Stegdetect 0.4 released and results from USENET search available

Arnold G. Reinhold reinhold at world.std.com
Sun Dec 30 10:23:26 EST 2001


At 2:47 PM -0800 12/28/01, Bill Stewart wrote:
>...
>So tracing a single transmission may be hard, but tracing an ongoing pattern
>is easier, unless there's a trusted Usenet site in some
>country where you don't have jurisdiction problems.
>That means that A.A.M + PGP is fine for an occasional
>"Attack at Dawn" message, but not necessarily for routine traffic.

A background stream of ordinary, unencrypted voice and e-mail to 
family and friends, plus some pre-established code phrases, is all 
one needs for the occasional "Attack at Dawn" message. From press 
reports, that appears to be what the September 11 cell used.

>
>So it helps to add an extra step - posting the anonymous message
>through a web2news gateway through an anonymizer,
>or a mail2news gateway from a webmail account from a cybercafe,
>or mail2news through an open relay somewhere in the world
>(since open relays are usually people who haven't bothered
>configuring their mail systems, and are less likely to keep logs
>unless that's the default, plus you can spread your messages
>among lots of different relays.)
>

I would assume cybercafes are prime targets for signal intelligence 
organizations and all e-mail traffic they generate is recorded. More 
generally, imagine you are a consultant to some nefarious 
organization and think about what it would take to convince them that 
the method you propose is safe, capable of being taught to their 
covert agents, and tolerant of the inevitable slip-ups in the field 
(and remember their attitude toward warranty disclaimers).

All this is fun speculation, but avoids the original question in the 
thread: is it possible to reliably detect stego use, given certain 
weaknesses in many widely available methods?


Arnold Reinhold



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com