Secret Data: Steganography v Steganalysis

gManZboy writes "Two researchers in China has taken a look at the steganography vs. steganalysis arms race. Steganography (hiding data) has drawn more attention recently, as those concerned about information security have recognized that illicit use of the technique might become a threat (to companies or even states). Researchers have thus increased study of steganalysis, the detection of embedded information."

Can someone explain to me what is meant by...

[squarooticus]

"illicit use [of steganography]"? I didn't realize encrypting stuff was illegal. Land of the free and all that.

Re:Hmm

[PDAllen]

Suppose you == info security guy at $Company. When you see a string of seemingly random bits in a file marked crypto.txt leaving $Company, you may not be able to find out exactly what trade secret your local friendly spy was leaking, but you do know there was a leak and who sent it.

On the other hand, if you see a load of random pictures leaving $Company from lots of employees, then you have to find which picture has hidden data in it before you even know you have a problem.

The point of steganography isn't to pass a message that can't be read, it's to pass a message without alerting anyone to the fact that a message has been passed.

Re:Hmm

[AndyL]

It's also security through misdirection. (Ie: If you find someone's secret porn collection, you'll think you know why he's kept it secret. In truth it contains plans for an atom bomb.)

But your point is really what the article is about. A serious Steganography method must be good enough to pass automated searches (steganalysis) because if the enemy knows where your data is, then you almost might as well have not bothered.

And of course, what the other post said is implied.

Metasteganography

[Dylan+Thomas]

What strikes me as most curious is that the current debate about steganography is in itself an exercise in steganography--at least, in the sense of hiding important information in plain sight. Through the use of technical-sounding words, concerned parties manage to conceal what seems to be a genuinely frightening disrespect of the freedom of information.

Simply take "steganography" out of the equation. It's easy to scare the masses by using intimidating neologisms. But steganography is simply a manner to transmit information privately. So let's recast the sentence, "...illicit use of the technique might become a threat to the security of the worldwide information infrastructure." Let's simply say, "Individuals attempting to keep their private information private might become a threat to the security of the worldwide information infrastructure."

What used to be a preferred method for sending private information to a friend? The mail? Didn't we used to have a respect for the privacy of letters we sent via post? So how come no one said, "Sealing envelopes might become a threat to the security of the worldwide information infrastructure"?

What's being steganographically hidden in this debate is the reality that these days, quite a few people--many of them in power--simply no longer believe that a person has any right to private or personal information. Why would a technology such as this arise in the first place? Because we know that the first anthrax envelope made the private post public for everyone? Because we know our e-mail can be read, our servers can be hacked, our telephone calls recorded and our houses ransacked simply because fear of terrorists convinced us to sign over our civil liberties as if we no longer desired them?

This technology arose because some people realized that they were losing any pretense at privacy they might have had, and so were motivated to develop tools to maintain it. And now, we take the new word "steganography" and talk about how dangerous it is... perhaps because we're trying to conceal inside the hidden message that all privacy is dangerous, that anything you do, say or think should always be subject to review by the appropriate authorities.