Firewall Wizards mailing list archives

Re: What about Traffic Analysis?


From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Fri, 07 Aug 1998 11:17:21 -0700

-----BEGIN PGP SIGNED MESSAGE-----


Ryan Russell <ryanr () sybase com> wrote:

> Bruce generally knows what he's talking about.
> I suppose the solution to that is to make sure
> you're known for sending out pictures of animals
> for years before you send the special giraffe
> picture, aka hiding in the crowd.
> This doesn't help if your mail admin only allows
> out cleartext english or some such, though.

...in which case a dedicated evildoer need only transmit using a code
rather than a cipher[1].  The particular scenario that strikes
my fancy, though, is of an evildoer choosing a presumably innocuous-looking
text with a length equal to that of the secret text to be transmitted,
XOR'ing the two, and then sending the innocuous text in the clear and
getting the pad to the other end using some other mechanism[2].

Regardless of the actual mechanism involved, it is of course not only
technically feasible but in fact fairly trivially doable to get
arbitrary data (in unarbitrary form) through any but the most Procrustean
content filters.

So pragmatically it appears that the net effect of such policies is
to marginalise more or less righteous lusers while making it only
slightly more difficult for the earnest evildoers to go about their business.
That is, if your net is a content filter, you're more likely to catch
nonhostile abuse of policy (i.e., folks sending 6.02e23 lightbulb jokes
to a couple score of their closest buddies) rather than agents of
industrial espionage or whathaveyou.

Granted, the case can be made that you want to catch the folks skirting
the outer edges of your acceptable use policy, but unless there is
some largescale technical issue (i.e., if the luser's activities are
chewing up a significant hunk of your outbound bandwidth or some such),
this strikes me as a discipline issue---and if the offender is otherwise
a productive and well-integrated office droid, it looks more and
more like a nonissue.

Mind you, in many cases making this evaluation will not be the call
of the technical folks who are presumably the primary audience of this
list.  The thing to keep in mind even in such cases is what it's going
to look like if you advocate and then implement a content filtering
policy and then spend your days reporting transmissions of dirty email
or dumb jokes, perhaps resulting in disciplinary action against lusers
otherwise well-liked by their managers and cow-orkers.

It seems like the objection many folks raise to intrusion detection
systems is that most implementations strongly resemble technically
ornate fishing expeditions.  Content filtering email seems, to me
at any rate, a much worse offender in this regard.


Stephen P. Berry

- -----
1     Although the distinction can be a bit muddy around the edges.
2     If our evildoer has lots of spare time, they could be sending
      snivelly little notes to a second drop account, ostensibly
      belonging to some online SO, containing the pad in the form:

         Snuggums, every time our eyes meet my toes tingle.
         I live for it.
         
         XOXXOOOXOX
         
         Evildoer


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNctBdyrw2ePTkM9BAQEzeAP/b72VqvsSi7FUlXoyyhFnSVI+ex1N61Bp
yjCNEYJkbEOTDBsUPXA0Zhmah2m5bC3zGctKct9FE4w00ZWaingDmxJEo2izTAam
54O5C9wHcb6WQNfhHGrtaUjmfFxuOvNNqB4rNP1JQoAvr9Hi2ra8jK88HVjKjHw9
SfA3ERlrP5A=
=OfSl
-----END PGP SIGNATURE-----
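The XOR scheme described in the message above (an innocuous cover text the same length as the secret goes out in the clear, and the pad that turns it back into the secret travels by a second channel, here as the X/O string in a love note to a drop account, as in footnote 2), worked through as an added example. This code is not part of the original post; the secret, the cover text and the note wording are constructed sample data.

```python
# Added example, not from the original post: the XOR "code" scheme
# described above. A cover text the same length as the secret is sent
# in the clear through the content filter; the pad (secret XOR cover)
# travels by a second channel, here as the X/O string in a love note
# (footnote 2). Secret, cover and note text are constructed sample data.

# Constructed sample data. Both strings are exactly 23 bytes long.
SECRET = b"Q3 merger closes Friday"
COVER = b"Lunch at noon on Friday"


def derive_pad(secret: bytes, cover: bytes) -> bytes:
    """Return the pad p such that cover XOR p == secret.

    Unlike a one-time pad the pad is derived, not random: the sender
    picks the innocuous cover text first and solves for the pad.
    """
    if len(secret) != len(cover):
        raise ValueError("cover text must be exactly as long as the secret")
    return bytes(s ^ c for s, c in zip(secret, cover))


def recover_secret(cover: bytes, pad: bytes) -> bytes:
    """Recipient side: XOR the publicly sent cover with the smuggled pad."""
    if len(cover) != len(pad):
        raise ValueError("pad length does not match cover text")
    return bytes(c ^ p for c, p in zip(cover, pad))


def pad_to_xo(pad: bytes) -> str:
    """Encode each pad byte as eight letters, X for a 1 bit, O for a 0 bit, MSB first."""
    return "".join(
        "X" if (byte >> bit) & 1 else "O"
        for byte in pad
        for bit in range(7, -1, -1)
    )


def xo_to_pad(xo: str) -> bytes:
    """Inverse of pad_to_xo; characters other than X and O are ignored."""
    bits = [ch for ch in xo if ch in "XO"]
    if len(bits) % 8:
        raise ValueError("X/O string is not a whole number of bytes")
    out = bytearray()
    for k in range(0, len(bits), 8):
        byte = 0
        for ch in bits[k:k + 8]:
            byte = (byte << 1) | (ch == "X")
        out.append(byte)
    return bytes(out)


def wrap_in_note(xo: str, width: int = 40) -> str:
    """Embed the X/O string in the kind of note footnote 2 describes."""
    rows = [xo[i:i + width] for i in range(0, len(xo), width)]
    return (
        "Snuggums, every time our eyes meet my toes tingle.\n"
        "I live for it.\n\n" + "\n".join(rows) + "\n\nEvildoer\n"
    )


def extract_xo(note: str) -> str:
    """Pull the pad back out: only lines made solely of X and O count."""
    return "".join(
        line.strip()
        for line in note.splitlines()
        if line.strip() and set(line.strip()) <= {"X", "O"}
    )


def is_plain_english_looking(data: bytes) -> bool:
    """What a 'cleartext English only' filter can check: printable ASCII.

    The cover text passes this trivially; the filter never sees the secret.
    """
    return all(32 <= b < 127 for b in data)


def run_exchange(secret: bytes = SECRET, cover: bytes = COVER) -> bytes:
    """Sender derives the pad and sends two messages; recipient rebuilds the secret."""
    pad = derive_pad(secret, cover)
    outbound_mail = cover                              # channel 1: through the content filter
    drop_account_note = wrap_in_note(pad_to_xo(pad))  # channel 2: the "online SO" account
    assert is_plain_english_looking(outbound_mail)
    return recover_secret(outbound_mail, xo_to_pad(extract_xo(drop_account_note)))


if __name__ == "__main__":
    print(run_exchange().decode())
```

The point the example makes concrete is the one the post argues: the only message that passes through the filter is `COVER`, which is ordinary English by construction, so no amount of content inspection on that channel reveals `SECRET`; the filter would have to correlate it with traffic on an unrelated channel (the drop account), which is exactly the traffic-analysis problem the thread title asks about.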
