Hiding Secrets With Steganography On FreeBSD 424
BSD Forums writes "Bad guys in the movies all keep their wall safes hidden behind paintings. Is there a metaphor in there for your sensitive files? OnLamp's Dru Lavigne explores steganography, or hiding secret messages in images or sounds, with the outguess and steghide utilities on FreeBSD."
Steg is fairly useful, but it is crackable (Score:5, Insightful)
Re:Steg is fairly useful, but it is crackable (Score:1, Insightful)
You can encrypt a message then hide the encrypted text within a file with steganography. Casual browsing wouldn't reveal the existance of the encrypted info.
Re:Good stuff, but... (Score:2, Insightful)
Re:Good stuff, but... (Score:1, Insightful)
good point. I need more coffee before I reply to these things...
Steganographers Need To Hide Their Tools Too (Score:3, Insightful)
Adding hooks to libraries and hiding executable code in data areas and coming up with slick ways of calling into that code when you actually do some stega processing is an area ripe for exploration. It may be more challenging than data hiding as well, especially when you consider the huge libraries of md5sums for all known executables and libraries that are maintained and distributed by computer forensics people.
Re:No... (Score:0, Insightful)
And how is that different than... (Score:3, Insightful)
Where have YOU posted objecting to abuses like the above?
Well?
Re:The great thing about being disorganized... (Score:5, Insightful)
If I upload 500 photos a month to the net Each of them contain something in the photo (results of
I've seen this used many times and is used in nature by birds and fish...
a school of 500 fish makes it impossible for a predator to single out one specific fish.
Re:No... (Score:3, Insightful)
I used to use hollowed out books in college for safe storage from the idiot friends my roommate had, same as the trick of the first 4 bottles of beer in the fridge were filled with piss, the pattern of real beer versus piss was changed weekly by the beer owner. It kept the mooch friends out of the beer, although was a bit wierd to have bottles of piss in the fridge as far as I was concerned.
You can blend in if you make that elephant look like it belongs there... release a herd of elephants and your elephant will not be noticed.
It's the same trick as the fake rock holding your house key.
Re:Not so good.. (Score:2, Insightful)
if EVERY picture on a website trigger's it's detection and yet you find nothing in them you begin to suspect the usefulness of the tool.
here lies the true power in stenagraphy.
He's keeping your ass free (Score:0, Insightful)
He's making himself a target so you don't have to. Ass.
Re:No... (Score:5, Insightful)
If you are using stegged files (they do not have to be images) to communicate with others, then you are hiding the channel. This is a potentially very useful mechanism against automated monitoring tools, particularly if the data is first encrypted. Isolated information in high-volume channels can be very hard to detect. Another use would be to help defeat traffic analysis.
This is not to say that steganography is a magic means of information hiding. But it is one of the useful tools.
Yes, except (Score:5, Insightful)
Great Observation (Score:3, Insightful)
Just like calling downloaders 'pirates' and 'theft'.
Re:I wonder . . . (Score:3, Insightful)
This is usually not completely reversible. You'd better experiment on the file before doing that, or you'll lose data.
Re:Good stuff, but... (Score:5, Insightful)
Re:No... (Score:3, Insightful)
The only problem here is to keep track of what is what. After a couple of files, it's going to be a pain to remember which file has your pr0n site passwords in it, versus Gramma's cookie recipe.
Well obviously you only have to keep track of one file, the one which holds the list of all the other files you've got with encrypted content.
. Al.Re:Good stuff, but... (Score:2, Insightful)
... The bad guys get the same catalogs you do!
Re:No... (Score:5, Insightful)
Re:Commercial for BSD! (Score:2, Insightful)
Before you knock FreeBSD for supporting a form of encryption (encryption being something that every law-abiding citizen should be entitled to in order to protect his or her privacy), maybe you should tell us what OS YOU use so we can check to make sure it doesn't support encryption tools like the ones you're faulting FreeBSD for.
Re:Steg is fairly useful, but it is crackable (Score:2, Insightful)
If you want to earn that informative mod-up, provide a reference.
School of Fish (Score:2, Insightful)
I thought the strategy behind the school of fish was: if there are 500 fish, and I am one of them, then my odds of me getting eaten during an attack is 0.2% The larger the group, the lower the chance that *I personally* get singled out.
I don't think the predator cares about going after a certain fish. Unless if finds one that has really cute eyes. It just wants a fish.
Re:Really, what do you guys need to hide? (Score:2, Insightful)
Or, suppose you are a member of a group citizens petitioning the government for redress, to change some statute you find out-dated, or overly opressive. There are enough hot-button issues that are so politically charged, that anyone who even has the temerity to suggest that they be changed, is branded a pervert, a criminal, a traitor, or worse. (e.g. issues around gun control, legalizing marijuana or prostitution, lowering the age of consent)
I posit that in the US at this moment, it is actually very difficult for citizens to engage in cogent public discourse on these topics, for fear of being branded. It would behoove you to do your political organizing in private.
And finally, and perhaps most importantly: Just because one wishes to hold something private with their compatriots, does not mean they are planning a terrorist attack or a bank heist. What I choose to keep private is not subject to debate.
Now, the second point you make - at the current state of the art, using strong encryption is sufficiently difficult, that it is, in and of itself, a "red flag" that something might not be kosher. The only solution for that is for more and more people to use it more and more frequently.
This is of course, not without political expense: If suddenly 80% of all person-to-person e-mail is encrypted, and all person-to-group e-mail is at least signed, encryption technology will be front page on the Wall Street Journal, and the political powers for the suppression of thought-crime will demand that it be tightly regulated.
Encryption technology is restricted under export rules as a "munition." Perhaps a case could be made under the second amendment, that our fundamental freedoms are dependant on not only the right to bear arms in the form of an SKS, but also in the form of PGP.
Re:Good stuff, but... (Score:2, Insightful)
Re:Is this limited to FreeBSD only? (Score:5, Insightful)
or
A securely encrypted message, hidden in a file with ostensibly another purpose, such that there is no way to prove the existence of the hidden message would keep anyone from telling you: "Reveal the secret key to this obviously encrypted file, or face contempt of court and an automatic prison sentence."
Re:steganography isn't secure at all (Score:2, Insightful)
Main reason to use steganography: (Score:3, Insightful)
You're missing the point.
The main reason to use steganography is that it hides the fact that you are hiding something. If you use straight encryption, it is obvious that you have something sensitive that you want to encrypt (most people don't go to the trouble of encrypting things otherwise). Steganography helps you fly under the radar and send encrypted data without people knowing that you are sending encrypted data in the first place.
If someone is already suspicious of you, then of course they can analyze your communications and perhaps notice any steganographic attempts. But if not, you may be able to escape notice longer by exchanging seemingly innocuous data than by exchanging industrial-strengh encrypted data.
Re:Commercial for BSD! (Score:2, Insightful)
The only question you may be asking yourself is "why use such a utility?" Probably the most common use is to safeguard passwords. We all know that we should use different passwords for various tasks. For example, you should use a different password to log into your computer, another to retrieve email, another for online banking, and yet another for when you create an account on a web server. It can be very handy to make a text file of each password and its usage, and to safeguard that file by hiding it in a place no one would suspect to look.
Re:Commercial for BSD! (Score:3, Insightful)
You say you "fail to see legitimate uses". Very well. Would you have a legitimate use for a safe? I will assume "yes"... we all have valuables. So let me ask you this: does it make more sense to put the safe in the middle of a wide open room, standing out, maybe even with a sign that says "The safe is here!" Or maybe instead, hide it somewhere. At least in the closet. Or behind a fake wall panel. Buried in the basement? Recessed in the wall behind a dresser?
Steganography is the equivalent of hiding the safe somewhere where it wouldn't be located or expected. If I have passwords on my computer... even if I encrypt them, does it makes sense to store them in
Steganography is neither in itself good or bad. It's a tool which can be used for good or bad. Like a steak knife. Don't condemn it just because all you can think of are the bad uses.
What I'd like to see (Score:4, Insightful)