Slashdot Mirror
Study Finds Low Use Of Steganography On Internet
schnippy writes: "New Scientist reports on new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.
The whole point of stenography is that people CAN'T spot the fact that you're using it!
i think the extinction of the dinosaurs wiped out steganography; the mysteries of how the stegasaurus learned to write with its' tail will never be known to any of us...
...does anyone else think that "steganography" is just the latest in annoying media-driven hysterics? Every month there's a new buzzword that exists simply to point out the "evils" of the internet...
MAYBE this is just another one of those words!! With so many other more effective and simple methods of encryption (read: PGP), why would anyone go to all the trouble?
And who says that you have to post images to send a message? Maybe posting a baseball card for sale means that a cell is to attack on the day that the auction closes. A Sammy Sosa card means we fly into the Sears Tower; a Thurman Munson card means the WTC. The starting bid is the price is the time at which it's to happen.
The whole point of steganography is that the outside world doesn't even know what your encoding system is, much less be able to decipher it.
From what I heard, not that I have any clue what I'm talking about other then what I've seen on the news and water cooler talk. But, they don't even use computers for the most part. Not only are they low-tech, they are no-tech. I don't see what the fear is other then some goverment officials taking advantage of the mass hysteria.
- There is no significant use of steganography on the Internet.
- Nobody uses steganographic systems that we can find.
- All users of steganographic systems carefully choose passwords that are not susceptible to dictionary attacks. (emphasis mine)
In response to number 3, I'd like to say, "well, duh". Anyone clever enough to transmit messages via steganography is not going to be stupid enough to potentially compromise themselves by choosing a simple password.But beyond that, this search is limited to one small part (Ebay) of the entire Internet. There are certainly many other places where images can be transmitted inconspicuously (certain usenet groups come to mind).
To me, this seems like a "feel good" story designed to put people at ease. It has little actual merit.
www.scorbett.ca
people on slashdot think they're so clever, using that rot-26 encryption...
FreeBSD for the impatient.
Ebay seems like a poor choice for stenography. First off, you have to actually sell something to get a picture on Ebay (IIRC), and I doubt the terrorists are going to want to bother with having buyers on their back all the time.
It seems to me like it would be much easier just to set up some random Geocities site with text like:
Hi, I'm Lisa Smith and this is my site about me and my 10 cats!
Then include several pictures of 10 different cats, including some with covert information. If you need new information you can reencode some of the pictures and reupload them. Other messages can be sent by subtly changing the HTML (adding and deleting extra spaces for instance).
I still can't figure out why they thought the images would be one Ebay.
I read the internet for the articles.
Apart from the fact that by default, good steganography should be undetectable, it appears that e-bay is a poor site to use. By default, the user posting a sale has to exist in some manner, unless a new identity is created for each item to be sold - which makes sense, but the bottom line is that it is a pain to keep creating e-bay accounts, and making up e-mail addresses.
Something on the newsgroups would be a much better place to look. the alt.binaries.pictures.* areas. Almost total anonymity.
If I were to want to communicate this way, I would avoid e-bay.
gus
.. if only.
I could easily encode a message into an image, and NOBODY could detect that one was there, even through careful examination... why would this study be accurate?
For example:
-take an original image as a reference
-encode a message into binary 1's and 0's (use encryption if you like, or just the binary ascii equivalent)
-go through the image in a certain direction, and change each pixel value by 1 to encode a binary "1", or leave it alone to encode a binary "0".
-distribute a "reference image" separately that can be used to decode the image (like a key)
-use a simple algorythm to compare the original and reference, which will give you a binary sequence
-decode the binary sequence using whatever method you used to encode it
Unless you have the reference image, you're screwed. Changing RGB values by 0 or 1 will not be detectable, and will easily blend in with the noise of most images.
The only thing you can't do is compress the image with JPEG or other "lossy" compression routines.
How could you detect this? How could you prevent it from being used? You can't, unless you know the reference image. I could post secret messages on the front page of CNN.com and nobody would know (ok, assuming I had access to CNN.com to post an image).
MadCow.
I used to have a sig, but I set it free and it never came back.
is like trying to prevent a germ warfare attack.
The truth is, that even if we had known about the WTC attack we could not have prevented it without causing an economic loss of millions of dollars in the city of New York that our current hero-mayor -- Rudy Giuliani -- would have prevented, to the accolades of his fellow citizens if an attack had not come.
You have to do so much alteration to the medium which you are trying to keep free of bad stuff, be it Internet porn or our daily lives, that the medium itself is changed beyond recognition. It's not worth it.
Unlike a specific cryptographic algorithm, steganography is a group of methods that take advantage of the huge volume of information that passes over the internet.
Unless you want to dramatically slow down the transfer of all information, making sure the file looks the same at each gateway it passes through, there is very little you can do to catch people who disguise information in this way.
ObL is a modern terrorist, using modern methods to operate and communicate. He want us to be afraid of our own modern trappings and conveniences in our lives; if we try to make it impossible for him to communicate, we give up far too much ourselves.
We must allow full encryption freedom, full steganography freedom, and all otehr lifestyle freedoms in the US and around the world.
Traditional deterrence methods, such as massive military response, should be used to stop terrorists; we need to stop them after their attacks, and instill fear in others who would attack through a terrifying military response, unfortunately against the innocent as well as the guilty.
Goat sex free since 2001
Ignoring terrorists for the moment, what about the rest of us?
Most of us agree that use of encryption is probably a good thing. (Envelope as opposed to postcard and all that.)
So, how do we get normal folks to use encryption? By creating tools that interface well with the tools normal folks use. If that means writing a plugin to outlook, so that the braindead can encrypt the latest virus they're trying to pass me, we should do it.
The study is about detecting stego when normal tools are used for the encryption. It doesn't suggest that the message is easily extracted, and it's foolish to suppose that terrorists will only use the most commonly available tools.
What can we do to get normal folks to use stego, PGP, or other forms of encryption?
I think that we spend a lot of time on Slashdot arguing about Linux and it's place on the desktop, when we could be focusing on encryption as well, and how to make it ubiquitous.
The report omits a glaring error in the study. Namely, that the researchers never checked out the alt.binaries.pictures.steganography group. And the moral? Never send a scientist to do a lurkers job.
"Old man yells at systemd"
there has been speculation that Osama Bin Laden has hidden messages in pornographic images posted and swapped on Usenet
.jpg, .mpg, .avi, .bmp, .pcx, .mov and .html file ever posted. Also I have every .txt, .doc file from alt.stories.erotica.camel.
If they posted in alt.binaries.erotica.veils or alt.binaries.erotica.bondage.camels between 1990 and 2001 I have every
This
Moderators, beware! That post decrypts to "fr15t p0st!!!" It's not a funny post, it's off-topic! Don't let your points be spent carelessly!
"Rub her feet." -- L.L.
Well, now it is my patriotic duty to spend time checking out UT servers for potential terrorists!
"Rub her feet." -- L.L.
Stenography could be used to hide an illegally encrypted message in a picture that is being sent to someone via email, etc. There is no reason to use E-Bay as a means of communication like this.
Better yet, take your message and encrypt it using public key encryption without the use of a key escrow. Then file the encrypted message as an XOR key for one-time use, and use it to encrypt a copy of this message...
LedgerSMB: Open source Accounting/ERP
There was supposedly a whole system of signals guiding African-American slaves to escape to the north. The signals were hidden in quilts, which could be left out in the open. It's written up in Hidden in Plain View, and you can see some of the symbols here. This was very low-tech, and the end-users didn't even have to be literate. Haven't you seen spy movies where signals were passed according to whether a curtain was open or shut, the color of a shirt hanging on a clothesline, etc.? This kind of low-tech signal would leave much less footprint than anything composed or transmitted via machine.
Ok, so we have a study that says that only a small percentage of pictures on eBay seem to have some kind of steganographic content, but none of them can be confirmed to actually contain this information. You can conclude several things from this, depending on your personal bias:
-Steganography is not used on the web.
-Steganography is not used on eBay.
-We can't detect steganography.
-Any steganographic we can detect can't be decoded.
-Steganography isn't widely used - yet.
You can mix and match these to fit your personal agenda, which I'm sure many people will do. In reality though, these results say almost nothing. The only way to know where, how, and how often steganography is used is to find out from the people using it.
Unfortunately, I have a feeling some people in Congress and elsewhere in the US government will use this as proof that if they can control encryption, there won't be too much use of other methods of hiding data. Ignoring all of the flaws in this conclusion, there is a further flaw in the assumption that by changing the security in encryption, the amount of use of other methods will remain the same. I would not be surprised if there aren't any people on eBay using steganography, nor would I be surprised if the same was true on most other sites; with available alternatives, this is just one of many tools that could be used to transmit messages securely. If the alternatives are removed, more effort will be spent on steganography, resulting in more widespread use and more resistance to detection. In other words, a ban on secure encryption would just encourage development in other areas, even if such development is dormant right now.
On a final note, if you want to look for steganography, try a sleazy porn site. Not that I've seen any myself, but I've heard that they toss all kinds of random stuff up on those, grabbing the images from all over the internet. This would seem to make a more representative sample than a site full of people selling their junk.
Snow White,
The owl howls at midnight.
Rumpelstiltskin
Always keep a sapphire in your mind
The point isn't "there is no steganography on the web." The point is "here is a system to look for steganography."
In typical mass media fashion, both New Scientist and Slashdot go for the flashy story rather than the more interesting point of the research.
Folks,
Passing secret data, if you have resources, is not that hard. Look up any book on "Field Craft" in the field of "Intelligence"
Real low bandwith messages are trivial - aka, attack tommorow. It could be a chalk mark on the wall, a newspaper folded a certain way etc.
Even more fun is to pass LOTS of encrypted messages in the clear, but 99% are nothing but random noise. Look up the topic "Numbers Station"
Add in a few cutoffs / dead drops, and it's trivial
Let's say OBL wants to send a message. He could use a combination of low/high tech. He uses a courier to move the data from where he is, to the first drop. The next person has NO idea where OBL is. They use another drop. That person sends a message via the net "Look at the new picture of my dog" might be the whole message - the data isn't even in the picture. Youc could go even further. Use some sort of Steg, but spread the message across multiple images.
The whole trick is to make the signal/noise ratio low enough that you can't see the signal unless you know where to look
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
The canonical answer is - for the same reason you put a letter in an envelope, not just write on a postcard every time. for a lot of things (particularly love letters and business negotiations) you don't want anyone but the intended recipient to read it.
Q: Why would a Terrorist use software that has a US/UK/UN backdoor, surely they'd write it themselves (hard) or download it from the net (easy)?
They wouldn't use broken software, and it is impossible to force them to without a 100% scan of all email.
Q: Assuming most T's are small organisations surely they'd use replacement words, which unless you've infiltrated the group, you'll never understand.
Or use steganography, yes.
Q: The UK government have been talking about bringing in ID cards in the face of the WTC horrors. Doesn't the US have ID cards already? Every time I wanted a drink in Las Vegas I got 'carded' and I'm 30, so it's not like they don't get checked.
It is sad, but all sorts of control freaks have come out of the woodwork, waving laws that got voted down last time they tried it with "terrorist" scribbled in at a few places to make them look a bit different. ID cards would do nothing against terrorism - it is likely we will never know the real names of the terrorists, given how many seem to have popped up and said "no, I am still alive here" when named.
-=DaveHowe=-
Why would you put the images on ebay? There are plenty of forums that aren't as public, and don't require as much information to register, and best of all, don't cost money.
There is absolutely no relationship between there being no stenographic images on Ebay, and the use of stenography by Bin Laden or other terrorist groups.
Seriously, think about where you would put your images? I would say porno boards would be the best place, possibly newsgroups. Tons of people look at porn, so the traffic wouldn't seem strange, and theres so much out there, you wouldn't even know where to look if you were looking for said stenographic images.
As for distributed clients... I'd love to see a distributed client that started searching all the pr0n sites out there, checking them for secret messages. Could you see that popping up as your screen saver?
Its just not going to happen.
Captain_Frisk
As a science steganography is vary old. One of the first book on the subject steganographica was written by Gaspari Schotti in 1665. It has however been a subject of limited public interest until vary recently. This is not to say that various steganographic techniques haven't been used ovar the years. On the contrary, many intelligence agencies have uses steganographic techniques to smuggle secrets our of various countries throughout the cold war and before. One of the best known ancient uses of Steganography was in the book Hypnerotomachia Poliphili published in 1499. The point is, it's been around for a vary long time, there just hasn't been any public interest.
--CTH
--Got Lists? | Top 95 Star Wars Line
I think the detection of steganography in an image file, given reasonable smarts on the part of the stego software designers, is totally impossible. A typical plain text email message might have 1k words, to be generous. This works out to about 40k bits (5 characters per word, 8 bits per character). A 2048x1536 tiff file, common with today's digital cameras, is about 10+ MB in size. I think that hiding the 40k bits in 10MB of binary image file would result in a file that would pass any practical test, statistical or otherwise.
Also consider this technique, you (the encryptor) could run the statistical tests on the output file and tweak garbage bits at random until it would not raise any alarms. The design principle would be: 1. Encrypt your message, 2. Insert a compensating set of (probably ordered) bits into the image. 3. Test for randomness, you want to have the final encrypted/hidden output look like the original by every statistical measure you can test for. Repeat steps 2 & 3 until done.
The basic principle is that you keep the number of encrypted bits in the hidden part buried in the file low relative to the size of the file the message is buried in; I am not a crypto guy but maybe someone who is would care to comment. I would not bet on the TLAs in this race, it's too easy to hide stuff.
if I was conducting a Jihad, I wouldn't trust the internet either.
Jihad is not terrorism. In fact, the Qur'an prohibits terrorism against innocent civilians. Islam is a religion of peace, and jihad does not refer to a "holy war" but merely "struggle ... such as an internal struggle to follow Islam, a struggle against oppression, or a struggle for peace" (source:).
Will I retire or break 10K?
If I really wanted noone ever to guess what I am sending to someone, I would use a number, a LARGE number of free internet services to send SMALL portions of my message through them. I need many accounts on geocities, yahoo, tripod, ebay, maybe some news groups, and I would distribute my super secret message among them in a fassion that would only be known to me and the person I am communicating with. Every message would be sent in a different manner with different accounts. Decrypt this.
You can't handle the truth.