Slashdot Mirror
Study Finds Low Use Of Steganography On Internet
schnippy writes: "New Scientist reports on new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.
PGP, and most encryptions are 'obvious'. There's a large PGP header denoting version, user name, et al.
The point of stego is to conceal the fact that something is being sent.
Stego works best in conjunction with crypto. Hide encrypted data in an image, or song.
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
>>>>The whole point of stenography is that people CAN'T spot the fact that you're using it!
Yes, to the naked ear/eye. But by analysing the bits (low significant ones) it can be detected wether the bits are randomly distributed (no information) or has some sort of order (stenography detected).
Of course encryption followed by stenography would be difficult to detect since the encrypted data, I've been told, is more random in distribution.
For example the xor'ing of a random data string with any other string, will result in a new random data string. The original string can be recovered by a xor'ing again.
Nice page. Another good one belongs to Professor Dave Touretzky (he of the anti-DMCA campaigns): it's a gallery of ways to hide DeCSS steganographically, which explains the concepts pretty well.
GROGGS: alive and well and living in
I don't agree with you, actually...
If binary "1"s are encoded as "different than original image, and 0's are "same as original image", you could change the pixel value by +/- 1 to suit the general area of the image.
If you look closely at any scanned or digitally captured image, there's always a "noise factor", from sensor gain, etc. A value change of 1 would not be detectable due to a noise level of at least 1 pixel value.
You could also triple your data density by encoding the R, G, and B channels separately. This could potentially be a little more noticable, but not by much. You could also encode them in different orders (rgbrgb... rrrrggggbbbb, whatever order you want) to further encrypt it.
The only images that do not have noise are digitally created images (i.e. rendered, or drawn in a computer). Just JPEG compressing an image causes noise of more than 1 value.
I could write a program to encrypt/decrypt like this in less than 5 minutes... the only problem I can see is distributing the "key images", which would be susceptible to being intercepted. You could always distribute them on a hard medium (CD), and trust that noone is a spy in your group. I'd probably distribute a few hundered "refrence images".
MadCow.
I used to have a sig, but I set it free and it never came back.
20 January 2017: the End of an Error.
You are so wrong. This is just like encryption: Intuitively, everyone thinks it is easy to scramble information, but eventually, cryptanalysis got sophisticated, and we learned that only mathematically sophisticated, rigorously reviewed cryptography has a chance at being safe. Similarly, amateur steganography schemes are probably worthless.
-go through the image in a certain direction, and change each pixel value by 1 to encode a binary "1", or leave it alone to encode a binary "0".
Of course the method you describe isn't detectable to the naked eye. But it would be trivial to detect it statistically. Just look at the gradients in adjacent pixels. In you image, they will be jumpier than in a normal image. Go check out stegdetect to see some of their techniques and results.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
Why even make the site 'public'? Restrict access, and don't have a link on your main page pointing to a hyper-secret-photo.
Because that would defeat the whole point of using steganography. The idea is that terrorists can talk to each other without the government knowing that they're even talking to each other. If only one person visits the site, you might as well just email the encrypted data.
If 10,000 people all view the picture, how do you know which one is actually receiving the information? It's just one more layer of "security".
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Their report indicates one of three possible explanations for this
Perhaps we could add:
4. They are detecting simple watermarks generated by normal image processing tools such as Photoshop.
Is this a fourth possibility? After all, the watermarks are effectively embedded using steganographic methods, and the 'encrypted content' would simply be the creator's identification.
Although the study notes that watermarking is similar to steganography, but is generally embedded in a 'more robust manner', nowhere does it imply that they tried to determine whether the their detection tools were falsely detecting normal watermarking, or if they were allowing for the 'random bits' that would be created by watermarking. Indeed, they admit that a watermark will affect many of the same things that steganographic content will.
Nowhere in the study does it imply that they actually tried to check for watermarking in order to allow for or eliminate the watermarked images, just checking for data that seemed to fit the format for 'released steganographic tools'.
In addition, they note that verifying that an image has hidden content requires attempting to decrypt the hidden content using one of the 3 tools that they were testing for - and failed on all of the tests - so I take this as further evidence that they didnt' check for simple watermarks.
And a lot of posters on ebay will simply grab an image from a manufacturers site - and those images may well be watermarked.
To me, this seems like a "feel good" story designed to put people at ease. It has little actual merit.
I agree.
Liquor
Sanity is a highly overrated commodity.
If you're talking about applying the reverse of various well documented steganography algorithm on an image (or an mp3-song, for that matter) and then looking at the result, you're wrong.
All you will get is a random stream of bits. And without the private key to which this message was encrypted, you have no possibility to know whether these random bits really are some supersecret data, or just random noise introduced by the digital camera, the image processing software or the compression algorithm.
if I was conducting a Jihad, I wouldn't trust the internet either.
Jihad is not terrorism. In fact, the Qur'an prohibits terrorism against innocent civilians. Islam is a religion of peace, and jihad does not refer to a "holy war" but merely "struggle ... such as an internal struggle to follow Islam, a struggle against oppression, or a struggle for peace" (source:).
Will I retire or break 10K?
Users install the plugin as an altruistic act, much as they choose to run the SETI@Home screensaver. In fact, this thing could just be a screensaver that runs against all images in the browser cache during idle time. You would get moderate coverage of the web, but would likely miss tiny, unpopular pages. Unfortunately, these are likely to be the kind of contrived pages that would be used to post steno'd images.
Or call the cool gang at Google or Inktomi and have them crawl and test a large fraction of the web as a service to their country. Their customers would probably be cool with stale searches for a couple weeks if they explained why. The gov't could build a big cluster to do this themselves for very little money (couple $100k).
This is actually a project that could help locate real live terrorist steno, if any exists and has not already been pulled down. If they went to the trouble of using steno, the data is certainly encrypted. But, I'm sure some interesting traffic analysis would be possible.
What are the moral implications of such a project? If image file steno is always detectable given enough effort, do its users really have any expectation of secrecy? How long before the anon-remailer crowd starts generating tons of steno background noise all over the web, so everyone can hide more easily?
(*) Their test function looks pretty basic. Since this is a distributed idea, it could probably do a more detailed analysis. Someone correct me, but even very sophisticated image file steno is detectable if you do the correct analysis, right?
PS: Ebay is a horrible choice. I believe you need to provide a credit card # to become a seller. Ebay wants a fairly strong notion of seller identity, so they can identify and remove people who lie/cheat.