Tuesday, January 27, 2004

Re:As far as censorware go, fuggedaboutit

Slashdot posted to Removing Site from Spam Filters and ISP Blocks? as Re:As far as censorware go, fuggedaboutit:

I agree that the site in question will get the most benefit from moving their "clean" content to a new IP address, leave the porn content on the old IP.

The way that censorware works is that it blocks IP's, not domains.

This is not absolutely true -- while nearly all web filters have a list of IP addresses that are blocked, most block on both domain names and IP addresses.

As a result, other sites hosted on the same IP as a site with undesirable content as defined by some censorware's black list are also blocked.

Depends on the filter, and on the hosting site. Sometimes this is unavoidable, where the hosting company intentionally or unintentionally makes it easy to bypass domain name filters by going through another site hosted on the same IP address.

Not all web filtering software will block all sites hosted on an IP address that contains just one objectionable site.

This obviously has many serious problems -- the best writeup on the myriad issues with censorware is at Peacefire.

Asking Peacefire about web filtering software is like an "Ask Slashdot" about Microsoft software -- any answer you get is indelibly tinged with the fanatacism of the source.

There are some well-written web filtering applications, there are some legitimate reasons to install and use filters. But you'll never hear anything positive about "censorware" from Peacefire.

Sunday, January 11, 2004

Strong crypto should look not unlike random noise

Slashdot posted to USAF Wants To Find Steganographic Content as Strong crypto should look not unlike random noise :

Maybe statistical analysis can determine if a given image or other medium is possibly hiding information. But if that information is encrypted, doesn't it look like random data without the key?

Yes. One quick-and-dirty test of the strength of a cryptographic algorithm or hash function is that the output appears random, and a small change in the input results in a large change in the output.

If the steg'd data has obvious headers and block formatting, a weak algorithm could leave enough of a pattern in the output file to be detectable. And of course some applications of stego are used to embed cleartext data...

Without knowing the key or even the cipher used to encrypt it... how can it be shown to actually be information? "That's just random noise/corruption in my images your honor... I dont know what your talking about"

Proponents of stego sometimes suggest it's use in environments where even the suspicion of crypto is enough to risk persecution and/or prosecution.

The other "trick" to detecting stego is that "normal" JPG/BMP/WAV/MP3/AVI/MPEG files tend to not actually show a high degree of random noise -- the seemingly random data in the LSB tends to have a pattern imposed by the encoder used and the input device.

I'd guess that this problem is more of an issue on highly-processed information from clean sources. You wouldn't expect random noise on an MP3 file ripped off the latest pop album release, but it wouldn't be out of place on a .SHN "bootleg" recording of a TMBG live concert from a handheld DAT recorder...

cryptor3 replies:
Interesting... looking for things being too random...

So then to counter this, the steg programs need to encode data in such a way that the various nonrandom patterns originally present in the unaltered files.

It seems like this would become a mathematical arms race where, on one side, analyzers are developing new statistical tests for patterns, and on the other side, programmers for steg programs must keep patching their programs to account for these types of patterns.