Web-drop

Discussion in 'Computer Security' started by Lawrence D¹Oliveiro, Jun 24, 2003.

  1. I came up with this idea for a variant of the "dead-drop" idea using the
    World-Wide Web.

    Background: a dead drop is a well-known technique, long used in
    espionage and other circles, to pass documents or other objects from one
    person to another without them meeting face-to-face. The two parties
    prearrange a place (e.g. a locker in a bus depot, hidden under a bush,
    or perhaps even in a public rubbish bin, if the item isn't left there
    for too long). One drops the article off at that place, then some time
    (say a few hours or a few days) later, the other party drops by to pick
    the item up.

    My idea uses the Web to pass a secret message between two parties. It
    doesn't depend on a prearranged place (Website); instead, it relies on a
    prearranged search phrase. The assumption is that there lots of insecure
    Web sites that one could break into without too much trouble, to make
    surreptitious alterations to their pages. One could hide information in
    an HTML comment, and provided it didn't make any significant difference
    to the behaviour of the site, ordinary users of that site are likely to
    be none the wiser. Anybody could see the addition if they used the "View
    Source" function of their Web browser, but how many people do that as a
    matter of course? Also, if the page was heavy with graphics that took a
    long time to load, you could get away with quite a large addition to the
    HTML without adding too much to the load time of the page.

    Anyway, the message you inserted in the page would probably be
    encrypted, using a prearranged encryption key. Along with the message,
    you have to insert the prearranged search phrase, unencrypted. It should
    be easy enough to arrange the format that an automatic system could be
    written that, given the page contents, would recognize the presence of
    the secret message and extract its contents.

    After the first party has left the message, you then have to wait a
    suitable time (perhaps 3-4 weeks) for your favourite search engine to
    index the updated page. Then the second party does a search for the key
    phrase, finds the message left at the hacked site, and picks it up.

    The phrase needn't be anything too distinctive. Even if the search
    returned, say, 1000 hits, it would be easy enough to write a script in
    Perl or some such that systematically checked all the pages, looking for
    the one containing the secret message. To guard against the chance of
    someone deleting the message (either after discovering the hack and
    repairing it, or inadvertently as a result of normal Website updates),
    you could of course leave multiple copies on different Websites.

    If you were really paranoid about someone watching the search engine,
    looking for unusual searches, you could even break the search into two:
    do the search for one part of the search phrase using one search engine,
    and for another part using a different search engine. Then run a script
    over the results, looking for links in common before actually fetching
    those pages to look for the message.

    Because of the time it takes for search engines to (re)visit pages, my
    technique cannot be used for quick communication. It could still be used
    to pass longer-term information, like plans for some operation months in
    the future, or perarrangements for other, more immediate communication
    methods for later use.

    What do folks think? Has someone else already thought of this?
     
    Lawrence D¹Oliveiro, Jun 24, 2003
    #1
    1. Advertising

  2. Lawrence D¹Oliveiro

    Redwop G Guest

    boy, oh boy, too many people have too much time on their hands to be
    thinking up of all these unscrupulous shenanigans!

    oh, and by the way, thanks for giving potential terrorists more ideas/method
    to facilitate communications with each other.

    R. Green
    --------------------------
    Technical Service Advisor
    www.wowsat.com
    --------------------------


    "Nick Marshall" <nick.marshall at tinyworld dot co dot uk> wrote in message
    news:...
    >
    > "Lawrence D¹Oliveiro" <_zealand> wrote in message
    > news:...
    > > I came up with this idea for a variant of the "dead-drop" idea using the
    > > World-Wide Web.
    > >
    > > Background: a dead drop is a well-known technique, long used in
    > > espionage and other circles, to pass documents or other objects from one
    > > person to another without them meeting face-to-face. The two parties
    > > prearrange a place (e.g. a locker in a bus depot, hidden under a bush,
    > > or perhaps even in a public rubbish bin, if the item isn't left there
    > > for too long). One drops the article off at that place, then some time
    > > (say a few hours or a few days) later, the other party drops by to pick
    > > the item up.
    > >
    > > My idea uses the Web to pass a secret message between two parties. It
    > > doesn't depend on a prearranged place (Website); instead, it relies on a
    > > prearranged search phrase. The assumption is that there lots of insecure
    > > Web sites that one could break into without too much trouble, to make
    > > surreptitious alterations to their pages. One could hide information in
    > > an HTML comment, and provided it didn't make any significant difference
    > > to the behaviour of the site, ordinary users of that site are likely to
    > > be none the wiser. Anybody could see the addition if they used the "View
    > > Source" function of their Web browser, but how many people do that as a
    > > matter of course? Also, if the page was heavy with graphics that took a
    > > long time to load, you could get away with quite a large addition to the
    > > HTML without adding too much to the load time of the page.
    > >
    > > Anyway, the message you inserted in the page would probably be
    > > encrypted, using a prearranged encryption key. Along with the message,
    > > you have to insert the prearranged search phrase, unencrypted. It should
    > > be easy enough to arrange the format that an automatic system could be
    > > written that, given the page contents, would recognize the presence of
    > > the secret message and extract its contents.
    > >
    > > After the first party has left the message, you then have to wait a
    > > suitable time (perhaps 3-4 weeks) for your favourite search engine to
    > > index the updated page. Then the second party does a search for the key
    > > phrase, finds the message left at the hacked site, and picks it up.
    > >
    > > The phrase needn't be anything too distinctive. Even if the search
    > > returned, say, 1000 hits, it would be easy enough to write a script in
    > > Perl or some such that systematically checked all the pages, looking for
    > > the one containing the secret message. To guard against the chance of
    > > someone deleting the message (either after discovering the hack and
    > > repairing it, or inadvertently as a result of normal Website updates),
    > > you could of course leave multiple copies on different Websites.
    > >
    > > If you were really paranoid about someone watching the search engine,
    > > looking for unusual searches, you could even break the search into two:
    > > do the search for one part of the search phrase using one search engine,
    > > and for another part using a different search engine. Then run a script
    > > over the results, looking for links in common before actually fetching
    > > those pages to look for the message.
    > >
    > > Because of the time it takes for search engines to (re)visit pages, my
    > > technique cannot be used for quick communication. It could still be used
    > > to pass longer-term information, like plans for some operation months in
    > > the future, or perarrangements for other, more immediate communication
    > > methods for later use.
    > >
    > > What do folks think? Has someone else already thought of this?

    >
    > ---
    >
    > It appears that it SHOULD work, and - most probably - somebody, somewhere,
    > is using it. Or a variation (why not use redundant bits in a JPEG for the
    > message - then search for the picture!! That HAS been done!!). Or use an
    > open place - such as a Newsgroup? - and put 'fake' PGP header/footer which
    > is the data (encrypted, of course!). Just don't tell anyone - except the
    > intended recipient of course!
    >
    > Nick
    >
    >
     
    Redwop G, Jul 2, 2003
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. bardeban

    google search web box drop down menu

    bardeban, Jul 23, 2004, in forum: Computer Support
    Replies:
    1
    Views:
    824
    °Mike°
    Jul 23, 2004
  2. jim evans

    Drop Shadow on Web Page

    jim evans, Feb 18, 2004, in forum: Digital Photography
    Replies:
    1
    Views:
    500
    Lucas Tam
    Feb 18, 2004
  3. Edge
    Replies:
    0
    Views:
    411
  4. Edge
    Replies:
    1
    Views:
    475
  5. freezea
    Replies:
    0
    Views:
    1,412
    freezea
    Aug 13, 2009
Loading...

Share This Page