Steganography with Flickr
yiangocy writes "Steganography is not something new, there have been techniques and available programs for hiding data in pictures/audio files for a long time now. However, one step further is using popular online photo sharing sites, such as Flickr in hiding your data, successfully."
Nothing to see here. Please Move along.
Not exactly a new idea, governments have been paranoid of "Terrorists" using stego on places like eBay for triggers.
More interesting projects, though off topic slightly; a method of obscuring your network communications and resolving key issues with stego (though I think the project stopped)
http://www.m-o-o-t.org/
There are also much more interesting uses for stego: in files, HDD slack space, and this nice little project, 4c.
http://dione.ids.pl/~shykta/
4c (or fourcrypt) is a multiple-file steganography program inspired by Michal Zalewski's twocrypt (2c) program, designed to be "subpoena-proof". It supports mixing between one and eight files with independent keys. The files are architecture-independent (tested on x86 and UltraSparc).
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
I don't know what data people would have to hide and then share on a public photo site.
The only and best use I can think of for this would be for terrorists or other evildoers to communicate surreptitiously on the Internet. With the current state of affairs in the world, this is a very real and likely possibility.
I hope Flickr keeps their eyes open in case of any suspicious activity and reports it to the authorities.
Wouldn't it be a lot easier to send the images to a gmail account?
So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.
Flickr could probably detect the changes anyway. When you do stego on JPEGs you do it by altering the coefficients on the waveforms. The problem is these coefficients usually conform to a gaussian distribution and by packing so much data into the JPEG you're going to screw up that distribution.
To hide truly undetectable data in there is going to be difficult and the channel capacity won't be all too great. It's a clever idea but I'm against it. If you want storage, buy a web-hosting package and FTP it up to there.
Simon
That data is not necessarily secure, however; if someone were to decrypt one of the files and you didn't use encryption on it, your data would be their data. Also, perhaps there's something in the TOS for Flickr that says something about use of their site for purposes other than storage of images. I don't know, just a thought though...
Flickr (Yahoo!) supports bulk uploads - the whole process could be easily scripted, ditto gmail. So this issue is: who do you feel will be around for the long term? Heck - double up your backups and store data on gmail and Flickr.
Rich people are eccentric. Poor people are strange. Me, I'd be happy with odd.
Oh well, it's probably goatse now, you guys should just put (NSFW) after all wikipedia links.
This is an interesting article, but it has nothing to do with Flickr, except for the fact that instead of saving the images on a local device, this guy uploaded them to Flickr.
Yaaaawn, -1: misleading.
there's no place like ~
Steganography is the art of hiding a secret message, often within a picture or other medium. So, does reflectoporn count?
Also, if part of the point is simply to save non-image file types into a seemingly unlimited Flickr storage space, what happens if you simply change the file extension to something like filename.pdf.jpg and upload that? Does Flickr actually validate file contents?
Here's what I do: Bitty Browser & Andromeda
Saddam's Weapons of Mass Destruction have finally been found inside pictures! Call Fox STAT!
I've contained a hidden ASCII goatse image within this post.
A couple of years ago newspapers and network news showed the cabin layout of a 747 shown inside the Mona Lisa, supposedly used by terrorists. What surprised me was how little attention was paid to the fact that nobody was giving credit to Leonardo da Vinci for inventing the 747.
Woverly Harris Gooch, IV CTO American Fire and Bomb, LLC
I've not used Flickr myself but if it's like several other web based gallery systems I've known they all resize and resample the uploaded images to fixed sizes, the original file is then usually deleted. This means the data making up the image will have changed destroying the encrypted data.
What if someone else runs the data through stego to see if something is hidden? That way anybody can find the hidden data.
Ok, you can password protect it, but how good is stego in that? It gets really interesting to see if that is hackable.
My wife's sketchblog Blob[p]: Gastrono-me
Another similar technique is hiding messages so they look like spam: http://www.google.com/search?hl=en&lr=&q=hiding+messages+using+spam&btnG=Search
I've even read an article (can't find link right now) analyzing some samples of the actual spam and concluding that they were in fact used as an encrypted communication medium by spam originators.
The page hasn't been edited today at all.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Dinosaurs could write? And in code? Boy, they must have had one heck of an intelligent designer.
I know it's a huge pain to actually read the linked article, but it can prevent you from making yourself look foolish. From the article,
"I've tested uploading the 'guinness-steg.jpg' to Flickr and then downloading it again, and the embedded PDF file stays intact."
Ho-hum. There are much better ways to back up your data for $25 a year.
This is a general "this can be used by terrists!" freak-out. Well, you know, this is an awfully stupid and ineffective way to pass information -- something Bruce Schneier likes to call "movie plot" vulnerabilities. Why bother with steganography when there are much better means to pass encrypted data between two people? Like, I don't know, DCC'ing a file over IRC, or just plain sending an email? If you own both the sending and receiving servers, or use one of the infected army of the drones, there is a minuscule chance of your message even being observed in the ocean of the information that is the internet. Much less stupid than using a complex routine to hide data in an image, and then upload it to a central service like Flickr for all to see (it shows up immediately in the "recently uploaded" pool).
This is a fine idea for a movie plot, but utterly dumb for someone to actually try this. Thus, I assign the article a -1 Troll.
If you open yourself to the foo, You and foo become one.
stenography is easy.
I'm not sure I like the idea of offering up all my data to the public saying, "here, have a go at cracking this, you have the rest of your life to try - or wait for some undiscovered vuln". Especially when it seems so easy to check if a file is hidden in there (steghide info on 1000 jpegs?)
Now, if Flickr has something in their TOS about motivation for storing them...
"Our interests are to see if we can't scale it up to something more exciting," he said.
Flickr can have a simple solution to this: if they change a few random colour or other attributes on the uploaded pictures, they would render the stego worthless.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
This is an interesting story, but it has nothing to do with Iraq, except for the fact that instead of invading a different country, the US invaded Iraq.
Yaaaawn, -1: misleading.
Can you explain to me how "Flickr == remote file system" supposedly "has nothing to do with Flickr"? Or better yet, can you provide a hypothetical example of a story that WOULD have something to do with Flickr?
If you want to upload files for free, use http://www.gigashare.com/ or http://www.megaupload.com/. They are much faster than uploading modified pics to Flickr. Encrypt the file if you wish.
Attitudes make the difference between Space and Time: we want to MAX our temporal, and MIN our spatial extension.
"Honestly, though, I feel Flickr is an amazing service that I'd rather not see abused and lead to limit Pro account sizes."
Yes. I have just uploaded a photo of double penetration on the net open for everybody, but I don't want others to shag on it. Brilliant!
Yes, but would you want to upload pictures (stego or not) that are going to be modified by Flickr? If you are using Flickr as a backup and they modify the files, it is not exactly a great backup idea. I like my files to stay the way I uploaded them, and I am sure you would, too.
Somebody has the job of searching alt.binaries.pictures.erotica.blondes all day for steganographs. Nice work if you can get it.
Write Only Memory: Another pointless blog.
Not necessarily. The flipside of steganography is "digital watermarking," which is the same thing, except used for copyright enforcement. There has been a lot of work done in creating watermarks which aren't too noticeable, but which are resistant to resampling etc.
Some little naive decided to have fun with some of the words in the article. Oh how cute to insert the word penis, oh my god grow up already. As for wiki, do you really trust an info source that is so easily hacked?
Running it through a filter, jpeg->jpeg (at the same compression level) wouldn't lose much, except maybe exif data.
Flickr doesn't advertise itself as a file backup service.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Would be to zip all your files together, encrypt them, then share them on Kazaa as "hot XXX teen pporn pr0n tryout mother daughter incest dog sex sex sex.avi." You data will never be lost completely ;-)
another great photo sharing site
Warning: this novel is a demanding read. It is a higher-brow---and markedly dystopian---treatment of the same themes as Neal Stephenson's Cryptonomicon. In writing it, Mr. Scholz seems to have received considerable help from insiders at the national laboratories.
With luck, the following link to Google Print will show you a sample page that is reasonably representative of the entire book.
http://print.google.com/print?id=kVP7pIA9TYUC&pg=PA382&lpg=PA382&dq=steganography&prev=http://www.google.com/search%3Fclient%3Dsafari%26rls%3Den-us%26q%3DRadiance%26ie%3DUTF-8%26oe%3DUTF-8&sig=-uyML9jp9G4JsUZOCa59fPI6YpM
So bad guys can communicate through even more opaque channels. Woop-dee-doo.
The too-often referenced 9/11 attack was not a failure of signals intelligence. Secret services whose job it is to capture communications did their job in this regard.
Information was not translated and/or acted upon.
Getting more sigint will lead to a panopticon society, without actually resolving the fundamental problem of our lack of human intelligence.
Information: "I want to be anthropomorphized"
As well as your mom's.
Any suggestions for a usable steganography tool to reliably hide more than one message?
I seem to be able to do it with steghide (using small files), but there doesn't seem to be much documentation on that sort of thing for steghide (it's in the TODO though).
Example questions are: if an attacker is told (or finds) that there is one message, can the attacker figure out that there are more messages?
For example, given a naive algorithm, if error correction is used to improve robustness, 0 errors could mean that this is the only message OR the last message embedded. Whereas if there are errors, it _could_ mean the image has been altered after the message has been embedded - either because more messages were added or because of some other reason.
Whereas if you have a tool that's designed to add multiple messages with different passphrases, you might be able to have error correction AND still make it hard for the attacker to know how many messages are embedded.
Then again, maybe it's good steghide only supports one message officially. So what you do is you use steghide to put in a "throwaway" message AFTER embedding all your other messages (either with steghide or other programs). Don't forget to destroy the originals then.
That way if you really have to blab, blab about the throwaway message...
Maybe the best way to hide more than one message is to use a tool that's apparently designed to hide just one message. Heh.
would be to rename to the PDF from *.pdf to *.jpg. btw, jk.
After looking at millions of eBay images and USENET images for possible steg content, Niels Provos and Peter Honeyman found a grand total of ONE image with steg content "in the wild". That image was used by ABC News in a piece about.....steganography. Using Flickr represents no new threat vector. There really is nothing to see here. Oh, BTW, all the hip terrorists are Podcasting their stego. It's ueber-7eet!
Found another large collection of Flickr tools.
There is clearly going to be a tradeoff between the amount of data stored in a picture and its resistance to modifications to the image... e.g. if you just want to embed 20 bytes as a watermark, that can probably be a lot more change resistant than a 200,000 byte text file.
I thought stegonography was the measurement of the noble stegosaurus. That's not what stegonologists do?
You could use this to prove someone took your image and reposted it, possibly claiming it as his own. Personal and professional photographers and media outlets could really use this.
To-do List: Receive telemarketing call during a tornado warning. Check.
That is not how steganography works.
Steganography works by encoding data within visible pixels.
I ran the image through stegdetect and it came up with a "false positive". This utility detects images encoded with jsteg, jphide, invisible secrets, outguess, F5 (header analysis), AppendX, and Camouflage. Although steghide is not listed, I have found that false positives are shown with images that I know to have an embedded file.
I played around with steganography at one time and set up a script to create embedded images via the web using Outguess.
We've been doing photo sharing for a few years longer than Flickr, and had this problem for a while. We ended up writing some filters which score suspicious-looking jpeg files (things like image dimensions vs filesize for one).
;)
It wasn't uncommon for us to get a 200x200 jpeg which was about 10M in size, and find RAR headers in it. Given the volume of photos submitted it's a bit hard to scan everything but we score it and it works 99% of the time.
Of course, there's the pillocks who'll upload a photo called "winxp-sp2-cr4ck3d.r01.jpg", and oddly enough they're pretty easy to spot
Smegma.
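The upload filter described in the photo-sharing operator's comment above (image dimensions vs. file size, archive headers inside the JPEG), sketched as an added example; it is not that site's code or anything posted in the thread. The thresholds, weights, signature list and function names are assumptions, and the end-of-image search is simplified to the first FF D9 after the first scan header.

```python
import struct

# Container signatures to look for after the JPEG end marker (assumed list).
MAGICS = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"%PDF-": "pdf"}
SOF_MARKERS = {0xC0, 0xC1, 0xC2}   # baseline, extended, progressive frame headers

def parse_jpeg(data):
    """Walk the segments; return (width, height, offset just past EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, width, height = 2, 0, 0
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment at offset %d" % pos)
        marker = data[pos + 1]
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        if marker == 0xDA:   # start of scan: compressed data runs up to EOI
            end = data.find(b"\xff\xd9", pos + 2 + seglen)
            if end < 0 or not (width and height):
                raise ValueError("missing EOI marker or frame dimensions")
            return width, height, end + 2
        pos += 2 + seglen
    raise ValueError("no scan data found")

def score_upload(data, max_bytes_per_pixel=3.0, slack=16):
    """Return (score 0-100, reasons); thresholds are assumptions to tune."""
    try:
        width, height, end = parse_jpeg(data)
    except ValueError as exc:
        return 100, ["not a parseable JPEG: %s" % exc]
    score, reasons, trailing = 0, [], data[end:]
    # A JPEG bigger than its own uncompressed 24-bit raster carries extra bytes.
    if len(data) / (width * height) > max_bytes_per_pixel:
        score += 40
        reasons.append("%dx%d image is %d bytes" % (width, height, len(data)))
    if len(trailing) > slack:
        score += 30
        reasons.append("%d bytes after EOI" % len(trailing))
    for magic, name in MAGICS.items():
        if magic in trailing:
            score += 30
            reasons.append("%s signature after EOI" % name)
    return min(score, 100), reasons

def make_sample_jpeg(width, height, scan_bytes=2000):
    """Constructed input: valid segment structure, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sof0 + sos + b"\x55" * scan_bytes + b"\xff\xd9"

# Constructed sample: a 200x200 JPEG with an archive appended after the end marker.
STUFFED = make_sample_jpeg(200, 200) + b"Rar!\x1a\x07\x00" + b"\x00" * 200000
```

This only catches data appended to or wrapped around a JPEG and files that are not JPEGs at all; payloads embedded in the image coefficients, as steghide or Outguess do, leave the structure and size ratio intact and need statistical tools such as stegdetect.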
What about posting PGP messages to newsgroups?
Not exactly hidden, but pretty safe and has been going on for years.
Get your Unix fortune now!
"No Big deal", "No problems". We're living in trying times and exposure to technologies and hacks within them will require a massive task force to ward off the determined. So take them seriously!
Java Oracle Linux Enthusiast
How soon before someone embeds DeCSS or OT III in an image?
Just because it CAN be done, doesn't mean it should!
During WW-II, there were whole squadrons of knitters who tried knitting patterns submitted to newspaper knitting columns to check if the to-be-printed coded patterns were legitimate and were not coded messages...
What absolute rot. Give your source for this absurd suggestion. While it is true that the art of stenography has been in existence since Greek times (see Wikipedia article), the military and intelligence services had much more important things on their mind than searching every possible stenographic message coming into the country. That would just be impossible.
Congratulations, you made up a 'fact', and you will now be modded down to the oblivion you deserve.
Can't you people see it? Vinci = 20 in italian, and 11+9 = 20!
Where is that guy who'd die defending what I had to say when I need him?
New Text Document.txt.jpg was not uploaded: File was not a recognised type or was unable to be decoded (we only support JPEG, PNG, non-animated GIF, BMP and TIFF)
Trolls lurk everywhere. Mod them down.
About -2 years, I say.
Telnet is not part of the web, and gopher and FTP aren't really, either. They may be part of the Internet, but not part of the web.
I call bullshit; I'm using Firefox and the link worked fine after warning me it needed to launch an external app.
So what? I can bloat a file with no visible benefit? Been doing that for years.
Clippy: "It looks like you're trying to cram 24kb of text into a 3.2Mb
Don't trust anyone under thirty.
Lovely Firefox says telnet is not a registered protocol.
Good work Mozilla.org, your software doesn't even know what TELNET is.
Just take out support for everything but HTTP/1.1 and be done with it - you're already on that road, file urls don't work when clicked, gopher gives empty pages, telnet is unknown, just go whole hog, lose ftp, then anything but http, then version 0.9 (if you even support it), then 1.0 (since all the 31337 people use 1.1) then we can get on making it only work with Linux Apache sites...
An open web where everyone can participate?
Ha!
--
Just because it CAN be done, doesn't mean it should!