Peekabooty, Camera/Shy Released

An anonymous (how appropriate) writer sends "Peek-a-Booty, a program designed to circumvent mechanisms (such as China's Great Firewall) limiting access to websites, has been open-sourced. It's listed as a "Beta" on SourceForge, but the Peek-a-booty website seems to encourage people to start using it." And Doug writes "PC World reports about a new tool to encrypt text with a click of the mouse and bury the text in an image. After posting an embedded image on a Web site, someone can notify intended recipients by e-mail with code words such as 'Go to this URL to see pictures from my birthday party.'"

Birthday pics?

[ocbwilg]

After posting an embedded image on a Web site, someone can notify intended recipients by e-mail with code words such as 'Go to this URL to see pictures from my birthday party.'"

This product must have already been released since I've been getting emails like that for months now. "I just turned 18! Click here for hot pictures from my 18th birthday party! You won't believe how wild my barely 18 year old friends and I got that night!"

Re:uh yeah

[Peyna]

It's now available to the masses and very easy to use. This means that almost anyone can make use of it, and not have to know very much about it.

er...

[david_g]

How are the chinese going to circumvent their firewall to be able to get this program that enables them to circumvent their firewall?

Re:er...

[Peyna]

Since it is only 1.2 MB, it'll fit on a floppy, which would be very easy to slip through if needed, since I doubt they're going to destroy all incoming floppy disks in the mail. Or just disguise it like an AOL CD.

Re:er...

[warmcat]

Yeah, then the recipient can destroy it.

Re:er...

[paulbaranowski]

If someone sent you the IP address of a Peekabooty node (or any other proxy) to you, you could proxy through it to download Peekabooty for yourself. One of the main jobs of Peekabooty is to constantly find you new proxies to route through so that you dont have to constantly be getting IP addresses of proxies via email. So the bootstrap process requires a little manual labor, but after that it should require no intervention on your part.

That explains it!

[MxTxL]

I guess all those x10 ads were just a bunch of Chinese dissidents passing messages ICQ style.

Free sites already foil this, IIRC

[wirefarm]

Long ago, I tried hosting the images for a site on Geocities or Tripod or somewhere and the HTML page on my laptop and Ricochet modem. Worked OK, but I noticed one side effect that would seem to be relevant - these sites were re-compressing the images.
If you take a jpeg and encode some data steganographically and later the compression is changed, wouldn't that effectively remove the steganographic information? (Correct me if I'm wrong.)

Now, if I was trying to communicate with terrorists this way, pretty much the only safe way would be to put the 'birthday pics' up on a very popular free site - no way I'd post them anywhere that had my name connected to it.

I don't know if the compression thing is common, but couldn't something like that be put pretty transparently into "The Great Firewall"?

Cheers,
Jim in Tokyo

Re:Free sites already foil this, IIRC

[Beryllium+Sphere(tm)]

Some of the watermarking vendors claim that their watermarks can survive recompression.

Watermarks are like steganography in that both involve embedding information in a file that isn't immediately visible or audible.

Of course watermarks are supposed to be easy to find, which is a big difference. Ideal steganoraphy should be undetectable without a secret key.

Then there's the question of whether the watermarking vendors are, uh, exaggerating.

Wide use of stego technology could lead to a brand new kind of censorship. Any secret policeman could claim that any file contained contraband. "Attention all citizens! The file 'Los Angeles Police.mpg. contains encoded attack orders from Osama bin Laden! If you know anyone who has it, denounce them to your neighborhood committee immediately!"

Re:Free sites already foil this, IIRC

[joshki]

They're not exaggerating. Watermarking can survive printing and scanning in addition to many manipulations. I know I tried it once just to see -- it's a weird feeling to put a watermark in something, save it as a jpeg, print it out, wrinkle up the paper, recan it, and still be able to get the watermark out of it. I don't know about steganography, but if the process is similar your information should survive.

Re:Free sites already foil this, IIRC

[Vryl]

No, this is not neccessarily correct. Stego systems such as drm watermarking are designed to to withstand image manipulation and re-compression.

Exactly how well is open to much dispute.

Re:Free sites already foil this, IIRC

[realdpk]

FWIW, free sites do this because they're being abused. There are Japanese warez groups that upload fake JPGs and GIFs, with valid headers, that contain nothing but warez. They have some custom program that assembles the pictures and uncompresses them. I've yet to see the actual program, but I've seen the massive amounts of bandwidth this sort of thing costs.

Really, in a case I know about, warez ends up being about 30% of a "free hosting" site's traffic. (With naked kiddies taking up the rest of the majority).

Am I missing something?

[FreeLinux]

From the description at the Peek-a-Booty site it seems to me that it is nothing more than open proxies running SSL. While I understand their stated goals, the whole project seems redundant.

First, the project assumes that the governments are using a NOT list. This is a big assumtion. I would think that control freaks like the Chinese government would more likely use an ALLOW list. A small list of governmet sanctioned sites. This would, of course, negate Peek-A-Booty.

If the government is in fact, using a NOT list, there are already countless open proxies continually popping up all over the place. This makes me think that the whole project is redundant.

Re:Am I missing something?

[kawaichan]

Allow list would probably be way too much work, you mean people would just sit there visiting and decides whether these pages are gonna be allowed or not?

I always thought if you want information bad enough, you can just sign up for an ISP account offshore, sure long distance is gonna cost you, but then again, you can see access all the information you want.

Re:Am I missing something?

[helarno]

Last time I checked, they used a NOT list and it was a very small list. For mainstream use, you could pretty much access anything you wanted with the exception of a couple of news sites like CNN and sometimes, NYT. The blocking was erratic though ... some months the sites were reachable, other days, they were perfectly fine. Of course, I'm sure a few dissident sites are blocked, but since I don't view those on a daily basis, I wouldn't know.

But it's really a non-issue. Even 4 years ago, all the internet cafes I visited by default went through a proxy that pretty much allowed you to view whatever you wanted. Knowledge of how to circumvent the blocks were very common among the younger audience. I'm sure it's even more prevalent today. For China, at least, this project isn't really relevant.

Re:Am I missing something?

[nemesisj]

Their implementation of their current firewall is very loosely implemented as it is up to each carrier in each city to do the blocking. They are currently rolling out a much improved system that will enable them to completely control and/or replace content, as referenced by several stories on slashdot. The attractive thing about SSL proxies is that they either allow SSL or deny it completely - making this arrangement very attractive. Of course, there's nothing that will prevent them from declaring this product illegal, which, unlike the US has serious ramifications if you're found violating a state security law. Additionally, they could just deny all traffic that doesn't run through their proxies. China currently mandates that a site must have approval for a site to be hosted in China. It's a small step to require companies to buy an SSL cert from China in order to reach a quarter of the world's market in the coming years. Bottom line - it will be a constantly evolving war between the freedom seekers and the freedom takers.

Re:Am I missing something?

[Sverdlov]

From the peekabooty FAQ:

Do you think that your efforts to create Peekabooty will cause censoring countries to change their filtering policy from 'default-allow' to 'default-deny', that is, instead of blocking 'bad' sites it will instead only allow 'good' ones?

This is very similar thinking as to what happened prior to WWII. The good guys let Germany invade its neighbors because they didn't want something REALLY bad to happen. If an evil madman tells you that you have to choose which of two people he is going to kill, it is still the madman's fault that someone is dead no matter which one you choose. If a government switches over to an allow-only system, this helps the cause even further. What we want is an end to censorship. The only way that is going to happen is that the government stops censoring its own people. The people have to make that happen. Not only is censorship possible, but total 1984-style control and monitoring is possible, and China in particular is heading in that direction as fast as it can. One of the benefits of Peekabooty is that it is bringing awareness to thousands of people around the world about the issues.

In any event, a country has to overcome some major obstacles to switch to an allow-only system: 1) It's a lot of work with a lot of administration headaches (there are way more good web sites than bad ones), 2) the 'allow' list is bigger than a 'deny' list, which puts more strain on hardware that already cannot handle the load, 3) economic reasons (the cash doesn't flow if the commercial web sites are blocked), and 4) it will cause unrest.

Re:Am I missing something?

[mrbnsn]

I want to reemphasize the point made in the parent: "For China, at least, this project isn't really relevant." The "hactivist" crowd has never been any good at doing their homework, and this is just the latest example.

The Chinese government DOESN'T EVEN BLOCK THE GOOGLE CACHE. Any site that's blocked, you just look it up in Google, and hit the "cached" link. They did block Google, once, for about a week, until popular outrage made them give it up.

That should give you an idea of just how "terrified" they are by the so-called threat the Internet poses to their hold on power. What they're really afraid of are the tens of millions of affluent, educated, urban Internet users rising up in revolt if their favorite toy gets taken away from them.

That, and the hundreds of millions of undereducated, underemployed peasants and factory workers who don't have a future, and barely enough to eat, much less Internet access.

Re:Am I missing something?

[gorilla]

5) Sites which are considered 'good' can be quickly changed to be actually 'bad'. In other words, if you allow "pink fuzzy bunny's home page", after spending 6 months making sure it's not got any bad content and none of the images appear to contain messages, then the next day the owner can upload a picture of fuzzy bunny with a secret message.

Snake Oil

[cperciva]

This "steganography tool" is no more than snake oil.

Rather than using a more advanced method of steganography, this tool packs data into the least significant bits of the image. Simple, easy, and incredibly obvious. This is to steganography what ROT13 is to encryption -- if you use it for anything important, people will laugh at you.

In fact, this is the worst kind of snake oil, because it is not only ineffective, but also dangerous. The administrators of the Great Firewall Of China (for example) could very easily detect files encoded with this software; using it would then be akin to waving a red flag and shouting "hey, I'm doing something I don't want you to know about". Bad steganography is worse than no steganography, because it highlights the fact that you're trying to hide something.

Re:Snake Oil

[phaxkolumbo]

This might sound like a stupid question (but then again I'm no steganography expert), but how exactly is packing the data in LSB's obvious?

Doesn't that become obvious only after the inclusion of headers and such? I mean that the distribution of 1's and 0's in an image should be pretty much the same, regardless of any hidden data.

The article is pretty light on technical details, so no answers from there.

Re:hmm

>uhm yeah, make it easy for the terrorists...

Cars make it pretty easy for terrorists to build a car bomb. Ryder trucks make it pretty easy for terrorists to fill one with ANFO. Should we stop making cars? Should we stop renting trucks? Buses make good targets for suicide bombers. Should our metropolitan areas stop offering bus service?

I don't mean to pick on you personally, but I'm getting damn tired of the argument that we shouldn't do this or that because it might make something easier for a terrorist. Just because there are assholes in the world doesn't mean there aren't people with legitimate uses for new technology.

Re:hmm

[2g3-598hX]

No, don't worry. Echelon is going to start downloading images from the internet now. Ha..the NSA is gonna end up with the biggest pr0n collection in the world...now, people, don't take that as a challenge.

This stuff needed in USA

[WCMI92]

I can see a growing need for this kind of thing in the USA, as we allow the Megacorp cartels like the RIAA/MPAA to chop off and "firewall" so to speak, the individual.

Remember the Napster trial? The infamous statement by a RIAA honcho "We will firewall them at their PC"? And then go read the story just below this one where AOLTW's RoadRunner is port blocking Kazaa.

I find it very interesting phinisophically, that the net result of "Big Government (Communist)" and "Big Business (Capitalist)", when left unrestrained by civil law that is supposed to protect and affirm the rights of the individual, produce the SAME RESULTS!

In the communist system, as China is, the governmment IS the corporation. It makes up "laws" as it goes along, always to benefit those in power. In the USA, we've allowed corporations to achieve similar results by the fact that our Congress and Presidents are passing and signing laws WRITTEN BY THEM, as the DMCA and CBDTPA are.

Unfortunately for the tyrants, both governmental and corporate, there are a lot of Thomas Paine's in the world, and they tend to be creative people. Hence this program that lets you circumvent firewalls.

Re:This stuff needed in USA

[WCMI92]

"Why do we claim to be an enlightened nation, yet actively trade with China? They need us much more than we need them."

Two reasons:

1. The extreme on the left in this country, the ones who's religion is government, LIKE China and wish the USA were more like it...

2. The megacorporations, who's religion is cheap labor.

Yet another stunning example that the extreme right and extreme left produce the SAME results, ultimately.

BTW, I don't necessarily agree that Communism is extreme Republicanism, I think socialism/communism are left wing totalitarianism. Right wing totalitarianism would be something more akin to what exists in the middle eastern Islamic fundamentalist states.

Much as I am devoted to my religion (Christianity), I DO NOT want priests running the country, if you catch my drift.

But they both produce similar results, an oppressed people whom have no individual rights or choices.

"One of the slogans for communism is that with everyone equal, there is no slavery and no discrimination. If you look at it, all but those in the high levels of government are slaves. If you look at it, all but those in the high levels of government are discriminated against."

Communism is state slavery. Where there is no individual liberty, nor right of private property, the State owns everything, and therefore, everybody. Should it surprise anyone that in EVERY so called "egalitarian" system, which Marxist-Lenninism-Maoism purports to be, that some (the few elites) are "more equal than equal".

Our own system is the same way, looking at the easy access the rich have to legislation, but has the virtue of not having YET opressed the average individual to the extreme of a communist state.

YET being the operative word. Legislatively, we are headed there. Rapidly. Not at the behest of government, but at the behest of the CORPORATIONS...

I see things like Peakabooty as 21st century civil disobedience. Sooner or later, a rebellion of the individual against the collective WILL happen, or else we will become nothing more than uniformed drones in the collective.

You can also use a program called Camouflage

[asavage]

Camouflage can hide any file(eg mp3) inside any other file like a picture or a word document. The created file will look and act normal but might be a little big.

I propose a new form of steganography

[phaxkolumbo]

How about putting hidden messages in spam? Nobody bothers with those anymore, anyway.

Here's an example:
***SNORING KEEPING YOU FROM A GOOD NIGHT SLEEP ?***
tHIs proDuct has been featureD on national tv.doEs sNoring keep you up at night?
tired of having to sleep in separate rooMs bEcauSe of Snoring?
just tired of being tired becAuse of someone's snorinG?
tired of hEaring how your snoring kept someone up all night?
There is a safe, natural solution to your snoring problem...

And so on...

The steganographic schema could be a bit more advanced in the production version, but i think the basic idea is good enuff for a start.

Re:I propose a new form of steganography

[Tazzy531]

Already available: http://www.spammimic.com/ and talked about here: Wired

Re:I propose a new form of steganography

[Monkelectric]

That kind of steganography is called "hidden channel." Although in your case, its not that hidden :)

Reinventing "crowds"?

[merlyn]

Peek-a-booty seems to be simply reinventing the Crowds project. Why?

Re:Reinventing "crowds"?

[mlinksva]

Perhaps because the crowds software hasn't been updated since 1998, the server in the default configuration refuses connections and there's no support or development mailing lists nor public cvs. Crowds is "only" 3301 lines of Perl, entirely feasible to reimplement if they disagreed with some crowds design decision, didn't want the Perl dependency, or simply wanted to write it themselves. If crowds had a significant user base they should've thought about implementing its protocol, but it doesn't seem to. Perhaps someone should fork crowds and put it on sourceforge (after pinging the original authors).

Re:Reinventing "crowds"?

[mlinksva]

OTOH if peek-a-booty does take off, somebody should do a Perl implementation of that protocol.

Peekabooty website NOT blocked by the GFOC

[H3XA]

I am confirming that the GFOC (Great Firewall of China) do not block the Peekabooty websites..... YET
Not that I really need this - I don't do anything that I need to hide from the Chinese government, Sure they block my access to Geocities and BBC but I don't see that as a bad thing.
- HeXa

Snake Oil? Maybe... maybe not.

[muerte24]

there are many tools which allow you to hide things in images. there is already "Steganotools" (i forget the website) and programs like "Camoflage" that hide files inside of other files, or append them on the end as junk.

if you really want secrecy, you can move to things like "DriveCrypt", which makes containers you can mount as new drives. but these containers have no header, and being compressed and encrypted, it's impossible to distinguish them from purely random data unless you know the strong passphrase.

the idea of hiding data in the LSB of pictures (or mp3's for that matter) is old. just better hope that no one else has a copy of the original file! if you choose specific pictures where the LSB is statistically random enough, there is nothing that says you can't hide data there securely. the simplest way for short messages is to run MD5 (or some other hash) on your passphrase, and XOR the resulting digest on your message to produce your cyphertext. then just replace the LSB's in your image file.

just make sure you replace all your LSB's or else an attacker can detect that there is something hidden.

the only thing new about this particular tool is that it uses a browser plugin to decrypt the picture by double clicking on it. that sounds insecure to me.

drivecrypt lets you install the program entirely on removable media, so you don't have strange stego tools installed on your computer when the Red Police come busting down your door...

just my $.02.

muerte

Re:Sounds like....

[Myco]

I don't get it. Are you saying that people who appear in porn are ruining their chances to have worthwhile lives? That's a very sex-negative attitude.

Picture encryption

[fylloxera]

For Mac OS X Pict encrypt for free ......download at www.pariahware.com. It's a easy program, and requires no geeks. Hides text messages in gif and jpegs.

Re:Snake Oil -- ROT13? Old school.

[Kredal]

Heh, You really need to get with the program. This message is encrypted with rot-52... twice as strong as rot-26.

Well...

[Greyfox]

Seeing as how they've been merrily spamming us for a while now, we could just return the favor, spamming everyone in china with copies of this program. Worst case, the Chinese government comes up with a solution to the spam problem...

Re:excuse

[GigsVT]

What if goatse.cx has been used for passing stego messages all along? I mean why else would some guy put up a random sick picture on a domain, and people would constantly post links to it.

I bet there is a secret code in anonymous Slashdot posts that set off notification to pick up the newest version of gap.jpg off of goatse.cx.

For example:

Dirty Gnu Hippie: The plan is ready, go get new instructions.

BSD is dying: Abort mission, pick up new instructions from hick.org.

Alan Thicke: Mission sucessful, drinks in safe house tonight

After all, who is going to run checksums on something silly like the goatse guy? :)

Re:nodes?

[crisco]

People are posting nodes at the discussion site. Peekabooty apparantly needs some kind of gnutella style peer discovery or peer reflectors. Of course, those would then become blocked...

As Usual

[emkman]

People didn't actually read the website ...

Users in countries where the Internet is censored do not necessarily need to install any software. They merely need to make a simple change to their Internet settings so that their access to the World Wide Web is mediated by the Peekabooty network.

Re:Great...

[geekd]

Lets write some more utilities so that drug runners and crazies can send undetectible messages to eachother with great ease.

What's the difference between criminals and "legitimate" political dissidents? To the governments of the world, nothing.

I'm sure King George thought Washington and Jefferson were "crazies".

I'm sure the British government thought Ghandi was a criminal. They put him in jail several times.

The price of a truly free country is that "drug runners and crazies can send undetectible messages to eachother with great ease". This has to be so that future Ghandis and Mandellas can do so also.

Or we can just shut everybody up. Yeah, lets do that. Let's start with you.

As usual... everyone is missing the point.

[GuNgA-DiN]

Sure the Peekabooty website talks about free speech in China, blah, blah, blah.... Everyone here is arguing about whether the Chinese will block Peekabooty and whether it will be an effective tool for freedom of speech. But, the REAL point of this software isn't to help the Chinese -- it's to help us poor saps in the Good Ole US of A! Think about it: since 9/11 our Government has gotten more and more oppressive. They have taken away freedoms that we used to take for granted. But, if the developers of Peekabooty came right out and said: "this is used to circumvent the assholes in Homeland Security" they would get a visit from the NSA/FBI/CIA etc.. They picked an oppressive regime (like China) to talk about this tool. But, substitute the letters USA for CHINA and you will begin to see the truth.

Another nice benefit of this tool will be the developement of secure, anonymous P2P networks. Look at all the shit in the news lately about how ISP's are cutting off KaZaa. And, how Ranger Online is tracking down Gnutella users. The RIAA/MPAA Gestapo is out to get us and take us down. New tools like Peekabooty and FreeNet will help to insure that these organizations will never, EVER shut down the free-flow of information on the Net. Peekabooty is a dagger that is aimed right at the heart of corporate America! It says: "You think you can take over the Net? Ha! Fuck you and the horse you rode in on!". This just proves to them that we can always defeat them with technology regardless of how much money they have!

Re:Snake Oil - How It's Obvious

[GMontag451]

Why would this necessarily reduce the number of colors in the picture? Wouldn't that depend on the data stream you are encoding into the picture? I mean if you decide to put each consequtive 2 bits of your data stream into the last two bits of each byte, then number of different colors would depend on the percentages of the 4 different combinations of two bits. All you have to do then is massage your data stream to be sufficiently random. Any good compression scheme should do that.

Re:Sounds like....

[Turing+Machine]

They wouldn't be "ruining their chance to do anything worthwhile" if prudes didn't have the bizarre notion than sex under anything other than monogamous, heterosexual, church- and government-blessed circumstances tainted a person for life.

Re:Show me the money

[TRACK-YOUR-POSITION]

Maybe he was just thinking that spamming everyone taints a person for life.

Isn't half of...

[TibbonZero]

Isn't half of sourceforge beta products that work pretty well? I am running alot of stuff from CVS that's not even beta, but nightly builds...
Just a thought

6/4 anonymous proxy software (by cDc)

[scubacuda]

is being released soon, according to Wired. It will be interesting to see how this works in conjunction with Peek-a-booty.