Re: [Full-disclosure] Re: Case ID 51560370 - Notice of ClaimedInfringement

From: Scott Edwards (supadupa_at_gmail.com)
Date: 04/09/05

    Date: Fri, 8 Apr 2005 21:18:41 -0600
    To: full-disclosure@lists.grok.org.uk
    
    

    On Apr 8, 2005 10:50 AM, Jason <security@brvenik.com> wrote:
    [snip]

    > I think that entirely depends on the format the file is distributed in.
    > You could take a zipfile and pad it in non critical areas to change the
    > MD5 without creating a substantial difference in the deliverable
    > content. You could do the same with gzip or bzip formatted files. You
    > could also pad any embedded jpeg images to engineer a collision. There
    > are quite a few opportunities where this method could be used to twiddle
    > the new MD5 without materially changing the content.
    >
    > Here is the case I am thinking about.
    >
    [snip]

    You can always use steganography
    [http://en.wikipedia.org/wiki/Steganography]* for purposes of causing
    the MD5 to change. There doesn't even have to be valid data to hide
    in what I'll just reference as the "steganography metadata stream".
    The key is to allow both copies to appear to operate the same, but are
    clearly different when compared byte for byte. bitmaps, lossless or
    lossy, just modify a few pixels. Find something that's not being
    utilized, and modify it so the data type is still ok, but the data is
    ever-so slightly different. Just think about crafty viruses like CIH
    that relocated itself in unused areas in the executable.

    After this, you'll have a hard time discerning between the originals
    and the fakes. You'll have more ground that'll need to be researched
    to see if every varying signature is liable as a claimed infringement.
    Even if it's distorted, it's still plausible as a protected work - but
    to what degree I can't say ** (how much milk does plain water need to
    be to become milk? at what point isn't it water anymore?). Granted,
    exclusive use of tainting the signature weakens P2P, as this is a
    relative dependency.

    Aside from all this, it's best to avoid the appearance of evil. I
    won't vouch for anyone else's actions, but *do* exercise caution.
    (caveat emptor, no two ways about it).

    * Edit+Improve this article if you can.
    ** That's right, it's a security/disclosure mailing list - not an open
    legislative discussion one.

    I hope you've enjoyed my comments - and if not, no loss for me.

    Thanks,

    Scott Edwards
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
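
Added example, not part of the original message: a check that treats two ZIP archives as the same when their member contents match, even though container-level padding (here an archive comment and different timestamps) gives them different MD5 values. The member names, sample data and the functions `build_zip`, `file_md5` and `content_digest` are constructed for this illustration.

```python
import hashlib
import io
import zipfile


def build_zip(members, comment=b"", date_time=(2005, 4, 8, 0, 0, 0)):
    """Build an in-memory ZIP from a {name: bytes} dict (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
        zf.comment = comment  # container metadata, not part of any member
    return buf.getvalue()


def file_md5(blob):
    """MD5 over the raw archive bytes, as a byte-for-byte file match would use."""
    return hashlib.md5(blob).hexdigest()


def content_digest(blob):
    """SHA-256 over sorted (name, decompressed data) pairs.

    Archive comments, timestamps, member order and compression settings
    do not influence the result; only member names and contents do.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            if info.is_dir():
                continue
            # Fixed-length digests keep the name/data boundary unambiguous.
            h.update(hashlib.sha256(info.filename.encode("utf-8")).digest())
            h.update(hashlib.sha256(zf.read(info)).digest())
    return h.hexdigest()


# Constructed samples: same members, different container metadata.
MEMBERS = {"readme.txt": b"constructed sample text\n", "data.bin": bytes(range(64))}
ORIGINAL = build_zip(MEMBERS)
VARIANT = build_zip(MEMBERS, comment=b"padding", date_time=(2005, 4, 9, 12, 0, 0))
# Constructed sample whose member content really differs.
DIFFERENT = build_zip({**MEMBERS, "data.bin": bytes(64)})

if __name__ == "__main__":
    print("file MD5 equal:      ", file_md5(ORIGINAL) == file_md5(VARIANT))
    print("content digest equal:", content_digest(ORIGINAL) == content_digest(VARIANT))
    print("different content:   ", content_digest(ORIGINAL) == content_digest(DIFFERENT))
```

This only covers padding of the container. A change inside the payload itself, such as a few modified pixels in an image, alters the member bytes and needs similarity matching rather than an exact digest.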

