Re: Forensics on PDAs, notes from the field (your teenage son's homemade porn)

2004-08-13 Thread Major Variola (ret)
At 10:07 PM 8/13/04 +0200, Thomas Shaddack wrote:
>On Fri, 13 Aug 2004, Tyler Durden wrote:
>
>> And it seems to me to be a difficult task getting ahold of enough photos
>> that would be believably worth encrypting.
>
>Homemade porn?

Your 16 year old son's homemade porn. [google on Heidl & rape;

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
>On Fri, 13 Aug 2004, Thomas Shaddack wrote:
>> In the world of industrial espionage and divorce lawyers, the FedZ aren't
>> the only threat model.

At 03:06 PM 8/13/04 -0400, Sunder wrote:
>Right, in which case GPG (or any other decent crypto system) is just fine,
>or you wouldn't be looking for s

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
At 02:11 PM 8/13/04 -0400, Sunder wrote:
>If you're suspected of something really big, or you're middle eastern,
>then you need to worry about PDA forensics. Otherwise, you're just
>another geek with a case of megalomania thinking you're important enough
>for the FedZ to give a shit about you.

Pe

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Major Variola (ret)
At 01:46 PM 8/13/04 -0400, John Kelsey wrote:
>>From: "Major Variola (ret)" <[EMAIL PROTECTED]>
>>Obvious lesson: Steganography tool authors, your programs
>>should use the worm/HIV trick of changing their signatures
>>with every invocation. Much harder for the forensic
>>fedz to recognize your to

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Thomas Shaddack
On Fri, 13 Aug 2004, Tyler Durden wrote:
> And it seems to me to be a difficult task getting ahold of enough photos
> that would be believably worth encrypting.

Homemade porn?

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Tyler Durden
IL PROTECTED]" <[EMAIL PROTECTED]>
Subject: Re: Forensics on PDAs, notes from the field
Date: Fri, 13 Aug 2004 14:11:36 -0400 (edt)

On Fri, 13 Aug 2004, Morlock Elloi wrote:
> The purpose would be that they do not figure out that you are using some
> security program, so they

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Sunder
Right, in which case GPG (or any other decent crypto system) is just fine, or you wouldn't be looking for stego'ing it inside of binaries in the first place.

--Kaos-Keraunos-Kybernetos---
 + ^ + :"Our enemies are innovative and resourceful, and so are we

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Thomas Shaddack
On Fri, 13 Aug 2004, Sunder wrote:
> If you're suspected of something really big, or you're middle eastern,
> then you need to worry about PDA forensics. Otherwise, you're just
> another geek with a case of megalomania thinking you're important enough
> for the FedZ to give a shit about you.

I

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Sunder
On Fri, 13 Aug 2004, Morlock Elloi wrote:
> The purpose would be that they do not figure out that you are using some
> security program, so they don't suspect that noise in the file or look for
> stego, right?
>
> The last time I checked the total number of PDA programs ever offered to public
> i

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread John Kelsey
>From: "Major Variola (ret)" <[EMAIL PROTECTED]>
>Sent: Aug 11, 2004 9:21 PM
>To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Subject: Forensics on PDAs, notes from the field
...
>Obvious lesson: Steganography tool authors, your programs
>should u

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Thomas Shaddack
On Fri, 13 Aug 2004, Morlock Elloi wrote:
> > A cool thing for this purpose could be a patch for gcc to produce unique
> > code every time, perhaps using some of the polymorphic methods used by
> > viruses.
>
> The purpose would be that they do not figure out that you are using some
> security

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Morlock Elloi
> A cool thing for this purpose could be a patch for gcc to produce unique
> code every time, perhaps using some of the polymorphic methods used by
> viruses.

The purpose would be that they do not figure out that you are using some security program, so they don't suspect that noise in the file o

Re: Forensics on PDAs, notes from the field

2004-08-13 Thread Thomas Shaddack
On Thu, 12 Aug 2004, Thomas Shaddack wrote:
> > The NIST CDROM also doesn't seem to include source code amongst its
> > sigs, so if you compile yourself, you may avoid their easy glance.
>
> A cool thing for this purpose could be a patch for gcc to produce unique
> code every time, perhaps usi

Re: Forensics on PDAs, notes from the field

2004-08-12 Thread Major Variola (ret)
Quoth Thomas Shaddack <[EMAIL PROTECTED]>
> Obvious lesson: Steganography tool authors, your programs
> should use the worm/HIV trick of changing their signatures
> with every invocation. Much harder for the forensic
> fedz to recognize your tools. (As suspicious, of course).

It should be enoug

Re: Forensics on PDAs, notes from the field

2004-08-11 Thread Thomas Shaddack
On Wed, 11 Aug 2004, Major Variola (ret) wrote:
> Obvious lesson: Steganography tool authors, your programs
> should use the worm/HIV trick of changing their signatures
> with every invocation. Much harder for the forensic
> fedz to recognize your tools. (As suspicious, of course).

It should b

Forensics on PDAs, notes from the field

2004-08-11 Thread Major Variola (ret)
Saint John of Cryptome has a particularly tasty link to http://csrc.nist.gov/publications/drafts.html#sp800-72 which describes the state of the art in PDA forensics. There is also a link to a CDROM of secure hashes of various "benign" and less benign programs that the NIST knows about. Including