Firewall Wizards mailing list archives

Re: What about Traffic Analysis?


From: Adam Shostack <adam () homeport org>
Date: Fri, 7 Aug 1998 09:45:23 -0400 (EDT)

Ted Doty wrote:
| At 03:28 PM 8/6/98 -0400, Adam Shostack wrote:
| 
| >     What about performing traffic analysis on the mail flow?
| >Catching information by spikes in the places people send mail?
| >Sending files to the competition?  Is this worthwhile?  (Assume
| >trapping messages that hit some threshold.)
| 
| Traffic Analysis is still more art than science.  This doesn't mean that
| much of it couldn't be captured in automated tools, but the cost of using
| the tools will be high - lots of analysis and lots of false positives.
| This is why it's mainly governments that use TA (they can stand the cost).

        Actually, there is a definite science to TA. The NSA has had
courses in it for long enough that Aegean Park has old books available.
There has been some very interesting work done and not published by
various cypherpunks on TA in a remailer network.

        However, you're correct; it does lead to lots of manual
analysis and lots of false positives.  However, if you're going to
fail at the problem of understanding content, you may be more
interested in the problem of following message flows.

        Seeing lots of mail from a GM executive to Volkswagen shortly
before he leaves the company may be interesting even without the
content.  It also may be useful as a means of deciding what to do
content analysis on.

| >     In a talk at Defcon this weekend, someone made the comment
| >that sending pictures of giraffes to your friends is calling attention
| >to yourself, regardless of the ability of the screener to find the
| >stego'd encrypted message in the picture.
| 
| Presumably you'd have more of a clue than to send random pix of Barney the
| Dinosaur.  Even the random "You'll never believe THIS (I heard it on the
| Internet)" that I get from all my Internet-newbie friends has lots of
| bandwidth for hidden messages.

        Presumption of clue on the part of the enemy makes the problem
harder than it often is. :)

| This is a classic covert channel analysis problem.  Trying to block covert
| channels in an Internet world will make your hair fall out.

        My question is not, can we catch everyone; it's, can we catch
some people, and is that a useful thing to do?

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
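The threshold-trapping idea floated at the top of this thread (flag a sender whose outbound mail to one outside domain suddenly spikes, then hand those flows to content analysis) is simple enough to sketch in code. The script below is an added example and is not part of the original post; the mail log format, the domain names, the sample log lines and the thresholds are all constructed for illustration.

```python
"""Mail-flow traffic analysis: flag (sender, external domain) pairs whose
daily outbound byte volume spikes against that pair's own earlier days.
The hits are candidates for content review, not verdicts.
Added example; log format, domains and thresholds are constructed."""
from collections import defaultdict
from statistics import mean

INTERNAL_DOMAIN = "example.com"   # assumed: the organisation's own mail domain

# Constructed sample log, one message per line: "date sender recipient bytes".
SAMPLE_LOG = """\
1998-08-03 alice@example.com bob@example.com 1800
1998-08-03 alice@example.com carol@rival.example 2100
1998-08-04 alice@example.com carol@rival.example 2400
1998-08-05 alice@example.com carol@rival.example 1900
1998-08-06 alice@example.com carol@rival.example 4300000
1998-08-06 alice@example.com carol@rival.example 5100000
1998-08-03 dave@example.com erin@partner.example 900
1998-08-04 dave@example.com erin@partner.example 1100
1998-08-05 dave@example.com erin@partner.example 950
1998-08-06 dave@example.com erin@partner.example 1200
1998-08-06 frank@example.com grace@example.com 700000
"""


def parse_log(text):
    """Parse log lines into (date, sender, recipient_domain, bytes) tuples.
    Mail that stays inside INTERNAL_DOMAIN is dropped: the question here is
    what leaves the organisation, not internal chatter."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, sender, recipient, size = line.split()
        rdomain = recipient.rsplit("@", 1)[1].lower()
        if rdomain == INTERNAL_DOMAIN:
            continue
        records.append((day, sender.lower(), rdomain, int(size)))
    return records


def daily_volume(records):
    """Aggregate outbound bytes per (sender, external domain) per day."""
    vol = defaultdict(lambda: defaultdict(int))
    for day, sender, rdomain, size in records:
        vol[(sender, rdomain)][day] += size
    return vol


def find_spikes(records, multiplier=10.0, min_bytes=1_000_000):
    """Return (sender, domain, day, bytes, baseline) for each day on which a
    pair's volume exceeds `multiplier` times the mean of its earlier days
    and is at least `min_bytes`.  The absolute floor keeps a trickle that
    merely doubled from being flagged, and it also catches a first-ever
    large transfer to a domain with no baseline at all (baseline = 0)."""
    hits = []
    for (sender, rdomain), per_day in daily_volume(records).items():
        history = []
        for day in sorted(per_day):
            size = per_day[day]
            baseline = mean(history) if history else 0.0
            if size >= min_bytes and size > multiplier * baseline:
                hits.append((sender, rdomain, day, size, baseline))
            history.append(size)
    return sorted(hits, key=lambda h: (h[2], h[0]))


if __name__ == "__main__":
    for sender, rdomain, day, size, baseline in find_spikes(parse_log(SAMPLE_LOG)):
        print(f"{day} {sender} -> {rdomain}: {size} bytes "
              f"(prior daily mean {baseline:.0f}) - review content")
```

Two design points match the thread. First, the comparison is per sender and per destination domain against that pair's own history, so a sales rep who always mails a partner is not flagged for doing it again, while a single day of several megabytes to a domain that usually gets a few kilobytes is. Second, the output is deliberately a short list of flows to look at, which is the "deciding what to do content analysis on" use described above; the false-positive cost is paid in analyst time on that list, not in blocked mail.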