Firewall Wizards mailing list archives
Re: What about Traffic Analysis?
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Fri, 07 Aug 1998 11:17:21 -0700
Ryan Russell <ryanr () sybase com> wrote:

> Bruce generally knows what he's talking about. I suppose the solution to that is to make sure you're known for sending out pictures of animals for years before you send the special giraffe picture, aka hiding in the crowd. This doesn't help if your mail admin only allows out cleartext English or some such, though.

...in which case a dedicated evildoer need only transmit using a code rather than a cipher[1]. The particular scenario that strikes my fancy, though, is of evildoer choosing a presumably innocuous-looking text with a length equal to that of the secret text to be transmitted, XOR'ing the two, and then sending the innocuous text in the clear and getting the pad to the other end using some other mechanism[2].

Regardless of the actual mechanism involved, it is of course not only technically feasible but in fact fairly trivially doable to get arbitrary data (in unarbitrary form) through any but the most Procrustean content filters. So pragmatically it appears that the net effect of such policies is to marginalise more or less righteous lusers while making it only slightly more difficult for the earnest evildoers to go about their business.

That is, if your net is a content filter, you're more likely to catch nonhostile abuse of policy (i.e., folks sending 6.02e23 lightbulb jokes to a couple score of their closest buddies) rather than agents of industrial espionage or whathaveyou. Granted, the case can be made that you want to catch the folks skirting the outer edges of your acceptable use policy, but unless there is some largescale technical issue (i.e., if the luser's activities are chewing up a significant hunk of your outbound bandwidth or some such), this strikes me as a discipline issue---and if the offender is otherwise a productive and well-integrated office droid, it looks more and more like a nonissue.

Mind you, in many cases making this evaluation will not be the call of the technical folks who are presumably the primary audience of this list. The thing to keep in mind even in such cases is what it's going to look like if you advocate and then implement a content filtering policy and then spend your days reporting transmissions of dirty email or dumb jokes, perhaps resulting in disciplinary action against lusers otherwise well-liked by their managers and cow-orkers.

It seems like the objection many folks raise to intrusion detection systems is that most implementations strongly resemble technically ornate fishing expeditions. Content filtering email seems, to me at any rate, a much worse offender in this regard.

Stephen P. Berry

-----
[1] Although the distinction can be a bit muddy around the edges.

[2] If our evildoer has lots of spare time, they could be sending snivelly little notes to a second drop account, ostensibly belonging to some online SO, containing the pad in the form:

    Snuggums, every time our eyes meet my toes tingle. I live for it.
    XOXXOOOXOX
    Evildoer
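The XOR scheme described in the message above, seen from the filter's side, as an added example that is not part of the original post. The `cleartext_filter` policy, its 0.95 threshold and the sample texts are assumptions constructed for illustration.

```python
import string

# Toy "cleartext English only" policy (an assumption, not from the post):
# a message passes when nearly all bytes are letters, digits, punctuation or spaces.
ALLOWED = frozenset(
    (string.ascii_letters + string.digits + string.punctuation + " ").encode()
)

def cleartext_filter(msg: bytes, min_ratio: float = 0.95) -> bool:
    if not msg:
        return True
    return sum(b in ALLOWED for b in msg) / len(msg) >= min_ratio

def derive_pad(cover: bytes, secret: bytes) -> bytes:
    """pad = cover XOR secret; the scheme needs texts of equal length."""
    if len(cover) != len(secret):
        raise ValueError("cover and secret must be the same length")
    return bytes(c ^ s for c, s in zip(cover, secret))

def recover(cover: bytes, pad: bytes) -> bytes:
    """Receiver side: cover XOR pad gives back the secret."""
    return bytes(c ^ p for c, p in zip(cover, pad))

def filter_view(cover: bytes, secret: bytes) -> dict:
    """What the filter sees on each channel for one cover/secret pair."""
    pad = derive_pad(cover, secret)
    return {
        "wire_message": cover,                    # monitored mail channel
        "wire_passes": cleartext_filter(cover),
        "raw_pad_passes": cleartext_filter(pad),  # second channel, unencoded
        "recovered": recover(cover, pad),
    }

# Constructed sample data.
COVER = b"Lunch on Friday at noon works for me."
SECRET_A = b"Q3 bid price is 4.2M".ljust(len(COVER))
SECRET_B = b"nothing to see here".ljust(len(COVER))

if __name__ == "__main__":
    a, b = filter_view(COVER, SECRET_A), filter_view(COVER, SECRET_B)
    # The monitored message is byte-identical whatever the secret is, so no
    # verdict on that channel can depend on the secret.
    print(a["wire_message"] == b["wire_message"], a["wire_passes"], a["raw_pad_passes"])
```

All of the secret-dependent information sits in the pad, so any detection has to happen on the second channel; a raw pad fails even this toy policy, which is why footnote 2 has it re-encoded as innocuous-looking text.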