From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
To: Matt Thomlinson <phantom@u.washington.edu>
Message Hash: bf16a595071b7913fd47b30adda816eda78a11a13799d6228ede726ec4b8f8f0
Message ID: <Pine.3.89.9402232157.A2157-0100000@delbruck.pharm.sunysb.edu>
Reply To: <Pine.3.89.9402231855.A22264-0100000@stein3.u.washington.edu>
UTC Datetime: 1994-02-24 02:57:04 UTC
Raw Date: Wed, 23 Feb 94 18:57:04 PST
From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
Date: Wed, 23 Feb 94 18:57:04 PST
To: Matt Thomlinson <phantom@u.washington.edu>
Subject: Re: STEALTH OCEANS
In-Reply-To: <Pine.3.89.9402231855.A22264-0100000@stein3.u.washington.edu>
Message-ID: <Pine.3.89.9402232157.A2157-0100000@delbruck.pharm.sunysb.edu>
MIME-Version: 1.0
Content-Type: text/plain
On Wed, 23 Feb 1994, Matt Thomlinson wrote:
> I originally mailed this response to your suggestions on the cpunk list
> about two weeks ago. You must've missed it.
>
Yes, I must have. Thank you for mailing it to me!
> dos stego:
>
> I don't think the current discussion is taking into account the fact that
> if someone suspects you of using steganography they're going to check.
> If what you are describing becomes a popular way of steganography, you're
> out of luck -- they'll check that first.
>
It would be alright if someone checks the deleted sectors. They would indeed
find your "noise" file; but, it would be embedded in rest of the noise
surrounding it (which would be provided by the other deleted files on the
disk).
Thus, the original problem (ie. how to keep "noise" files inconspicuous) is
solved.
> Think about it: your 'bad-sector' stego or 'wiped-filespace' stego begins
> gaining popularity. Wouldn't you think they'd check for funny bad sectors if
> they were going to check your computer for contriband info?
>
>
They would. But, combined with "Stealth PGP" (ie. encryption without
telltale headers) searching through all the deleted noise (which could be
legitimate for all they know) would be futile.
> Another thing that has bothered me: if you didn't have the sectors marked,
> you'd need to remember where they were (so you could protect them from
> writes). You wouldn't necessarily want to do this on the computer; it'd be
> there for the picking. How to do it?
>
Simple. You would take note of the starting address of the file. And,
the length of the file.
> Someone suggested you just use the end of the wiped filespace (use norton
> or other utility to defrag the disk and move empty space to the end of the
> disk, then use portion of disk furthest away from being written to. This
> might work, except for the fact that fragmentation _does_ go on, and when
> you were to write files to the drive (heck, I do every time I start up
> windows and write a huge temp swapfile) you're going to be playing
> roulette with your data.
>
This problem is solved by simply using a utility that writes directly to the
disk (exactly in the specified sectors, in the specified order), instead
of letting DOS fragment your disk.
>
> I think the point about the blank track (the one linux uses) is
> interesting; then again, once your method becomes well-known, it is no
> longer useful.
>
I am not familiar with the blank track you speak of; but, of course, if
everyone keeps hiding their data in the same location it will not remain
hidden for long.
>
> Just thoughts; I wish I had more answers. Heck, ANY answers would be nice.
>
> mt
>
> Matt Thomlinson Say no to the Wiretap Chip!
> University of Washington, Seattle, Washington.
> Internet: phantom@u.washington.edu phone: (206) 548-9804
> PGP 2.2 key available via email or finger phantom@hardy.u.washington.edu
>
>
>
Thanks for sharing your thoughts, Matt!
Sergey
Return to February 1994
Return to “Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>”