Slashdot Mirror
Security Through Obscurity - Spam Mimic
ragnar! writes "Ingenious. Not just strewing spam-speak between the words of your message, actually does some kind of character/word -> phrase conversion.
Interesting concept - check out Spam Mimic." I tested it out - looks pretty darn cool.
security though obscurity Does Not McGurk!!!
Not true - presumably they have multiple boxes on multiple networks that can coordiante and see if more than one of the message was received. In fact, this is most likely the way they do spam detection, not by looking at phrasing.
-Alison
Now, we have SPAMGANOGRAPHY to hide the meaning of life from Echelon....
--
I think you'll find that with 70s technology, it would be pretty much impossible to analyze natural speech well enough to pick up certain words from a conversation. Whatever Echelon is, it's not an automatic eavesdropping machine.
Can everybody please post examples for how their short message was ballooned into wordy spam? I just got a new mouse with a scroll wheel and I'd like to try it out.
Oh, you've done that already. Thanks.
...and I got:
I really like this direct marketing thing. I failed in life as a salesperson, but I belive everyone loves my ideas so they will buy my crappy ideas if I send this stuff out in volume. Come on, send me the cash. I am broke because I invested in all these pyramid schemes that I thought would work, and that penis enlargement? It did not help. Hell when I signed up for those XXX sites all they gave me was a link to goats.cx. Come on buy my crap and help out a poor spammer!
Try to hack my 31337 firewall!
Actually, SPAMming coded messages to thousands of people has the benefit of obscuring which one of them is the intended recipient. Analyzing where the data goes and when is an important part of breaking codes, as anyone who's read Cryptonomicon (and who here hasn't?) should know. So encoding messages in junk mail and sending them to thousands of people is an excellent scheme for getting secrets to the people who need them. You can even send a copy to the head of the CIA directly, and he or she will probably throw it out :-)
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
--
This is a good method of steganography, but if it pretends to be good encryption by itself, that's bull.
What would really work well is a random spam generator that takes any random stream of bytes as input. Then you do the following:
Plaintext -> PGP/GPG -> cyphertext ->SpamMimic -> cyphertext which looks like spam
Then, it would be secure and would not attract attention. There are some interesting pitfalls tho:
o It could be deleted by a computer rejecting spam based on a text signature
o Your friend would have to know ahead of time to expect your message or he'd delete it. Of course, then he could no longer ignore any of his spam. If he automates the process, this could be avoided because normal spam would not decrypt to anything and the checksum would fail and it would be tossed automatically.
o Somebody could invoke an anti spam law to sue your ass when you were simply sending them a message. Then, you'd have to prove it wasn't spam.
Vidi, Vici, Veni
The codec was (re)designed so that most actual spam would decode into a message, even if it was gibberish? Would certainly improve the steganography aspect, I think.LI>
The codec was (re)designed so as to be irreducibly computationally expensive to decode messages, thus making scanning difficult, but on a modern machine decoding
Admittedly I'm not an expert on spamming methods, but it seems to me like most spam appears to be addressed to one recipient anyway, so I don't think the 'one recipient therefore fake spam' correlation holds, as some have suggested.
Honestly, if these ideas were to be implemented (well, the first two, anyway), I don't think they would need to open source the program. That is, one could just as easily be made up with those goals in mind, since a complete rewrite would be necessary anyway.
To me, this seems like a potential way to produce 'ubiquitous encryption.' If the codec was remade so that it was computationally expensive and regular spam decodes without errors, then it would dramatically improve the percentage of encrypted mail.
Or, better yet, since regular spam would decrypt to 'gibberish,' why not have the decrypted output be code for use with an actual cypher? Suddenly I imagine a PGP->Spam encoder and decoder...imagine, every spam message is potentially a PGP message! That'd really mess up carnivore/echelon. It'll probably never happen, though. But the possibility is certainly tantalizing...
This idea is essentially stenography.
They're taking your email, and encoding it to look like spam. Hence, evesdroppers will filter it out as junk instead of examining it. (Or evesdroppers will be forced to pay attention to spam.)
This is very similar to stenography--hiding information in a way that you can't prove that it's there unless you already know how to decrypt it.
Even if spammimic only gets 2 hits a day; the fact that it's here might force the snoops to process terabytes of spam -- making them spend a
little less time on other mails.
Unless, of course, they can convince the general public that now, not only is spam annoying, it's actually a threat to national security -- nay, an open INVITATION to have a middle eastern terrorist bomb the public library in your home town. This could be the end of legal spam!
And if it's not, then we get cool steganography! Either way, we win!
('course, if they can get the public to buy that, they can get the public to buy pretty much anything, and we might be in big trouble.)
--
Tweet, tweet.
Ahh, if only you could mirror CGIs more easily :)
This is a neat idea. But I would bet that one could come up with a statistical model to detect such an encoded message. A human can easily detect that this is not "typical" spam, so with a little work an algorithm could too.
But the trouble with such a system is that you have to build a brand new set of rules to have any sort of security. You can't just generate a new set of keys, you have to build a new grammar and phrasebook for the spam text.
Of course, it also runs the risk of your friend discarding the email because he runs a smart spam filter, too. (BTW, John - YHM).
--
--
E_NOSIG
The biggest problem I have seen with this is that you must use a website to encode/decode the message. Hey, this is no big deal. Anyone can write a program. The best option though would be to actually encrypt the message with your typical encryption scheme, then use a filter to convert the encrypted text into spam or whatever medium you like. The first stage will protect the message. The second stage will conceal the encryption. If the actual filtering process was key based, then only the reciever would be able to determine if the spam was actually spam or concealing another message.
-Restil
Play with my webcams and lights here
Think about it. PGP just turns a message into "gibberish"; a spamified PGP would turn it into (admittedly rather long) halfway intelligible spam messages, only decodable by the recipient.
Now THAT would be cool...
cya
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
That depends on what you mean by "admits". If you look through the Received: headers, specifically the last non-forged one, it's extremely frequent to find the uu.net IP addrs. For example:
Return-Path: <jcrand1975@implus.at>
Delivered-To: no@spam.com
Received: from ntserver.kvadro.ee (mail.kvadro.ee [213.168.23.75]) by shackman.divisionbyzero.com (Postfix) with SMTP id CEAABB9F48 for ; Sat, 18 Nov 2000 12:12:34 -0800 (PST)
Received: from bungee5 (unverified [63.24.141.248]) by ntserver.kvadro.ee (EMWAC SMTPRS 0.83) with SMTP id ; Sat, 18 Nov 2000 21:25:45 +0200
Date: Sat, 18 Nov 2000 21:25:45 +0200
To: jcrand1975@implus.at
From: jcrand1975@implus.at
Comments: Authenticated sender is <jcrand1975@implus.at>
Reply-To: jcrand1975@implus.at
Subject: New - 15-Million Fresh E-Mail Addresses
Message-Id:
You'll notice the last Received: header points to a 63.* addr. Hello uu.net.
By "major isp's", I was referring to ISP's that serve a lot of private cutomers... AOL, Juno, Qwest, MSN, etc. etc. not spine providers and business-centered ISP's like uu.net and mr.net
Plenty of spam can be traced back to AOL dialup IP addrs, and uu.net owns many of the IP addrs that small ISPs use.
This is not to mention the proliferation of non IP logging relaying SMTP servers from major ISPs, most notably @home. Or all the people running relaying sendmail on their redhat boxen.
Huh. Most of my spam comes from uu.net.
and spoofs the recipient's ID into the From: field,
What's to stop this software from doing the same?
it seems to me that the fake spam would be fairly easy to spot.
It would look just like real spam unless you specifically checked for the type of mangling done by this program (assuming it does leave some kind of fingerprint).
If it looks like spam, but comes from a major ISP, and is delivered to only one person, it is a fairly good guess that it is really a coded message.
No, it's not a good guess. Major ISPs (especially uu.net) send out massive amounts of spam. As for delivered to only one person, most spam forges the To: header, so there isn't any clue in the email itself as to how many people are receiving it. Unless the sniffing system kept a queryable database across all it's nodes, it wouldn't be able to detect the multiple connections from the originating mailserver to it's target mailservers.
Even if there was such a database, the whole point was to make carnivore/echelon apply more logic than just "basic" spam detection. If you make the FBI/NSA have a queryable database of all active tcp connections on the entire internet at all times, then you're achieved your goal.
I'll bet Slashdot offers an even better substrate than spam. Carefully chosen variants of comments about how MS/Microsoft/Microsloth sucks/sux/blows/bites could easily be used to encode a message. Ditto for other "hot words" such as Linux, BSD, JonKatz, Natalie Portman, goatsex, etc. With a little creativity we could probably get something like Spam Mimic working, but with a much more favorable compression ratio. What's even better is that you don't even have to use your own storage. Just post the encoded version to Slashdot and your friend can pick it up any time, while it remains totally indistinguishable from all the other random garbage people (including me) post here.
Slashdot - News for Herds. Stuff that Splatters.
We have an amazing opportunity waiting for you. Because your server has been slashdotted,
we have a special offer just for you at FBNHOSTING.COM. FlyByNite hosting guarantees
uninterrupted web hosting with no possibility of DOS/DDOS/SlashDotting attacks.
Act now! This offer is time limited. Already, your precious users are turning away and surfing
on to your competitor.
W.E. Zell, manager
FBNHOSTING
---
I am a scam artist trying to defraud you of your hard-earned money.
---
THAT would be cool. I'd almost overlook the whole big brother thing if they did that :)
Rader
that will propose that all Slashdot headlines make some semblance of sense without having to read the external site to see what its talking about.
This reminds me of how Simon Templar talked to his clients in The Saint.
You just came up with an amazing idea. Disguise your emails as Jon Katz rants. That way, nobody would WANT to read your intercepted email.
The problem that I see with this is that it's too easy to intercept in an automated fashion. It doesn't take any secret or anything to be able to determine whether or not the data is there. You simply decode it and you get the hidden message. In fact, if you give it something that isn't an encoded message, it will tell you that it can't decode it. This makes it trivially easy for the carnivore's (et al) to automatically detect this type of obfuscation. They simply have to add a step to their spam filtering code to try deobfuscating before deleting.
The real value would be if this thing would take any garbage and translate it into something - of about equivalant length garbage. Thus it could be coupled with an encryption format that looked like garbage, to effectively obfuscate your communication.
PGP/GPG does not do a good job as the encryption format. It's got these nice, easy to read, headers that show you that it's a GPG encrypted message. What you need is something that will take in what looks for all the world like garbage and spit out the clear text if you got the right key.
This is a great first step, tho.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
I thought that Steganography was the art of being a dinosaur with big heat-dissipating plates and a spiked tail.
- Mike
Funny, you'd mention AOL in a context of "major ISP who doesn't send spam"...
Say no to software patents.
(Well not in the implementation listed in this story, but this implementation sucks anyways: who says the site is not run by the NSA? And it doesn't even use https for its encode/decode pages, making it actually easyer to snoop cleartext of any message shrouded this way!)
Say no to software patents.
And, did you use up-to-date maps?
Say no to software patents.
This reminds me of a method to foul up wiretapping in the 1970's, when anyone who ever said the phrase "Peace, Love, etc" had their phone tapped.
Person A, who is being tapped, calls person B, also being tapped. Then person A puts the phone next to a radio with music that would not appeal to the average FBI agent, or a tape loop containing a pro love, anti war message. Then both go away for a weekend, a week etc.
Pity the poor SOB who has to monitor all the tape recorded during that time.
This also assumed that you had a flat rate phone service.
Actually spam people with the message! Encrypt something, than encrypt it again into spam. Send it out to 200,000 email addresses combed from usenet posts, and the real recipient in the mess, and the governments will never be able to find the real recipient.
Or cause them to monitor all traffic to this site and others like it.
This is a manual virus. Copy it to your sig and help me spread!
Come in handy for terrorists. Set up a spam service in libya and not only direct your operatives, you could piss off many americans (And make a few bucks off a few more) in the process.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
A fun form of security is good and all, but they actually have higher aims than that. They want to keep Big Brother busy by forcing him to read spam that might contain whatever naughtiness they're supposed to be watching for.
Their site continues, linking to: Jam Echelon Day and Jam Echelon Day descends into spam farce
Who moderates the meta-moderators?
No, it's pretty much established fact that they Carnivore and Echelon exist for exactly this purpose. How effective they are is questionable. I don't think that's lunatic fringe in any way.
So what you are telling me is that I now can no longer just delete Spam on site? I now have to run it through this SpamMimic to make sure I'm not missing a top-secret message?
ARRRRRRRRRRGGGGGGGH!
- JoeShmoe
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Come on, I can't be the only one here who bothered to follow the link and actually read the damn thing.
-Legion
However, since you have to use the same website to send and recieve the message, it would be much eaisier to generates a random spam, and use the hash of that message to store your real text in a database (a dictionary or map) then when you come back with your e-mail to "decrypt" it could rehash the text and retrieve the message you typed in.
My .02 cents
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
But really folks...what's wrong with PGP?
--
Wooden armaments to battle your imaginary foes!
Which creates a market opportunity: offshore servers that automatically convert ESMTP input into fake spam. Except that to avoid attracting attention, they'd have to rely on open relays, just like real spamsters. And they'd probably also need to generate some real spam themselves....
__________________
If that's true, this is not a very secure form of encryption. Codebreaking is usually based on searching for the patterns introduced into messages by the linguistic habits of the correspondents. If the encryption key is itself a linguistic pattern, the codebreaker's job is just that much easier. The message is secure only as long as the codebreaker doesn't know which messages are encrypted -- and traffic analysis will tell him that.
__________________
A couple of years ago, the New York Times' Cybertimes section had a similar encoder/decoder. In their case, it encoded to a description of a phoney baseball game. If one's going to really encode and send a message, the phoney spam approach seems much more likely to survive scrutiny than several pages of nonsensical baseball coverage. Very cool.
Try parsing the meaning of what I was saying, instead of making knee-jerk reactions.
Information wants to be anthropomorphized.
If it looks like spam, but comes from a major ISP, and is delivered to only one person, it is a fairly good guess that it is really a coded message.
The only way to avoid your message being parsed out from somebody who is really looking for it would be to actually spam a few thousand people though the usual spam channels... which means we can all expect lots more messages advertizing pyramid schemes and satelite TV systems in the near future, just so Bin Laden can chat with his pen-pals.
That's just swell.
Information wants to be anthropomorphized.
I would probably continue using PGP (or don't send stuff through email at all you wouldn't want to be known by others).
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
This is only cool until someone builds the encoder/decoder into an email app that gains popularity.
Then the Spooks this attempts to confound will build its' functionality into their DCS1000's and Echelon apps, putting us right back where we started, except that the spooks will be using a little more processing power and wait a split second longer to see our mail.
This is a nice toy, but not a long term security measure. That's the problem with obscurity- if it has functionality, it can gain popularity. If it gains popularity, the obscurity quickly fades away, rendering it useless.
A host is a host from coast to coast, but no one uses a host that's close
When you get a message encoded with Spam Mimic, you'll assume it's spam and delete it. Great idea though.
It's brilliant! With a little refinement to the CGI form (ie., reading decoded text in the Encoding box is inconvenient at best), it's good enough to be a commercial service, IMHO.
The other problem is that when Carnivore et al. start to see spam coming from legitimate, otherwise in use e-mail addresses, then they can start sniffing.
I'm sure the algorithm is fairly simple. Maybe ROT13 letters placed as the first character of every third word or something like that. It's terrifyingly effective, too.
Fire and Meat. Yummy.
So they've come up with a couple stupid "spammy" sounding messages. They're adding a few random numbers to it, making an MD5 hash out of it, storing that in a database, along with the message you originally entered. Then when you decode it, they're just getting the hash ( or whatever they're using) and do a lookup in the database to retrieve your original message.
Since when is 3rd-party storage ingenious technology.
Just what the world needs,
Now when we see "Enlarge Your Penis Now" posts on Usenet we won't be fooled - we all know it's anonymous terrorist communications.
--nick
ALL THESE WORLDS ARE YOURS EXCEPT EROS. ATTEMPT NO LANDINGS THERE. USE THEM TOGETHER, USE THEM IN PEACE.
Maybe SETI has been approaching this all wrong?
Reading the explanation on their site, there seems to be an awful lot of suppositions:
It's widely believed that Western governments read (and decrypt) a great deal of Internet mail through systems called Echelon, Carnivore and others. Presumably they have filters which discard spam. Possibly, due to the existence of this little website, they can no longer ignore spam. Even if spammimic only gets 2 hits a day; the fact that it's here might force the snoops to process terabytes of spam -- making them spend a little less time on other mails.
I've been cutting-and-pasting the contents of my "SPAM" mail folder into the "decode" page, but haven't gotten anything intelligible yet, except this:
Don't hurt Jon Katz.
I'm not really sure what that means. Will report back if I find further information.
Your mom loves it when I send her stuff like that. You'd better not be trying to move in on my action.
Cunning linguists
The future is looking bright.
Burn Hollywood Burn
The only problem is when you get your email address blacklisted by ORBS for being a spammer... "dude, it's encrypted"
As if we couldn't guess...
Your spam message Dear Friend , Your email address has bee... decodes to:
First Post
Well, kind of a joke, anyway. I really don't think this thing will see wide use, for a variety of reasons, not least of which is that it provides no real security, and requires the user to give them the plaintext of every message.
OK,
- B
--
http://www.bradheintz.com/
- updated
WORK AT HOME! FREE RED HOT AMATEUR PUSSY! LOSE 50 LBS IN 10 MINUTES! FREE WEB HOSTING! ACNE CURE! HOT STOCK TIPS! EXTREME FISTING HOUSEWIVES! MAKE MONEY FAST! BISEXUAL COED BITCHES! ACHEIVE (sic) FINANCIAL INDEPENDENCE!
OK,
- B
--
http://www.bradheintz.com/
- updated
Regardless, I think you've hit on the point - it's not so much the hiding of information, but more like a denial of service attack, raising the resource threshold for effective large-scale eavesdropping. If they have to watch everything, including the spam, it gets that much harder.
OK,
- B
--
http://www.bradheintz.com/
- updated
As usual, I want to let everyone know that the source code for the mimic functions is available if you just ask. Send me some email. You can get it in C, Pascal or Java flavor. Each of these versions reads the same generic grammar file. So you can create your own grammar for encoding messages. I've written one that uses the voice over to a baseball game. The folks at SpamMimic wrote their own using Spam as an inspiration. I would love to see some more. Incidentally, writing and modifying the grammars is one way to "key" the output. Only someone with the right grammar can decode a message. Another way is to use a number of mechanisms to scramble the grammar for each message. These are all explained in Disappearing Cryptography . Please write with questions and comments. -Peter p3@wayner.org
The spies could just as easily closely watch the spammimic site and intercept all incoming messages and outgoing encodes. The ip can be traced to the sender, and the outgoing encodes could be cross-refererenced against intercepted emails to figure out who the sendee. The website isn't even secure. Since people have to go through this website, that's the weak point in the whole scheme.
A believable stand-alone spammimic encrypter, coupled with a PGP-type encryption scheme, would be the most effective. A PGP encrypted message looks like gibberish (making it easily detected), but could then be SMed into fake spam. If a spy intercepted the message and de-SMed it he would be left with unintelligible encrypted gibberish. More importantly, if a spy tried to de-SM a real spam he would also get unintelligible gibberish. Thus he would have to somehow figure out whether a message was an SMed encryption or not, and even if successful he couldn't decode it.
Therefore spammimic needs to make their encodes indistinguishable from real spam email to prevent detection. The decoding algorithm should also produce an output for any input (no error messages), and the output for real spams should be indistinguishable from PGPed messages (both look like gibberish, but only one can be decrypted, and only if you have the proper key). The SMed messages also need to be able to accomodate longer messages, and you should be able to use the encrypter on your own machine for privacy.
Of course, smart spies know most people don't send each other spam, so they could still pick people out that way. There ought to be a "Long-inane-rambling" or "shallow political discussion" mimic ^_^
cryptochrome
---If you can't trust a nerd, who can you trust?
In their feedback they explain that spammimic isn't super secure because your foe might just take your message and paste it to spammimic's decode box.
Well, duh.
The FBI/CIA/NSA/NRO/HUD can just filter spam into a spammimic pipe and use spammimic's own cpu to circumvent spammimic's value.
Imagine how useful it will be when a terabyte a minute is being pumped into the decode box. Then they get free help spying on your messages and a DoS against spammimic.
You could overcome this by changing the selector pads but then you'd have to have sender and receiver sync on the pad in use, which would have to be sent by some other encryption or channel, which brings back the original problem of not having a super-convenient shrouding method.
--Blair
"This is not a crypto for money transaction."
When you get a message encoded with Spam Mimic, you'll assume it's spam and delete it. Great idea though.
I tried to send her some email encrypted with this and look what it sent her. -Hi sexy, looking for a good time? I am just one of many available hot males and females seeking fun and enjoyment on the net. The link at the bottom of this email will take you to my own virtual pleasure house.- I don't think she'll ever look at me the same way again.
-I fear the easter bunny.