Computer Security - Web-drop
Old 06-24-2003, 12:36 PM   #1
Default Web-drop


I came up with this idea for a variant of the "dead-drop" idea using the
World-Wide Web.

Background: a dead drop is a well-known technique, long used in
espionage and other circles, to pass documents or other objects from one
person to another without them meeting face-to-face. The two parties
prearrange a place (e.g. a locker in a bus depot, hidden under a bush,
or perhaps even in a public rubbish bin, if the item isn't left there
for too long). One drops the article off at that place, then some time
(say a few hours or a few days) later, the other party drops by to pick
the item up.

My idea uses the Web to pass a secret message between two parties. It
doesn't depend on a prearranged place (Website); instead, it relies on a
prearranged search phrase. The assumption is that there are lots of insecure
Web sites that one could break into without too much trouble, to make
surreptitious alterations to their pages. One could hide information in
an HTML comment, and provided it didn't make any significant difference
to the behaviour of the site, ordinary users of that site are likely to
be none the wiser. Anybody could see the addition if they used the "View
Source" function of their Web browser, but how many people do that as a
matter of course? Also, if the page was heavy with graphics that took a
long time to load, you could get away with quite a large addition to the
HTML without adding too much to the load time of the page.

Anyway, the message you inserted in the page would probably be
encrypted, using a prearranged encryption key. Along with the message,
you have to insert the prearranged search phrase, unencrypted. It should
be easy enough to arrange the format that an automatic system could be
written that, given the page contents, would recognize the presence of
the secret message and extract its contents.

After the first party has left the message, you then have to wait a
suitable time (perhaps 3-4 weeks) for your favourite search engine to
index the updated page. Then the second party does a search for the key
phrase, finds the message left at the hacked site, and picks it up.

The phrase needn't be anything too distinctive. Even if the search
returned, say, 1000 hits, it would be easy enough to write a script in
Perl or some such that systematically checked all the pages, looking for
the one containing the secret message. To guard against the chance of
someone deleting the message (either after discovering the hack and
repairing it, or inadvertently as a result of normal Website updates),
you could of course leave multiple copies on different Websites.

If you were really paranoid about someone watching the search engine,
looking for unusual searches, you could even break the search into two:
do the search for one part of the search phrase using one search engine,
and for another part using a different search engine. Then run a script
over the results, looking for links in common before actually fetching
those pages to look for the message.

Because of the time it takes for search engines to (re)visit pages, my
technique cannot be used for quick communication. It could still be used
to pass longer-term information, like plans for some operation months in
the future, or prearrangements for other, more immediate communication
methods for later use.

What do folks think? Has someone else already thought of this?


Lawrence D'Oliveiro
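Seen from the side of the site owner whose pages would be altered, the scheme in the post above has to leave an encoded run inside an HTML comment in the page source. An added example, not part of the original post: a Python check that walks the comments of a page you serve and flags long, high-entropy runs. The thresholds, function names and sample page are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Thresholds are assumptions for illustration; tune them against your own pages.
MIN_BLOB_LEN = 40        # shortest unbroken run treated as a possible payload
MIN_ENTROPY_BITS = 4.5   # bits per character; dividers and repeated text score lower
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{%d,}" % MIN_BLOB_LEN)

# Constructed sample page: two ordinary comments and one carrying an encoded-looking run.
SAMPLE_PAGE = """<html>
<body>
<!-- navigation menu starts here, updated by the web team -->
<!-- ================================================== -->
<p>Welcome</p>
<!-- lorem ipsum marker q3Zk9XvB1tLm7RwY0pHs5NcE2uJd8FgA4oKi6TbQxMzWyVnU -->
</body>
</html>"""


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


class CommentCollector(HTMLParser):
    """Records (start line, body) for every HTML comment in the document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data))


def suspicious_comments(html):
    """Return (line, entropy, blob prefix) for each encoded-looking run in a comment."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, body in parser.comments:
        for blob in BLOB_RE.findall(body):
            entropy = shannon_entropy(blob)
            if entropy >= MIN_ENTROPY_BITS:
                findings.append((line, round(entropy, 2), blob[:16]))
    return findings
```

Run against a known-good copy of each page as well, so that a finding can be compared with what the page contained before it changed.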
Old 07-02-2003, 10:35 PM   #2
Redwop G
Default Re: Web-drop
boy, oh boy, too many people have too much time on their hands to be
thinking up all these unscrupulous shenanigans!

oh, and by the way, thanks for giving potential terrorists more ideas/methods
to facilitate communications with each other.

R. Green
--------------------------
Technical Service Advisor
www.wowsat.com
--------------------------


"Nick Marshall" <nick.marshall at tinyworld dot co dot uk> wrote in message
news:...
>
> "Lawrence D'Oliveiro" <_zealand> wrote in message
> news:ldo-...
> > I came up with this idea for a variant of the "dead-drop" idea using the
> > World-Wide Web.
> >
> > Background: a dead drop is a well-known technique, long used in
> > espionage and other circles, to pass documents or other objects from one
> > person to another without them meeting face-to-face. The two parties
> > prearrange a place (e.g. a locker in a bus depot, hidden under a bush,
> > or perhaps even in a public rubbish bin, if the item isn't left there
> > for too long). One drops the article off at that place, then some time
> > (say a few hours or a few days) later, the other party drops by to pick
> > the item up.
> >
> > My idea uses the Web to pass a secret message between two parties. It
> > doesn't depend on a prearranged place (Website); instead, it relies on a
> > prearranged search phrase. The assumption is that there are lots of insecure
> > Web sites that one could break into without too much trouble, to make
> > surreptitious alterations to their pages. One could hide information in
> > an HTML comment, and provided it didn't make any significant difference
> > to the behaviour of the site, ordinary users of that site are likely to
> > be none the wiser. Anybody could see the addition if they used the "View
> > Source" function of their Web browser, but how many people do that as a
> > matter of course? Also, if the page was heavy with graphics that took a
> > long time to load, you could get away with quite a large addition to the
> > HTML without adding too much to the load time of the page.
> >
> > Anyway, the message you inserted in the page would probably be
> > encrypted, using a prearranged encryption key. Along with the message,
> > you have to insert the prearranged search phrase, unencrypted. It should
> > be easy enough to arrange the format that an automatic system could be
> > written that, given the page contents, would recognize the presence of
> > the secret message and extract its contents.
> >
> > After the first party has left the message, you then have to wait a
> > suitable time (perhaps 3-4 weeks) for your favourite search engine to
> > index the updated page. Then the second party does a search for the key
> > phrase, finds the message left at the hacked site, and picks it up.
> >
> > The phrase needn't be anything too distinctive. Even if the search
> > returned, say, 1000 hits, it would be easy enough to write a script in
> > Perl or some such that systematically checked all the pages, looking for
> > the one containing the secret message. To guard against the chance of
> > someone deleting the message (either after discovering the hack and
> > repairing it, or inadvertently as a result of normal Website updates),
> > you could of course leave multiple copies on different Websites.
> >
> > If you were really paranoid about someone watching the search engine,
> > looking for unusual searches, you could even break the search into two:
> > do the search for one part of the search phrase using one search engine,
> > and for another part using a different search engine. Then run a script
> > over the results, looking for links in common before actually fetching
> > those pages to look for the message.
> >
> > Because of the time it takes for search engines to (re)visit pages, my
> > technique cannot be used for quick communication. It could still be used
> > to pass longer-term information, like plans for some operation months in
> > the future, or prearrangements for other, more immediate communication
> > methods for later use.
> >
> > What do folks think? Has someone else already thought of this?

>
> ---
>
> It appears that it SHOULD work, and - most probably - somebody, somewhere,
> is using it. Or a variation (why not use redundant bits in a JPEG for the
> message - then search for the picture!! That HAS been done!!). Or use an
> open place - such as a Newsgroup? - and put 'fake' PGP header/footer which
> is the data (encrypted, of course!). Just don't tell anyone - except the
> intended recipient of course!
>
> Nick
>
>





Redwop G