:10PM (#5418670) Homepage Journal
      "Of course just like in the film 'A Beutiful Mind', you could just end up seeing encrypted data left right and center, whether or not it is really there."

      On second thought, I have another idea: make a huge file that is nothing but stenographic data. Hide an executable in it. ;)

      Actually, for stuff like DeCSS, that may not be so farfetched. :/

  • by Mostly a lurker (634878) on Sunday March 02, 2003 @11:35AM (#5418532)
    ...the Declaration of Independence in a single copy of Microsoft Word

    Surely, a declaration of independence should be stored in a non Microsoft product.

  • by zulux (112259) on Sunday March 02, 2003 @12:40PM (#5418795) Homepage Journal

    I hide all sorts of stuff in my C comments.
    Nobody can detect them in my executables.
    HA! I'm so sneaky!

  • Microsoft has been doing this [ganns.com] for ages

    ;)

"Indecision is the basis of flexibility" -- button at a Science Fiction convention.

Working...