RE: CRIME Steganography software for the masses

From: Paul Farrier (PaulF@private)
Date: Sun Jul 14 2002 - 22:53:05 PDT

    So wait a minute, how do we know that the message you just sent isn't
    stegoed?
    
    Maybe you could also tell us what Brazilian spam with what Nike jackets,
    Electric Ab machines and HP inkjet cartridges means??? ;) Ever seen this
    site?: http://www.spammimic.com/
    
    -Paul
    
    -----Original Message-----
    From: Alan [mailto:alan@private] 
    Sent: Sunday, July 14, 2002 5:55 PM
    To: Crispin Cowan
    Cc: Shaun Savage; Crime List
    Subject: Re: CRIME Steganography software for the masses
    
    
    On Sun, 2002-07-14 at 13:19, Crispin Cowan wrote:
    > Shaun Savage wrote:
    > 
    > > Here is an announcement for a new steganography software
    > > What do people think? 
    > 
    > I think that the best stego is where (say) the count of how many pounds 
    > of explosives to use is equal to the number of open buttons on the 
    > Japanese schoolgirl's uniform on underage-hentai-pr0n.com.  No steg 
    > detect software in the world will ever detect it.
    > 
    > Not so great for bandwidth, but I conjecture that most applications that 
    > require stego are actually very low bandwidth. And this has been done for 
    > years; cheesy old movies had WW II agents communicating by placing ads 
    > in the London Times classified section.
    
    There is an even better method.
    
    People pay attention to hentai pr0n.  They archive it.  For this sort of
    message you want messages that will not only not be archived, but will
    be actively destroyed when found.
    
    The true stego opportunity is *spam*!
    
    Spam is actively ignored.  It is not read.  It is deleted without a
    thought.
    
    The instructions could be "When you get a chain letter from an Egyptian
    Travel company through the CRIME list, start the plan in motion.".
    
    Actually *anything* can be used to pass information of this sort.  "One
    if by land and two if by sea."
    
    And there is *nothing* you can do about it without blocking all
    communication.
    
    Furthermore, it makes it easier to make your enemy paranoid by creating
    a bunch of false stegoed information.  The assumption is if there is
    stegoed information there, it must mean something.  Maybe it means you
    are wasting your time.  (Encrypted data and random data look very
    similar, if you do it right.  And random data is about as easy to
    create.)
    
    And the more you think about ways it could be done, the more you come up
    with and the more paranoid you become.  The cycle feeds upon itself
    until you start ranting about "Digital Pearl Harbors occurring every
    day" and the ratio of coffee consumption to security professionals.
    



    This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 00:00:20 PDT