
A promising method to thwart global surveillance

On 05/26/2016 03:29 PM, Ryan Carboni wrote:
> The Russian Illegals spy ring in New York used steganography.

I wasn't able to find much detail on that case (in just a couple of
minutes), but it appears that the crew in question were reportedly
using a "custom" stego application to hide documents in photos.

Steganalysis tools that look for statistical and other anomalies in
photos (or audio, etc.) have been under development since ever, and
seem to work very well; presumably NSA et al have way better ones than
we do.  This suggests that the only way to make steganography work
against State actors is to "act normal" and hope for the best, i.e.
that your message traffic will not be inspected.  This may sound like
it would work, given the terabytes per millisecond of potential
carrier files crossing the networks - way more than can be stored and
analyzed fast enough for full coverage.

Only one little problem:  Everyone who has traveled to any "hostile
jurisdiction" and everyone who has ever used the word "steganography"
in a cleartext message, visited websites on the topic, participated in
any kind of online discussion about cryptography, etc. is a small
enough set that a large part of /their/ message traffic could be
routinely inspected for hidden content by State level actors.  So that
leaves most spies and all of /us/ out in the cold.

> The Caliphate cell in Brussels used truecrypt files uploaded to 
> cyberlockers in Turkey. But the grugq notes that truecrypt files
> would probably have a fixed size (and even with a random length, it
> would still round to kilobyte sizes), so it wouldn't be so simple.

Not sure how Truecrypt volumes constitute steganography. Padded
ciphertext is still ciphertext, plain as day.

> Obviously if state-level actors use these methods against the NSA, 
> steganography does have a good role to play. Problem is that
> machine learning has advanced substantially. In a worst case
> scenario, it will be obvious that you have steganographic files,
> that is if photodna hashes are similar for many files, but fuzzy
> hashes aren't as similar.

If state-level actors are /caught/ using these methods against the
NSA, that would tend to demonstrate that the methods in question do
not work against State actors.

Hiding files inside of files seems to be a bust, but that's not the
only vector for steganography.  Manipulating the timing of signal
traffic, the timing of "real" environmental noise in audio recordings,
the presence/absence/number/position of certain objects in normal
photographs, the presence/location of specific words in text files
etc. could convey covert messages with little or no risk of detection
through automated analysis - but could not hide kilo- or megabytes of
information per carrier file.

> The best that could be done would be to make automated scans more 
> probabilistic and less reliable (I have tens of thousands of files
> on my computer), by embedding encrypted data steganographically in
> images in the PDF file. The text and images of the PDF file could
> be procedurally generated.

Any practical stego detection protocol should include native analysis
of images embedded in PDF files, with no additional computational
overhead vs. analyzing plain old image files.  In the case of
analyzing the content of seized computer, the presence of stego tools
should assure full steganalysis of all relevant files - and stored
message traffic to and from the user.

> But I'm not an expert. I'm just pointing out what makes sense to
> me.

Me neither, but I used to be very interested in steganography.  Reading
up on the subject led me to the conclusion that it should work /great/
against adversaries who "suspect nothing" and/or don't know that
steganography exists.  Other adversaries, not so much - unless, as noted
above, one is using a system more akin to a code than a cipher, which
hides a /few/ bits of information in plain sight via the presence,
absence or position of "normal" content in text or media files.
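
As an added illustration of the statistical steganalysis the reply above refers to (example code written for this page, not part of the original thread or any tool it mentions): the pairs-of-values chi-square test, run on a constructed cover and on the same samples after full-capacity LSB randomisation, which is the histogram effect of embedding an encrypted payload by LSB replacement. The cover is synthetic (a tone-curve quantisation that produces the odd/even "combing" real images show), not a real image, and the 2.0 flagging threshold is an assumption.

```python
# Pairs-of-values chi-square steganalysis (Westfeld/Pfitzmann style) on
# constructed data. Demonstrates why simple LSB hiding is easy to spot.
import random


def pov_chi_square(samples, levels=256):
    """Chi-square statistic over value pairs (2k, 2k+1).

    Full-capacity LSB replacement with random-looking (encrypted) data
    pushes h[2k] and h[2k+1] toward equality, so the statistic falls to
    about one per pair; untouched covers score far higher.
    Returns (statistic, degrees_of_freedom)."""
    hist = [0] * levels
    for s in samples:
        hist[s] += 1
    stat, pairs = 0.0, 0
    for k in range(0, levels, 2):
        total = hist[k] + hist[k + 1]
        if total == 0:
            continue  # empty pair carries no evidence either way
        expected = total / 2.0
        stat += ((hist[k] - expected) ** 2 + (hist[k + 1] - expected) ** 2) / expected
        pairs += 1
    return stat, max(pairs - 1, 1)


def make_cover(n, seed=1):
    """Constructed cover (assumption, not a real image): 9-bit sensor values
    through a gamma tone curve, quantised to 8 bits, which leaves uneven
    odd/even bin counts like the combing seen in real image histograms."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        raw = min(511, max(0, int(rng.gauss(200, 60))))
        out.append(min(255, round(255 * (raw / 511) ** 0.45)))
    return out


def randomise_lsbs(samples, seed=2):
    """Simulate the histogram effect of full-capacity LSB replacement with an
    encrypted payload: every least significant bit becomes a coin flip."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


def looks_embedded(samples, threshold=2.0):
    """Flag samples whose per-pair statistic has collapsed toward 1."""
    stat, dof = pov_chi_square(samples)
    return stat / dof < threshold


if __name__ == "__main__":
    cover = make_cover(30000)
    stego = randomise_lsbs(cover)
    for name, data in (("cover", cover), ("lsb-randomised", stego)):
        stat, dof = pov_chi_square(data)
        print(f"{name:15s} chi2/dof = {stat / dof:7.2f}  flagged = {looks_embedded(data)}")
```

The same collapse happens whatever the payload is, as long as it is encrypted or compressed; a partial-capacity embedding only flattens the pairs it touches, which is why practical detectors scan the sample sequence in windows.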
