Slashdot Mirror
First Steganographic Image Found In The Wild
Niels Provos writes: "After months of searching for steganographic content on eBay and
elsewhere -- downloading millions of images, we were finally able to
find an image with a stegangraphic message hidden in it. Stegdetect and Stegbreak made short process with it. It took less
than a second to compute the secret key necessary to extract the
hidden message. Two commands at the prompt, and we found the hidden
message to be an image of B-52 scrapyard. Right off Terraserver."
That it was the planted image from ABC. This is not what I would call a real detection of "in the wild" Show me an image that wasn't part of a media company stunt, or other reporter activity on the very technology of stenaography. Any of the supposed bin-laden images? How about a simple script-kiddie or cracker/thief communication?
In the wild denotes actual use by thrid parties.. A virus in the wild means it's out there looking to do damage and infect, This image is the equilivant of a hello world program on a how to program website.
It's not in the wild, It's an example placed by ABC news.
Do not look at laser with remaining good eye.
Good stego should be undetectable -- first off, the hidden message should be encrypted, and therefore nearly indistinguishable from any other set of random numbers. Also, the message needs to be several orders of magnitude smaller than the carrier image -- if you want to hide a 1K message, you ideally want a ~1M image to put it in. Isolating 1K of signal out of 1M of noise would be very computationally difficult.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
but I'm kinda bothered by this sort of thing, not in the way some might think. I don't have any problem at all with the research being conducted (actually I support it, good stuff!), but I hate that gobs of bandwidth are wasted by this sort of thing.
I mean, how much bandwidth is taken from companies with large numbes of images on their sites (EBay for example) as a results of stuff like this? It's not exactly something you can say adheres to purely ethical use of their bandwidth.
There's got be lots of projects out there attempting this stuff, especially given recent press coverage on the topic. Who's picking up the tab for the network usage?
Perhaps a permission-based scheme would be better, or better yet a volunteer-supported test server pool dedicated to hosting images. That way, people could test out steganography techniques by posting their images to the pool for the community at large to take a crack at. Thoughts? Flames? Oranges?
No doubt a fair proportion of them contain spook words too.
Eventually they get told that yes, there is a steganographic image on ABC, and they look at it, and guess what? They prove that it is a steganographic image and they can really desteg it. Quel surprise!
Of course, this particular image was very simply constructed as an example for a mass entertainment news channel intended for a general, non-specialist, audience. It was not constructed by someone concerned about secrecy or desperate to conceal a secret message. On the contrary it was constructed using handy, freely available steganographic image tools, not special purpose custom written ones.
Great!
This doesn't prove that there aren't staganographic images on eBay which their software can't detect. It doesn't prove there aren't steganographic images on alt.sex.binaries.fluffy-bunnies. It doesn't prove there aren't steganographic images on your favourite pr0n site.
It doesn't even prove that some spook agency somewhere can't detect all these steganographic messages, desteg them, and read the payload. All it proves is that these two academics can only detect a steganographic image it they're told where it is and what it is, and even then only if it's produced with a small range of well known, freely available tools.
Incidentally, there is a steganographic payload in this post. Care to scan all Slashdot posts for steganographic payload? All Usenet? No, thought not.
I'm old enough to remember when discussions on Slashdot were well informed.
My only exception to stwilwebm's comment above is the phrase "quite possibly". IMNSHO, "not bloody likely" is the correct adverbial phrase.
Let's all stop and think about this for a meaning. I wish to send an important secret message to my evil henchmen on another continent. Do I send an encrypted letter? Do I send a human messenger by plane to carry the message? Do I phone them and use secret phrases with hidden meanings to convey the message to them?
Apparently not, if we are to believe the Security Experts who don't want us to hear Bin-Laden. Apparently the best way to send secret messages, is to tape yourself and hope that the corporate minions of the Great Satan will transmit your message, complete, clear (no poorly translated voice-overs, if you please) and in a timely fashion.
Am I the only one who thinks that if Bin-Laden really is that stupid, that we have little to worry about?
the reason they 'cracked' the key was obviously because it wasn't really encrypted.
Any real stego you wanted to hide would also be encrypted. Strongly. So all you would find is noise.
It's not implausible to assume that the terrorists were instructed to watch that channel to receive instructions after the first US attacks occured.
I think I'll stop here.
According to this, bin Laden is indeed using verbal codes to communicate with his people. What better way to get the message out than a public statement?
I'm still bitter it's not getting played on US tv stations; how can a video taped statement from public enemy number one not be "newsworthy"? They say it "might contain a message". Well one message I heard was "infidels out". Is that the message they don't want us to hear? That his main demand is for us to stop occupying his 'homeland' and whatnot?
Sure, there might be a hidden message too. But people waiting to get the hidden message will undoubtedly obtain it from some foriegn news source that DOES deem it "newsworthy".
Censorship will only hide the message from joe sixpack & friends, and I think thats exactly the goal.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
I just find it very strange that somebody tries to make us believe that Steganographic content is limited to pictures and will be found on eBay. _IF_ you really want to hide something you might want to embedd a message at a certain time (time synching is not a problem) into an ever changing stream of data (like a webcam or an Internet radio station). The content has to be spread out over a certain amount of time. Maybe only chunks of a message per hour. This is not exactly emergency communication, orders, information, etc. can be received over several hours if needed. Now you spread the content over a pre-defined sequence and maybe start with a "wakeup" message to indicate that a new block of cipher information is about to come. This would be impossible to detect, because you have nothing to compare against (like a picture of a busy street is never the same). So I personally think that this "we scan on eBay and the pictures are evil" is something to put people at ease, but is not really helping a lot. Other than people will be forced into more stealthier methods ...
But, eBay did grant permission for the download. Somebody's client said "GET http://www.ebay.com/image/something", and eBay said "OK, here it is, catch!". If they didn't want to spend the bandwidth to send it to you, they shouldn't have done so. At no point did eBay not have a choice.
What the agreement said was "prior expressed written permission", which the people conducting the study probably did not have.
Granting an HTTP request does not constitute "permisssion" to use the service for whatever purpose you want. By analogy, the fact that Yahoo's FTP server accepts porn you upload does not mean that they have given you permission to post porn on your web page. If you send out 100,000 get-rich-quick e-mails, you cannot assume that you have "permission" from your ISP to do so because their SMTP server accepted them. The key point is intended use -- which eBay does not know. That's why they have an AUP.
Given that image based steganography has been around for a while, and there are probably at least a few thousand people online experimenting with it, they should be turning up a lot of these. That doesn't even begin to factor in that criminal organizations all over the world are probably playing with the stuff, especially given recent coverage of steganography in the news.
What does this really mean? Perhaps finding well hidden messages is a hell of a lot harder than anyone expected- and it will only get harder. If criminals are using this to communicate, they may be justified in feeling safe doing so.
Of course, it is probably a bad idea to put stock in anything that comes from guys trying to grab the spotlight by reporting an image created by abc news as a steganographic image found "in the wild." If nothing else it reminds me of idiots who try to get attention reposting known securiuty vulnerabilities to BuqTraq.
Actually... it seems to me that this is a fine way to send a message. The "not bloody likely" part is the idea that censoring this will stop the information from getting to its intended recipients.
The message could be conveyed in something as simple as manner of dress or a key phrase. It could be "encoded" in where Bin Ladens gun rests in the background behind him in the shot.... or the even who sits to his right or left.
The plans were made a long time ago. Messages from Bin Laden to his people are likely of no more granulairty than "continue as planned" or "halt and wait" or "go with plan B"
Or even more specific... "transmit orders for plan B"... I think its very likely that Bin Laden, being a figurehead, has probably delegated the actual planning and coordination to someone else, so anything from him only has to be very very high level...which is where this sort of messahe excells.
That said... I think its silly to believe that they don't have operations setup such as to continue even if the communication channel is cutoff. All that censoring him does is stop americans from hearing what he has to say.
-Steve
"I opened my eyes, and everything went dark again"
Amazingly, showing Osama on the TV is not likely going to result in a massive outpouring of sympathy for him or his cause. A more likely result is a rise in TV repair business.
The media (as encouraged by the US government) has whipped the masses into a hateful frenzy, with Osama as the target.
Forget looking for the cause of his actions. Let's just label him a "mad man", and state that his goal is "the end of the free world".
Showing, or not showing his press releases is not going to make a whit of difference in this "war". Just like my posting my views is not going to change the mind of someone who wishes to believe the rhetoric and absolute crap that is spewing forth from the main stream media.
Overall, I enjoy being a U.S. citizen, but I am completely embarrassed, and even mortified by some of the actions that we (as a country) condone, and those that we perpetrate.
Granting an HTTP request constitutes permission for you to download the file you asked for.
No, it does not. It does not represent a decision by the computer's owner as to whether you had a right to request the file and whether they should supply it to you. If I walked up to your computer and started deleting files, would the fact that your computer deleted the files mean that I had your permission to do so? That's what you are arguing: That the computer has power of attorney for its owner.
If you enter a restaurant with self-serve soda dispensers, do you have "permission" to steal soda just because the automated machine will dole it out at the push of a button? Do you have "permission" to take all of the straws just because the dispenser will give them to you (Your honor, I had McDonalds' permission to take 2,372 straws because their machine gave me a straw each time I pushed the button...)?
If Yahoo posts porn for you on their web site, then they didn't even have to give you permission since they already went ahead and did it.
No one at Yahoo is posting the porn. They are not manually moves the files from the FTP server to the web site. It's an automatic process and does not mean that you have their permission to upload porn. A computer responding to a file transfer request is not equivalent to the company giving you permission to transfer the file.
Just figure out the technology to lock your property down like you want, rather than relying on a crowd of mostly-anonymous, undisciplinable Internet users to follow your rules.
Now you are arguing about the practicality of enforcing a policy rather than the legalities. The most effective way to get people to follow your rules is to identify someone who violated them, sue them for civil damages, and make an example of them.
You mean stuff like *gasp* SPEAKING? Oh my god!
Sorry, I used the wrong link before. I meant to link to the actual interview with bin Laden's son.
He says "My father believes American spies have joined the Taliban He talks in a code that even I can't understand".
It's not that he's speaking, it's that he's (likely) conveying another message besides the obvious one.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
If I did that in your office, then I would be trespassing. If you left your computer set up on a busy city street, with a big red "Delete" button to push, then it would appear to me and an average passerby that file deletion was OK with you. Thus also with files on servers on the 'net. Your machine does not have power of attorney, but if you set up an automatic file dispenser, you can't complain if people take files off of it, any more than you could complain if people took all the gumballs out of a free gumball machine that you set up. Of course, the eBay example is a little different than the gumball or "Delete" analogies, because eBay didn't run out of files, although they may have been marginally lower on server capacity and bandwidth at the time.
Ah, but that's exactly my point - one straw at a time is OK, it's the overall pattern of straw usage that McD's should worry about. They would want to either alter their straw dispensers, or more likely just toss you out if you started doing that. The dispensers themselves aren't labeled "only take what you need" - how many times have you seen people take twice as many napkins or packets of ketchup than they need?
If the company didn't want their machine to post the files, why didn't they just tell it not to? If they set up an automatic process that affects their property and is freely available to the public, why shouldn't they be liable for what happens to it?
I think of a server as sort of a secretary. If you told your secretary to accept file submissions and store them on a global bulletin board, and she didn't know any better than to take pr0n too, then the failure is really in your instructions. What is needed is a more sophisticated way to describe to a web server what access patterns are acceptable, just like you would tell your secretary to only accept files with a legitimate business purpose. You can continue to curse the pranksters that keep submitting polaroids of women with Shetland ponies, but in the end you can't track them all down. You have to fix the problem at the source.
You haven't been reading the news much, have you? MP3 trading continues, DeCSS can be had for a 2-second Google search, software piracy flourishes - plenty of examples haven't really helped those issues. These are situations where you can't police everybody in the world at once, if not due to the unending variety of local law, then due to the sheer expense that would be required to do so. The only way to solve an Internet-scale problem is with a distributed technological solution.
Your right to not believe: Americans United for Separation of Church and
Of course, the eBay example is a little different than the gumball or "Delete" analogies, because eBay didn't run out of files, although they may have been marginally lower on server capacity and bandwidth at the time.
Right. It's called a "trespass against chatels." It's a legal principle used by AOL for successfully suing spammers who send unwanted e-mail into their computer networks. Same principle. Open network, prohibited use.
Ah, but that's exactly my point - one straw at a time is OK, it's the overall pattern of straw usage that McD's should worry about. They would want to either alter their straw dispensers, or more likely just toss you out if you started doing that.
It's their property and I think that everyone, even you, recognizes that the dispenser giving you a straw when you press the button is not the same as McDonalds' corporation giving you permission to take 2,372 straws. Taking those would be theft -- a criminal matter -- regardless of the design of the straw dispenser or whether McDonalds employees caught you.
I think of a server as sort of a secretary.
Fine. When you are finished chasing your computer around the desk, consider the fact that computers do not have intelligence while people do.
If you told your secretary to accept file submissions and store them on a global bulletin board, and she didn't know any better than to take pr0n too, then the failure is really in your instructions. What is needed is a more sophisticated way to describe to a web server what access patterns are acceptable, just like you would tell your secretary to only accept files with a legitimate business purpose.
So how is the FTP server at Yahoo supposed to know that 123456.jpg is porn and 234567.jpg is a picture of a Corvette?
You need to get off of this juvenile kick that makes you claim that you are allowed to do anything to anyone else's computer unless they find a technical means to stop you. A company's computers are their property and they have every right to set the terms for the use of that property. Period. End of story.
eBay has a robots.txt file that is a no-trespassing sign for robots. They have an acceptable use policy link on their home page. The purpose of the site is clear -- buying and selling via online auction. It is not intended as free bandwidth for anyone wanting to do research.
It is not the responsibility of eBay, Yahoo, or any other firm to devise artificial intelligence systems to enforce their policies. McDonalds does not have to put retinal scanners and computerization into straw dispensers. There are long-standing legal principles that govern this and the basic fact is that people have a right to set the terms for the use of their property and services.