Since when is steganography hypothetical? Or rather, how does hypothetical mean "previously undocumented in the wild"? There have been practical tools for digital image steganography since at least the early '90s.
Neils Provos did a study of all of Usenet (I think?) as part of his PhD thesis, as an input data set for stegdetect, which used statistical (I think?) techniques to detect steganography. Long story short: nobody uses steganography.
Of course steganography is old, both as a concept and as tools to accomplish it.
The article says this is the first time it's actually known to have been used for nefarious purposes. That doesn't exclude prior usage for fun and experimentation, or even for practical purposes (say, wartime or corporate communications).
Seriously. I remember we had a stenography lesson at a summer program I participated in during high school, back in 2004. The software we used was pretty old, and the class was held at TN Tech and led by a guy from the Cooke Co. Sherrif's cybercrime division. Not exactly people on the front lines of internet security research.
The meat of the article is in these two paragraphs:
The accused spies posted the seemingly mundane photos on publicly accessible websites, but then extracted coded messages from the computer data of the pictures, according to the criminal complaint filed by the FBI. Although computer scientists have theorized about the existence of this communication technique for over a decade, this is the first publicly acknowledged use of the technique.
"There have been occasional claims in the press about al Qaeda using it, but never with any evidence or even attributed to specific government officials," said Steven Bellovin, a professor in the Columbia University department of computer science. "Here, we have court papers filed by the FBI under penalty of perjury that says these folks were doing it. The threat, in other words, is no longer hypothetical."
No. If you've hidden the details in the finest image details, then any form of lossy compression would ruin the message.
But there is no shortage of popular sites that will let you post innocuous seeming files unchanged that could serve this purpose. So that is not a problem.
I'm curious - if you encrypt the message before embedding it in the image, it should be impossible to prove that a message exists (unless prosecution has its hands on the original), because changing only the lowest-order bit of each byte of image data probably has less impact than the noise from the camera itself, especially if it's an old camera. Alternatively, given any image and any message small enough, you could prove the message is hidden in the image.
Incidentally any form of encryption becomes even harder to break if you compress the message first. Furthermore this results in a shorter encrypted message, which is easier to hide. So the correct strategy is always compress, then encrypt, then encode.
The flaw in the defendant's procedures was that the data containing the steganography message existed on their machines at all. There is no longer any reason to do this. A foreign power could have their agents do the following:
- stego the messages locally in photos
- upload photos to a small photo sharing site set up by the agency
- use a secure erase program on the photos
The software on the "photo sharing site" can remove the steganography data from the photos before displaying them on the site. All of the steps can even be written into the "photo sharing" desktop client software provided to users on the site. If a scheme like this had been properly implemented, the US government wouldn't have the contents of any outgoing messages to use in their case. The stego can be disguised as a fun easter egg to let site users play secret agent. (Press Ctrl-Shift-0-0-7 to reveal the "invisible ink dialog.")
A challenge: can one use a scheme like this to also refuse government counter-spies' access to incoming messages?
Nothing says "Hey I've discovered classified information" quite like an encrypted email to the KGB. A primary goal of steganography is to disguise the act of transmitting sensitive data.
But if you can hide communications in photos stored on, say, flickr, then nobody knows that communication between individuals is occurring. And because the images are publicly available, even when the authorities figure out what was happening and look into server logs, there's going to be a lot of noise in there, so they probably won't be able to say exactly who was receiving the messages.
(I suppose if there are many messages, they could do some cross-correlation between them, but I also suppose that savvy bad guys would expect that and take measures to make that noisy as well.)
With steganography, not only do you hide WHAT you're saying, but you hide the fact that you're saying anything at all. Pictures are easily distributed publicly, so if done carefully, there wouldn't even be a way to know who you had said it to.
Once a fact of agent's communication is established, the encryption doesn't matter all that much. It's only a matter of time for beating the keys out of you (ok we know FBI doesn't do that anymore).
[+] [-] ynniv|15 years ago|reply
Heck, it was on Law and Order last year: http://allthingslawandorder.blogspot.com/2009/10/law-order-s...
[+] [-] tptacek|15 years ago|reply
It's really not that much of a win.
[+] [-] statenjason|15 years ago|reply
[+] [-] CWuestefeld|15 years ago|reply
The article says this is the first time it's actually known to have been used for nefarious purposes. That doesn't exclude prior usage for fun and experimentation, or even for practical purposes (say, wartime or corporate communications).
[+] [-] shaddi|15 years ago|reply
[+] [-] CWuestefeld|15 years ago|reply
The accused spies posted the seemingly mundane photos on publicly accessible websites, but then extracted coded messages from the computer data of the pictures, according to the criminal complaint filed by the FBI. Although computer scientists have theorized about the existence of this communication technique for over a decade, this is the first publicly acknowledged use of the technique.
"There have been occasional claims in the press about al Qaeda using it, but never with any evidence or even attributed to specific government officials," said Steven Bellovin, a professor in the Columbia University department of computer science. "Here, we have court papers filed by the FBI under penalty of perjury that says these folks were doing it. The threat, in other words, is no longer hypothetical."
[+] [-] dublinclontarf|15 years ago|reply
[+] [-] hasanove|15 years ago|reply
[+] [-] _pi|15 years ago|reply
[+] [-] mtr|15 years ago|reply
[+] [-] btilly|15 years ago|reply
But there is no shortage of popular sites that will let you post innocuous seeming files unchanged that could serve this purpose. So that is not a problem.
[+] [-] conanite|15 years ago|reply
[+] [-] btilly|15 years ago|reply
Incidentally any form of encryption becomes even harder to break if you compress the message first. Furthermore this results in a shorter encrypted message, which is easier to hide. So the correct strategy is always compress, then encrypt, then encode.
[+] [-] stcredzero|15 years ago|reply
A challenge: can one use a scheme like this to also refuse government counter-spies' access to incoming messages?
[+] [-] kilian|15 years ago|reply
[+] [-] binarymax|15 years ago|reply
[+] [-] IgorPartola|15 years ago|reply
[+] [-] ynniv|15 years ago|reply
[+] [-] CWuestefeld|15 years ago|reply
But if you can hide communications in photos stored on, say, flickr, then nobody knows that communication between individuals is occurring. And because the images are publicly available, even when the authorities figure out what was happening and look into server logs, there's going to be a lot of noise in there, so they probably won't be able to say exactly who was receiving the messages.
(I suppose if there are many messages, they could do some cross-correlation between them, but I also suppose that savvy bad guys would expect that and take measures to make that noisy as well.)
[+] [-] TallGuyShort|15 years ago|reply
[+] [-] varjag|15 years ago|reply
Once a fact of agent's communication is established, the encryption doesn't matter all that much. It's only a matter of time for beating the keys out of you (ok we know FBI doesn't do that anymore).
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] crististm|15 years ago|reply
[+] [-] crististm|15 years ago|reply
This Yahoo post is not far away from one.