Blinky Rides Again: RCMP suspect al-Qaida messages

Tyler Durden camera_lumina at hotmail.com
Fri Dec 10 07:10:14 PST 2004


>Maybe, but I think it would be very hard to write a general-purpose stego 
>detector, without knowing the techniques used for encoding the message.  
>And if you know the distribution of your cover channel as well as your 
>attacker, or can generate lots of values from that distribution even if 
>you can't describe it, you can encode messages in a way that provably 
>can't be detected, down to the quality of your random number generator and 
>the difficulty of guessing your key.

Well, the first thing to remember is that Arabic more or less has a built-in 
method for distributing covert information...kind of like Hebrew, an Arabic 
word can be viewed in terms of a subset of consonants...for specific 
groupings there are lots of well-known associated words with the same 
letters. I'd bet a careful examination of bin Laden communiques will reveal 
the existence of pointers to such special words...the initiated will know how 
to pull out those words and use them as passwords, etc...

As for the sophistication of Al Qaeda software, remember we're probably not 
talking about a very centrally-organized group. Their members are scattered 
in all sorts of socio-eco-bandwidth environments so that off-the-shelf 
(where shelf=internet) stuff is going to be common.

Remember too that broad categories of Stego can apparently be detected by 
FFT (someone here posted a link to a paper describing that). Put that and 
all sorts of other routines looking for specific Stego signatures into a 
Variola suitcase and I bet they (NSA, though not police) can pull out 
practically anything they want to. BUT...that probably doesn't do them a ton 
of good...the plaintext will be in Arabic, it will speak symbolically, and 
maybe use some even more clever techniques for info obfuscation.

As for the 'semaphore' theory I consider that likely...lots of info will be 
sent out-of-band (ie, verbally) and Stego'd info will perhaps be triggers or 
possibly meeting coordinates. Maybe an account number every now and then 
(VERY easy to hide using Arabic letter-numerals).

-TD


>
>I imagine this as something much like a virus scanner.  Look for known 
>stego programs, and also for signatures of known stego programs.  Really 
>good programs might be impossible to find without doing, say, a password 
>search.
>
>But it's worth noting that AQ has to do key management just like the rest 
>of us, and that's hard when you are communicating with a lot of different 
>people.  If your stego is password-protected, some terrorist's laptop is 
>going to have a post-it note on the screen with the password.
>
>...
> >-TD
>
>--John Kelsey
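The quoted claim above (that a sender who can draw samples from the cover distribution, even without being able to describe it, can embed a message whose detectability reduces to the quality of the sampler and the secrecy of the key) is the rejection-sampling construction. The following Python is an added example, not code from this thread or from any program it mentions: the cover channel (packet gaps in milliseconds), the key and the message are constructed here, and HMAC-SHA256 stands in for the keyed PRF.

```python
import hashlib
import hmac
import random
from collections import Counter


def prf_bit(key: bytes, index: int, sample: int) -> int:
    """Keyed PRF mapping (position, cover value) to one bit.

    HMAC-SHA256 stands in for the PRF. Mixing in the position index means the
    same cover value maps to an unrelated bit at every position, so a fixed
    preference for some values never shows up in the stego stream.
    """
    digest = hmac.new(key, f"{index}:{sample}".encode(), hashlib.sha256).digest()
    return digest[0] & 1


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, usable, 8))


def make_cover_sampler(seed: int = 1):
    """Constructed cover channel (an assumption for this example): the gap in
    milliseconds between outbound packets. The sender only ever *samples* it;
    nothing below needs a formula for the distribution."""
    rng = random.Random(seed)
    return lambda: int(rng.expovariate(1 / 40.0)) + 1


def embed(key: bytes, message: bytes, sampler, max_tries: int = 64) -> list:
    """Rejection sampling: for each message bit, keep drawing innocent cover
    values until the PRF says the draw carries that bit, then emit it.

    Every emitted value is a genuine draw from the cover distribution, only
    conditioned on a pseudorandom predicate the warden cannot evaluate
    without the key, which is where the provable undetectability comes from.
    """
    stego = []
    for index, bit in enumerate(bytes_to_bits(message)):
        for _ in range(max_tries):
            sample = sampler()
            if prf_bit(key, index, sample) == bit:
                stego.append(sample)
                break
        else:
            # Each draw succeeds with probability about 1/2, so 64 misses in
            # a row means the sampler is stuck, not that the PRF is unlucky.
            raise RuntimeError(f"sampler never produced bit {bit} at {index}")
    return stego


def extract(key: bytes, stego: list) -> bytes:
    """The receiver needs only the key: re-evaluate the PRF on each value."""
    return bits_to_bytes([prf_bit(key, i, s) for i, s in enumerate(stego)])


def total_variation(a: list, b: list, bucket: int = 10) -> float:
    """Distance between two bucketed empirical histograms, the kind of
    statistic a warden with a large corpus of innocent traffic would use."""
    ca, cb = Counter(v // bucket for v in a), Counter(v // bucket for v in b)
    return 0.5 * sum(abs(ca[k] / len(a) - cb[k] / len(b))
                     for k in set(ca) | set(cb))


def demo(message: bytes = b"meet at the usual place, 0300",
         key: bytes = b"shared-secret-agreed-out-of-band") -> dict:
    """Round trip with the right key; garbage with a guessed one."""
    stego = embed(key, message, make_cover_sampler(seed=7))
    return {
        "recovered": extract(key, stego),
        "stego_len": len(stego),
        "wrong_key_matches": extract(b"guess", stego) == message,
    }


def warden_view(n_bytes: int = 400) -> float:
    """How far the stego stream's histogram sits from plain cover traffic of
    the same length. Both streams are constructed; the payload is random."""
    payload = bytes(random.Random(3).getrandbits(8) for _ in range(n_bytes))
    stego = embed(b"another-key", payload, make_cover_sampler(seed=11))
    plain = make_cover_sampler(seed=12)
    cover_only = [plain() for _ in range(len(stego))]
    return total_variation(cover_only, stego)


if __name__ == "__main__":
    print(demo())
    print("TVD stego vs. cover:", round(warden_view(), 3))
```

The caveat the quoted text itself flags: the guarantee is only as good as the sampler. If the warden's model of real packet gaps is better than the sender's, or the sampler is a weak PRNG rather than the live channel, the stream is distinguishable no matter how strong the PRF is. The receiver also has to know where the stego stream starts and how many bits to read; that framing is key-management work, not something the construction solves.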

More information about the cypherpunks-legacy mailing list