From: mccoy@communities.com (Jim McCoy)
To: cypherpunks@toad.com
Message Hash: 1a243ed997a02a21fcf870f9c367bd856742d43639732ede1417668200783d9a
Message ID: <v02140b00ad64feb0d70c@[199.2.22.124]>
Reply To: N/A
UTC Datetime: 1996-03-08 08:27:46 UTC
Raw Date: Fri, 8 Mar 1996 16:27:46 +0800
From: mccoy@communities.com (Jim McCoy)
Date: Fri, 8 Mar 1996 16:27:46 +0800
To: cypherpunks@toad.com
Subject: Re: TCP/IP Stego (was CU-SeeMe)
Message-ID: <v02140b00ad64feb0d70c@[199.2.22.124]>
MIME-Version: 1.0
Content-Type: text/plain
JonWienke@aol.com writes:
>>A tcp header contains quite a bit of useful information.. but most of it
>>wouldnt be easily manipulated (by me) to get a bit. [header checksum
>>twiddling...]
>
>This is a bad idea, because in addition to the extra processor overhead, it
>is an incredible waste of bandwidth. For a 512 byte packet, you are only
>getting .02% efficiency, because you wouldn't be able to use the actual data
>in the packet; otherwise someone would probably notice the increased error
>rate if you dink around with the checksum.
I think that the original poster meant twiddling some of the (relatively)
unused fields of the header which most routers and applications do not
care about, the type-of-service field or priority would good place to
start. This would have no effect on the data in the packet, particularly
if you fiddle at the IP level instead of TCP. While it is a low
bandwidth comm channel, it has a couple of advantages which you seem to
overlook:
-It can be applied by two routers which are in the middle
of the connection. The two endpoints of the TCP/IP
connection would not even notice. For example, if I control
a router "upstream" of a major connection point and the
site I wish to communicate with is in a similar position
then I can run the subliminal channel in a "spread spectrum"
mode across many connections and the packets can get reset
to their original settings by the other site. The user
whose stream we fiddled with does not even know that they
were used as carrier wave...
-While the per-packet information rate is low, such a system
has a _lot_ of packets to work with and a much larger choice
of endpoints. Your hypothetical .WAV file may pack more
information in, but there are a miniscule amount of such files
moving on the Internet; just by transmitting such a file you
could be suspect (honestly, how many soundfiles do you think
you could ship around before people get suspicious...) By
hiding the information in the lower layers of TCP/IP you also
make it less likely to be noticed; unless someone hooks up a
packet sniffer and filters at the IP level the stream will
go unnoticed, while a soundfile is an application-level
communication and much easier to watch. It is, in effect,
hiding the channel in the low-order bits of the comm channel
used to transmit your soundfile...
-An application encoding method (pictures,soundfiles, etc.)
also needs a "reason" for being sent. You can legitimately
send packets for no reason whatsoever, at least from the users
perspective (e.g. DNS lookups, ICMP messages, faked fragments,
etc.) A packet system also has a constant stream of traffic to
play with; you could run TCP/IP _on top of such a system_!
Passing soundfiles and images back and forth would not work
for interactive communication, it is UUCP at best.
jim
Return to March 1996
Return to “mccoy@communities.com (Jim McCoy)”
1996-03-08 (Fri, 8 Mar 1996 16:27:46 +0800) - Re: TCP/IP Stego (was CU-SeeMe) - mccoy@communities.com (Jim McCoy)