Slashdot Mirror
Evidence of Steganography in Real Criminal Cases
ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"
Who calls USB keys "USB"s like one of my computer illiterate friends. Or is this some new kind of slang that I am not aware of.
which is totally what she said
This was advertised in the film "the core" when the 'hacker kid' sends a message to a pilot within some other data... Great. It's also in use CONSTANTLY by conspiracy theorists, how many people have received that stupid email about the number 911 and the wingdings font... *yawn*.
Steganography is also in use by some media producers, I've heard cases where demo tracks have included some randomness that is later detectable to find the source of whoever leaked the track (each person on the initial review got a different copy of the randomness).
Why UNIX?
Maybe this really means that the software available for this type of use just doesn't work very well?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
What is a free point-and-click free tool?
How do you take a USB? People are actually ripping the USB controller out of their machine and taking it with them? What's the point? There isn't any data in the USB.
Kids,
To those versed in statistics or the scientific method, find the flaw in this statement (as taken from the article):
"with the little data we have so far, we are finding that there's a strong correlation between criminal activity and at least the installation of steganography programs on those [confiscated] computers"
With the little data I have so far, I think the researchers are pulling our leg.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
http://en.wikipedia.org/wiki/Van_Eck_phreaking
Came across this in Cryptonomicon. It blew my mind. If people can do shit like this Steganography doesn't actually sound that hard.
Installation of steganography tools != using those tools in practice. If someone is looking to conceal data, they may be grabbing anything out there that stands a remote chance of being helpful. Sort of like how in the early days students would have all kinds of music players and point-to-point file exchange programs, looking for ones that would do what they wanted or had what they wanted.
James Wingate, director of the steganography analysis & research center at Backbone Security, and a vice president there, says the use of steganography is on the rise, and it could be used for things like transporting malware.
"Some would call me 'Chicken Little,' but I fervently and passionately believe criminal activity is being conducted with steganography... We do know it's being used to conceal child pornography," Wingate says. "
When someone "fervently and passionately" believes something, particularly something related to a day-to-day project where one's institution stands a good chance of increased funding if what you believe is true, that's a good indication that you need to look hard for real, reproducible evidence that will stand up to rigorous peer review. Nor should concealing those types of images be surprising - unfortunately there seem to be a large number of sickos out there with this stuff, and probably every data-concealing program ever written has been used to conceal it (or try to). More to the point, is it in WIDE use?
I agree that a USB stick is a much more plausible attach vector for a company insider (no "hey what was that huge surge of email traffic with images?" signatures for IT to poke their noses into, just for starters.) If someone wants to hide data on their machine, I would think any of the various harddrive encryption techniques would both be simpler and much more effective.
I remember looking around at steganography tools some years back for other purposes (watermarking images people were considering contributing to a collectibles website) and my conclusion was that the most practical use of the techniques was to store information one WANTED to be found - another way to put metadata into an image so you could later figure out additional information about it (say, for a baseball card certified by a company you could add the certification information using steganography to ensure later availability of the information even without the website context, unless the image was compressed or otherwise distorted. It didn't and doesn't strike me as anything that can be used for anything uniquely evil or even uniquely practical (real image metadata is most likely a better place for useful info, and hiding information in it is an iffy proposition at best.
Remember, just because non-government researchers can't cover all 800+ programs doesn't mean someone like the NSA with large funding and budgets couldn't throw resources at it until they had all of them covered. Somebody will probably use it, but someone will use virtually every possible technique to do something at least once in the vastness of the Internet so that's not a very interesting statement. The interesting question is will a lot of people use it, and I just can't see it being worth the trouble.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
First, legislatures pass bullshit laws about cryptography despite warnings that they are going to be ineffective because of steganography. Now, they claim that the sky is falling because people are using it.
Right now, police can still detect the steganography tools, but those will start to be hidden as well. Encrypted, hidden data can be added to MP3s, MPEG4s, PDFs, scans, executables, random leftover noise on the disk. It can be hidden on microSD cards, printed on paper, and hidden on DVDs.
There is no way governments or companies can stop covert communications of data. Get over it and stop making laws that are unenforceable but give police and governments ever more tools to abuse their powers.
New Purdue University research shows steganography, long considered a minor threat, may be on the rise
OCTOBER 18, 2007 | 6:00 PM
By Kelly Jackson Higgins Senior Editor, Dark Reading
Until recently, steganography, the stealth technique of hiding text or images within image files, has mostly been considered too complex -- and conspicuous -- to be much of a threat. But some forensics experts now worry that the bad guys are starting to use the tactic more frequently, especially in child pornography and identity theft trafficking.
There are an estimated 800 or so steganography tools available online, many of them free and with user-friendly graphical user interfaces and point-and-click features. This broad availability making steganography more accessible and easier to use for hiding and moving stolen or illicit payloads, experts say.
Security experts to date have mostly dismissed steganography as a mainstream threat, relegating it to the domain of spooks and the feds. Their skepticism has been well-founded: The few studies that have searched for images hiding steganographic messages have come up empty-handed.
Just because it is an inefficient and poor method does not mean it will not be used.
Criminals are know for their poor work ethic. Why do a bunch of skull drudgery and research, when they can just grab the first thing that comes along.
Another reason it might be attractive is it's over complication itself. One of the main reasons frequently given for people to become real spies is pure excitement. They want to do "spy stuff". Someone like that is going to go not for the best method, but for the most high tech, convoluted, spy movie type stuff they can get ahold of. There was a famous American double agent years ago with just this issue. He began demanding weird and unnecessary communication equipment from them just so he could have it. the adrenaline rush of dangerous behavior frequently leads to even more. Grander crimes, more complicated plans. Increased risk.
"D-" for results. Clearly you have too much time on your hands.
Bruce Schneier didn't agree, so why did you post it?
Floating face-down in a river of regret...and thoughts of you...
"Oh, hi Peter, sorry to bother you, but we have a suspicion that someone from the inside might be leaking sensitive information to our competitors. Do you mind if we have a quick look at your USB stick?"
Would you rather be caught with:
a) All the company's secrets
b) Pictures of your daughter
And yeah, you could be encrypting all that information, but even an encrypted file would be more suspicious than a picture of your cute daughter.
One thing I really don't get about steganography is why hiding a message *in* a picture is preferable to sending the picture as a message.
For example, if "teh terrist" wanted to send a message like "attack now", why couldn't the message be given via a pre-arranged signal -- say the image shows Osama wearing a silver watch for "It's go time", and a gold watch for "wait out the Americans". No one can detect a "hidden message" because there is none.
You could do the same for other things even if you don't use USB (which would probably be easiest in a workplace). How about plain old pencil and paper? Just write down the information, put it in a device called an "envelope", write down the physical address of the guy you're sending it to, and drop it off in the post office. It's virtually untraceable, and would work even if the IT guys turn off the USB ports.
... Zep already started it. Stairway to Heaven, backwards. That funny 'reverse' knob on the tape deck sure was fun to play with!
I'm an infovore...
In fact people like Guillermito has regularly showed that a lot point'n'click stegano softs are just completely useless. They either don't work at all (fail to transport data) or store the data in nearly not hidden at all way (payload stored as-is past the end of the file, or zero-padded and used for the least significant bit of the file without any encryption).
Specially if the marketing blurb mentions "military grade" (translation : triple AES is used to store the password. The reader software inputs a password from the user and if it matches the hash... the soft proceeds extracting the otherwise clear, non crypted and un-obfuscated payload).
So while it *is* possible to design actually working steganography, if a would-be pedo-terrorist-criminal tries to google for stenographic software, he'll most likely land on useless software.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Once they've planted the idea in the public's head that child pornographers hide kiddie porn in innocent images, then they can start embedding child porn in all sorts of things, so that when they feel like arresting you, there's a good chance there will be child porn on your computer and your ISP will have server logs of you downloading it. Or maybe I'm just being paranoid.
I'm awake! The answer is BONK!
Drone: There was nothing; just some pics of his 11 year old daughter playing at the pool.
Boss: Damn. But...Peter doesn't have any kids...
How big is that picture of your daughter? I seen a real world example of it. A 4mb image, that somehow only seemed to result in a small photo of about a 100x100 pixels. Yeah, that ain't suspicious AT ALL. Doesn't set of any alarm bells. Nope.
That is the entire problem with the idea, how do you get enough information inside and still not raise suspicion. It is different for coded messages, keep the code small and it can easily fit but to leak information, you need to start including megabytes of documents in image files that are typically less then a 100kb or do you think nobody will find it odd if you keep a 10megapixel uncompressed image of your daughter on your stick?
Remember, if it is a small amount of data you can get it out easily, memorize it. But if you are talking industrial espionage you are talking blueprint, documents, databases.
The researcher claimed that he found traces of the programs in question. TRACES. Meaning they were removed. Now think about this, why does someone remove software. Because they want to hide it OR because they tried it and found it useless?
Sure, there are uses, but as said, only for situations where the data is small enough to logically fit inside. Child porn image nesting in a harmless image seems about the most logical use, you could easily create a site that serves "harmless" wallpapers but are really childporn. Except one tiny problem, how do you distribute it? Open access, bit risky getting the highly illegal content out there, who knows who might be bored and start snooping. Limited access? Then who are you hiding from?
The problem with the child porn idea is that it ain't going to fool anybody for long. Contrary to popular believe the police ain't stupid, if they suspect childporn and find nothing but a large collection of regular images that ALL seem to be just a bit too large, then just maybe, they are going to investigate further.
As for use in distribution, encryption is far easier, if I know you then I can just send the file encrypted and nobody will be the wiser. If I don't know you and post it blindly on a public site, how are you going to know how to get the content out?
I know that the idea is that one of the elements of hiding is NOT to increase the filesize, but unless I am missing something, if you want to hide 1mb of data, you are going to need at least 1mb of other data to do the hiding in. For a nice database dump, that is a LOT of pictures of your daughter.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Don't 4chan users already do this all the time by putting books inside jpgs?
I believe the technique is you open the jpg with winrar and it ignores everything before the start of the zip file, so ignores the jpg but still reads the zip fine.
If little kids making penis jokes can do it with so much ease I very much doubt it's "too complex" to be useful in other ways. All it takes is the knowledge and you can hide stuff in broad day light, or at least make it very difficult for people to find that zip of (lets go with the emotional response) child porn hidden among your 500 holiday snaps to the south of France.
I like muppets.
"I don't have a USB stick"
Now what?
Amen, brother. In this part of the world there is a minority that behaves pretty much exactly the way the furries do... the Fenno-Swedes. You know, the 5,5% of Finnish citizens who speak Swedish as their mother tongue and believe it's some sort of God's gift to all humanity, or at least the rest of their countrymen.
:)
Your description of furries fits them spot on. They've chosen a lifestyle of pretending they're some holier than thou remnant of the sacred Swedish kingdom of the middle ages that represents all that is good and civilized about the country, and damn you if you don't agree with them. Their minority group represents an identity that needs to be protected at all costs... and guess what? Everyone else gets to protect them by becoming them, because obviously their identity doesn't matter!! And after all, they're just giving you the GIFT of getting to be Swedish! Great, huh? You'd probably love it if some furry insisted that you SHARE their fetish in order just to prove you're open-minded!
They want to take your kids early on so they can brainwash them into believing they're Swedes too (this would raise a hell of a protest if it was tried on Åland which has the constitutional right to be racist towards Finns, but of course the same rules do not apply -- only they are "special"), and then they want all kinds of totally ludicrous language requirements everywhere so that they have the right to be "served in Swedish" where-ever they go -- even outside their little reservations along the coastline. If you dare point out that this smacks of manipulation, you hate the minority and are a nazi.
Think of it -- furries putting your kids into furry-school in order to advance tolerance and understanding, and then educating in the fetish all the way through school, requiring a furriness test before they can graduate university, and then making them get all jiffy with a furry whenever one walks up to you and wants to share the gift of the wonderful, mind-expanding fetish!
The sad part is that this is not even a complete troll, it's all factual...
4chan has been using a similar thing for a while - it's easy to hide a zip/rar archive in a jpg as these formats ignore everything but the markers indicating the start and end of the archive. For example, hiding a e-book .pdf in a .zip, then appending it to a .jpg means that it shows up as a valid jpg with the cover or whatever in a browser, etc, but when renamed .zip it functions as a proper archive.
Not exactly what's in TFA, but pretty cool nonetheless!
The Coward is laughing out loud out loud out, after a plate of egg and bacon.
A point to note is that the criminals using stenography are probably not using it to transfer large quantities of information, but merely communicating small very private messages. This might include links to web servers, credit card numbers or meeting/payment instructions. It is unlikely to require more than a few hundred bytes of data.
While Schneier is correct that corporate theft is best accomplished with USB drives or even your corporate laptop, the criminals using stenographic software are probably not using it for their bulk transfers of information, but rather pointers or encryption keys to information transfered by other means.
Comparing the number of web pages against the number of child pornographers who might be hiding stenographic in online images makes Purdue's attempt to crawl the web in search for stenographic data seem futile.
Data transfers by stenography have to be pre-arranged in advance by some other communication method, otherwise how would sender and receiver know how to encrypt/decrypt their messages? If your interest is in stopping crime, then this is the weakest link and should be the focus of your detective work.
---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.
Why wouldn't the criminals just go for a ride with the universal serial bus?
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
The first ste is to not let people know from whom your recieved anything or to who you are sending things.
So how can this be done? Easy, post it on Usenet. That way there is no link between the sender and the reciever. I post it on a server in Belgium and somebody else can read it on a server anywhere in the world.
Obviously you need to be on-topic, othewise you can draw unwated attention on yourself. So you start to look for ways to do that. Binary groups can be ideal for this. Add Stegography and gpg and you have an ideal way of sending messages to anybody. Each person could be using a different group and/or gpg key.
That way everybody can see your message and perhaps even can find out you are actualy using Stegography, but they will not be able to figure out who it was for or, even if they would be able to hack the information.
e.g. if you post to news:alt.binaries.pictures.wallpaper daily (Please not more then 50 per person per day) daily, as I do I can once in a while add extra information if I so desire as I did today.
The advantages over other ways of comunication, like email or websites, is that there is no way to make a link between people directly. This is nothing more then braodcatsing "Jaques has a grand moustage, I repeat, aques has a grand moustache."
Sure peaople would know that is was send, but they did not know what it ment or whom it was for.
Don't fight for your country, if your country does not fight for you.
I think it's silly. Stego is well known for not being very effective at truly obfuscating the fact that there's hidden data in a photo. Open the file in a hex editor and it's blatantly obvious there's data in the photo. Anyone with a modicum of knowledge could detect the presence of data, uh, with the possible exception of your local border security (sorry, oblig.). I'm suspicious about the study. If you wanted to hide data in a file, why would you then post that image to the web for all to see? Why not just email it to one or two ... million people all spam-like and make sure at least one goes to your target? Most people will delete your spam without even suspecting anything. Then there are the few that would be curious. So, well, not a great idea either. I just don't think stego is what it could be, or what criminals expect it should be.
___
Bruce Schneier can divide by zero
"something the bad guys won't use, because it's too cumbersome/difficult/whatever."
That's the **AA version of "security"...
And yeah, you could be encrypting all that information, but even an encrypted file would be more suspicious than a picture of your cute daughter.
Except for the fact that the little 320 x 240 pic is 512MB...
Seven puppies were harmed during the making of this post.
Now what?
(slammed against the wall)
"Bro don't tase me, don't tase me! Br-clickclickclickclickclick"
Welcome to the NEW America.
Seven puppies were harmed during the making of this post.
We'll mop up those cowardly confederates at Antienam...
Those Japanese are too stupid to make it through the jungle at Singapore, and certainly don't have the logistics to sustained forward fleet operations...
It will be at least a decade before the Russians get the atomic bomb...
The United States has a comfortable lead in rocket technology...
A bunch of stupid arabs couldn't put together a complex terrorist attack against the USA....
We've just about got this insurgency licked...
And now..!
Thiefs are too stupid to use advanced technology....
This is my sig.
Yeah... because as we all know that bad guys are concentrated on sacks of money with dollar signs printed on the sides.
And that they all wear black eye-masks, green hats, red shirts and blue pants.
http://upload.wikimedia.org/wikipedia/en/d/d1/Beaglefamily.png
Mit der Dummheit kämpfen Götter selbst vergebens
copypasta, also, gb2youknowwhere
Seven puppies were harmed during the making of this post.
Well USB "key" is one term I'd like to see discontinued for USB devices that function only as a storage medium. In this case it isn't a "key" to anything, it's a storage device. Drive is okay - shows up with a drive letter or as a /dev/sdb? but key? No - it's not unlocking anything, folks. Therefore it is not a key.
Please look at these images and tell me exactly what in the hex dump makes it "blatantly obvious" that one is stegged.
First the program takes the target JPG (which you want to be very large), and treats it as random noise. Simply a field of random zeros and ones. Then, within that vast field, the program selects a pattern or frequency to place variations in the noise pattern.
The variations in the noise pattern act as a beacon - sort of a signal that the payload is coming. Common variations include mathematical pulses at predictable intervals - say something that would easily be recognizable by a 5th-grader, like say a pattern of prime numbers.
Then it layers in a second layer, nested within the main signal. Some bits are bits to tell how to interpret the other bits. Use a gray scale with standard interpolation. Rotate the second layer 90 degrees. Make sure there's a string break every 60 characters, and add an auxiliary sideband channel. Make sure that the second layer is zoomed in sufficiently, and using a less popular protocol language, so that upon first glance it's not easily recognizable.
Here's the magical part: It then adds in a third layer. Sort of like in ancient times when parchment was in short supply people would write over old writing... it was called a palimpsest. Here you can catalog over 10,000 "frames" of data, which can communicate any message that you want.
Further details on this method can be found here.
in the entire prison break series we have had enough of steganography. so isnt it enuff to prove the worth?
Neal-Stick
the Technology Without An Interesting Name...
Best Slashdot Co
It looks like someone didn't get their invitation to the Furries v. Klingons bowling tournament, and is pouting about it.
http://www.boingboing.net/2007/09/25/furries-vs-klingons.html
Who doesn't know that Bruce Schneier is in fact a very reputable, actual expert.
Schneier says steganographic images are just too obvious, anyway, which renders the technique useless. "If I'm in Burma and trying to send out human rights documentation and hide it in a picture of a giraffe," it's going to look suspicious, he says. "For it to work, you need to have a plausible cover story."
Like, you're sending pictures of your family to relatives overseas?
Steganography is just a new way to mix up the classic techniques of prearranged obscure and innocent signals with ciphers, and these kinds of signals are well known and have a long history of being used by all kinds of people for purposes both innocent and otherwise. Paul Revere's "one if by land, two if by sea". Coded messages in classified advertisements. Kipling's raised hand. They've even been appropriated and turned into normal and expected parts of games, like signals in baseball, or bidding in contract bridge.
On some imageboards (which shall remain anonymous), a common trick is to password-protect a RAR file and append it to a an image (cat foo.jpg bar.rar > baz.jpg). Most RAR utilities skip right over the image data and only extract the RAR file.
ROMANES EUNT DOMUS
The viewer or reciever doesn't need to have a constantly updated password. They just need to know, say, a half dozen file names and passwords in advance, maybe years in advance, and try them against the image. It is trivially easy to hide a hashed text file in a compressed image file and it doesn't take special software to do it. A simple HEX editor is enough. It's pretty easy to detect but it wouldn't matter if the text data is hashed with strong encryption. There is a misconception that important data must be large to be worthwhile. 20 to 30 KB of text is one heck of a lot of data if it contains, say, user names and passwords and that's pretty easy to hash and then compress to 8 or 12 KB. So, yes, compressed image files are a pretty good carrier and can be used effectively when preparations are made well in advance. There is no such animal as invisible stenography. It's going to be dead obvious something is going on the instant the file is "HEXed" but the hashed data still has to be decrypted. Obsfucation and encryption - no reason for that not to work and work well.
No ideas, no results, just big claims.
It would seem that distributing steganography software software would immediately make it useless. Steganography is based on hiding information in such a way that other people can't find it unless they know EXACTLY where it is (eg if every other prime-numbered byte in a raw image produces a text file when appended in a certain order, it is unlikely anyone will find it). When software like this is distributed, however, anyone who receives it may potentially figure out where/how it hides the files, and once one person figures it out anyone can then find any files hidden that way, rendering that method of steganography useless. This means that only individuals/groups that can develop their own form of steganography will be able to use it with any effectiveness.
Using a second stick is not beyond the wit of man. The problem that the logs may show you copying files to your stick, but then they would also most likely show you using stenography in that case as well.
Whooptie fucking doo. My secretary uses stenography on all my dictation, I must be a fucking James Bond villain.
*yes, I know the difference.*
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
If Steganography software was any good it wouldn't look like Steganographic software. Time to write that MP3 player / word processor / web browser that hides data in the MP3s / documents / web sites it accesses.
...and that's why stego is typically combined with crypto (to make the payload look more like random noise and prevent it from being decrypted even should it be found) and other techniques to hide the payload from statistical analysis (ie. making it look less like random noise, and more like the noise that legitimately appears in images' low-order bits).
Done right, stego can be resistant to analysis, even by someone who knows the algorithm. Of course, it's a cat-and-mouse game between those working on analysis software and those improving steganography techniques.
Yes, there are a tremendous number of stupid criminals out there, just like there are a tremendous number of stupid people out there.
But we chronically underestimate what people are capable of. I know a bit about O-chem, and with a bit of research could probably manufacture meth fairly easily. It's really not much more complicated than setting up a moonshine still. Out of the reach of some? Sure. But the fact remains that tens of thousands of strung-out hoopleheads manage to do it every day.
We complain about them damn young kids sailing the high seas of Internet and maliciously raiding commerce vessels trading in MP3s, and yet many judges seem baffled by even simple concepts like IP addressing and server logging.
These steganography tools are fairly easy to use. So why, again, are we surprised that criminals can point and click?
Message contains 1 attachment: spam.gif
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Apparently what a lot of people do not realize is the common, off-the-shelf freeware stego tools insert signatures of the program used into the file itself. Thus, by examining a JPEG image with a suitable steganography detection tool it will reveal that such a program was used.
.EXE file. Of course, it leaves a signature so it can determine if there is anything included in any given .EXE file.
This utterly removes the utility of steganography in one pass. If the program leaves a signature, there is no longer a reason for using it.
And pictures are not the only thing. There is a tool that will embed data into a Windows
Pointless. Sure you can encrypt the data you are hiding, but the point of hiding is to remain hidden. With a signature it is obvious there is something hidden there. Do you not believe there are people checking USENET posts and picture exchange sites for this sort of thing? OK, I can post a picture of a dog with some child porn hidden in it. I would then publically offer the password/location/etc for $10 via e-Gold. Of course I'm not going to get caught but the picture will get taken down. Probably before I get paid. This stopped being a good way to exchange pictures of abused children several years ago.
This is only true for weak forms of steganography in much the same way that it is true for weak forms of cryptography.
With strong steganography, the correct key is necessary to recover the message or to even prove that the message exists. Hiding the specific algorithm is not a required for security.
Some spread spectrum communication techniques (but not all) have this property as well. If the received signal is significantly below the received noise level, then recovery or even detection is not possible without the correct spreading sequence.
While the article states that more instances of stenographic programs were found, it notably does not say that any actual obscured data was found hidden with them. This much more suggests that while these suspects may have gotten a copy of the program, they too have not been using the programs.
Have we all forgotten that TFA was about stego?!?!? Holy shit, I could just see you guys at a conference, you would have everyone so confused they would not know what they had just attended!!!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Chuck Norris' roundhouse kick is so powerful, it can be seen from outer space by the naked eye.
Eh, fucker deserved it. Everyone should have a USB stick to avoid this exact situation!
Interestingly, the Captcha for this post is "Pacified"
The ResearchBuzz blog has proposed "nerdstick". I've standardized on that for my own use.
QUOTE: Goldman says he later realized that they had been going at the research all wrong. "The probability of finding anything wasn't that high, and I started to feel like we were looking in the wrong place, and jumping too far into it. Trying to find these steganographic files in the wild seemed impossible."
Instead, the Purdue researchers decided to first try to prove whether criminals were using steganography tools at all. "Never mind finding the evidence of what they are sharing or the secret message, but just proving they use it," he says. "This is the first time this has been done, I think.
This is the same as saying that because you own a gun, you are a killer.
WTF? I moderated that "Funny". How did it come out as "Troll"?
Posting to undo my modding.
Like the guy in the article said, people'll put it on a USB. And they said they'd never be able to detect the images "in the wild" anyhow as the "signatures" aren't known! So, who cares, if there's nothing to be done "in the wild" anyhow?
Hey man, the article is about steganography, not stenography. ;)
Well I say don't underestimate the criminals mind. There's nothing surprising about criminals taking advantage in using steganography. If it brings benefits to them, they would definitely try it. Anyone has potential to become a crimal which makes it not impossible for certain criminals to know how to use steganography. Although expert Schneier dismisses the idea, there's still a chance that he may be wrong. After all, experts are still humans and no matter how good they are at what they are doing, they bound to make mistakes one way or another, sooner or later.
"With strong steganography, the correct key is necessary to recover the message or to even prove that the message exists."
;) ).
Not if you leave the lower noise original "carrier" (photo/sound file) around and a copy of steganographic software that isn't installed by default.
People might find the software and the original and then ask you some questions. In the UK or similar countries they might then start asking you for your keys, which you are required by law to hand over.
Same thing goes for the usual crypto software.
A possible solution is:
https://bugs.launchpad.net/ubuntu/+bug/148440
Sure that'll make it convenient for criminals. But it'll make it convenient for non-criminals too.
The last I checked, there are numerous cases of people being considered criminals in one country but considered decent or even exemplary people in another. In some cases the person doesn't change but the government/laws change and suddenly the person is now a criminal.
Sometimes such a person is indeed an evil person, but if he is evil enough there is usually plenty of other evidence or ways to get him (the Tax Dept comes to mind
And if an evil person somehow keeps his evil actions and thoughts to the limits of his mind and mind prosthetic and behaves in a reasonably decent manner otherwise, then who are we to judge or cast the first stone?
If they don't find evidence of a steganographic or cryptographic application on your hard drive, it means nothing that you have a few hundred wallpapers containing child-pornography. If the wallpapers were publicly downloadable, then how would they go about proving someone was aware that they contained the child porn? If they do find steg/crypto software on your PC, you simply point them to your folder of holiday snaps and give them the keys to unlock your family recipe for swedish meathballs or bank account details or whatever. The police can suspect and investigate all they like, but if the crypto is up to it, they won't get anywhere beyond supposition and circumstantial evidence...
What if the person you are sending to no longer has control of their machine because they've been arrested? The police now know that you sent an encrypted message to a suspected criminal. If the message was encrypted and stuffed inside an image, you have plausible deniability. "Why officer, I had no idea the other members of my photography club were drug dealers! I've just been innocently swapping my large uncompressed nature pictures with them! I am *shocked*!"
Even the strongest steganographic (or cryptographic) algorithm can be defeated through user incompetence.
If I am creating my own continuous tone and likely compressed images and relying on them for steganographic data transmission, why would I keep the originals?
I anticipate the day UK authorities use this provision to hold and/or persecute someone for reasons having nothing to do with withholding cryptographic keys. I suppose they could learn a lesson from US law enforcement and tie this in with property seizure although I suspect the former could teach a thing or two to the later.
* Oddly enough, I have had problems recently with passwords being rejected for being too good. Apparently, 128 bit randomly generated hexadecimal numbers are insecure in some way I do not understand.
Umm, Has anyone ever considered the fact that terrorists (or ordinary criminals) might use steganography to hide useful information in porn? I mean, if I was a terrorist from a highly sexually repressed culture that forbid any public display of sexuality (or drinking), the first thing I would do is find a valid excuse to get at some porn (Basic human nature doesn't change much between cultures).
So if the terrorist (or just criminal) generate the porn they hide the messages in, there is no unaltered original to compare against. It also isn't very obvious, porn is the Internets "dirty little secret", a large fraction of Internet users download porn. They certainly would not be using COTS software, even if they are non state actors, they certainly have enough resources and contacts among the universities and friendly governments that they could get non signature bearing steganographic tools. And they would not get into trouble with their own group, after all, they are viewing porn "for the good of the cause".
Hmm... I wonder if NSA is hiring?
Why risk getting caught sneaking data out in little chunks on USB drives? Just put a copy on your company laptop so you can 'work at home'. Then report the laptop stolen.
Have gnu, will travel.
RearShowseat onePronographyminoron the riseJacksHeadww wbad guysc mochild pornfickingorgytoolfreeusefacesThis broad availabils, exexperts to datestreamingmassagescomehand
My god!