1998-09-22 - Re: Stego-empty hard drives… (fwd)

Header Data

From: Sunder <sunder@brainlink.com>
To: Jim Choate <ravage@einstein.ssz.com>
Message Hash: 97a06b0d5787f582f54d5d66a4da2feecca81ee9642ababd1cdce6e2abe89c80
Message ID: <3607EB86.D71858FA@brainlink.com>
Reply To: <199809221546.KAA04142@einstein.ssz.com>
UTC Datetime: 1998-09-22 05:28:19 UTC
Raw Date: Tue, 22 Sep 1998 13:28:19 +0800

Raw message

From: Sunder <sunder@brainlink.com>
Date: Tue, 22 Sep 1998 13:28:19 +0800
To: Jim Choate <ravage@einstein.ssz.com>
Subject: Re: Stego-empty hard drives... (fwd)
In-Reply-To: <199809221546.KAA04142@einstein.ssz.com>
Message-ID: <3607EB86.D71858FA@brainlink.com>
MIME-Version: 1.0
Content-Type: text/plain

Jim Choate wrote:

> The point is that this is a weak approach with a variety of attacks open.

All stego methods are weak approaches at hiding data.  The point is to hide the
fact that there is hidden data and make it look like the notebook is a
perfectly normal unmodified notebook.  There's no perfect stego method that
cannot be detected by a determined analyzer.  You can hide all the data you
want in the low bits, but they naturally have biases (low entropy) that if not
present indicates stego (which has high entropy.)

> When one considers the amount of work required to collect BIOS'ed , reverse
> engineer them (unless you got lots of mullah), develop the crypto,
> develop the camouflage code, distribute the code, burn the ROM's, distribute
> the ROM's, cost of suitable TEMPEST monitors, etc. the benefit seems
> questionable at best.

Who the fuck is gonna run a tempest scanner on your notebook again?  Let's
stick to the scope of this: UK scans of your notebook using bootable floppies.
And tell me, if you were to modify your BIOS to get around this, WHY would you
need a tempest monitor?

Why would you need to collect BIOSes?  You only need to modify a single BIOS -
the one on >YOUR< notebook.  The camouflage code would be a few hundred bytes
at most unless you do something overly elaborate.

An EEPROM burner (which for flash upgradeable notebooks isn't needed) is fairly
cheap. JDR sold them for about $200 or less.  For flashable BIOSes this is

Disassemblers (debuggers) are fairly cheap. DOS and WIN95 come with a simple
one called debug.  BIOSes run in 16 bit mode since booting requires that PC's
run in 16 bit mode and there are plenty of books and info on 16 bit x86
programming.  You don't need to disasemble everything in the BIOS, you just
need to disable the checksum routine the bios uses on itself, and you need to
slightly modify the place that detects the size of the IDE drive to not go
beyond a certain number of pointers.

Further, PC bioses do support BIOS extensions, you generally wouldn't need to
modify the existing BIOS very much at all.  If you can add a BIOS extension,
the existing BIOS will happily run code from it.  This is how SCSI adapters
provide booting capabilities from SCSI disks.  Of course it's a bit harder in a
notebook computer, but it too can be done.

Back in the days of the Commodore 64 which had only mono sound, it was fairly
comon to piggy back and solder a second sound chip on top of the existing one
with the exception of a few of the pins, and turn your C64 into a stero
machine.  (One of the pins was an address pin, the other were sound out.)  A
similar thing might be done with an EEPROM.

The way BIOSes work is that they can be set to either detect the IDE drive size
always, or just once.  Set them to NOT detect.  They store the drive type
(0-47) and size params in the battery backed up CMOS.  

An easy, but less effective thing to do is to simply write over the CMOS data
that says X cylinders, Y heads, Z sectors/track, and modify the partition table
a bit.   You can do both from DEBUG.  You'll have to write a tiny bit of
assembly, but not much.

But again, if they bypass the BIOS and talk directly to the IDE controller,
none of these techniques - short of modifying the IDE controller or drive,
won't work.
> Even if they can't crack it in may places (eg France) such actions would
> be prosecutable in and of themselves.

You forgot to say "If you get caught." :)  With successful stego, nobody other
than the owner knows that it's there.

If you visit France and have a notebook computer, expect the Ministry of
Whatever to sneak in your hotel room when you're not there and copy your
notebook's hard drive anyway.  Such things have been reported as industrial
espionage.  (Talk to the folks on the spyking list about getting refrences.)

One thing all you fine folks are forgetting is that there are MANY MANY types
of notebooks out there.  My money says that if they can't scan Mac's they also
won't be able to scan Sparc books, Alpha Books, Newtons, Palm Pilots, and many
WinCE palmtops either.  Just buy something exotic.

You don't need to over engineer this, keep in mind: what they're using are
use-once floppies which are discarded.  A floppy at most holds 1.7Mb of code. 
This code is used to SCAN your disk for contraband.  I don't know what they
scan for, but they aren't going to be able to fit decoders for EVERY type of
file system and every file format out there.

So far the viable non-bullshit, non-fictional solutions in order of ease of

0. Don't go to the UK with a notebook computer.
1. Use FedEx.
2. Store the data on some other form of media (PC card disks, CD's, books, etc)
3. Use a non PC notebook that they can't scan, or one that can't use floppies
   or PCMCIA floppy drives in case they've got some around.
4. Modify the CMOS values in your notebook and your parition table.
5. Modify your BIOS to report a smaller disk
6. Same as 5 but prevent writes to the hidden space.
7. Have your BIOS not boot from floppies and boot only from the hard disk
   but make it look like it's booting normally, then run some sort of sandbox
   or emulator and let their software run under your code's control.
8. Modify your IDE controller or the controller card on the disk.

I say choice 0 is the best choice. :^)  Can we end this noisy thread or are
there other bright ideas?


.+.^.+.|       Sunder       |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================