Secret Data: Steganography v Steganalysis

gManZboy writes "Two researchers in China has taken a look at the steganography vs. steganalysis arms race. Steganography (hiding data) has drawn more attention recently, as those concerned about information security have recognized that illicit use of the technique might become a threat (to companies or even states). Researchers have thus increased study of steganalysis, the detection of embedded information."

Hmm

[Sparr0]

I think this is the way of the future with regards to encryption. You cant crack what you cant find.

Re:Hmm

You cant crack what you cant find.

Or in the case of "The Bible Codes", you find what you want to find.

Re:Hmm

[rindeee]

Future? Steg. has been used for quite some time. I know that it was actively used during the US Civil War, and I'd imagine that it dates back much further than that.

Re:Hmm

Isn't stenography just more "security through obscurity", like using an odd ip-port to hide a service?
I recall that idea not being very popular with the slashdot crowd.

Re:Hmm

[wwest4]

I'm not neccessarily commenting on it's practical effectiveness but isn't this really the past in terms of encryption? As in, Caesar-cipher era - i.e. the method is the key.

Re:Hmm

[EasyComputer]

http://www.jjtc.com/Steganalysis/ ----------------------Good Link on Steganalysis, with some examples of information hidden in pictures.

Re:Hmm

[jamsessionjay]

Security through obscurity? Look how well it's worked for Microsoft.

Any sufficiently advanced neural net should be able to deterministically find changes in common data communication where information can be hidden. And do you truly think that your data is not being checked by big brother?
[puts on tinfoil hat]

Re:Hmm

[dr_dank]

Who says a steg message has to be plaintext?

Re:Hmm

[50000BTU_barbecue]

I guess that extra apostrophe in "its" is really a devious form of steganography? That explains a lot of posts around here!

Re:Hmm

[l4m3z0r]

What you mean to say is that this was the way of the past and now that now we know that security through obscurity is ultimately too risky for crucial data.

It needs to be plainly shown once and for all that this model of "encryption" is too dangerous to be used and thus force the government to encourage open standards that can be tried and found true.

Re:Hmm

[SlayerofGods]

I've thought the same thing.
The only way steganography will work is if you keep the way you hide it a secret because if it's public knowledge how your steganography program works it's trivially easily to tell if a message is hidden in something (even if you can't read it) which defeats the purpose of hiding it in the first place.
Seems kind of hypocritical unless someone would care to explained to me why this makes more sense to keep secret then a standard cryptoalgorithm. /shrug

Re:Hmm

[rokzy]

so what? just because it was a used in the past doesn't mean the original poster didn't have a point.

it may have been used for some time, but it isn't so common now. recently there's been more focus on encrypting the data, not hiding where it is.

the original poster was saying (AFAIK) that he thought it would be popular again, not popular for the fist time ever.

I think he's right with regards to encrypting data in static, passively observed things like photos. transmitted data will probably use quantum techniques.

Re:Hmm

[PDAllen]

Suppose you == info security guy at $Company. When you see a string of seemingly random bits in a file marked crypto.txt leaving $Company, you may not be able to find out exactly what trade secret your local friendly spy was leaking, but you do know there was a leak and who sent it.

On the other hand, if you see a load of random pictures leaving $Company from lots of employees, then you have to find which picture has hidden data in it before you even know you have a problem.

The point of steganography isn't to pass a message that can't be read, it's to pass a message without alerting anyone to the fact that a message has been passed.

Re:Hmm

[rokzy]

people making the point you made totally miss an important point. what if you don't want someone to know the data even exists?

for example, sending a message to someone your government doesn't like:

-you: "ha! it's encrypted really strongly! suck my balls!"
-government: "we don't give a flying fuck - even talking to them is a crime. off to jail for you, numbnuts!"

Re:Hmm

[4of12]

Any sufficiently advanced neural net should be able to deterministically find changes in common data communication where information can be hidden. And do you truly think that your data is not being checked by big brother?

I doubt there's enough computational resources for a sufficiently advanced neural net.

If chunks of known ciphertext in something like AES-256 can't be broken in times measured in universe ages, then I can't foresee much success in wholesale scanning of all information, searching for embedded secret strings which, if properly encrypted, should be indistinguishable from random noise.

An old Slashdot story mentioned one of the most fertile fields for laying down stego messages: within spam.

Re:Hmm

[AndyL]

It's also security through misdirection. (Ie: If you find someone's secret porn collection, you'll think you know why he's kept it secret. In truth it contains plans for an atom bomb.)

But your point is really what the article is about. A serious Steganography method must be good enough to pass automated searches (steganalysis) because if the enemy knows where your data is, then you almost might as well have not bothered.

And of course, what the other post said is implied.

Re:Hmm

[bentcd]

Steganography is typically used within a closed group. It is typically not used between strangers. Therefore, you don't need to publicize your steganographic protocols beyond a small group of people.
Furthermore, if you take the trouble to hide your data with steganography chances are that you will also encrypt it. In this scenario, the two accomplish different goals. Steganography ensures that no-one realizes that you have communicated at all and cryptography ensures that even if the steganography is compromised, they cannot tell what it was you were sending.
Steganography is gold to any mole in need of transmitting information from inside a hostile organization to his people on the outside. So long as the hostile org cannot tell that he is communicating, he is safe. Once they figure out, he is busted.
Or for anyone transmitting information across an untrusted medium for that matter. If you use PGP to protect your Internet mail, the Feds are going to know that you have _something_ going on and that they might want to keep extra tabs on you. If you also use steganographic techniques, you'll never show up on their radar in the first place.

Re:Hmm

[bentcd]

Cryptography is also security through obscurity in that case. The only thing protecting your information is the fact that you haven't properly documented your private key :-)

Re:Hmm

[uberdave]

The problem with "Security Through Obscurity" is that the decryption algorithm is secret. Once the algorithm is known, any message can be decrypted. Both the sender, and the receiver need to know the secret algorithm, and need to trust each other to not reveal it.

In other encryption techniques, such as Public Key Encryption, the decryption algorithm is public. The algorithm works like a box with two keyholes. One keyhole locks the box, the other unlocks it. Each person selects two keys, one is public, the other is private. If the sender wants to send a message, she locks the box with the receiver's public key. Once locked, the box can only be opened with the receiver's private key. If the Larry decides to leak his private key, it doesn't compromise the security of messages sent to other people. Heather can still send messages to Jim, using his public key, confident that the messages will remain private because they are encrypted with Jim's public key, not Larry's.

Re:Hmm

[maotx]

Isn't stenography just more "security through obscurity", like using an odd ip-port to hide a service?

No, it is not. You can put any data you want in there and then password protect it.
However, if the original image is obtainable then it is possible to compare the two to decipher the data.
But then again, who says your hidden data can't be an encrypted, compressed file?

Re:Hmm

[Sir+dies+alot]

I am not sure if the two are entirely the same, with the Caeser cipher, a message was obviously being sent, you just couldn't read it. This is referred to as a symmetric encryption method, as it was usualy a simple substitution cipher. (offset of 3 IIRC) This is not quite the same thing as steganography, which is the art of hiding the fact that the message was sent at all. The two are very similar, but with the cipher you secure the data by assuring that others can not read it, while with steganography you secure it by making it difficult for someone to know there is something to read. In addition, steganography is used quite extensively today, though probably not in the way that many assume. (ie data transfer) A form of steganography is digital watermarking, where a digital signature is embedded within the actual digital media. This is very common with audio files as there is plenty of space for the watermark to be stored that will not noticably affect the audio quality.

Re:Hmm

[Minna+Kirai]

As in, Caesar-cipher era - i.e. the method is the key.

No. Caesar-cipher looks like "jebsb kysal". Get caught with that, and even if they can't read it, you're obviously trying to hide something. Primitive steganography is like "Buy 7 bananas and 3 oranges on next Monday", which has plausible deniability as a grocery list, even though it's logging the movement of enemy naval units out of port.

Re:Hmm

[SlayerofGods]

But if someone has reason to be monitoring your transmissions in the first place then they are most likely going to be screening any data you may send out and if that is the case then steganography become nothing more then security through obscurity.
There are so many encrypted transmissions now a days that simply sending one us unlikely to draw any undue attention.
Worse then that is if someone detects that your using steganography your screwed. Sending encrypted transmissions is easily explained away as not wanting someone to monitor your communication, but there is legitment reason that you didn't want someone to know you made that communication in the first place. So in fact using steganography might lead to more problems then simply encrypting your communication.

Re:Hmm

[EEDAm]

I went to a City (think "The Street" but for the UK financial services industry) information security session with the head honcho for the government e-Office (try and hang on to your cookies and not hurl them over your keyboard but obviously you get the nature of the job). The bloke was pretty savvy and the government obviously pay an enormous amount of attention to safeguarding the UK's financial institutions so the talk was professional and properly pitched. Anyway, after a couple of references to PGP during the presentation over coffee out of ear-shot I said to the bloke "come on seriously - are you really telling me PGP's still a problem?" to which he stirred his coffee and said "fair enough no not PGP that's all done but the points the same for what's coming next". So anyway, probably not news to any crypto-hounds but if the Feds know you're using PGP then the Feds know what you're saying.

Re:Hmm

[wwest4]

That's what I was getting at - that steganography is not encryption, at least not in a modern sense.

Re:Hmm

I think this is the way of the future with regards to encryption. You cant crack what you cant find.

This doesn't even make sense. It's like saying I'll substitute a boot for the eggs when making my omlet. Hiding imformation is different from encryption. Also, for it to be secure, you would have to use encryption. Relying solely on obscurity. You might as well run around outside naked depending on hiding behind trees as your only means of clothing.

Re:Hmm

[bentcd]

For many employers, "you are an employee" is sufficient reason to monitor your communications. This surveillance is, however, very superficial in most cases. Superficial surveillance is unlikely to spot a half-decent steganographic effort and so such is likely to offer some protection.
If ever they develop the notion that you require extra special treatment, they might catch on to your hidden messages, of course (or perhaps not). If they do, then I agree they have all the more reason to suspect you of foul play. It's something of a trade-off.

Re:Hmm

[vettemph]

Don't forget to hide a decoy in your steg. Once your sick stalker/oppresser cracks the easy message they will stop looking into file for the real message. Of course the decoy needs to be believable.

Re:Hmm

[SlayerofGods]

I guess in smaller scales, like offices, where there are significantly fewer transmissions that an admin would need to watch would be a good reason to use steganography.
Of course the ability to commit corporate espionage probably isn't the best justification to do research in this area ;)
But I definitely see your point now, thanks for the clarification.

Re:Hmm

[wwest4]

Agreed, there is a difference in the intended application of crypto and steganography - I was just pointing out that steg is not terribly advanced when applied as an encryption, and hence not the "future of encryption" as proposed by OP.

It's exhausting enough being a pedant without having to deal with others :P

Re:Hmm

[droopycom]

No, you just missed the point of Steganography.

The point of steganographie is not "You cant read my secret writings" but "You dont know that I have secret writings"

I some countires keeping secret is enough to get shoot. You want to hide them too.

Security though obscurity is indeed very usefull for storage or transmission.

Re:Hmm

[Xcott+Craver]

Steganography is typically used within a closed group. It is typically not used between strangers. Therefore, you don't need to publicize your steganographic protocols beyond a small group of people.

Says who?

No, no, relying on obscurity is no different in stego than it is in crypto. It is not wise to home-brew either of these things; making a genuinely good cipher, or a genuinely good stego algorithm, is genuinely hard.

And by the way, if stego really was used typically in a closed group, how would you know?

Xcott

Re:Hmm

[Xcott+Craver]

The only way steganography will work is if you keep the way you hide it a secret because if it's public knowledge how your steganography program works it's trivially easily to tell if a message is hidden in something (even if you can't read it) which defeats the purpose of hiding it in the first place.

There are plenty of stego algorithms which use a secret key, and it is not "trivially easy" to detect some stego algorithms.

There are bad algorithms that can be detected by various statistical tests, and I suppose stego has not reached the level of security we expect in crypto, where we may expect an attack success rate of 2^-128 per attempt.

However, it is a common misconception that steganography equals obscurity. I guess laypeople confuse the literal obscurity of data hiding, with the utterly unrelated obscurity of relying on a secret algorithm. But there is no reason why you can't have a good stego algorithm that can be published.

Xcott

Re:Hmm

[jhoffoss]

This is not totally accurate. Steg (using hydan, say) works this way: you run hydan, specifying a file to hide, a message/file to hide, and the output filename. You'll be prompted for a password to use (ala PGP passphrase/key) and the message is encrypted with the bluefish encryption algorithm. While it's not quite as strong as PGP with a 1024b key, there's no rule saying you couldn't actually use a PGP key to do this, public or private. It's just that the same phrase must be used on both ends.

From hydan-0.10 README:

Hydan [hI-dn]: Old english, to hide or conceal.

Intro:
Hydan steganographically conceals a message into an application.
Features include:

• Application filesize remains unchanged
• Message is blowfish encrypted with a user-supplied passphrase before being embedded

Embed a message:

./hydan /bin/ls <msg> ls.stegged

Decode the message:

./hydan-decode ls.stegged

Note: Don't use commonly available applications like /bin/ls to conceal your message! It would be trivial for an attacker to realize that there is something hidden in your copy of ls, as the md5sum would differ. Checkout the README.details for more info about implementation and attacks.

Re:Hmm

[bentcd]

I never said to homebrew it. You need to use algorithms developed by professionals. This means you either use custom algos developed by your organisation's maths geeks, or you use publicly available algos. Whichever it is, you will want one that can easily be hidden in a data stream that is otherwise indistinguishable from noise so that your noise-like encrypted messages can't be spotted for what they really are. Finding such a noiseful channel to utilize is another task for the maths geeks.
An alternative to finding a noiseful channel would be to find one that is never monitored by anyone anyway so it doesn't matter that your added noise is alien to it. As an example, if I knew that the local security people don't for some reason monitor nor log ICMP, I could ping some other box in a pattern that encodes my message.
The reason that steganography has typically been used within closed groups is that it has traditionally been symmetric in the sense that if you knew how to write the message, you would also know how to read it and vice versa.

Re:Hmm

[wfberg]

Suppose you == info security guy at $Company. When you see a string of seemingly random bits in a file marked crypto.txt leaving $Company, you may not be able to find out exactly what trade secret your local friendly spy was leaking, but you do know there was a leak and who sent it.

There are two problems with this bold assertion

a) usb sticks
b) https://webmail or e-banking.

Sure, you can prohibit either, but your users will bitch and moan and set fire to your newborn child.
Besides, people can also (*gasp*) walk out of the building with information in their brain...

Now, the armed forces may have these stringent restrictions in place but really, stego is no concern in the civilian world. Though it's fun trying to spot which personals ads in the local paper might be encoded messages from terrorists and kidnappers. (I dearly hope the majority is; given the contents of most personals it would reflect better on humanity).

Re:Hmm

[SlimFastForYou]

"In other encryption techniques, such as Public Key Encryption, the decryption algorithm is public."

Don't you mean the _encryption_ algorithm is public?

Re:Hmm

[Zoinks]

The advantage of steganography is that if done right, it can give you plausible deniability. For a really interesting read, check out the papers describing StegFS ,a steganographic file system for Linux.

Re:Hmm

[JeffTL]

Decoying a steganographic message -- i.e., putting your real backup copy of your password and also your mother's maiden name steganographicaclly into a file -- seems to be a pretty good way of going about things. Kind of like overt vs. covert safes. If you have a safe in plain view or an obvious location with $25, your thesis on a Zip disk, and your Social Security card in it, the $1,000,000 collection of heirloom diamond jewelry kept in a more covert location, a floor safe under the stairs or something. Why? It's human nature to look for "the safe" or "the message," particularly if the decoy is itself tricky to find and access.

Re:Hmm

[Zoinks]

If you use PGP to protect your Internet mail, the Feds are going to know that you have _something_ going on and that they might want to keep extra tabs on you. If you also use steganographic techniques, you'll never show up on their radar in the first place.

This is true. The problem with steg is that generally, you must hide the message in something else that is not message. The higher the ratio of chaff to message, the harder to find the message, but also the larger the steg messages you must exchange. At some point *this* becomes suspect.

Re:Hmm

[SlayerofGods]

Do you have an example of such an algorithm?
I don't read the steganography news letter or anything like that, but I've never heard of one that couldn't be detected if you knew what your looking for.

Re:Hmm

[uberdave]

Both the encryption and decryption algorithms are public. The word "Public" in Public Key Encryption refers to the keys, not the algorithm. One could rephrase it: "Encryption using Public Keys".

Re:Hmm

[quarkscat]

These Chinese researchers MUST be working on
a (PRC) government grant. By announcing their
findings, they are letting the opposition (like
Falun Gung) know that they are onto them. And
since the PRC has adopted IPv6 (and largely
banned IPv4 and NAT), they have a really good
idea of who the "perps" are. So don't try
slipping hidden messages through the Great
(Internet Fire)Wall of China, okay?

Your PRC overlords and Google/Yahoo lacky
allies thank you to mind your own business.

Now go away. There's nothing to "see" here.

Re:Hmm

[julesh]

If chunks of known ciphertext in something like AES-256 can't be broken in times measured in universe ages, then I can't foresee much success in wholesale scanning of all information, searching for embedded secret strings which, if properly encrypted, should be indistinguishable from random noise.

The problem is that most of the places where steg is currently used (at least in techniques widely known to those of us who only follow the field with amateur interest) the 'apparently entirely random' encrypted data replaces data that is frequently systematic noise -- that is, each bit is _not_ independent of other bits within it.

Sure, if you know what you're doing you could analyse the data you're embedding in and come up with an algorithm that makes your hidden data fit whatever analysis you've applied, but then when somebody analyses it in a different way you're still in trouble...

Re:Hmm

[Paul+Crowley]

What you (and the other reply) describe is using steganography for its intended purpose. That's reasonable. What the person I replied to describes is using steganography because you fear that once your ciphertext is discovered, the cipher will be broken. That's ridiculous - if you fear that, use a strong cipher.

It's especially ridiculous that such nonsense gets to be the first 5 in the comments, but that's Slashdot for you...

Re:Hmm

[Threni]

> Security through obscurity?

Steganography isn't security through obscurity if you use steganography to hide something which is strong encrypted.

Re:Hmm

[arman86]

Public key steganography has been proposed in academic literature.The only thoughts you should be having should be have a system that matches the entropy levels of your message to that of whatever medium you are using.

Re:Hmm

[AndyL]

I only keep my important documents around to hide my porn.

Already was an issue

[Sierpinski]

This came out a long time ago with the idea of hiding child pornography in files containing what appeared to be pictures of art, or other benign picture files.

There was even an episode of Law and Order about this. Its nothing new, but I agree it does pose many questions about security. (Security through obscurity is really good if the level of obscurity is paramount.)

Re:Already was an issue

[Abcd1234]

Just to be clear, steganography is not security through obscurity, at least not as it's traditionally thought about. The latter is the practice of having security policies, but not divulging them, with the hope that lack of knowledge will make those policies harder to crack. The former is the practice of hiding communications in apparently-innocuous data, so people don't know you're communicating in the first place.

Re:Already was an issue

[dxxt]

I agree. In fact, some steganographic techniques are actually keyed. Should it still be called security through obscrurity.

Steganalysis has a dim future, IMHO

[fejikso]

I believe that information can be arbitrarily well obfuscated and hidden and therefore I find it difficult to imagine that there can be an effective and feasible technique to counter attack stenographic messages.

Re:Steganalysis has a dim future, IMHO

The larger problem is not how to find it but how to know where to find it. You simply have to scan all material, including material which doesn't have anything embedded. Different with cryptography where usually it is quite clear that there is something encrypted to concentrate on.

Re:Steganalysis has a dim future, IMHO

[dhasenan]

But since they often co-occur, you have a *lot* more trouble--you have to determine whether something's encrypted, hidden data or white noise. Is that an MD5 hash in your JPEG, or are you just happy to see me?

Re:Steganalysis has a dim future, IMHO

[Seigen]

I agree, if you have a competant cryptographer designing your data embedding algorithm and everything is nicely done with appropriate cryptography and the rest your probably never going to notice that there is anything hidden in whatever your hiding it in. That is, as long as you keep your message reasonably short with respsect to the total data. Consider also the massive amount of data on the internet these days. I just don't see it being possible to realistically find such things unless you find out about the message embedding in some other way.. Of course even if one were to find them, AFAIK 128bit AES hasn't been broken to say nothing of more elaborate methods..

Re:Steganalysis has a dim future, IMHO

[lastbukowski]

Agree, it has a dim future. For instance take the case of hiding under the picture. There are techniques for hiding which if the person does not know, it is impossible to find the hidden data in a deterministic sense. Well, this just increases problem for people

Can someone explain to me what is meant by...

[squarooticus]

"illicit use [of steganography]"? I didn't realize encrypting stuff was illegal. Land of the free and all that.

Re:Can someone explain to me what is meant by...

[eln]

I think they mean the use of steganography to hide illicit materials, like child pornography. At least, I hope that's what they mean.

Re:Can someone explain to me what is meant by...

[Danimoth]

I belive it is refering to the use of steganography for illicit material, child pornography for example.

Re:Can someone explain to me what is meant by...

[PDAllen]

If the stuff you encrypt is illegal, like for example child porn...

Re:Can someone explain to me what is meant by...

[PDAllen]

I bet if you were in court on that you'd be done for duplicating the illegal material, as well as possessing it.

In any case, why are you defending a hypothetical child porn distributor?

Re:Can someone explain to me what is meant by...

[Bagels]

*cough* Chinese researchers. Perhaps not illegal in the US, but almost certainly extremely illegal over in our favorite semi-communist autocracy...

Re:Can someone explain to me what is meant by...

[AndyChrist]

If I had mod points every one of you in this little line would get Redundant.

GOURANGA!

Re:Can someone explain to me what is meant by...

[GeorgeMcBay]

*reads the other responses* Child porn.. child porn.. child porn..

Heh, there's some fuckers with dirty minds posting today...


I'm going to guess they've just had this line beaten into their heads from the "think of the children" PR machine behind funding for things like steganalysis.

Honestly, how many pervs do you think are out there hiding their child porn with methods such as this? I'd guess very close to zero. I'm not saying there aren't weirdos out there who like to collect this sort of thing, I'm just guessing it is a lot more likely to be sitting there unprotected in some directory on their harddrive or at MOST on some encrypted volume... I find it hard to believe they'd set up some fancy steganography system to hide it.

Steganography is an ultimate emperor's new clothes technology to get funding for. There's no solid proof anyone is using it to do anything illegal, but the people who want to be funded to research this bullshit can just say "well, of course there's no proof, because it is hidden in images! Images that TERRORISTS or CHILD PORNOGRAPHERS might be trading as we speak!!!"

Re:Can someone explain to me what is meant by...

[iminplaya]

I didn't realize encrypting stuff was illegal.

Give 'em time. The day is young.

Re:Can someone explain to me what is meant by...

[js7a]

HTTPort has got to be the best steg browsing solution out there. I hear it's very popular in Saudi Aribia, which is much worse than China.

Great movie title!

[Guano_Jim]

Secret Data: Steganography v Steganalysis

Throw in a Stegosaurus and we've got a real Destroy All Monsters vibe going.

Run! It's Steganalysis!

/crushes Tokyo

Re:Great movie title!

[CptNerd]

Your mother wants you to stop saying that!

This reply is funny, inciteful and informative

[Silver+Sloth]

But it's hidden

Extinct?

[Chappy01]

I thought the Steganalysis was extinct...that's public school education for you.

Hiding data ...pfft

[pronobozo]

As if you can hide information in places that nobody would find, just doesn't seem like a plausible direction for security.

Re:Hiding data ...pfft

[justforaday]

I don't get it...Could someone please tell me what the secret message is?

Re:Hiding data ...pfft

[Darth_brooks]

There's some truth to the idea of a hidden message in comic strips.

During the 50's and 60's the air force used a particular comic strip ("smokey stover" i think. http://www.toonopedia.com/smokey.htm, also the origin of "foo" and "foo fighter") to train recon. photo interpreters. The artist would hide his wife's name somewhere in every strip, and the new recruits would have to find it.

Re:Hiding data ...pfft

[bhamm]

I don't get it...Could someone please tell me what the secret message is? i am we todd did =)

Re:Hiding data ...pfft

[jafac]

. . . wasn't the same true for the "hidden-bunny" on the Playboy Magazine covers?

Re:Hiding data ...pfft

It was Al Hirshfeld, and the hidden name was that of his daughter, Nina.

Re:Hiding data ...pfft

[mikecarrmikecarr]

Of course, that's doubly clever as you didn't bold the 's' in places. To those who aren't reading the message, it reads: "i am tupid"

Re:Hiding data ...pfft

[jhoffoss]

Quoth Anonymous Coward: Be sure to drink your Ovaltine.

Thanks, I couldn't read that. I shot my eye out last Christmas with a damn BB gun.

Re:Hiding data ...pfft

[Darth_brooks]

thank you. I tried to google it, but couldn't come up with the right search terms to get a hit.

Re:Hiding data ...pfft

[jerw134]

Look again. He did bold the 's' in places. Now who's the one lacking intellectual fortitude...

Re:Hiding data ...pfft

[mikecarrmikecarr]

oh... well, in the "feature not a bug" line, i'd like to say that my original comment was irony. that's the ticket ;)

Re:Hiding data ...pfft

[fingerfucker]

No one is saying that a message passed on using a steganographic technique couldn't be encrypted.

You use steganography to pass a message without alerting anyone that a secret message is being passed, not to conceal the message!!

Then, you use encryption to conceal the content of that message.

An easy way to hide information

Hide it on slashdot by posting at level 0. No one will think to look, and there's an unlimited storage potential.

Re:An easy way to hide information

[Soporific]

I hide my data in a deep, moist place.

Your basement? :)

~S

Re:An easy way to hide information

[rcamans]

post it on /. at any level, no thinking person will look.

Re:An easy way to hide information

[zcat_NZ]

Always a fun thing to do. As a special bonus, you can sometimes get free backup copies this way. I have two!

Re:An easy way to hide information

[Country_hacker]

Nah, my money's on the goatse guy.

(Well, not literally...) :-O

Re:An easy way to hide information

[WWWWolf]

Hide it on slashdot by posting at level 0. No one will think to look, and there's an unlimited storage potential.

Already been done. Didn't someone already write a "Slashdot file system" program that posted files as comments and retrieved them from there?

fun stuff

[Darth_brooks]

I tinkered with this for a while. Start up gnucleus, do a search for *.jpg, and grab a bunch of files to scan. Not surprisingly, many of the images were porn (it's for research purposes, I swear!)

The biggest problems were 1. most (actually, all) of the images that came back as good candidates for having embedded images came back as false positives and 2. lack of a brute-force steg break utility.

number 2 is probably a result of poor searching on my part, but I honestly couldn't find a recent, (and free) tool that would do a brute force crack on embedded images. At the time (a few months back) I was using stegbreak and stegdetect.

So, is there anything better? anyone else have any luck?

Re:fun stuff

[carlmenezes]

Well, how do you know that what you found wasn't more hidden information? Double-layer steganography maybe? I mean, what better way to hide info than as a false positive?

Re:fun stuff

[SlayerofGods]

It's hard to brute force something when you don't know how it was hidden in the first place.
You can only design a brute force attack once you know how it was hidden in the first place. And the amount of different ways to do that right now precludes such an attack.
Maybe once a standard for steganography is agreed on we can get started on ways to crack it ;)

Re:fun stuff

[Darth_brooks]

I should have been a little more clear on that. Steg detect would decide that an image may have had something embedded using one of the programs that it looked for.

But, using stegbreak, you could only do a dictionary attack against the image even though you had an idea of what what used to embed the file.

Re:fun stuff

[shawn(at)fsu]

speaking of JPG's I once saw a picturew of flowers that if you selected the picture in say a web page (or highlighted it) you could see a hidden image (pr0n. I would love to know how to do this.
Anyone know what I'm talking about.

Re:fun stuff

[blueg3]

If there was a standard for steganography, it wouldn't be steganography any more.

It's kind of like hiding your key under the doormat. Everyone knows that's where people hide keys, so nobody hides keys there because it's useless now.

Unfortunately, the problem of coming up with such a generic pattern-finding algorithm that it'd be truly useful for trying to detect steganography in general is not an easy problem. It should be quite possible to try a lot of popular methods, though.

Re:fun stuff

[PDAllen]

Being as you can encrypt your data before steg'ing it, you're not likely to find a steg-breaking utility, or at least not one that works reliably with any serious attempt to make it hard.

Re:fun stuff

[SlayerofGods]

Moderation +1
100% Funny
Well at least one person got it ;)

Re:fun stuff

[BillyBlaze]

Don't know what you're talking about, but I remember when graphics hardware used to suck, and the most common way to make something selected was to overlay it with a halftone of blue. So what you would do is, figure out where that halftone would go, and in the pixels that remain exposed, mix in your porn image, at say about 25% opacity. Now, on the pixels that are obscured by the halftone, mix in the inverse of your porn image at the same opacity. When the halftone is gone, it would be hard to notice the change - the most you would notice is a subtle checkerboard effect where the porn was contrasting with the flowers. But when the halftone obscured the negative that previously was balancing the positive porn image in adjacent pixels, you would see the porn in much higher contrast.

Re:fun stuff

[SlayerofGods]

Probably not what you want, but it works ;)
<img src="flowers.jpg" onclick="this.src='porn.jpg'">

Re:fun stuff

[javatips]

Double layer staganography will not be very practical. When you hide someting, you need a lot more data than what you are hiding. For example, if you can hide 1 byte of data within 8 bytes of data, your will require 64 bytes of data to hide the same information in two layers.

It far more practical to encrypt the data you want to hide (making it look random), then you hide it use steganography. This has the added benefit of making it more difficult to find a pattern (encrypted data should appear random) in the data that hides your secret.

Re:fun stuff

[soupdevil]

Um, a false negative?

Re:fun stuff

The files header, gives clues about the signal to noise numbers, and what photoeditor saved the image. Remove or alter it.

Mobile phone and digital cameras picture sizes are original and getting bigger, and some software is cleaning up interpolation errors and signatures, meaning you could hide messages in an image(s).
So if you use steno, muck with the file headers using and obsolete model camera whose last driver stopped at NT4, and photograph natural events like beaches and waves, or colored beads, for inconclusive pictures.

Re:fun stuff

[Tablizer]

speaking of JPG's I once saw a picturew of flowers that if you selected the picture in say a web page (or highlighted it) you could see a hidden image (pr0n. I would love to know how to do this.
Anyone know what I'm talking about.

I think I know what you mean. In Internet Explorer, when you select an image, such as dragging the cursor with mouse button down, it forms a kind of small checkered pattern over such images. One could probably use this checkered pattern to put in a hidden image.

Re:fun stuff

[blazin]

Stuff like
this?

Not sure how well this method works, since I haven't tried it yet.

Re:fun stuff

[shawn(at)fsu]

Thank you, I've been looking for a tutorial for this effect for a long time. Thanks again.

No not for pr0n but that was the example I saw.

Passwords

[White+Roses]

I played around with this for a time. Stored all my various passwords in one of my desktop pictures at work. In the end, while it was certainly interesting, I didn't see a personally practical use for it. Perhaps integration with a keyring type of application? A replacement for the DB file that is used to store the passwords? I send so few iamges to my friends that a sudden influx of images being sent back and forth with hidden communications would draw more attention to anyone seriously interested in my boring life. I feel secure because I am obscure.

I can certainly see the use in espionage, hiding the real message in the static, as it were (Didn't a Tom Clancy book use this plot device? I think the message was sent in the connect noises for the modem). And NS's Baroque Cycle had some interesting steganographic bits in it (excessively long and boring letters about the nobility's obsession with fashion hiding an encrypted message for all to see). But on a day to day basis, I doubt this will affect most people.

Re:Passwords

[pjt33]

Stego can also be used for storage. You may not send many images, but you probably have some sitting around - or if not images then PDFs or something. (I don't know how good PDF is for stego, but I suspect they're usable. Throw in an unncessary font definition or something).

Finding hidden messages?

[wfberg]

Dear Friend , Your email address has been submitted
to us indicating your interest in our newsletter .
If you no longer wish to receive our publications simply
reply with a Subject: of "REMOVE" and you will immediately
be removed from our mailing list . This mail is being
sent in compliance with Senate bill 2116 , Title 3
; Section 304 ! This is different than anything else
you've seen . Why work for somebody else when you can
become rich within 56 MONTHS . Have you ever noticed
more people than ever are surfing the web and how long
the line-ups are at bank machines ! Well, now is your
chance to capitalize on this . We will help you decrease
perceived waiting time by 110% and SELL MORE . You
can begin at absolutely no cost to you . But don't
believe us ! Ms Simpson of Massachusetts tried us and
says "My only problem now is where to park all my cars"
! We are licensed to operate in all states ! We beseech
you - act now . Sign up a friend and your friend will
be rich too ! Thank-you for your serious consideration
of our offer !

Re:Finding hidden messages?

[Mitchell+Mebane]

-----BEGIN PGP MESSAGE----- Charset: ISO-8859-1 Version: GnuPG v1.2.5 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org VGhhbmtzISBJIG5lZWQgYWxsIHRoZSBsdWNrIEkgY2FuIGdldC 4gOkQ= -----END PGP MESSAGE-----

Re:Hmm (cracked)

[product+byproduct]

I think thIs iS The way of the FutuRe
with regardS To encryPtiOn.

You've got a nicely steganographed "first post" there.

Problem with statistical analysis

[grahamsz]

The suggestion is that if data is being hidden in the LSB of a photo then you can use statistical analysis to spot this anomoly.

The problem here seems to be that if you were to compress your hidden data prior to hiding it, then the data inserted would appear random and should thwart statistical analysis. You'd need some redundancy there if you intent to jpeg compress the image, but it might work.

I've toyed with the idea of hiding data in the vectors used in a mpeg file. Exploiting the nature of the compression algorithm rather than the source data.

Re:Problem with statistical analysis

[wirelessbuzzers]

The suggestion is that if data is being hidden in the LSB of a photo then you can use statistical analysis to spot this anomoly.

The problem here seems to be that if you were to compress your hidden data prior to hiding it, then the data inserted would appear random and should thwart statistical analysis.

The problem is, the LSBs of a photo do not appear to be random; there are many subtle correlations between them, some of them human-visible and some of them computer-visible. A given known machine-visible one can be foiled with enough statistics (see Outguess), but when a new one comes along the steg will be broken (as is Outguess).

In any case, it is assumed that you are compressing the data to save space and protect your cipher, and then encrypting it (stripping any headers added by your encryption program) to give data that would be difficult to prove non-random. The question remains how to find places in the file which appear sufficiently random to hide your data.

You'd need some redundancy there if you intent to jpeg compress the image, but it might work.

No, you'd just fudge the low-order bits (after quantization) of the coefficients of the discrete cosine transform. Of course, these also have correlations that you'd have to watch out for.

Re:Problem with statistical analysis

[blueg3]

That's only true if the original data in the LSB plane was also random. However, chances are that it isn't exactly random. Data, encrypted or no, may have different statistical characteristics than the original data.

There's a good story on something vaugely related that has to do with the frequency of digits in measured numbers. (That is, it isn't equally probable to see every digit -- earlier digits in a number favor lower digits, like "1".) People who were falsifying accounting records were caught because the numbers they used were "too random". This occurs also in people who are trying to make a string of random ones and zeros -- they'll tend to have much shorter strings of the same digit than a sequence that's actually randomly generated. (Four zeros in a row? That's not very random!)

Re:Problem with statistical analysis

[frakir]

You can always use another picture to encrypt/decrypt your message. Like xor both corresponding LSBs

Re:Problem with statistical analysis

[pclminion]

You're assuming the LSB of each pixel of image data is perfectly random to begin with. In practice there are usually correlations between the subbands in image data (at least, any data which isn't pure noise). Inserting random data changes the degree of correlation between subbands, revealing the hidden message.

Re:Problem with statistical analysis

[Dracolytch]

I've done some of my own research in this area... Basically put, the LSB isn't nearly as random as people would like to think it is... If you hide a compressed/encrypted file in the LSB of an image, you'll still be able to look at a b&w LSB map, and tell that there's data hidden there. For example: A picture with a black cat should leave ~most~ of that cat with the same LSB. If you extract JUST the LSBs, and the cat shows up totally random, you know something is wrong.

Also, if you're doing LSB hiding, you can't use lossless compresion like jpgs

~D

Re:Problem with statistical analysis

[Kjella]

There's a good story on something vaugely related that has to do with the frequency of digits in measured numbers. (That is, it isn't equally probable to see every digit -- earlier digits in a number favor lower digits, like "1".) People who were falsifying accounting records were caught because the numbers they used were "too random".

Actually, here the fault is that they didn't understood the target. Expenses have no "natural" size, they're likely to be scale invariant. Basicly, you're looking for a distribution where C*f(x) = f(x). If you took 1..9, try C=2: 2,4,6,8,10,12,14,16,18... suddenly you have 5 leading 1s.

Turns out the right distribution is following Benford's law:

30.1% 17.6% 12.5% 9.7% 7.9% 6.7% 5.8% 5.1% 4.6%

The second example you have is that the human "RNG" is flawed.

A computer doesn't really suffer from this problem. The stenagography problem is really this.

1. Find randomness in source data
2. Replace random data with pseudorandom data

Of course, if you overwrite non-random data, you're doing it wrong. If you're going to use the LSB, you need to verfiy that it is random, or find the portion of it that is random (which is kinda what you're doing when you pick the LSB from a pixel anyway).

The biggest problem is really to hide it in a "reasonable" way.

Perfect steganography should replace all randomness with noise.

Perfect compression should eliminate all randomness.

In other words, steganography operates on the thin slice between good compression (jpg, mp3, divx) and perfect compression. It's much easier to hide information in bmp, wav, uncompressed avi, but it also looks damn obvious.

Kjella

Re:Problem with statistical analysis

[blueg3]

Thanks. The name I was looking for is Benford's Law, which is a scale-invariant digit distribution, as any such distribution must be (as well as being applicable to bases other than 10).

Yes, in order to do good steganography you have to replace something that already looks random with something else that looks equally random.

The problem with what was referred to originally is that the least significant bits of an image are not necessarily uncorrelated to (a) position in the image (b) values of neighboring LSBs (c) values of more significant bits at that point. You can bet that a very random-seeming message (eg. an encrypted one) is going to be uncorrolated to these three things, so if your original LSB plane was slightly correlated, you may be able to detect the change by statistical analysis.

Re:Problem with statistical analysis

[saderax]

Hiding data in the LSB is only one of several methods. Other methods include data hiding (stenography) in other domains, such as the Fourier domain. This distributes one change in the Fourier domain across many many pixels in the image domain, and vice versa.

Re:Problem with statistical analysis

[Jeff+DeMaagd]

There is a subsection of JPEG where it allows you to make lossless JPEG files. It is rarely used though, and I think support is hard to find. I don't know how support and file sizes compare against PNG though.

Re:Problem with statistical analysis

[Dracolytch]

Bah, that's what I meant... Damn fingers.

It's hard to hide data in the LSBs if you do a lossy compression afterward... You'd basically have to write a custom JPG routine to keep your LSBs in tact.

~D

Re:Problem with statistical analysis

[Abcd1234]

Perfect compression should eliminate all randomness.

Okay, you lost me here, or maybe I've forgotten the little bit of information theory I once knew. Shouldn't perfect compression generate something which appears perfectly random?

Re:Problem with statistical analysis

[Theatetus]

Amen. And also people get hung up on the current fad of changing bits in binary files that are sent directly from point A to point B. But that's not the only model; a message could be delivered through, say, character frequencies in a classified ad or a slashdot post. Or in those "random" phrases in spam (for all we know they already are).

The point of steganography is that it hides the message's routing information. In World War II, the US Navy managed to gain a lot of operational information about the Japanese Navy simply by analyzing message traffic and routing. A steganographic message can just be placed somewhere publicly accessible and no routing information would ever be traced. The English composer Byrd did this, actually: he hid messages to pro-Catholic English rebels in his music (or so some modern musicologists say). These motets were sung all over the place, and anyone with ears to hear it, heard it. Everybody else just thought it was a pretty song.

Re:Problem with statistical analysis

[awolk]

>>>>Perfect compression should eliminate all randomness.
>>Okay, you lost me here, or maybe I've forgotten the little bit of information theory I once knew. Shouldn't perfect compression generate something which appears perfectly random?

It eliminates randomness in so far that it finds a pattern a replaces the file with the pattern.
By finding patterns you reduce the file-size and also eliminate (some) randomness. Of course the result looks random, but it is a description of more data than it contains in itself (But not together with the algorithm).

It is however theoretically impossible to write a compression-algorithm that is able to reduce the size of all files.

Re:Problem with statistical analysis

[Abcd1234]

also eliminate (some) randomness.

No, you eliminate some redundancy, thus *increasing* the randomness. The whole point is, with compression, if your output is less than perfectly random, then you must be able to compress more, as there are additional patterns that can be eliminated. Or, at least that was my understanding. :)

In support of this is fact that you can't compress a perfectly random data stream. Why? Because there is no redundancy to eliminate. And a perfect compression algorithm should output data which isn't further compressible... meaning it's indistinguishable from perfectly random noise.

Re:Problem with statistical analysis

[julesh]

No, you eliminate some redundancy, thus *increasing* the randomness

Actually, randomness is orthogonal to redundancy. The message "fish babble warg" is no more or less random if I compress it with an adaptive huffman coder or send it in ASCII art letters fifteen rows high.

Re:Problem with statistical analysis

[Abcd1234]

Yeah, I noticed that after I hit the submit button... I really meant "patterned", or something to that effect...

Re:An easy way to hide information (PART 2)

[zoloto]

actually this is a really good thing. not just on slashdot, but on other sites where you can search the documents for key words.

Heck, post as ac with a unique subject and post encrypted (gpg) ascii in multiple parts. the data will be here still next year or five (plausible) and you can retrieve it, and decrypt (assuming you have the public key or password if it's symmetric

DCT + spread spectrum

[dangil]

I have done a small experiment in steganography using DCT coefficients and spread spectrum technique, spreading a 4 bit number in 4 high frequency coeficients in a DCT transformed image

It works pretty well.. but I did it in PHP+GD, so it's pretty slow...

if anyone is interested, I have a paper that describes the methods, the PSNR and everything else... you can reach me at my gmail server, under the dangil alias

stegnography is security through obscurity

[user317]

as soon as a method for stegnography is discovered it basically looses any advantage. the only way it could work is if the number of methods would increase at a exponential or higher rate. otherwise any interested party can just brute force your data for every possible stegnoraphy method. even if one that you use hasn't been discovered yet they can store that data and check it later. in either case if you got something to hide from they you are screwed. a much better way for secure communication is http://www.xelerance.com/mirror/otr/

Re:stegnography is security through obscurity

[sobachatina]

If they (the bad guys) know that you are hiding something then you have basically failed already.

The goal is not to prevent them from finding or understanding your message but rather to prevent them from knowing that there was a message at all.

If you are downloading an innocuous image that has your message hidden in it from a webserver it is not going to raise any red flags for anyone.

Re:stegnography is security through obscurity

[PDAllen]

Not the point...

If you personally are paranoid and want to stop people reading your stuff, you can do perfectly well with RSA using a stupidly large pair of primes.

But anyone interested can still see that you've sent a big encrypted file somewhere. If you are, for example, working in a high-tech research company and you did it from work, then that is probably grounds for immediate dismissal (it'll be in the contract). Whereas if you send a couple of pictures of you+gf, to a mate, it's not suspicious; because lots of people are emailing pictures that are just pictures, anyone trying to brute-force check for steganography has a lot of stuff to work through.

Re:stegnography is security through obscurity

[halleluja]

as soon as a method for stegnography is discovered it basically looses any advantage. the only way it could work is if the number of methods would increase at a exponential or higher rate. otherwise any interested party can just brute force your data for every possible stegnoraphy method.

No. For example, the El-Gamal signature scheme allows for subliminal messages. You never know whether it's there and if it is, it won't help you either.

Re:stegnography is security through obscurity

[pjt33]

Eh? If you can transmit a signed and encrypted message, you can use stego with a signed and encrypted message. If the encryption's any good, your data should be indistinguishable from noise.

Secret Stuff

I hide all my secret information in fake research papers on steganalysis. They never think to look there.

Re:Secret Stuff

[kiore]

But wouldn't the authorities be suspicious if somebody actually started reading research papers?

how is this possible?

If I take a payload -- say a text file. If I compress the file, then encrypt the compressed data then finally hide it.

Excecpt when I hide it I use the least significant bit of every n bytes where n is a 10 digit sequence.

[1,2,3,4,3,2,1,2,6,7]

the first source bit is stored in the lsb of the first image byte.

the second source bit is stored in the lsb of the [1+2] image byte.

the third source bit is stored in the lsb of the [1+2+3] image byte. ... and on and on...

If the end of the image file is reached before the source file is embedded then wrap around and repeat using the second lest significant bit.

Using a unique noisy image source such as a crappy web cam taking a picture of a TV displaying white noise (to thwart a compressability test used for detecting images with hidden data), how could you detect this hidden message much less decode it without know specificaly how the algo works?

Re:how is this possible?

[B1ackDragon]

If I compress the file, then encrypt the compressed data then finally hide it.

I will try every possible algorithm I know

Ok, so you've found the data from the noise, not an easy task by itself. Then what? Brute force the encryption?

Steganography isn't "security through obscurity," its just obscurity. Which can be useful when not only do you need security, but you don't want people (easily and obviously) knowing you are needing the security. I know the world shouldn't work this way, but sending an encrypted message out in the open screams "I've got a secret," and sometimes even that is enough to get you noticed and in trouble.

Re:how is this possible?

[p3d0]

Using a unique noisy image source such as a crappy web cam taking a picture of a TV displaying white noise (to thwart a compressability test used for detecting images with hidden data), how could you detect this hidden message much less decode it without know specificaly how the algo works?

I'd start by running a scan on all web cam pictures of TVs displaying white noise.

Re:how is this possible?

[Dimble+ThriceFoon]

i have used infostego in the past combined with a dekart drive; cumbersome but very obscure. > put 'secret data' in a dekart drive called: pr0n.bmp > put dekart drive into an image called pr0n.bmp with infostego even if the steganalyst thinks their is something wonky about pr0n.bmp, all he can extract is another file called pr0n.bmp.

Re:how is this possible?

[beelsebob]

I can't think of a way off the top of my head, but the thought strikes me, if I start with a 10 character sequence

['h', 'e', 'l', 'l', 'o', 'w', 'o', 'r', 'l', 'd']

and I pass it through a plugboard that has trillions of different combinations, and then through a set of 4 rotors which can be started from trillions of starting points, have many different internal wiring patterns, move in different ways and can be started from different positions each time and light up a new letter each time.

How do I decode it without knowing specifically which rotors were used, how many rotors were used, where they were positioned, which plug board settings were used and which message key was used?

What I'm saying through this analogy is that cryptographic problems appear at first to be impossible to break, but they all have weaknesses (which we may or may not have spotted). It's very very plausible that stenagraphic algorithms have weaknesses too and we just need to direct enough research effort at them.

Re:how is this possible?

[mudimba]

I think the basic idea is that the LSB is not always completely insignificant. In many pictures you are going to have certain areas that are fairly monochromatic. In these areas the LSB is not going to have a completely random distribution (the article showed a picture made from just the LSB, and you could see clumping in the monochromatic areas). After you hide a message in the image, these areas will no longer show the expected clumping.

It occured to me that you could simply tweak your algorithm so that it skips pixels if its non-LSB bits were identical to its neighbors. This, of course, would just get around one of the steganalysis attacks described.

Re:how is this possible?

[Cyberax]

It's possible to analyze random distribution of noise (Fourier transformation is a basic method), so presence of encrypted content will be fairly easy to detect.

Decrypting hidden message is, of course, another task.

Layered Implementation

[Kobun]

Because an encrypted stream is obviously hiding, it gives the attacker something to focus on. What a person might do instead with Steganography is embed encrypted information, so that the set of information is not only hard to detect in a field of dummy files, but that once the encrypted data is found one still has to decode it.

Re:Layered Implementation

[ediron2]

IANBS (I Am Not Bruce Schneier), but Strong Encryption beats steg plus encryption, based on my (limited, but relevant) practical experience.

That runs counterintuitive, so let me scratch the why/how:

Steg: it's incredibly hard to really hide stuff. If you stick data into the unimportant pixelbits of A/V data, statistical analysis of the sort of data that is created by the source (camera, scanner, etc) makes it *trivial* to detect that stuff is being hidden. The better you hide it, the more you sacrifice signal to noise.

Steg plus encryption: easily detected, and steg limits the data pipe. If you have a lot of steg data, creating enough host data to mask it becomes a huge damn PITA.

Strong encryption: data compresses, not expands. Detection and break costs can be reasonably calculated, and algorithms can be picked that achieve an acceptable break cost. And there are mechanisms like dvd-length one-time pads that can make the data flow utterly unassailable as long as it remains encrypted. All that you're left with is attacks outside that space (bribery, extortion, threats, wiretaps, and so on become the cheapest win).

Incidentally, W.A.S.T.E. has an design aspect that does a great job of balancing steg and encryption: encrypt everything with an algorithm that is computationally expensive to brute-force, then shove copious amounts of probably-not-significant data down the encrypted channel. It's like the shortwave number-reader frequencies: by creating a perpetual, huge stream of junk code, you get rid of the above-mentioned weaknesses, and gain the advantage of creating an encrypted and steg'd stream.

Re:Layered Implementation

[Em+Adespoton]

However, until everyone is using strong encryption to store and send all data, steganographed encrypted data is necessary. You see, often it is just as important to hide the fact that you've got something to hide as it is to secure the data. With steganographed encrypted data, you can plausibly deny that it was you who hid the data in the first place.

Re:Layered Implementation

[Total_Wimp]

What a person might do instead with Steganography is embed encrypted information, so that the set of information is not only hard to detect in a field of dummy files, but that once the encrypted data is found one still has to decode it.

Exactly. Even if you play the record backwards, no one knows exactly what the hell the message means. Satan wants you to something, but you can only really tell if you have the code book.

TW

Re:Layered Implementation

[myowntrueself]

As A.Crowley once wrote "double and triple meanings which must be combined in order to fully understand".

Its possible to steganographically hide more than one piece of data inside something else.

The cryptographers problem then is a decision problem; even if you find something concealed, do you stop looking for more? When do you stop expending resources?

How do you know that the piece that you found wasn't the data that you were *intended* to find? So that you'd stop looking for more.

Or perhaps there are multiple encrypted data sets, concealed side by side which all need to be found, decrypted and combined before it all makes sense? And which appear to make sense by themselves...

Ultimately, I suspect that steganography is (in general) *uncomputably* hard to break, just like the platen code.

Re:Layered Implementation

[Minna+Kirai]

IANBS (I Am Not Bruce Schneier), but Strong Encryption beats steg plus encryption, based on my (limited, but relevant) practical experience.

They shouldn't be directly compared, because steganography and encryption reach towards different goals. One conceals the fact that you're hiding information, the other protects information from someone who already knows to look for it.

In limited circumstances, each can perform the other's effect: steganography makes encryption irrelevant if they can't find the material, and encryption makes steganograph irrelevant if and only if a substantial portion of non-suspected people are also using encryption for daily correspondence.

There are governments today, however, that will rape you with a machinegun if they see you passing coded messages around, so steganography has immediate utility.

Re:Layered Implementation

[jhoffoss]

The other part of this that I started to hit on in another post, but never quite made it: Hydan (the most popular version of steg/de-steg software I've seen so far) uses bluefish. There's no rule saying you couldn't tie this into GPG, though, so you could wind up with both edges of the sword: steganographically-hidden, strongly-encrypted data.

And someone else commented on finding enough data to hide a sizeable file. Well, the other side to that coin is a text file doesn't require much space, but there are infinite times in all walks of life where a few lines of well-written text, if sent to the right person, can have great influence. Of course, the other side to thatcoin is that you could [potentially] use a DVD movie to hide a larger amount of data. Put that on a burned DVD, slap a bootlegged-like label on it, and if anyone discovered that there was data stegged on it, and it's "I don't know what you're talking about, I bought it off some dude in Central Park when I was in NY last month." Just remember not to leave the key you used sitting on the disk!

Or better yet, steg it in the cover image! Or not...

Re:Layered Implementation

[chialea]

>statistical analysis of the sort of data that is created by the source (camera, scanner, etc) makes it *trivial* to detect that stuff is being hidden.

There is in fact Real Stego, made by real cryptographers, with real security guarentees (based on standard assumptions or in a information-theoretic model). It is, however, true that you'll have to have a certain amount of entropy in your channel to move data. If you're interested in lower bounds for that, I can refer you to a paper.

BTW, in some places, encryption is not legal, or will bring unwanted attention. In these cases, you really want steganographic security.

Lea

Re:Layered Implementation

[nacturation]

Satan wants you to something, but you can only really tell if you have the code book.

Yeah, he wants you to insert the word do between "to" and "something".

Re:Layered Implementation

[sacrilicious]

it's incredibly hard to really hide stuff. If you stick data into the unimportant pixelbits of A/V data, statistical analysis of the sort of data that is created by the source (camera, scanner, etc) makes it *trivial* to detect that stuff is being hidden.

What if that 'stuff' is basically random? Random data is essentially the output of programs like zip. If I encrypt information, zip it, scramble the zip output, and encrypt one more time, I cannot imagine how even knowing there's information there could lead to deciphering it. I'm not saying it's flat out impossible, and I admit I'm a layperson not a crypto guy, but I'm pretty skeptical. Anyone who knows about cryptanalysis case to enlighten me?

Re:Layered Implementation

[Minna+Kirai]

If you have difficulty understanding why steganography can be important, remember to visualize a different class of enemy than in cryptography: instead of a spy tapping your phone line, it's the secret police of your own government, with full powers of search, arrest, and tortorous interrogation.

Random data is essentially the output of programs like zip. If I encrypt info

That absolutely won't work for steganography. The data stream from a zip is mathmatically quite random, but it's also easy to tell that something's been hidden there: simply try to decrypt it, and it reports as totally corrupted. Then the police start asking "Why do you have so many invalid zip files? What are they REALLY?"

The only way steganography can work is if it changes the original file so slightly that it still looks normal when viewed.

I cannot imagine how even knowing there's information there could lead to deciphering it.

Because they know there's information there, 6 to 9 strong guys with machine guns break into your house in the middle of the night. They chain you in their basement for a punching back for 2-3 weeks, and eventually you tell them the encryption code to decipher it.

Re:Layered Implementation

[sacrilicious]

If you have difficulty understanding why steganography can be important

I fully understand why steganography is important. Didn't mean to imply otherwise.

The data stream from a zip is mathmatically quite random, but it's also easy to tell that something's been hidden there: simply try to decrypt it, and it reports as totally corrupted.

So I've zipped data to increase randomness, swizzled the resulting bits around a bit, and stuck these bits into a steganographic picture. You say it's easy to tell the picture has data because decryption attempts produce garbage. How is that result different from the garbage produced by trying to decrypt information from a picture that in fact has no hidden message?

[Deciphering a message is enabled if] they know there's information there, 6 to 9 strong guys with machine guns break into your house in the middle of the night. They chain you in their basement for a punching back for 2-3 weeks, and eventually you tell them the encryption code to decipher it.

Touche, but I meant "decipher by breaking the code", not "figure out what's there using George Bush methods". If I *anonymously* post a stego picture with unbreakable encryption, then breaking into my house is not an option, even if they figure out the picture is a stego. If swinging clubs is the smartest thing someone can come up with to break encryption, our intelligence community is up the creek without a paddle.

Re:Layered Implementation

[Minna+Kirai]

How is that result different from the garbage produced by trying to decrypt information from a picture that in fact has no hidden message?

I already specifically answered that, so I shouldn't expect that repeating the answer again will help. Nevertheless:

The difference is that there is a plausible explanation for why the police can't find a hidden message in the picture: because the suspect isn't hiding any messages- he just likes to trade pictures of flowers and kittens. What possible excuse could a suspect use to to explain why he repeatedly transmits invalid zip files? "Well, officer, I like to transmit corrupted files to... uh... test my bandwidth, yeah, that's what it's for". Talk like that will get you thrown in the pit.

but I meant "decipher by breaking the code", not "figure out what's there using George Bush methods".

But if you were thinking about people deciphering the code, then you weren't looking at the kind of problem steganography is meant to solve. That's what I tried to explain by pointing out the different classes of notional opposition used in each discipline. The cryptographer's enemy is sneaky and smart, and can read/modify your mail, telephone, and internet signals. But the stegnographer's enemy is brutish and strong, and aside from reading (not editing) your transmissions, will also be bursting into your home for unannounced searches.

If you're truely believe your physical security is unassailble, and no tough men with guns could ever scare you by banging at the door at 3:00 AM, then you don't need stegaongraphy. But for everyone who fears the government, the mob, or some other boogyman, there may be a need for stego.

If I *anonymously* post a stego picture with unbreakable encryption, then breaking into my house is not an option, even if they figure out the picture is a stego.

If the government has the power to abduct citizens for lengthy torture, they also can enforce access logging at the ISP level, so you weren't actually anonymous when you posted. (And no, you can't use any kind of mass-anonymizing proxy system, because just distributing or executing such an application is enough reason to get dragged off in the night)

In fact, if you did have a way to make (and read) that posting anonymously, then concealing it with steganography was pointless. You may as well have left a blatant encrypted message with "Attention Fellow Terrorists" in the header.

Re:Layered Implementation

[sacrilicious]

I already specifically answered that, so I shouldn't expect that repeating the answer again will help.

It's always good to try. I'm dense, but repetition sometimes makes it stick. :)

The difference is that there is a plausible explanation for why the police can't find a hidden message in the picture: because the suspect isn't hiding any messages- he just likes to trade pictures of flowers and kittens. What possible excuse could a suspect use to to explain why he repeatedly transmits invalid zip files?

Firstly, they wouldn't be recognizeable as zip files because they'd been randomly rearranged, after being encrypted, after being zipped. But more to the point, the scenario I'm proposing is that this zipped then encrypted then swizzled data would then be steganography-ied by (say) putting its bits into the low bits of a picture. I think perhaps this part of my intent did not transmit, which would explain why you think I may not appreciate steganography (I do) and why you think the police would be questioning me about invalid zip files (they'd have no basis to even think zip data existed).

If the government has the power to abduct citizens for lengthy torture, they also can enforce access logging at the ISP level, so you weren't actually anonymous when you posted. (And no, you can't use any kind of mass-anonymizing proxy system, because just distributing or executing such an application is enough reason to get dragged off in the night)

Distributing such a program is not a draggable-off-in-the-night offense everywhere, clearly, so not to put too fine a point on it but I think what you mean is that IF one lives in a police state where there is no anonymity then one has no anonymity. Agreed. For the record I happen to not live in such a police state. I'd concede that perhaps my musings are the luxury of those like myself who don't live in such a state, but on the other hand I'm not really trying to address utter totalitarianism. But even in such a state, if one successfully downloads an anonymizing program, then said download may not have been anonymous, and the distributor of said program may be about to experience much pain, BUT once the program is downloaded, subsequent posts of data are, well, anonymous.

Re:Layered Implementation

[Minna+Kirai]

Firstly, they wouldn't be recognizeable as zip files because they'd been randomly rearranged, after being encrypted, after being zipped.

Right, and that's exactly the problem. If they dont' appear to

I'm proposing is that this zipped then encrypted then swizzled data would then be steganography-ied by (say) putting its bits into the low bits of a picture.

That goes back to a more subtle issue of detectability of steganography. What ediron2 said is that if the investigators are familiar with the manner in which the source images were produced (like a bias or repetitive pattern in the scanner collecting the pictures), then noticing a disturbance in that pattern will give them a clue as to steganography's presence.

I personally feel that's a little farfetched, as it implies both flawed hardware, and the investigator having serious insight into those flaws- but regardless, the fact that the hidden data is unbiased itself (random) doesn't hinder their utilization of this technique: "Hey, there's supposed to be a distinctive sawtooth pattern in the chromaticity FFT, but some kind of random noise is blurring it out! Arrest that guy". Implausible, I think, but no less so.

then said download may not have been anonymous, and the distributor of said program may be about to experience much pain, BUT once the program is downloaded, subsequent posts of data are, well, anonymous.

No. Anonymizing programs don't work that way. They work according to a "they can't arrest ALL of us" theory. A person logging at your ISP can see that you're sending out encrypted messages to an anoymizing service, which might be either an individual proxy server, or a randomly-selected other user executing the anonymizing program. The anonymizing concept only works so long as many other non-suspected people are also anonymizing. (That is, it only works in the same kind of situation where ubiquitous cryptography renders stegaongraphy irrelevant). Both (non-stegan obfuscated) cryptography and anonymizer programs will not work under a regime that decides to outlaw their operation.

Is this really a good article on steganalysis?

[Sara+Chan]

From the conclusion of TFA:

... countermeasures against steganalysis are also emerging [11].

Reference [11] is for the F5 algorithm:

11. Westfeld A. (2001), "F5-Steganographic algorithm: High capacity despite better steganalysis", Lecture Notes in Computer Science 2137 289-302 (Springer-Verlag).

Yet consider this paper:

Fridrich J., Goljan M., Hogea D. (2002), " Steganalysis of JPEG Images: Breaking the F5 Algorithm", 5th Information Hiding Workshop 310-323 (Noordwijkerhout, The Netherlands).

The abstract from Fridrich et al. says "... we present a steganalytic method that can reliably detect messages ... hidden in JPEG images using the steganographic algorithm F5".

So TFA article cites countermeasures from 2001, even though a method of defeating those countermeasures was published in 2002.

The above is just one example. Overall, TFA seems poor and out-of-date. This is a case where the F in "TFA" does not stand for "fine".

Re:Is this really a good article on steganalysis?

[Em+Adespoton]

I always interpret the F in [R]TF* as standing for either Full or Faulty, depending on the context :)

v Stegosaurus!

[Mustang+Matt]

I'll put my money on the dinosaur

Re:v Stegosaurus!

[corngrower]

They're still around, you know. They happen to hide very, very well. c.f. Bob in the Dilbert comic strip.

Googlefight

Googlefight!

Steganography wins.

Re:An easy way to hide information (PART 2)

[blueg3]

That doesn't serve the purpose of steganography, though. If someone is clued in to the possibility that you might be sending messages by posting them on Slashdot, it's fairly easy to check and find out that yes, in fact, you are sending messages. The idea behind steganography is not to make the message unrecoverable from the cover data, but to make it so that nobody detects that any communication is even going on.

Possibilities

[grandmstrofall]

I think that steg provides the opportunity to increase security of already existing crypto. Wouldn't it be plausable to take already encrypted data, and then hide it? Sure, it's not foolproof, but it's no worse than having the encrypted data sent as is.

At the same time however, it seems like steganography has some inherent flaws in it. That is to say, the more people use is, the quicker people will be able to determine patterns in the method. This would allow people/groups/countries/etc. to find the message faster. Doesn't sound like too reasonable of an idea.

Additionally....I'd be interested to see what DJB has to say about steganography...

Encryption^2

[Lycestra]

Sounds like an extension of normal encryption/cryptanalysis techniques to me. The only difference is the ciphertext appears to be an unrelated plain text rather than random. To oversimplify, its a matter of finding patterns within other patterns, rather than patterns within pseudo-chaos. Still, seeing deeper than the obvious is not easy to do.

Explanation: Espionage

[Bonhamme+Richard]

Many posters have addressed the idea of child pornography, but it's not just a matter of images hidden inside of images. By going through the 1s and 0s that make up an image a written message can be composed.

Method: An image is built of bytes representing shades of colors. If you go through and change the least significant bit of each byte you can encode a message. Note: this is achieved without substantially changing the image.

Example: 10001000 becomes 10001001

Significance: If two people were to set up a system, like "go to site XYZ on every 3rd Friday and download the pic of the day," it would be nearly impossible to track them. An agent in the field checks the image, noting the value of the last bit of each byte. Stringing these values together he creates a message. Two individuals can communicate from across the world without anyone else suspecting.

This can be used for anything: 1) Terrorists coordinating timed attacks 2) Americans selling national security secrets to foreign powers. 3) Communication between intelligence community agents (ours or theirs).

Land of the free yes, but all three of the above uses are illegal.

Re:Explanation: Espionage

[myowntrueself]

"noting the value of the last bit of each byte."

This makes me wonder if it might even be possible to *find* pre-existing images (eg) that satisfy the requirements of the code without any modification at all.

If that were possible then good luck finding it with steganalysis...

Think I've seen this movie before....

[SoCalEd]

Steganography vs. Steganalysis

Wasn't this the sequel to Godzilla vs. Mothra?

I'm quite certain...

[Kjella]

...that this has already been used, at least to get around free website restrictions. Many of them rejected uploads of zip/rar/.001-.00X etc. types of files, often even with header checks. Make it a picture gallery and well... what can you say, it's a popular gallery ;)

Kjella

A stego method that actually works

[Synli]

Hiding ciphertext within pictures or sounds does not work. They are mathematical methods to detect that a picture or a sound contains encrypted data (unusual noise). There is currently only one steganographic method I am aware of that really works. It is hiding ciphertext within ciphertext. I know only of one open source and free program that realises this scheme: TrueCrypt. And here is how they do it.

Remember the post 9/11 image-messaging concern?

[ScentCone]

This reminds me of a concern that surfaced in the immediate wake of 9/11: that the bad guys were shunning traditional net-based communication (e-mail, forum/newsgroup postings, etc.) and might be using codes or signals embedded in images in common places (eBay, for example).

I seem to recall a distributed screen-saver type app that was being used to crunch through millions of hosted images. Not much to find online about this, but there are articles like this one at NewScientist.com suggesting that the effort was a washout. here are some more stats from a study that came up dry, but there always this reference to "first stenographic image in the wild" as reported by ABC back when.

Re:Remember the post 9/11 image-messaging concern?

[Webmoth]

I've often wondered if this is the purpose of spam. (Not SPAM the luncheon meat product, but spam the unsolicited commercial email product.)

It's simple -- hide your message in what appears to be an advertisement, send it to billions of people (including your intended target). Because it looks like spam, anyone monitoring a suspect's mailbox will assume it's spam and ignore it completely. The monitor probably got an exact copy of the same message in his inbox, so obviously it's spam, right? Only the true recipient will know it for what it is.

Re:Remember the post 9/11 image-messaging concern?

[ScentCone]

Too clever by half! Of course, the bad guys would have to use an ISP that doesn't filter spam...

Remember Tiananmen Square

[leereyno]

The fact that this is happening in China suggests to me that this is being done on the behest of the socialist government, which is far more concerned about the threat of grass roots movements for freedom and democracy than anything else.

Make no mistake, the current chinese government may represent a "kindler, gentler" communist regime, but its mere existence is still a crime against humanity.

Lee

Re:Remember Tiananmen Square

[aiken_d]

I agree with all of your points, but have a minor quibble with your terminology.

I think you want "totalitarian" where you used "socialist." There are plenty of democratic socialist countries (Sweden, for instance, and some would say Canada). And you could have a democratic communist country; "democracy" is a political system, whereas "communism" is an economic system.

Sure, in point of fact, most communist governments have been totalitarian. But it doesn't necessarily have to be that way. And socialism certainly doesn't correlate with dictatorships or totalitarian regimes.

Not a huge big deal; it's just that that confusion of terms is a pet peeve of mine.

Cheers
-b

Re:Remember Tiananmen Square

[tarkas]

While it may be technically possible to have a democratic communism, it seems very unlikely. Communism as defined requires an overarching central government to act as absolute the mediator of the ecomony and in fact "own" everything. That degree of control cannot be separated into purely economic and polital spheres, never mind how society functions- it demands a defacto totalitarian scheme.

Further, I'm unwilling to accept your central premise, that communism is merely an ecomnomic system. That is not true; communism assumes that the functioning of society (government, economy, the whole social contract thing is re-written)is a single object, subject to the "will of the proletariet" (snicker) Who ever the hell they are. Oh ya, sort of like an athiest's version of Divine Right. (bwaaahahaha).

Even assuming the dichotmy is real, can you really imagine a populace actually voting in a government that advocates a communist ecomonic plan? Or re-electing it after surviving the attendant disaster? With out first taking some potent hallucinogen?

Never the less, any system that grants the government wholesale control over the economic funtioning of the country (socialism and communism are different shades on the same spectrum) will necessarily be at odds with the notion of a free society. How can it be otherwise?

-Me

Re:Remember Tiananmen Square

[leereyno]

This is one of the current arguments of communist apologists, that communism is compatible with freedom and democracy. Now I'm going to give you the benefit of the doubt and assume that this is something you've been led to believe, possibly by one or more of your professors in college. The alternative requires either malice or dishonesty on your part, probably both.

If you want to understand communism and the effect it has upon any system of government where it exists, take a look at this book:

http://www.amazon.com/exec/obidos/ASIN/189355445 7/ qid=1107852099/sr=2-1/ref=pd_ka_b_2_1/002-4981621- 1528822

The Road To Serfdom by Hayek would also be a good book to read, and it is far shorter:

http://www.amazon.com/exec/obidos/ASIN/022632061 8/ qid=1107852402/sr=2-1/ref=pd_ka_b_2_1/002-4981621- 1528822

Here's a good site for general information on the education, or lack thereof, as presented in our colleges and universities:

http://www.studentsforacademicfreedom.org/

The main problem with communism/socialism is that both are founded upon a false premise, the idea of group rights. In other words the idea that groups of people somehow have rights that are not an aggregate of the rights of the individuals who make up that group. Don't ask me to explain it, since I can only barely fathom it myself. A good example of this attitude in this country is affirmative action, or other special rights and considerations extended to groups of people based upon their membership in that group, whatever it may be.

Under communism and socialism you as an individual have no rights. Rather "the people" have rights. The communists and socialist may not be very vocal or explicit about this point but it is an inherent and fundamental tenet of their ideology.

Another problem with communism especially is the idea that human nature is malleable, that human beings can be molded and shaped through education or indoctrination into whatever it is that society wishes them to be. This is fundamentally false. It is certainly possible to influence someone, and to encourage them to act and think in certain ways, but only within the constraints imposed by human nature itself. The other mistake they make is that they deny the role that individuals play. Einstein came along and revolutionized our understanding of the universe. If he's been hit by a train, some would argue that someone else would have made the same discoveries. Well probably, eventually, someday. The point is that his making those discoveries when he did had tremendously vast and far reaching consequences. The same is true in any field or endeavor, and politics is no exception. Communism denies this fundamental truth. Due to this denial of the influence of individuals, and their denial of human nature, communist regimes tend to fall under the control of individuals that epitomize the worst that human nature is capable of. Lenin, Stalin, Pol Pot, Castro, Kim, etc, etc. It is not a coincidence that these madmen came to power when and where they did. Had the forces of freedom and democracy prevailed in the stead of communism and oppression, these men would either be in prison for other crimes, or locked up in a loony bin somewhere.

In any case that is all the time I have to talk about these issues. Sleep calls and I must obey.

Lee

Let's try that again...

[Mitchell+Mebane]

-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

VGhhbmtzISBJIG5lZWQgYWxsIHRoZSBsdWNrIEkgY2FuIGdl dC 4gOkQ=
-----END PGP MESSAGE-----

I have used this technique for decades!

[museumpeace]

hidden somewhere "in plain sight" in the code I turn in, is a program that actually works and has no bugs.

Application more important than Technique?

[Clod9]

In the past I've focused my thoughts primarily on techniques, but reading this article, it occurred to me that the most important part of using steganography is using it the right way, and constructing the right cover -- not necessarily the technique itself.

Using statistical methods, most steganography can be broken either now or in the near future if the steganalyst can spend a lot of time and computing resources on each candidate bit collection, and if you're hiding a lot of bits in each collection. The consequence: don't hide very many bits, and widen the search space by hiding your trees in a forest of significant size, so that the amount of CPU the analyst can use on any particular tree is low.

Key exchange is a great candidate for steganography. And to make sure the population of innocuous bit collections around yours is high, find a place where a lot of people around you are dealing in large quantities of bits: music collections at a university, or spam messages on an e-mail relay.

correct you are!

[zoloto]

I was only replying to the somewhat offtopic comment. And I know what stenography is. I've used it myself through websites that let you use "avatars" or post pictures such as fark.com photoshop contests. It is fun, is it not?

*cheers*

Re:correct you are!

[Webmoth]

You said "stenography" (taking notes). Di you really mean to say "steganography" (hiding data)?

How does this have to do with Dinosaurs?

[Torontoman]

I got excited I thought this was all about the Stegasaurus.

Re:An easy way to hide information (PART 2)

[YrWrstNtmr]

Heck, post as ac with a unique subject and post encrypted (gpg) ascii in multiple parts. the data will be here still next year or five (plausible) and you can retrieve it, and decrypt (assuming you have the public key or password if it's symmetric

ahhh...so THAT's what all that incessant GNAA crap is.

multiple channels

[new+death+barbie]

It would be interesting to investigate the use of steganography to provide for multiple channels for your encrypted message -- for example, you could divide the bits of your message across more than one image on a website. Harder to detect, and if detected, harder to decrypt.

Just a thought...

Re:Hmm (cracked)

[iminplaya]

(paraphrased)"There is no baby. She wasn't even pregnant.", was the way the lack of nukes in WW2 Germany was described, I think. There's just so many way to hide comunications. No computer required. For example: If you see somebody looking for a 1972 Ford Pinto in the classifieds, they're probably terrorists trying to hide a message. They plan on backing the thing into a building.

Steganographed DeCSS?

[Spy+der+Mann]

I was just reading the DeCSS Haiku noticing how the guy managed to use a mnemonic encryption of PI (words with 3,1,4,1,5,9,2,6,5 length), and I wondered.

How about doing the same thing like say... encoding the full DeCSS source code in plaintext steganography, using words' length?

For example:
a) Encode to octal. 010205000506030102
b) Add 1. 2/3/6/1/6/4/2/3
c) Encode. "My fav. mangas: I wonder what is erm..." etc.

Just a thought.

Re:Wasn't that his point? MOD PARENT DOWN

[Winkhorst]

You can actually say a lot in plaintext without actually saying openly what you mean. Aleister Crowley was a master at this. The way this works is you talk directly to those who know the context in which you are speaking and it all just looks like mere verbiage to anyone not familiar with your topic. Or you refer to your predicates in such a way that the casual observer can't tell what your final conclusion refers to. This is not steganography per se, but goes to the origins of the concept. I have done this myself and it allows you to say things you wouldn't dare say outright for fear of retribution from certain third parties.

But has it ever actually been detected?

[dpbsmith]

I know there was a big fuss about these possibilities a couple of years ago--IIRC there were assertions that Al Qaeda was using it--and I thought some researchers had done a careful study and found no evidence for it whatsoever.

Is steganography in multimedia images really being used, or is it just a paranoid fantasy?

(Yes, I know--if it has never been detected, thatproves that it works....)

Real Application

[Gyorg_Lavode]

While steganography is wonderful and all applied to images and music, it really isn't applicable to most of our work.

What I want to know is how is steganography, (and more importantly steganalysis), applied to network communication? If I have a network that has very defined traffic, how could someone embed their own data in our normal traffic. And how could I detect it?

Difference in application

[Kobun]

Interesting points.

With lots of steg info, I can see where it quickly turns into a problem. I was considering more of the situation where I have ONE really important piece of information to hide (a .doc with all of my financial accounts, for example) and considered the idea of stuffing it into a forest of innocuous files.

I am no expert, so I welcome modifications to this method, but here goes:
1. Take small piece of highly valuable information and encrypt it with a stong encryption method.
2. Download large amount of random data (pictures of kittens from 450 different websites, lotsa grainy ones)
3. Make strange modifications to pictures (lens flare!)
4. Apply favorite steg method and hide encrypted document.

Please discuss, I am quite interested now.

Metasteganography

[Dylan+Thomas]

What strikes me as most curious is that the current debate about steganography is in itself an exercise in steganography--at least, in the sense of hiding important information in plain sight. Through the use of technical-sounding words, concerned parties manage to conceal what seems to be a genuinely frightening disrespect of the freedom of information.

Simply take "steganography" out of the equation. It's easy to scare the masses by using intimidating neologisms. But steganography is simply a manner to transmit information privately. So let's recast the sentence, "...illicit use of the technique might become a threat to the security of the worldwide information infrastructure." Let's simply say, "Individuals attempting to keep their private information private might become a threat to the security of the worldwide information infrastructure."

What used to be a preferred method for sending private information to a friend? The mail? Didn't we used to have a respect for the privacy of letters we sent via post? So how come no one said, "Sealing envelopes might become a threat to the security of the worldwide information infrastructure"?

What's being steganographically hidden in this debate is the reality that these days, quite a few people--many of them in power--simply no longer believe that a person has any right to private or personal information. Why would a technology such as this arise in the first place? Because we know that the first anthrax envelope made the private post public for everyone? Because we know our e-mail can be read, our servers can be hacked, our telephone calls recorded and our houses ransacked simply because fear of terrorists convinced us to sign over our civil liberties as if we no longer desired them?

This technology arose because some people realized that they were losing any pretense at privacy they might have had, and so were motivated to develop tools to maintain it. And now, we take the new word "steganography" and talk about how dangerous it is... perhaps because we're trying to conceal inside the hidden message that all privacy is dangerous, that anything you do, say or think should always be subject to review by the appropriate authorities.

Re:Metasteganography

[Iainuki]

The difference between this technology and all previous technologies is that with modern cryptography, there are a priori limits on how easy it is to crack. In the past, an organization with great resources (like a government) could crack any conceivable form of information protection: envelopes can be opened, phone lines tapped, and so forth. However, with modern cryptographic algorithms, unless the government can exploit some heretofore undiscovered weakness in the algorithm, you can rest assured that the contents of your message will remain secret until computers reach a certain speed or someone develops a new technology like a quantum computer, risks that you can manage (by using a key size appropriate to the length of time you need to keep the secret, for instance). I suspect that the idea of perfect secrets terrifies some individuals in the government. They didn't act in the past because they were confident they could uncover any secret and because the secrets were often less valuable than they are now (because technology has made secrets more valuable and because people are more willing to entrust secrets to provably good encryption). Neither of these things is true anymore.

The framers of the US Constitution tried to craft a set of limitations on the government that would keep it from abusing and subjugating its citizens. However, despite these precautions, the government has at various times and places done exactly the things the framers tried to prevent. In a sense, even for nominally restricted and democratic governments, citizens possess rights only at the sufferance of their government. Modern cryptography is taking one of those rights (the right to conduct confidential communications) and transforming it from a right granted at the sufferance of the government, to be taken when away "national security" or what have you is threatened, to a right that can't be violated without overwhelming restrictions on citizens' freedoms. That's why the opposition to it has been so strong, I think.

give it up, guys

[jeif1k]

If the embedded data rate is low enough, it's completely impossible to detect even if it was constructed using simple steganographic techniques.

Governments, companies, and everybody else simply have to get used to the fact that if anybody cares, they can hide and transmit information to anyone. I'm not sure that's a good thing--it also interferes with things like whistleblowing--but it's just the way it is.

Re:give it up, guys

[Flyboy+Connor]

If the embedded data rate is low enough, it's completely impossible to detect even if it was constructed using simple steganographic techniques.

This is absolutely true. If you want to hide a 1Kb message, and you use a 300Mb movie to store it in, it is completely undetectable. That is, unless you use a movie that is publicly available, then a simple comparison can do the trick. But pick a home movie, and you're in the clear. Even better, if you just generate a file with 300Mb of noise, you don't even have to go through the trouble of taping a one-hour movie. One drawback with that: it is easy to recognise by an outsider that you are transmitting absolute nonsense, so they might suspect something fishy is going on. But the message will never be found.

Re:give it up, guys

[arose]

One time pad encrypted message, padded with noise, inside a movie.

...which is base64 encoded for ...

[mccrew]

$ echo -n VGhhbmtzISBJIG5lZWQgYWxsIHRoZSBsdWNrIEkgY2FuIGdldC 4gOkQ=|mimencode -u
Thanks! I need all the luck I can get. :D

Re:An easy way to hide information (PART 2)

[DJCF]

Wasn't there an (unencripted) mountable filesystem that stored its data by posting as AC? (Can't find it at the mo...)

Detection?

[NerveGas]

You'll have to forgive me, I'm not the greatest cryptographer in the world. But let's say that Joe Shmoe takes a picture with his cheap 8-megapixel camera, with a very high ISO setting for lots of noise. Now, that's roughly 192 megabits of information.

Suppose he needs to encode a 1 kilobit message. that means that there's going to be one bit of signal for every 192 kilobits of image. Now, say he does the encoding to merely appear like more noise in the already noisy image.

Given that low of a signal-to-noise ratio, I really don't see how you could detect the message unless you had prior knowledge of the algorithm or locations.

steve

Re:An easy way to hide information (PART 2)

[zoloto]

not sure, look around for me since you seem to have a better (albiet vague) notion of what it is.

One time pad

[arose]

Good luck finding steganographed, one time pad encoded messages.

"Sir, I found some noise here..."

songeconguronge

[amrust]

Wonge hongavonge hongidongdongenong yourong pongacongkongetongsong. You wongilonglong nongevongerong congrongakong ourong alonggongorongitonghongmong!!

Re:songeconguronge

[WillerZ]

Wongronongg.

Coincidence?

[FirstTimeCaller]

Ok, I this is the second article that I've read (within 5 minutes of each other!) that, while unrelated, both contain the word steganography.

This can't be a coincidence... there must be a hidden meaning... I'll get back to you once I discover what it is...

PS: Don't wait up.

New use for flickr...

[Abcd1234]

... or other online photo-posting websites. Create/select a known tag, and post what appear to be appropriate images there, which also happen to contain a steganographically hidden payload...

OK I give up

[fbform]

What's the message that's hidden in your post? :-)

Plain text

[shish]

If the govt found you sending plain text explanations of your terrorist plans, would they take it seriously or pass you off as a nut who's too incompetent to hide themselves?

Re:Plain text

[Boricle]

If the govt found you sending plain text explanations of your terrorist plans, would they take it seriously or pass you off as a nut who's too incompetent to hide themselves?

Irrespective of the truth, they would probably treat you as an ideal candidate for a PR exercise in convincing the masses that the threat is real...

Re:Wasn't that his point? MOD PARENT DOWN

[nacturation]

... and so's your mother! Sheesh, you thought I wouldn't catch that insult buried in your text?

reactionary: not exactly what you think it means

[ediron2]

I agree with almost all of what you say: Getting caught with encryption could be a death sentence, encryption and steg have different goals, they can supplant one another in a reciprocity sort of way, etc. But let me say this again: it is so damn hard to do steg well, that anyone living in an area where coded transmissions are life-risking acts, should think twice. Me, I'd stay *clear* the fsck away from steg.

Steg isn't just *hard*, like encryption (where one can get good encryption, or carefully implement a published, trusted algorithm and be safe). It's harder. Each implementation has to be robust against all sorts of preliminary cryptanalysis techniques, plus you're dealing with stuff beyond your control (like machine-specific traits in scanner or camera output). Stuff that is *beyond your control* can reveal steg being used. For hiding data in photos, for example, all it sometimes takes is *looking* at histograms of the bytes found in normal images off a device vs. the histograms of bytes found in steg'd ones. Try it! The graphs nearly scream 'STEG!!!' at you (because each consumer device will have some characteristic 'gap' or overloading in the range of possible values, or because of compression algorithms in the device, if they save to jpg or mpeg).

I'm still not claiming expertise, but if but my life depended on this stuff, I'd tend toward lower-tech: I'd hide the info somewhere boring and plausibly-deniable.

Re:Hmm... Actually

[uberdave]

Stenography is another word for shorthand.

The human "RNG" is flawed.

[SaberTaylor]

2 points:

1.) The Noosphere (the glass machine of ideas) is finite, albeit in weird ways. This means that like the discussion about Knuth progresses, authors tend to be strange attractors within the glass spheres, with wow pretty colors, look!

2.) In the Impire of Newtonian Reality, the flaws are what make the Imps fix what isn't broke. For example, if you have _ in a move-walk path, then an imp's algorithm will not make him avoid _.

What's interesting in a steganographic sense, is that for best results, that modules within the imp are not allowed to know that his move-walk algorithm is broken. So he keeps stepping in _. Which matures the modules that are being kept information-scarce by the force of nature.

Re:An easy way to hide information (PART 2)

[DJCF]

It was a mountable filesystem that stored files by posting on /. as AC. Example:

slashmount /mnt/slash
cp textdocument /mnt/slash/textdocument

File "textdocument" would then be broken up into chunks of maybe 2500 characters, posted on slashdot as AC on the first story on the main page, and the comment UID recorded.

vi /mnt/slash/textdocument
Would then retrieve each post using the previously stored comment UIDs, merge them together in order, and spit back your original text file.

Completely pointless, but I thought it was a cool idea.

Wow! I can hide my porn

[HermanAB]

in my porn!

Re:Hmm (cracked)

[waveclaw]

You've got a nicely steganographed "first post" there.

Yeah, well thanks to this article, I'm trying to find hidden information in the fortune cookie at the bottom of this very same article:

In /users3 did Kubla Kahn A stately pleasure dome decree, Where /bin, the sacred river ran Through Test Suites measureless to Man Down to a sunless C.

So far all I've got is that either puns on computing terms or directions to asassinate Bill Gates while he sunbathes by a middle-eastern riverbank during a total eclipse of the sun.

slashcode bug?

[ediron2]

Where the heck did 'reactionary: not exactly...' come from!? All I did was hit reply, and people above/below me in the thread got the re: Layered Implementation.

Wierd.

Stego in HTML by reordering attributes

[jasonjacks0n]

Those of you who find stego interesting might enjoy reading about one person's explorations of the topic on the Code Project site .. I found the idea of reordering HTML attributes to encode information especially inspired:

http://www.codeproject.com/csharp/steganodotnet13. asp

The same author has written a number of other stego-related articles, usually with C# code .. plus she's kinda cute. ;-)

Enjoy.