RE: Just Carnivore (was: Yahoogroups and Carnivore)

From: []
Sent: Monday, September 17, 2001 10:10 PM

> However, given mil-grade VPNs these days, there is no way
they can read what
> you sent. They can only tell that you sent something.
However, I just
> discovered the Steganography stuff in my SuSE Linux
distribution, hmmmmm.
> But, they still know where it came from and where it went.

As Bruce Schneier said, the problem with steganography is
that you need
a good cover story for why you're mailing JPG's of giraffes
back and forth...

I can actually see lots of applications for steganography; Stealth porn on a
public web-site, for example. But for purposes of clandestine communications
with and far-flung org, use a news content site that has pictures and imbed
messages in the news content pictures. A site like, for an
example, could be used to transmit messages in such a way.

Another method is to take advantage of a photo album sharing site like Whom is to know that a mega-pixel image isn't just an image
of the family dog? Photos are just the easiest thing, there are other
multi-media content vehicles. However, most folks aren't sufficiently
talented to be able to post original music. I imagine that the terrorist
population has no larger percentage of musical composers than the general
populous. Whereas, people generally take snapshots like crazy.

I am reasonably sure that Casper the friendly ghost has either thought of,
or used, most of them, at one time or another. I can't think that your
average terrorist scum-bag has any less of an imagination.

So, Bruce Schneier, when posing that problem, must have had his imagination
disengaged. There is more than adequate cover story for passing huge JPGs

No, he actually had his brain engaged. His point was that if you're trying
to use steganography to move data around under the nose of a government that's
actively trying to catch you at something, you can't just start sending
files around, because that would set off traffic pattern analysis warnings. for the whole story.


Hash: SHA1

You're assuming that you HADN'T established that pattern already.. I
think an excellent delivery method would be to embed in porn, and
post to a mailing list/yahoo group/what have you to which both people
are subscribed... Granted the FBI could track it down, but if you're
following your established pattern of sending porn, and knowing that
your recipient is on the distribution list, that's more than likely a
better way than any other form of person to person email..

Just my $0.02.


- --
Matt Levine
ICQ : 17080004

- -----Original Message-----