[I have my doubts about the reality of this description -- the entire
stego description seems like fantasy, especially given the low
bandwidths available into many countries, and the obviousness of the
whole thing. However, I'm forwarding it in spite of my bogometer
beeping... Caveat Lector... --Perry]
>>>>> Arnold Reinhold <[EMAIL PROTECTED]> writes:
> Security concerns aside, I'd question Solitiare's suitability for
> field use by human rights people. First of all it is very tedious
> to use and a single mistake can be difficult to recover
> from. Second, just receiving or attempting to transmit ciphertext
> could be enough to get you into serious trouble in some places.
We've done quite a bit of work with human rights groups and other NGOs
working in relatively hostile third-world countries.
Our approach has been to pack most email into MIME digests, which are
then PGP-encrypted. The obvious ASCII PGP start and end message lines
are removed, and the encrypted digest is stego'ed into the lower one
or two LSBs of topical but relatively innocuous JPEG/GIF/TIFF images,
which are attached to clear text email messages.
Our mail servers in Europe and the US look for stego'ed PGP messages
within image files bound for certain addresses. The PGP messages are
decrypted, the MIME digests are extracted from them, and the digests'
individual RFC822 messages (which can themselves contain MIME content
or personal PGP-encrypted messages) are automatically remailed.
Similarly, outbound messages are sent through our mail servers, which
packs them into MIME digests, PGP-encrypts them, and stego's them into
image or audio files, which are emailed to our overseas clients.
Since PGP-encrypted text messages are quite small, the image or audio
files don't have to be too big.
Most of the server processing is handled by extensively-modified
PGPdomo software (and procmail, of course). The clients use small
plug-ins (which we wrote in C) for Eudora and Pegasus. Digests are
time-stamped, and separate messages carry lists of digests sent and
received, so we know if messages get "lost" in transit.
This has worked quite well for us for over five years now, over a
variety of media -- FIDOnet, dial-up UUCP, small-aperture satellite,
shortwave packet radio, hand-carried floppies, and conventional
network connections.
Although the identity and location of our mail servers could be
determined, we have been able to rely upon physical security to deter
(and detect) tampering, and upon the political climates of our host
countries to avoid interference from LEOs.
