Slashdot Mirror
Study Finds Low Use Of Steganography On Internet
schnippy writes: "New Scientist reports on new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.
...does anyone else think that "steganography" is just the latest in annoying media-driven hysterics? Every month there's a new buzzword that exists simply to point out the "evils" of the internet...
MAYBE this is just another one of those words!! With so many other more effective and simple methods of encryption (read: PGP), why would anyone go to all the trouble?
So does someone have a super-duper steganography-detection algorithm, or what?
Maybe they assume in color-discretized images that images having RGBs one-off of their surrounding pixels are steganographic? I gotta write a filter to induce 1-off color changes then, just to keep 'em busy. =)
Or are these people just freakin morons?
--- The reclining dragon deeply fears the blue pool's clarity.
And who says that you have to post images to send a message? Maybe posting a baseball card for sale means that a cell is to attack on the day that the auction closes. A Sammy Sosa card means we fly into the Sears Tower; a Thurman Munson card means the WTC. The starting bid is the price is the time at which it's to happen.
The whole point of steganography is that the outside world doesn't even know what your encoding system is, much less be able to decipher it.
From what I heard, not that I have any clue what I'm talking about other then what I've seen on the news and water cooler talk. But, they don't even use computers for the most part. Not only are they low-tech, they are no-tech. I don't see what the fear is other then some goverment officials taking advantage of the mass hysteria.
Putting restrictions on cryptography and steganography is akin to closing the barn door after the cow's run off.
Apologies for stating the obvious, but someone has to.
Yeah, if I was going to hide a message, I'd use commonly available tools already out there. *sigh*
Terrorists are not stupid. I would think a home-brew methods would be better in many circumstances.
These people aren't communicating with 45 meg Powerpoint Presentations outlining the plans. Short, concise messages could be encrypted with previously agreed upon one-time pads, hidden in a few bytes of an image, or even across 8 or 10 images across multiple sites. These people have time and a mountain of data to hide in.
Apart from the fact that by default, good steganography should be undetectable, it appears that e-bay is a poor site to use. By default, the user posting a sale has to exist in some manner, unless a new identity is created for each item to be sold - which makes sense, but the bottom line is that it is a pain to keep creating e-bay accounts, and making up e-mail addresses.
Something on the newsgroups would be a much better place to look. the alt.binaries.pictures.* areas. Almost total anonymity.
If I were to want to communicate this way, I would avoid e-bay.
gus
.. if only.
is like trying to prevent a germ warfare attack.
The truth is, that even if we had known about the WTC attack we could not have prevented it without causing an economic loss of millions of dollars in the city of New York that our current hero-mayor -- Rudy Giuliani -- would have prevented, to the accolades of his fellow citizens if an attack had not come.
You have to do so much alteration to the medium which you are trying to keep free of bad stuff, be it Internet porn or our daily lives, that the medium itself is changed beyond recognition. It's not worth it.
Unlike a specific cryptographic algorithm, steganography is a group of methods that take advantage of the huge volume of information that passes over the internet.
Unless you want to dramatically slow down the transfer of all information, making sure the file looks the same at each gateway it passes through, there is very little you can do to catch people who disguise information in this way.
ObL is a modern terrorist, using modern methods to operate and communicate. He want us to be afraid of our own modern trappings and conveniences in our lives; if we try to make it impossible for him to communicate, we give up far too much ourselves.
We must allow full encryption freedom, full steganography freedom, and all otehr lifestyle freedoms in the US and around the world.
Traditional deterrence methods, such as massive military response, should be used to stop terrorists; we need to stop them after their attacks, and instill fear in others who would attack through a terrifying military response, unfortunately against the innocent as well as the guilty.
Goat sex free since 2001
Why even make the site 'public'? Restrict access, and don't have a link on your main page pointing to a hyper-secret-photo.
It's absurdly trivial to hide something, for a short time at least.
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
with the "backdoor" that Ashcroft feels is so important? Now that the US Government has so blatantly advertised its intent to try to get encryption standards with a "key" that can be known to a government agency, why would anyone "upgrade" to such a system? It's not like the ones we use now don't work.
Had the US Government been doing the things that it, itself, recommended back in 1991 to better secure airports, the terrorists would have had no chance to hijack the aircraft in the first place. Corporate (airlines) interests fought those to a standstill, however. Now they blather about a backdoor in encryption systems as if that would fix the problems they, themselves, ignored
No one ever had to evacuate a city because the solar panels broke!
Stenography could be used to hide an illegally encrypted message in a picture that is being sent to someone via email, etc. There is no reason to use E-Bay as a means of communication like this.
Better yet, take your message and encrypt it using public key encryption without the use of a key escrow. Then file the encrypted message as an XOR key for one-time use, and use it to encrypt a copy of this message...
LedgerSMB: Open source Accounting/ERP
There was supposedly a whole system of signals guiding African-American slaves to escape to the north. The signals were hidden in quilts, which could be left out in the open. It's written up in Hidden in Plain View, and you can see some of the symbols here. This was very low-tech, and the end-users didn't even have to be literate. Haven't you seen spy movies where signals were passed according to whether a curtain was open or shut, the color of a shirt hanging on a clothesline, etc.? This kind of low-tech signal would leave much less footprint than anything composed or transmitted via machine.
There hasn't been much need for steganography so far.
But if encryption is outlawed, then steganography will enjoy considerable growth as people find that the only way to secure their data is to hide the fact that they are doing so.
With regards to Bin Laden, I continue to maintain that his use of high tech is overstated. (But making such statements is probably a great way to get government funding for fun stuff, make it look like "we're doing something", etc.)
Low-tech means of infrequent verbal communications, not in Western language and frequently not conducted over electronic means, are more than sufficient to hide covert activities.
Yeah, I can just see ObL and his gang firing up the diesel generators in their rural Afghan camp, setting up their satellite cell phones to upload and download complicated set of instructions that have been steganographically encoded. Give me a break. There are easier ways for him to communicate that are far less risky.
"Provided by the management for your protection."
The point isn't "there is no steganography on the web." The point is "here is a system to look for steganography."
In typical mass media fashion, both New Scientist and Slashdot go for the flashy story rather than the more interesting point of the research.
Folks,
Passing secret data, if you have resources, is not that hard. Look up any book on "Field Craft" in the field of "Intelligence"
Real low bandwith messages are trivial - aka, attack tommorow. It could be a chalk mark on the wall, a newspaper folded a certain way etc.
Even more fun is to pass LOTS of encrypted messages in the clear, but 99% are nothing but random noise. Look up the topic "Numbers Station"
Add in a few cutoffs / dead drops, and it's trivial
Let's say OBL wants to send a message. He could use a combination of low/high tech. He uses a courier to move the data from where he is, to the first drop. The next person has NO idea where OBL is. They use another drop. That person sends a message via the net "Look at the new picture of my dog" might be the whole message - the data isn't even in the picture. Youc could go even further. Use some sort of Steg, but spread the message across multiple images.
The whole trick is to make the signal/noise ratio low enough that you can't see the signal unless you know where to look
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
The canonical answer is - for the same reason you put a letter in an envelope, not just write on a postcard every time. for a lot of things (particularly love letters and business negotiations) you don't want anyone but the intended recipient to read it.
Q: Why would a Terrorist use software that has a US/UK/UN backdoor, surely they'd write it themselves (hard) or download it from the net (easy)?
They wouldn't use broken software, and it is impossible to force them to without a 100% scan of all email.
Q: Assuming most T's are small organisations surely they'd use replacement words, which unless you've infiltrated the group, you'll never understand.
Or use steganography, yes.
Q: The UK government have been talking about bringing in ID cards in the face of the WTC horrors. Doesn't the US have ID cards already? Every time I wanted a drink in Las Vegas I got 'carded' and I'm 30, so it's not like they don't get checked.
It is sad, but all sorts of control freaks have come out of the woodwork, waving laws that got voted down last time they tried it with "terrorist" scribbled in at a few places to make them look a bit different. ID cards would do nothing against terrorism - it is likely we will never know the real names of the terrorists, given how many seem to have popped up and said "no, I am still alive here" when named.
-=DaveHowe=-
$5 / month hosted VPS on linux = awesome!
Why would you put the images on ebay? There are plenty of forums that aren't as public, and don't require as much information to register, and best of all, don't cost money.
There is absolutely no relationship between there being no stenographic images on Ebay, and the use of stenography by Bin Laden or other terrorist groups.
Seriously, think about where you would put your images? I would say porno boards would be the best place, possibly newsgroups. Tons of people look at porn, so the traffic wouldn't seem strange, and theres so much out there, you wouldn't even know where to look if you were looking for said stenographic images.
As for distributed clients... I'd love to see a distributed client that started searching all the pr0n sites out there, checking them for secret messages. Could you see that popping up as your screen saver?
Its just not going to happen.
Captain_Frisk
As a science steganography is vary old. One of the first book on the subject steganographica was written by Gaspari Schotti in 1665. It has however been a subject of limited public interest until vary recently. This is not to say that various steganographic techniques haven't been used ovar the years. On the contrary, many intelligence agencies have uses steganographic techniques to smuggle secrets our of various countries throughout the cold war and before. One of the best known ancient uses of Steganography was in the book Hypnerotomachia Poliphili published in 1499. The point is, it's been around for a vary long time, there just hasn't been any public interest.
--CTH
--Got Lists? | Top 95 Star Wars Line
I think the detection of steganography in an image file, given reasonable smarts on the part of the stego software designers, is totally impossible. A typical plain text email message might have 1k words, to be generous. This works out to about 40k bits (5 characters per word, 8 bits per character). A 2048x1536 tiff file, common with today's digital cameras, is about 10+ MB in size. I think that hiding the 40k bits in 10MB of binary image file would result in a file that would pass any practical test, statistical or otherwise.
Also consider this technique, you (the encryptor) could run the statistical tests on the output file and tweak garbage bits at random until it would not raise any alarms. The design principle would be: 1. Encrypt your message, 2. Insert a compensating set of (probably ordered) bits into the image. 3. Test for randomness, you want to have the final encrypted/hidden output look like the original by every statistical measure you can test for. Repeat steps 2 & 3 until done.
The basic principle is that you keep the number of encrypted bits in the hidden part buried in the file low relative to the size of the file the message is buried in; I am not a crypto guy but maybe someone who is would care to comment. I would not bet on the TLAs in this race, it's too easy to hide stuff.