Slashdot Mirror
Secret Data: Steganography v Steganalysis
gManZboy writes "Two researchers in China has taken a look at the steganography vs. steganalysis arms race. Steganography (hiding data) has drawn more attention recently, as those concerned about information security have recognized that illicit use of the technique might become a threat (to companies or even states). Researchers have thus increased study of steganalysis, the detection of embedded information."
I think this is the way of the future with regards to encryption. You cant crack what you cant find.
This came out a long time ago with the idea of hiding child pornography in files containing what appeared to be pictures of art, or other benign picture files.
There was even an episode of Law and Order about this. Its nothing new, but I agree it does pose many questions about security. (Security through obscurity is really good if the level of obscurity is paramount.)
And they said zombies weren't real!
"illicit use [of steganography]"? I didn't realize encrypting stuff was illegal. Land of the free and all that.
[ home ]
Throw in a Stegosaurus and we've got a real Destroy All Monsters vibe going.
Run! It's Steganalysis!
3D Printing Tips and Tricks at Zheng3.com
But it's hidden
init 11 - for when you need that edge.
I thought the Steganalysis was extinct...that's public school education for you.
As if you can hide information in places that nobody would find, just doesn't seem like a plausible direction for security.
------
insert sig here,here, and here
Hide it on slashdot by posting at level 0. No one will think to look, and there's an unlimited storage potential.
I tinkered with this for a while. Start up gnucleus, do a search for *.jpg, and grab a bunch of files to scan. Not surprisingly, many of the images were porn (it's for research purposes, I swear!)
The biggest problems were 1. most (actually, all) of the images that came back as good candidates for having embedded images came back as false positives and 2. lack of a brute-force steg break utility.
number 2 is probably a result of poor searching on my part, but I honestly couldn't find a recent, (and free) tool that would do a brute force crack on embedded images. At the time (a few months back) I was using stegbreak and stegdetect.
So, is there anything better? anyone else have any luck?
There are some people that if they don't know, you can't tell 'em.
I can certainly see the use in espionage, hiding the real message in the static, as it were (Didn't a Tom Clancy book use this plot device? I think the message was sent in the connect noises for the modem). And NS's Baroque Cycle had some interesting steganographic bits in it (excessively long and boring letters about the nobility's obsession with fashion hiding an encrypted message for all to see). But on a day to day basis, I doubt this will affect most people.
Do not touch -Willie
Dear Friend , Your email address has been submitted .
to us indicating your interest in our newsletter
If you no longer wish to receive our publications simply
reply with a Subject: of "REMOVE" and you will immediately
be removed from our mailing list . This mail is being
sent in compliance with Senate bill 2116 , Title 3
; Section 304 ! This is different than anything else
you've seen . Why work for somebody else when you can
become rich within 56 MONTHS . Have you ever noticed
more people than ever are surfing the web and how long
the line-ups are at bank machines ! Well, now is your
chance to capitalize on this . We will help you decrease
perceived waiting time by 110% and SELL MORE . You
can begin at absolutely no cost to you . But don't
believe us ! Ms Simpson of Massachusetts tried us and
says "My only problem now is where to park all my cars"
! We are licensed to operate in all states ! We beseech
you - act now . Sign up a friend and your friend will
be rich too ! Thank-you for your serious consideration
of our offer !
SCO employee? Check out the bounty
I think thIs iS The way of the FutuRe
with regardS To encryPtiOn.
You've got a nicely steganographed "first post" there.
The suggestion is that if data is being hidden in the LSB of a photo then you can use statistical analysis to spot this anomoly.
The problem here seems to be that if you were to compress your hidden data prior to hiding it, then the data inserted would appear random and should thwart statistical analysis. You'd need some redundancy there if you intent to jpeg compress the image, but it might work.
I've toyed with the idea of hiding data in the vectors used in a mpeg file. Exploiting the nature of the compression algorithm rather than the source data.
actually this is a really good thing. not just on slashdot, but on other sites where you can search the documents for key words.
Heck, post as ac with a unique subject and post encrypted (gpg) ascii in multiple parts. the data will be here still next year or five (plausible) and you can retrieve it, and decrypt (assuming you have the public key or password if it's symmetric
I have done a small experiment in steganography using DCT coefficients and spread spectrum technique, spreading a 4 bit number in 4 high frequency coeficients in a DCT transformed image
It works pretty well.. but I did it in PHP+GD, so it's pretty slow...
if anyone is interested, I have a paper that describes the methods, the PSNR and everything else... you can reach me at my gmail server, under the dangil alias
I hide all my secret information in fake research papers on steganalysis. They never think to look there.
If I take a payload -- say a text file. If I compress the file, then encrypt the compressed data then finally hide it.
... and on and on...
Excecpt when I hide it I use the least significant bit of every n bytes where n is a 10 digit sequence.
[1,2,3,4,3,2,1,2,6,7]
the first source bit is stored in the lsb of the first image byte.
the second source bit is stored in the lsb of the [1+2] image byte.
the third source bit is stored in the lsb of the [1+2+3] image byte.
If the end of the image file is reached before the source file is embedded then wrap around and repeat using the second lest significant bit.
Using a unique noisy image source such as a crappy web cam taking a picture of a TV displaying white noise (to thwart a compressability test used for detecting images with hidden data), how could you detect this hidden message much less decode it without know specificaly how the algo works?
Because an encrypted stream is obviously hiding, it gives the attacker something to focus on. What a person might do instead with Steganography is embed encrypted information, so that the set of information is not only hard to detect in a field of dummy files, but that once the encrypted data is found one still has to decode it.
Reference [11] is for the F5 algorithm: Yet consider this paper: The abstract from Fridrich et al. says "... we present a steganalytic method that can reliably detect messages
So TFA article cites countermeasures from 2001, even though a method of defeating those countermeasures was published in 2002.
The above is just one example. Overall, TFA seems poor and out-of-date. This is a case where the F in "TFA" does not stand for "fine".
I'll put my money on the dinosaur
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Googlefight!
Steganography wins.
That doesn't serve the purpose of steganography, though. If someone is clued in to the possibility that you might be sending messages by posting them on Slashdot, it's fairly easy to check and find out that yes, in fact, you are sending messages. The idea behind steganography is not to make the message unrecoverable from the cover data, but to make it so that nobody detects that any communication is even going on.
I think that steg provides the opportunity to increase security of already existing crypto. Wouldn't it be plausable to take already encrypted data, and then hide it? Sure, it's not foolproof, but it's no worse than having the encrypted data sent as is.
At the same time however, it seems like steganography has some inherent flaws in it. That is to say, the more people use is, the quicker people will be able to determine patterns in the method. This would allow people/groups/countries/etc. to find the message faster. Doesn't sound like too reasonable of an idea.
Additionally....I'd be interested to see what DJB has to say about steganography...
Method: An image is built of bytes representing shades of colors. If you go through and change the least significant bit of each byte you can encode a message. Note: this is achieved without substantially changing the image.
Example: 10001000 becomes 10001001
Significance: If two people were to set up a system, like "go to site XYZ on every 3rd Friday and download the pic of the day," it would be nearly impossible to track them. An agent in the field checks the image, noting the value of the last bit of each byte. Stringing these values together he creates a message. Two individuals can communicate from across the world without anyone else suspecting.
This can be used for anything: 1) Terrorists coordinating timed attacks 2) Americans selling national security secrets to foreign powers. 3) Communication between intelligence community agents (ours or theirs).
Land of the free yes, but all three of the above uses are illegal.
Hiding ciphertext within pictures or sounds does not work. They are mathematical methods to detect that a picture or a sound contains encrypted data (unusual noise). There is currently only one steganographic method I am aware of that really works. It is hiding ciphertext within ciphertext. I know only of one open source and free program that realises this scheme: TrueCrypt. And here is how they do it.
"Two things inspire me to awe -- the starry heavens above and the moral universe within." - Albert Einstein
This reminds me of a concern that surfaced in the immediate wake of 9/11: that the bad guys were shunning traditional net-based communication (e-mail, forum/newsgroup postings, etc.) and might be using codes or signals embedded in images in common places (eBay, for example).
I seem to recall a distributed screen-saver type app that was being used to crunch through millions of hosted images. Not much to find online about this, but there are articles like this one at NewScientist.com suggesting that the effort was a washout. here are some more stats from a study that came up dry, but there always this reference to "first stenographic image in the wild" as reported by ABC back when.
Don't disappoint your bird dog. Go to the range.
The fact that this is happening in China suggests to me that this is being done on the behest of the socialist government, which is far more concerned about the threat of grass roots movements for freedom and democracy than anything else.
Make no mistake, the current chinese government may represent a "kindler, gentler" communist regime, but its mere existence is still a crime against humanity.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
hidden somewhere "in plain sight" in the code I turn in, is a program that actually works and has no bugs.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Using statistical methods, most steganography can be broken either now or in the near future if the steganalyst can spend a lot of time and computing resources on each candidate bit collection, and if you're hiding a lot of bits in each collection. The consequence: don't hide very many bits, and widen the search space by hiding your trees in a forest of significant size, so that the amount of CPU the analyst can use on any particular tree is low.
Key exchange is a great candidate for steganography. And to make sure the population of innocuous bit collections around yours is high, find a place where a lot of people around you are dealing in large quantities of bits: music collections at a university, or spam messages on an e-mail relay.
You can actually say a lot in plaintext without actually saying openly what you mean. Aleister Crowley was a master at this. The way this works is you talk directly to those who know the context in which you are speaking and it all just looks like mere verbiage to anyone not familiar with your topic. Or you refer to your predicates in such a way that the casual observer can't tell what your final conclusion refers to. This is not steganography per se, but goes to the origins of the concept. I have done this myself and it allows you to say things you wouldn't dare say outright for fear of retribution from certain third parties.
"Is this Winkhorst a nova criminal?" "No just a technical sergeant wanted for interrogation."
What strikes me as most curious is that the current debate about steganography is in itself an exercise in steganography--at least, in the sense of hiding important information in plain sight. Through the use of technical-sounding words, concerned parties manage to conceal what seems to be a genuinely frightening disrespect of the freedom of information.
Simply take "steganography" out of the equation. It's easy to scare the masses by using intimidating neologisms. But steganography is simply a manner to transmit information privately. So let's recast the sentence, "...illicit use of the technique might become a threat to the security of the worldwide information infrastructure." Let's simply say, "Individuals attempting to keep their private information private might become a threat to the security of the worldwide information infrastructure."
What used to be a preferred method for sending private information to a friend? The mail? Didn't we used to have a respect for the privacy of letters we sent via post? So how come no one said, "Sealing envelopes might become a threat to the security of the worldwide information infrastructure"?
What's being steganographically hidden in this debate is the reality that these days, quite a few people--many of them in power--simply no longer believe that a person has any right to private or personal information. Why would a technology such as this arise in the first place? Because we know that the first anthrax envelope made the private post public for everyone? Because we know our e-mail can be read, our servers can be hacked, our telephone calls recorded and our houses ransacked simply because fear of terrorists convinced us to sign over our civil liberties as if we no longer desired them?
This technology arose because some people realized that they were losing any pretense at privacy they might have had, and so were motivated to develop tools to maintain it. And now, we take the new word "steganography" and talk about how dangerous it is... perhaps because we're trying to conceal inside the hidden message that all privacy is dangerous, that anything you do, say or think should always be subject to review by the appropriate authorities.
What he wants is more important that what I want. What he wants is also more important that what you want.
You'll have to forgive me, I'm not the greatest cryptographer in the world. But let's say that Joe Shmoe takes a picture with his cheap 8-megapixel camera, with a very high ISO setting for lots of noise. Now, that's roughly 192 megabits of information.
Suppose he needs to encode a 1 kilobit message. that means that there's going to be one bit of signal for every 192 kilobits of image. Now, say he does the encoding to merely appear like more noise in the already noisy image.
Given that low of a signal-to-noise ratio, I really don't see how you could detect the message unless you had prior knowledge of the algorithm or locations.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
What's the message that's hidden in your post? :-)
Time flies like an arrow. Fruit flies like a banana.
If the govt found you sending plain text explanations of your terrorist plans, would they take it seriously or pass you off as a nut who's too incompetent to hide themselves?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
... and so's your mother! Sheesh, you thought I wouldn't catch that insult buried in your text?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
You've got a nicely steganographed "first post" there.
/users3 did Kubla Kahn A stately pleasure dome decree, Where /bin, the sacred river ran Through Test Suites measureless to Man Down to a sunless C.
Yeah, well thanks to this article, I'm trying to find hidden information in the fortune cookie at the bottom of this very same article:
In
So far all I've got is that either puns on computing terms or directions to asassinate Bill Gates while he sunbathes by a middle-eastern riverbank during a total eclipse of the sun.
"You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."