Discussion in 'Computer Security' started by Lawrence D'Oliveiro, Jun 24, 2003.

  1. I came up with this idea for a variant of the "dead-drop" idea using the
    World-Wide Web.

    Background: a dead drop is a well-known technique, long used in
    espionage and other circles, to pass documents or other objects from one
    person to another without them meeting face-to-face. The two parties
    prearrange a place (e.g. a locker in a bus depot, hidden under a bush,
    or perhaps even in a public rubbish bin, if the item isn't left there
    for too long). One drops the article off at that place, then some time
    (say a few hours or a few days) later, the other party drops by to pick
    the item up.

    My idea uses the Web to pass a secret message between two parties. It
    doesn't depend on a prearranged place (Website); instead, it relies on a
    prearranged search phrase. The assumption is that there are lots of insecure
    Web sites that one could break into without too much trouble, to make
    surreptitious alterations to their pages. One could hide information in
    an HTML comment, and provided it didn't make any significant difference
    to the behaviour of the site, ordinary users of that site are likely to
    be none the wiser. Anybody could see the addition if they used the "View
    Source" function of their Web browser, but how many people do that as a
    matter of course? Also, if the page was heavy with graphics that took a
    long time to load, you could get away with quite a large addition to the
    HTML without adding too much to the load time of the page.

    Anyway, the message you inserted in the page would probably be
    encrypted, using a prearranged encryption key. Along with the message,
    you have to insert the prearranged search phrase, unencrypted. It should
    be easy enough to arrange the format that an automatic system could be
    written that, given the page contents, would recognize the presence of
    the secret message and extract its contents.

    After the first party has left the message, you then have to wait a
    suitable time (perhaps 3-4 weeks) for your favourite search engine to
    index the updated page. Then the second party does a search for the key
    phrase, finds the message left at the hacked site, and picks it up.

    The phrase needn't be anything too distinctive. Even if the search
    returned, say, 1000 hits, it would be easy enough to write a script in
    Perl or some such that systematically checked all the pages, looking for
    the one containing the secret message. To guard against the chance of
    someone deleting the message (either after discovering the hack and
    repairing it, or inadvertently as a result of normal Website updates),
    you could of course leave multiple copies on different Websites.

    If you were really paranoid about someone watching the search engine,
    looking for unusual searches, you could even break the search into two:
    do the search for one part of the search phrase using one search engine,
    and for another part using a different search engine. Then run a script
    over the results, looking for links in common before actually fetching
    those pages to look for the message.

    Because of the time it takes for search engines to (re)visit pages, my
    technique cannot be used for quick communication. It could still be used
    to pass longer-term information, like plans for some operation months in
    the future, or prearrangements for other, more immediate communication
    methods for later use.

    What do folks think? Has someone else already thought of this?
    Lawrence D'Oliveiro, Jun 24, 2003
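
Seen from the site operator's side, the hidden-comment payload described in the post above is something to look for in one's own pages. The sketch below is an added example, not part of the original thread: it flags HTML comments that contain long, high-entropy base64-like runs. The threshold, the sample page and its marker phrase are constructed assumptions.

```python
import base64, hashlib, math, re
from html.parser import HTMLParser

BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{40,}")  # base64-like runs of 40+ characters
ENTROPY_THRESHOLD = 4.5  # bits/char, assumed tuning value; hex build hashes top out at 4.0

def shannon_entropy(text):
    """Empirical bits per character of text."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

class CommentCollector(HTMLParser):
    """Records (line, text) for every HTML comment in the page."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data))

def suspicious_comments(html):
    """Return one finding per high-entropy blob found inside an HTML comment."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, text in collector.comments:
        joined = re.sub(r"\s*\n\s*", "", text)  # rejoin blobs wrapped over several lines
        for match in BLOB_RE.finditer(joined):
            entropy = shannon_entropy(match.group(0))
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": line, "length": len(match.group(0)),
                                 "entropy": round(entropy, 2)})
    return findings

# Constructed sample: one ordinary comment, one comment carrying a wrapped 88-character blob.
BLOB = base64.b64encode(hashlib.sha512(b"constructed sample").digest()).decode()
SAMPLE_PAGE = """<html><body>
<!-- navigation menu starts here -->
<h1>Bus timetable</h1>
<!-- blue heron timetable:
{0}
{1} -->
</body></html>""".format(BLOB[:44], BLOB[44:])

if __name__ == "__main__":
    for finding in suspicious_comments(SAMPLE_PAGE):
        print(finding)
```

A scan like this complements file-integrity monitoring, which catches the unauthorised edit itself rather than what it contains.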

  2. Lawrence D'Oliveiro

    Redwop G Guest

    boy, oh boy, too many people have too much time on their hands to be
    thinking up all these unscrupulous shenanigans!

    oh, and by the way, thanks for giving potential terrorists more ideas/methods
    to facilitate communications with each other.

    R. Green
    Redwop G, Jul 2, 2003