Digital Voices From Rogue Nations?

Over the past five years, we have watched the Internet shrink distances and bridge the gaps between the international community of nations. Never before has it been easier for a physicist in Zaire to communicate and share ideas with such a diverse group as a professor from UC Berkeley and a computer scientist from Berlin. However, despite this social benefit from what is the world's growing global network, there are still places where the boon that is Internet communcation is frowned upon, even dangerous. What would you do if you had to privately communicate with people in countries like China or Iran where communications are possibly monitored and knowledge of what you are discussing could get the person on the other end in trouble with his or her own government? Is it possible to quietly and privately use the Internet to communicate with these people?

cscrutinizer asks: "I have a friend in Iran who is producing a Web site newsletter (in English) that advocates women's rights there. She is looking for ways to fund her operations and was wanting to add a donation section as well as a section to sell e-books of some Iranian authors who can't get their stuff out to the rest of the world. As we started to talk about how to do it, a myriad of issues came up with regards to credit card transactions, the transfer of funds, the use of encryption, where to host (currently in the U.S.), copyright laws, how to avoid political reprisals, etc. What is the best path for someone living in an embargoed nation?"

BillEGoat writes "A friend of ours is visiting China to do some work that is not in keeping with their government's ideals. We need to know the kinds of e-mail interception techniques China's government and universities use, and if encrypted e-mail will get detected or blocked. Obviously the idea is to communicate without anyone knowing. The real risk is arrest and detention or deportation of our friend if caught. What encryption techniques can we use that are hard to detect and break?"

Steganography

[jabber]

BillEGoat, take a look at some steganography tools out on the net.

For those unaware, steganography is the embedding of useful information in other data, for example encoding text in the least-significant-bit(s) of an image.

As a hypothetical: Your friend wants to send email with sensitive information. He encrypts it (just to be extra safe) and then burries the ciphertext in a large TIFF file of the Chinese Wall. He compresses the image with ZIP and attaches it to an innocuous e-mail "Having a great time, wish you were here"...

The government spooks intercept, decode and conclude ' another happy tourist spending dollars '.

You receive the message, reverse the process and learn that the attack is being launched at dawn.

Steganography is *not* the answer

[rjh]

Everyone here who's been advising you to use steganography is well-intentioned, but missing the point. If the secret police suspect your target of receiving subversive information, then they'll likely look for steganography.

It's not hard to flip the low-order bit in an image file. In fact, it's trivial. They'll be expecting that and they'll intercept it. Don't try it.

Encryption is also not the answer. In Iraq and Syria, for instance, using encryption is a capital offense. Sure, your communications with your friend might remain secure, but your friend would be executed--whoops!

Another naieve way to handle things is to encrypt your steganography. "It'll look like random noise!", they claim. Well, yes... and that's exactly what it must not look like. You'd have to find some bizarre cipher with outputs specifically tailored to match the statistical patterns of image files. I don't know of any which can do this.

One possibility--and I am not reccommending this without a heck of a lot more peer review--is to start an email dialogue about esoteric mathematics. Include a big ol' table of random numbers and do some real mathematical analysis of it. If the email gets intercepted, the secret police will check the table for randomness (it's random, all right--passes every test!), they'll check your email to see if it's sensible (yep--you're doing actual mathematical research!), etc.

Of course, your friend knows that it's a one-time pad. (Not really a one-time pad--if you and your friend both have a cipher, a shared key and a shared IV, you can run the cipher in OFB mode to generate a lot of statistically random data. You generate the random data, then use it as a one-time pad for your message; your friend re-generates the one-time pad on his/her end, then reverses the one-time pad. Strictly speaking, this is just OFB encryption, not a OTP.)

Of course, the secret police will know that it's an encrypted message... but they won't be able to prove it. Whether or not that stops them depends on just how totalitarian the state is. Some states will just shoot you in the back of the head and get it over with. Others, such as China, must at least make an attempt at a fair trial in order to soothe Western critics.

Hide it by hand

[bluGill]

Back about 3 or 4 years ago someone on the Scary Devil Monastery got mad at all the lusers posting with line lenghts longer then 72 charicters. So he made all the line lenghs of his next few posts exactly that. The neat thing was he did it by hand, without inserting extra spaces. Those posts made gramitical sense and were intellegent.

So with practice you should be able to set up a low bandwidth code based on line lenghts. Shorter then 72 is a 0, longer is a 1 (or maybe encode 2 bits in a line...)

Of course the point is that you need to communicate without rasing suspition. Thus you need a pen-pal that you can write long letters to often, on innocent subjects. (Talk about your girl friend, go into detail about your date at a restaruant - someplace they can quickly verify that you really were in). If keep sending pictures of the mona-lisa around slightly altered, then you better be talking a email class on gimp filters. (This is what I came up with when doing a blur to the nose - and then embed your message in the least significant bits of the nose area only.)