Article "Breaking standards" published in 2600 Magazine, spring 2018 - not translated
Breaking standards
by bartitsu59
Greetings from France. I think I've always wanted to write this article. Maybe because I'm very tall (6 feet 7 inches) and got mocked for it, or maybe because I grew up more and more as a hacker with a non-traditional view of the world.
From early on, I got pissed when everyone, back in the nineties, embraced a flawed machine called the PC, leaving behind more beautifully engineered machines (like the Atari ST, the Commodore Amiga, or the Acorn RISC machine).
Now, even with the Mac back in the landscape (which anyway uses very similar hardware), we are bound by a number of standards without even thinking about it.
A bit of historical context
Maybe you don't know about it, but in 2014, Carnegie Mellon University spent several months extracting the data and reverse-engineering the original drawing software from 20-year-old Amiga floppy disks. On those disks were exclusive digital drawings by Andy Warhol.
This story gave me a lot of insights. Not only was it quite funny and interesting to read about, but it also made me realize that using old technology, or at least a non-standard one, is a good way to conceal your data.
After all, most of us, prudent hackers, have USB keys with, at the bare minimum, encrypted files, or VM images.
Yet, putting someone else's USB key in any modern computer will reveal the nature of the data stored, with the file extension plus a beautiful icon.
For the most concealed files, say one with no extension, a quick look at the first bytes (the signature of the file) would leave little doubt about what kind of data is in there.
If the nature of the file is still unknown to you, you can rely on several forensic tools, for example Apache Tika, which will happily identify a thousand file formats.
But it will fail with some...
How many of us know the Magic Shadow Archiver format, used on exotic OSes for the now vintage Atari line of computers?
It's a practical format used for archiving Atari ST floppy images, supported by most Atari ST emulators.
Those fun facts can lead us to creative solutions to hide our data.
Out of sight, Out of mind
Imagine now that you write your password vault on an emulated ST, in a simple text file, and store it on an emulated floppy disk. Ideally, you would have chosen a compressed MSA floppy image (with .MSC extension, or no extension to complicate things).
Another option: I have on my desk a beautiful gray box called a "MiST Computer". This beast has an FPGA inside and can dynamically adapt its hardware behavior, depending on the selection of a soft core (programmed using a Hardware Description Language) copied onto an SD card. Basically, I can switch from a 100% accurate hardware replica of an Atari ST to an Amiga, an Amstrad, a Spectrum (see the link at the end of the article for the numerous possibilities)...
So, I could also store my password vault on a disk partition of this little machine, which is furthermore offline and shares the same screen as my regular computer (which makes it easily available).
Alternatively, the floppy image trick will work as well, since these retro-modern machines support those images too.
With no physical access to the network, and an uncommon file structure on the machine's mass storage medium (in my case, an SD card), I don't see how one could get their hands on my sensitive data.
Don't expect to be limited by the apparent lack of power of those options. Back in the day, those machines were able to cope with mundane tasks (playing, writing, drawing, budgeting) with a few MHz and a few megabytes. First, because most applications were written in assembly, but also because the operating systems were far simpler than the ones we are used to today, thus leaving all the horsepower to user land (most were stored in ROM, so the RAM was left untouched).
Of course, this applies to any decent emulator or FPGA-based computer. A nice example of an emulator, in fact a true virtual machine (that makes use of the full power of the host machine), is ARANYM (Atari Running On Any Machine). Amiga Forever and RPCEmu are also very good picks that will offer you tons of options to store your data, with the ease of use of any regular PC virtual machine.
In any case, you are strongly advised to use a hard disk image. Saving your data in this image will obfuscate it quite a bit.
If you are a PC addict and don't want to learn about alternative architectures (poor you), you could still rely on long-forgotten file formats, using no-longer-supported old software such as WordStar, Ashton-Tate Framework, or DataPerfect.
To use them, I would suggest downloading DOSBox, a very accurate DOS emulator.
Using Steganography
The icing on the cake consists of using steganography on an old image format.
For this use case, I will use an image format called "Degas Elite" (a well-known Atari ST drawing software), in its extended flavor.
Indeed, Degas Elite was only able to handle the three standard resolutions of an Atari ST: low, medium and high, for which the .PI1, .PI2, and .PI3 file extensions were respectively defined.
When more powerful Atari computers arrived on the market, some other drawing software (FuckPaint) extended the Degas file format to handle superior resolutions.
So, our image will be in PI9 format, with a resolution of 320x240 and a 256-color palette.
You will see that this image is quite abstract, which is nice, since this technique will alter the palette.
https://i.servimg.com/u/f98/20/10/45/65/colour10.gif
The technique I will use is kept ridiculously simple, to just give you a primer on how steganography works. At the end of this article, you will find a link to a website describing a file format used by a fantasy console (PICO-8), from which I took inspiration.
The PI9 file format is really simple: the first 256*3 bytes describe the palette in RGB format, and the rest of the file contains the uncompressed bitmap.
With only a few Unix commands, we will take a user:password couple, swap the two hex digits of each byte (so that it does not appear in clear in a hex editor), and replace the first color declarations with it.
In our case, with a very simple 10-character secret, we replace the first four colors with our data (10 bytes cover three full colors and one byte of the fourth). Of course, the longer the data, the more the rendering will be altered. That's why I advise choosing an abstract scene, for which a change of colors will not be seen as suspicious.
For longer data, you need something more sophisticated, such as the technique used by PICO-8 and its special PNG format.
# First encode our user@password in hexadecimal, then swap the two hex digits (nibbles) of each byte
# (sed matches every pair of hex characters and reverses them; the operation is its own inverse),
# reverse the xxd command and write back to a 'header' temporary file
echo -n "2600@rules" | xxd -p | sed 's/\(.\)\(.\)/\2\1/g' | xxd -r -p > header
# A PI9 file has a constant size of 77824 bytes, our user@password couple is 10 characters long
# so write the whole source file minus ten bytes into a 'body' temp file
tail -c 77814 COLOURF.PI9 > body
# concatenate 'header' and 'body' to get the resulting image with the first 4 colors altered (each color takes three bytes)
cat header body > COLOURB.PI9
I'm then using the online version of a tool called RECOIL to check, first, that my image is not corrupted, and then that it is properly displayed with at most a minor impact on the palette.
In our case, I see no difference between the original image and the new one.
With the same image, I was able to store 3 user:password couples, for a total of 71 characters, with no visible difference. This is explained by the fact that this image does not use the first 24 colors of the palette (24 colors * 3 components = 72 bytes).
To retrieve the password, you proceed with a reverse approach:
$ head -c 10 COLOURB.PI9 | xxd -p | sed 's/\(.\)\(.\)/\2\1/g' | xxd -r -p
2600@rules
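The same embed/extract procedure, generalized a little, as an added Python example (this is not the article's code, and the image it operates on is constructed in the script rather than taken from COLOURF.PI9). It uses the layout the article describes (256 three-byte RGB palette entries followed by a 320x240 uncompressed 8-bit bitmap, one byte per pixel), reproduces the sed nibble swap, and adds the check the article makes by eye: it scans the bitmap for the palette indices actually in use, so that the secret is only allowed to overwrite leading palette entries that no pixel references. The function names and the sample image are assumptions of this example.

```python
"""Palette steganography for a DEGAS Elite style .PI9 image (added example).

Assumed layout, following the article: 256 palette entries of 3 bytes (R, G, B),
then a 320x240 bitmap, one byte per pixel holding a palette index.
"""

PALETTE_ENTRIES = 256
BYTES_PER_ENTRY = 3
PALETTE_SIZE = PALETTE_ENTRIES * BYTES_PER_ENTRY      # 768 bytes
WIDTH, HEIGHT = 320, 240
BITMAP_SIZE = WIDTH * HEIGHT                          # 76800 bytes
IMAGE_SIZE = PALETTE_SIZE + BITMAP_SIZE


def nibble_swap(data: bytes) -> bytes:
    """Same obfuscation as the article's sed one-liner: swap the two hex digits
    of every byte. Applying it twice gives the original bytes back."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def unused_leading_entries(image: bytes) -> int:
    """Number of consecutive palette entries, starting at index 0, that no
    pixel of the bitmap references. Overwriting only those changes no pixel."""
    used = set(image[PALETTE_SIZE:])
    n = 0
    while n < PALETTE_ENTRIES and n not in used:
        n += 1
    return n


def capacity(image: bytes) -> int:
    """Bytes that can be hidden without altering any visible color."""
    return unused_leading_entries(image) * BYTES_PER_ENTRY


def embed(image: bytes, secret: bytes) -> bytes:
    """Overwrite the first len(secret) palette bytes with the swapped secret,
    refusing if that would touch a color the bitmap actually uses."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("unexpected file size for a .PI9 image")
    if len(secret) > capacity(image):
        raise ValueError("secret would alter a color used by the bitmap")
    return nibble_swap(secret) + image[len(secret):]


def extract(image: bytes, length: int) -> bytes:
    """Reverse of embed(): read the first `length` bytes and undo the swap."""
    return nibble_swap(image[:length])


def visible_colors_changed(original: bytes, modified: bytes) -> bool:
    """True if any palette entry referenced by the bitmap differs between the
    two images (i.e. the change would show up when rendered)."""
    for idx in set(original[PALETTE_SIZE:]):
        start = idx * BYTES_PER_ENTRY
        if original[start:start + BYTES_PER_ENTRY] != modified[start:start + BYTES_PER_ENTRY]:
            return True
    return False


def make_sample_image(first_used_index: int = 24) -> bytes:
    """Constructed test image: a palette ramp and a bitmap that only references
    indices >= first_used_index, mimicking the article's picture whose first 24
    colors are unused."""
    palette = bytearray()
    for i in range(PALETTE_ENTRIES):
        palette += bytes((i, 255 - i, (i * 7) & 0xFF))
    span = PALETTE_ENTRIES - first_used_index
    bitmap = bytes(first_used_index + (x * y) % span
                   for y in range(HEIGHT) for x in range(WIDTH))
    return bytes(palette) + bitmap


if __name__ == "__main__":
    original = make_sample_image()
    secret = b"2600@rules"
    stego = embed(original, secret)
    print("capacity:", capacity(original), "bytes")
    print("first bytes:", stego[:len(secret)].hex())
    print("recovered:", extract(stego, len(secret)))
    print("visible change:", visible_colors_changed(original, stego))
```

On the constructed image, `capacity()` reports 72 bytes, the same figure the article derives for its picture, and `visible_colors_changed()` stays False after embedding because only unreferenced palette entries were overwritten; an 73-byte secret is rejected before it can alter a visible color.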
With simple steganography techniques like this one, I recommend learning the commands by heart and clearing your shell history, so as to leave no visible clue of your manipulation. Of course, you need to properly delete your temporary files too.
I think you get the main idea: breaking norms and standards, or using exotic or long-forgotten ones, can conceal our intentions and make the reconnaissance phase far more difficult for potential malevolent people.
The key is to think out of the box. After all, many hacks are based on the assumption that 99% of us are using the same predictable tools.
As I'm writing this article, I'm receiving more and more corporate emails assessing the potential impact of the Meltdown and Spectre security holes on our customers' infrastructures. To put it simply, every modern computer with a superscalar microprocessor architecture is concerned, so hiding sensitive data on simpler (emulated) computers might well be a safer choice after all.
All you need is to accept getting your hands a bit dirty and learning some strange operating systems or applications you may never have heard of before, but that's part of the fun, don't you think?
https://www.warhol.org/exhibition/warhol-and-the-amiga/
https://tika.apache.org/
https://github.com/mist-devel/mist-board/wiki
https://aranym.github.io/
https://www.amigaforever.com/
https://marutan.net/rpcemu/
https://www.dosbox.com/
http://pico-8.wikia.com/wiki/P8PNGFileFormat
http://fileformats.archiveteam.org/wiki/Extended_DEGAS_image
http://recoil.sourceforge.net/html5recoil.html