File change detection utility for Win 9X/ME

[Nick FitzGerald]

"A one-way hash function has many names: compression function,
contraction function, message digest, fingerprint, cryptographic
checksum, message integrity check (MIC), and manipulation detection code
(MDC). Whatever you call it, it is central to modern cryptography."

"MD4 is a one-way hash function"

"MD5 is an improved version of MD4" [1]

So you define something[1] by using a technical shorthand that obscures the
actual meaning?

Unlike my contribution, yours is not exactly helpful.

To a cryptographer, the expression "MD4 is a one-way hash function" is
perfectly meaningful and correct, but that is because cryptographers
understand, through their training and immersion in the associated
jargon that "one-way hash function" means something nearly totally
different from what a commonsense (i.e. not cryptographically expert)
interpretation of the term suggests.

Thanks for playing, but if your sense of clearing things up is to
further confuse them, please think twice before chipping in again...


--
Nick FitzGerald


[1] BTW, quoting Schneier out of context earns you a supreme tosser
award rather than brownie points...

 

[Nick FitzGerald]

ordinary checksumming will detect viruses for obvious reasons. ...

Actually, no...

Assuming by "ordinary checksumming" you mean simple CRC-like
approaches (otherwise I see no significance to your subsequent
differentiation between of "cryptographic hashing"), there are
some parasitic binary file infectors that pad their victims so
the infected file returns the same CRC as pre-infection.

Also, unless special measures are not take to prevent such
subterfuge, "ordinary checksumming" will not detect viruses that
employ various kinds of stealthing techniques.

... for
intrusion detection and file / system integrity verification, you really
need cryptographic hashing and secure storage of the hashes.

Oh no -- you need much more than that. Most crucially, you need
a verifiably "unaltered" I/O channell to the content to be checked
and to the recorded "pre-infection" state of the files.

tripwire is good.

For some things, but used naively (as you described in another
post) it can be as misleading as most of your comments in this
thread...

 

[Gnome de Plume]

For your information, formal technical terminology NEVER users such
terms as "dumb". At least in my day, such amateurish and derogatory
terms were frowned on.

md5 is not a dumb checksum, but that's a whole different thread.

however, this group is anti-virus, and other than threads on virus
coding, this is all applied science. thus informal words like "dumb
whatever" are perfectly valid. don't get a big head, just cause you
read Visual Basic in 24 hours.

"dumb terminal" ... "dumb modem" ... the list goes on and on.

michael

 

[Gnome de Plume]

To a cryptographer, the expression "MD4 is a one-way hash function" is
perfectly meaningful and correct, but that is because cryptographers
understand, through their training and immersion in the associated
jargon that "one-way hash function" means something nearly totally
different from what a commonsense (i.e. not cryptographically expert)
interpretation of the term suggests.

Thanks for playing, but if your sense of clearing things up is to
further confuse them, please think twice before chipping in again...

one-way has jack shit to do with the ability to brute force. this is
common sense, not an obscure, arcane crypto term. we will take DES as
an example. let's say we have the plaintext and the cryptotext. if DES
is cryptographically secure, we can't derive the key from the
aforementioned text. THAT is a ONE WAY or trapdoor ONE WAY function.

i'm going to have to write your post off as simple trolling. Schneier
writes books on APPLIED cryptography, i.e. crypto for the layman. it's
not a theoretical book like Koblitz's and books on crypto (which i've
read also).

i'd have to question whether you have ever taken a single college course
on number theory or other math. stop trolling, and start contributing.

<PLONK>

michael

 

[Zvi Netiv]

If you had brains enough to read the subject of this thread you would
have seen that it says "File change detection utility for Win 9X/ME".

I saw the subject, but to be honest, I couldn't resist the pleasure of pushing
your buttons. ;-)

Don't ASSume that others are as dumb as you are. Some may be astute
enough to understand that one mode of F-comp is indeed a type of
integrity checker. The other mode is not.

Now you are bragging. Since when do the probing for time-date and file size
constitute "integrity checking"? A simple find-first find-next call will get
you these!

That's the old fashioned and dumb way. Far better to include Help or
Info pages right in the program.

You are far too dumb to even understand how dumb your above statement is.

For your information, formal technical terminology NEVER users such
terms as "dumb". At least in my day, such amateurish and derogatory
terms were frowned on.

I understand that your bruised ego is speaking here.

It's a 16 bit DOS program written in QB 4.5 mixed with assembly
language.


It makes perfect sense if you have a clue. The interrupt services I
use to get the required detailed multiple file date information and
LFN info are not available in pure DOS.

Plain nonsense! Learn how to use Ralf Brown's interrupts list.

Good. That's what it's designed to do in the case of DOS. For those
who don't read subjects of threads like you, I'll probably add a
simple Windows version check as well.

Simpler, compile it as a DOS program. It will then run under both DOS and in
all Windows versions DOS box.

So according to Zvi, apps that don't run in plain DOS don't have any
value. Whatta clown

I see I touched a raw nerve ... ;-)

What's the "logic" of any program not designed for NT based OS? What
kind of a dumb question is that?

Not dumb at all. Why shouldn't your program run in XP's or W2K's DOS box too?
You provide the true answer below: You simply lack the knowledge of how to
write a real program

Windows allows you to kill DOS windows simply and easily, so you're
never "stuck". So fix your goddam mouse problem then

Rubbish. The true reason is that you have no clue how to handle keyboard
commands. ;-) BTW, my goddamn mouse is just fine.

Additional files? The number of files created is limited by the number
of file extensions chosen to check. Once both modes are used, there is
no further increase in the number of files created.

Not indended to be used in those ways. Period.

Crap. The true answer is that you don't have the slightest idea of one of the
most basic procedures in programming, namely handling errors! Ignorance is no
sin, but being both ignorant and pretentious is criminal.

Hey, you're the clown that was not that long ago in here pushing
informal Windows scanning methodology for NT based OS. I'll throw your
argument right back at you. If something works most of the time or at
least some of the time, then it's not valueless.

I still am pro informal scanning, and for what it's worth, informal scanning is
now the ruling method for cleaning. What would you call running Sysclean and
Stinger from safe mode, if not informal scanning? Or Spybot,S&D, AdAware,
HijackThis, etc.? As a matter of fact, informal scanning is the only way to
achieve full recovery for reasons that I explained elsewhere.

Yet YOU are inconsistent in your arguments. Are we (the readers) to deduce from
the above paragraph that you object to informal scanning? If so, then please
explain to us how should your silly program be run on a Windows 9x/ME platform
in formal scanning mode? (which is plain DOS!)

You finally got something right. I'm too old to be interested in
Wndows GUI programming and keeping up wirth the rat race. Been there
and done that.

Not being a kid myself, I don't buy that argument. I was well over 50 when I
wrote my first program, and that was a long time ago.

LOL! You don't have in mind your own products, Im sure

As a matter of fact, yes, one of the products is mine, but there are others too.

Regards, Zvi

 

[null]

md5 is not a dumb checksum, but that's a whole different thread.

No shit, Einstein.

however, this group is anti-virus, and other than threads on virus
coding, this is all applied science. thus informal words like "dumb
whatever" are perfectly valid.

Informal terms lack clarity and precision. Derogatory informal terms
are basically just a display of arrogance.

don't get a big head, just cause you
read Visual Basic in 24 hours.

Big head? Speak for your youself, sonny.

"dumb terminal" ... "dumb modem" ... the list goes on and on.

Yep. Anything without at least a microprocessor built in. But MD5 is a
mere software algorithm. So it must be "dumb" according to that
implied definition of "dumb". See my point? Geek-speak might sound
cool and "in" but it's actually for the birds


Art
http://www.epix.net/~artnpeg

 

[kurt wismer]

You should be a little more precise in your choice of language...

Ignoring suggested potential weaknesses in MD5, it is much more accurate
to say that MD5 is feasibly one way. That is, unlike with CRCs there are
no better (i.e. computationally less expensive) ways of finding collisions
than launching a brute-force attack. Clearly MD5 cannot be one-way unless
you are inclined to believe the totally preposterous notion that all
possible strings of all possible lengths can be uniquely represented
within the address-space of MD5's 128-bit digest.

you seem to be confused... if a hash function does have a uniqueness
property like the one you describe then it's trivial to get out the
original message using a (very large) precomputed lookup table...

on the other hand, when multiple messages map to the same hash value it
then becomes impossible to know which of those messages was actually
used in creating a particular hash value...

i *think* you're trying to express something that is referred to as
preimage resistance, but preimage resistance and one-way-ness are not
exactly the same...

and as far as i know the definition for "one way" does not require that
the inversion of a candidate one way function be impossible, only that
it be 'hard'... MD5 *is* considered a one way function in cryptographic
circles, to the best of my knowledge (though it's use has been
deprecated for a number of years now)...

 

[Gnome de Plume]

you seem to be confused... if a hash function does have a uniqueness
property like the one you describe then it's trivial to get out the
original message using a (very large) precomputed lookup table...

on the other hand, when multiple messages map to the same hash value it
then becomes impossible to know which of those messages was actually
used in creating a particular hash value...

i *think* you're trying to express something that is referred to as
preimage resistance, but preimage resistance and one-way-ness are not
exactly the same...

and as far as i know the definition for "one way" does not require that
the inversion of a candidate one way function be impossible, only that
it be 'hard'... MD5 *is* considered a one way function in cryptographic
circles, to the best of my knowledge (though it's use has been
deprecated for a number of years now)...

thank you for elaborating / correcting.

in addition, if it took 2^80 attempts to generate an identical hash of X
hash algo, that would be 2^40 seconds even at 2^40 (~ 1.1 trillion)
attempts/s. This would take 34,000 years. Clearly attacking the algo
itself is the answer, not brute forcing alone. Almost ALL of the
collision attacks use cryptanalysis, possibly in conjunction with a
limited brute force attack. In a similar vein, one attack on SHA-0 took
2^40 computations of algo, which is doable.

FWIW, Schneier questioned the security of MD5 way back in the
mid-nineties (although he may be biased).

michael

 

[null]

On Sun, 17 Oct 2004 16:39:51 +0200, Zvi Netiv

..>> If you had brains enough to read the subject of this thread you
would

I saw the subject, but to be honest, I couldn't resist the pleasure of pushing
your buttons. ;-)

You must be looking for the clown of the month award.

Now you are bragging. Since when do the probing for time-date and file size
constitute "integrity checking"? A simple find-first find-next call will get
you these!

You don't know what you're talking about. Obviously my program uses
find-first find-next interrupts. How else would it build the drive's
directory structure and find files in all folders?

The mode that creates a reference and allows the user to later run a
check against that reference for alterations in date-time and file
length is clearly a form of integrity checking.

Plain nonsense! Learn how to use Ralf Brown's interrupts list.

Exactly what I use. One of the calls is INT 21h service 71A6h
"Windows 95 - Long Filename - Get file info by handle".
Does not work in plain DOS.

Simpler, compile it as a DOS program. It will then run under both DOS and in
all Windows versions DOS box.

It is compiled as a DOS program fer gawdsakes. WTF do you think QB 4.5
is?

Not dumb at all. Why shouldn't your program run in XP's or W2K's DOS box too?
You provide the true answer below: You simply lack the knowledge of how to
write a real program

The real reason is a lack of interest and a reluctance to get my hands
on a NT based OS just for testing purposes. I just plain don't want
one (at least right now) for any purpose.

Rubbish. The true reason is that you have no clue how to handle keyboard
commands. ;-) BTW, my goddamn mouse is just fine.

What total crap. It's far simpler to design for the keyboard than for
a mouse. I just don't buy the idea that you must make provisions for
both.

Crap. The true answer is that you don't have the slightest idea of one of the
most basic procedures in programming, namely handling errors! Ignorance is no
sin, but being both ignorant and pretentious is criminal.

You speak of crap while writing total crap. Anyone who know anything
about programming knows that I must necessarily have error handling
all over the program for all kinds of conditions or it wouldn't work
smoothly at all.

I still am pro informal scanning, and for what it's worth, informal scanning is
now the ruling method for cleaning. What would you call running Sysclean and
Stinger from safe mode, if not informal scanning? Or Spybot,S&D, AdAware,
HijackThis, etc.? As a matter of fact, informal scanning is the only way to
achieve full recovery for reasons that I explained elsewhere.

Nah. It's just that you can often get away with it. That doesn't make
it the best way at all.

Yet YOU are inconsistent in your arguments. Are we (the readers) to deduce from
the above paragraph that you object to informal scanning?

Twist my remarks any way you wish. There's no doubt that formal
scanning is the best approach.

Anyway, back on topic. I doubt if anyone is much interested in this
useless exchange. Clearly, any av that relies on basic system data is
subject to being fooled by malicious code. That's why I don't think
(after some reflection) the idea of just av scanning on demand "newer"
files in order to cut down drastically on scan time is really sound.
Yet, I think my util (or one like it) along with other methods and
checks can be useful. After all, one heuristic often used on machines
suspect of infestations or infections is to look for recently written
or modified files. It's obviously just one of many "iffy" heuristics
that can't be trusted completely but it's sometimes a useful and
fruitful one.


Art
http://www.epix.net/~artnpeg

 

[Ant]

[snip]

I doubt if anyone is much interested in this useless exchange.

Ooh, I dunno. I like a good fight between regulars. Anyway, in the
process you've explained more what your program is about. Makes up
for the lack of a readme file in the zip (always a good idea to
have one of those to clarify any installation issues). Also it's
interesting to see what kinds of file checking are thought to be
useful.

 

[null]

[snip]

I doubt if anyone is much interested in this useless exchange.

Ooh, I dunno. I like a good fight between regulars.


Anyway, in the
process you've explained more what your program is about. Makes up
for the lack of a readme file in the zip (always a good idea to
have one of those to clarify any installation issues).

I suppose some users might "pull a Zvi" and put it on the desktop

Also it's
interesting to see what kinds of file checking are thought to be
useful.

Well, your posts suggest to me that you should have some good inputs
on that subject.

Y'know, I started with the idea of making comparisons to past file
dates and sizes, but the truth is that I really dislike using programs
of that kind. And I suspect most users consider them to be a PITA.
Nobody likes updating a reference from time to time. Later, I added
the top selection on the Start Menu, which is the check for newly
written and/or modified files. That's the check I like. I've expanded
the past days limit from 9 to 99 which the user can now key in.
Version 0.2 will be up soon. It also has a larger default file
extensions list. And just for you (but not Zvi) I'll add a readme.txt
file in the zip. The only thing I grudgingly did for Zvi is add a
program exit if the Windows version is not Win 9X/ME


Art
http://www.epix.net/~artnpeg

 

[Zvi Netiv]

You don't know what you're talking about. Obviously my program uses
find-first find-next interrupts. How else would it build the drive's
directory structure and find files in all folders?

The mode that creates a reference and allows the user to later run a
check against that reference for alterations in date-time and file
length is clearly a form of integrity checking.

Since you insist, then let me rephrase my original question: What is the point
in real-dumb "integrity checking" in an AV scenario?

Exactly what I use. One of the calls is INT 21h service 71A6h
"Windows 95 - Long Filename - Get file info by handle".
Does not work in plain DOS.

You should have said "thank you" on my post
<[email protected]> and use it to quietly fix and
correct your program's deficiencies, point by point. Instead, you get yourself
entangled deeper and deeper with ridicule excuses and claims and further expose
ignorance and pretentiousness.

The selection of that particular service was a bad choice and shows poor
engineering judgement. There is more than one way to do what you need, with DOS
services, uniquely. It just takes a little more work and brains. Besides, your
waving with "long filename" is a false excuse and eyewash for the simple reason
that the rest of your program, particularly the I/O functions which are DOS,
cannot handle long filename path-strings.

It is compiled as a DOS program fer gawdsakes. WTF do you think QB 4.5
is?

Control you temper, silly, and clean your source from services that are
exclusive to Windows. There are many ways to achieve the worthless
functionality of your program, based on DOS services, uniquely.

[...]

The real reason is a lack of interest and a reluctance to get my hands
on a NT based OS just for testing purposes. I just plain don't want
one (at least right now) for any purpose.

You are bullshitting again and I gave you the way how to graciously retreat from
wriggling. You don't need an NT based OS for testing that a program will work
under NT / W2K and XP. It suffices that a program runs under pure DOS to assure
that it will run under all Windows versions DOS box, NT based inclusive (with
just a couple of exceptions, but they do not concern you, only if your program
was data recovery). That simple!

[...]

What total crap. It's far simpler to design for the keyboard than for
a mouse. I just don't buy the idea that you must make provisions for
both.

Eyewash. Is that how you made decisions throughout your engineering career?
Are you sure you weren't fired?

[...]

You speak of crap while writing total crap. Anyone who know anything
about programming knows that I must necessarily have error handling
all over the program for all kinds of conditions or it wouldn't work
smoothly at all.

Typical to ignorance is to not know what you ignore. Here is how to fix that
error handling deficiency: First, learn what "exit code" and exit procedure
are. Then, add an exit procedure to your code, that will handle exit codes last
thing before exiting the program. The exit procedure is where to call the error
messages. You could then add a test in your program body to see if report files
can be created and set an appropriate exit code if not, and terminate. The exit
procedure would then fetch an error message that would say something like:
"Cannot write report to <specify drive or path here>. Program aborted!"

You don't have to be an engineer to realize that your program is simply
unacceptable the way it's implemented and that your claims are false,
unprofessional, and lack intellectual honesty.

[...]

Anyway, back on topic. I doubt if anyone is much interested in this
useless exchange.

On the contrary. From the e-mails I get, seems that many are interested in the
thread.

Regards, Zvi

 

[Zvi Netiv]

(e-mail address removed) wrote:

[...]

And just for you (but not Zvi) I'll add a readme.txt
file in the zip. The only thing I grudgingly did for Zvi is add a
program exit if the Windows version is not Win 9X/ME

You are making progress, ;-) and you would make better if you also fixed the
other flaws that I picked.

Cheers

 

[James Egan]

Anyway, back on topic. I doubt if anyone is much interested in this
useless exchange.

On the contrary it's quite interesting. My initial impression was that
f-comp created a hash of all the files (no I didn't read any readme I
just looked at the created files). That it doesn't probably means that
any amateur enthusiast can easily defeat it and thus its use is likely
to lull the average "user" into a false sense of security. Also,
because it (loosely) comes under the heading of integrity checkers, it
is bound to draw comparison with other software of that type. I can
understand why Zvi would be irritated by it.


Jim.

 

[James Egan]

It suffices that a program runs under pure DOS to assure
that it will run under all Windows versions DOS box,

I didn't think that was the case. Won't a program fail under NT based
OSes if a dos program (say) tries to grab hold directly of COM1 for
exclusive use?


Jim.

 

[Zvi Netiv]

I didn't think that was the case. Won't a program fail under NT based
OSes if a dos program (say) tries to grab hold directly of COM1 for
exclusive use?

You omitted the second part of my phrase "with just a couple of exceptions ...
etc.".

To your specific question on grabbing a COM port, you can try by running an old
comm program, like Telemate, under W2K or XP, and see. My guess is that there
is no problem there. What definitely fails under NT based OS is *hard drive*
direct access through interrupt 13h (same, but to floppies, will work!).

As for Art's case (filesystem services), the above is sound and dependable
advice.

Regards, Zvi

 

[Laura Fredericks]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I doubt if anyone is much interested in this useless exchange.

Are you kidding??? This is one of the BEST "useless
exchange(s)" we've had, here in a long time!

Keep it up, boys! ;-)

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: MY PUBLIC KEY www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBQXOwbKRseRzHUwOaEQJkrwCgyD9QjJpoIsaIkDCv+qFMo8ohYAgAmwbs
6n1Q+Go7GK+dgOAnKCRd7Cr7
=oiAz
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

Usenet Flamewars:
http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.

 

[null]

On the contrary it's quite interesting. My initial impression was that
f-comp created a hash of all the files (no I didn't read any readme I
just looked at the created files). That it doesn't probably means that
any amateur enthusiast can easily defeat it and thus its use is likely
to lull the average "user" into a false sense of security.

Yes, I just recently gave thought to at least encrypting the reference
files it creates and making them read-only/hidden until they require
updating when they would then be unencrypted and re-written by the
program. That wouldn't prevent malicious code from changing the
attributes and deleting the files though. But that event could be
detected and a special message put up on the screen. However, an
attack on the data in the file system is quite another matter.

Also,
because it (loosely) comes under the heading of integrity checkers, it
is bound to draw comparison with other software of that type. I can
understand why Zvi would be irritated by it.

Screw Zvi. Who cares what he thinks?

I've not presented the program as a integrity checker, as such, even
though one of its modes does a file integrity check of sorts. As I
stated in a different post, I view the utility as one of many possibly
useful heuristic tools.


Art
http://www.epix.net/~artnpeg

 

[null]

On Mon, 18 Oct 2004 11:22:36 +0200, Zvi Netiv

You again?

Since you insist, then let me rephrase my original question: What is the point
in real-dumb "integrity checking" in an AV scenario?

What's the point in running a av scanner in a AV scenario?

You should have said "thank you" on my post
<[email protected]>

Thank you? For endlessly posting crap like this?:

Instead, you get yourself
entangled deeper and deeper with ridicule excuses and claims and further expose
ignorance and pretentiousness.

You've really got a serious problem, Zvi. Take your meds like a good
little boy, will you?

Control you temper, silly, and clean your source from services that are
exclusive to Windows. There are many ways to achieve the worthless
functionality of your program, based on DOS services, uniquely.

You're contradicting yourself again. If my program is worthless as you
say, why keep on coaxing me to improve it?

Typical to ignorance is to not know what you ignore. Here is how to fix that
error handling deficiency:

What error handling deficiency?

First, learn what "exit code" and exit procedure
are.

As if I didn't know.

Then, add an exit procedure to your code, that will handle exit codes last
thing before exiting the program. The exit procedure is where to call the error
messages. You could then add a test in your program body to see if report files
can be created and set an appropriate exit code if not, and terminate. The exit
procedure would then fetch an error message that would say something like:
"Cannot write report to <specify drive or path here>. Program aborted!"

Solution without problems are worthless

You don't have to be an engineer to realize that your program is simply
unacceptable the way it's implemented and that your claims are false,
unprofessional, and lack intellectual honesty.

Bullshit. I've made no claims, nor have I misrepresented my program in
any way. I leave that to you ... the ultimate professional at false
claims, unprofessionalism and a complete vacuum of honesty and
integrity of any kind.


Art
http://www.epix.net/~artnpeg

 

[null]

On Mon, 18 Oct 2004 11:22:36 +0200, Zvi Netiv

You again?

Since you insist, then let me rephrase my original question: What is the point
in real-dumb "integrity checking" in an AV scenario?

What's the point in running a av scanner in a AV scenario?

You should have said "thank you" on my post
<[email protected]>

Thank you? For endlessly posting crap like this?:

Instead, you get yourself
entangled deeper and deeper with ridicule excuses and claims and further expose
ignorance and pretentiousness.

You've really got a serious problem, Zvi. Take your meds like a good
little boy, will you?

Control you temper, silly, and clean your source from services that are
exclusive to Windows. There are many ways to achieve the worthless
functionality of your program, based on DOS services, uniquely.

You're contradicting yourself again. If my program is worthless as you
say, why keep on coaxing me to improve it?

Typical to ignorance is to not know what you ignore. Here is how to fix that
error handling deficiency:

What error handling deficiency?

First, learn what "exit code" and exit procedure
are.

As if I didn't know.

Then, add an exit procedure to your code, that will handle exit codes last
thing before exiting the program. The exit procedure is where to call the error
messages. You could then add a test in your program body to see if report files
can be created and set an appropriate exit code if not, and terminate. The exit
procedure would then fetch an error message that would say something like:
"Cannot write report to <specify drive or path here>. Program aborted!"

Solution without problems are worthless

You don't have to be an engineer to realize that your program is simply
unacceptable the way it's implemented and that your claims are false,
unprofessional, and lack intellectual honesty.

Bullshit. I've made no claims, nor have I misrepresented my program in
any way. I leave that to you ... the ultimate professional at false
claims, unprofessionalism and a complete vacuum of honesty and
integrity of any kind.


Art
http://www.epix.net/~artnpeg