Security Through Obscurity - Spam Mimic

ragnar! writes "Ingenious. Not just strewing spam-speak between the words of your message, actually does some kind of character/word -> phrase conversion. Interesting concept - check out Spam Mimic." I tested it out - looks pretty darn cool.

Wonderful

[rcp]

Can everybody please post examples for how their short message was ballooned into wordy spam? I just got a new mouse with a scroll wheel and I'd like to try it out.

Oh, you've done that already. Thanks.

Used real spam in the decoder

[Stavr0]

I copy-pasted a spam from my inbox into this thingy and it decoded to this:

I am a scam artist trying to defraud you of your hard-earned money.
---

Re:No Secret Messages So Far

[British]

You just came up with an amazing idea. Disguise your emails as Jon Katz rants. That way, nobody would WANT to read your intercepted email.

good start, but need more.

[mjh]

The problem that I see with this is that it's too easy to intercept in an automated fashion. It doesn't take any secret or anything to be able to determine whether or not the data is there. You simply decode it and you get the hidden message. In fact, if you give it something that isn't an encoded message, it will tell you that it can't decode it. This makes it trivially easy for the carnivore's (et al) to automatically detect this type of obfuscation. They simply have to add a step to their spam filtering code to try deobfuscating before deleting.

The real value would be if this thing would take any garbage and translate it into something - of about equivalant length garbage. Thus it could be coupled with an encryption format that looked like garbage, to effectively obfuscate your communication.

PGP/GPG does not do a good job as the encryption format. It's got these nice, easy to read, headers that show you that it's a GPG encrypted message. What you need is something that will take in what looks for all the world like garbage and spit out the clear text if you got the right key.

This is a great first step, tho.

MAKE BIG $$$ IN YOUR SPARE TIME!!!

[Golias]

Since most real spam originates from some ".backwater" national domain, and spoofs the recipient's ID into the From: field, it seems to me that the fake spam would be fairly easy to spot.

If it looks like spam, but comes from a major ISP, and is delivered to only one person, it is a fairly good guess that it is really a coded message.

The only way to avoid your message being parsed out from somebody who is really looking for it would be to actually spam a few thousand people though the usual spam channels... which means we can all expect lots more messages advertizing pyramid schemes and satelite TV systems in the near future, just so Bin Laden can chat with his pen-pals.

That's just swell.

Get Your Own Source Code Here

[peterwayner]

As usual, I want to let everyone know that the source code for the mimic functions is available if you just ask. Send me some email. You can get it in C, Pascal or Java flavor. Each of these versions reads the same generic grammar file. So you can create your own grammar for encoding messages. I've written one that uses the voice over to a baseball game. The folks at SpamMimic wrote their own using Spam as an inspiration. I would love to see some more. Incidentally, writing and modifying the grammars is one way to "key" the output. Only someone with the right grammar can decode a message. Another way is to use a number of mechanisms to scramble the grammar for each message. These are all explained in Disappearing Cryptography . Please write with questions and comments. -Peter p3@wayner.org