[Cryptography] GCHQ Penetration of Belgacom

Nico Williams nico at cryptonector.com
Mon Dec 15 15:01:38 EST 2014

On Mon, Dec 15, 2014 at 12:28:25PM -0500, Jerry Leichter wrote:
> On Dec 13, 2014, at 9:21 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> > The damn Regin thing builds an entire encrypted virtual file system
> > inside the NTFS metadata.
> The idea of hiding stuff in NTFS extended attributes - not really
> metadata - is old.  I remember doing it years ago.  There are standard
> command line programs that come with Windows that can do it.  People
> used to Unix file system semantics tend not to think of this stuff,
> but both Windows and MacOS have long had file systems that supported
> stuff beyond the "a file is just a stream of bytes" concept for years.
> It's never been widely used on Windows, and it's been getting less and
> less use in MacOS for a while now - but there's nothing new here.

Most Unix-ish OSes have something like it (for some it's just "xattrs"
with smallish payloads; either way, it's easy to overlook).

And who ever bothers looking in lost+found?

Hiding places are not in short supply.

> > "Each VFS has a structure that is very similar to a real disk file
> > system such as FAT.  The VFS files start with a header that provides
> > basic information required to operate the file system.  The header
> > is followed by the bitmap of used/ free sectors and then by the file
> > table."
> Again, not much really new here.  In fact, SOP for many complex files
> in Windows:  [...]

And elsewhere.  Archive files, SQLite3 files, ... it's all roughly
equivalent to "a filesystem" comparable to that used here.  Encrypting
it is easy too.
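The point made above, that extended attributes are an easy place to overlook, is the Unix analogue of the NTFS streams in the quoted text. The following is an added example, not code from the thread or from any Regin analysis: a Linux-only scanner (os.listxattr / os.getxattr; the functions do not exist on macOS and are absent on Windows) that walks a tree, reports every xattr payload, and scores each one by Shannon entropy so that an encrypted container such as the VFS described above stands out from ordinary labels like an SELinux context. The attribute name "user.demo", the size and entropy thresholds, and the plant_payload helper that builds a fixture are assumptions chosen for the illustration.

```python
"""Added example, not part of the original thread: report extended-attribute
payloads that could be hiding data, the Unix counterpart of NTFS streams.
Linux only: relies on os.listxattr / os.getxattr / os.setxattr."""
import math
import os
import sys
from collections import Counter
from typing import Iterator, NamedTuple


class XattrHit(NamedTuple):
    path: str
    name: str
    size: int
    entropy: float  # bits per byte; close to 8.0 suggests ciphertext or compressed data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_payload(path: str, payload: bytes, name: str = "user.demo") -> None:
    """Stash a payload in an xattr. This is the attacker side; here it only builds a fixture.
    The attribute name "user.demo" is an arbitrary choice for the example."""
    os.setxattr(path, name, payload)


def iter_xattrs(path: str) -> Iterator[XattrHit]:
    """Yield every xattr on one path without following symlinks; unsupported or
    unreadable entries are skipped rather than aborting the scan."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except (OSError, AttributeError):
        return
    for name in names:
        try:
            data = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            continue
        yield XattrHit(path, name, len(data), shannon_entropy(data))


def scan_tree(root: str, min_size: int = 0, min_entropy: float = 0.0) -> list:
    """Return the xattrs under root whose payload meets both thresholds.
    Directories are checked too: they can carry xattrs just like files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            for hit in iter_xattrs(os.path.join(dirpath, entry)):
                if hit.size >= min_size and hit.entropy >= min_entropy:
                    hits.append(hit)
    return hits


if __name__ == "__main__":
    # Usage: python xattr_scan.py /path/to/tree
    # Thresholds below are a starting point, not a calibrated detection rule.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for h in scan_tree(root, min_size=64, min_entropy=7.0):
        print(f"{h.path}: {h.name} {h.size} bytes, entropy {h.entropy:.2f}")
```

On the Windows side the equivalent check is to enumerate alternate data streams, for example `Get-Item -Path <file> -Stream *` in PowerShell or `dir /r` in cmd; the entropy scoring applies unchanged to whatever those return. Small payloads in an xattr are common (SELinux labels, capability bits, macOS Finder metadata), so the size and entropy thresholds together, not either alone, are what single out a hidden encrypted blob.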


More information about the cryptography mailing list