20 comments

[ 4.5 ms ] story [ 45.8 ms ] thread
Hi, just wanted to say thanks for the idea. I setup canaries on both my wife and my own accounts after your article made the rounds.

So far no hits..

That's a really nice idea. I think my solution is better though. If an attacker manages to access my email account, all they're going to see are PGP encrypted emails.

https://grepular.com/Automatically_Encrypting_all_Incoming_E...

They wont be able to read password reset emails or anything else in there.

I might set up a canary though, as it sounds like a useful way of being made aware of a compromise.

It'd be interesting to see how your (and other's) setup have endured actual attacks. As someone non-versed in security, I think your approach sounds great. But how does it fare when someone comes knocking?

I wonder the same thing about my setups. I have a password manager with random passwords for every site/forum that I encounter. It'd be nice to know of the efficacy of this work - has it helped me in any way? I'll never know.

I don't like this because it only works if you enable remote loading of images on your own account, which feels like huge collateral damage to me. A ton of email you receive will attempt to use this technique against you, so I've always disabled that.
In gmail you can whitelist addresses from which you allow the loading of images.
I've been doing this for a while with http://trackmycv.com/ basically you can embed a transparent pixel in an MS word (or any other kind of MS office document) and get notifications whenever it's opened.
There is a much better (and older) idea: introduce subtle watermarks into the actual content of the document itself. Minor typos, changes of word order, maybe even different facts. Different people in your organization get access to those slightly different versions. Once a document emerges where it's not supposed to be, your knowledge about who might have leaked it increases.

I have heard (not confirmed) that mapmakers introduce small errors into their maps to detect competition copying their maps instead of the terrain.

While reading the blog post, I was thinking about steganographically inserting data into printed documents. It might be more difficult in this age of grammar and spell checkers, but sounds fun to play with.

It just occurred to me that stego could be applied at the word level to get around spelling and grammar corrections.

I think subtle forming and or font changes is probably the easiest approach.
I don't think it's unreasonable to think that a well-funded team of computational linguists could come up with enough equivalent grammatical/synonym permutations to render a very large number of versions of text.

Two problems: 1: When outlets learn this is the case, they just make sure never to publish the exact phrasing of any such leaked document. 2: This only helps you track down the leaker, not prevent him from leaking. The "phone home" document would presumably catch the leaker as he's collecting the documents.

There was a tool which was used to trace forum leaks/mirrors, it was made/used by an Eve Online Alliance of all things. (If you can find a 2010/2011 mirror of the "Pandemic Legion" forums there should be a description of it on there).

From what I read it would introduce subtle changes based upon some identifier (either IP address, user account or both).

The variation was generated by using unicode characters which were either invisible or very close substitutions to actual characters. This could be countered by anyone who knew it was there however.

There was also the ability to write a block of the post in multiple different ways. With 5 blocks written 5 ways each you can get 3125 different variations of a post.

There is probably some interesting mathematics relating the level of redundancy to the minimum number of documents that would be required to make an un-tracable version.

Then somebody mashes "reply all" and the scheme is ruined.
C'mon, classified documents should not even go anywhere near systems where you can just click "reply all". But in general, you are right - this schema obviously does not work in situations where potential leakers can compare the doc versions.
This would be easily done replacing a normal space with a non-breaking space. The content of the document would be virtually indistinguishable. (Yes, you might get some weird word wrapping)
Tom Clancy did that in 'The Cardinal of the Kremlin' back in '88.
The phone home mechanism is not necessarily on the client side in MS Word macros. It could be the file server logging access to the fake documents.