Peekabooty, Camera/Shy Released
An anonymous (how appropriate) writer sends "Peek-a-Booty, a program designed to circumvent mechanisms (such as China's Great Firewall) limiting access to websites, has been open-sourced. It's listed as a "Beta" on SourceForge, but the Peek-a-booty website seems to encourage people to start using it." And Doug writes "PC World reports about a new tool to encrypt text with a click of the mouse and bury the text in an image. After posting an embedded image on a Web site, someone can notify intended recipients by e-mail with code words such as 'Go to this URL to see pictures from my birthday party.'"
what's so new about embedding text in images, that's been around for years
It's a shame that software like this is even necessary, but with the way things are going, we'll soon need this software here in the good ol' US of A as well.
After posting an embedded image on a Web site, someone can notify intended recipients by e-mail with code words such as 'Go to this URL to see pictures from my birthday party.'"
This product must have already been released since I've been getting emails like that for months now. "I just turned 18! Click here for hot pictures from my 18th birthday party! You won't believe how wild my barely 18 year old friends and I got that night!"
How are the Chinese going to circumvent their firewall to be able to get this program that enables them to circumvent their firewall?
I guess all those x10 ads were just a bunch of Chinese dissidents passing messages ICQ style.
With a name like that, who is more likely to find and use it - Chinese democracy hax0rs or childpornists? I'm serious.
Long ago, I tried hosting the images for a site on Geocities or Tripod or somewhere and the HTML page on my laptop and Ricochet modem. Worked OK, but I noticed one side effect that would seem to be relevant - these sites were re-compressing the images.
If you take a jpeg and encode some data steganographically and later the compression is changed, wouldn't that effectively remove the steganographic information? (Correct me if I'm wrong.)
Now, if I was trying to communicate with terrorists this way, pretty much the only safe way would be to put the 'birthday pics' up on a very popular free site - no way I'd post them anywhere that had my name connected to it.
I don't know if the compression thing is common, but couldn't something like that be put pretty transparently into "The Great Firewall"?
Cheers,
Jim in Tokyo
-- My Weblog.
From the description at the Peek-a-Booty site it seems to me that it is nothing more than open proxies running SSL. While I understand their stated goals, the whole project seems redundant.
First, the project assumes that the governments are using a NOT list. This is a big assumption. I would think that control freaks like the Chinese government would more likely use an ALLOW list. A small list of government sanctioned sites. This would, of course, negate Peek-A-Booty.
If the government is in fact, using a NOT list, there are already countless open proxies continually popping up all over the place. This makes me think that the whole project is redundant.
don't you think that somebody who finds people to do suicide attacks could find someone who could operate one of the existing stego tools?
--
making up good sigs is a hard thing to do.
This "steganography tool" is no more than snake oil.
Rather than using a more advanced method of steganography, this tool packs data into the least significant bits of the image. Simple, easy, and incredibly obvious. This is to steganography what ROT13 is to encryption -- if you use it for anything important, people will laugh at you.
In fact, this is the worst kind of snake oil, because it is not only ineffective, but also dangerous. The administrators of the Great Firewall Of China (for example) could very easily detect files encoded with this software; using it would then be akin to waving a red flag and shouting "hey, I'm doing something I don't want you to know about". Bad steganography is worse than no steganography, because it highlights the fact that you're trying to hide something.
Tarsnap: Online backups for the truly paranoid
>uhm yeah, make it easy for the terrorists...
Cars make it pretty easy for terrorists to build a car bomb. Ryder trucks make it pretty easy for terrorists to fill one with ANFO. Should we stop making cars? Should we stop renting trucks? Buses make good targets for suicide bombers. Should our metropolitan areas stop offering bus service?
I don't mean to pick on you personally, but I'm getting damn tired of the argument that we shouldn't do this or that because it might make something easier for a terrorist. Just because there are assholes in the world doesn't mean there aren't people with legitimate uses for new technology.
need a list of nodes to use
they are anything but camera shy.
No, don't worry. Echelon is going to start downloading images from the internet now. Ha..the NSA is gonna end up with the biggest pr0n collection in the world...now, people, don't take that as a challenge.
Ok, now the entire world must first get American approval for every technology, to see if it could not be misused by someone else. Let's turn all airplanes illegal, because they can be misused by terrorists. Let's turn your computer illegal too. For now and forever you must use a DRM approved, key escrow enabled one.
go back into your cave, where no one can harm you. life IS risky and no actions (like outlawing something) or government or whatever can take this risk away from you. just face it...
DTABN
While it's good to have more and more foolproof encryption methods, the problem is there's an evil element out there that will make use of this for their planning.
Of course, it's not like it does us a lot of good even when we are able to intercept these messages, with the long-term ineptitude of the FBI and CIA.
I can see a growing need for this kind of thing in the USA, as we allow the Megacorp cartels like the RIAA/MPAA to chop off and "firewall" so to speak, the individual.
Remember the Napster trial? The infamous statement by a RIAA honcho "We will firewall them at their PC"? And then go read the story just below this one where AOLTW's RoadRunner is port blocking Kazaa.
I find it very interesting philosophically, that the net result of "Big Government (Communist)" and "Big Business (Capitalist)", when left unrestrained by civil law that is supposed to protect and affirm the rights of the individual, produce the SAME RESULTS!
In the communist system, as China is, the government IS the corporation. It makes up "laws" as it goes along, always to benefit those in power. In the USA, we've allowed corporations to achieve similar results by the fact that our Congress and Presidents are passing and signing laws WRITTEN BY THEM, as the DMCA and CBDTPA are.
Unfortunately for the tyrants, both governmental and corporate, there are a lot of Thomas Paine's in the world, and they tend to be creative people. Hence this program that lets you circumvent firewalls.
Corporatism != Free Market
Has anyone found where to download Camera/Shy? I'm really interested in trying this software out but can't find it anywhere.
Help?
"Where is my mind?"
Camouflage can hide any file (e.g. mp3) inside any other file like a picture or a word document. The created file will look and act normal but might be a little big.
How about putting hidden messages in spam? Nobody bothers with those anymore, anyway.
Here's an example:
***SNORING KEEPING YOU FROM A GOOD NIGHT SLEEP ?***
tHIs proDuct has been featureD on national tv.doEs sNoring keep you up at night?
tired of having to sleep in separate rooMs bEcauSe of Snoring?
just tired of being tired becAuse of someone's snorinG?
tired of hEaring how your snoring kept someone up all night?
There is a safe, natural solution to your snoring problem...
And so on...
The steganographic schema could be a bit more advanced in the production version, but i think the basic idea is good enuff for a start.
Peek-a-booty seems to be simply reinventing the Crowds project. Why?
It would appear that Camera/Shy puts the "hidden" message in the least significant bits of an image. This is a terrible way to do steganography - researchers have long known that it is extremely easy to detect this method. For example, go to outguess.org for some software which can detect it, and links to papers describing how this works.*
Using this sort of software is worse than not using it at all - you are just attracting attention to the fact that you have something to hide! Whereupon you can expect the full might of the Echelon/Carnivore machines to be used against you. Don't be tempted by the easy UI. As someone else has already mentioned, LSB steganography is the equivalent of ROT13 encryption.
If you want to send truly secret messages, read some steganography literature - which will give you an idea of how difficult real steganography is. Best would be to wait 5 years until we have sorted out which, if any, steganography schemes are secure.
*The concept of how the detector works is not hard, but IMO these papers are rather badly written and you may find them hard to read. They don't really report their experiments fully. But believe me, LSB steganography is extremely poor.
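The detection idea mentioned above can be shown with a pairs-of-values chi-square test, the idea behind the chi-square attack of Westfeld and Pfitzmann. This is an added example, not part of the original thread or of any tool named in it; the grey-value "image" is constructed, the random bits stand in for an encrypted payload, and all function names are hypothetical.

```python
import math
import random

def pov_chi_square(pixels):
    """Chi-square statistic over value pairs (2k, 2k+1), plus degrees of freedom."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, df = 0.0, 0
    for k in range(0, 256, 2):
        total = hist[k] + hist[k + 1]
        if total:
            # Random LSBs split each pair's total evenly, so this term averages 1.
            stat += (hist[k] - hist[k + 1]) ** 2 / total
            df += 1
    return stat, df

def looks_lsb_replaced(pixels, sigmas=4.0):
    """True when pair counts are as balanced as random LSBs would make them."""
    stat, df = pov_chi_square(pixels)
    # Normal approximation to chi-square(df): mean df, std sqrt(2*df).
    return stat <= df + sigmas * math.sqrt(2 * df)

def constructed_cover(n=100_000, seed=1):
    """Constructed sample: three smooth tonal regions as 8-bit grey values."""
    rng = random.Random(seed)
    return [min(255, max(0, round(rng.gauss(rng.choice((60, 130, 200)), 6))))
            for _ in range(n)]

def lsb_replace(pixels, seed=2):
    """Overwrite every LSB with a random bit (stand-in for an encrypted payload)."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]

if __name__ == "__main__":
    cover = constructed_cover()
    stego = lsb_replace(cover)
    for name, img in (("cover", cover), ("stego", stego)):
        stat, df = pov_chi_square(img)
        print(f"{name}: chi2={stat:.1f} df={df} flagged={looks_lsb_replaced(img)}")
```

The cover's smooth histogram leaves neighbouring values with measurably different counts, so its statistic sits far above the degrees of freedom; after LSB replacement each pair is split almost evenly and the statistic drops to about the degrees of freedom, which is what the test flags.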
I am confirming that the GFOC (Great Firewall of China) does not block the Peekabooty websites..... YET
Not that I really need this - I don't do anything that I need to hide from the Chinese government, Sure they block my access to Geocities and BBC but I don't see that as a bad thing.
- HeXa
Googling for "steganalysis" will yield several interesting places to look.
"Steganalysis of Images Created Using Current Steganography Software" gives some good information.
if you really want secrecy, you can move to things like "DriveCrypt", which makes containers you can mount as new drives. but these containers have no header, and being compressed and encrypted, it's impossible to distinguish them from purely random data unless you know the strong passphrase.
the idea of hiding data in the LSB of pictures (or mp3's for that matter) is old. just better hope that no one else has a copy of the original file! if you choose specific pictures where the LSB is statistically random enough, there is nothing that says you can't hide data there securely. the simplest way for short messages is to run MD5 (or some other hash) on your passphrase, and XOR the resulting digest on your message to produce your cyphertext. then just replace the LSB's in your image file.
just make sure you replace all your LSB's or else an attacker can detect that there is something hidden.
the only thing new about this particular tool is that it uses a browser plugin to decrypt the picture by double clicking on it. that sounds insecure to me.
drivecrypt lets you install the program entirely on removable media, so you don't have strange stego tools installed on your computer when the Red Police come busting down your door...
just my $.02.
muerte
ROT13 is old school, man. Nobody uses that tired old thing! The future is ROT26.
Wrong. See www.outguess.org.
(From a steg researcher, who gets rather irritated at everyone thinking they are an expert on this difficult subject.)
For Mac OS X Pict encrypt for free ......download at www.pariahware.com. It's an easy program, and requires no geeks. Hides text messages in gif and jpegs.
Ranger that someone mentioned here on /. in YRO: MPAA Goes After Its Customers is also doing this.
Take a look at their Government Solutions if you are interested.
IMO the sum total of all information gathering on the internet by private and corporate bodies may exceed that performed by governments.
Steganography is nothing new, I believe a program called Stego has been available for Mac for several years.
The article is also a bit confusing - first they say it encrypts files, then they 'can be protected with a password.'
Steganography is great for hiding encrypted stuff, but it only offers 'security through obscurity' alone. Also, if the encryption uses something like a fixed, unencrypted header or a magic number or PGP style header, it ought to be pretty easy to detect even if it cannot be decrypted. And that, of course defeats the whole purpose of stego.
Oh great, now there is actually a proper excuse to post such nonsense as: "go to blablalbla.com to check out some goatsex pictures..... But wait, there is a hidden message in them, honest!"
rm -rf sig
Heh, You really need to get with the program. This message is encrypted with rot-52... twice as strong as rot-26.
Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
Seeing as how they've been merrily spamming us for a while now, we could just return the favor, spamming everyone in china with copies of this program. Worst case, the Chinese government comes up with a solution to the spam problem...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I saw in an article that terrorists have been using encrypted messages in pictures to communicate. The most interesting thing is they were (or are still?) putting them on ebay. With the millions of auctions just on that site alone I imagine it would be pretty hard to track such a thing.
instead of drivecrypt I suggest you have a look at StegFS which does the same but is GPL'd
With visual steganography, even though we would be unable to decode a message, would it still be possible to detect it?
I would imagine that changing pixel tones ever so slightly would create an imbalance in the tone distribution, making solid-color areas slightly uneven. This may be undetectable to the naked eye, but software may be able to see it. And, wouldn't compression normalize like colors anyway?
If this is true (I don't know) I guess a way around it would be to embed smaller messages in larger images, placing only a single character in a given "color zone". Maybe an image with a more robust color scheme could be seen as suspicious.
And I suppose that since 911 I'm not supposed to close my envelopes shut anymore, because then I could be sending a letter with content that can not be read ? ...
Encryption exists and is necessary (think of using your credit card on the net).
Banning a technology doesn't avoid criminals to use it. I think they still have guns, terrorists make bombs,
When you hide an image in a pic, most stego tools take the last two bits of the 8 bit color code and re-write them. Thus, 10010101 could become 10010100 or some other substitution. The net effect of this over the whole picture is usually to reduce the total number of colors. Simple tools can detect this color reduction pretty simply and reliably.
That doesn't mean you can get the missing data out, anyone going to the trouble using stego will probably encrypt their data.
Let's write some more utilities so that drug runners and crazies can send undetectable messages to each other with great ease.
Currently Sourceforge and its mirrors are banned by the Greatfirewall of China.
People didn't actually read the website ...
Users in countries where the Internet is censored do not necessarily need to install any software. They merely need to make a simple change to their Internet settings so that their access to the World Wide Web is mediated by the Peekabooty network.
Moderation Totals: Flamebait=2, Troll=1, Redundant=1, Insightful=6, Overrated=1, Underrated=1, Total=12. (not mine)
Jesus... someone mod this asshole down to a -2... this thing is a fucking book! The "War and Peace" of oral sex. I certainly hope this guy cut-n-paste (or maybe 'cunt-n-paste'?) this shit... otherwise he had WAY too much fucking time on his hands. (He probably had his dick in his hands too)
People keep saying "How can they get Peek-A-Booty if the firewall is already inplace?"
Users in countries where the Internet is censored do not necessarily need to install any software. They merely need to make a simple change to their Internet settings so that their access to the World Wide Web is mediated by the Peekabooty network.
About Peekabooty
Moderation Totals: Flamebait=2, Troll=1, Redundant=1, Insightful=6, Overrated=1, Underrated=1, Total=12. (not mine)
Another nice benefit of this tool will be the development of secure, anonymous P2P networks. Look at all the shit in the news lately about how ISP's are cutting off KaZaa. And, how Ranger Online is tracking down Gnutella users. The RIAA/MPAA Gestapo is out to get us and take us down. New tools like Peekabooty and FreeNet will help to insure that these organizations will never, EVER shut down the free-flow of information on the Net. Peekabooty is a dagger that is aimed right at the heart of corporate America! It says: "You think you can take over the Net? Ha! Fuck you and the horse you rode in on!". This just proves to them that we can always defeat them with technology regardless of how much money they have!
Why would this necessarily reduce the number of colors in the picture? Wouldn't that depend on the data stream you are encoding into the picture? I mean if you decide to put each consecutive 2 bits of your data stream into the last two bits of each byte, then number of different colors would depend on the percentages of the 4 different combinations of two bits. All you have to do then is massage your data stream to be sufficiently random. Any good compression scheme should do that.
I had to go dig up my SANS notes for this one. I'm not a mathematician and I'm not some stego expert. I just attended the seminar.
According to what it says here, when you embed data in an image, you have to alter the color table and this increases the number of near duplicate colors. A normal bitmap has very few duplicates, a stego'd bitmap has many. In the example, a bitmap of a forest scene jumps from 2 duplicate colors to 1046 after being stego'd. Why? Ask an expert, I just work here. When the number of duplicate or near duplicate colors approaches 50, usually there is a hidden file in the image.
Going to what you said, colors in an image are not randomized, and a random bit stream would stand out exactly for that reason.
This is an article on detecting stego I found on Google, want more info, ask the author.
I donated to peek a booty.
will my name show up if i grep the source code
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
You could use a very high color image. And just pair the colors close to each other. That would make it hard to spot (with encryption maybe impossible) but that would result in a very low payload density.
FRA: STFU GTFO
Maybe he was just thinking that spamming everyone taints a person for life.
1) it was obviously a girl posting, not a guy. ;)
2) anyone know where I can get something this detailed about the penis?
there's a lot more stories on the slashdot frontpage, you big penis.
Would you really kill yourself? Or would you be like Ted Bundy and let the state eventually execute you for serial rape and murder? I hope you realize what pr0n does to you - you're not getting bored, you're being desensitized. Find help. You don't know what depths you'll reach until you hit them - and that might be far too late.
Unfortunately, this is slashdot, where 'prudish' views of sex and pr0n are laughed out the door...
For those who find that the Hacktivismo site is slashdotted, Camera/Shy is also available for anonymous download from:
http://www.mirrors.wiretapped.net/security/steganography/camerashy/
or
ftp://mailprivately.com
Isn't half of sourceforge beta products that work pretty well? I am running a lot of stuff from CVS that's not even beta, but nightly builds...
Just a thought
Tibbon
tibbon.com
is being released soon, according to Wired. It will be interesting to see how this works in conjunction with Peek-a-booty.