Peekabooty, Camera/Shy Released
An anonymous (how appropriate) writer sends "Peek-a-Booty, a program designed to circumvent mechanisms (such as China's Great Firewall) limiting access to websites, has been open-sourced. It's listed as a "Beta" on SourceForge, but the Peek-a-booty website seems to encourage people to start using it." And Doug writes "PC World reports about a new tool to encrypt text with a click of the mouse and bury the text in an image. After posting an embedded image on a Web site, someone can notify intended recipients by e-mail with code words such as 'Go to this URL to see pictures from my birthday party.'"
Long ago, I tried hosting the images for a site on Geocities or Tripod or somewhere and the HTML page on my laptop and Ricochet modem. Worked OK, but I noticed one side effect that would seem to be relevant - these sites were re-compressing the images.
If you take a jpeg and encode some data steganographically and later the compression is changed, wouldn't that effectively remove the steganographic information? (Correct me if I'm wrong.)
Now, if I was trying to communicate with terrorists this way, pretty much the only safe way would be to put the 'birthday pics' up on a very popular free site - no way I'd post them anywhere that had my name connected to it.
I don't know if the compression thing is common, but couldn't something like that be put pretty transparently into "The Great Firewall"?
Cheers,
Jim in Tokyo
-- My Weblog.
This "steganography tool" is no more than snake oil.
Rather than using a more advanced method of steganography, this tool packs data into the least significant bits of the image. Simple, easy, and incredibly obvious. This is to steganography what ROT13 is to encryption -- if you use it for anything important, people will laugh at you.
In fact, this is the worst kind of snake oil, because it is not only ineffective, but also dangerous. The administrators of the Great Firewall Of China (for example) could very easily detect files encoded with this software; using it would then be akin to waving a red flag and shouting "hey, I'm doing something I don't want you to know about". Bad steganography is worse than no steganography, because it highlights the fact that you're trying to hide something.
Tarsnap: Online backups for the truly paranoid
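An added example, not part of the thread and not code from the tool under discussion: it shows why naive least-significant-bit embedding is statistically detectable, and what lossy re-encoding (the recompression asked about earlier in the thread) does to such a payload. The pixel sample is constructed, random bits stand in for an encrypted payload, requantisation is a crude model of recompression, and all function names are hypothetical.

```python
import random
from collections import Counter

def make_cover(n, rng):
    """Constructed stand-in for image pixels: an uneven 8-bit histogram,
    as natural images have (adjacent values 2k and 2k+1 occur unequally)."""
    weights = [rng.uniform(0.1, 1.0) for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=n)

def lsb_embed(pixels, bits):
    """Naive LSB replacement: overwrite each pixel's lowest bit with a payload bit."""
    return [(p & ~1) | b for p, b in zip(pixels, bits)] + pixels[len(bits):]

def lsb_extract(pixels, n):
    return [p & 1 for p in pixels[:n]]

def pair_score(pixels, min_expected=5):
    """Chi-square statistic per degree of freedom over value pairs (2k, 2k+1).
    Random payload bits equalise each pair, so the score falls to about 1;
    an untouched uneven histogram scores far higher."""
    hist = Counter(pixels)
    stat, df = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected >= min_expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
            df += 1
    return stat / df

def recompress(pixels, step=4):
    """Crude model of lossy re-encoding: requantise values to multiples of step."""
    return [min(255, round(p / step) * step) for p in pixels]

def bit_error_rate(sent, received):
    return sum(s != r for s, r in zip(sent, received)) / len(sent)

def demo(seed=1, n=50_000):
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    payload = [rng.getrandbits(1) for _ in range(n)]  # stands in for ciphertext bits
    stego = lsb_embed(cover, payload)
    return {
        "cover_score": pair_score(cover),
        "stego_score": pair_score(stego),
        "ber_intact": bit_error_rate(payload, lsb_extract(stego, n)),
        "ber_recompressed": bit_error_rate(payload, lsb_extract(recompress(stego), n)),
    }
```

A score near 1 is what a filter would flag: the pair counts have been flattened in a way untouched images do not show. A bit error rate near 0.5 after requantisation means the recovered payload is indistinguishable from noise.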
Already available: http://www.spammimic.com/ and talked about here: Wired
_______________________________
"I'm not Conceited...I'm just a realist..."
I am confirming that the GFOC (Great Firewall of China) does not block the Peekabooty websites..... YET
Not that I really need this - I don't do anything that I need to hide from the Chinese government. Sure, they block my access to Geocities and BBC, but I don't see that as a bad thing.
- HeXa
For Mac OS X: Pict encrypt, for free... download at www.pariahware.com. It's an easy program, and requires no geeks. Hides text messages in GIFs and JPEGs.
Their implementation of their current firewall is very loosely implemented as it is up to each carrier in each city to do the blocking. They are currently rolling out a much improved system that will enable them to completely control and/or replace content, as referenced by several stories on Slashdot. The attractive thing about SSL proxies is that they either allow SSL or deny it completely - making this arrangement very attractive. Of course, there's nothing that will prevent them from declaring this product illegal, which, unlike in the US, has serious ramifications if you're found violating a state security law. Additionally, they could just deny all traffic that doesn't run through their proxies. China currently mandates that a site must have approval for a site to be hosted in China. It's a small step to require companies to buy an SSL cert from China in order to reach a quarter of the world's market in the coming years. Bottom line - it will be a constantly evolving war between the freedom seekers and the freedom takers.
$45 per U Colocation Special
People didn't actually read the website ...
Users in countries where the Internet is censored do not necessarily need to install any software. They merely need to make a simple change to their Internet settings so that their access to the World Wide Web is mediated by the Peekabooty network.
Moderation Totals: Flamebait=2, Troll=1, Redundant=1, Insightful=6, Overrated=1, Underrated=1, Total=12. (not mine)
If someone sent you the IP address of a Peekabooty node (or any other proxy), you could proxy through it to download Peekabooty for yourself. One of the main jobs of Peekabooty is to constantly find you new proxies to route through so that you don't have to constantly be getting IP addresses of proxies via email. So the bootstrap process requires a little manual labor, but after that it should require no intervention on your part.
If you look at 'crowds', you'll see that, in addition to being incomplete (things like implementation of proper initialization vectors were not done, stream cipher is untested homebrew, etc.) and unmaintained, it's not available outside the US and Canada, nor is it designed for environments like China.
Crowds is not anti-censorware, and has no provisions to allow for blocked URLs, nor does it have any way of working with nodes which are in any way blocked. It also assumes that you can trust everyone in your crowd -- messages are decrypted to plaintext at every node. While this might be tolerable within the AT&T workplace, the trust model breaks down when spies might be admitted to the network, or when users and their machines might be captured by hostile parties.
That's why 'crowds' wouldn't cut it.