Study Finds Low Use Of Steganography On Internet

schnippy writes: "New Scientist reports on new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.

How do they know?

[andy@petdance.com]

How can they know that the 2E+09 images on eBay don't contain hidden messages? They might not have detected them, but that doesn't mean they're not there. Perhaps these damn terrorists (gasp!) made their own software!

And who says that you have to post images to send a message? Maybe posting a baseball card for sale means that a cell is to attack on the day that the auction closes. A Sammy Sosa card means we fly into the Sears Tower; a Thurman Munson card means the WTC. The starting bid is the price is the time at which it's to happen.

The whole point of steganography is that the outside world doesn't even know what your encoding system is, much less be able to decipher it.

This is naive

[scorbett]

According to the details of their study, they took images from Ebay and scanned them for steganographic content using statistical analysis. Out of the two million images they scanned from Ebay, they determined that about 17000 seemed to have steganographic content. They then used a dictionary attack to try and extract any encrypted messages that may be contained within. They failed on all 17000 images. Their report indicates one of three possible explanations for this:

1. There is no significant use of steganography on the Internet.
2. Nobody uses steganographic systems that we can find.
3. All users of steganographic systems carefully choose passwords that are not susceptible to dictionary attacks. (emphasis mine)

In response to number 3, I'd like to say, "well, duh". Anyone clever enough to transmit messages via steganography is not going to be stupid enough to potentially compromise themselves by choosing a simple password.

But beyond that, this search is limited to one small part (Ebay) of the entire Internet. There are certainly many other places where images can be transmitted inconspicuously (certain usenet groups come to mind).

To me, this seems like a "feel good" story designed to put people at ease. It has little actual merit.

Why Ebay?

[jandrese]

Ebay seems like a poor choice for stenography. First off, you have to actually sell something to get a picture on Ebay (IIRC), and I doubt the terrorists are going to want to bother with having buyers on their back all the time.

It seems to me like it would be much easier just to set up some random Geocities site with text like:
Hi, I'm Lisa Smith and this is my site about me and my 10 cats!
Then include several pictures of 10 different cats, including some with covert information. If you need new information you can reencode some of the pictures and reupload them. Other messages can be sent by subtly changing the HTML (adding and deleting extra spaces for instance).

I still can't figure out why they thought the images would be one Ebay.

e-Bay?

[gus+goose]

Apart from the fact that by default, good steganography should be undetectable, it appears that e-bay is a poor site to use. By default, the user posting a sale has to exist in some manner, unless a new identity is created for each item to be sold - which makes sense, but the bottom line is that it is a pain to keep creating e-bay accounts, and making up e-mail addresses.

Something on the newsgroups would be a much better place to look. the alt.binaries.pictures.* areas. Almost total anonymity.

If I were to want to communicate this way, I would avoid e-bay.

gus

Re:Isn't that the point?

[dachshund]

The whole point of stenography is that people CAN'T spot the fact that you're using it!

To elaborate... The whole point of good steganography is that people can't easily spot the fact that you're using it. If you use some common freeware steg. programs, people'll have no problem detecting it-- these programs make very little attempt to hide their trail if the files are carefully examined. In any case, except for the nefarious use by criminals, or a few people having fun, there's no reason to use steganography very much. The hope is not to be detected when you do use it.

As an aside, one imagines that with the hundreds of millions of dollars Bin Laden has access to, he can afford to create some half-decent steganography procedures... Perhaps using one-time-pads to conceal the data as noise.

Re:is it just me, or...

[Erasmus+Darwin]

"With so many other more effective and simple methods of encryption (read: PGP), why would anyone go to all the trouble?"

You're comparing apples and oranges. Steganography isn't encryption -- it's concealment. If I send a PGP-encrypted message, regardless of whether or not they can break it, every eavesdropper knows that I just sent a PGP-encrypted message. If I use stenography to hide a message, an eavesdropper might miss the message, but would be able to decode it if it's discovered. If I use both, it's a win-win situation.

I can help

[ellem]

there has been speculation that Osama Bin Laden has hidden messages in pornographic images posted and swapped on Usenet

If they posted in alt.binaries.erotica.veils or alt.binaries.erotica.bondage.camels between 1990 and 2001 I have every .jpg, .mpg, .avi, .bmp, .pcx, .mov and .html file ever posted. Also I have every .txt, .doc file from alt.stories.erotica.camel.

Re:Face it

[Jerf]

'Half of slashdot posts are encrypted evil plots for mass destruction.'

Moderators, beware! That post decrypts to "fr15t p0st!!!" It's not a funny post, it's off-topic! Don't let your points be spent carelessly!