VoIP Numbers Stations were Social Experiment

IO ERROR writes "The mysterious phone number stations appearing on Craigslist for the last three months, which resembled their shortwave radio cousins, and which Slashdot reported on in June, were an experiment devised by security researcher Strom Carlson and a group of Los Angeles hackers to determine if encrypted messages could be passed using unwitting third parties to foil traffic analysis by hostile intelligence agencies. Carlson and the hackers presented their findings at DEFCON earlier today and gave away CDs with "Make your own Mein Fraulein station" kits and posted one final number station for people to try to decrypt."

Another matter

[Anonymous Coward]

Okay, and who's behind HELLO WORLD [wikipedia.org]? It's been running in stops and starts since April 2005.

Re:Another matter

[razvedchik]

It reminds me of Enigma ciphers where they repeat the initial settins twice at the beginning of the message. They are encrypted, but because they are given twice, it becomes easier to attack the crypto system.

http://en.wikipedia.org/wiki/Cryptanalysis_of_the_ Enigma [wikipedia.org]

And at one time, I was trained to transcribe 5-digit numbers from another language. That was a different time and place, though.

Interesting stuff.

One Time Pads

[tradecraft1]

You just have to love the simplicity. There were so many amatateur cryptananlysts thowring all sorts of methods at these messages. A sound implementation of a OTP is a formidable foe. --Chris

Stenography Encryption

[QuantumFTL]

I think we're moving to a society where just being suspected of a crime will be so bad (in terms of government harassment like no-fly lists, wiretapping, etc) that the most important thing will not be to make sure that the government can't read what you communicate, but rather have no reason to suspect you're doing anything they don't like. With current advances in data mining, it's going to be an arms race - the stenographers against the miners. I for one am fascinated by both technologies, and frankly rather terrified of how they each may be used. It was be interesting to see, but one thing is for sure - encryption will no longer be enough.

Re:Stenography Encryption

[hcob$]

Of course, if you are visible as a "citizen" through credit card purchases, debit cards, atms, banks, etc. and all your other traffic is encrypted... It might make a case for a visual tail to be attached to you. Warrants are only required for searches... not observations in public areas.

Re:One Time Pads

[tradecraft1]

I was referring to the crypto-system behind OTP, not the implementatio per se. --Chris

Re:One Time Pads

[QuantumFTL]

Oh, I don't disagree with you at all... In fact if I ever try to do something like this, you better believe I'll be using OTP. I just worry that some people perceive this to be a "magic bullet," which it most definitely is not. In another post [slashdot.org] that even attracting attention with encrypted messages (especially those the government cannot break) could soon be an unacceptable risk for many people, and unfortunately OTP can't help with that.

Re:One Time Pads

[X0563511]

Better method:

1. Encrypt data with OTP.
2. Hide this encrypted data in some false information (stenography)
3. Encrypt the result with something that can be broken (but not too easily)

This way, even if they managed to extract the original data from the stenography, they would just get what looks like random junk. It would actually be quite hard to even realize what you have extracted was real (rather than an error)

Re:One Time Pads

[X0563511]

Oops, forgot to specify:
The data you hide the OTPed data in, does not have to be text. You could use an audio file (notch out a frequency on the edge of the sample range, and then use very small amplitudes to put the data in) or an image, or even a video. You could even put this data out on P2P (encrypted data in porn? who would bother to look?) and simply email an ED2K link or something to the intended recipient. Hmm, porn-link swapping; fairly benign behavior.

Re:What was the point again?

[Dachannien]

A post containing the actual encoded message might get deleted from Craigslist due to its content (or lack thereof). A cleverly disguised reference to a phone number where the message can be retrieved fits in with the natural flora of Craigslist.

It's like doing the same thing on a restroom stall. "For a good time, call 202-555-3988" will probably get passed over as graffiti, but a large block of cryptic-looking numbers looks unusual enough to attract attention.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Stenography Encryption

[Kadin2048]

All very true. Which makes it more important -- if you're up to some sort of "no good" (where 'no good' is defined by the people with the most guns in the vicinity) -- that you maintain a passable facade of normalcy, at least as far as the government/credit bureau databases are concerned.

If you're the only person on your block using encrypted email, and using it for all of your email, you're an obvious red flag for some form of side-channel attack (i.e. they just sneak into your house when you're away and bug your keyboard). So if you did want to use encrypted communications, not only would you have to hide said communications in other things, but you'd also have to maintain the regular volume of unencrypted traffic from your email accounts so as not to arouse suspicion.

Email use is a trivial example, but it extends to anything else that can be tracked. The exact same thing goes for purchasing patterns: if you're spending large wads of dough (in cash) buying things that the government doesn't want you to have (*cough*recreational drugs*cough*), then you had better make sure that the rest of your purchasing habits aren't affected, so that nobody can find out how much money you're diverting into your illicit hobbies, just by looking at the difference between your income and your creditcards+savings+retirement accounts.

I, too, see this as becoming a cat and mouse game; as the authorities become better and better about mining information, people are going to start to become more clever and more aware about not only limiting the information they give out, but about putting out patently false information in order to create a semblance of "Joe America" when in reality they could be the Shah of Iran.

Puzzles = High entropy

[Kadin2048]

Actually a while back I was talking to someone who was writing a little steganographic program (not sure if he ever completed it) that was designed to make "word find" puzzles out of encrypted or encoded text. So the result would be a block of letters that you could print up as a trivial word-find puzzle, the ones where you look for the words printed vertically, horizontally, diagonally, etc., but then if you actually analyzed the letters (I think he was using some sort of trivial cipher that could be broken via distribution analysis) it contained a message.

I thought that was pretty neat; "puzzles within puzzles" and all that. When you think about places where you can hide messages though, there are lots of opportunities when you have puzzles, because people expect a certain amount of randomness there. In a newspaper, there aren't a whole lot of other places where you can just have a whole block of random letters and not arouse suspicion; if you find someplace where there is already expected to be high entropy, then you can sneak in your encoded material much more easily.

Sudoku puzzles and crosswords could also be good candidates, but there are even ways you could probably work them into more subtle things if you had a predetermined scheme for encoding the message. I'm sure you could probably work the chess puzzles if you knew what you were doing.

Re:What I want to know is...

[sdeath]

I'm frankly surprised that nobody has mentioned the #1 noise source and probable steganographic message carrier out there: spam. It's ubiquitous, customarily comes with a shitload of SEEMINGLY random strings whose purpose is ostensibly to confuse hash-based and keyword filtering (but which could contain God-knows-what), is easy to do, and doesn't raise any eyebrows. What do most people do with spam? Throw it in the trashcan, of course, they can't hardly get rid of it fast enough. You can scatter it across millions of email address, camouflaging the one you're really sending it to. And only for those with the secret decoder ring would the funny strings have any meaning...

Re:Traffic Analysis

[Incadenza]

Exchanging data in the way mentioned above is a way that an interested third party is unable to work out who's sending, and who is receiving the message - if lots of people can receive it then it becomes harder to tell out of those who can receive it, who is able to read it, or make anything of it

But you have to make sure that your receiving mode is exactly the same as Joe Average's. A Dutch extertionist once used a classified ads site (the biggest list of second hand cars in the Netherlands) to have his funds transferred to him, by having bank account details embedded in the picture of one of the cars (with steganography). Sounds perfect.
However, the guy accessed the page through an American anonymiser (surfola.com) instead of through a normal Dutch ISP (as all the other page viewers did). Dutch police contacted the FBI, FBI contacted surfola, surfola gave FBI the guy's CC details, Dutch police arrested the guy. Ten years jail sentence for being too paranoid.