Forensics on PDAs, notes from the field

Major Variola (ret) mv at cdc.gov
Thu Aug 12 19:39:08 PDT 2004


Quoth Thomas Shaddack <shaddack at ns.arachne.cz>

> Obvious lesson: Steganography tool authors, your programs
> should use the worm/HIV trick of changing their signatures
> with every invocation.  Much harder for the forensic
> fedz to recognize your tools.  (As suspicious, of course).

It should be enough to do that at the installation time. The adversary in
this model gets to analyze the file only once, and we want to make sure
that nobody tampered with the file as a protection against other, more
"active" threat models. What we want is to have a file and its hash, so we
can make sure the file content is unchanged, but the hash has to be as
globally-unique as possible.

> The NIST CDROM also doesn't seem to include source code amongst its
> sigs, so if you compile yourself, you may avoid their easy glance.

A cool thing for this purpose could be a patch for gcc to produce unique
code every time, perhaps using some of the polymorphic methods used by
viruses.

Just adding a chunk of data to make the hash unique will work against the
current generation of the described tools. But we should plan for the
future: what moves can the adversary make to counter this step?

--------
Dear TS: you have very good ideas.
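
The install-time trick discussed above, worked through as an added example (this is not code from the thread or from any tool the posters name). The tool binary and the hash list are constructed stand-ins: a short byte string plays the compiled stego tool, and a dict of whole-file SHA-1 hashes plays a signature CD-ROM of the NIST kind. It goes one step further than the thread and sketches the counter-move TS asks about: once a hash list also carries each known file's size, the examiner can hash only the first L bytes of a suspect file, and an appended random chunk stops helping.

```python
import hashlib
import os
from typing import Optional

# Constructed sample input: stands in for a compiled steganography tool on disk.
TOOL_BINARY = b"\x7fELF" + b"stego-tool-v1 " * 8

# Constructed lookup table modelled on a whole-file hash list such as the
# NIST CD-ROM the thread mentions: hash -> descriptive name.
KNOWN_HASHES = {hashlib.sha1(TOOL_BINARY).hexdigest(): "stego-tool v1"}

# The same knowledge reorganised for the counter-move: file size -> hash.
# Real hash lists ship the size beside the digest, which is all this needs.
KNOWN_BY_LENGTH = {len(TOOL_BINARY): hashlib.sha1(TOOL_BINARY).hexdigest()}


def personalize(binary: bytes, nonce_len: int = 16) -> bytes:
    """Install-time step from the thread: append a random chunk so the
    whole-file hash of this copy is unique. The code itself is untouched."""
    return binary + os.urandom(nonce_len)


def naive_match(data: bytes) -> Optional[str]:
    """First-generation forensic check: hash the whole file, look it up."""
    return KNOWN_HASHES.get(hashlib.sha1(data).hexdigest())


def prefix_match(data: bytes) -> Optional[str]:
    """Adversary's counter-move: for every known file size L, hash only the
    first L bytes. Bytes appended after the original content are ignored."""
    for length, digest in KNOWN_BY_LENGTH.items():
        if length <= len(data) and hashlib.sha1(data[:length]).hexdigest() == digest:
            return KNOWN_HASHES[digest]
    return None


def record_integrity(data: bytes) -> str:
    """Owner's side: the hash recorded for the personalized copy, so later
    tampering with this specific file is detectable."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, recorded: str) -> bool:
    """Owner's side: has this copy changed since its hash was recorded?"""
    return hashlib.sha256(data).hexdigest() == recorded


if __name__ == "__main__":
    my_copy = personalize(TOOL_BINARY)
    recorded = record_integrity(my_copy)
    print("whole-file lookup on pristine copy:", naive_match(TOOL_BINARY))
    print("whole-file lookup on personalized copy:", naive_match(my_copy))
    print("prefix lookup on personalized copy:", prefix_match(my_copy))
    print("integrity of personalized copy holds:", verify_integrity(my_copy, recorded))
```

The appended nonce gives the owner what TS asks for, a per-copy hash that still detects tampering, and it defeats a checker that only hashes whole files. It does not defeat a checker that knows the known file's size and hashes a prefix, nor one that hashes sections of the executable rather than the file; that is the gap the gcc-level polymorphism idea in the thread would be aimed at, since it changes the code bytes themselves rather than what follows them.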