[mdlug] The new "surface" computer

Joseph Vartanian jvartanian at gmail.com
Tue Jul 17 14:01:24 EDT 2007 

On 7/17/07, Robert Adkins <radkins at impelind.com> wrote:
> -------- Original Message  --------
> Subject: Re:[mdlug] The new "surface" computer
> From: Morris, Tim <tmorris at ugs.com>
> To: MDLUG's Main discussion list <mdlug at mdlug.org>
> Date: Tuesday, July 17, 2007 12:50:57 PM
> > Nothing new. It's called marketing. Don't you guys remember when
> > Microsoft "invented" the symbolic link?
> >
> > Words have no meaning these days.
> >
> > --  Tim Morris - UGS PLM Software
> >
>     Their "symbolic link" isn't even a real "symbolic" link. It's some
> binary crap that contains information about where the real file is.
> This, for some bizarre reason, sometimes comes across as a complete
> surprise to even instructors of computer science classes who are
> familiar with how UNIX Symbolic links function.
>
>     MS does some really crappy things when they copy an original
> idea/concept.
>
>     Did you know that there is a method in the NTFS file system to truly
> and effectively hide files? I forgot the exact name of the feature, I
> believe it's called "slip" something. What it does is allows you to
> "hide" files by filling in the remaining bits of a cluster that aren't
> fully used by the real/visible file. It's slipping a file into/under an
> existing file and it supposedly completely hides the file.
>
>     I have no idea why anyone would consider that a "good" feature that
> would be acceptable in a "secure" environment, since one could use that
> feature to sneak secrets out of a computer network within an otherwise
> benign file.


That NTFS feature is called "alternative data streams".  Play with it
a little...it's actually interesting.  You can do something like
create a 1 KB text file, and then hide a 500 KB executable in it.  The
thing still looks like a 1 KB text file that you can open and use like
any regular text file, but you can also run the executable hidden in
it with a simple command.  Some spyware and trojan writers have
learned to utilize alternative data streams to hide their files.  Many
anti-spyware and anti-virus programs don't search for alternative data
streams.  Windows also does not come with any tool to let you find
alternative data stream in your filesystem.  If you want that, you
have to download tools like Sysinternals' Streams (now owned by
Microsoft).  From what I understand Apple has something similar in
their OS, but I'm not much into Apple.

-Joseph

More information about the mdlug mailing list