Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacktivismo to Release Steganography Tool

Posted by ryuzaki0 on from the say-cheese-in-pig-latin dept.

Anonymonkey writes: "According to this story at , a group called Hacktivismo will release a steganographic tool called Camera/Shy at H2K2 this year. Apparently, it will make it easy for persecuted political groups to hide messages in images. The group has links to the Cult of the Dead Cow, which is, of course, working on Peek-a-Booty."

4 of 201 comments (clear)

  1. Traffic analysis by AgTiger · · Score: 5, Insightful

    Sometimes it isn't the content that gives you away, it's the fact that you're sending traffic between point A and point B, and B talks to C, D, and E.

    That can be enough to tip off the wrong someone.

    Likewise, if you start sending graphic files back and forth where you USED to be sending other types of traffic, whatever entity might be watching those transmissions is likely to catch on. Let's not even go INTO how you're sending MORE data rather than less. Me, I'd be shooting for a method that breaks the communication up, sends it in with a bunch of other garbage to multi-pointed destinations at random times, strongly encrypted en-route so sender and receiver are masked...

    Oh wait, that sounds a lot like a mixmaster remailer.

    And yes, I know, mixmaster and PGP are not an option for environments where the very use of same is enough to get you drawn and quartered.

  2. Dumb, DUMB idea by splorf · · Score: 5, Insightful
    Steganography is a lot harder than it sounds. It's easy to hide a message in an image file and have the image still look normal on the screen to a casual observer. It's a hell of a lot harder to keep an opponent from detecting the message by analyzing the file knowing how your program works.

    I am afraid unless Hacktivismo is really careful and knows what they're doing, their program may get some human rights workers tortured and killed. By careful, I mean don't even mess with embedding messages in jpg images. It might be reasonably safe to embed them in audio or video streams at very low bit rates, like one bit per several seconds of 44 khz 16 bit PCM audio or mini-DV video. And even that would take sophisticated encoding to keep detection difficult.

    Reference: Security Engineering by Ross Anderson, reviewed on Slashdot a few months ago.

    1. Re:Dumb, DUMB idea by splorf · · Score: 3, Insightful
      Even if the government could detect that images or audio files were being used as a covert channel, they would be unable to break the underlying encryption. It would be vastly easier for them to just imprison and torture people into revealing their activities than to assume a technological attack.
      That's the point. In order to imprison and torture people you have to know who to imprison and torture (unless you do it to everyone). You torture people if they do things that attract your suspicion. So the idea of steganography is to avoid attracting suspicion. If the opponent figures out you're using it, you are toast.

      Cryptography is broken if the attacker can read a message, but steganography is broken if the attacker can detect the message. The consequences of either type of break are just as bad. So using detectable steganography is as bad as using weak cryptography.

      There are lots of strong cryptography programs like PGP out there, and well-informed users also know that there's a lot of cryptographic snake oil and understand what snake oil is. But many of the same people think they can blatantly mess around with GIF color tables (etc.) and not get noticed. They are wrong and they are asking for trouble. I haven't seen a steganography program yet whose use in messages isn't pretty easy to detect if you know how the program works. Steganography programs are almost all snake oil. I'd want to see very convincing evidence that the Hacktivision program isn't snake oil before letting anyone trust their life to it.

  3. You're absolutely right! by brooks_talley · · Score: 5, Insightful

    You're absolutely right. I find it dispicable that people would release programs that terrorists could possibly use, with the weak excuse that there might be other legitimate uses! I mean, if we got rid of Steganography, PGP, Linux, MS Word, AutoCAD, MS Project, Bablefish, Oracle, OpenOffice, Squid, Rogue Spear, Mathmatica, Apache, Cu-Seeme, and KSH... why, the world would surely be a safer place!

    Cheers
    -b