Firewall Wizards mailing list archives

Re: What about Traffic Analysis?


From: Ted Doty <ted () iss net>
Date: Fri, 07 Aug 1998 09:01:00 -0400

At 03:28 PM 8/6/98 -0400, Adam Shostack wrote:

      What about performing traffic analysis on the mail flow?
Catching information by spikes in the places people send mail?
Sending files to the competition?  Is this worthwhile?  (Assume
trapping messages that hit some threshold.)

Traffic Analysis is still more art than science.  This doesn't mean that
much of it couldn't be captured in automated tools, but the cost of using
the tools will be high - lots of analysis and lots of false positives.
This is why it's mainly governments that use TA (they can stand the cost).

      In a talk at Defcon this weekend, someone made the comment
that sending pictures of giraffes to your friends is calling attention
to yourself, regardless of the ability of the screener to find the
stego'd encrypted message in the picture.

Presumably you'd have more of a clue than to send random pix of Barney the
Dinosaur.  Even the random "You'll never believe THIS (I heard it on the
Internet)" that I get from all my Internet-newbie friends has lots of
bandwidth for hidden messages.

This is a classic covert channel analysis problem.  Trying to block covert
channels in an Internet world will make your hair fall out.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
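
The threshold idea discussed in this message, as an added example that is not part of the original post or written by either correspondent: it flags sender/destination-domain pairs whose daily mail volume jumps above that sender's own baseline. The log format, function names, thresholds and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real traffic): day sender recipient bytes
SAMPLE = [
    "1998-08-03 alice@corp.example bob@partner.example 20000",
    "1998-08-04 alice@corp.example bob@partner.example 24000",
    "1998-08-05 alice@corp.example bob@partner.example 18000",
    "1998-08-06 alice@corp.example bob@partner.example 22000",
    "1998-08-07 alice@corp.example bob@partner.example 900000",
    "1998-08-07 carol@corp.example sales@rival.example 400000",
    "1998-08-07 dave@corp.example list@news.example 5000",
    "truncated record",
]

def daily_volume(lines):
    """Map (sender, destination domain) -> {day: total bytes sent}."""
    vol = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or "@" not in parts[2] or not parts[3].isdigit():
            continue  # skip malformed records rather than abort the run
        day, sender, rcpt, size = parts
        vol[(sender.lower(), rcpt.rsplit("@", 1)[1].lower())][day] += int(size)
    return vol

def spikes(lines, today, k=5.0, floor=100_000, min_history=3):
    """Flag pairs whose bytes on `today` exceed median + k*MAD of earlier days."""
    alerts = []
    for pair, days in daily_volume(lines).items():
        current = days.get(today, 0)
        if current < floor:
            continue  # an absolute floor keeps small senders out of the queue
        history = [b for d, b in days.items() if d < today]  # ISO dates sort as text
        if len(history) < min_history:
            alerts.append((pair, current, "no-baseline"))  # large and unseen before
            continue
        med = median(history)
        mad = median(abs(b - med) for b in history) or 1  # avoid a zero-width band
        if current > med + k * mad:
            alerts.append((pair, current, "spike"))
    return sorted(alerts)

if __name__ == "__main__":
    # Both hits still need a human: the 900 kB message may be a routine report,
    # which is the false-positive cost the post describes.
    for (sender, domain), size, reason in spikes(SAMPLE, "1998-08-07"):
        print(f"{reason:12} {sender} -> {domain} {size} bytes")
```

Lowering `k` or `floor` catches smaller transfers at the price of a longer review queue.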


