Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacktivismo to Release Steganography Tool

Posted by ryuzaki0 on from the say-cheese-in-pig-latin dept.

Anonymonkey writes: "According to this story at , a group called Hacktivismo will release a steganographic tool called Camera/Shy at H2K2 this year. Apparently, it will make it easy for persecuted political groups to hide messages in images. The group has links to the Cult of the Dead Cow, which is, of course, working on Peek-a-Booty."

10 of 201 comments (clear)

  1. Traffic analysis by AgTiger · · Score: 5, Insightful

    Sometimes it isn't the content that gives you away, it's the fact that you're sending traffic between point A and point B, and B talks to C, D, and E.

    That can be enough to tip off the wrong someone.

    Likewise, if you start sending graphic files back and forth where you USED to be sending other types of traffic, whatever entity might be watching those transmissions is likely to catch on. Let's not even go INTO how you're sending MORE data rather than less. Me, I'd be shooting for a method that breaks the communication up, sends it in with a bunch of other garbage to multi-pointed destinations at random times, strongly encrypted en-route so sender and receiver are masked...

    Oh wait, that sounds a lot like a mixmaster remailer.

    And yes, I know, mixmaster and PGP are not an option for environments where the very use of same is enough to get you drawn and quartered.

    1. Re:Traffic analysis by user+no.+590291 · · Score: 2, Insightful

      Or use Usenet.

  2. Dumb, DUMB idea by splorf · · Score: 5, Insightful
    Steganography is a lot harder than it sounds. It's easy to hide a message in an image file and have the image still look normal on the screen to a casual observer. It's a hell of a lot harder to keep an opponent from detecting the message by analyzing the file knowing how your program works.

    I am afraid unless Hacktivismo is really careful and knows what they're doing, their program may get some human rights workers tortured and killed. By careful, I mean don't even mess with embedding messages in jpg images. It might be reasonably safe to embed them in audio or video streams at very low bit rates, like one bit per several seconds of 44 khz 16 bit PCM audio or mini-DV video. And even that would take sophisticated encoding to keep detection difficult.

    Reference: Security Engineering by Ross Anderson, reviewed on Slashdot a few months ago.

    1. Re:Dumb, DUMB idea by raytracer · · Score: 2, Insightful

      No, it isn't a dumb idea. It is a very very good idea, and one that carries few risks that aren't risks inherent whenever any citizen works outside the limits their government prescribes for them.

      It isn't hard for to come up with conventional cryptography that is robust against normal attacks. The technology is well understood and can be engineered to be robust against virtually any conventional cryptographic attack. Similarly, steganography is fairly well understood. Even if the government could detect that images or audio files were being used as a covert channel, they would be unable to break the underlying encryption. It would be vastly easier for them to just imprison and torture people into revealing their activities than to assume a technological attack.

      Individuals in these countries are exercising a form of civil disobedience, and it is important that they continue to do so. If oppressive governments are forced to spend all their efforts to detect and eliminate perceived threats, it divides their power and makes it more difficult to hide their clandestine misdeeds.

      --

      There is much pleasure to be gained in useless knowledge.

    2. Re:Dumb, DUMB idea by splorf · · Score: 3, Insightful
      Even if the government could detect that images or audio files were being used as a covert channel, they would be unable to break the underlying encryption. It would be vastly easier for them to just imprison and torture people into revealing their activities than to assume a technological attack.
      That's the point. In order to imprison and torture people you have to know who to imprison and torture (unless you do it to everyone). You torture people if they do things that attract your suspicion. So the idea of steganography is to avoid attracting suspicion. If the opponent figures out you're using it, you are toast.

      Cryptography is broken if the attacker can read a message, but steganography is broken if the attacker can detect the message. The consequences of either type of break are just as bad. So using detectable steganography is as bad as using weak cryptography.

      There are lots of strong cryptography programs like PGP out there, and well-informed users also know that there's a lot of cryptographic snake oil and understand what snake oil is. But many of the same people think they can blatantly mess around with GIF color tables (etc.) and not get noticed. They are wrong and they are asking for trouble. I haven't seen a steganography program yet whose use in messages isn't pretty easy to detect if you know how the program works. Steganography programs are almost all snake oil. I'd want to see very convincing evidence that the Hacktivision program isn't snake oil before letting anyone trust their life to it.

  3. This is misleading. by purpledinoz · · Score: 2, Insightful

    Apparently, it will make it easy for persecuted political groups to hide messages in images.

    Why just 'persecuted political groups'? (which I hope isn't another name for a terrorist organization). The article says that it is easy to use. Which means that you and I can communicate with each other securely, with no one eavesdropping. It's neither a good or bad thing, it's a tool. This tool can be used for good and bad.

    I really think that this post was implying that terrorists will take advantage of this tool. Drop this terrorism crap. Terrorists use many other mundane things to cause damage, why not make a big deal about those items too.

  4. You're absolutely right! by brooks_talley · · Score: 5, Insightful

    You're absolutely right. I find it dispicable that people would release programs that terrorists could possibly use, with the weak excuse that there might be other legitimate uses! I mean, if we got rid of Steganography, PGP, Linux, MS Word, AutoCAD, MS Project, Bablefish, Oracle, OpenOffice, Squid, Rogue Spear, Mathmatica, Apache, Cu-Seeme, and KSH... why, the world would surely be a safer place!

    Cheers
    -b

    1. Re:You're absolutely right! by teslatug · · Score: 2, Insightful
      There should be some limits though, by analogy:
      I mean, if we got rid of nuclear weapons, long range missiles, tanks, rifles, pistols, knives, spoons, tooth-picks, napkins... why, the world would surely be a safer place!

      Just an exageration meant to show that your argument does not necessarily hold. You can get rid of some things for the greater good, without infringing on regular people's rights. You don't always have to go by precedent, you can judge actions on their own merit.
  5. Re:Hm... by Anonymous Coward · · Score: 1, Insightful

    Now that the FBI is allowed to spy on domestic political groups again (not limited to terrorists), we can expect a lot more persecution of legitimate groups, as happened in the 70s under cointelpro. Political persecution by the state is, and always has been, a reality to anyone whose activism could pose a problem to the powers that be.

  6. Why Bother? by balloonhead · · Score: 2, Insightful
    I don't see the point. If I was a terrorist and posted a USENET / slashdot / other pre-arranged forum message with "big day on Sept 11, flying into NY with a few buddies on flight XXX", there is no way that any FBI / CIA / other agency guy would know what it meant if he saw it on Sept 10, even assuming he looked at it.

    There are just too many ways of sending unencrypted / unhidden messages; adding more work just seems like a big hassle for the sender and recipient - as was said after 11/9/01, the reason that messages were not intercepted was because they were low-tech / plain text / whatever. It is quicker and easier to make it innocent-sounding except to those who know already. Any agency screening emails / web pages / whatever would have a lot LESS work to do if it just had an image scanner that decided if there was any potential code, then concentrating on those. As another poster said, checking if a pic does or doesn't have steganography involved is easy (though you then have to decode it) - would it not then be easier to have an image of unencoded text which would be easily readable only if you look at it, on an obscurely titled web page? No automated searcher would be able to read it, no human would ever know where to look unless they alredy knew where it was.

    With email, text messaging, instant messaging, unlimited internet forums, the internet pages themselves, snail mail, telephone, telegraph, morse, hundreds of languages, and god-knows what other methods, there are just too may ways to transmit info to plough through these and find hidden messages.

    I just don't see the point.

    On another note - could terrorist emails be easily intercepted if the volume of traffic was reduced significantly? i.e. if spam was banned?

    --
    This idea was invented by Shampoo.