From: Tyler Durden <camera_lumina@hotmail.com> Sent: Dec 9, 2004 2:47 PM To: measl@mfn.org Cc: rah@shipwright.com, cryptography@metzdowd.com, cypherpunks@al-qaeda.net, osint@yahoogroups.com Subject: RE: Blinky Rides Again: RCMP suspect al-Qaida messages
...
NSA folks, on the other hand, I would assume have a soft version of a Variola Stego suitcase...able to quickly detect the presence of pretty much any kind of stego and then perform some tests to determine what kind was used. I bet they've been aware of Al Qaeda stego for a long time...that's probably the kind of thing they are very very good at.
Maybe, but I think it would be very hard to write a general-purpose stego detector, without knowing the techniques used for encoding the message. And if you know the distribution of your cover channel as well as your attacker, or can generate lots of values from that distribution even if you can't describe it, you can encode messages in a way that provably can't be detected, down to the quality of your random number generator and the difficulty of guessing your key. I imagine this as something much like a virus scanner. Look for known stego programs, and also for signatures of known stego programs. Really good programs might be impossible to find without doing, say, a password search. But it's worth noting that AQ has to do key management just like the rest of us, and that's hard when you are communicating with a lot of different people. If your stego is password-protected, some terrorist's laptop is going to have a post-it note on the screen with the password. ...
-TD
--John Kelsey
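As an added illustration (not part of the thread) of the detection side Kelsey's "virus scanner" analogy leaves out: the crudest technique, LSB replacement, leaves a statistical trace that the chi-square pairs-of-values test picks up without knowing which program was used. The cover trace, the payload and all function names are constructed for this example.

```python
import random

def lsb_embed(cover: bytes, bits: list) -> bytes:
    """Naive LSB replacement: overwrite the low bit of each cover byte with a message bit."""
    out = bytearray(cover)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (b & 1)
    return bytes(out)

def chi_square_lsb(data: bytes) -> float:
    """Pairs-of-values statistic (Westfeld/Pfitzmann). LSB replacement only moves
    mass between the values 2k and 2k+1, so in a fully embedded file each pair's
    counts converge on their mean. A large statistic means the pairs are still
    unequal (nothing embedded); one near the ~127 degrees of freedom is suspicious."""
    counts = [0] * 256
    for x in data:
        counts[x] += 1
    chi = 0.0
    for k in range(128):
        c0, c1 = counts[2 * k], counts[2 * k + 1]
        mean = (c0 + c1) / 2
        if mean:
            chi += (c0 - mean) ** 2 / mean + (c1 - mean) ** 2 / mean
    return chi

def make_cover(n: int, seed: int = 1) -> bytes:
    """Constructed cover (not real data): a quantised sensor trace in which even
    sample values are three times as common as their odd neighbours."""
    rng = random.Random(seed)
    vals = []
    for _ in range(n):
        base = min(127, max(0, int(rng.gauss(64, 20))))
        vals.append(2 * base + (0 if rng.random() < 0.75 else 1))
    return bytes(vals)

def demo(n: int = 20000, seed: int = 1):
    """Return the statistic for the clean cover and for the same cover after embedding."""
    cover = make_cover(n, seed)
    rng = random.Random(seed + 1)
    # An encrypted payload looks like random bits, which is exactly what the test
    # exploits: random bits equalise every (2k, 2k+1) pair.
    payload = [rng.getrandbits(1) for _ in range(n)]
    stego = lsb_embed(cover, payload)
    return chi_square_lsb(cover), chi_square_lsb(stego)

if __name__ == "__main__":
    before, after = demo()
    print(f"chi-square before embedding: {before:.0f}, after: {after:.0f}")
```

The test says nothing about an encoder that samples from the cover distribution itself, which is the case Kelsey argues is provably undetectable; it only catches tools that overwrite bits.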