Slashdot Mirror
Hiding Secrets With Steganography On FreeBSD
BSD Forums writes "Bad guys in the movies all keep their wall safes hidden behind paintings. Is there a metaphor in there for your sensitive files? OnLamp's Dru Lavigne explores steganography, or hiding secret messages in images or sounds, with the outguess and steghide utilities on FreeBSD."
...people just think it is because it hides itself very well. ;-)
Don't click on it! It's an animated GIF... and the second pic has serious problems...
Makes you wonder what the demon is hiding
Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
I'd be interested to know if this is just a BSD thing or if I can run these apps on Linux or Windows.
I used to use this kind of thing to hide certain, ahem, suspect images on the Acorn machines at school.
:o)
Of course being an adult now it's not as required, but I suppose it might be able to hide offensive pr0n images inside more innocent ones - so that anyone looking finds pretty mild things and stops there, without being able to find things that would get you looked at oddly in church
Beep beep.
I've been using it for years, posting messages like "allah is great" on Fark photoshop contests.
Just raising the background chatter to a dull roar.
my problem wrt steganography is that it 'feels' more like security through obscurity than an actual cryptographic regime (ala gpg encrypted attachments, etc). Other than that, neat stuff.
Sometimes people just have to learn and adapt to change, it is one of the requirements of being a living thing.
...is that no one else knows where to look to find things that might be sensitive. You can literally hide things in plain sight, but with the amount of crud stacked everywhere physically, and the amount of data strewn about with no apparent labelling (except for the porn of course), no one can actually tell what is important and what isn't.
Of course, dates don't seem to understand the logic of living in an apartment that already looks like it's been rifled through.
Do not look into laser with remaining eye.
I use steg sometimes to pass messages i dont want out in plaintext or overtly encrypted, but it has to be passed in such a way that it isnt apparent that a message is there (i.e. email to brother 'See these pics of grandma!'). It is not a foolproof method, but its very useful when you realize you cant trust the encryption itself to hide the message.
BSD is mentioned 3 times in the post, while the utilities that actually do the work are only mentioned once? This is like titling a post "Processing Images with Filters on Mac OS X" and only mentioning once that you use Photoshop.
"And this is my boy, Sherman. Speak, Sherman." "Hello." "Good boy."
No, bad guys in movies walk into the Rich Dude's house, immediately realize where the safe is, pull the painting away and get whatever's in the safe. How many times have we said that security through obscurity isn't security, and now we're all clamoring about obscuring data to make it safer.
Data-wise, it seems like you'd need to be hiding a relatively small amount of data. Otherwise, you're like an elephant trying to blend in at an LA cocktail party.
Please help metamoderate.
This was my first exposure to a steganopraphy demo....Written by the author of a bunch of books on Computer Networks and Operating Systems... http://www.cs.vu.nl/~ast/books/mos2/zebras.html
All the BAD GUYS hide their safes behind pictures? Is the metaphor you're trying to paint that BAD GUYS use steganography? The government propaganda wars are working. Newspeak is ingrained.
Every citizen of these modern times is a criminal, and because everyone is a criminal, everyone should use steganography. Most criminals are not BAD GUYS, but instead, good loving parents, patriots, and friends to society. It no longer makes sense to equate criminal to BAD.
fifth sigma, inc.
- jsteg,
- jphide (unix and windows),
- invisible secrets,
- outguess 01.3b,
- F5 (header analysis),
- appendX and camouflage.
Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.First time I read the headline, I thought it was implying that there are secret messages in the icons/images that are part of the freeBSD installation. Which brings me to wonder: what prevents people from putting messages hidden in the KDE or Gnome icons and such?
(Maybe a "If you can read this, you're too paranoid" sort of message in the Redhat splash picture?)
alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
Simply rename its extension to .dll. It will fit right in to the gigs of OS files.
I have yet to see a good treatment of the necessity of hiding the fact that one may have knowledge of or tools capable of implementing steganography. While hiding data is a nifty thing, it's not of much practical use unless you can also hide the code - the tools that you use to embed and deembed your steganographically hidden files.
Adding hooks to libraries and hiding executable code in data areas and coming up with slick ways of calling into that code when you actually do some stega processing is an area ripe for exploration. It may be more challenging than data hiding as well, especially when you consider the huge libraries of md5sums for all known executables and libraries that are maintained and distributed by computer forensics people.
I can hide my entire pr0n collection in a single gigpixel image?
Seriously, though, I read a news article some time ago describing how the FBI are onto such data hiding techniques after discovering terrorists (ok, "Arabs") had been posting stego encrypted messages in images posted to various popular terrorist (there I go again!) websites.
Don't know to what extent they're "onto" it (they never say, do they?), but I imagine looking for secret clues can be a full-time job.
What happens if you edit the file in a graphic utility? Does it alter the hidden info? Destroy it? Do different actions (hue shift, paining-on-top) affect the outcomes?
harmonious design
Why do we get articles about tools that are what? 3 years old?
There is enough new and interesting (and better) stuff around. For example, rubberhose would've been much more interesting to read about.
Assorted stuff I do sometimes: Lemuria.org
Posts/books/whatever that say "My webserver is Linux" (No it is not. It is Apache) "How to use LInux to serve Windows files" (No, you are using SAMBA and LDAP.) "Robot runs on Linux" (No, its some custom code that runs ON the GNU/Linux environment)
Where have YOU posted objecting to abuses like the above?
Well?
It is a good read.
Lies, Deceipt, and Trickery
The rest of the hack does everything it can to hide itself. There are two major components to the disguise: the "fake" hack, and the JPEG image of Tux.
Firstly the fake hack. The fake hack begins at offset 0xD00 in the game save. If you disassemble the game save, you are likely to notice that some interesting stuff begins there. It appears to be getting it's own address, turning off write protection in memory, patching the kernel, and calling XLaunchNewImage. There is some branching logic which seems to imply that it is patching the kernel in different ways, depending on the value of location 0x8001FFFF in memory. The patches even resemble those that certain modchips perform, some are even at the same offsets. The path to the linux xbe is noticeable as well, at offset 0xFD5.
Upon initial inspection this code seems very plausible. When you look at it closer, there are a lot of inconsistencies. Firstly, the value being tested at 0x8001FFFF does not match up to any known kernels that I know of anyway. Secondly, a lot of the patches to the kernel are junk code and don't make any sense. Thirdly, there is no call to IoCreateSymbolicLink in order for the call to XLaunchNewImage to work. XLaunchNewImage checks to make sure that the path to the executable resides on the 'D:' drive to prevent applications being launched from the hard drive, and therefore only from the DVDROM drive. Without remapping \Device\Harddisk0\Partition1 to 'D:' using IoCreateSymbolicLink, there is no way for the kernel to find the default.xbe as specified.
Secondly there is the Tux JPEG. Starting at offset 0x1080 in the game save is a JPEG image. This is obvious from the text JFIF which is present in all JPEG headers. If you extract out this block, you get a nice little picture of Tux. Seems like a harmless little addition by a linux fanatic. It is typical of linuxheads to stick stuff like this everywhere. In reality, the real hack is encrypted and stored in this image. The practice of storing data in images is known as steganography. Perhaps this doesn't count, as it stores the data in the header and not in the actual image data. It's still rather devious. We'll come back to the contents of the hidden data in a moment.
I've been staring at this pictures of Jenny McCarthy for years now, trying to discover the steganographically hidden messages.
That's what I told my girlfriend.
Hiding secrets with steganography on Windows, Red Hat, SuSE, and... oh yeah, FreeBSD...
pb Reply or e-mail; don't vaguely moderate.
In some countries you can go to prison for using cryptography, in other more enlightened countries you can go to prison for not handing over the keys when asked by the guys in jack boots or for talking about the fact that you've been raided.
Government of the people, by corporate executives, for corporate profits.
Any discussion of steganography is incomplete without this:
http://www.mcdonald.org.uk/StegFS/
This concept is lost to most people. And i agree it just proves how effective slow media manipulation of peoples attitudes is.
.Or 'the SUV killed.. ' in time people begin to belive it with out realizing it...
Just like calling downloaders 'pirates' and 'theft'.
---- Booth was a patriot ----
I'm curious, why put the encrypted data in the comment blocks for jpeg pictures? By placing scrambled data in these sections you make it pretty obvious that there is a 'hidden' message in there.
Why not make the data truly hidden by using the least significant bit within each of the RGB values for a 24 bit color image? 8 bytes of image data can hide 1 byte of data.
If you can repeat the hidden message enough times you might even be able to use this within a jpeg image and have the message survive recompression of the image or slight image manipulation. When reconstructing the message collect the bits of the repeated message and select the bits that repeat the most.
I'll have to try to write something quick and dirty up in Python to test this out.
I keep mine in topsecret.txt.
They actually had this on Navy:NCIS a couple weeks ago. A terrorist was hiding messages inside of porn images.
"See these naked pics of grandma!"
Roving Web-Teleoperated Robot
Why is it so hard to make real, clickable links? WHY, Mr Anderson???
Here's the link
Didn't Kevin Nealon hooker already perfect this technique useless on Saturday Night boring Live?
__________
[Big Brick Wall]
Now I take the encrypted bits of the message (which already look a lot like random noise) and hide them inside the least significant bits of a bitmap file. Lets assume that I'm using a half-decent steganography tool here, and it distributes the bits of the message throughout the image in a psueudo-random fashion.
So now we've got a stream of encrypted bits, which more or less resembles a stream of psueodo-random numbers. And we've sprinkled these bits all over the place inside the image, so they don't even appear together or in order.
How does one go about detecting that there's a message in there, reliably? What distinguishes the [pseudo]randomly-distributed [psuedo]random-bits of the encrypted message from the background noise of the image?
(I am assuming, of course, that the message we're trying to hide is relatively small - at most, 1 bit per byte in the image is modified. Much more than that is like trying to hide a tractor trailer behind a go-kart)
...ironically, the better algorithms we get for compressing stuff, the more difficult it is to hide something. It gets really obvious if you start sending around BMPs or WAVs.
Steganography detection is doing rather well - it simply realizes when the compression is "wrong", that is, if it would have been compressed better if there wasn't hidden info in the image.
By the way, for legal purposes it might be just as efficient to use something like Bestcrypt's hidden container - it's a very smart, yet "dumb" form of steganography. You create an encrypted container, which has a key. Then you create a hidden container inside the encrypted container, with a different key. There's no way to detect the presence of a hidden container - it looks like random data in a container full of random data.
If required by law to provide a key, provide the key to the outer container. When asked about a hidden container, go "What hidden container?" Even if it is very likely that there is one, there's no proof of that. Even the wackiest RIP bill doesn't require you to provide decryption keys to things that doesn't provably exist.
Kjella
Live today, because you never know what tomorrow brings
Ideally the software would only need to be pointed to a directory or a wildcard, given a passphrase and be able to just "mount" those files. I.E.
I do not have the web page here but somebody can certainly search in slashdot and find it. How to detect it ? The guys which made the thesis/program show that even if the lowest bits seems random, in reality if you take only red / blue or green component you see "forms" appears. And thus on steganographied image you see those form disappear, whereas on non stenographied they appear. Note that you can avoid that. So people using some of those program think they are safe, but instead a third party can show that they are exchanging secre. And knowing you are sending something hidden in some case can put you in a bad position. Even in the US.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
...hiding your secrets in an image? Just write them in Perl!
Of course, if I lived in China and was plotting a demonstration, I'd need to hide that info. Or bank heist details.
Currently, encryption is used freestanding by people with something to hide - and is viewed by 'the masses' as a terrorist/theft/dishonest tool. Why isn't encryption used in *everything*? I appreciate the need for encryption, but until it is everywhere and easy to use, it will have a black cloud hanging over it. Which makes it much easier for those who would like to abuse their powers (cough *Ash*cough) to pass laws restricting the use. Thereby reinforcing its reputation as a tool for people who have something (bad, ohohoh very bad) to hide.
Hi all, we have recently published a paper about hiding data in gzip compressed files. For those interested, check out http://www.cs.ucr.edu/~stelo/stego/ Regards, Stefano
Use reversable compression. Encrypt the cleartext, package it in a container (subcontained if desired), stga that into the BMP or WAV, compress using GIF/PNG/FLAC as required. Ship product to receiver, they uncompress (since the compression is lossless, no bits lost there), de-steg, decrypt, decrypt, viola recipe for brownies.
Also tends to confuse the detectors, as they are not trying all (n) possible ways the file could have been compressed to look for steg data in the raw file, only looking at the compression errors in the current format.
For every scheme, a crack, for every crack, a new scheme. What fun the merry go round is!
You can have it fast, accurate, or pretty. Pick any 2.
This is all well and cute, but realistically speaking, no implementation of steganography is all that secure. Detection is fairly easy, and then a dictionary attack against the encrypted contents is used. [Link]
Its a twofold problem as I see it.
1. The hiding of encrypted data/images/text/whatever inside of an image file is based on the notion that security through obscurity raises the bar. Anyone who studies security knows that this is just not true. Since suspicious images are simple to detect, this layer of obscurity offers no real data protection than just encrypting the file and naming it "this-is-secure-data.blowfish". Its just a matter of what encryption method is used to secure the contents. Which brings me to my second point.
2. Since the basis of steganography is to hide information inside an image without disturbing the visual image, the size of the data contained within, from my understanding, is severely constrained. Thereby limiting the effectiveness of this technique in all but very large, suspicious, and still easily scanned images.
SO, by hiding one's data inside an image with this technique, one is left with a picture of a table that is just screaming to be scanned for its suspicious content.
--Nuintari
slashdot : where an opinion can be wrong.
Terrorists aren't the only ones who want encryption any more than shipping departments are the only ones who want box-cutters. Maybe we should blame the USPS and airlines for also aiding terrorism. Paper-shredder manufacturers too. They helped Enron break the law, didn't they?
Before you knock FreeBSD for supporting a form of encryption (encryption being something that every law-abiding citizen should be entitled to in order to protect his or her privacy), maybe you should tell us what OS YOU use so we can check to make sure it doesn't support encryption tools like the ones you're faulting FreeBSD for.
I remember seeing an omni movie about sharks that found a school of fish, and ate them all. One at a time.
I thought the strategy behind the school of fish was: if there are 500 fish, and I am one of them, then my odds of me getting eaten during an attack is 0.2% The larger the group, the lower the chance that *I personally* get singled out.
I don't think the predator cares about going after a certain fish. Unless if finds one that has really cute eyes. It just wants a fish.
Why not hide stuff -IN- FreeBSD. It wouldnt be that hard to write a utility that inserted "typos" into comments that when decoded could be used to pass messages or even hide images.
... the real advantage is that if done properly, nobody can even prove you sent a message.
While this is true, in fact it is the definition of good steganography, I'm not aware of any steg that actually achieves this. For a while, there were no public methods that break Outguess, but that was broken over a year ago, and I don't think there are any stego schemes still standing. The problem is that the last bit of your WAV file or GIF isn't very random in a real picture, not nearly as random as you might guess. This makes it quite difficult to make a scheme which hides there effectively.
I hereby place the above post in the public domain.
You're missing the point.
The main reason to use steganography is that it hides the fact that you are hiding something. If you use straight encryption, it is obvious that you have something sensitive that you want to encrypt (most people don't go to the trouble of encrypting things otherwise). Steganography helps you fly under the radar and send encrypted data without people knowing that you are sending encrypted data in the first place.
If someone is already suspicious of you, then of course they can analyze your communications and perhaps notice any steganographic attempts. But if not, you may be able to escape notice longer by exchanging seemingly innocuous data than by exchanging industrial-strengh encrypted data.
The only question you may be asking yourself is "why use such a utility?" Probably the most common use is to safeguard passwords. We all know that we should use different passwords for various tasks. For example, you should use a different password to log into your computer, another to retrieve email, another for online banking, and yet another for when you create an account on a web server. It can be very handy to make a text file of each password and its usage, and to safeguard that file by hiding it in a place no one would suspect to look.
Ok, so you're a law-abiding citizen. And you have no need. So obviously, no one else who is law-abiding has a need, and the only the Bad Guys do? C'mon.
/home/scott/topsecret/passwords.tgz or instead in /home/scott/junk/pics/mycat.jpg ? If someone somehow accessed my account, they'd know exactly what file to grab and could then make a concentrated effort to crack into it. While if I disguise the file as something it isn't, they'll pass over it. Why isn't this a legitimate use?
You say you "fail to see legitimate uses". Very well. Would you have a legitimate use for a safe? I will assume "yes"... we all have valuables. So let me ask you this: does it make more sense to put the safe in the middle of a wide open room, standing out, maybe even with a sign that says "The safe is here!" Or maybe instead, hide it somewhere. At least in the closet. Or behind a fake wall panel. Buried in the basement? Recessed in the wall behind a dresser?
Steganography is the equivalent of hiding the safe somewhere where it wouldn't be located or expected. If I have passwords on my computer... even if I encrypt them, does it makes sense to store them in
Steganography is neither in itself good or bad. It's a tool which can be used for good or bad. Like a steak knife. Don't condemn it just because all you can think of are the bad uses.
is for the standard version of mkfs to fill empty disk blocks with random data (from /dev/urandom) BY DEFAULT instead of zeroing them. That way you can run a stego file system in the unused blocks and it will be indistinguishable from ordinary randomized free blocks. If every BSD (and ideally every GNU/Linux) distro shipped with that feature turned on, there would be no way to tell a stego user from a non-user.
Now if we were going just by technical merits (or even moral merits) something like Apple should have died its righteous death a long time ago. But, I guess people need to worship on the altar of 'alternative', even if they are getting robbed blind for it. IMO, Apple is the worst monopolist ever (well, aside from someone truly attrocious like DeBeers).
Manipulate the moderator system! Mod someone as "overrated" today.