Slashdot Mirror


Steganography with Flickr

yiangocy writes "Steganography is not something new, there have been techniques and available programs for hiding data in pictures/audio files for a long time now. However, one step further is using popular online photo sharing sites, such as Flickr in hiding your data, successfully."

32 of 126 comments

  1. Never a more apt Message by hawkeye_82 · · Score: 5, Funny

    Nothing to see here. Please Move along.

  2. not very groundbreaking by towaz · · Score: 5, Interesting

    Not exactly a new idea, governments have been paranoid of "Terrorists" using stego on places like ebay for triggers.

    More interesting projects, though off topic slightly; a method of obscuring your network communications and resolving key issues with stego (though I think the project stopped)
      http://www.m-o-o-t.org/

    There are also much more interesting uses for stego. in files, hdd slack space and this nice little project 4c.

    http://dione.ids.pl/~shykta/

    4c (or fourcrypt) is a multiple-file steganography program inspired by Michal Zalewski's twocrypt (2c) program, designed to be "subpoena-proof". It supports mixing between one and eight files with independent keys. The files are architecture-independent (tested on x86 and UltraSparc).

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
    1. Re:not very groundbreaking by Pig+Hogger · · Score: 4, Interesting
      Not exactly a new idea, governments have been paranoid of "Terrorists" using stego on places like ebay for triggers.
      It was even before e-bay... During WW-II, there were whole squadrons of knitters who tried knitting patterns submitted to newspaper knitting columns to check if the to-be-printed coded patterns were legitimate and were not coded messages...

      How many messages to dormant agents were sent though classified ads like "purple sofa, $145"???

    2. Re:not very groundbreaking by towaz · · Score: 3, Interesting

      Actually even before that :)

      using wax tablets in greece.

      http://www.jjtc.com/stegdoc/sec202.html

      "In ancient Greece, text was written on wax covered tablets. In one story Demeratus wanted to notify Sparta that Xerxes intended to invade Greece. To avoid capture, he scraped the wax off of the tablets and wrote a message on the underlying wood. He then covered the tablets with wax again. The tablets appeared to be blank and unused so they passed inspection by sentries without question."

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
  3. I'm against this by Ckwop · · Score: 2, Interesting

    So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.

    Flickr could probably detect the changes anyway. When you do stego on JPEGs you do it by altering the coefficients on the waveforms. The problem is these coefficients usually conform to a Gaussian distribution and by packing so much data into the JPEG you're going to screw up that distribution.

    To hide truly undetectable data in there is going to be difficult and the channel capacity won't be all too great. It's a clever idea but I'm against it. If you want storage, buy a web-hosting package and FTP it up to there.

    Simon
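
Added example, not part of the original thread: a pure-Python sketch of the kind of histogram check the comment above describes, using the classic pairs-of-values chi-square test. The Gaussian cover model follows the comment's claim; the function names, sample sizes and the `max_ratio=3.0` threshold are assumptions made for illustration.

```python
import random
from collections import Counter

def sample_coefficients(n, rng, sigma=3.0):
    """Constructed cover data: rounded Gaussian integers standing in for
    quantised JPEG coefficients (the distribution is the comment's claim)."""
    return [round(rng.gauss(0, sigma)) for _ in range(n)]

def lsb_replace(values, fraction, rng):
    """Constructed stego sample: overwrite the LSB of the first `fraction`
    of values with random bits, which is how encrypted payload bits look."""
    cut = int(len(values) * fraction)
    return [(v & ~1) | rng.getrandbits(1) for v in values[:cut]] + values[cut:]

def pair_chi2(values, min_expected=5.0):
    """Chi-square statistic over value pairs (2k, 2k+1), plus the pair count.

    LSB replacement pulls the two counts in each pair toward their mean, so
    the statistic collapses to roughly one per pair; natural data, whose
    histogram slopes across each pair, scores far higher.
    """
    hist = Counter(values)
    chi2, pairs = 0.0, 0
    for even in {v & ~1 for v in hist}:          # even member names the pair
        expected = (hist[even] + hist[even + 1]) / 2
        if expected < min_expected:              # sparse tails are too noisy
            continue
        # Both members deviate from the mean by the same amount, hence 2x.
        chi2 += 2 * (hist[even] - expected) ** 2 / expected
        pairs += 1
    return chi2, pairs

def looks_embedded(values, max_ratio=3.0):
    """Flag a sample whose chi-square per pair is near 1 (assumed threshold)."""
    chi2, pairs = pair_chi2(values)
    return pairs > 0 and chi2 / pairs < max_ratio

if __name__ == "__main__":
    rng = random.Random(2005)
    clean = sample_coefficients(50_000, rng)
    samples = [("clean", clean),
               ("100% embedded", lsb_replace(clean, 1.0, rng)),
               ("50% embedded", lsb_replace(clean, 0.5, rng))]
    for label, data in samples:
        chi2, pairs = pair_chi2(data)
        print(f"{label:14s} chi2/pair={chi2 / pairs:8.1f} "
              f"flagged={looks_embedded(data)}")
```

A whole-file test only flags a sample that is close to fully embedded; running `looks_embedded` on growing prefixes is how a checker catches payloads written sequentially from the start of the file.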

    1. Re:I'm against this by LiquidCoooled · · Score: 5, Funny

      Post Removed

      I'm Sorry, the posting you just made is against the Slashdot posting terms.
      We believe you are a terrorist trying to hide data within your non-conformist post text.

      After a detailed analysis of the contents of your posting, the waveform coefficients do not conform to standard slashdot thinking, more precisely, your posting failed to contain the phrases "first post", "in soviet russia" or "hot grits".

      Please remove the hidden message and try again.

      --
      liqbase :: faster than paper
    2. Re:I'm against this by Ckwop · · Score: 5, Informative

      Rather than worry about trying to detect steganography, any image posting service could just arbitrarily set all of the least significant bits of jpgs to "1" as part of the image posting process. It might slightly degrade the image, but it would also erase any potential encoded messages.

      Not really, the best stego packages use error correcting codes to help mitigate this kind of attack. Some stego packages don't work by using the LSB but by swapping adjacent pixels. The cleaning of the LSB would have no real impact on this type of stego.

      Simon

    3. Re:I'm against this by chronicon · · Score: 2, Informative
      So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.

      Why would this be immoral? There has been a lot of noise about possibly violating the TOS but has anyone actually bothered reading them? (There are two, one for pre-Yahoo! accounts and one for Flickr after acquisition by Yahoo!--which everyone will be required to abide in 2006.)

      Both TOS say pretty much the same thing. You are responsible for your images, and don't upload destructive code. Don't help terrorists. Don't break copyright law (or other laws)...

      As a 'digital artist' wouldn't you expect to be allowed to manipulate your work in whatever ways you saw fit before uploading--obviously, subtly, or non-obviously?

      I don't have any strong opinion on the matter. The only thing I might be interested in is GPG encrypting my password list and then embedding it in an image with steganography, in case I ever lost it. Mass data storage? No.

      Immoral? No, not in general. Not IMO. But, if you are using it to break the law or harm society, then yes.

      ...you, and not Yahoo!, are entirely responsible for all Content that you upload, post, email, transmit or otherwise make available via the Service. Yahoo! does not control the Content posted via the Service and, as such, does not guarantee the accuracy, integrity or quality of such Content.
  4. again? by thegoogler · · Score: 3, Informative
    you guys linked another wikipedia article on the front page without notifying them so that it could be locked

    oh well, it's probably goatse now, you guys should just put (NSFW) after all wikipedia links.

    1. Re:again? by imsabbel · · Score: 3, Insightful

      Yeah yeah.
      Besides the usual trolling, there is some truth in the parent.

      Maybe just put a link to the (then current) revision, and not to the general article? That way, everybody will get the same article that existed before the ./ story went online.

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  5. nothing to do with Flickr by Petronius · · Score: 4, Insightful

    This is an interesting article, but it has nothing to do with Flickr, except for the fact that instead of saving the images on a local device, this guy uploaded them to Flickr.
    Yaaaawn, -1: misleading.

    --
    there's no place like ~
  6. Re:Gmail? by Gudlyf · · Score: 2, Informative

    Easier? Sure, but a Flickr Pro account has unlimited storage.

    --
    Trolls lurk everywhere. Mod them down.
  7. Shifting types & saving content to a remote se by turnstyle · · Score: 4, Interesting
    Seems the blog post is partly about saving one file type within other, which reminds me of Baudio, a goofy script I made that converts any file to a .WAV

    Also, if part of the point is simply to save non-image file types into a seemingly unlimited Flickr storage space, what happens if you simply change the file extension to something like filename.pdf.jpg and upload that? Does Flickr actually validate file contents?

    --
    Here's what I do: Bitty Browser & Andromeda
  8. So THAT'S where the WMD are... by Anonymous Coward · · Score: 5, Funny

    Saddam's Weapons of Mass Destruction have finally been found inside pictures! Call Fox STAT!

  9. steganography in Mona Lisa by woverly · · Score: 5, Funny

    A couple of years ago newspapers and network news showed the cabin layout of a 747 shown inside the Mona Lisa, supposedly used by terrorists. What surprised me was how little attention was paid to the fact that nobody was giving credit to Leonardo da Vinci for inventing the 747.

    --
    Woverly Harris Gooch, IV CTO American Fire and Bomb, LLC
  10. Re:Probably won't work by FS · · Score: 2, Informative

    You should probably try out Flickr then. They allow you to download the original size images.

    http://www.flickr.com/help/photos/#89

  11. Hiding in the spam by S3D · · Score: 3, Insightful

    Another similar technique is hiding messages so it looks like spam http://www.google.com/search?hl=en&lr=&q=hiding+messages+using+spam&btnG=Search I've even read an article (can't find link right now) analyzing some samples of the actual spam and concluding that they are in fact used as an encrypted communication medium by spam originators.

  12. Re:Gmail? by TheRaven64 · · Score: 2, Informative

    No. Sending to a gmail account is directed. If the receiver or sender is compromised then they can quite intercept the message. It may take them a while to decrypt it, but since they already know it's there then it's possible. Even if an attacker does not understand the message, they gain information from the timing of it and the recipient. Posting to a flickr account means that it is impossible to track the recipient. Posting a random picture every day, eventually including a message, means that it is very difficult for an attacker to get any information.

    --
    I am TheRaven on Soylent News
  13. Movie Plot Vulnerability by Mr_Icon · · Score: 4, Insightful

    Ho-hum. There are much better ways to back up your data for $25 a year.

    This is a general "this can be used by terrists!" freak-out. Well, you know, this is an awfully stupid and ineffective way to pass information -- something Bruce Schneier likes to call "movie plot" vulnerabilities. Why bother with steganography when there are much better means to pass encrypted data between two people? Like, I don't know, DCC'ing a file over IRC, or just plain sending an email? If you own both the sending and receiving servers, or use one of the infected army of the drones, there is a miniscule chance of your message even being observed in the ocean of the information that is the internet. Much less stupid than using a complex routine to hide data in an image, and then upload it to a central service like Flickr for all to see (it shows up immediately in the "recently uploaded" pool).

    This is a fine idea for a movie plot, but utterly dumb for someone to actually try this. Thus, I assign the article a -1 Troll.

    --
    If you open yourself to the foo, You and foo become one.
    1. Re:Movie Plot Vulnerability by Incadenza · · Score: 2, Interesting

      If you own both the sending and receiving servers, or use one of the infected army of the drones, there is a miniscule chance of your message even being observed in the ocean of the information that is the internet.

      Notice the word 'if'. If you *do not* own both the sending and receiving servers the story is different. For instance if you do not know where your agents are, who they are or when they are on line. The GIA once used an open for all mailing list (or was it usenet?) on football to send orders from Algeria to Paris. There is so much nonsense on these lists (and on Flickr too) that some odd remarks do not catch any attention - except by the one waiting for the message.

  14. Re:Oh Great by Anonymous Coward · · Score: 2, Funny

    Why you are right there is NO legitimate use for this.

    Only terrorists would use it to get information out like proof that GW bush knew there was no WMD's. or a secret Oval office taping that has "... I don't care the cost in american lives, I need to get saddam for daddy! You do not disrespect a bush! and he said bad things about my mommy..." or maybe those secret laws that are passed that you can not even be told about... Yes only TERRORISTS would get that information out so that the populace knew the truth...

    as we all know the truth only supports terrorism! Be a good american! Join the Bush youth league! Report all unamerican activities to your local Homeland Security officer!

    All hail bush! All hail bush!

    A free mind is a dangerous mind!

    posting anon to avoid being turned in for unamerican thought.

  15. Re:Shifting types & saving content to a remote by towaz · · Score: 2, Interesting

    Flickr can have a simple solution to this, If they change a few random colour or other attributes on the uploaded pictures they would render the stego. worthless.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
  16. Re:Shifting types & saving content to a remote by Penguin+Follower · · Score: 2, Informative

    Yes, but would you want to upload pictures (stego or not) that are going to be modified by Flickr? If you are using Flickr as a backup and they modify the files, it is not exactly a great backup idea. I like my files to stay the way I uploaded them, and I am sure you would, too.

  17. Re:Shifting types & saving content to a remote by timeOday · · Score: 3, Informative

    Not necessarily. The flipside of steganography is "digital watermarking," which is the same thing, except used for copyright enforcement. There has been a lot of work done in creating watermarks which aren't too noticeable, but which are resistant to resampling etc.

  18. A much better solution by mdarksbane · · Score: 3, Funny

    Would be to zip all your files together, encrypt them, then share them on Kazaa as "hot XXX teen pporn pr0n tryout mother daughter incest dog sex sex sex.avi." Your data will never be lost completely ;-)

  19. Steganography in recent fiction by sidles · · Score: 5, Interesting
    Steganography is central to Carter Scholz's recent novel Radiance. In brief, complete engineering descriptions of all US nuclear weapons tests are smuggled out of the US national labs, steganographically concealed in pornographic *.gif files.

    Warning: this novel is a demanding read. It is a higher-brow---and markedly dystopian---treatment of the same themes as Neal Stephenson's Cryptonomicon. In writing it, Mr. Scholz seems to have received considerable help from insiders at the national laboratories.

    With luck, the following link to Google Print will show you a sample page that is reasonably representative of the entire book.

    http://print.google.com/print?id=kVP7pIA9TYUC&pg=PA382&lpg=PA382&dq=steganography&prev=http://www.google.com/search%3Fclient%3Dsafari%26rls%3Den-us%26q%3DRadiance%26ie%3DUTF-8%26oe%3DUTF-8&sig=-uyML9jp9G4JsUZOCa59fPI6YpM

  20. we need humint, not sigint by danharan · · Score: 2, Insightful

    So bad guys can communicate through even more opaque channels. Woop-dee-doo.

    The too-often referenced 9/11 attack was not a failure of signals intelligence. Secret services whose job it is to capture communications did their job in this regard.

    Information was not translated and/or acted upon.

    Getting more sigint will lead to a panopticon society, without actually resolving the fundamental problem of our lack of human intelligence.

    --
    Information: "I want to be anthropomorphized"
    1. Re:we need humint, not sigint by quarkscat · · Score: 2, Insightful

      "...without actually resolving the fundamental problem of our lack of human intelligence."

      Amen!

      In spite of all efforts to thwart the creation of the 9-11 Commission, and then to stonewall on making available government files regarding "who knew what, and when" to the Commission, the truth slowly but surely does surface eventually. Not only did the FBI have information on some of the 9-11 hijackers taking commercial aviation flight instruction pre-9-11, but it also turns out that DoD intelligence had pinpointed a part of the Al-Qaeda terrorist cell more than a year ahead of time.

      It would appear that most of our alphabet soup of government intel and investigative agencies are not only bureaucratic but also oxymoronic in nature. Considering the DHS focus on toenail clippers and boxcutters, instead of seaport and border security, it would seem that far too little has changed, with the exception of the US Patriot Act torpedoing the US Constitution and Bill of Rights.

  21. Stegdetect by BCTECH · · Score: 3, Interesting

    I ran the image through stegdetect and it came up with a "false positive". This utility detects images encoded with jsteg, jphide, invisible secrets, outguess, F5 (header analysis), AppendX, and Camouflage. Although steghide is not listed, I have found that false positives are shown with images that I know to have an embedded file.

    I played around with steganography at one time and set up a script to create embedded images via the web using Outguess.

  22. Re:Gmail? by sanx · · Score: 3, Funny
    Would open up a whole new advertising channel for Google, wouldn't it:

    From: Joe
    To: Michelle
    Subject: No stego here
    <attachment: cutedoggy.jpg>

    Adwords by Gooooooogle
    Terrorists are using the Internet to send secret information.
    www.paranoia.gov

    Can't find your WMDs? Buy some more
    www.dod.gov

    Suspicious emails? Let us examine them
    www.noprivacy.gov

    Looking for Cute Doggies?
    www.sexwithcutedogs.com

  23. Re:Hiding more than one message? by HermanAB · · Score: 2, Interesting

    BTW, it is possible to create a file consisting of two encrypted messages, with two keys, interleaved such that you can retrieve the one or the other. If the one message is innocent and the other not, then you can give the Police the innocent key and the other message remains deniable. This is described in Applied Cryptography.

    --
    Oh well, what the hell...
  24. Re:Shifting types & saving content to a remote by Gudlyf · · Score: 2, Informative
    No, simply changing the extension does not work:

    New Text Document.txt.jpg was not uploaded: File was not a recognised type or was unable to be decoded (we only support JPEG, PNG, non-animated GIF, BMP and TIFF)

    --
    Trolls lurk everywhere. Mod them down.