Cryptography-Digest Digest #102, Volume #14 Sat, 7 Apr 01 18:13:01 EDT
Contents:
How good is steganography in the real world? ("Gil Adamson")
Re: How good is steganography in the real world? (SCOTT19U.ZIP_GUY)
Re: Comment on SafeBoot's RC5 algorithm (Marc)
NSA is funding stegano detection (Frank Gerlach)
Lawful ?? (Frank Gerlach)
Re: How good is steganography in the real world? (Frank Gerlach)
Re: NSA is funding stegano detection (SCOTT19U.ZIP_GUY)
Other methods (Frank Gerlach)
Re: NSA is funding stegano detection (Frank Gerlach)
ECDSA implementation (Chenghuai Lu)
Re: How good is steganography in the real world? (George Weinberg)
Re: How good is steganography in the real world? (David A Molnar)
Re: How good is steganography in the real world? (Paul Rubin)
Re: patent issue ("B. E. Busby")
Re: How good is steganography in the real world? ((csbh@(TH+ESE)datahit.com)
(Coridon Henshaw))
Re: How good is steganography in the real world? (Paul Rubin)
Re: How good is steganography in the real world? (Marc)
Re: NSA is funding stegano detection (Marc)
Re: How good is steganography in the real world? (SCOTT19U.ZIP_GUY)
[NEWS] PGP broken (maybe) (Fight Boschloo)
Re: How good is steganography in the real world? (Frank Gerlach)
----------------------------------------------------------------------------
From: "Gil Adamson" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: How good is steganography in the real world?
Date: Sat, 7 Apr 2001 14:25:46 -0400
Hello, all. I've been doing a bit of research on cryptography and how
it might be applied to a scenario that our company has. I think I
understand some of the basic concepts, but I wanted to get more expert
opinions before I make any recommendations to our management.
I hope you'll excuse me if I leave out some of the specifics of our
situation below:
I'm a technology advisor for a small company that has operations in
several locations around the world, one of which is (believe it or not)
Iraq. For various reasons, it is sometimes important for our workers
to communicate fairly sensitive information to us via e-mail. Also for
various reasons, we can never be sure that our e-mail will not pass
through some centrally-located, government-controlled server.
Therefore we have to assume that ANY (or all) e-mail messages to/from
our employees there can be read.
Certainly it would be possible to encrypt the messages using some
strong cipher that we could be relatively certain would be unbreakable,
at least without great effort. However, our situation there is such
that the very *discovery* of an encrypted message, though
unbreakable, would itself raise unwanted suspicion.
The goal then is to send information in such a way that the very
existence of a private message cannot be seen or suspected.
Given that, I've focused my research on steganography. In particular,
I've been considering a product called S-Tools, mainly because it
supports GIFs and produces images that contain hidden data but are
almost imperceptibly different from the original GIF. (Plus the fact
that it supports Triple-DES and other strong ciphers). I couldn't find
a lot of information on stegananalysis (e.g. how easy is it to discover
a hidden message in images), but this article
(http://www.jjtc.com/ihws98/jjgmu.html) seemed to indicate that S-Tools
was better than most if not all image steganography packages.
I guess my question really boils down to, how safe a method IS this,
really? It would SEEM to me that it would be very unlikely that
someone could discover that a hidden message is being sent (much less
decrypt the message), but is that really true? Or would governmental
agencies in foreign countries have a greater ability to analyze and
identify steganographic images than one might think at first?
To put it another way, what criteria should we use when deciding
whether to use this technique or not? When management says "That looks
good, but what are the chances that someone will discover the images
contain hidden messages", what do I tell them? How do you quantify
risk?
There's no question that sending encoded messages in ANY form (well,
maybe other than with a one-time pad) poses some risk of discovery.
The question is, how MUCH of a risk would something like this be? I
know that's a hard thing to quantify, but is it possible to get it
within a factor of 10 or so? Is the chance of discovery 0.1%? 1%? 10%?
A lot is at stake for our company. If the risk of discovery is too
high, it might be best just to limit communication of any critical
information (inconvenient as that might be). But if the risk is very
small, the benefit might outweigh the risk.
Before I give me recommendations to management, I want to be sure I
have a clear understanding of what the risks are. So thanks very much
to anyone who can help.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 7 Apr 2001 18:53:25 GMT
[EMAIL PROTECTED] (Gil Adamson) wrote in
<9anm4c$q8$[EMAIL PROTECTED]>:
>I'm a technology advisor for a small company that has operations in
>several locations around the world, one of which is (believe it or not)
>Iraq. For various reasons, it is sometimes important for our workers
>to communicate fairly sensitive information to us via e-mail. Also for
>various reasons, we can never be sure that our e-mail will not pass
>through some centrally-located, government-controlled server.
>Therefore we have to assume that ANY (or all) e-mail messages to/from
>our employees there can be read.
>
Are we being set up. Reminds me of the time a "cute french girl"
requested help on IDEA and want me to send source to france. Though
she could get it her self. I don't trust govenments and since you
used the magic word IRAQ. I would have loved to give advice but I am
sure your local NSA representative would love to brief and provide a
way to send info to and from your workers in IRAQ. On second thought
Forget it some of your workers are bound to be CIA and have there own
way to get info out.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: [EMAIL PROTECTED] (Marc)
Subject: Re: Comment on SafeBoot's RC5 algorithm
Date: 7 Apr 2001 19:01:59 GMT
>>The interesting thing is that my P3-800 FSB133 does hardly even read
>>more than 110 MB/s from RAM.
>
>My old 200Mhz Ppro with EDO memory can manage up to about 250MB/sec
>reading from memory so there is something very wrong there.
How did you test it (or is it a theoretical figure)? I used
memt25.zip from http://reality.sgi.com/cbrady/memtest86
(The L1 cache performance was higher, about 1.5GB/s or 15GB/s don't
remember which of them)
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: NSA is funding stegano detection
Date: Sat, 07 Apr 2001 21:08:50 +0200
Steganography is not different from crypto: It's a cat-and-mouse game.
According to some press reports, the NSA funds research in stegano
detection. If they are your opponent, you will have a hard time. But this
might be just some dis-information, in order to discourage the use of
steganography.
In general, I would say steganography is in a much shakier state than
cryptography. Simple methods (e.g. using the least significant bits) are
easy to detect.
And if you are somehow in bed with uncle sam, NSA will most probably not
tell you what to use, in line with general COMINT policy...
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Lawful ??
Date: Sat, 07 Apr 2001 21:15:01 +0200
The local government might also be a little bit upset, to find a foreigner
using stegano. Could be part of the rope to hang your employees on
espionage reasons.
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sat, 07 Apr 2001 21:25:56 +0200
It seems you are posting from UK. If you do anything Her Majesty's govt.
doesn't like, I would also not expect stegano to get a additional security
:-) GCHQ and NSA can be considered a *single* organization...
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: NSA is funding stegano detection
Date: 7 Apr 2001 19:31:39 GMT
[EMAIL PROTECTED] (Frank Gerlach) wrote in <[EMAIL PROTECTED]>:
>Steganography is not different from crypto: It's a cat-and-mouse game.
>According to some press reports, the NSA funds research in stegano
>detection. If they are your opponent, you will have a hard time. But this
>might be just some dis-information, in order to discourage the use of
>steganography.
>In general, I would say steganography is in a much shakier state than
>cryptography. Simple methods (e.g. using the least significant bits) are
>easy to detect.
I am not so sure its easy to detect. One can easily make a file
the length of bytes to match the number of LSB in a picture. All
you do is replace the set there with your set. If you take the
pictures your self and if resolution low. They can't prove the
picture has been modifed if they don't have the orginal.
You could even send the whole picture with all the data encoded
with random looking colored pixels not just the LSB call it abstract
art. Or one where if you stare at hard enough claim there is a hidden
3-D picture whatever.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Other methods
Date: Sat, 07 Apr 2001 21:54:37 +0200
Hiding something very non-linear (text) in very linear information
(images) seems to be un-intuitive to me. I would got for e.g.
-stegano as (allegedly) used by allied POWs in WW2
-using whitespace counts
-automatically generated code ("stegano-yacc")
If one is in the software business, setting up a bogus software
development team, which is geographically dispersed might provide for an
excellent hidden communication channel. Exchange source code in large
volumes often :-)
But even here, NSAGCHQ folks might question why only yacc-generated code
is transmitted, but not the yacc grammar itself..
Still, good enough against most third-world tyrants.
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: NSA is funding stegano detection
Date: Sat, 07 Apr 2001 22:00:51 +0200
"SCOTT19U.ZIP_GUY" wrote:
> I am not so sure its easy to detect. One can easily make a file
> the length of bytes to match the number of LSB in a picture.
Might be true if the picture is sampled with a lot of noise in the LSBs.
Otherwise not.
> All
> you do is replace the set there with your set. If you take the
> pictures your self and if resolution low. They can't prove the
> picture has been modifed if they don't have the orginal.
> You could even send the whole picture with all the data encoded
> with random looking colored pixels not just the LSB call it abstract
> art. Or one where if you stare at hard enough claim there is a hidden
> 3-D picture whatever.
It's not about proving, its about not making the opponent suspicious. If the
latter happens, they might apply other, much more physical "methods"...
------------------------------
From: Chenghuai Lu <[EMAIL PROTECTED]>
Subject: ECDSA implementation
Date: Sat, 07 Apr 2001 16:06:31 -0400
Would anyone so kind to tell me where I can download the source code of
ECDSA implementation?
Thanks.
--
-Chenghuai Lu ([EMAIL PROTECTED])
------------------------------
From: [EMAIL PROTECTED] (George Weinberg)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sat, 07 Apr 2001 20:11:21 GMT
On Sat, 7 Apr 2001 14:25:46 -0400, "Gil Adamson"
<[EMAIL PROTECTED]> wrote:
>I guess my question really boils down to, how safe a method IS this,
>really? It would SEEM to me that it would be very unlikely that
>someone could discover that a hidden message is being sent (much less
>decrypt the message), but is that really true? Or would governmental
>agencies in foreign countries have a greater ability to analyze and
>identify steganographic images than one might think at first?
>
It's like this:
the technology is good enough that,
if you send a lot of gifs, an eavsdropper
will not be able to say for sure which if
any contain "secret" messages, much
less read them.
However, if it's perfectly obvious that the only reason
you're sending these gifs in the first place is as potential
cover for encytped messages, I think a totalitarian
government is likely to react to them in much the same way
that it would react to actual encrypted messages, or
alleged random blocks of data.
George
>
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 7 Apr 2001 20:02:19 GMT
In sci.crypt Gil Adamson <[EMAIL PROTECTED]> wrote:
> decrypt the message), but is that really true? Or would governmental
> agencies in foreign countries have a greater ability to analyze and
> identify steganographic images than one might think at first?
It's not just that - you have to consider the traffic analysis questions as
well. what sorts of GIFs are you going to use as covertext? and what
plausible reason will your contacts have for sending them?
Bruce Schneier had an excellent talk about this at DEF CON one year; I don't
know if he ever wrote it down (perhaps in one of the issues of the
CRYPTO-GRAM newsletter?). He made the point that if two people suddenly start
sending GIFs to each other, whereas previously they had not done so, this may
attract suspicion. especially if the GIFs are pretty silly looking things
like pictures of flowers. Enough suspicion and people come to your house with
rubber hoses...
As to your original question, you might be well served to take a look at the
proceedings of the Information Hiding Workshops held over the past few years
http://chacs.nrl.navy.mil/IHW2001/
to get an idea for what the state of the theory is. I don't know how S-Tools
fits into this, so won't render judgement on it.
The fact is, though, that even if you have perfect GIF stego - (or at least
good enough that the Iraqis can't prove that there's a message in it) - the
other question about peoples' practices is at least as important.
Unfortunately, I don't have any experience in this area, and beyond "reading
spy novels" I can't point to good sources for such experience. I can't even
recommend professional help, because I don't know who the professionals are
(besides the obvious 3-letter agencies).
You may already know all of this, but it bears repeating.
thanks,
-David
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 07 Apr 2001 13:43:13 -0700
I have reviewed some steganography products (including commercial
ones) at the source code level. I haven't seen one yet that couldn't
easily be detected by an opponent *if the opponent had reason to
believe that method was in use and specifically looked for it*.
So if your opponent is looking for steganographic messages, and if
S-Tools (which I've never heard of) is a well-known product, then chances
are S-Tools is on the opponent's list of things to look for.
Also, if your company is in the US, don't forget that bring such a
product into Iraq might run afoul of US crypto export regulations
(those regulations have eased up a lot except for exports to a handful
of countries, but Iraq is one of the handful).
I'm perplexed that you can't use ordinary encrypted email, or maybe a
webmail server secured by SSL that your workers can visit with a
normal web browser (you'd provide them with laptops so you'd know the
browsers weren't tampered with). It's normal for any company to want
to communicate with its workers. Therefore, when you say you need
steganography to keep even the *existence* of communication from being
detected, that suggests your company is conducting illegal activity in
Iraq (i.e. breaking Iraqi laws).
That's fine if you're running a spy operation, but a normal company?
What happens if the communications are perfectly secure but the
illegal activity is discovered anyway? What will the company do for
its workers if they're thrown into an Iraqi prison or tortured? Is
that part of their job description? I know that Bush is trying to
dismantle OSHA, but that's ridiculous.
I think you have much bigger questions to ask than how secure some
steganography program might be.
------------------------------
From: "B. E. Busby" <[EMAIL PROTECTED]>
Subject: Re: patent issue
Date: Sat, 7 Apr 2001 13:56:56 -0700
Actually, a US patent confers a "negative right," it's
"...the right to exclude others from making, using, offering for
sale, or selling the invention throughout the United States or
importing the invention into the United States, and, if the
invention is a process, of the right to exclude others from
using, offering for sale or selling throughout the United States,
or importing into the United States, products made by that
process, referring to the specification for the particulars
thereof."
There is no requirement (other than wnen ordered by a court in,
say, an antitrust action) to license the invention or to do so on
reasonable terms.
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> > The problem is when non-profit tasks require the device/algorithm etc...
>
> Is there supposed to be something sacred about a "need" when no profit
> is involved? You can contact the holder of the rights and request that
> he grant you free use; sometimes he will -- but the point of a *right*
> is that he gets to choose how to deploy his own invention. Patents in
> the US (at least) require that the invention be disclosed and reasonable
> licensing be made available, which is a condition imposed in exchange
> for the special protection made available under patent law.
>
------------------------------
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
From: (csbh<REMOVE>@(TH+ESE)datahit.com) (Coridon Henshaw)
Date: Sat, 07 Apr 2001 21:31:04 GMT
Paul Rubin <[EMAIL PROTECTED]> wrote in
<[EMAIL PROTECTED]>:
>Therefore, when you say you need
>steganography to keep even the *existence* of communication from being
>detected, that suggests your company is conducting illegal activity in
>Iraq (i.e. breaking Iraqi laws).
Given that Iraq is still under UN embargo, the simple act of doing business
with Iraq (and exchanging sensitive data with employees might very well
count as 'doing business') is a violation of international law. It seems
far more likely to me that the original poster is, or should be, concerned
about email interception by western security services. Bodies such as the
NSA, GCHQ and CSIS might get a little concerned about encrypted emails sent
to Iraq; they have no way of knowing if the plaintext is 'the dimensions of
the interwidget are 23x32x12mm' or 'the plutonium will be shipped
tomorrow.'
--
Coridon Henshaw -- http://www3.sympatico.ca/gcircle/csbh
"..To expect a good deal from life is puerile." -- D.H. Lawrence
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 07 Apr 2001 14:52:55 -0700
(csbh<REMOVE>@(TH+ESE)datahit.com) (Coridon Henshaw) writes:
> Given that Iraq is still under UN embargo, the simple act of doing business
> with Iraq (and exchanging sensitive data with employees might very well
> count as 'doing business') is a violation of international law. It seems
> far more likely to me that the original poster is, or should be, concerned
> about email interception by western security services. Bodies such as the
> NSA, GCHQ and CSIS might get a little concerned about encrypted emails sent
> to Iraq; they have no way of knowing if the plaintext is 'the dimensions of
> the interwidget are 23x32x12mm' or 'the plutonium will be shipped
> tomorrow.'
This is a good observation but doesn't change the conclusion that
much. If you're right, the company is putting its employees at risk
of being locked up in western jails instead of Iraqi jails. That
still doesn't sound like a viable business strategy.
------------------------------
From: [EMAIL PROTECTED] (Marc)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 7 Apr 2001 21:53:13 GMT
>It's not just that - you have to consider the traffic analysis questions
>as well. what sorts of GIFs are you going to use as covertext? and what
>plausible reason will your contacts have for sending them?
One idea for this problem is to set up a webcam. The picture can always
carry the most recent message. No pictures without message are ever sent
so the adversary can not learn the natural noise characteristics of the
cam unless he has physical access.
The web server distributes the picture to everybody who requests it. If
placed on the principal page of a well-visited server it should be quite
easy to hide the daily "hot" download. With 30 clients set up all over
the US (for example), one can do daily downloads, and still no "hot" client
visits more often than once per month.
------------------------------
From: [EMAIL PROTECTED] (Marc)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: NSA is funding stegano detection
Date: 7 Apr 2001 21:53:15 GMT
>> I am not so sure its easy to detect. One can easily make a file
>> the length of bytes to match the number of LSB in a picture.
>
>Might be true if the picture is sampled with a lot of noise in the LSBs.
>Otherwise not.
With a lot of _white-noise_.
I recall the difficulties to build true hardware random number generators
that do not exhibit bias throughout the whole voltage and temperature
range.
I believe that cheap CCD or CMOS camera chips _do_ generate a lot of
noise, but I doubt that this noise has the exact same characteristics
as the encrypted file you intend to send.
One should analyse the characteristics and map the encrypted file in
a way so that it remains invisible. This can turn out to be difficult
and possibly might even be impossible unless you know what type of
analysis the opponent will undertake (eg FFT). It might be possible
that he comes up with totally new methods of analysis (just like there
appear new attacks on ciphers every couple of years), and that your
stego mapping turns out to be strong or weak against it.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 7 Apr 2001 21:53:47 GMT
[EMAIL PROTECTED] (Gil Adamson) wrote in
<9anm4c$q8$[EMAIL PROTECTED]>:
>
>Hello, all. I've been doing a bit of research on cryptography and how
>it might be applied to a scenario that our company has. I think I
>understand some of the basic concepts, but I wanted to get more expert
>opinions before I make any recommendations to our management.
>
>I hope you'll excuse me if I leave out some of the specifics of our
>situation below:
>
>I'm a technology advisor for a small company that has operations in
>several locations around the world, one of which is (believe it or not)
>Iraq. For various reasons, it is sometimes important for our workers
>to communicate fairly sensitive information to us via e-mail. Also for
>various reasons, we can never be sure that our e-mail will not pass
>through some centrally-located, government-controlled server.
>Therefore we have to assume that ANY (or all) e-mail messages to/from
>our employees there can be read.
>
Another thought. We still have alot of people out of work here
you could hire some Navahos. And just let them communicate messages
to and from IRAQ. It worked in WWII. I doubt he has anyone there
fluent in it. Or pick some other small indian tribe to hire workers.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
Subject: [NEWS] PGP broken (maybe)
Crossposted-To: alt.privacy.anon-server,alt.security-pgp
From: Fight Boschloo <[EMAIL PROTECTED]>
Date: Sat, 07 Apr 2001 22:06:15 GMT
NOTICE: This message may not have been sent by the Sender Name
above. Always use cryptographic digital signatures to verify
the identity of the sender of any usenet post or e-mail.
Sure Boschloo will announce that, now, to get some attention
===============================================
HISTORY:
That Boschloo bozo is a clown and a troll who has been looming around for nearly a
year.
Don't mistake a "regular" (troll) with a knowledgeable person: that self-proclaimed
"security expert" is not even a remailer user. In the past, he proved himself unable
to check a PGP signature, and got ridicule from every single technical topic he wanted
to talk about.
Besides false or inaccurate or misleading technical misinformation, his posts are
about his avowed mental illness, or for bashing remops or real freedom fighters: he
likes to quarrel with every one, and stir shit. Sometimes, it is even pure delirium
(when he misses his pills?)
One of his last actions was to stage a hoax about his own suicide, just to try to grab
some sympathy, after he had been exposed as a troll and technically incompetent.
The worst being his teasing of Script-Kiddie until it triggered a new flood on apas.
Of course, he refuses to apologize.
Actually, the level of contempt he shows for remailer users:
they don't give their names, while he does
that can't do anything against him, without giving their names
is in no way different from what is displayed by Pangborn, Burnore and the like
Ignore him completely, killfile him, respect others' killfiles
KILLFILE:
To put him in your killfile, put "Author: Boschloo"
That will make disappear both him and people who warn about him
If you want to tell him to buzz off, or warn about him,
use a nickname containing "Boschloo" (Boschloo Hater, Boschloo Sucks,...)
to accomodate such killfile for "regulars", and still warn newbies
COURAGE:
Boschloo is getting _no_ answer from apas any more.
He has to crosspost to various newsgroups to try to grab some attention.
In a few months, it will be gone.
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Sun, 08 Apr 2001 00:05:28 +0200
"csbh@(TH+ESE)datahit.com Coridon Henshaw" wrote:
> Paul Rubin <[EMAIL PROTECTED]> wrote in
> <[EMAIL PROTECTED]>:
>
> >Therefore, when you say you need
> >steganography to keep even the *existence* of communication from being
> >detected, that suggests your company is conducting illegal activity in
> >Iraq (i.e. breaking Iraqi laws).
>
> Given that Iraq is still under UN embargo, the simple act of doing business
> with Iraq (and exchanging sensitive data with employees might very well
> count as 'doing business') is a violation of international law. It seems
> far more likely to me that the original poster is, or should be, concerned
> about email interception by western security services.
Maybe german and french companies try to hide their illegal comunications with
Iraq and Libya in steganography :-) Let them continue to think this is useful.
Or make them thinking it is totally useless.
> Bodies such as the
> NSA, GCHQ and CSIS might get a little concerned about encrypted emails sent
> to Iraq; they have no way of knowing if the plaintext is 'the dimensions of
> the interwidget are 23x32x12mm' or 'the plutonium will be shipped
> tomorrow.'
>
> --
> Coridon Henshaw -- http://www3.sympatico.ca/gcircle/csbh
> "..To expect a good deal from life is puerile." -- D.H. Lawrence
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
