Steganography with Flickr
yiangocy writes "Steganography is not something new, there have been techniques and available programs for hiding data in pictures/audio files for a long time now. However, one step further is using popular online photo sharing sites, such as Flickr in hiding your data, successfully."
Nothing to see here. Please Move along.
Not exactly a new idea, governments have been paranoid of "Terrorists" using stego on places like ebay for triggers.
More interesting projects, though off topic slightly; a method of obscuring your network communications and resolving key issues with stego (though I think the project stopped)
http://www.m-o-o-t.org/
There are also much more interesting uses for stego in files, hdd slack space and this nice little project 4c.
http://dione.ids.pl/~shykta/
4c (or fourcrypt) is a multiple-file steganography program inspired by Michal Zalewski's twocrypt (2c) program, designed to be "subpoena-proof". It supports mixing between one and eight files with independent keys. The files are architecture-independent (tested on x86 and UltraSparc).
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Wouldn't it be a lot easier to send the images to a gmail account?
--
Dreamhost superb hosting.
Kunowalls!!! Random sexy wallpapers.
Hosting 20G hd, 1Tb bw! ssh $7.95
So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.
Flickr could probably detect the changes anyway. When you do stego on Jpegs you do it by altering the coefficients on the waveforms. The problem is these coefficients usually conform to a gaussian distribution and by packing so much data into the jpeg you're going to screw up that distribution.
To hide truly undetectable data in there is going to be difficult and the channel capacity won't be all too great. It's a clever idea but I'm against it. If you want storage, buy a web-hosting package and FTP it up to there.
Simon
That data is not necessarily secure, however; if someone were to decrypt one of the files and you didn't use encryption on it, your data would be their data. Also, perhaps there's something in the TOS for Flickr that says something about use of their site for purposes other than storage of images. I don't know, just a thought though...
Flickr (Yahoo!) supports bulk uploads - the whole process could be easily scripted, ditto gmail. So this issue is: who do you feel will be around for the long term? Heck - double up your backups and store data on gmail and Flickr.
Rich people are eccentric. Poor people are strange. Me, I'd be happy with odd.
owell, its probably goatse now, you guys should just put (NSFW) after all wikipedia links.
This is an interesting article, but it has nothing to do with Flickr, except for the fact that instead of saving the images on a local device, this guy uploaded them to Flickr.
Yaaaawn, -1: misleading.
there's no place like ~
What should and will happen is that the millions of pairs of eyes browsing Flickr may notice something odd and they should "report it" (to whom is another question - I can't see my local PD being the slightest bit interested in "a cute looking dog that may contain encrypted data that may be plans for a terrorist attack").
Rich people are eccentric. Poor people are strange. Me, I'd be happy with odd.
Are you Republican or just one of the huddled masses that buys into the "everything is a terrorist plot against us" bullshit? For Pete's sake, please give up on all this fear mongering. We have agencies (however good or bad) to deal with those threats -- if they fail to detect terrorist activity, you certainly never will and it won't matter if they use stenography or post-it notes.
For once, "Anonymous Coward" is very fitting!
Seriously, do you want to live the rest of your life in a cardboard box because it's the only "technology" the terrorists can't co-opt? If so, then to use a cliche - the terrorist will have won.
Stop being a "terrorism curmudgeon" and realize that everything from a table knife to a disposable camera can be co-opted for wrongdoing in certain hands. If you would have no problem with a technology in a world without terrorism, then don't have a problem with it in this one.
Also, if part of the point is simply to save non-image file types into a seemingly unlimited Flickr storage space, what happens if you simply change the file extension to something like filename.pdf.jpg and upload that? Does Flickr actually validate file contents?
Here's what I do: Bitty Browser & Andromeda
Saddam's Weapons of Mass Destruction have finally been found inside pictures! Call Fox STAT!
A couple of years ago newspapers and network news showed the cabin layout of a 747 shown inside the Mona Lisa, supposedly used by terrorists. What surprised me was how little attention was paid to the fact that nobody was giving credit to Leonardo da Vinci for inventing the 747.
Woverly Harris Gooch, IV CTO American Fire and Bomb, LLC
Except for the fact that Flickr allows you to download the original image as well as a variety of resampled/resized versions...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
You should probably try out Flickr then. They allow you to download the original size images.
http://www.flickr.com/help/photos/#89
Actually, this is just another step towards proving that information wants to be free. If enough accounts embed enough bogus files into enough places, who's to stop any of this? you can hide information in images, code, etc - zillions of file formats.
And in fact, this is what people said about any public access to data storage. The internet is full of enough buckets to hide stuff - and those buckets are dynamic enough - that no single agency or entity is going to find all of it.
The best way to combat "evildoers" should be preventing their physical acts, just like we don't prevent hate speech until it converts to (certain) actions. Otherwise you're on a very slippery slope about what cannot be communicated, and I'd like to see us err on the side of free speech, completely free.
Another similar technique is hiding messages so they look like spam: http://www.google.com/search?hl=en&lr=&q=hiding+messages+using+spam&btnG=Search
I've even read an article (can't find link right now) analyzing some samples of the actual spam and concluding that they were in fact used as an encrypted communication medium by spam originators.
The page hasn't been edited today at all.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Dinosaurs could write? And in code? Boy, they must have had one heck of an intelligent designer.
Ho-hum. There are much better ways to back up your data for $25 a year.
This is a general "this can be used by terrists!" freak-out. Well, you know, this is an awfully stupid and ineffective way to pass information -- something Bruce Schneier likes to call "movie plot" vulnerabilities. Why bother with steganography when there are much better means to pass encrypted data between two people? Like, I don't know, DCC'ing a file over IRC, or just plain sending an email? If you own both the sending and receiving servers, or use one of the infected army of the drones, there is a minuscule chance of your message even being observed in the ocean of the information that is the internet. Much less stupid than using a complex routine to hide data in an image, and then upload it to a central service like Flickr for all to see (it shows up immediately in the "recently uploaded" pool).
This is a fine idea for a movie plot, but utterly dumb for someone to actually try this. Thus, I assign the article a -1 Troll.
If you open yourself to the foo, You and foo become one.
stenography is easy.
Why you are right there is NO legitimate use for this.
Only terrorists would use it to get information out like proof that GW bush knew there was no WMD's. or a secret Oval office taping that has "... I don't care the cost in american lives, I need to get saddam for daddy! You do not disrespect a bush! and he said bad things about my mommy..." or maybe those secret laws that are passed that you can not even be told about... Yes only TERRORISTS would get that information out so that the populace knew the truth...
As we all know the truth only supports terrorism! Be a good american! Join the Bush youth league! Report all unamerican activities to your local Homeland Security officer!
All hail bush! All hail bush!
A free mind is a dangerous mind!
posting anon to avoid being turned in for unamerican thought.
I'm not sure I like the idea of offering up all my data to the public saying, "here, have a go at cracking this, you have the rest of your life to try - or wait for some undiscovered vuln". Especially when it seems so easy to check if a file is hidden in there (steghide info on 1000 jpegs?)
Now, if Flickr has something in their TOS about motivation for storing them...
"Our interests are to see if we can't scale it up to something more exciting," he said.
Flickr can have a simple solution to this, If they change a few random colour or other attributes on the uploaded pictures they would render the stego. worthless.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
too bad im outta mod points
I have mod points and I am not afraid to use them.
If you want to upload files for free, use http://www.gigashare.com/ or http://www.megaupload.com/. They are much faster than uploading modified pics to Flickr. Encrypt the file if you wish.
Attitudes make the difference between Space and Time: we want to MAX our temporal, and MIN our spatial extension.
What if someone else runs the data through stego to see if something is hidden. That way anybody can find the hidden data.
Programs like Steghide (the one used in the article) need the correct passphrase to even detect the existence of hidden data. Enter a wrong passphrase, and Steghide will tell you there is no embedded data.
Yes, but would you want to upload pictures (stego or not) that are going to be modified by Flickr? If you are using Flickr as a backup and they modify the files, it is not exactly a great backup idea. I like my files to stay the way I uploaded them, and I am sure you would, too.
http://www.reflectoporn.com/
Somebody has the job of searching alt.binaries.pictures.erotica.blondes all day for steganographs. Nice work if you can get it.
Write Only Memory: Another pointless blog.
Not necessarily. The flipside of steganography is "digital watermarking," which is the same thing, except used for copyright enforcement. There has been a lot of work done in creating watermarks which aren't too noticeable, but which are resistant to resampling etc.
Some little naive decided to have fun with some of the words in the article. Oh how cute to insert the word penis, oh my god grow up already. As for wiki, do you really trust an info source that is so easily hacked?
Running it through a filter, jpeg->jpeg (at the same compression level) wouldn't lose much, except maybe exif data.
Flickr doesn't advertise itself as a file backup service.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Would be to zip all your files together, encrypt them, then share them on Kazaa as "hot XXX teen pporn pr0n tryout mother daughter incest dog sex sex sex.avi." Your data will never be lost completely ;-)
Warning: this novel is a demanding read. It is a higher-brow---and markedly dystopian---treatment of the same themes as Neal Stephenson's Cryptonomicon. In writing it, Mr. Scholz seems to have received considerable help from insiders at the national laboratories.
With luck, the following link to Google Print will show you a sample page that is reasonably representative of the entire book.
http://print.google.com/print?id=kVP7pIA9TYUC&pg=PA382&lpg=PA382&dq=steganography&prev=http://www.google.com/search%3Fclient%3Dsafari%26rls%3Den-us%26q%3DRadiance%26ie%3DUTF-8%26oe%3DUTF-8&sig=-uyML9jp9G4JsUZOCa59fPI6YpM
So bad guys can communicate through even more opaque channels. Woop-dee-doo.
The too-often referenced 9/11 attack was not a failure of signals intelligence. Secret services whose job it is to capture communications did their job in this regard.
Information was not translated and/or acted upon.
Getting more sigint will lead to a panopticon society, without actually resolving the fundamental problem of our lack of human intelligence.
Information: "I want to be anthropomorphized"
After looking at millions of EBay images and USENET images for possible steg content, Niels Provos and Peter Honeyman found a grand total of ONE image with steg content "in the wild". That image was used by ABC News in a piece about.....steganography. Using Flickr represents no new threat vector. There really is nothing to see here. Oh, BTW, all the hip terrorists are Podcasting their stego. It's ueber-7eet!
Same with Photobucket free. As of about 6 months ago you could upload any file and it wouldn't be resampled unless it exceeded 250kB. I never actually did a binary comparison to test if it was exactly the same though.
Obviously you could get bigger photo sizes with paid accounts, and obviously it created a lot of resampled (downsized) products too. You could always get the full size one though.
Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
You could use this to prove someone took your image and reposted it, possibly claiming it as his own. Personal and professional photographers and media outlets could really use this.
To-do List: Receive telemarketing call during a tornado warning. Check.
That is not how steganography works.
Steganography works by encoding data within visible pixels.
I ran the image through stegdetect and it came up with a "false positive". This utility detects images encoded with jsteg, jphide, invisible secrets, outguess, F5 (header analysis), AppendX, and Camouflage. Although steghide is not listed, I have found that false positives are shown with images that I know to have an embedded file.
I played around with steganography at one time and set up a script to create embed images via the web using Outguess
We've been doing photo sharing for a few years longer than Flickr, and had this problem for a while. We ended up writing some filters which score suspicious-looking jpeg files (things like image dimensions vs filesize for one).
;)
It wasn't uncommon for us to get a 200x200 jpeg which was about 10M in size, and find RAR headers in it. Given the volume of photos submitted it's a bit hard to scan everything but we score it and it works 99% of the time.
Of course, there's the pillocks who'll upload a photo called "winxp-sp2-cr4ck3d.r01.jpg", and oddly enough they're pretty easy to spot
Smegma.
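The kind of upload filter described in the comment above (image dimensions versus file size, archive headers found inside a JPEG), sketched as an added example that is not the commenter's or any photo site's actual code. The weights, the 1024-byte trailer allowance and all function names are assumptions, and the sample bytes are constructed.

```python
import re, struct

# Archive signatures looked for in bytes that follow the JPEG end-of-image marker.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}
NEXT_MARKER = re.compile(rb"\xff[^\x00\xd0-\xd7]")  # skips stuffed FF00 and RSTn in scan data

def parse_jpeg(data):
    """Walk the JPEG markers; return (width, height, offset just past EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    pos, width, height = 2, 0, 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI: the image ends here
            return width, height, pos + 2
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD7:  # fill byte / no length field
            pos += 1 if marker == 0xFF else 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker in (0xC0, 0xC1, 0xC2):                  # SOF0/1/2 carry the frame size
            height, width = (int.from_bytes(data[pos + o:pos + o + 2], "big") for o in (5, 7))
        pos += 2 + length
        if marker == 0xDA:                                # SOS: jump over entropy-coded data
            hit = NEXT_MARKER.search(data, pos)
            pos = hit.start() if hit else len(data)
    raise ValueError("no EOI marker: truncated or not a JPEG")

def score_upload(data, max_trailer=1024):
    """Return (score, reasons); higher is more suspicious. Weights are assumptions."""
    width, height, end = parse_jpeg(data)
    trailer, hits = data[end:], []
    if len(trailer) > max_trailer:
        hits.append((2, "%d bytes after EOI" % len(trailer)))
    for magic, name in ARCHIVE_MAGIC.items():
        if magic in trailer:
            hits.append((3, "%s signature after EOI" % name))
    # Raw 24-bit RGB is 3 bytes per pixel; a JPEG bigger than that holds more than a picture.
    if width and height and len(data) > 3 * width * height:
        hits.append((1, "file larger than its raw bitmap"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def make_sample(width, height, trailer=b""):
    """Constructed JPEG skeleton: valid marker layout, not a decodable picture."""
    sof = struct.pack(">BBHBHHB", 0xFF, 0xC0, 17, 8, height, width, 3) + bytes([1, 0x11, 0, 2, 0x11, 0, 3, 0x11, 0])
    sos = b"\xff\xda" + struct.pack(">HB", 12, 3) + bytes([1, 0, 2, 0x11, 3, 0x11, 0, 0x3F, 0])
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"            # includes a stuffed FF00 and an RST0
    return b"\xff\xd8" + sof + sos + scan + b"\xff\xd9" + trailer
```

A file that is not a JPEG at all fails in `parse_jpeg` whatever its extension says. This filter only catches data appended to or bloating a file; it says nothing about payloads embedded in the image coefficients themselves.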
What about posting PGP messages to newsgroups?
Not exactly hidden, but pretty safe and has been going on for years.
Get your Unix fortune now!
How soon before someone embeds DeCSS or OT III in an image?
Just because it CAN be done, doesn't mean it should!
BTW, it is possible to create a file consisting of two encrypted messages, with two keys, interleaved such that you can retrieve the one or the other. If the one message is innocent and the other not, then you can give the Police the innocent key and the other message remains deniable. This is described in Applied Cryptography.
Oh well, what the hell...
Can't you people see it? Vinci = 20 in italian, and 11+9 = 20!
Where is that guy who'd die defending what I had to say when I need him?
New Text Document.txt.jpg was not uploaded: File was not a recognised type or was unable to be decoded (we only support JPEG, PNG, non-animated GIF, BMP and TIFF)
Trolls lurk everywhere. Mod them down.
In other news, the war in East Asia has nearly come to a conclusion.
Well to be fair he did say they "tried".
What I'm worried about are parks. People there can easily hold conversations at such a distance from other people that no one can hear what information they are exchanging.
The only and best use I can think of for that would be for paranoid right-wingers planning to take away all my freedoms in a futile attempt to soothe their own fear, when in fact of course they by so doing will only feed it. Given the current climate I'd say this is pretty much happening for sure.
I hope park wardens are keeping an eye out and reporting any suspiciously paranoid conversations to the authorities.
sudo ergo sum
However, relations with Eurasia have ground to a halt due to the assassination of Oceania's ambassador.
The road to hell is paved with good intentions.
So what? I can bloat a file with no visible benefit? Been doing that for years.
Clippy: "It looks like you're trying to cram 24kb of text into a 3.2Mb
Don't trust anyone under thirty.
Not 100% correct, you can use a program called StegDetect which will give a probability of hidden data in a file, this has been very useful for me in the past
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks