On Sun, 2002-07-14 at 13:19, Crispin Cowan wrote: > Shaun Savage wrote: > > > Here is an announcment for a new steganography software > > What do people think? > > I think that the best stego is where (say) the count of how many pounds > of explosives to use is equal to the number of open buttons on the > Japanese schoolgirl's uniform on underage-hentai-pr0n.com. No steg > detect software in the world will ever detect it. > > Not so great for bandwidth, but I conjecture that most applications that > requre stego are actually very low bandwidth. And this has been done for > years; cheesy old movies had WW II agents communicating by placing ads > in the London Times classified section. There is an even better method. People pay attention to hentai pr0n. They archive it. For this sort of message you want messages that will not only not be archived, but will be actively destroyed when found. The true stego opportunity is *spam*! Spam is actively ignored. It is not read. It is deleted without a thought. The instructions could be "When you get a chain letter from an Egyptian Travel company through the CRIME list, start the plan in motion.". Actually *anything* can be used to pass information of this sort. "One if by land and two if by sea." And there is *nothing* you can do about it without blocking all communication. Furthermore, it makes it easier to make your enemy paranoid by creating a bunch of false stegoed information. The assumption is if there is stegoed information there, it must mean something. Maybe it means you are wasting your time. (Encrypted data and random data look very similar, if you do it right. And random data is about as easy to create.) And the more you think about ways it could be done, the more you come up with and the more paranoid you become. The cycle feeds upon itself until you start ranting about "Digital Pearl Harbors occurring every day" and the ratio of coffee consumption to security professionals.
This archive was generated by hypermail 2b30 : Sun Jul 14 2002 - 20:28:41 PDT