more reports of terrorist steganography
http://www.esecurityplanet.com/prevention/article.php/3694711 I'd sure like technical details... --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: more reports of terrorist steganography
That's a pretty in-credible report. Emphasis on in-. It's disturbing to see Security Researchers so willing to trade on rumors in order to be quoted in the press. The conclusion is pretty confusing. Conclusion Internet-based attacks are extremely popular with terrorist organizations because they are relatively cheap to perform, offer a high degree of anonymity, and can be tremendously effective. Perhaps author Jeffrey Carr should stick to coverage of 'semantic and geospatial intelligence applications'. I'd sure like credible details... On Aug 20, 2007, at 10:59 AM, Steven M. Bellovin wrote: http://www.esecurityplanet.com/prevention/article.php/3694711 I'd sure like technical details... --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: more reports of terrorist steganography
On 20 August 2007 16:00, Steven M. Bellovin wrote: http://www.esecurityplanet.com/prevention/article.php/3694711 I'd sure like technical details... Well, how about 'it can't possibly work [well]'? [ ... ] The article provides a detailed example of how 20 messages can be hidden in a 100 x 50 pixel picture [ ... ] That's gotta stand out like a statistical sore thumb. The article is pretty poor if you ask me. It outlines three techniques for stealth: steganography, using a shared email account as a dead-letter box, and blocking or redirecting known IP addresses from a mail server. Then all of a sudden, there's this conclusion ... Internet-based attacks are extremely popular with terrorist organizations because they are relatively cheap to perform, offer a high degree of anonymity, and can be tremendously effective. ... that comes completely out of left-field and has nothing to do with anything the rest of the article mentioned. I would conclude that someone's done ten minutes worth of web searching and dressed up a bunch of long-established facts as 'research', then slapped a The sky is falling! Hay-ulp, hay-ulp security dramaqueen ending on it and will now be busily pitching for government grants or contracts of some sort. So as far as technical details, I'd say you take half-a-pound of security theater, stir in a bucket or two of self-publicity, season with a couple of megabucks of goverment pork, and hey presto! Tasty terror-spam! BTW, I can't help but wonder if Secrets of the Mujahideen refuses to allow you to use representational images for stego? ;-) (BTW2, does anyone have a download URL for it? The description makes it sound just like every other bit of crypto snakeoil; it might be fun to reverse engineer.) cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: more reports of terrorist steganography
Dave Korn wrote: That's gotta stand out like a statistical sore thumb. The article is pretty poor if you ask me. It outlines three techniques for stealth: steganography, using a shared email account as a dead-letter box, and blocking or redirecting known IP addresses from a mail server. Then all of a sudden, there's this conclusion ... Internet-based attacks are extremely popular with terrorist organizations because they are relatively cheap to perform, offer a high degree of anonymity, and can be tremendously effective. ... that comes completely out of left-field and has nothing to do with anything the rest of the article mentioned. I would conclude that someone's done ten minutes worth of web searching and dressed up a bunch of long-established facts as 'research', then slapped a The sky is falling! Hay-ulp, hay-ulp security dramaqueen ending on it and will now be busily pitching for government grants or contracts of some sort. This struck me oddly as well. I cannot think of a single significant Internet attack which has been traced to any terrorist organizations. I would agree that this article seems to be designed to alarm rather than inform, and, no doubt, pick up a government contract. Additionally, the author seems to make a big deal about asymmetric encryption without considering how key exchange is accomplished. The logistics of key exchange remains one of the vulnerabilities any asymmetric encryption system. -- - [EMAIL PROTECTED] No one can understand the truth until he drinks of coffee's frothy goodness. ~~Sheik Abd-al-Kadir - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]