Forensics on PDAs, notes from the field

Major Variola (ret) mv at
Thu Aug 12 19:39:08 PDT 2004

Quoth Thomas Shaddack <shaddack at>

> Obvious lesson: Steganography tool authors, your programs
> should use the worm/HIV trick of changing their signatures
> with every invocation.  Much harder for the forensic
> fedz to recognize your tools.  (As suspicious, of course).

It should be enough to do that at the installation time. The adversary in
this model gets to analyze the file only once, and we want to make sure
that nobody tampered with the file as a protection against other, more
"active" threat models. What we want is to have a file and its hash, so we
can make sure the file content is unchanged, but the hash has to be as
globally unique as possible.

> The NIST CDROM also doesn't seem to include source code amongst its
> sigs, so if you compile yourself, you may avoid their easy glance.

A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by

Just adding a chunk of data to make the hash unique will work against the
current generation of the described tools. But we should plan for the
future: what moves can the adversary make to counter this step?

Dear TS: you have very good ideas.
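The two moves discussed above, as an added example that is not part of the original post: an exact-digest hash set of the kind the thread describes, the install-time "append a unique chunk and record the hash" step, and one way the forensic side can counter it by storing the original file size and hashing only that many bytes of a suspect file. The tool bytes and the unique-build variant are constructed stand-ins, not real binaries.

```python
import hashlib
import os

# Constructed stand-in for a tool binary; a real hash set holds digests of
# real executables.
KNOWN_TOOL = b"\x7fELF" + b"stego-tool-code-section" * 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Current-generation hash set: exact digest only.
EXACT_SET = {sha256(KNOWN_TOOL)}

# Countermove: digest keyed by the original file size, so the matcher can
# hash just the first `size` bytes of a suspect file.
SIZED_SET = {len(KNOWN_TOOL): sha256(KNOWN_TOOL)}


def exact_match(blob: bytes) -> bool:
    return sha256(blob) in EXACT_SET


def sized_match(blob: bytes) -> bool:
    """Hash each known-size prefix of the suspect file; trailing data is ignored."""
    return any(
        size <= len(blob) and sha256(blob[:size]) == digest
        for size, digest in SIZED_SET.items()
    )


def append_nonce(blob: bytes, nonce: bytes) -> bytes:
    """The install-time trick from the thread: append a unique chunk."""
    return blob + nonce


def install_unique(blob: bytes) -> tuple[bytes, str]:
    """One random chunk at install time, then record the integrity hash of
    the result so later tampering can be detected."""
    unique = append_nonce(blob, os.urandom(16))
    return unique, sha256(unique)


def insert_nonce(blob: bytes, nonce: bytes, offset: int) -> bytes:
    """Constructed model of a unique build: the change lands inside the file,
    which a size-keyed prefix hash no longer catches."""
    return blob[:offset] + nonce + blob[offset:]
```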
