
Secret messages on the web: How to do steganography in JavaScript - gw
http://oakes.github.com/PixelJihad/about.html
======
meriksson
Here is a newly launched service for steganography in images, primarily
lolcats:

<http://lolsecurity.se>

~~~
Jach
I love how someone actually did this. drostie replied to my comment several
months ago with some great analysis on my off-hand remark about potentially
hiding your web traffic through sending lots of steg'd cat pictures:
<https://news.ycombinator.com/item?id=3575232>

------
dchest
_For extra security, it's good to provide the option of encrypting the message
before hiding it in the image._

Doesn't encryption make it easier to detect hidden messages, because it
generates a uniform pseudorandom output, something that an image without the
hidden message doesn't have?

~~~
peterwwillis
This paper recommends embedding AES using a thresholding algorithm:
<http://www.scribd.com/doc/62034623/A-Multi-Layered-Secure-Robust-and-High-Capacity-Image-Steganographic-Algorithm>

This paper is really good at explaining image steganography from a beginner's
standpoint:
<https://docs.google.com/viewer?a=v&q=cache:kWVnLQVjyR0J:martinolivier.com/open/stegoverview.pdf+&hl=en&gl=us&pid=bl&srcid=ADGEEShqeA3VSpam5rS7capPIrbzk22kTtJBMEBWVtXQ-jSrv6GAT4IX1L0KIzbA_PvhL8_IvJhyLk8LWn3IMK-VZO5Rb-8yMPYEIZa71yZ7HaXsPTdXF69vF6mUS5aE6lJA_YXFYxQO&sig=AHIEtbQg9VAMBeSntkcN-_WClletsaZMpQ&pli=1>

In my opinion, the whole point of embedding a "secret" message in an object is
defeated if there's the possibility that the "secret" may be revealed. The
math involved in cryptography is much harder to defeat than the art of
detecting a structured message layered into an object, so I prefer to just
pass a plain-old encrypted message. But if you want to prevent someone even
thinking you're passing an encrypted message, embedding that encrypted message
in an image or audio can be beneficial. And risking someone finding out the
actual secret just because you thought they might be able to tell you're
sending one is not worth it.

~~~
dchest
Thank you for the links! Indeed, I was thinking about applying some form of
encryption that is harder to distinguish from image data than just AES in
standard modes.
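
The detection question in this subthread, as an added example that is not from any commenter or from PixelJihad: a chi-square test over value pairs (2k, 2k+1) measures how far LSB replacement with uniform, ciphertext-like bits has equalized each pair's counts. The cover data, the embed-in-every-sample scheme, the function names and the threshold of 2 are assumptions made for the illustration.

```javascript
// Added example; not code from the thread or from PixelJihad.
// Deterministic PRNG (mulberry32) so every run gives the same numbers.
function prng(seed) {
  let a = seed | 0;
  return () => {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed cover: samples whose even values outnumber odd ones (~70/30),
// standing in for the uneven pair counts of an unmodified image channel.
function makeCover(n, seed) {
  const rand = prng(seed);
  const px = new Uint8Array(n);
  for (let i = 0; i < n; i++) px[i] = 2 * ((i * 7) % 100) + (rand() < 0.3 ? 1 : 0);
  return px;
}

// Assumed embedding: LSB replacement in every sample, with uniform random
// bits standing in for an encrypted payload.
function embedUniformBits(cover, seed) {
  const rand = prng(seed);
  return cover.map((v) => (v & 0xfe) | (rand() < 0.5 ? 1 : 0));
}

// Chi-square over pairs (2k, 2k+1), divided by its degrees of freedom.
// Near 1: the pairs are as balanced as coin flips would make them.
function pairBalance(px) {
  const hist = new Array(256).fill(0);
  for (const v of px) hist[v]++;
  let chi2 = 0, df = 0;
  for (let k = 0; k < 128; k++) {
    const even = hist[2 * k], odd = hist[2 * k + 1];
    const expected = (even + odd) / 2;
    if (expected < 5) continue; // too few samples in this pair to judge
    chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected;
    df++;
  }
  return df ? chi2 / df : NaN;
}

// Assumed cut-off: flag data whose pairs are almost perfectly balanced.
const looksLikeLsbPayload = (px, threshold = 2) => pairBalance(px) < threshold;

const cover = makeCover(40000, 1);
const stego = embedUniformBits(cover, 2);
console.log(pairBalance(cover).toFixed(1), pairBalance(stego).toFixed(2));
```

The test only covers payloads that overwrite most LSBs in place; a short or scattered payload changes fewer pairs and moves the ratio far less.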

------
bsaunder
Pretty cool, but I wonder if the author realizes that you can
steganographically encode data in any format including HTML and even JS
itself.

Bonus points if you can split the steganographic data into multiple domains,
where building the original message requires finding and assembling the pieces
in the canvas, HTML and JS sections.

Also, I believe there may be blurring techniques you can use to smooth out the
dense randomness that is a signature of encryption.

~~~
gw
Good point regarding text-based steganography. I've had a greater interest in
hiding within binary files, though, because they tend to be larger and have
highly varied contents. Also, it's very common to share images over email and
other means, so doing so wouldn't inherently raise suspicion.

------
lucian1900
Interesting, but the obvious weak point is the browser environment itself. How
can the code doing the steganography be sure it hasn't been interfered with?

~~~
gw
Being client-side JavaScript, you could save it locally and run it as a
file:// URL if that is a concern.

------
theallan
Great method! I had ideas about doing something similar (although this
technique is rather more advanced than mine) a while back, about being able to
show messages based on characters read from an HTML page. I wrote a little
script for it: <http://sprymedia.co.uk/article/Secret>.

------
darronz
I wonder if a similar technique could be used to detect if a user has
stylesheets enabled.

------
ssdsa
Hm, I thought this was about hiding data in JavaScript source code!

