From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
Date: Wed, 23 Feb 94 18:57:04 PST
To: Matt Thomlinson <phantom@u.washington.edu>
Subject: Re: STEALTH OCEANS
In-Reply-To: <Pine.3.89.9402231855.A22264-0100000@stein3.u.washington.edu>
Message-ID: <Pine.3.89.9402232157.A2157-0100000@delbruck.pharm.sunysb.edu>
MIME-Version: 1.0
Content-Type: text/plain




On Wed, 23 Feb 1994, Matt Thomlinson wrote:

> I originally mailed this response to your suggestions on the cpunk list 
> about two weeks ago. You must've missed it. 
> 

Yes, I must have.  Thank you for mailing it to me!

> dos stego:
> 
> I don't think the current discussion is taking into account the fact that 
> if someone suspects you of using steganography they're going to check. 
> If what you are describing becomes a popular way of steganography, you're 
> out of luck -- they'll check that first. 
> 

It would be alright if someone checks the deleted sectors.  They would indeed
find your "noise" file; but, it would be embedded in rest of the noise
surrounding it (which would be provided by the other deleted files on the 
disk).

Thus, the original problem (ie. how to keep "noise" files inconspicuous) is
solved.

> Think about it: your 'bad-sector' stego or 'wiped-filespace' stego begins 
> gaining popularity. Wouldn't you think they'd check for funny bad sectors if 
> they were going to check your computer for contriband info? 
> 
> 

They would.  But, combined with "Stealth PGP" (ie. encryption without 
telltale headers) searching through all the deleted noise (which could be 
legitimate for all they know) would be futile.

> Another thing that has bothered me: if you didn't have the sectors marked,
> you'd need to remember where they were (so you could protect them from
> writes). You wouldn't necessarily want to do this on the computer; it'd be
> there for the picking. How to do it?
> 

Simple.  You would take note of the starting address of the file.  And, 
the length of the file.

> Someone suggested you just use the end of the wiped filespace (use norton
> or other utility to defrag the disk and move empty space to the end of the
> disk, then use portion of disk furthest away from being written to. This 
> might work, except for the fact that fragmentation _does_ go on, and when 
> you were to write files to the drive (heck, I do every time I start up 
> windows and write a huge temp swapfile) you're going to be playing 
> roulette with your data. 
> 

This problem is solved by simply using a utility that writes directly to the
disk (exactly in the specified sectors, in the specified order), instead 
of letting DOS fragment your disk.

> 
> I think the point about the blank track (the one linux uses) is
> interesting;  then again, once your method becomes well-known, it is no
> longer useful. 
> 

I am not familiar with the blank track you speak of; but, of course, if 
everyone keeps hiding their data in the same location it will not remain
hidden for long.

> 
> Just thoughts; I wish I had more answers. Heck, ANY answers would be nice.
> 
> mt
> 
> Matt Thomlinson                               Say no to the Wiretap Chip!
> University of Washington, Seattle, Washington.
> Internet: phantom@u.washington.edu      	    phone: (206) 548-9804
> PGP 2.2  key available via email or finger phantom@hardy.u.washington.edu
> 
> 
> 

Thanks for sharing your thoughts, Matt!


Sergey