BitTorrent's Bram Cohen Unveils New Steganography Tool DissidentX

Sparrowvsrevolution writes "For the last year Bram Cohen, who created the breakthrough file-sharing protocol BitTorrent a decade ago, has been working on a tool he calls DissidentX, a steganography tool that's available now but is still being improved with the help of a group of researchers at Stanford. Like any stego tool, DissidentX can camouflage users' secrets in an inconspicuous website, a corporate document, or any other, pre-existing file from a Rick Astley video to a digital copy of Crime and Punishment. But it uses a new form of steganography based on cryptographic hashes to make the presence of a hidden message far harder for an eavesdropper to detect than in traditional stego. And it also makes it possible to encode multiple encrypted messages to different keys in the same cover text."

Bram Cohen

[vikingpower]

deserves a medal.

Re:Bram Cohen

Yeah, I like that Dracula book.

Re:Bram Cohen

[TeknoHog]

*sigh* It's not Bram Cohen who wrote the Dracula...

..it's Leonard Cohen.

Re:Bram Cohen

[aergern]

0/~ Everybody knooooowwsssss 0/~ it was Bram STOKER. ;)

Svefg cbfg!

[Grantbridge]

Svefg cbfg!

Re:Svefg cbfg!

YBY!

Re:Svefg cbfg!

[Thanshin]

I almost modded that as Troll, but maybe it's insightful if decoded with a different key.

Re:Svefg cbfg!

ROT13 -> First Post!

Re:Svefg cbfg!

[EngineeringStudent]

First post in Rot13? Not entirely informative. Also not first.

Re:Svefg cbfg!

On a binary ROT 13 wheel, 1 becomes 0, which is first. What's really going to bake your noodle later on is how the poster managed to come up with that in time to be the exact second post.

Re:Svefg cbfg!

[girlintraining]

I almost modded that as Troll, but maybe it's insightful if decoded with a different key.

Iway on'tday inkthay it'sway anway encryptionway emeschay, utbay away ewnay anguagelay. Avehay ouyay iedtray unningray itway oughthray Ooglegay?

Re:Svefg cbfg!

V frr jung lbh qvq gurer!

Who the hell needs this?

I could see state level espionage, perhaps smugglers or mafia, drug dealers, etc. But normal people do not need this - it's completely loony-tunes.

Re:Who the hell needs this?

People who want to increase the chances that something will stay secret? People who want to reveal the crimes of their governments?

Re:Who the hell needs this?

[nurb432]

Need is relative. Even if all i want to do is have my wife send me a note to pick up milk on the way home, its not the governments business. So in reality, *yes* i do have something to hide. It doesn't mean i'm a criminal. Its called personal privacy.

Re:Who the hell needs this?

[Thanshin]

People who live in a country with a security force that can make you disappear and torture you to death for posting the wrong message unencrypted.

Re: Who the hell needs this?

I think you are missing the point here. 1) You do not have a wife, & 2) Why are you letting her boss you around?

Re:Who the hell needs this?

[gstoddart]

I could see state level espionage, perhaps smugglers or mafia, drug dealers, etc. But normal people do not need this - it's completely loony-tunes.

I see it as more of a big "screw you" to the people who want to watch everything we do.

I'm not committing any crime, and you have no reasonable basis to believe I am. It's still my right to communicate and keep some things private.

But if you're going to insist on tracking everything we do, we're going to make your job harder.

Expect to see lots of products intended to give end-user security.

If you're willing to allow the government to spy on everything you do (clearly not the case since you posted as AC), that's your problem.

Since the whole planet is being spied on by the US, denying them the information is the best response.

Re: Who the hell needs this?

You seem confused about which way you want to troll this one. I admire the thought that maybe you could embrace the power of AND and go both ways, but, sometimes that doesn't work out. This is one of those times.

Re: Who the hell needs this?

Not that I disagree with you. But posting AC only hides us from you.

Re:Who the hell needs this?

[wonkey_monkey]

But normal people do not need this - it's completely loony-tunes.

Normal people shouldn't need this. What's completely loony-tunes is that they do.

Re:Who the hell needs this?

Yes, but other than that ... and a run-away / out of control government, the USA is not so bad!

Re: Who the hell needs this?

[dkman]

1) Whether he has a wife or not is the government's business. He notifies them every time he files taxes (married and filing jointly/separately)

2) She can request that he buys milk on the way home. It's a sign of working as a team.

I could also say that he is likely to do it because he enjoys being married, but I think that's a bit sensationalist.

Re:Who the hell needs this?

Perhaps people who live in countries where information is censored by the government.

Re:Who the hell needs this?

[mcneely.mike]

Yes, but other than that ... and a run-away / out of control government, the USA is not so bad!

Not so bad!?! They bribed Celine Dion away from us Canadians... the trigger happy Americans are wonderful! (There is a nudge nudge, wink wink somewhere in there...) :)

Re: Who the hell needs this?

[Goaway]

He got you, didn't he? I'd call that a success.

Re: Who the hell needs this?

Innocent People residing in a land with a security agency of questionable legality in its practices? In other words, 90+% of Americans?

Re: Who the hell needs this?

Amen!

Re:Who the hell needs this?

[Charliemopps]

Today, that's pretty much all of them.

Re:Who the hell needs this?

[Tom]

But normal people do not need this

You are not thinking creatively enough. I can see a dozen uses for this, some playful, some serious, some a bit geeky, some artistic.

Re:Who the hell needs this?

[aergern]

You ARE the problem. You've been conditioned to believe this since 9/11 and it's wrong. Us old folks remember when our lives were private unless WE divulged the information. They've trained millennials to SHARE everything and quite a few of us older folks think we have to change with the times. Well, no. Fuck that.

Re:Who the hell needs this?

[dryeo]

Just how old are you? America started spying on its citizens during the civil war by intercepting the telegraph, ramped it up during WWI when national security started to be used to justify removable of what were apparent rights such as free speech and not much later the rule of J. Edgar Hoover, based on having dirt on everyone, started.

Re:Who the hell needs this?

Your argument is neutered by the fact the Internet now makes privacy impossible.

Re: Who the hell needs this?

[coolsnowmen]

Or he fake trolled himself, the real troll, to get you?

I've still not finished "Gödel, Escher, Bach: An Eternal Golden Braid", so I don't know the answer yet.

First

Yeah, I win!

Actual Link

[steamraven]

Come on guys! At least post a link to the project.

https://github.com/bramcohen/DissidentX

Re:Actual Link

[gstoddart]

Now there's going to be some download logs closely scrutinized by intelligence agencies.

Because, if you have nothing to hide you have nothing to fear, right? So if you've got something to hide, you must be guilty of something.

*sigh*

Re:Actual Link

[Penguinisto]

...so grab the thing via BitTorrent at the nearest McDonald's WiFi and be done with it.

(...geez - do I have to think of *everything*? ;) )

Re:Actual Link

...so grab the thing via BitTorrent at a randomly chosen McDonald's WiFi and be done with it.

(...geez - do I have to think of *everything*? ;) )

Fixed that for you. ;)

Re:Actual Link

[Impy+the+Impiuos+Imp]

Come on, nerds only go thru the drive thru late at nite.

Re:Actual Link

[StripedCow]

I'm curious what the actual "expansion ratio" is. I.e., if you want to encrypt N bytes in a cover-message of M bytes, how many bytes do you actually need to store/transmit?

Re:Actual Link

Go during the day ... to obfuscate the traffic with a lot of instagrams from the shepple

Re:Actual Link

And leave your cell at home!

Re:Actual Link

I'm curious what the actual "expansion ratio" is. I.e., if you want to encrypt N bytes in a cover-message of M bytes, how many bytes do you actually need to store/transmit?

It would be M bytes.

Perhaps you meant the optimal ration of M/N such that M is large enough to hide N in while still being as small as possible.

Re:Actual Link

[godel_56]

I'm curious what the actual "expansion ratio" is. I.e., if you want to encrypt N bytes in a cover-message of M bytes, how many bytes do you actually need to store/transmit?

From TFA:

"Even with Cohen’s clever hashing trick, the cover text for a secret message must be much larger than that message itself. Cohen suggests a file five hundred times as large as the secret message to encode communications without raising suspicions."

Brave

It's probably better to work on this kind of thing in silence until it's released...

Re:Brave

[Thanshin]

It's probably better to work on this kind of thing in silence until it's released...

Or even beyond that point.

I released a similar tool two years ago and I'm still eagerly waiting for someone to discover it.

Re:Brave

[wonkey_monkey]

I released a similar tool two years ago and I'm still eagerly waiting for someone to discover it.

I sent you an email to say thanks but it would have looked like a letter from a Nigerian diplomat.

Re:Brave

[Thanshin]

I did receive it, but I didn't disclose its existence to protect your identity.

Once again, in cryptography, the user was his own worst enemy.

I originally read headline as

[Ukab+the+Great]

"Baron Cohen Unveils New Steganography Tool DissidentX"

Proprietary software...

If you're a whistleblower and use proprietary software, you're braindead. Might soon all dead...

The problem...

...If you're looking for a tool to protect your privacy from N*A, C*A, or any other A*holes monitoring teh Internets is that it would surprise me if they don't have automated tools to spot steganography. (i.e. They know exactly what the formatting of say a Word document should be, and should have the capability to automatically flag traffic which has nonstandard information in the headers or data.) And *that* will call their attention to you far more quickly than if you just store/send in clear.

So, that I post this with something like 46 75 63 6b 20 79 6f 75 20 4e 53 41 21 on a regular basis... I'll bet it's flagged for some human being's attention. And that information (the flow of the traffic) may be more important than the message proper.

Re:The problem...

[mlts]

There are tools to spot obvious steganography, especially if the de-stegged picture is already on the Internet somewhere. I remember reading something on /. where a researcher did a mass scan of Web pictures, and found almost no stego whatsoever.

Stego is a useful tool for transporting provided the de-stegoed document never, ever winds up on the Internet, but for storing data, it would be a lot better to use something like TrueCrypt or PhonebookFS.

Re:The problem...

Proper steganography where the data is first encrypted (which should make it indistinguishable from random noise) and then shaped to fit the statistical profile of the data it is being embedded in, which should be slightly noisy in itself, is virtually impossible to detect as long as the embedding rate is kept low. A short text message in a 500 K JPEG is extremely unlikely to be discovered.

Re:The problem...

[Penguinisto]

...what sibling said.

If you post a unique picture to, say, Instagram, then there's not going to be anything to compare against, especially if you're using something non-obvious and intelligent. If you post a unique Excel document with lots of formulas/macros in it, then that's obviously going to bork-up any attempt at finding steganography by way of algorithm. Even in your example of MS Word? one custom font, embedded picture/graph, macro and suchlike will happily help your document evade detection if the encryption lives within the image data.

That said, there are certainly means of testing against it by taking an image and meticulously deconstructing the thing, but that takes processing power and time (even if that time is measured in microseconds, it's still time, especially when you factor in download, data storage, IOPS, weeding out mis-named file extensions, etc - multiplied by the # of files processed.)

Also, I noticed something in your post - you mention posting something on a regular basis. Err, why bother using the same images over and over again? Upload each image/message once, and if it's pr0n (say you sketch the stuff and then photograph it, or make some unique screenshot and pass that around), your recipient would be only one of a mass of people downloading the thing.

Re:The problem...

[mlts]

There are simpler ways as well, depending on what one's forseen adversary is. In a past life, I had to deal with a third party whose E-mail server refused to allow any E-mail attachments whatsoever except Acrobat, and AutoCAD files were needed to be exchanged fairly quickly. So, when sending the DXF file, I ended up embedding it as an attachment in a password-protected PDF, and this did the trick.

Re:The problem...

Stego is a useful tool for transporting provided the de-stegoed document never, ever winds up on the Internet

Just make sure vast numbers of multiple "similar but not exactly the same" pictures like that one you're using are already on the internet. What did you think all those funny cat meme pictures were for?

Re:The problem...

[cellocgw]

In a past life, I had to deal with a third party whose E-mail server refused to allow any E-mail attachments whatsoever except Acrobat, and AutoCAD files were needed to be exchanged fairly quickly. So, when sending the DXF file, I ended up embedding it as an attachment in a password-protected PDF, and this did the trick.

You probably went to a lot of unnecessary work. Just rename your file "sekritdrawing.dxf.PDF" and it'll get past the server's filter just fine.

Re:The problem...

[sexconker]

it would surprise me if they don't have automated tools to spot steganography. (i.e. They know exactly what the formatting of say a Word document should be, and should have the capability to automatically flag traffic which has nonstandard information in the headers or data.)

Have you seen the formatting of Word documents that come out of your typical user?
You don't hit the "enter" key to make space, you jackasses. That creates a new fucking paragraph. Edit the paragraph's spacing if you want space below it. If you want an actual newline+carriage return, hit shift+enter. Stop using tab without first defining your tab stops to control where you want shit to be. Why are you using tabs to make columns anyway? Why are you trying to make columns (incorrectly via tabs) when what you want is a table? That's it, you're getting party vanned.

Re:The problem...

[MightyYar]

I have a macro that removes tabs, double newlines, and double spaces after periods among other things. I don't really fault users - most people learned word processing by simply dicking around with the software.

The worst one for me is when they don't set the tab stops and so resort to hitting tab and then space a few times until the text lines up approximately where they want. No (easy) way to automate that out!

Re:The problem...

So you do have the delusion that steganographically hidden texts can reliably be found by using some generic algorithm that needs not to have specific information about at least the absolute basics of the applied method of embedding the message?

Note: I've hidden a (very short) message in the above sentence. I didn't even encrypt it. How would an algorithm detect that?

Re:The problem...

[kagerato]

That is proper modern steganography, yes. It's a relatively new development compared to the long history of steganography. The key question, though, is if you're going to use encryption on your source data anyway, why go so far as to hide the cipher text inside a special, different container? Presumably, the answer has something to do the relative amount of work of detection. However, it seems like it would be easier and more effective to hide the encrypted data in a large sea of entropy (on whichever storage device). That will be harder to sort through than any mere individual file.

As far as I can tell, the only real advantage of steganography is that if no one is looking for it, they won't find anything odd. With encrypted data, the high entropy state appears to be gibberish when interpreted by any normal means, and thus looks out of the ordinary on computer systems full of low entropy data.

Re:The problem...

You could always encrypt your data with a large throwaway key and store that in the images. As long as you have access to your photo collection, you know which pics in which order are needed to extract your key.

Re:The problem...

[david_thornley]

I don't understand. If I put a message in some seemingly random data, either it stays on my system or I look suspicious for sending it to somebody else. If I use my phone to get JPEGs of my cats looking cute, and embed messages in them, and send them around, and never reuse a photograph, I'm not doing anything suspicious. (Selfies would also work, but I personally don't like sending all sorts of photographs of me around.)

Everyone cashing in on this NSA spying shit

Everyone has a new product out to stick it to the man. Not that the NSA scandal is anything to ignore, but a bunch of tinfoil hatters will buy some shit like this, money will be pocketed and the stuff will never really be used.

How about adding some anonymity and security to bittorrent?

Re:Everyone cashing in on this NSA spying shit

[Penguinisto]

*ahem* - apparently this little project costs the end-user $0.00 to acquire.

Not seeing much profit going on with this one...

Re:Everyone cashing in on this NSA spying shit

You don't think the group of researchers at Stanford are working with, or for, some grant money? Not seeing a donation link?

Get real.

Brilliant

[guttentag]

To the typical user it just looks like a random bunch of ones and zeros.

01101110 01101111 00100000 01101101
01101111 01110010 01100101 00100000
01110011 01100101 01100011 01110010
01100101 01110100 01110011

Re:Brilliant

[VortexCortex]

To the typical user it just looks like a random bunch of ones and zeros.

01101110 01101111 00100000 01101101
01101111 01110010 01100101 00100000
01110011 01100101 01100011 01110010
01100101 01110100 01110011

Nah, only morons openly represent encoded stuff exposed. Concealing real encodings takes stenography...

FTFY.

Re:Brilliant

"FTFY" ?

Ah, took me a minute, but I got it: The first letter of each word matches the binary ASCII codes above.. You used stenography to re-encode their message.

Steganography has always one big problem

If you can make the diff of the documents, you can demonstrate that something is hidden, and therefore you are broadcasting "i have something to hide". Does it matter really if the encryption is more obfuscated ? All you need is a good enough encryption. The rest are sprinkle on the cake. All the other side needs to know is that you have something to hide, and depending on the level of society you live on, water boarding, lead pipes, or court order to make you divulge what it is.

Re:Steganography has always one big problem

[guttentag]

All the other side needs to know is that you have something to hide, and depending on the level of society you live on, water boarding, lead pipes, or court order to make you divulge what it is.

Unsophisticated societies use lead pipes to force people to divulge information.
Sophisticated societies use court orders.
Modern societies use waterboarding.
Postmodern societies use facebook.

Think about it.

Re:Steganography has always one big problem

[Urza9814]

If you can make the diff of the documents

1) take photo
2) do steno stuff to hide data
3) delete original

Ideally you wanna get a digital camera with a ton of megapixels and a very crappy sensor -- ie, one with a very noisy image. I've got a Canon SX100IS that should do nicely, particularly if you use dim lighting...

found it.

The whole code for the project is actually embedded in the Slashdot front page today.

tool?

This does not even have tests. Barely any project-like organization. Just a bunch of python scripts hobbled together. Seriously, this is barely v0.1 material.

Call it a proof-of-concept, an experiment, anything. But not a tool.

Re:tool?

[dotancohen]

From the first lines of the first file on Github:

def x(m1, m2):
                assert type(m1) is bytes
                assert type(m2) is bytes
                return (int.from_bytes(m1, 'big') ^ int.from_bytes(m2, 'big')).to_bytes(len(m1), 'big')

assert x(x(b'abc', b'def'), b'def') == b'abc'

Maybe that was added after you posted. Note that it ostensibly has a 'test' (assert) but with functions named h(), x(), I find the code very unfriendly indeed.

Re:tool?

[XcepticZP]

I had a look at the rest of the code. Granted, it's a tad better than what you posted, but it is still ridiculously amateurish... He should definitely submit some of it here.

Re:tool?

Q. Your code is horribly inefficient and can be optimized in all kinds of ways.

A. That's why it's called 'reference' code.

FAQ:

Re:tool?

Bunch of scripts? So was Bittorrent, when he started it.

Re:tool?

[XcepticZP]

I wasn't talking about the "inefficiency" of the code. There's more to code than just how fast it runs. That has it's place, but most of the time, it is dwarfed by more important factors to consider.

Steganography?

[JustOK]

What is it with all the dinosaur porn lately? Stenography probably predates the first man-cave, and was probably responsible for early advances in inter-cave communication.

Leak Tracking

[guttentag]

But it uses a new form of steganography based on cryptographic hashes to make the presence of a hidden message far harder for an eavesdropper to detect than in traditional stego.

I think steganography is far more likely to be used to track the people who leak information. When information gets out that was apparently available to multiple people, the leaker may not realize that his copy had a specific steganographic signature that identifies him as the source. It could be a pattern of extra spaces or line breaks in the code of document that he doesn't even see. The increased availability of the technology will likely mean smaller companies or government agencies will use it to suppress leaks.

Re:Leak Tracking

[milesy20]

Wouldn't this concern be nullified if the original leaked documents are even slightly changed prior to release? From what I understand, any modification would render any encrypted messages unreadable...

Re:Leak Tracking

[MobyDisk]

No necessarily, because guttentag is really talking about watermarking, not steganography. You can watermark a document in such a way that the reader cannot detect the watermark (unless the compare theirs to the original). The watermark is retained even during (most) modifications. For example, a misspelling can be a watermark. Even if it is modified, so long as one or more misspellings remain, the watermark can be identified.

Re:Leak Tracking

[guttentag]

You would have to know where the signature was. If the document was distributed to a few dozen people, a single character could be used to identify which one leaked the document. It could be a punctuation "mistake" or any number of other minor things you wouldn't think to change. It could be a different thing that is changed in each version (in John's copy there is an extra space after the end of the first sentence, but in Jane's copy there is an extra space after the second sentence, etc.).

Re:Leak Tracking

[StripedCow]

You can nullify that by doing an N-way merge of the document with the N people that received it.

Re:Leak Tracking

[kaiser423]

That then requires N people to be in on the leak, making the bar to anonymously leak information even higher. Still doesn't stop a Snowden though :)

Re:Leak Tracking

[StripedCow]

An authority like Wikileaks can do the N-way merge for you.
Just upload the document to Wikileaks.
And supply the parameter N (meaning you don't want it published if the merge uses less than N documents).

Of course, you should then trust that the others uploading the document are not working against you.

Re:Leak Tracking

[Monoman]

What about converting to another file format before passing along the data?

jpg ---> png
doc ---> pdf
pdf --> screenshot ---> ?

Re:Leak Tracking

[girlintraining]

I think steganography is far more likely to be used to track the people who leak information.

You've got the right idea, but you're not connecting all the pieces of the puzzle to answer how. Allow me: You know that massive data center the NSA is building to basically "download the internet"? Well, as it turns out, the overwhelming amount of traffic on the internet is just a copy of something else. Translation: If you compressed it you'd get some amazing compression rates. Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration. In other words, if you use any publicly available image, document, etc., and then "stego" it... an adversary like the NSA can programically detect this. Plausible deniability goes right out the window.

The increased availability of the technology will likely mean smaller companies or government agencies will use it to suppress leaks.

This is something separate from steganography. What you're talking about is watermarking, and it's something color printers already do -- the serial number, username, time, etc., is encoded in yellow microdots on all pages. It was originally implimented to assist in anti-counterfeiting measures, but has since expanded to cover "national security" interests. And by that, I mean tracking down political undesireables and neutralizing them.

Re:Leak Tracking

I think steganography is far more likely to be used to track the people who leak information.

You've got the right idea, but you're not connecting all the pieces of the puzzle to answer how. Allow me: You know that massive data center the NSA is building to basically "download the internet"? Well, as it turns out, the overwhelming amount of traffic on the internet is just a copy of something else. Translation: If you compressed it you'd get some amazing compression rates. Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration. In other words, if you use any publicly available image, document, etc., and then "stego" it... an adversary like the NSA can programically detect this. Plausible deniability goes right out the window.

Why would you use something already public as the carrier? Just encode your secret payload into a video you just made of your cat playing with a piece of string, and then delete the original video. Now nobody can diff your carrier file.

Re:Leak Tracking

[kagerato]

That would remove nearly all steganography during the encoding phase, since the encoder doesn't care much about seemingly insignificant bits (like the low-order, high-entropy bits of an RGB image).

As the person you replied to pointed out, tracking is more about clever watermarking. Watermarks will not necessarily be removed by encoding to a new format. For text, patterns of spelling or mis-spelling will be preserved. Whitespace may or may not be preserved, depending on the source and target formats. Image watermarks will tend to be preserved, unless they are so subtle that they were very close to the noise of the image in the first place.

Metadata from the source format may or may not be preserved; that depends on the compatibility of the source and target formats and the options used during conversion. For example, ID3 tags are roughly comparable with the OGG metadata tags, but that doesn't guarantee they will be preserved in translation. It's a similar situation for metadata in video files.

The lesson here is not to rely on steganography for tracking purposes, since educated people will be able to work around it and even the ignorant may evade it simply by chance conversions.

Re:Leak Tracking

[kagerato]

Your first point/paragraph is why steganography can't replace good encryption as a data hiding technique. Steganography is much older than strong cryptographic encryption, but likewise it is much more limited in its capacities. When one relies on steganography, that person is taking a gamble that the method of data obscuration is never discovered. With encryption, assuming the algorithm is actually cryptographically sound, the discovery of the algorithm and even its specific implementation is not a big concern. It was often already known ahead of time anyway.

The whole trick to encryption, of course, is figuring out how to hide the keys where the user can reach them, but no one else can. There's no perfect solution to that problem. Any key that can be remembered is likely to be vulnerable to dictionary or other types of pattern attacks, and some even to brute force evaluation. Keys that can't be remembered need to be recorded, and then that requires defending a particular physical setting (place and time) essentially indefinitely against unknown adversaries of potentially great capability.

As to your second point, yeah. It sounded like a conspiracy theory when I first read about it, but many (if not most) printers do in fact leave watermarks in nearly everything they produce. I believe (but I'm not sure) that the method is actually usually implemented in the the printer firmware or even the hardware mechanism itself, rather than the driver. If so, it's extremely difficult to bypass. As for what the FBI and others may be using it for (beyond tracking counterfeiting), these days it's really anyone's guess. The FBI, much like the CIA and the NSA, suffers from a extreme case of mission creep.

Re:Leak Tracking

[VortexCortex]

Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration.

Bullshit. Useless to try hampering all the stenographic wrapper resources. Origin's not generally your only usecase. Lossy artifacts may encode representations.

Well, how about that? A stenographic insult lays lexically yet most other readings offer none.

Re:Leak Tracking

[Tom]

Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration. In other words, if you use any publicly available image, document, etc., and then "stego" it... an adversary like the NSA can programically detect this.

If you are stupid, yes.

If you are not stupid, you copy the image, crop it a bit, apply some filter and re-encode it. There goes your programmatic detection.

Re:Leak Tracking

[vux984]

That's why I always leak someone else's copy.

Re:Leak Tracking

[david_thornley]

It's simple. First, come up with a type of picture that you can plausibly send around. Ideally, acquire cats. Second, take your own pictures. Third, embed your message in the picture. Fourth, send out the picture that contains the message. Make sure the original never leaves your own possession, and never ever reuse a picture. Find different cute positions for your cats instead.

Re:Leak Tracking

But that's wrong you lamer. What a silly moron.

Clever girl.

We need a higher level of functionality

[Tangential]

I'd like to see someone come up with a steganographic RAID-ish storage volume. I'd like a driver that scattered encrypted data throughout my media files but presented that data as an updateable storage volume. It would need enough redundancy to survive the loss of some of the files (hence the RAID-ish part.) If I could hide writeable encrypted data throughout my iTunes, Photo, Video files and access/update it without actually changing the size, mod dates, etc of the files it would be very handy and reasonably hard to detect.

Re:We need a higher level of functionality

hanging out on slashdot was pretty poor return already, imagine if all of these forum discussions
contained synthesized slices of text holding little bits of some larger filesystem ..wait..

Re:We need a higher level of functionality

Wait, how would you cram data into existing files without changing their size...?

Re:We need a higher level of functionality

This is typically done by storing it in files where slight changes to the data doesn't affect the use of the file, e.g. images. If the pixels of an image are slightly bluer or redder or greener you probably won't notice, same with music files and other things like that. You store the information in the least significant parts of the information.

Re:We need a higher level of functionality

[swb]

I was thinking of something similar.

The idea that popped into my head was a virtual volume whose backing store was a directory full of image files with the data spread out across the image files using a distributed parity system. Ideally it would be encrypted prior to being stored steganographically in the image files.

With the right automation you could have the storage system dynamically use something like Google image search to grab new images to use as stego storage targets.

Re:We need a higher level of functionality

[Insightfill]

I'd like to see someone come up with a steganographic RAID-ish storage volume.

Sounds like a variation on a "PAR" archive. It may be that a combination of PAR with a TrueCrypt volume way to go. If someone could do PAR as a FUSE project, then you'd be partway there. This would still be missing the steganography angle, and I don't see anything to help that along.

better name

XfiltratorX

#BADBIOS IS FUCKING YOU AND STILL YOU DISBELIEVE

N.S.A. Devises Radio Pathway Into Computers

By david e. sanger and thom shanker = jan. 14, 2014

= URL: http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html
= Image: http://cryptome.org/2014/01/nsa-quantum-radio.jpg
== Coverage #1: http://news.slashdot.org/story/14/01/15/1324216/nyt-nsa-put-100000-radio-pathway-backdoors-in-pcs
== Coverage #2: http://cryptome.org/2014/01/nsa-quantum-radio.htm
== Coverage #3: http://rt.com/usa/nsa-radio-wave-cyberattack-607/
== Coverage #4: http://arstechnica.com/security/2014/01/nsa-uses-covert-radio-transmissions-to-monitor-100000-bugged-computers/
=== Archive: http://web.archive.org/web/20140116010210/http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html

"WASHINGTON - The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.

The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

The N.S.A. calls its efforts more an act of "active defense" against foreign cyberattacks than a tool to go on the offensive. But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level.

Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command, have been units of the Chinese Army, which the United States has accused of launching regular digital probes and attacks on American industrial and military targets, usually to steal secrets or intellectual property. But the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls "computer network exploitation."

"What's new here is the scale and the sophistication of the intelligence agency's ability to get into computers and networks to which no one has ever had access before," said James Andrew Lewis, the cybersecur

Cue the NSA

[Jason+Levine]

Cue the NSA insisting that they need to examine every photo and video that passes over the Internet because terrorists might be using this.

Also cue some enterprising NSA employee convincing his superiors that terrorists might hide stuff on porn sites and he needs to examine those photos/videos very carefully and repeatedly.

Re:Cue the NSA

[PPH]

In related news, the NSA's Utah data center is filled to capacity with versions of Goatse Guy.

Comic Sans

[ArhcAngel]

I just encode messages by changing the font of the letters in the hidden message to comic sans.

Closed?

[alexandre]

Will it be closed like Bittorrent-sync?

Re:Closed?

Closed in not strong enough of a word considering the way those jerks attack and threaten lawsuits or even arrests of people that talk about how the product works.

GAH!

Christ! Spoiler alert please!!

Question

[PPH]

Of course I didn't read TFA!

Will there be an effective way for cryptanalysts to know the number of separately encrypted messages that exist within a data object? If so, the deniability feature of this will be of little use. If the number is not known, then handing over the password to a relatively innocuous message might be sufficient to end the interrogation. If the number is known, the waterboarding will continue until all passwords are revealed..

Re:Question

[psithurism]

I read TFA, and you didn't miss much. The reporter dumbed the idea too far down or didn't understand it himself. https://github.com/bramcohen/DissidentX [github.com] has a little more explanation especially if you want to read the code.

Anyway, you can't tell how many messages are encoded, in fact you shouldn't be able to see if a single message is encoded at all, hence the purpose of the tool and stenography in general. Though, if you have the undoctered original file and you know that this tool is the only thing that might have messed with the file, then you can tell that at least one message has been encoded.

However, you can tell how many messages could be encoded and therefore keep water-boarding until you get that many messages, but likely no one put that many messages into the file in the first place so your just doing the extra torture for fun.

We got that covered

I'm pretty sure people in this thread are confused between cryptography and steganography. Either way, I thought we had the latter one covered with the rising popularity in the online meme images. Since they're expected to be doctored you have no way of detecting a hidden message under the obvious stupidity. Wow.

Not based on hashes

[dutchwhizzman]

Hashes are *always* one way. So you can't ever decrypt something that you only have a hash from. The best you can do is compare the hash to a hash of something you have as well and see if the hashes are the same. Unless you've chosen an algorithm that is known to have a lot of collisions, you can be fairly certain that your original text is probably the same thing as the other person's original text if the hashes are identical. Encrypting something with hashes so others can read it therefor doesn't work and this can't be based on "cryptographic hashes"

Re:Not based on hashes

[VortexCortex]

Hashes are *always* one way.

Well, then welcome to the infinite future. Here, in the way beyond all, "hashes" are simply a cryptographic primitive: Pseudo random number generators.

Where Hash() is any hashing function, and blocks are the length of a hash output, + is concatenation, XOR is Exclusive-Or of two blocks worth of bits.

Encipher:
output_block[ 0 ]: input_block[ 0 ] XOR Hash( key )
output_block[ 1 ]: input_block[ 1 ] XOR Hash( key + input_block[ 0 ] )
...
output_block[ n ]: input_block[ n ] XOR Hash( key + input_block[ 0 ] + input_block[ 1 ] + ... input_block[ n - 1 ] )

Decipher:
output_block[ 0 ]: input_block[ 0 ] XOR Hash( key )
output_block[ 1 ]: input_block[ 1 ] XOR Hash( key + output_block[ 0 ] )
...
output_block[ n ]: input_block[ n ] XOR Hash( key + output_block[ 0 ] + output_block[ 1 ] +n ... output_block[ n - 1 ] )

The trick here is to maintain two "hash" objects. One you keep advancing by adding plaintext to. Clone the state of this pseudo random number generator ("hash") before calling it's .digest() function to produce the hash output each round. This way you do not use the output of any prior rounds -- you use the message itself which is obscured inside the hash.

This is is a simple demonstration, not meant for real world use. It has some security problems with chosen plaintext attack, etc. However, with a few modifications you could easily fix this, and add HMAC, key stretching, etc.

Here in the future the past provides reference for all present meaning, as in the cipher above.

its crackable

its crackable and its not safe...period considering he works essentially for warner brothers...this is not even news its a joke on any that think it is

copyright infringment

i have a tool like this as part of my hacker tools
its 12 years old time to sue warner borthers and brahm cohen

Hide text in the indentation of source code.

You know about those people who say: "indents must be 4 spaces", "no indents must be tabs".
Well I use both, I encode messages in the indentations of my source code.
I set tabs to be 4 characters wide. Then use the following encoding:

tab = 0
space tab = 1
space space tab = 2
space space space tab = 3
space space space space = 4

Each line can encode multiple quinary digits. It is best when you program to make large functions, and to have multiple levels of for and while loops and deep if statements.

Encoding cleverly uses spaces, Oxford commas

[__roo]

This is really clever. It includes encoders that use tabs spaces at the ends of lines, and even Oxford commas. That is ridiculously cool. Nice work, Bram & co.!

Re:Encoding cleverly uses spaces, Oxford commas

All that is missing is some apostrophe abuse based encoding. Everybody's grammar/spelling/typing is getting so bad, nobody would notice!

I think not

They know exactly what the formatting of say a Word document should be

Yeah right, even Microsoft doesn't know that.

Small variations in know content will be detected.

If you hide anything in a common piece of media content it will stand out against all the other versions.