Slashdot Mirror
Study Finds Low Use Of Steganography On Internet
schnippy writes: "New Scientist reports on new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.
Half of slashdot posts are encrypted evil plots for mass destruction.
Je t'aime Stéphanie
The whole point of stenography is that people CAN'T spot the fact that you're using it!
i think the extinction of the dinosaurs wiped out steganography; the mysteries of how the stegasaurus learned to write with its' tail will never be known to any of us...
...does anyone else think that "steganography" is just the latest in annoying media-driven hysterics? Every month there's a new buzzword that exists simply to point out the "evils" of the internet...
MAYBE this is just another one of those words!! With so many other more effective and simple methods of encryption (read: PGP), why would anyone go to all the trouble?
So does someone have a super-duper steganography-detection algorithm, or what?
Maybe they assume in color-discretized images that images having RGBs one-off of their surrounding pixels are steganographic? I gotta write a filter to induce 1-off color changes then, just to keep 'em busy. =)
Or are these people just freakin morons?
--- The reclining dragon deeply fears the blue pool's clarity.
"Study Finds Low Use Of Steganography On Internet"...
Duh.
We need to use this to OUR advantage to make sure that we, the citizens of the world, keep control instead of the Corporations and Governments.
Yea right, ebay, who would put images on ebay?
Have these guys check the porno groups on usenet,
they might get different results.
-lp
I had one..but I couldn't read it!
Steganography is supposed to hide messages as well as possible. That's the whole point. So wouldn't a study just find the use of bad steganography, that is, stego that is easy to detect?
And who says that you have to post images to send a message? Maybe posting a baseball card for sale means that a cell is to attack on the day that the auction closes. A Sammy Sosa card means we fly into the Sears Tower; a Thurman Munson card means the WTC. The starting bid is the price is the time at which it's to happen.
The whole point of steganography is that the outside world doesn't even know what your encoding system is, much less be able to decipher it.
Why did they think people would use Ebay to hide messages?
Just e-mail your buddy pics of you playing with your dog, or set up a geocities page, or break into Yahoo and alter their news pics.
obviously no deficiencies vs. no obvious deficiencies
From what I heard, not that I have any clue what I'm talking about other then what I've seen on the news and water cooler talk. But, they don't even use computers for the most part. Not only are they low-tech, they are no-tech. I don't see what the fear is other then some goverment officials taking advantage of the mass hysteria.
Why did they mainly scan Ebay? Why not take a look at the large free webhosting providers like geocities?
It seems like to me the terriorists like to keep a low profile, so why would they want to go through the trouble of getting a working account (and also have the need for a credit card) just to post some information on Ebay?
I patented screwing your mom. But it got revoked for "prior art."
Steganography in and of itself is fairly powerful. However, the real beauty lies when you combine it with encryption. Encrypt your strings of bytes, strip off headers and define the headers through some other mechanism and THEN you'll have truly clandestine communications. The best steganography is the kind no one even knows is there (as has been mentioned previously).
I know a group of guys who were literally taking all of the porn off of the alt.binaries newsgroups to look for hidden messages, but gave up do to the volune, the low chance of actually getting a hit, etc. In other words, it will be impossible to tell if the image you have is actually encoded.
An interesting look at what steganography is for beginners.
- There is no significant use of steganography on the Internet.
- Nobody uses steganographic systems that we can find.
- All users of steganographic systems carefully choose passwords that are not susceptible to dictionary attacks. (emphasis mine)
In response to number 3, I'd like to say, "well, duh". Anyone clever enough to transmit messages via steganography is not going to be stupid enough to potentially compromise themselves by choosing a simple password.But beyond that, this search is limited to one small part (Ebay) of the entire Internet. There are certainly many other places where images can be transmitted inconspicuously (certain usenet groups come to mind).
To me, this seems like a "feel good" story designed to put people at ease. It has little actual merit.
www.scorbett.ca
Putting restrictions on cryptography and steganography is akin to closing the barn door after the cow's run off.
Apologies for stating the obvious, but someone has to.
Yeah, if I was going to hide a message, I'd use commonly available tools already out there. *sigh*
Terrorists are not stupid. I would think a home-brew methods would be better in many circumstances.
These people aren't communicating with 45 meg Powerpoint Presentations outlining the plans. Short, concise messages could be encrypted with previously agreed upon one-time pads, hidden in a few bytes of an image, or even across 8 or 10 images across multiple sites. These people have time and a mountain of data to hide in.
So, how exactly did they determine this? I mean the whole idea is to hide the information, in theory one should not be able to determine if there's anything hidden in the image or not.
Ebay seems like a poor choice for stenography. First off, you have to actually sell something to get a picture on Ebay (IIRC), and I doubt the terrorists are going to want to bother with having buyers on their back all the time.
It seems to me like it would be much easier just to set up some random Geocities site with text like:
Hi, I'm Lisa Smith and this is my site about me and my 10 cats!
Then include several pictures of 10 different cats, including some with covert information. If you need new information you can reencode some of the pictures and reupload them. Other messages can be sent by subtly changing the HTML (adding and deleting extra spaces for instance).
I still can't figure out why they thought the images would be one Ebay.
I read the internet for the articles.
Apart from the fact that by default, good steganography should be undetectable, it appears that e-bay is a poor site to use. By default, the user posting a sale has to exist in some manner, unless a new identity is created for each item to be sold - which makes sense, but the bottom line is that it is a pain to keep creating e-bay accounts, and making up e-mail addresses.
Something on the newsgroups would be a much better place to look. the alt.binaries.pictures.* areas. Almost total anonymity.
If I were to want to communicate this way, I would avoid e-bay.
gus
.. if only.
This is important, because the FBI, NSA, CIA, etc. should definitely NOT be wasting its time looking into these crazy claims of hidden messages.
The cake is a pie
Someone pointed out these paragraphs to me, from the BBC's coverage of this story:
"No, really, we havehave to look at more pr0n now..."
GROGGS: alive and well and living in
I know people are joking about it being the whole point that you can't find it in use, but reading the article, this is not far from the truth. The researchers admitted that the method they used only hunted for known, commercially available techniques, and that there were other techniques available that would not have been spotted. Add in any totally novel methods people may have used themselves.
Still, if we're going to give these researchers funding...
I couldn't help laughing at the title. The first thing that popped into my head was, "How do you measure the amount of steganography on the internet?" Seems like the answer is that there should be a lot of nearly useless information, a low signal-to-noise ratio if you will. Which, I'm sorry to say, is a very accurate description of the internet. :P
:)
Okay, okay, now I'll go read the article.
Happy winnowing and chaffing!
Dave
It seems a bit sketchy to conclude that if something doesn't happen on e-bay, then it must not be happening anywhere else on the internet.
and, they only tested against three programs. anyone with a few hours on their hands can whip up an app to do this kind of data hiding - i did.
BFD.
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
I could easily encode a message into an image, and NOBODY could detect that one was there, even through careful examination... why would this study be accurate?
For example:
-take an original image as a reference
-encode a message into binary 1's and 0's (use encryption if you like, or just the binary ascii equivalent)
-go through the image in a certain direction, and change each pixel value by 1 to encode a binary "1", or leave it alone to encode a binary "0".
-distribute a "reference image" separately that can be used to decode the image (like a key)
-use a simple algorythm to compare the original and reference, which will give you a binary sequence
-decode the binary sequence using whatever method you used to encode it
Unless you have the reference image, you're screwed. Changing RGB values by 0 or 1 will not be detectable, and will easily blend in with the noise of most images.
The only thing you can't do is compress the image with JPEG or other "lossy" compression routines.
How could you detect this? How could you prevent it from being used? You can't, unless you know the reference image. I could post secret messages on the front page of CNN.com and nobody would know (ok, assuming I had access to CNN.com to post an image).
MadCow.
I used to have a sig, but I set it free and it never came back.
I'd LOVE to take all the pics of the 'great and good' on our companies website and hide 'john is a twat' or 'if its sunday call me jane' in there!
is like trying to prevent a germ warfare attack.
The truth is, that even if we had known about the WTC attack we could not have prevented it without causing an economic loss of millions of dollars in the city of New York that our current hero-mayor -- Rudy Giuliani -- would have prevented, to the accolades of his fellow citizens if an attack had not come.
You have to do so much alteration to the medium which you are trying to keep free of bad stuff, be it Internet porn or our daily lives, that the medium itself is changed beyond recognition. It's not worth it.
Unlike a specific cryptographic algorithm, steganography is a group of methods that take advantage of the huge volume of information that passes over the internet.
Unless you want to dramatically slow down the transfer of all information, making sure the file looks the same at each gateway it passes through, there is very little you can do to catch people who disguise information in this way.
ObL is a modern terrorist, using modern methods to operate and communicate. He want us to be afraid of our own modern trappings and conveniences in our lives; if we try to make it impossible for him to communicate, we give up far too much ourselves.
We must allow full encryption freedom, full steganography freedom, and all otehr lifestyle freedoms in the US and around the world.
Traditional deterrence methods, such as massive military response, should be used to stop terrorists; we need to stop them after their attacks, and instill fear in others who would attack through a terrifying military response, unfortunately against the innocent as well as the guilty.
Goat sex free since 2001
So that's what that image is for, it contains Bin Laden's secret messages! And here we thought it was trolls...
Earlier this year, USA Today reported that Bin Laden was using stegnography to disguise his communications.
In other new, Osama bin Laden has unilaterally agreed to stop sending encrypted messages, in advance of forthcoming legislation U.S. legislation restricting cryptography. When approached for a quote, bin Laden quipped, "I no longer wish to be secretive in my communications, from here on, I vow to only Exchange pictures of beautiful American women with my friends in the United States.
Seen any BadMarketing lately?
Tampering can still leave traces, and once you know how a tool works, you may be able to detect it. This turns out to be the case with almost all of the currently available steganographic tools. From the Slashback link:
"[The researcher has] been developing several interesting tools to do steganalysis during the course of his universal stego engine development: (http://www.outguess.org/) including stegbreak (which can detect images produced by all popular stego tools -- except outguess)....
Of course, this only works if you know the tool, so this research only would detect the use of "off-the-shelf" steganography, as the researchers point out. From the article:
The technique may not be infallible. The methods used by Provos and Honeyman were particularly aimed at uncovering use of steganographic tools already released on the internet.
There are more advanced methods of hiding communications within images that involve using active, as well as redundant parts, of the underlying code. Sushil Jajodia of the Centre for Secure Information Systems at George Mason University in Virginia, US, says that this could have evaded detection but would require considerable technical sophistication.
BTW, it's "steganography". "Stenography" is what those speedy typists in courtrooms do.
"Study finds little undetectable information."
In plainer English:
"Your tax dollars used to buy nice things for professional researcher's family."
---
You'd be surprised at the broadband connection available to things crawling around in your hair.
After an extensive search I have concluded that Flying Saucers, Santa Claus and the Tooth Fairy don't exist because I couldn't find them.
I am Slashdot. Are you Slashdot as well?
I have all these side projects I want to work on, and a robot to look for that stuff was one of the ideas I had after the 11th.
all of my good ideas were already done before. bastards.
There are some odd things afoot now, in the Villa Straylight.
Ignoring terrorists for the moment, what about the rest of us?
Most of us agree that use of encryption is probably a good thing. (Envelope as opposed to postcard and all that.)
So, how do we get normal folks to use encryption? By creating tools that interface well with the tools normal folks use. If that means writing a plugin to outlook, so that the braindead can encrypt the latest virus they're trying to pass me, we should do it.
The study is about detecting stego when normal tools are used for the encryption. It doesn't suggest that the message is easily extracted, and it's foolish to suppose that terrorists will only use the most commonly available tools.
What can we do to get normal folks to use stego, PGP, or other forms of encryption?
I think that we spend a lot of time on Slashdot arguing about Linux and it's place on the desktop, when we could be focusing on encryption as well, and how to make it ubiquitous.
Study Finds Low Use Of Steganography On Internet
Just goes to show how good it is.
With a little bit of luck Bin Laden, or one of his cronies, might have caught the Sircam virus, and unwittingly mailed out his secret plans. Now is the moment to (safely) open these old mails, and check out whether maybe you have something among them which might interest the FBI... It would astonish me if among all those zillions of Sircam mails that were sent around the world back in spring, there wasn't one containing juicy details...
In order to "safely" open Sircam mails, detach the attachment (in Unix), then strip of the 134 first kilobytes:
Then transfer the stripped attachment to your Winders box, and open it in Word/Excel or wherever. Enjoy!
N.B. Many word files can be viewed using strings -a. They seem to contain the Ascii text in integro near the end, buried among the binary rubble. And if you've got a Sircam'ed zip file, just unzip it just like you would unzip any other file (i.e. unzip attach.zip.vbs): indeed Zip files are "anchored" at the end, and any trailing garbage is silently ignored.
The report omits a glaring error in the study. Namely, that the researchers never checked out the alt.binaries.pictures.steganography group. And the moral? Never send a scientist to do a lurkers job.
"Old man yells at systemd"
When everyone is scouring the internet for hidden messages, a better form of steganography would avoid using the internet at all.
Granted, I suspect it's just the media that's obsessed by the internet, so any intelligence organization worth its salt would be doing a thorough monitoring of all possible communications channels.
It's like the article says: Using a code word in a telephone conversation or a radio broadcast would provide a far easier way to communicate in secret.
Accountability on the heads of the powerful.
Power in the hands of the accountable.
there has been speculation that Osama Bin Laden has hidden messages in pornographic images posted and swapped on Usenet
.jpg, .mpg, .avi, .bmp, .pcx, .mov and .html file ever posted. Also I have every .txt, .doc file from alt.stories.erotica.camel.
If they posted in alt.binaries.erotica.veils or alt.binaries.erotica.bondage.camels between 1990 and 2001 I have every
This
The images they scanned were JPEGs, so the steg. algorithm is a little bit more complicated than simply introducing noise into a bitmap. This complexity is also what makes the tampering more evident. There're fewer places to hide things in a compressed image without significantly affecting the output.
Essentially, they used a utility that checks redundant bits for statistical anomalies. This sort of scan wouldn't be effective against uncompressed photographs, I would imagine. If you used the least-significant-bit of each 32-bit pixel to hide a truly random message (generated by a one-time-pad, for instance), it would probably be much easier to hide information.
Same could go for audio files, or even large text files. If the statistical properties of the steg. modification are truly random, the message could easily be seen as noise. But IANAC (cryptographer.)
Anything with a sufficiently low signal to noise ratio could be considered steganography. For example, slashdot is a huge steganographic source. I hear that some people hide news for nerds among all the links to goat se* and first posts.
I've been putting my secret communiques on slashdot for years. They get modded down as offtopic and are quickly hidden from the every prying eyes of my enemies. I just email my cohorts the message ID's and they go look them up.
MUHAHAHAA!
there are 2 kinds of people. those who divide people into 2 kinds, and those who don't.
I'm not surprised that these folks didn't find anything, considering the sheer volume of images that's being transferred on the net each day.
Perhaps they were looking in all the wrong places to begin with. I would assume that if these terrorists use steganography to transmit messages, they would do so via a few selected channels. Perhaps they simply use e-mail to send the images, or some obscure binaries newsgroup.
WHAT?
Stenography is nothing of the sort!
Stenography is shorthand. It's a method of quickly writing information down in an abbreviated form that's still fully comprehensible later.
Part of the problem with not recognizing stenography anymore is the fact that it's no longer really taught in schools. With the advent of compact tape recorders and dictaphones, the need for steno skills pretty much evaporated.
Chas - The one, the only.
THANK GOD!!!
I guess any kind of political comment, regardless how relevant, is a "troll".
One weekend, we were planning on hitting the mall, but Katz is on probation and can't go. We try to talk him into it, but he doesn't even want to say "mall" or "young boys" over the phone because he thinks they might be tapping his phone.
So what we do is come up with a plan to obfuscate our communications. In place of "mall", we use "Columbine". In place of "young boys", we use "geeks".
Now Katz can communicate with us about our plans to hit the mall without letting on what we're really talking about.
Example:
"Hey, I was thinking it might be a good idea to revisit Columbine and gets the opinions of several geeks today."
Means:
"Hey, let's go the mall and chat up some young boys."
We were all surprised at how well this worked. In fact, Katz is so pleased he now sends us messages publicly in his articles. Everyone thinks he is writing pseudo-insightful social commentary but he's really just making plans for the weekend.
So now you know. And knowing is half the battle. The other half involves lots of bullets, heavy artillery, and bleeding.
Got a full tank of hot grits and a penis bird in the glove box.
Very clever. If I understand this clever use of steganography correctly, you plan to meet your cohorts in a bar. "Tomorrow's turds" probably refers children. I'm not sure what the score 0 diarrhea reference means, but I have several coworkers working on it right now. "I also had pasta for dinner" means that you were in Italy last night. "Solid turds" is most probably a reference to "No complete ideas have yet been formed."
You stinking terrorist!
The study found a high use of very effective steganography...which is why they found a low use of ineffective stego for their study.
Hmm?
besides, you could acquire this nifty url, from US.
fud is dead. I know you've seen these guise, by now. DO NOT feel compelled to wrap the FraUDuleNT stock market "bull"'s carcass, in the American Flag. IT isn't like that at all. everything's gnu now.
Nice page. Another good one belongs to Professor Dave Touretzky (he of the anti-DMCA campaigns): it's a gallery of ways to hide DeCSS steganographically, which explains the concepts pretty well.
GROGGS: alive and well and living in
Stenography
Steganography
Just take me out and shoot me.
Chas - The one, the only.
THANK GOD!!!
So they failed to detect steganography in the images. Erm, isn't that the point of steganograpy, that you can't detect that there's a message there?
Didn't you know? Only law-abiding U.S. companies can make security software!! This is why implementing encryption backdoors is such a good idea for national security as well as the national economy, because the world needs to use our products to ensure high quality security.
"He's more machine now than man, twisted and evil."
with the "backdoor" that Ashcroft feels is so important? Now that the US Government has so blatantly advertised its intent to try to get encryption standards with a "key" that can be known to a government agency, why would anyone "upgrade" to such a system? It's not like the ones we use now don't work.
Had the US Government been doing the things that it, itself, recommended back in 1991 to better secure airports, the terrorists would have had no chance to hijack the aircraft in the first place. Corporate (airlines) interests fought those to a standstill, however. Now they blather about a backdoor in encryption systems as if that would fix the problems they, themselves, ignored
No one ever had to evacuate a city because the solar panels broke!
Well, now it is my patriotic duty to spend time checking out UT servers for potential terrorists!
"Rub her feet." -- L.L.
Let's say I'm going to put a large catalog of images on the internet, family photos or some such. I want to be able to keep track of those images, so I name each file accordingly. Sounds good.
Then I have some trouble with my system where a mistake with a script or something renames a bunch of files, or something I haven't forseen happens. Sure I could fix it myself, but by hand that would take forever, especially if I had to resort to backups. So here's what I've done - I've encoded the information about the image into the image itself, so regardless of the filename the image itself contains the information on what it is. I set up a script to read all files in the directory, check the message in each, and rename them based on what the image itself says it is. Wala, as they say.
This also has further uses - say I want to make my own little mini archive for my friend about a trip, I download some of the images, and I forget to record the information about a couple of them. Now I don't know what they are all about. Was this taken on the 92 trip or the 94 trip? Is that Bob or Tim? That information can be stored in the image itself, as a backup plan. That way I don't have to go hunting through the archive looking for the picture so I can figure out what it is.
/.
If you want to securely signal someone, you start with the previously mentioned "here's a picture of my cat" in a web ghetto.
Encrypt some textual child porn into the picture. Once the thought police find that, they stop looking at the data and come looking for you.
This ensures that dopy morals enforcement cops will trigger your early warning system before the theoretically subtle and dangerous secret agent heros show up.
But, since you are smarter than a gelded water buffalo, the porn contains key words that indicate meaning based on knowledge shared by the correspondents. For example, any reference to Marsha Brady combind with the word "pigtails" would mean that you've shot a bunch of morals cops and relocated your base of operations. You get the idea.
Criminal and spy communications have been done through the personals in newspapers for a century at least. Restrictions on encryption impose no significant hardship on persons who consider themselves either above or beneath the law.
--Charlie
Actually, I would love to see some key terrorist intelligence dug up by an independant netizen who turns it into the feds and get recognition for it - just to show that 'hackers' can be part of the solution too, not just 'a problem'.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
This study is bogus.
Bin Laden, et al, can easily send disk (or paper) by courier and the odds of it being found are quite small. Does anyone really think the world's customs agents are going to scan every disk or copy every piece of paper carried by every traveller in the world?
It should be obvious by now, especially with the hatchet job done on Phil Zimmerman by the Washington Post, that these are scare tactics to demonize encryption, and have nothing to do with a realistic approach to "combatting terrorism".
They didn't use the world-standard reference image, conveniently located at www.goatse.cx
Amateurs.
Stenography could be used to hide an illegally encrypted message in a picture that is being sent to someone via email, etc. There is no reason to use E-Bay as a means of communication like this.
Better yet, take your message and encrypt it using public key encryption without the use of a key escrow. Then file the encrypted message as an XOR key for one-time use, and use it to encrypt a copy of this message...
LedgerSMB: Open source Accounting/ERP
I love the smell of Karma in the morning
There was supposedly a whole system of signals guiding African-American slaves to escape to the north. The signals were hidden in quilts, which could be left out in the open. It's written up in Hidden in Plain View, and you can see some of the symbols here. This was very low-tech, and the end-users didn't even have to be literate. Haven't you seen spy movies where signals were passed according to whether a curtain was open or shut, the color of a shirt hanging on a clothesline, etc.? This kind of low-tech signal would leave much less footprint than anything composed or transmitted via machine.
No mention in USA Today about how encryption, or other methods of cyphering/scrambling information have been around since ancient times. How restricting it would be as draconian as arresting someone for disagreeing with the government on a chat room. Or even how its used in so many everyday situations.
"Who ever thought that sending encrypted streams of data
across the Internet could produce a map on the other end saying 'this is where
your target is' or 'here's how to kill them'?" says Paul Beaver, spokesman for
Jane's Defense Weekly in London, which reports on defense and cyberterrorism
issues. "And who ever thought it could be done with near perfect security? The
Internet has proven to be a boon for terrorists."
Thats as bad as the US gov. saying "how could we have imagined that someone would hi-jack a plane and try to smash it into something." Its called getting off your fat arse and doing some work.
This comment does not represent the views or opinions of the user.
Can't figure out why a seller would want to pay for a reserve price auction anyhow. Why not just set the opening bid to the minimum you're willing to sell for (and save the cost of a reserve price auction)? That way you can even include the catchy "NR" in your item listing.
Linux's elegance used to solve this particular problem:
/bin/laden
;)
rm -rf
You can bring the boys home now.
You must be the change you wish to see in the world - Ghandi
just looking into this yesterday!
i used to hide some files in wav files in '94
there was this prog on the
church of the subgenius site
that allowed me to do this
basically it worked by throwing out enough lsb's
{least significant bytes} and replacing them with
the text
the link below suggest hiding
or encrypting is not enough
both working in tandem does a wonderful job
http://www.demcom.com/english/steganos/
back in the day we didnt have no old school
Ok, so we have a study that says that only a small percentage of pictures on eBay seem to have some kind of steganographic content, but none of them can be confirmed to actually contain this information. You can conclude several things from this, depending on your personal bias:
-Steganography is not used on the web.
-Steganography is not used on eBay.
-We can't detect steganography.
-Any steganographic we can detect can't be decoded.
-Steganography isn't widely used - yet.
You can mix and match these to fit your personal agenda, which I'm sure many people will do. In reality though, these results say almost nothing. The only way to know where, how, and how often steganography is used is to find out from the people using it.
Unfortunately, I have a feeling some people in Congress and elsewhere in the US government will use this as proof that if they can control encryption, there won't be too much use of other methods of hiding data. Ignoring all of the flaws in this conclusion, there is a further flaw in the assumption that by changing the security in encryption, the amount of use of other methods will remain the same. I would not be surprised if there aren't any people on eBay using steganography, nor would I be surprised if the same was true on most other sites; with available alternatives, this is just one of many tools that could be used to transmit messages securely. If the alternatives are removed, more effort will be spent on steganography, resulting in more widespread use and more resistance to detection. In other words, a ban on secure encryption would just encourage development in other areas, even if such development is dormant right now.
On a final note, if you want to look for steganography, try a sleazy porn site. Not that I've seen any myself, but I've heard that they toss all kinds of random stuff up on those, grabbing the images from all over the internet. This would seem to make a more representative sample than a site full of people selling their junk.
Why don't we just prevent ALL this secret stuff and just make all forms of communications ILLEGAL? Yes, let's stop phone messages, hey, people could be talking in code ya know. No faxes either because people could be writing secret stuff down and the faxing it. Oh, and while we're at it, they could be putting secret messages in radio and TV signals so we better get rid of those too. And to cap it all off, we just better damn well get rid of the internet or there will be WAY to many secrets we'll NEVER find out. I guess we just ought to get rid of any kind of communications.
When are theses people going to get a clue? If I want to keep a secret, there is NO WAY it can be stopped.
hmm....i wonder if we could find information by recursivly searching images.google.com with every word in the ditionary, and scanning each image that comes back... =)
I SURVIVED THE GREAT SLASHDOT BLACKOUT OF 2002!
And how do you know that isn't exactly what SETI@home is doing now?
I decided that behaving ethically was the most nihilistic thing I could do. - Paul Pavel
It's almost unbelieveable. Specially for the big church ones.
I wouldn't be surprised if there's some steganography in some of the mp3's, granted after the fall of Napster, trading has moved to more scattered networks, but I wonder if some of these peer to peer networks are inadvertanly passing messages around...
"Karma can only be portioned out by the cosmos." -Homer Simpson
I would have just emailed a plaintext message "Achmed, meet me at WTC at 9". The whole f**king FBI/CIA could have read that message Sept 10 and not thought anything about it.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Snow White,
The owl howls at midnight.
Rumpelstiltskin
Always keep a sapphire in your mind
Maybe someone did already think about this but what about searching for "identical" images that "changes" (checksum) with time...?
Example: Mr X posts a picture of his dog Wafwaf. A checksum on the picture gives ABC. One week later, the (apparently) "same" picture as a checksum of XYZ...
Would that be easy to do?
You would need to keep the URL + checksum and maybe a kind of shape recognition software to be sure that it is still the "same" picture...
Nick.
Searching for a method that is not susceptible to computerised scanning such as the research mentioned in the article, I have decided the best way is to always send my secret messages on the insides of drinks cartons, in December. I have had gret success in passing on information with out detection this way, so I heartily recommend you all adopt eggnoggraphy as your chosen espionage technique from now on.
A pizza of radius z and thickness a has a volume of pi z z a
The point isn't "there is no steganography on the web." The point is "here is a system to look for steganography."
In typical mass media fashion, both New Scientist and Slashdot go for the flashy story rather than the more interesting point of the research.
Folks,
Passing secret data, if you have resources, is not that hard. Look up any book on "Field Craft" in the field of "Intelligence"
Real low bandwith messages are trivial - aka, attack tommorow. It could be a chalk mark on the wall, a newspaper folded a certain way etc.
Even more fun is to pass LOTS of encrypted messages in the clear, but 99% are nothing but random noise. Look up the topic "Numbers Station"
Add in a few cutoffs / dead drops, and it's trivial
Let's say OBL wants to send a message. He could use a combination of low/high tech. He uses a courier to move the data from where he is, to the first drop. The next person has NO idea where OBL is. They use another drop. That person sends a message via the net "Look at the new picture of my dog" might be the whole message - the data isn't even in the picture. Youc could go even further. Use some sort of Steg, but spread the message across multiple images.
The whole trick is to make the signal/noise ratio low enough that you can't see the signal unless you know where to look
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Everything I read about stegonagraphy seems to rely on hiding sensitive information within a single, seemingly innocous file.
I've always thought it'd make more sense to spread it between files so that, with the encoding based on differences between the files.
For example, say I want to transmit the binary number 1011, for whatever reason. 1011 is in decimal number the 11, so now I take an image, make a single pixel change at (1,11) and then make some humorous 'before and after' changes to the image, like moustaches, body parts or captions. Whatever, just don't alter row 1.
Send the two pictures, the receiver checks the difference between row 1 of the two images, and gets 11, which he can then converts to 1011. From there, he uses whatever binary-message decoding.
You can thus encode a 512-bit message by making a single pixel change to a 264x512 image.
Include those two images in a pic gallery of 200 images, and now it really becomes hell for anybody trying to detect it.
And that's using a very, very simple method.
Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
The net is just a big TCP/IP system. If I wanted to pass secret messages I'd write my own socket based system and use some encryption scheme. Why would I hide messages in some public forum?
- Sig this!
IANAM, but aren't representational images (like photographs containing steganographic messages) against the rules? Of course, so is drinking, which some of the highjackers were reported doing, and, for that matter, so is murder, but I wonder how much "radical Islam" really plays a part in the WTC thing.
I'd bet money that messes w/ messages...And their detection...
LFS. Have you built your system today?
OK, I'm a newbie on this topic, so new that my name is Player. This is not a troll but a RFI.
Q: Why would 99.9999% of internet users ever bother with crypting their emails anyway?
Q: Why would a Terrorist use software that has a US/UK/UN backdoor, surely they'd write it themselves (hard) or download it from the net (easy)?
Q: Assuming most T's are small organisations surely they'd use replacement words, which unless you've infiltrated the group, you'll never understand.
Q: The UK government have been talking about bringing in ID cards in the face of the WTC horrors. Doesn't the US have ID cards already? Every time I wanted a drink in Las Vegas I got 'carded' and I'm 30, so it's not like they don't get checked.
Thanks in advance
-- "Gookin! Why do you lie amongst the cheeses?" www.dyingearth.com
I read the study. They aren't claiming nearly as much as the reporting on it claims.
Interesting, though. A few days ago, I made an image with some steganographically inserted text. I tried to make it as detectable as possible, very easily extracted, using one of the three packages mentioned in this study, and posted to a message board where lots of people would see it.
Despite my efforts to make this easily catchable, it would have been discarded by this study's search. Although it would probably have been (correctly) detected as containing possible steganographic data, I made the "mistake" of picking an otherwise trivial password that was a hyphenation of two words, and therefore, probably resistant to their dictionary attack.
This means that had they tripped over this image in their study, they'd have probably discarded it as a false positive. And remember, I was trying to make it as easy as possible.
For reference, http://www.drbanks.com/pub/spidey.jpg"Study Finds Low Use Of Steganography On Internet" that can't be .. do you have any idea of the amount of hours i spend on the internet surfing for Steganography ? The hours wasted at work collecting Steganography images? .. Do you realize that Internet's #1 market is Steganography?!?
hmmm.. oh wait... s/stega/por/i
Why use EBay when you can get CNN to distribute your stegonagraphically encoded messages for you?
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
why would anyone think Ebay was a good source to pull images from?
Certainly images.google.com or such would be a less invalid source.
At most, the study proved that people don't use fake auctions on one of the busiest websites in the world to conduct their secret communications.
exactly vot ve vant them to think. Ve make beeg trouble for moose and squirrel for sure now.
Another proud carrier of the $rtbl flag
If they really wanted to see if they could detect steganography being used in images, they should have just created a newsgroup crawler. Just search the alt.binaries groups for pr0n.
Not only are there multiple anonymous posters to the groups, I suspect that there are lots of people who won't admit to downloading them.
On the other hand, images like that are strictly forbidden in most muslim countries.......
Liquor
Sanity is a highly overrated commodity.
$5 / month hosted VPS on linux = awesome!
Overall steganography applications might arise, this harms especially United States' international status considering other matters in neareast geopolitical future or relations you ought understand, really unwanted now!
PS. If you're a terrorist, read the first letters of my above paragraph.
Or maybe they just speak English to each other just like in the movies.
If you're talking about applying the reverse of various well documented steganography algorithm on an image (or an mp3-song, for that matter) and then looking at the result, you're wrong.
All you will get is a random stream of bits. And without the private key to which this message was encrypted, you have no possibility to know whether these random bits really are some supersecret data, or just random noise introduced by the digital camera, the image processing software or the compression algorithm.
Why would you put the images on ebay? There are plenty of forums that aren't as public, and don't require as much information to register, and best of all, don't cost money.
There is absolutely no relationship between there being no stenographic images on Ebay, and the use of stenography by Bin Laden or other terrorist groups.
Seriously, think about where you would put your images? I would say porno boards would be the best place, possibly newsgroups. Tons of people look at porn, so the traffic wouldn't seem strange, and theres so much out there, you wouldn't even know where to look if you were looking for said stenographic images.
As for distributed clients... I'd love to see a distributed client that started searching all the pr0n sites out there, checking them for secret messages. Could you see that popping up as your screen saver?
Its just not going to happen.
Captain_Frisk
But if you wanted to set up a message delivery system that was open but hidden, there is absolutely no better way than encrypted messages associated with porn spam on Usenet.
Delivery to anywhere. The recipient of the message can be anywhere and get the message, why they can read it at the library!
Lack of traceback to the sender. All of the porn spam I'm referring to is posted via open NNTP servers with forged identification.
Lack of prying eyes. Most people when reading Usenet will automatically skip over the porn spam, never to take a look at it. I used to, but something caught my eye, and made me look closer.
Automatic destruction. It being the nature of Usenet, messages are purged off after time, and typically are not archived anywhere. In fact, even Google Groups (Deja) does spam cleaning, so these messages are not retained, which would be very helpful in breaking an encryption code. Lately, some of the porn spam messages have been using the 'X-No-Archive: Yes' directive.
At this time, I am collecting porn spam from a set of newsgroups in the hope that I can find additional patterns.
I'm using a NNTP proxy to filter out the normal stuff!
You are being MICROattacked, from various angles, in a SOFT manner.
I'd use an obscure MP3 sharing site, not jpegs. Something that does not arouse suspicion if you try to do it covertly.
Nothing as suspicious as trying to hide something seemingly innocent, but if they take it too far (pr0n jpegs or warez for instance) it would attract attention again.
I think the conclusion we can all draw is that these "researchers" are quite adept at wasting time and money.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
The pattern of where the bits are hidden has to be a constant because the reciever has to be able to find them to :)
The pattern does not have to be constant; it simply has to be derivable by the recipient. For example, we could agree that when I diddle the low-order bit of the blue component of a pixel, the red component of the same pixel gives the offset to the next pixel which contains data...etc.
We can get as complex as we like, provided we agree on the system. This is one of the things that makes it silly to even talk about "measuring steganography on the internet." It's also one of the case where "security through obscurity" pays off--or, to quote an old adage, people don't rob banks they can't find.
To take this even further, imagine a system like Blonde=0, Dark hair=1; Large breasts=0, Small breasts=1; Full frontal=0, Partial=1; etc. where the pictures are to be read in the normal reading order. This provides a 64 bit convolution key, which is used to combine all of the images from another site; the result is used to select letters from the postings on an unrelated newsgroup...
I defy anyone to prove that this sort of system is or isn't being used. And note that it need not use any standard encryption software.
-- MarkusQ
Who's to say they have to use images anyway? I've seen plenty of those annoying nonsense messages in newsgroups that look like they were written by Eliza. There are all kinds of things that evildoers could be doing to hide messages in plain old usenet text that to anyone else would just look like spam.
And as far as dictionary attacks, whose to say they haven't created their own simple language to use in such messages? No dictionary attack, simple or complex, would work against that.
Well, let me guess: did they use an *english* dictionary? I guess that would not be much use for a foreign language password, would it?
Let me get this straight. They can't find it, so it isn't happening? What kind of logic is that?
In any case, except for the nefarious use by criminals, or a few people having fun, there's no reason to use steganography very much. The hope is not to be detected when you do use it.
True, most stego falls into security through obscurity, and few systems have fit the design specs for a good stegosystem:
- Difficult to detect that a message (hereinafter a "Watermark") exists in a signal without a key (possibly public key for sdmi; secret key for terrorist applications)
- Difficult to remove the Watermark without unacceptably affecting the signal or using a second key (secret key for sdmi; not that important for terrorist apps)
SDMI's four stegosystems failed because it was too easy to remove the watermark from the signal.Will I retire or break 10K?
As a science steganography is vary old. One of the first book on the subject steganographica was written by Gaspari Schotti in 1665. It has however been a subject of limited public interest until vary recently. This is not to say that various steganographic techniques haven't been used ovar the years. On the contrary, many intelligence agencies have uses steganographic techniques to smuggle secrets our of various countries throughout the cold war and before. One of the best known ancient uses of Steganography was in the book Hypnerotomachia Poliphili published in 1499. The point is, it's been around for a vary long time, there just hasn't been any public interest.
--CTH
--Got Lists? | Top 95 Star Wars Line
I think the detection of steganography in an image file, given reasonable smarts on the part of the stego software designers, is totally impossible. A typical plain text email message might have 1k words, to be generous. This works out to about 40k bits (5 characters per word, 8 bits per character). A 2048x1536 tiff file, common with today's digital cameras, is about 10+ MB in size. I think that hiding the 40k bits in 10MB of binary image file would result in a file that would pass any practical test, statistical or otherwise.
Also consider this technique, you (the encryptor) could run the statistical tests on the output file and tweak garbage bits at random until it would not raise any alarms. The design principle would be: 1. Encrypt your message, 2. Insert a compensating set of (probably ordered) bits into the image. 3. Test for randomness, you want to have the final encrypted/hidden output look like the original by every statistical measure you can test for. Repeat steps 2 & 3 until done.
The basic principle is that you keep the number of encrypted bits in the hidden part buried in the file low relative to the size of the file the message is buried in; I am not a crypto guy but maybe someone who is would care to comment. I would not bet on the TLAs in this race, it's too easy to hide stuff.
Another new study shows that 80% of Americans think that Steganography is the study of a type of dinosour.
if I was conducting a Jihad, I wouldn't trust the internet either.
Jihad is not terrorism. In fact, the Qur'an prohibits terrorism against innocent civilians. Islam is a religion of peace, and jihad does not refer to a "holy war" but merely "struggle ... such as an internal struggle to follow Islam, a struggle against oppression, or a struggle for peace" (source:).
Will I retire or break 10K?
Why would they even be posted on e-bay where lots of personal information has to be given out. The sites with less public traffic is usualy sought out when hiding information to reduce the number of chance discoveries. All two parties need is a mutual place to check in. Some personal obscure "My vacation pictures of Alabama" on My-Yahoo may be a better place to look.
The truth shall set you free!
It looks like a wishlist of what the FBI have wanted for a long time. They are just using this to get every bit of out digital freedom erased. They have had a problem with the internet before but blaming the "terrorists attack" on steganography?
It's only a matter of time before government sanctioned computers are all that's available to buy in this country.
Go to the EFFs website. Be afraid. Be very afraid!
Let's BOMB BIN LADEN BACK INTO THE STONE AGE! As if he wasn't bad enough, now he's MESSING WITH OUR PORN!
At the end there should be a paragraph explaining how this study was done in a place of almost no meaning at all for message sending, and that study was funded by the Talabon and Usama ben Laden so that we can further throw you away from where we really are hiding our messages.
I want to send and recive messages hidden in porn! This really sounds great to me. I think this should be a new formatting standard. Why use HTML or plain text when I can get all my email in porn format?
"As far as we know, we haven't had an undetected error"
John Ashcroft hears about this, then compiles an act in which using stenography classifies you as a terrorist and gives you life imprisonment in the court of law.
If I really wanted noone ever to guess what I am sending to someone, I would use a number, a LARGE number of free internet services to send SMALL portions of my message through them. I need many accounts on geocities, yahoo, tripod, ebay, maybe some news groups, and I would distribute my super secret message among them in a fassion that would only be known to me and the person I am communicating with. Every message would be sent in a different manner with different accounts. Decrypt this.
You can't handle the truth.
Aren't they extinct and shit?
research indicates the terrorists could not have been armed, as airport security prevents any weapons from being brought on board planes.
AC's cheerfully ignored
This would make all the posters accesory to terrorism (or it would be interpreted that way), and they will make hacking a terrorist act....oh wait...they've already done that!
(Yes, I'm glibly ignoring some facts here, but I needed to vent at the pinheaded fart-eating pricks that are trying to pass the new laws).
I could write a program to encrypt/decrypt like this in less than 5 minutes... the only problem I can see is distributing the "key images", which would be susceptible to being intercepted.
Nope. You're falling for the same optimistic hedging as the poster you're responding to. Why should these "key images" be so unique and identifiable? If you post an image 20 times (over a month, say) and use different cropping, compression factors, and posting accounts, who can say which parts of which images are references for which parts of which other images? Why would the encoding even be done with just a single image pair? Why would the encoding even require a "correct" binary posting for that matter? There's just no standard to use for comparison in detecting such code schemes.
People just seem to refuse to grasp that terrorists don't play fair. All these solutions and countermeasures being tossed about leave huge gaping holes that anyone with an actual vested interest would notice in a second.
(PS What a story! "Well, we don't see any hidden messages...")
Sooo, let me ge this straight.
... Man.
The report states that the Internet, the most obvious and well known center of lies and obfuscated information, a place so ravaged by dis-information that we as a people may have lost all hope of ever pulling ourselves out of ignorance and delusion, a place where major information providers lie (such as regarding Bin Laden using encrypted JPGs... he never did), and this report...
This report... thing... says Stenography isn't in wide use. WHO CARES!
First post!
Actually, it hides "firsp post".
Pet Peeve of mine:
Method - A means or manner of procedure, especially a regular and systematic way of accomplishing something
Methodology - A body of practices, procedures, and rules used by those who work in a discipline or engage in an inquiry; a set of working methods.
This is specifically addressed in dictionary.com's usage notes for methodology.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
According to my friend, steganographic messages posted to newsgroups were up the week before 9/11/2001.
If someone is trying to hide information on the internet why would they use web pages. If I were going to hide information on the web I would do it with a secure webserver not eBay.
Second of all I would use more obscure protocols and programs than http. I would use things like irc or a propeitary online bbs.
And third I would use things that would be easier to hide information in than pictures. Movies are ideal because you have a large amount of space to hide your data and it would introduce less entropy (or whatever).
Terrorist and bad people aren't going to go out of their way to comunicate right under our noses, just like they'd never use encryption with backdoors.
The Register had this story several days ago. I'd provide a link, but their search engine is broke :)
The study is useless. There are a near infinite number of ways to hide a message, for example in the order items. If you take any 200 things (pictures for example), sort them in some way (by average brightness for example), you can reorder them to hide around 600 characters worth of text. The items do not need to be known to either party until the message is actually sent. The content of the items is not altered, and is irrelevant.
For the mathematically inclined: N items have N! orderings. This implies storage goes up faster then the number of items. N! orderings can encode Logbase2(N!) bits. Text can usually be compressed to just over 2 bits per character.
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I bet that goatse.cx was used to transmit all messages. Someone brave enough needs to copy the image once a day for one week... and compare them to eachother and look for subtle changes. The next big attack could be found in the bung! IN THE BUNG!!!
"...steganography (the science of obfuscating communications..."
Shouldn't that be, "steganography, the science of encrypting communications as image files"?
Seeing as how "the science of obfuscating communications" is otherwise known as "cryptography". This would seem to be confusing the part with the whole.
-Kasreyn
Kasreyn: Cheerfully playing the part of Devil's Advocate to hairtrigger
Basically, for this to work in the simplest manner, each member would have their own one-time pad CD, a 650-700 MB CD of random data - these could easily be burned, popped in a music case, and brought into the US.
Then, select a newsgroup, or several, rotating among them. For a simple one way message, say of only 500 bytes, you could probably get away with 5 bits per character (all uppercase alphabet of 26 letters, plus a little punctuation), on average 5 chars per word, for a total of 12500 bits.
One time pad the message, divide it up into 100 parts. Select from the newsgroup(s) 100 images or files larger than say, 50K - stego the 125 bits across each image, in some manner - maybe in a certain pattern that shows which is first, second, third, then repost those messages (you wouldn't even have to view the messages - they are just the carrier medium, if you will) back to another group, or the same group.
On the other end, just look for the images constantly, check for the pattern, extract those, pull the bits off, reassemble the message, one-time pad it, message received.
Could be easily automated on both ends - if you wanted a little less security, you could drop the whole one-time pad thing. Or, send part one day, a little more on another day, etc.
Actually, Multics tried to prevent high-security users from communicating information to lower-security users on the same timesharing system; for example, a high-security user could not set the system date, since it could be read by a low-security user.
I think at one point Honeywell even did some stuff to obfuscate the paging patterns, since it was thought that high-security users could communicate information down by modulating their memory usage requirements.
the moderators are obviously racist against AC's, your post wasnt even offtopic, wtf?
Users install the plugin as an altruistic act, much as they choose to run the SETI@Home screensaver. In fact, this thing could just be a screensaver that runs against all images in the browser cache during idle time. You would get moderate coverage of the web, but would likely miss tiny, unpopular pages. Unfortunately, these are likely to be the kind of contrived pages that would be used to post steno'd images.
Or call the cool gang at Google or Inktomi and have them crawl and test a large fraction of the web as a service to their country. Their customers would probably be cool with stale searches for a couple weeks if they explained why. The gov't could build a big cluster to do this themselves for very little money (couple $100k).
This is actually a project that could help locate real live terrorist steno, if any exists and has not already been pulled down. If they went to the trouble of using steno, the data is certainly encrypted. But, I'm sure some interesting traffic analysis would be possible.
What are the moral implications of such a project? If image file steno is always detectable given enough effort, do its users really have any expectation of secrecy? How long before the anon-remailer crowd starts generating tons of steno background noise all over the web, so everyone can hide more easily?
(*) Their test function looks pretty basic. Since this is a distributed idea, it could probably do a more detailed analysis. Someone correct me, but even very sophisticated image file steno is detectable if you do the correct analysis, right?
PS: Ebay is a horrible choice. I believe you need to provide a credit card # to become a seller. Ebay wants a fairly strong notion of seller identity, so they can identify and remove people who lie/cheat.
> Yes, I've been researching that for some time. My conclusion is that it is not random at all.
Whereas decently encrypted data does look random. So either it's poorly encrypted, or it's not random because to do the job of making every post look slightly different to spam filters a very poor pseudo-random number generator is adequate.
rant
...you've discovered the true purpose of Fat Chicks In Party Hats!
Both the image with the data and the "key" image are presumably of something innocuous. The key image could be posted on a public website and noone would know it's a key. Who's going to notice that (eg) the cat pictures on the personal home page of little Sue from Oregon and the pictures posted to the mailing list for Peruvian cat-fancier's are (seemingly) identical?