
First Steganographic Image Found In The Wild 306

Niels Provos writes: "After months of searching for steganographic content on eBay and elsewhere -- downloading millions of images, we were finally able to find an image with a steganographic message hidden in it. Stegdetect and Stegbreak made short process with it. It took less than a second to compute the secret key necessary to extract the hidden message. Two commands at the prompt, and we found the hidden message to be an image of a B-52 scrapyard. Right off Terraserver."

  • No surprise (Score:5, Insightful)

    by Lumpy ( 12016 ) on Monday October 15, 2001 @02:21PM (#2432055) Homepage
    That it was the planted image from ABC. This is not what I would call a real detection of "in the wild". Show me an image that wasn't part of a media company stunt, or other reporter activity on the very technology of steganography. Any of the supposed bin-laden images? How about a simple script-kiddie or cracker/thief communication?

    In the wild denotes actual use by third parties. A virus in the wild means it's out there looking to do damage and infect. This image is the equivalent of a hello world program on a how to program website.

    It's not in the wild. It's an example placed by ABC news.
  • by Tassach ( 137772 ) on Monday October 15, 2001 @02:26PM (#2432093)
    If it only took "a couple of seconds" to find the secret key, it couldn't be very good. There's a big difference between "hide a message in the low bits of an image" grade stego and cryptographically secure stego. If you "encrypt" a message by XORing it with 0xDEADBEEF, don't be surprised when your super-secret encryption is broken.


    Good stego should be undetectable -- first off, the hidden message should be encrypted, and therefore nearly indistinguishable from any other set of random numbers. Also, the message needs to be several orders of magnitude smaller than the carrier image -- if you want to hide a 1K message, you ideally want a ~1M image to put it in. Isolating 1K of signal out of 1M of noise would be very computationally difficult.
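
An added illustration of the trade-off raised in the comment above (not code from the thread or from Stegdetect): a pairs-of-values chi-square check on constructed 8-bit samples, showing that LSBs overwritten with random-looking payload bits stand out when the carrier is filled and barely move the statistic at a 0.1% payload rate. The cover data, its deliberate 60/40 LSB skew and all function names are assumptions made for the demo.

```python
import random

def make_cover(n, rng):
    """Constructed cover: 8-bit samples whose LSB is 1 only 40% of the time.
    The skew is exaggerated so the effect shows on a small sample."""
    out = []
    for _ in range(n):
        k = min(127, max(0, int(rng.gauss(64, 12))))
        out.append(2 * k + (1 if rng.random() < 0.4 else 0))
    return out

def embed_lsb(cover, n_bits, rng):
    """Overwrite the LSB of the first n_bits samples with random bits,
    a stand-in for an encrypted payload."""
    stego = list(cover)
    for i in range(n_bits):
        stego[i] = (stego[i] & ~1) | rng.getrandbits(1)
    return stego

def pov_score(samples):
    """Mean chi-square per pair of values (2k, 2k+1).
    Random LSBs equalize each pair, so a score near 1 suggests embedding."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    total, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < 5:  # too sparse for a meaningful chi-square term
            continue
        total += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
        pairs += 1
    return total / pairs if pairs else 0.0

def demo(n=200_000, seed=2001):
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    full = embed_lsb(cover, n, rng)          # payload uses every sample
    low = embed_lsb(cover, n // 1000, rng)   # payload uses 0.1% of samples
    return pov_score(cover), pov_score(full), pov_score(low)

if __name__ == "__main__":
    for name, score in zip(("cover", "100% payload", "0.1% payload"), demo()):
        print(f"{name:>13}: {score:8.2f}")
```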

  • by trilucid ( 515316 ) <pparadis@havensystems.net> on Monday October 15, 2001 @02:26PM (#2432097) Homepage Journal

    but I'm kinda bothered by this sort of thing, not in the way some might think. I don't have any problem at all with the research being conducted (actually I support it, good stuff!), but I hate that gobs of bandwidth are wasted by this sort of thing.

    I mean, how much bandwidth is taken from companies with large numbers of images on their sites (EBay for example) as a result of stuff like this? It's not exactly something you can say adheres to purely ethical use of their bandwidth.

    There's got to be lots of projects out there attempting this stuff, especially given recent press coverage on the topic. Who's picking up the tab for the network usage?

    Perhaps a permission-based scheme would be better, or better yet a volunteer-supported test server pool dedicated to hosting images. That way, people could test out steganography techniques by posting their images to the pool for the community at large to take a crack at. Thoughts? Flames? Oranges?

  • by DrXym ( 126579 ) on Monday October 15, 2001 @02:27PM (#2432101)
    Given the publicity that the first stego search got, I wouldn't be surprised if you ran the test again that it would find thousands of stego messages out there.


    No doubt a fair proportion of them contain spook words too.

  • by saridder ( 103936 ) on Monday October 15, 2001 @02:38PM (#2432157) Homepage
    It's a PUBLIC internet and a PUBLIC web site. There is a "risk-analysis" companies make in doing business on and being connected to the Internet, whether it's virii, hackers and script kiddies, or just plain web browsers.

    I admit there may be a huge glut of bandwidth being used in the research, but it's just a fact of life on the internet.
  • by Simon Brooke ( 45012 ) <stillyet@googlemail.com> on Monday October 15, 2001 @02:42PM (#2432180) Homepage Journal
    They search for steganographic images on eBay and have found none. Quel surprise.

    Eventually they get told that yes, there is a steganographic image on ABC, and they look at it, and guess what? They prove that it is a steganographic image and they can really desteg it. Quel surprise!

    Of course, this particular image was very simply constructed as an example for a mass entertainment news channel intended for a general, non-specialist, audience. It was not constructed by someone concerned about secrecy or desperate to conceal a secret message. On the contrary it was constructed using handy, freely available steganographic image tools, not special purpose custom written ones.

    Great!

    This doesn't prove that there aren't steganographic images on eBay which their software can't detect. It doesn't prove there aren't steganographic images on alt.sex.binaries.fluffy-bunnies. It doesn't prove there aren't steganographic images on your favourite pr0n site.

    It doesn't even prove that some spook agency somewhere can't detect all these steganographic messages, desteg them, and read the payload. All it proves is that these two academics can only detect a steganographic image if they're told where it is and what it is, and even then only if it's produced with a small range of well known, freely available tools.

    Incidentally, there is a steganographic payload in this post. Care to scan all Slashdot posts for steganographic payload? All Usenet? No, thought not.

  • by Gallowglass ( 22346 ) on Monday October 15, 2001 @02:48PM (#2432207)
    "Certain phrases, for example, in bin Laden's statements quite possibly are intended to send an additional pre-defined meaning."

    My only exception to stwilwebm's comment above is the phrase "quite possibly". IMNSHO, "not bloody likely" is the correct adverbial phrase.

    Let's all stop and think about this for a meaning. I wish to send an important secret message to my evil henchmen on another continent. Do I send an encrypted letter? Do I send a human messenger by plane to carry the message? Do I phone them and use secret phrases with hidden meanings to convey the message to them?

    Apparently not, if we are to believe the Security Experts who don't want us to hear Bin-Laden. Apparently the best way to send secret messages, is to tape yourself and hope that the corporate minions of the Great Satan will transmit your message, complete, clear (no poorly translated voice-overs, if you please) and in a timely fashion.

    Am I the only one who thinks that if Bin-Laden really is that stupid, that we have little to worry about?

  • Well.. (Score:3, Insightful)

    by mindstrm ( 20013 ) on Monday October 15, 2001 @03:02PM (#2432337)
    the reason they 'cracked' the key was obviously because it wasn't really encrypted.

    Any real stego you wanted to hide would also be encrypted. Strongly. So all you would find is noise.

  • by Reckless Visionary ( 323969 ) on Monday October 15, 2001 @03:13PM (#2432429)
    Sure, but you don't have to trust American media to get your message across. Apparently Al Jahira (I forgot the exact name of the network, forgive me) is widely available via satellite. This network is the one the original broadcast was from.

    It's not implausible to assume that the terrorists were instructed to watch that channel to receive instructions after the first US attacks occurred.

  • by kilgore_47 ( 262118 ) <kilgore_47@y a h o o .com> on Monday October 15, 2001 @03:14PM (#2432437) Homepage Journal
    According to this [smh.com.au], bin Laden is indeed using verbal codes to communicate with his people. What better way to get the message out than a public statement?

    I'm still bitter it's not getting played on US tv stations; how can a video taped statement from public enemy number one not be "newsworthy"? They say it "might contain a message". Well one message I heard was "infidels out". Is that the message they don't want us to hear? That his main demand is for us to stop occupying his 'homeland' and whatnot?

    Sure, there might be a hidden message too. But people waiting to get the hidden message will undoubtedly obtain it from some foreign news source that DOES deem it "newsworthy".

    Censorship will only hide the message from joe sixpack & friends, and I think that's exactly the goal.
  • by friday2k ( 205692 ) on Monday October 15, 2001 @03:19PM (#2432495)
    I just find it very strange that somebody tries to make us believe that Steganographic content is limited to pictures and will be found on eBay. _IF_ you really want to hide something you might want to embed a message at a certain time (time synching is not a problem) into an ever changing stream of data (like a webcam or an Internet radio station). The content has to be spread out over a certain amount of time. Maybe only chunks of a message per hour. This is not exactly emergency communication; orders, information, etc. can be received over several hours if needed. Now you spread the content over a pre-defined sequence and maybe start with a "wakeup" message to indicate that a new block of cipher information is about to come. This would be impossible to detect, because you have nothing to compare against (like a picture of a busy street is never the same). So I personally think that this "we scan on eBay and the pictures are evil" is something to put people at ease, but is not really helping a lot. Other than people will be forced into stealthier methods ...
  • by DrXym ( 126579 ) on Monday October 15, 2001 @03:24PM (#2432539)
    You misunderstand my meaning. I'm saying "salted the earth" because presumably the purpose of these stego searches is to expose or at least disprove how stego is being used to nefariously hide terrorist communications and so on.


    Future searches will find that very difficult because publicity from the first search has meant (in all likelihood) that thousands of new stego images have sprung up, effectively making new searches pointless. Yes you'll find stego but it wouldn't prove or disprove anything except that people are having fun downloading and trying out stego software. In other words, the publicity from the first search has salted the earth for future searches.

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Monday October 15, 2001 @03:47PM (#2432694)
    Comment removed based on user account deletion
  • by supabeast! ( 84658 ) on Monday October 15, 2001 @03:48PM (#2432699)
    Given that image based steganography has been around for a while, and there are probably at least a few thousand people online experimenting with it, they should be turning up a lot of these. That doesn't even begin to factor in that criminal organizations all over the world are probably playing with the stuff, especially given recent coverage of steganography in the news.

    What does this really mean? Perhaps finding well hidden messages is a hell of a lot harder than anyone expected- and it will only get harder. If criminals are using this to communicate, they may be justified in feeling safe doing so.

    Of course, it is probably a bad idea to put stock in anything that comes from guys trying to grab the spotlight by reporting an image created by abc news as a steganographic image found "in the wild." If nothing else it reminds me of idiots who try to get attention reposting known security vulnerabilities to BugTraq.
  • by TheCarp ( 96830 ) <sjc@NospAM.carpanet.net> on Monday October 15, 2001 @04:28PM (#2432931) Homepage
    Actually... it seems to me that this is a fine way to send a message. The "not bloody likely" part is the idea that censoring this will stop the information from getting to its intended recipients.

    The message could be conveyed in something as simple as manner of dress or a key phrase. It could be "encoded" in where Bin Laden's gun rests in the background behind him in the shot.... or even who sits to his right or left.

    The plans were made a long time ago. Messages from Bin Laden to his people are likely of no more granularity than "continue as planned" or "halt and wait" or "go with plan B"

    Or even more specific... "transmit orders for plan B"... I think it's very likely that Bin Laden, being a figurehead, has probably delegated the actual planning and coordination to someone else, so anything from him only has to be very very high level...which is where this sort of message excels.

    That said... I think it's silly to believe that they don't have operations set up such as to continue even if the communication channel is cut off. All that censoring him does is stop Americans from hearing what he has to say.

    -Steve
  • by srvivn21 ( 410280 ) on Monday October 15, 2001 @04:45PM (#2433044)
    Amazingly, showing Osama on the TV is not likely going to result in a massive outpouring of sympathy for him or his cause. A more likely result is a rise in TV repair business.

    The media (as encouraged by the US government) has whipped the masses into a hateful frenzy, with Osama as the target.

    Forget looking for the cause of his actions. Let's just label him a "mad man", and state that his goal is "the end of the free world".

    Showing, or not showing his press releases is not going to make a whit of difference in this "war". Just like my posting my views is not going to change the mind of someone who wishes to believe the rhetoric and absolute crap that is spewing forth from the main stream media.

    Overall, I enjoy being a U.S. citizen, but I am completely embarrassed, and even mortified by some of the actions that we (as a country) condone, and those that we perpetrate.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Monday October 15, 2001 @05:23PM (#2433227)
    Comment removed based on user account deletion
  • by kilgore_47 ( 262118 ) <kilgore_47@y a h o o .com> on Monday October 15, 2001 @06:35PM (#2433565) Homepage Journal
    You mean stuff like *gasp* SPEAKING? Oh my god!

    Sorry, I used the wrong link before. I meant to link to the actual interview [sundaymirror.co.uk] with bin Laden's son.
    He says "My father believes American spies have joined the Taliban. He talks in a code that even I can't understand".

    It's not that he's speaking, it's that he's (likely) conveying another message besides the obvious one.
  • Re:MOD PARENT UP! (Score:2, Insightful)

    by ethereal ( 13958 ) on Monday October 15, 2001 @10:56PM (#2434452) Journal
    No, it does not. It does not represent a decision by the computer's owner as to whether you had a right to request the file and whether they should supply it to you. If I walked up to your computer and started deleting files, would the fact that your computer deleted the files mean that I had your permission to do so? That's what you are arguing: That the computer has power of attorney for its owner.

    If I did that in your office, then I would be trespassing. If you left your computer set up on a busy city street, with a big red "Delete" button to push, then it would appear to me and an average passerby that file deletion was OK with you. Thus also with files on servers on the 'net. Your machine does not have power of attorney, but if you set up an automatic file dispenser, you can't complain if people take files off of it, any more than you could complain if people took all the gumballs out of a free gumball machine that you set up. Of course, the eBay example is a little different than the gumball or "Delete" analogies, because eBay didn't run out of files, although they may have been marginally lower on server capacity and bandwidth at the time.

    (Your honor, I had McDonalds' permission to take 2,372 straws because their machine gave me a straw each time I pushed the button...)?

    Ah, but that's exactly my point - one straw at a time is OK, it's the overall pattern of straw usage that McD's should worry about. They would want to either alter their straw dispensers, or more likely just toss you out if you started doing that. The dispensers themselves aren't labeled "only take what you need" - how many times have you seen people take twice as many napkins or packets of ketchup than they need?

    A computer responding to a file transfer request is not equivalent to the company giving you permission to transfer the file.

    If the company didn't want their machine to post the files, why didn't they just tell it not to? If they set up an automatic process that affects their property and is freely available to the public, why shouldn't they be liable for what happens to it?

    I think of a server as sort of a secretary. If you told your secretary to accept file submissions and store them on a global bulletin board, and she didn't know any better than to take pr0n too, then the failure is really in your instructions. What is needed is a more sophisticated way to describe to a web server what access patterns are acceptable, just like you would tell your secretary to only accept files with a legitimate business purpose. You can continue to curse the pranksters that keep submitting polaroids of women with Shetland ponies, but in the end you can't track them all down. You have to fix the problem at the source.

    Now you are arguing about the practicality of enforcing a policy rather than the legalities. The most effective way to get people to follow your rules is to identify someone who violated them, sue them for civil damages, and make an example of them.

    You haven't been reading the news much, have you? MP3 trading continues, DeCSS can be had for a 2-second Google search, software piracy flourishes - plenty of examples haven't really helped those issues. These are situations where you can't police everybody in the world at once, if not due to the unending variety of local law, then due to the sheer expense that would be required to do so. The only way to solve an Internet-scale problem is with a distributed technological solution.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Tuesday October 16, 2001 @12:04AM (#2434689)
    Comment removed based on user account deletion
