Slashdot Mirror
Hiding Secrets With Steganography On FreeBSD
BSD Forums writes "Bad guys in the movies all keep their wall safes hidden behind paintings. Is there a metaphor in there for your sensitive files? OnLamp's Dru Lavigne explores steganography, or hiding secret messages in images or sounds, with the outguess and steghide utilities on FreeBSD."
Try seeing the message hidden in this image. It may take a few moments.. Please don't post the message here, let others figure it out for themselves.
Good luck!
Trolling is a art,
fp!
How many secret ways do you need to say "*BSD is dying"?
This is a thr0d p1st. There are many like it, but this one is mine. So suck it down negroes.
fuck you.
I hide a picture of myself in the login bitmap on my school network
~ Maintainer of the Skajake Projects
...people just think it is because it hides itself very well. ;-)
Makes you wonder what the demon is hiding
Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
Please do not read this text.
I'd be interested to know if this is just a BSD thing or if I can run these apps on Linux or Windows.
I used to use this kind of thing to hide certain, ahem, suspect images on the Acorn machines at school.
:o)
Of course being an adult now it's not as required, but I suppose it might be able to hide offensive pr0n images inside more innocent ones - so that anyone looking finds pretty mild things and stops there, without being able to find things that would get you looked at oddly in church
Beep beep.
I've been using it for years, posting messages like "allah is great" on Fark photoshop contests.
Just raising the background chatter to a dull roar.
my problem wrt steganography is that it 'feels' more like security through obscurity than an actual cryptographic regime (ala gpg encrypted attachments, etc). Other than that, neat stuff.
Sometimes people just have to learn and adapt to change, it is one of the requirements of being a living thing.
don't tell anyone! /too late i guess
...is that no one else knows where to look to find things that might be sensitive. You can literally hide things in plain sight, but with the amount of crud stacked everywhere physically, and the amount of data strewn about with no apparent labelling (except for the porn of course), no one can actually tell what is important and what isn't.
Of course, dates don't seem to understand the logic of living in an apartment that already looks like it's been rifled through.
Do not look into laser with remaining eye.
How you are able to handle being african-american and homosexual, without the firm, guiding hand (and other appendages!) of the GNAA.
(suck it down, negroes)
I use steg sometimes to pass messages i dont want out in plaintext or overtly encrypted, but it has to be passed in such a way that it isnt apparent that a message is there (i.e. email to brother 'See these pics of grandma!'). It is not a foolproof method, but its very useful when you realize you cant trust the encryption itself to hide the message.
BSD is mentioned 3 times in the post, while the utilities that actually do the work are only mentioned once? This is like titling a post "Processing Images with Filters on Mac OS X" and only mentioning once that you use Photoshop.
"And this is my boy, Sherman. Speak, Sherman." "Hello." "Good boy."
No, bad guys in movies walk into the Rich Dude's house, immediately realize where the safe is, pull the painting away and get whatever's in the safe. How many times have we said that security through obscurity isn't security, and now we're all clamoring about obscuring data to make it safer.
Data-wise, it seems like you'd need to be hiding a relatively small amount of data. Otherwise, you're like an elephant trying to blend in at an LA cocktail party.
Please help metamoderate.
Why should I have to risk screwing up my system using an unproven, unstable potentially dangerous system like FreeBSD? Why can't you just provide binaries for Linux, the industry standard for security.
And FreeBSD zealots, as much as this simple truth hurts, please don't mod this -1,troll or -1, flamebait, that is known as denail.
This was my first exposure to a steganopraphy demo....Written by the author of a bunch of books on Computer Networks and Operating Systems... http://www.cs.vu.nl/~ast/books/mos2/zebras.html
To myself I won't be lying,
that Free B S D isn't dying.
All the BAD GUYS hide their safes behind pictures? Is the metaphor you're trying to paint that BAD GUYS use steganography? The government propaganda wars are working. Newspeak is ingrained.
Every citizen of these modern times is a criminal, and because everyone is a criminal, everyone should use steganography. Most criminals are not BAD GUYS, but instead, good loving parents, patriots, and friends to society. It no longer makes sense to equate criminal to BAD.
fifth sigma, inc.
I am thinking spy stuff now because this trend you have that critical file excahnged without detection (yeah right). Or you can hide your critical data in one of these just a thought
Get Movie Posters
- jsteg,
- jphide (unix and windows),
- invisible secrets,
- outguess 01.3b,
- F5 (header analysis),
- appendX and camouflage.
Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.First time I read the headline, I thought it was implying that there are secret messages in the icons/images that are part of the freeBSD installation. Which brings me to wonder: what prevents people from putting messages hidden in the KDE or Gnome icons and such?
(Maybe a "If you can read this, you're too paranoid" sort of message in the Redhat splash picture?)
alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
Simply rename its extension to .dll. It will fit right in to the gigs of OS files.
I have yet to see a good treatment of the necessity of hiding the fact that one may have knowledge of or tools capable of implementing steganography. While hiding data is a nifty thing, it's not of much practical use unless you can also hide the code - the tools that you use to embed and deembed your steganographically hidden files.
Adding hooks to libraries and hiding executable code in data areas and coming up with slick ways of calling into that code when you actually do some stega processing is an area ripe for exploration. It may be more challenging than data hiding as well, especially when you consider the huge libraries of md5sums for all known executables and libraries that are maintained and distributed by computer forensics people.
Why should I have to risk screwing up my system using an unproven, unstable potentially dangerous system like FreeBSD? Why can't you just provide binaries for Linux, the industry standard for security.
And FreeBSD zealots, as much as this simple truth hurts, please don't mod this -1,troll or -1, flamebait, that is known as denail. I am reposting this because some deluded zealot modereted it down. I have plenty of proxies thanks to comprimized BSD boxes, and I will keep on posting this until it gets a 5, insightful.
Why should I have to risk screwing up my system using an unproven, unstable potentially dangerous system like FreeBSD? Why can't you just provide binaries for Linux, the industry standard for security.
And FreeBSD zealots, as much as this simple truth hurts, please don't mod this -1,troll or -1, flamebait, that is known as denail. I am rereposting this because some deluded zealot modereted it down. I have plenty of proxies thanks to comprimized BSD boxes, and I will keep on posting this until it gets a 5, insightful.
I can hide my entire pr0n collection in a single gigpixel image?
Seriously, though, I read a news article some time ago describing how the FBI are onto such data hiding techniques after discovering terrorists (ok, "Arabs") had been posting stego encrypted messages in images posted to various popular terrorist (there I go again!) websites.
Don't know to what extent they're "onto" it (they never say, do they?), but I imagine looking for secret clues can be a full-time job.
What happens if you edit the file in a graphic utility? Does it alter the hidden info? Destroy it? Do different actions (hue shift, paining-on-top) affect the outcomes?
harmonious design
Why do we get articles about tools that are what? 3 years old?
There is enough new and interesting (and better) stuff around. For example, rubberhose would've been much more interesting to read about.
Assorted stuff I do sometimes: Lemuria.org
grub is a known troll who has already posted a goatse link on this same article! Don't give him any karma!
Why should I have to risk screwing up my system using an unproven, unstable potentially dangerous system like FreeBSD? Why can't you just provide binaries for Linux, the industry standard for security.
And FreeBSD zealots, as much as this simple truth hurts, please don't mod this -1,troll or -1, flamebait, that is known as denail. I am rereposting this because some deluded zealot modereted it down. I have plenty of proxies thanks to comprimized BSD boxes, and I will keep on posting this until it gets a 5, insightful. So don't waste your mod points, just reply nicely, as you know, if I did s/FreeBSD/Windows/g I wouldnt need to tell you not to mod it down.
I can't tell a difference in the audio quality, which, granted, I've never found that great for .wav files anyway.
Fucking fool..
OK, I know this is very much OT but a busy site such as Slashdot should be able to help me out here. Bear in mind that I'm not trying to start a flamewar or anything; just want some good reasoned responses. Right...
Why should I use FreeBSD over Linux?
The reason I'm asking is this: despite having used Linux for many years, I'm constantly being told by FreeBSD fans to switch to their favourite OS. Some make pleasant suggestions, others act with great zealotry and tell me things I know aren't true. The way I see it is as follows:
Stability - Various BSD fans have told me that it's "more stable" and "crashes less". I can safely say that my Debian and Slackware boxes have _never_ crashed or kernel panicked in five years of use; yes, in comparison to a bleeding edge desktop distro such as Mandrake, FreeBSD is bound to be more solid, but proper, well-designed and thoroughly tested distros like Debian and Slackware are totally rock-solid.
Performance - I've been told by FreeBSD users that their OS is much faster than Linux. To make this judgement myself, I performed a few benchmarks with FreeBSD 4.8 and Linux 2.4.20, and also FreeBSD 5.1 and Linux 2.6.0-test. The differences were negligible, although on my 2-CPU box Linux was the clear winner. 2.6.0-test also showed more responsive behaviour on the desktop.
Hardware support - I had troubles getting FreeBSD running on my laptop. Linux supported the hardware much better, and has a significantly broader range of x86 support.
Software support - It's so much easier to find software that will compile natively on Linux. Yep, Ports are good, but they're nowhere near as tested and integrated as, say, Debian's stable repositories.
Security - Both OSes are pretty secure by modern standards, but I can't see the value in FreeBSD's updating method. With Debian, one simple "apt-get" command is needed to get the latest security fixes. With FreeBSD, a tiresome chore of CVSuping, compiling and installing is required, which is doubly annoying on lots of boxes.
Community - Even when I've researched my problem and read up on the docs, I've had BSD fans act incredibly obnoxiously towards me. That's not good at all.
Long term support - FreeBSD only supports each release for 12 months; this means that users have to upgrade. And although upgrading isn't too difficult, the end result is a slightly different system and difficult to target apps against (new features/bugs/changes is newer Ports releases etc). Meanwhile, Debian has over 2 years support for each release, and Red Hat offer 5 - perfect for corporate adoption.
So those are the criteria I judge an OS on, and while many BSD fans keep telling me to use FreeBSD, I can't see what it offers in the real-world over Linux (subjective licensing issues aside).
What concrete benefits does FreeBSD offer? Serious question. It appears that Linux wins in the above areas, but any input would be good to hear.
Steganography is new to me (as a science). All i can say is i'm RTFA'ing and it's badass cool :o)
Does this disqualify me as a slashbot?
do() || do_not();
Posts/books/whatever that say "My webserver is Linux" (No it is not. It is Apache) "How to use LInux to serve Windows files" (No, you are using SAMBA and LDAP.) "Robot runs on Linux" (No, its some custom code that runs ON the GNU/Linux environment)
Where have YOU posted objecting to abuses like the above?
Well?
Moderators are selected from the Slashdot community, and so have the same biases. Six months ago I would have said that the Slashdot BSD section had a trolling problem. I think it's pretty clear now that Slashdot itself is a good part of the problem.
Slashdot has taken the attitude that the BSD community is responsible for cleaning up the problem via moderation, and failure to do so means that the community doesn't care. Since the community doesn't care enough, the reasoning goes, BSD really is, in some sense, dying and not worth saving. But this makes two assumptions that are easily shown to be false:
This ignores the asymmetry of the situation. A crapflooder with a dialup connection and an idle hour or two can post dozens of messages. For this, several community members have to use up all of their weekly (if they're lucky) mod points, knowing full well that the same misfit can come back and do it again minutes later.
There aren't that many more trolls or crap flooders in the more popular sections but there are a lot more moderators, so no one has to blow their entire allotment of mod points dealing with miscreants. (And I might note that all the complaints about trolls and crapflooding here indicate a community that would deal with the situation if it had the mod points to do it.)
The fallacy of this belief was brought home to me not long ago when I was metamoderated "unfair" twice in succession for down-moderating obvious trolls in the BSD section. And, as many of us have noted lately, there are an increasing number of irrelevant postings and even blatant trolls getting positive mods. Once again, the supposed self-correcting nature of moderation fails for lower-trafficked sections.
This is actually just the tip of an iceberg which threatens to smash Slashdot into a chaotic free-for-all; I don't think the BSD section is likely to be an isolated case for long (if this is even the case now). Just skim through the postings on nearly any technophile (i.e. geeky) subject, and see how little interest there is for true "News for Nerds" any more. At least the half the posts will be "Who the hell thinks this is interesting enough for an article?" or "Hasn't this been done before?" There is little moderation and it can take some time before the trolls and crapfloods get mopped up.
On the other hand, each tidbit from the SCO or RIAA affairs gets many hundreds of highly-moderated "Ain't it awful" posts, and at least for the first several hours obvious trolls get squashed in minutes. (This despite the fact that very little is newly Insightful or Informative any more on thse subjects, or even much left that is Interesting.) I'm sure that Slashdot gets loads of ad impressions when they run these stories, however, and perhaps the cynics who claim that this is the reason Slashdot runs them are right. But that's irrelevant; the fact is that as a result of these stories Slashdot's content is getting softer and softer, and therefore the average Slashdotter is more likely to be only a camp follower of the technophile community, driven by peer influence rather than an actual passion for computers and technology.
This is all grossly off-topic (except in the sense that Slashdot is a proper topic for a posting on Slashdot), and I expect some Offtopic moderations as a result. But over the years I've seen Slashdot becoming a bloated caricature of its former self, and this seemed as good a time as any to speak up.
--
alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
Yes, I'm ENTIRELY SURE that users will believe your box has been up since the Paleolithic period. If you're going to fake uptimes at least make it believable.
http://www.xs4all.nl/~marcone/bsdversuslinux.html
Why should I have to risk screwing up my system using an unproven, unstable potentially dangerous system like FreeBSD? Why can't you just provide binaries for Linux, the industry standard for security.
And FreeBSD zealots, as much as this simple truth hurts, please don't mod this -1,troll or -1, flamebait, that is known as denail. I am rereposting this because some deluded zealot modereted it down. I have plenty of proxies thanks to comprimized BSD boxes, and I will keep on posting this until it gets a 5, insightful. So don't waste your mod points, just reply nicely, as you know, if I did s/FreeBSD/Windows/g I wouldnt need to tell you not to mod it down.
It is a good read.
Lies, Deceipt, and Trickery
The rest of the hack does everything it can to hide itself. There are two major components to the disguise: the "fake" hack, and the JPEG image of Tux.
Firstly the fake hack. The fake hack begins at offset 0xD00 in the game save. If you disassemble the game save, you are likely to notice that some interesting stuff begins there. It appears to be getting it's own address, turning off write protection in memory, patching the kernel, and calling XLaunchNewImage. There is some branching logic which seems to imply that it is patching the kernel in different ways, depending on the value of location 0x8001FFFF in memory. The patches even resemble those that certain modchips perform, some are even at the same offsets. The path to the linux xbe is noticeable as well, at offset 0xFD5.
Upon initial inspection this code seems very plausible. When you look at it closer, there are a lot of inconsistencies. Firstly, the value being tested at 0x8001FFFF does not match up to any known kernels that I know of anyway. Secondly, a lot of the patches to the kernel are junk code and don't make any sense. Thirdly, there is no call to IoCreateSymbolicLink in order for the call to XLaunchNewImage to work. XLaunchNewImage checks to make sure that the path to the executable resides on the 'D:' drive to prevent applications being launched from the hard drive, and therefore only from the DVDROM drive. Without remapping \Device\Harddisk0\Partition1 to 'D:' using IoCreateSymbolicLink, there is no way for the kernel to find the default.xbe as specified.
Secondly there is the Tux JPEG. Starting at offset 0x1080 in the game save is a JPEG image. This is obvious from the text JFIF which is present in all JPEG headers. If you extract out this block, you get a nice little picture of Tux. Seems like a harmless little addition by a linux fanatic. It is typical of linuxheads to stick stuff like this everywhere. In reality, the real hack is encrypted and stored in this image. The practice of storing data in images is known as steganography. Perhaps this doesn't count, as it stores the data in the header and not in the actual image data. It's still rather devious. We'll come back to the contents of the hidden data in a moment.
I am having trouble figuring out what the image is, there appears to be some sort of mongoose or other small mammal and perhaps a can of pudding... ?
Maybe if I hide a picture of Bill Gates on my BSD box it will keep crashing.
post it on www.kuro5in.org though... slashdot sucks.
I've been staring at this pictures of Jenny McCarthy for years now, trying to discover the steganographically hidden messages.
That's what I told my girlfriend.
OK, I know this is very much OT but a busy site such as Slashdot should be able to help me out here. Bear in mind that I'm not trying to start a flamewar or anything; just want some good reasoned responses. Right...
Why should I use FreeBSD over Linux?
The reason I'm asking is this: despite having used Linux for many years, I'm constantly being told by FreeBSD fans to switch to their favourite OS. Some make pleasant suggestions, others act with great zealotry and tell me things I know aren't true. The way I see it is as follows:
Stability - Various BSD fans have told me that it's "more stable" and "crashes less". I can safely say that my Debian and Slackware boxes have _never_ crashed or kernel panicked in five years of use; yes, in comparison to a bleeding edge desktop distro such as Mandrake, FreeBSD is bound to be more solid, but proper, well-designed and thoroughly tested distros like Debian and Slackware are totally rock-solid.
Performance - I've been told by FreeBSD users that their OS is much faster than Linux. To make this judgement myself, I performed a few benchmarks with FreeBSD 4.8 and Linux 2.4.20, and also FreeBSD 5.1 and Linux 2.6.0-test. The differences were negligible, although on my 2-CPU box Linux was the clear winner. 2.6.0-test also showed more responsive behaviour on the desktop.
Hardware support - I had troubles getting FreeBSD running on my laptop. Linux supported the hardware much better, and has a significantly broader range of x86 support.
Software support - It's so much easier to find software that will compile natively on Linux. Yep, Ports are good, but they're nowhere near as tested and integrated as, say, Debian's stable repositories.
Security - Both OSes are pretty secure by modern standards, but I can't see the value in FreeBSD's updating method. With Debian, one simple "apt-get" command is needed to get the latest security fixes. With FreeBSD, a tiresome chore of CVSuping, compiling and installing is required, which is doubly annoying on lots of boxes.
Community - Even when I've researched my problem and read up on the docs, I've had BSD fans act incredibly obnoxiously towards me. That's not good at all.
Long term support - FreeBSD only supports each release for 12 months; this means that users have to upgrade. And although upgrading isn't too difficult, the end result is a slightly different system and difficult to target apps against (new features/bugs/changes is newer Ports releases etc). Meanwhile, Debian has over 2 years support for each release, and Red Hat offer 5 - perfect for corporate adoption.
So those are the criteria I judge an OS on, and while many BSD fans keep telling me to use FreeBSD, I can't see what it offers in the real-world over Linux (subjective licensing issues aside).
What concrete benefits does FreeBSD offer? Serious question. It appears that Linux wins in the above areas, but any input would be good to hear.
YOu might want to check out Peter Wayner's website for his book, Disappearing Cryptography . There are several applets that let you hide information in a list of disco songs or even in the order of letters in a word.
Steganography http://www.staff.uiuc.edu/~ehowes/soft11c.htm for all your needs.
By raising the background chatter, he is making it difficult to find any true use of stego. Pictures with messages like "Donald Rumsfeld can eat my ass with gravy as a sidedish" or "GEORGE BUSH SHOULD DIEt (He's getting chubby)" waste resources which would normally be spent reading YOUR email.
He's making himself a target so you don't have to. Ass.
1) .Wav files are not compresed
2) If you don't like .wav files you must REALLY hate cds.
Hiding secrets with steganography on Windows, Red Hat, SuSE, and... oh yeah, FreeBSD...
pb Reply or e-mail; don't vaguely moderate.
In some countries you can go to prison for using cryptography, in other more enlightened countries you can go to prison for not handing over the keys when asked by the guys in jack boots or for talking about the fact that you've been raided.
Government of the people, by corporate executives, for corporate profits.
Fuck1ng R3t4r|). "Lavaface" ? Cock-face more like. Fucking cocksucker.
Any discussion of steganography is incomplete without this:
http://www.mcdonald.org.uk/StegFS/
This concept is lost to most people. And i agree it just proves how effective slow media manipulation of peoples attitudes is.
.Or 'the SUV killed.. ' in time people begin to belive it with out realizing it...
Just like calling downloaders 'pirates' and 'theft'.
---- Booth was a patriot ----
If I was your roommate, I'd start rotating your bottles of beer. Or did you also unobtrusively mark them?
My strategy with mooching roommates was simply to make sure I kept stuff in the fridge that I liked and others couldn't stand. Exceptionally spicy food works wonders there.
It's the same trick as the fake rock holding your house key.
As for hiding valuables in the house, the best "safe" is something that thieves not only don't want, but actively avoid. Like an empty box of my wife's tampons.
-Looking for a job as a materials chemist or multivariat
Good idea, I wish I had thought of something that clever.
I apply that to how I approach my daily job, all the insults and petty fights and powerplays the other people play. It makes me strong.
There was an interesting project that won the Intel Science Talent Search a few years back about DNA steganography - hiding text and information in base pairs in a strand of DNA. I'm not sure if they went the extra step in terms of decoding enzymes ... the only problem I could see with that is that it seems you'd want to flag the message, which would defeat the purpose of hiding; otherwise, might be easy to lose a few words of data among billions of base pairs.
I'm curious, why put the encrypted data in the comment blocks for jpeg pictures? By placing scrambled data in these sections you make it pretty obvious that there is a 'hidden' message in there.
Why not make the data truly hidden by using the least significant bit within each of the RGB values for a 24 bit color image? 8 bytes of image data can hide 1 byte of data.
If you can repeat the hidden message enough times you might even be able to use this within a jpeg image and have the message survive recompression of the image or slight image manipulation. When reconstructing the message collect the bits of the repeated message and select the bits that repeat the most.
I'll have to try to write something quick and dirty up in Python to test this out.
because, dead men tell no tales!!
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Prett catchy, huh? It would definitely encourage lots of people to try it out!
Manipulate the moderator system! Mod someone as "overrated" today.
I keep mine in topsecret.txt.
They actually had this on Navy:NCIS a couple weeks ago. A terrorist was hiding messages inside of porn images.
"See these naked pics of grandma!"
Roving Web-Teleoperated Robot
December 6, 2003 -- Struggling 2004 Democratic wannabe John Kerry fires an X-rated attack at President Bush over Iraq and uses the f-word - highly unusual language for a presidential contender - in a stunning new interview with Rolling Stone magazine.
Sen. Kerry (Mass.) used the undeleted expletive to express his frustration and anger over how the Iraq issue has hurt him because he voted for the war resolution while Democratic front-runner Howard Dean has soared by opposing it.
"I voted for what I thought was best for the country. Did I expect Howard Dean to go off to the left and say, 'I'm against everything'? Sure. Did I expect George Bush to f - - - it up as badly as he did? I don't think anybody did," Kerry told the youth-oriented magazine.
Brookings Institution presidential scholar Stephen Hess said he can't recall another candidate attacking a president with X-rated language in a public interview.
"It's so unnecessary," Hess said. "In a way it's a kind of pandering [by Kerry] to a group he sees as hip . . . I think John Kerry is going to regret saying this."
Kerry was accurately quoted in Rolling Stone, said spokesman David Wade, adding the X-rated language reflects the fact that Bush's Iraq policy "makes John Kerry's blood boil."
Kerry yesterday angrily cited his war record in Vietnam when asked by a New Hampshire student about charges that it's unpatriotic to attack the commander-in-chief, fuming: "I left some blood on a battlefield that President Bush never left anywhere."
Two polls this week showed Dean leads Kerry by a landslide 3-1 in key New Hampshire.
Waaaa!!! Poor baby!
I seem to recall a "stop the MPAA" gif that floated around the internet when 2600 was being sued for distributing DeCSS. The gif had the DeCSS tarball embedded in the file past the EOF marker.
Modify it first!
If attacker gets original picture and picture with some data hidden within it, it becomes very easy to get data from it.
Didn't Kevin Nealon hooker already perfect this technique useless on Saturday Night boring Live?
__________
[Big Brick Wall]
Now I take the encrypted bits of the message (which already look a lot like random noise) and hide them inside the least significant bits of a bitmap file. Lets assume that I'm using a half-decent steganography tool here, and it distributes the bits of the message throughout the image in a psueudo-random fashion.
So now we've got a stream of encrypted bits, which more or less resembles a stream of psueodo-random numbers. And we've sprinkled these bits all over the place inside the image, so they don't even appear together or in order.
How does one go about detecting that there's a message in there, reliably? What distinguishes the [pseudo]randomly-distributed [psuedo]random-bits of the encrypted message from the background noise of the image?
(I am assuming, of course, that the message we're trying to hide is relatively small - at most, 1 bit per byte in the image is modified. Much more than that is like trying to hide a tractor trailer behind a go-kart)
...ironically, the better algorithms we get for compressing stuff, the more difficult it is to hide something. It gets really obvious if you start sending around BMPs or WAVs.
Steganography detection is doing rather well - it simply realizes when the compression is "wrong", that is, if it would have been compressed better if there wasn't hidden info in the image.
By the way, for legal purposes it might be just as efficient to use something like Bestcrypt's hidden container - it's a very smart, yet "dumb" form of steganography. You create an encrypted container, which has a key. Then you create a hidden container inside the encrypted container, with a different key. There's no way to detect the presence of a hidden container - it looks like random data in a container full of random data.
If required by law to provide a key, provide the key to the outer container. When asked about a hidden container, go "What hidden container?" Even if it is very likely that there is one, there's no proof of that. Even the wackiest RIP bill doesn't require you to provide decryption keys to things that doesn't provably exist.
Kjella
Live today, because you never know what tomorrow brings
...a passphrase in your ogg, or are you just happy to see me?
Ideally the software would only need to be pointed to a directory or a wildcard, given a passphrase and be able to just "mount" those files. I.E.
This is like in the movies, where to find the secret code you need the exact page of a specific book and then pull out 10 words from page 12, paragraph 3, words 3,19,12 and 42...etc. The book is hidden somewhere in the library of congress, know the title of the book and the code is revealed. I guess cryptography has come full circle, whats next, anograms with carrier pidgeons? I guess the old tricks are still the best tricks.
Just put some visible plain text on a picture of the goatse.cx man! Sure, people can see it, but they will be so traumatized that they will forget!
Due to a new Michigan law (Super DMCA), the legality of my research or these web pages is currently unclear. Felten provides additional information about the resulting restrictions on technology and research.
The web pages will be reinstated once the situation has been resolved.
OutGuess 0.2 - Source Code Currently, unavailable. See above.
Source: (http://www.outguess.org/download.php)
My Systems
When they come up with a way to steg my pics into a text file, then we'll have something.
Bad guys in the movies all keep their wall safes hidden behind paintings.
Excuse me. Us good guys keep their wall safes behind paintings too you know.
"Do not stand at my hard disk and forever weep.
I am not there; I do not sleep.
I am a thousand winds that blow.
I am the diamond glints on snow.
I am the sunlight on ripened grain.
I am the gentle autumn's rain.
When you reboot in the morning's hush
I am the swift uplifting rush
Of quiet birds in circled flight.
I am the soft stars that shine at night.
Do not stand at my hard disk and forever cry.
I am not there. "
Just that- the obvious. You see, in the movies, the bad guys went for the safe because they knew it was the safe, and they knew that there was probably something of value inside. The very fact that it IS a safe makes this apparent. The reason your analogy falls short is that with steganography, you can't even tell if it's a safe. It could be a chair, a wall, a coating of dust on a floorboard, a cobweb up in the corner, a pile of dirt, etc. It allows a very effective way to fly under the radar while still accomplishing your objective (though it does have limitations). Yet one more reason that TIA is TRASH.
_d8b____________________d8b_______d8,
_?88____________________88P______`8P
__88b__________________d88
__888888b__.d888b,_d888888________88b_.d888b,
__88P_`?8b_?8b,___d8P'_?88________88P_?8b,
_d88,__d88___`?8b_88b__,88b______d88____`?8b
d88'`?88P'`?888P'_`?88P'`88b____d88'_`?888P'
______d8b________________________d8b
______88P________________________88P
_____d88________________________d88
_d888888___d8888b_d888b8b___d888888
d8P'_?88__d8b_,dPd8P'_?88__d8P'_?88
88b__,88b_88b____88b__,88b_88b__,88b
`?88P'`88b`?888P'`?88P'`88b`?88P'`88b
...that would have to be the Pentagon mainframe. You know, the one from "War Games" ;)
Kjella
Live today, because you never know what tomorrow brings
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead
1. You can not play games on it.
2. It cannot be used by my grandma.
3. It lacks a GUI of any note.
4. There is no support available for it.
5. It is an assortment of fragmented OSes.
6. It cannot be run on the x86 platform.
7. You have to compile everything and know C.
8. Support for the latest hardware is always poor.
9. It is incompatiable with GNU/Linux.
10.It is dying.
I do not have the web page here but somebody can certainly search in slashdot and find it. How to detect it ? The guys which made the thesis/program show that even if the lowest bits seems random, in reality if you take only red / blue or green component you see "forms" appears. And thus on steganographied image you see those form disappear, whereas on non stenographied they appear. Note that you can avoid that. So people using some of those program think they are safe, but instead a third party can show that they are exchanging secre. And knowing you are sending something hidden in some case can put you in a bad position. Even in the US.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
...hiding your secrets in an image? Just write them in Perl!
file * | grep JPEG
"Rub her feet." -- L.L.
Of course, if I lived in China and was plotting a demonstration, I'd need to hide that info. Or bank heist details.
Currently, encryption is used freestanding by people with something to hide - and is viewed by 'the masses' as a terrorist/theft/dishonest tool. Why isn't encryption used in *everything*? I appreciate the need for encryption, but until it is everywhere and easy to use, it will have a black cloud hanging over it. Which makes it much easier for those who would like to abuse their powers (cough *Ash*cough) to pass laws restricting the use. Thereby reinforcing its reputation as a tool for people who have something (bad, ohohoh very bad) to hide.
Can't I take bmp files, each from the same unknown original bmp, but steg'ed with different messages, get their binary diffs, and find the blowfish'ed data? Seems like two different messages in the same envelope destroy the value of the envelope entirely (although decrypting the obtained encrypted message is still just as hard).
--
make install -not war
Hi all, we have recently published a paper about hiding data in gzip compressed files. For those interested, check out http://www.cs.ucr.edu/~stelo/stego/ Regards, Stefano
Just encrypt that with PGP. Duh!
__________
[Big Brick Wall]
Anyone else find it ironic that if you want to download the source from the OutGuess website, you can't because of a Michigan Super DMCA law?
If he lives in Michigan, maybe he should move his computer to Canada and distribute from there.
Bureaucracy loves company.
Stganography makes you look at all those nude erotica pictures you downloaded ever more closely now... look for the hidden message, Luke...
Use reversable compression. Encrypt the cleartext, package it in a container (subcontained if desired), stga that into the BMP or WAV, compress using GIF/PNG/FLAC as required. Ship product to receiver, they uncompress (since the compression is lossless, no bits lost there), de-steg, decrypt, decrypt, viola recipe for brownies.
Also tends to confuse the detectors, as they are not trying all (n) possible ways the file could have been compressed to look for steg data in the raw file, only looking at the compression errors in the current format.
For every scheme, a crack, for every crack, a new scheme. What fun the merry go round is!
You can have it fast, accurate, or pretty. Pick any 2.
I saw an image on a website that was yellow flowers but when you highlighted it you could see a pr0n image. Does any one know what that's called? I would like to be able to do that. Not to send pr0n but just to mess around with. It kind of like the article but less secure.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
This is all well and cute, but realistically speaking, no implementation of steganography is all that secure. Detection is fairly easy, and then a dictionary attack against the encrypted contents is used. [Link]
Its a twofold problem as I see it.
1. The hiding of encrypted data/images/text/whatever inside of an image file is based on the notion that security through obscurity raises the bar. Anyone who studies security knows that this is just not true. Since suspicious images are simple to detect, this layer of obscurity offers no real data protection than just encrypting the file and naming it "this-is-secure-data.blowfish". Its just a matter of what encryption method is used to secure the contents. Which brings me to my second point.
2. Since the basis of steganography is to hide information inside an image without disturbing the visual image, the size of the data contained within, from my understanding, is severely constrained. Thereby limiting the effectiveness of this technique in all but very large, suspicious, and still easily scanned images.
SO, by hiding one's data inside an image with this technique, one is left with a picture of a table that is just screaming to be scanned for its suspicious content.
--Nuintari
slashdot : where an opinion can be wrong.
You simply exploit the fact that any information, however encrypted, stored in the "least significant bits" - i.e. the dead space in a jpeg, will affect the statistical distribution of you being a fucking cock whore in the image file. This can be detected bya simple chi-squared analysis of your momma's fat ass. Many systems implement this today, including steg-crack, and john.steg.
" Now witness the firepower of this fully armed and operational observatory!" THINK YOUR FUNNY? WHORE! ASS FUCKER! You people make me sick.
FUCK YOU, CockMASTER
The holiday, the heat and the champaign had made me really hot for a stiff cock and I rested on the bed to signalize THEPYRO, what I would like to do now. He seemed not to notice it, so I simply grabbed his buttocks as he passed the bed the next time and opened the zipper of his bermudas. Even when he's not the guy who usually made the first step, he immediatly reacted on my attack'. I hadn't pulled out his cock completely as I felt he was rock-hard and I enjoyed to lick the first drop of precum from its tip. Ahh...CMDRTACO" he moaned and his hand stroked through my hair. Meanwhile I had his entire cock in my mouth and stroked his heavy balls with my hand. Mmmhhh they feel as if they were cum-filled" I purred and smiled to him naughtily. even after I emptied them yesterday night." He enjoyed when I talked dirty and I felt his greedy fingers pulling up my dress. Nice panties" he hissed and I heard he had already trouble to control his voice.
YOU SUCK COCK, ASSMASTA
I remember seeing an omni movie about sharks that found a school of fish, and ate them all. One at a time.
I thought the strategy behind the school of fish was: if there are 500 fish, and I am one of them, then my odds of me getting eaten during an attack is 0.2% The larger the group, the lower the chance that *I personally* get singled out.
I don't think the predator cares about going after a certain fish. Unless if finds one that has really cute eyes. It just wants a fish.
An obvious use for steganography is reliable digital watermarking, but does anyone know how well current techniques last against hefty sessions of image cropping, audio/video transcoding, and all those other things one would commonly do with such files..?
If a DVD-screener, for example, contained a watermarked serial number, would the number still be there and be readable after ripping, cropping, rendering subtitles on top, and transcoding?
It's a nice idea, but I'm still on the side that believes that multimedia data should not be altered (and hence quality thrown away), even if the loss of quality in human perception is supposedly unnoticable.
Why not hide stuff -IN- FreeBSD. It wouldnt be that hard to write a utility that inserted "typos" into comments that when decoded could be used to pass messages or even hide images.
fgdfgdfnbsd dsfty fgsh sg
It'll tell you to worship satan, and steal music. Quickly, to the music mobile darl! We must shut down these "steriograhophonicalwhazitmakallits" before they destroy our nation's families by making them all into crack smoking criminals!
Candy-Coated Knowledge
... the real advantage is that if done properly, nobody can even prove you sent a message.
While this is true, in fact it is the definition of good steganography, I'm not aware of any steg that actually achieves this. For a while, there were no public methods that break Outguess, but that was broken over a year ago, and I don't think there are any stego schemes still standing. The problem is that the last bit of your WAV file or GIF isn't very random in a real picture, not nearly as random as you might guess. This makes it quite difficult to make a scheme which hides there effectively.
I hereby place the above post in the public domain.
...is if it included an actually USEFUL form of steganography, like the steganographic/encrypted filesystem Rubberhose, which is related in spirit to good old stegfs.
Unfortunately both of these are too old and crufty to have support beyond linux 2.2... implementing 2.6 support or freebsd or openbsd support might be interesting.
Time to step it up. I've completely desensitized my taste buds. Hence, I now eat habaneros on my pizza and the hottest chicken wings known to man, and I love it! Now let's see the mooching bastards try THAT.
-Looking for a job as a materials chemist or multivariat
Espically not of live shows. People are big on recording live concerts and then distributing them. Since these tend to be the hardcore types, they want it done lossless and generally FLAC is the format of choice. Now these have additonal benefits:
1) They are often recorded and compressed in 24-bit. Well even good 24-bit converters have a noise floor well above the theoritical limit, leaving plenty of low level white noise naturally. Cheap ones can even have a noise floor only around 17 or 18 bits.
2) Live shows tend to be reocrded with lower quality equipment. It's actually pretty good, all things considered, but it's portable stuff, not a studio setup. Hence more inherant noise.
3) Live shows are noisy anyhow. It's not the pure random white noise, but still plenty to mask what you're doing espically on top of the recording noise.
So, get yourself some nice 24-bit recordings of live shows. Insert your data in there. If you're really parinoid, keep in down in just the lowest 4 bits. FLAC it back up and then swap it with buddies. Looks like you're just another live show swapper (and for bands that permit this, it's 100% legal) and unless your stego program is done, you can't detect it.
I'm pretty sure they have to prove that the picture actually contains encrypted data, which can be through e.g. compression flaws introduced by the steg program. They can't go around jailing people for having a picture that maybe contains something else, they haven't gone that totalitarian yet.
On the other hand, they don't have to prove it's your data (since it's encrypted, they can't know). You might not have a clue about that, never had a decryption key, and it's "Go straight to jail - do not pass go". Nevermind that you downloaded it because you thought it was just a pretty picture, and had no clue there was a smaller pedo picture hidden in it (or whatever else you don't want to imagine).
That's where BestCrypt does it so well... because there's no way to find the hidden container. It's (pseudo)random data hidden in the empty space of the outer container, which is also filled with random data. Which is exactly how it would be if you didn't have a hidden container either. To find random data in random data is like like chasing icebears in a snowstorm on the North Pole.
Kjella
Live today, because you never know what tomorrow brings
security by obscurity is not security at all.
BeauHD. Worst editor since kdawson.
Check out Peter Wayner's Mimic Functions. Using Mimic Functions you can hide information in anything, not just images and sound files. This is done by grammar to statistically "mimic" what you'll be hiding your data in. This could be an image or a sound file, but it could also be, as in Wayner's example, a baseball game commentary. The effectiveness of the stego is only limited by your creativity in working out the grammar.
You're missing the point.
The main reason to use steganography is that it hides the fact that you are hiding something. If you use straight encryption, it is obvious that you have something sensitive that you want to encrypt (most people don't go to the trouble of encrypting things otherwise). Steganography helps you fly under the radar and send encrypted data without people knowing that you are sending encrypted data in the first place.
If someone is already suspicious of you, then of course they can analyze your communications and perhaps notice any steganographic attempts. But if not, you may be able to escape notice longer by exchanging seemingly innocuous data than by exchanging industrial-strengh encrypted data.
Steganography has been around since the days of the ancient geeks, er greeks. :)
l
http://www.webopedia.com/TERM/S/steganography.htm
"Steganography (literally meaning covered writing) dates back to ancient Greece, where common practices consisted of etching messages in wooden tablets and covering them with wax, and tattooing a shaved messenger's head, letting his hair grow back, then shaving it again when he arrived at his contact point."
I feel sorry for the messenger who's tattoo ended in "Destroy this message after receiving." We can't have male pattern baldness exposing classified information!
Everyone is entitled to their own opinion. It's just that yours is stupid.
... ths kids that want Ice Cream.
What did you think my porn was for? I have very sensitive data to protect...
If you've got a bit of maths under your belt, or even a bit of coding would suffice, there is a link on this page to some Matlab code used to detect steggafied images.
... and then there were none
PNG perhaps, as it's lossless.
JPG, however... if you steg something into a source file and then convert to JPG, your message will, more than likely, be lost as JPG is a lossy compression scheme. Which is not very beneficial if minute changes to pixel's colors is important.
There's watermarking techniques that take a smaller string for author identification purposes that -are- suited for use in JPEG, however. But that won't help you send across a long message.. unless your image is 10MP
Joshua, a class mate of mine at Rio Rancho High School located in Rio Rancho, New Mexico, recently wrote a software program using C++ designed to hide encrypted text within a .gif file without changing the file size of the image or the picture quality. The program is called Ghost and the FBI has taken interest in it. When he presented his project at the school science fair last week 3 members of the FBI came to talk to him about his project. More information here http://www.abqjournal.com/riorancho/117131rioranch o12-03-03.htm.
It is common knowledge that *BSD is dying. Everyone knows that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.
Fact: *BSD is dying
Unless you like sausage in your dropbox, stay out of San Francisco!
is for the standard version of mkfs to fill empty disk blocks with random data (from /dev/urandom) BY DEFAULT instead of zeroing them. That way you can run a stego file system in the unused blocks and it will be indistinguishable from ordinary randomized free blocks. If every BSD (and ideally every GNU/Linux) distro shipped with that feature turned on, there would be no way to tell a stego user from a non-user.
- BSD is dying
- BSD is fragmented
- BSD has no commercial support
- BSD is slow
- BSD is dying.
There you have it.The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead
Have you ever seen an animal backed into a corner and fighting for its life? That is the situation FreeBSD finds itself in. The FreeBSD fans are in a state of desperation, and even the mildest criticism of their hobby horse results in wild and paranoid outburts from the faithful. They will find an alibi and excuse for everything. Truth has nothing to do with it
It is common knowledge that *BSD is dying, that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral.
It is common knowledge that *BSD is dying, that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral. FreeBSD is dead.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see, Fact: *BSD is dying
What We Can Learn From BSD
By Chinese Karma Whore, Version 1.0
Everyone knows about BSD's failure and imminent demise. As we pore over the history of BSD, we'll uncover a story of fatal mistakes, poor priorities, and personal rivalry, and we'll learn what mistakes to avoid so as to save Linux from a similarly grisly fate.
Let's not be overly morbid and give BSD credit for its early successes. In the 1970s, Ken Thompson and Bill Joy both made significant contributions to the computing world on the BSD platform. In the 80s, DARPA saw BSD as the premiere open platform, and, after initial successes with the 4.1BSD product, gave the BSD company a 2 year contract.
These early triumphs would soon be forgotten in a series of internal conflicts that would mar BSD's progress. In 1992, AT&T filed suit against Berkeley Software, claiming that proprietary code agreements had been haphazardly violated. In the same year, BSD filed countersuit, reciprocating bad intentions and fueling internal rivalry. While AT&T and Berkeley Software lawyers battled in court, lead developers of various BSD distributions quarreled on Usenet. In 1995, Theo de Raadt, one of the founders of the NetBSD project, formed his own rival distribution, OpenBSD, as the result of a quarrel that he documents on his website. Mr. de Raadt's stubborn arrogance was later seen in his clash with Darren Reed, which resulted in the expulsion of IPF from the OpenBSD distribution.
As personal rivalries took precedence over a quality product, BSD's codebase became worse and worse. As we all know, incompatibilities between each BSD distribution make code sharing an arduous task. Research conducted at MIT found BSD's filesystem implementation to be "very poorly performing." Even BSD's acclaimed TCP/IP stack has lagged behind, according to this study.
Problems with BSD's codebase were compounded by fundamental flaws in the BSD design approach. As argued by Eric Raymond in his watershed essay, The Cathedral and the Bazaar, rapid, decentralized development models are inherently superior to slow, centralized ones in software development. BSD developers never heeded Mr. Raymond's lesson and insisted that centralized models lead to 'cleaner code.' Don't believe their hype - BSD's development model has significantly impaired its progress. Any achievements that BSD managed to make were nullified by the BSD license, which allows corporations and coders alike to reap profits without reciprocating the goodwill of open-source. Fortunately, Linux is not prone to this exploitation, as it is licensed under the GPL.
The failure of BSD culminated in the resignation of Jordan Hubbard and Michael Smith from the FreeBSD core team. They both believed that FreeBSD had long lost its earlier vitality. Like an empire in decline, BSD had become bureaucratic and stagnant. As Linux gains market share and as BSD sinks deeper into the mire of decay, their parting addresses will resound as fitting eulogies to BSD's demise.
FreeBSD is D E A D
SCO users are flocking to BSD ...or anything else.
I am the unwilling control for my Origin.