MD5 (was Re: Antivirus software will ignore FBI spyware: solutions)

Bill Stewart bill.stewart at pobox.com
Mon Dec 3 10:48:14 PST 2001



>> > Some interesting tips (bottom of this message) for detecting FBI/SS
>> > snoopware that NAI/McAfee is now assisting the FBI in installing.
>> > I especially like the idea of "type hundreds of random key strokes and
>> > see which files increase in size." (Or just look for any file size
>> > changes, as most of us type tens of thousands of keystrokes per day.)

Especially on Microsoft OSs, it's too easy to create logging
that doesn't look like a regular file for which you can watch
size or checksum changes.  Hidden files are trivial to use,
though many utilities ignore their hiddenness,
but with more work any good virus-writer can do a better
job of hiding a file.  Or you can find things that are
always changing for obscure Microsoftish reasons,
or look like devices that can't be checksummed.

Or you can store the data in the "unused" space at the end
of the last block in a file - especially as disks get larger,
disk blocks also get larger, so there's more space at the ends,
and any utilities that are checksumming files won't notice,
because it's not in the file.  Or you can store the data
in "unused" disk blocks, if you can keep the file system from
reaping them, though diskwipe utilities will occasionally catch these.
The unused block space _might_ sometimes be hidden or overwritten
by encrypted file systems, if you're using them; YMMV.

At 12:45 PM 12/03/2001 +0000, Gil Hamilton wrote:
>What techniques could be used to do this?  MD5 has some weaknesses,
>but creating collisions still is not trivial.  Unless you know
>something I don't.

Hans Dobbertin's work a couple of years ago makes MD5 sound pretty shaky,
but you could also use SHA-1 for your checksums,
or your favorite non-crypto fast checksum.
But that's more work than the Fedz will bother with;
much easier to hide stuff on Windows than to hack checksums.
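
An added illustration of the slack-space point in the message above (not part of the original post): a small in-memory model, with an assumed 4096-byte block size and constructed sample data, showing that a file-level hash is unchanged when only the bytes after end-of-file change, while a hash over the whole allocated blocks is not. The helper names are hypothetical, and SHA-256 is used here rather than the MD5 or SHA-1 mentioned in the thread.

```python
import hashlib

BLOCK = 4096  # assumed allocation-unit (cluster) size for this model

def slack_bytes(size: int, block: int = BLOCK) -> int:
    """Bytes between end-of-file and the end of its last allocated block."""
    return (-size) % block

def allocate(content: bytes, slack: bytes = b"") -> bytes:
    """Model the blocks backing one file: content, then slack, zero-padded."""
    room = slack_bytes(len(content))
    if len(slack) > room:
        raise ValueError("slack data exceeds the space after end-of-file")
    return content + slack + b"\x00" * (room - len(slack))

def audit(baseline: bytes, current: bytes, size: int) -> dict:
    """Compare a file-level hash (first `size` bytes) with a block-level hash."""
    h = lambda b: hashlib.sha256(b).hexdigest()
    return {
        "file_hash_changed": h(baseline[:size]) != h(current[:size]),
        "block_hash_changed": h(baseline) != h(current),
        "slack_changed_bytes": sum(
            a != b for a, b in zip(baseline[size:], current[size:])),
    }

if __name__ == "__main__":
    content = b"A" * 5000                      # constructed sample file body
    before = allocate(content)                 # baseline taken when trusted
    after = allocate(content, b"x" * 300)      # same file, slack now in use
    print("slack available:", slack_bytes(len(content)))
    print(audit(before, after, len(content)))
```

On a real disk, slack often holds stale bytes from earlier files, so the useful check is a comparison against a trusted block-level baseline rather than an expectation of zeros.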










More information about the cypherpunks-legacy mailing list