
Whitespace Steganography - beardog
http://darkside.com.au/snow/
======
foobuzz
Whitespace is good, but with Unicode you can do even better by using invisible
characters such as ZERO WIDTH SPACE (U+200B) and ZERO WIDTH JOINER (U+200D). I
once made a proof of concept[1] using those two characters. It can converts
arbitrary data into invisible text by using U+200B as bit 0 and U+200D as bit
1.

Most platforms (Twitter, Reddit, Hacker News) accepts those characters so you
can paste invisible messages there. The illusion falls down as soon as you use
a low-level text editor such as vim which marks exotic characters in a
specific manner (by displaying their hexadecimal codepoint, as it happens).
This is where whitespace can be more powerful, given its mainstream
usage​‍​​‍‍‍‍​‍‍​‍​​​​​‍​‍‍​​​​‍​​​​​​‍‍​‍​​​​‍‍​​‍​‍​‍‍​‍‍​​​‍‍​‍‍​​​‍‍​‍‍‍‍​​‍​​​​​​‍‍‍​‍​​​‍‍​‍​​​​‍‍​​‍​‍​‍‍‍​​‍​​‍‍​​‍​‍​​‍​‍‍‍​​​‍​​​​​​‍​​​‍‍‍​‍‍​‍‍​​​‍‍​​​​‍​‍‍​​‍​​​​‍​​​​​​‍‍‍​‍​​​‍‍​‍‍‍‍​​‍​​​​​​‍‍‍​​‍‍​‍‍​​‍​‍​‍‍​​‍​‍​​‍​​​​​​‍‍‍​‍​​​‍‍​‍​​​​‍‍​​​​‍​‍‍‍​‍​​​​‍​​​​​​‍‍‍‍​​‍​‍‍​‍‍‍‍​‍‍‍​‍​‍​​‍​​​​​​‍‍‍​‍‍‍​‍‍​​‍​‍​‍‍‍​​‍​​‍‍​​‍​‍​​‍​​​​​​‍‍​​​‍‍​‍‍‍​‍​‍​‍‍‍​​‍​​‍‍​‍​​‍​‍‍​‍‍‍‍​‍‍‍​‍​‍​‍‍‍​​‍‍​​‍​​​​​​‍‍​​‍​‍​‍‍​‍‍‍​​‍‍​‍‍‍‍​‍‍‍​‍​‍​‍‍​​‍‍‍​‍‍​‍​​​​​‍​​​​​​‍‍‍​‍​​​‍‍​‍‍‍‍​​‍​​​​​​‍‍​​​​‍​‍‍​​​‍‍​‍‍​‍​​​​‍‍​‍​​‍​‍‍​​‍​‍​‍‍‍​‍‍​​‍‍​​‍​‍​​‍​​​​​​‍‍‍​​‍​​‍‍​​‍​‍​‍‍​​​​‍​‍‍​​‍​​​‍‍​‍​​‍​‍‍​‍‍‍​​‍‍​​‍‍‍​​‍​​​​​​‍‍‍​‍​​​‍‍​‍​​​​‍‍​‍​​‍​‍‍‍​​‍‍.

[1] [https://github.com/foobuzz/ium](https://github.com/foobuzz/ium)

~~~
fredley
This is slightly more recognisable though. One of the key things you're trying
to achieve with steganography is for an adversary to not even notice you're
trying to send a message, and ideally even if they suspect something you have
plausible deniability (which may or may not be enough).

Steganography in the wild:
[https://www.youtube.com/watch?v=BgelmcOdS38](https://www.youtube.com/watch?v=BgelmcOdS38)

------
theunamedguy
Even better, you can use spacing within a line to create a 3-D effect to
emphasize certain words:
[https://en.wikipedia.org/wiki/ASCII_stereogram#Text_emphasis](https://en.wikipedia.org/wiki/ASCII_stereogram#Text_emphasis)

~~~
Bronze_Colossus
I fail to see a secret message. What exactly should I be looking for?

~~~
kbaker
It's a stereogram, you have to cross your eyes (or relax to infinity, I could
never get that right) to see it. In the one linked, it shows 'John Smith is
responsible' pretty clearly. Like the Magic Eye books... but in text. Works
quite well actually.

[https://en.wikipedia.org/wiki/Stereoscopy](https://en.wikipedia.org/wiki/Stereoscopy)

~~~
jrapdx3
Compared to some single image stereograms, it's pretty easy for me to see the
3D effect either way. The "straight" view shows the message in front of the
rest, cross-eyed it's behind.

Of course, it's not particularly "secure", there would have to be layers of
encryption of some kind if the goal is keeping the message hidden.

------
magicseth
If you want your Perl files to be invisible, Acme::Bleach hides all of your
source code by encoding it as white space:
[http://www.perlmonks.org/?node_id=967004](http://www.perlmonks.org/?node_id=967004)

~~~
peteretep
A major problem with being a Perl developer is that nothing impresses me any
more

------
dsr_
Earlier use of whitespace coding:
[http://www.templetons.com/tech/proletext.html](http://www.templetons.com/tech/proletext.html)

... Invisible formatting information is embedded in trailing spaces and tabs
on the ends of lines in an ordinary looking document. In addition, "blank"
lines contain spaces and tabs with hidden formatting meanings. Assuming
typical 60 column lines, one can have over 300 different codings on the end of
a line without going past 80 columns. (Far fewer are needed.) On a blank line,
almost a billion codings are possible.

Documents with invisible formatting always start with a magic line, which
begins with "<SP><SP><TAB><SP><SP><TAB>" followed by version encoding. Thus
documents can be spotted and formatted even without a Mime Content-Type header
for this new text type. This otherwise useless combination of spaces and tabs
on a blank line should virtually assure that random documents are not treated
as formatted. ...

------
userbinator
This neat and very readable page layout is rather pleasant. It's not often
that you find sites like these anymore.

I also looked at the page's source to see if anything was hidden in trailing
whitespace there, and wasn't disappointed by what I saw either.

------
lillesvin
Until you run into that one Whitespace
<[https://en.wikipedia.org/wiki/Whitespace_(programming_langua...](https://en.wikipedia.org/wiki/Whitespace_\(programming_language\)>)
programmer that has syntax highlighting turned on.

------
13of40
Reminds me of an underhanded code submission I saw a couple of months ago,
where it looked like a 1-liner script, but the malicious part was encoded in
the number of spaces trailing each line of the file.

------
wjessup
I wrote a tool to do this for fun and to learn node:
[https://github.com/wjessup/secret-js](https://github.com/wjessup/secret-js)

------
wtbob
And it all falls apart if one is using a text editor which highlights trailing
whitespace (like emacs).

The point of steganography is to hide that there is even a message; this fails
at that.

~~~
fredley
But if you saw that would you assume it's an attempt to hide a message? How
often do you open up webpages in your editor and inspect the line endings?

All steganographic methods can be detected if you start actively looking for
them. The point is it's very hard to know what to look for, especially if you
come up with your own coding which you do not share publicly (off the top of
my head: using commas and full-stops to encode a bitstream in tweets.)

------
fulldecent
See also: adding side channel data to JSON files with whitespace.
[http://stackoverflow.com/a/23275699/300224](http://stackoverflow.com/a/23275699/300224)

Maybe the most controversial answer on StackOverflow.

------
amelius
I'm wondering if steganography could become a practical transfer method in the
event that governments start to prohibit encryption (and of course
steganography).

Will they prohibit spurious whitespace in documents?

