
Russian Spies Hid Secret Codes in Online Photos - CWuestefeld
http://news.yahoo.com/s/livescience/20100630/sc_livescience/russianspieshidsecretcodesinonlinephotos
======
ynniv
Since when is steganography hypothetical? Or rather, how does hypothetical
mean "previously undocumented in the wild"? There have been practical tools
for digital image steganography since at least the early '90s.

Heck, it was on Law and Order last year:
[http://allthingslawandorder.blogspot.com/2009/10/law-
order-s...](http://allthingslawandorder.blogspot.com/2009/10/law-order-svu-
hardwires-recap-review.html)

~~~
tptacek
Neils Provos did a study of all of Usenet (I think?) as part of his PhD
thesis, as an input data set for stegdetect, which used statistical (I think?)
techniques to detect steganography. Long story short: nobody uses
steganography.

It's really not that much of a win.

~~~
ComputerGuru
stegdetect isn't all that great. I've been working on an improved
steganography technique (actually, an alteration to pretty much any existing
methodology) for the past 6 months as a side project.

stegdetect is jpeg-only (yes, LSB steganography on raw audio/video is really,
_really_ lame, but it's really easy, too) and it really depends on the input
media. Using stegdetect itself on the sender's side with various source media
makes it easy to avoid detection in-transit.

Plus, _any_ statistical analysis tool is only useful for long messages (higher
signal:noise ratios). If you're sending one-liners in a 2MB photo, for all
intents and purposes, the original photo hasn't been modified and is really
difficult to catch.

~~~
tptacek
I'd sure hope you can do better than stegdetect, in that you've had over 10
years to improve on it!

I was overly terse in dismissing steg; I didn't really provide a rationale for
my comment. But I expect you'll agree with me anyways. Image steganography is
a pet trick. Given the constraints of a meaningful image file, it's unlikely
you're going to come up with a technique for encoding a covert channel that
will be truly hard to spot.

Meanwhile, it's a lot of added effort for a very minimal theoretical gain (and
a very likely severe practical loss) in operational security.

~~~
ComputerGuru
Agreed. Perhaps with today's multi-GB media (video) files, steganography will
see a new surge in popularity. But then again, we'd probably have already seen
that by now.

(and I'm working on a steganography technique, not steganalysis - if I can get
my act together and focus some, I'll be submitting it to a security conference
in next month... I hope :)

------
CWuestefeld
The meat of the article is in these two paragraphs:

 _The accused spies posted the seemingly mundane photos on publicly accessible
websites, but then extracted coded messages from the computer data of the
pictures, according to the criminal complaint filed by the FBI. Although
computer scientists have theorized about the existence of this communication
technique for over a decade, this is the first publicly acknowledged use of
the technique._

 _"There have been occasional claims in the press about al Qaeda using it, but
never with any evidence or even attributed to specific government officials,"
said Steven Bellovin, a professor in the Columbia University department of
computer science. "Here, we have court papers filed by the FBI under penalty
of perjury that says these folks were doing it. The threat, in other words, is
no longer hypothetical."_

~~~
dublinclontarf
Is itthat this means that the steganography tools they were using did not
prove effective? Or did the FBI discover their use by other means?

~~~
btilly
According to [http://www.networkworld.com/news/2010/063010-russian-spy-
rin...](http://www.networkworld.com/news/2010/063010-russian-spy-
ring.html?hpg1=bn) law enforcement officers found a 27-character password
written on a piece of paper at one suspect's house, and then used that to get
into the stenography program that the suspect had, which then let them extract
the hidden messages from the images.

Therefore the cryptography does not seem to have been the weak link. (In
truth, it seldom is.)

~~~
Groxx
So... the flaw in their security model is that _they wrote down their
password_. If people can memorize hundreds of digits of Pi (I personally got
past ~80 out of boredom (before I found programming), though I've since
forgotten most), _they_ could memorize 27 characters to protect everyone else
in the system.

Were I russia, and if these _are_ their spies, I don't think I'd be too sad to
lose that pair.

~~~
btilly
You can make a secure enough password that is much lower than 27 characters
pretty easily. Let me give an example.

My brother is named Aaron. First I think of a memorable sentence about him.
"Aaron got me to take money from a wishing well when I was 8." OK, that's
memorable to me and not many people know that story. Now I'll just take first
letters and make a few obvious substitutions. "Agm2t$fWW@8"

That's 11 characters. It includes capitals, small letters, numbers and
punctuation. It would be easy for me to remember. And would be a pretty hard
password to break. If they had passwords like that, I doubt that the FBI would
have ever broken into the program. (Though there must have been some other
reason to be suspicious.)

(For the record I just made that up. It has no relation to any password I have
ever used.)

~~~
Groxx
Or you could've just used that whole sentence as a password. I'd be willing to
bet it's _significantly_ more secure than those 11 characters, even if a
dictionary-based attacker used ideal grammar rules and a bit of knowledge
about you (say, family + pet names, ages, etc; only public knowledge).

~~~
btilly
True, but typing the whole sentence gets very, very annoying, quite quickly.
Plus the short version will eventually become muscle memory.

It is counter-intuitive, but frequently making security more convenient makes
it more likely to happen, which improves security. Conversely measures that
should increase security cause users to work around the annoyance, which
reduces security.

(For instance in this case the users could just leave a session running.)

~~~
marbu
That's not true if you do touch typing. Since you are using ordinary words you
can type it quickly almost immediatelly without need to wait for muscle memory
to develop. This way you get password which is both easy to remember and easy
to type and at the same time is long enough. See Diceware method
(<http://world.std.com/~reinhold/diceware.html>) if you are interested in this
scheme.

~~~
btilly
I disbelieve.

I touch type at about 60 wpm. (Where your top is depends on your coordination,
but for lots of people that is about the top.) Therefore it takes 5-6 seconds
to type in an 11 word password. By contrast a frequently typed 11 character
password typed from muscle memory takes no more than a second or two. That's
substantially faster.

In fact even when I'm still learning the password, I type it faster than I can
type the original sentence.

------
mtr
Would this work for sites (such as Facebook) that compress photos when
uploaded? Wouldn't the compression affect the embedded code?

~~~
btilly
No. If you've hidden the details in the finest image details, then any form of
lossy compression would ruin the message.

But there is no shortage of popular sites that will let you post innocuous
seeming files unchanged that could serve this purpose. So that is not a
problem.

------
conanite
I'm curious - if you encrypt the message before embedding it in the image, it
should be impossible to prove that a message exists (unless prosecution has
its hands on the original), because changing only the lowest-order bit of each
byte of image data probably has less impact than the noise from the camera
itself, especially if it's an old camera. Alternatively, given any image and
any message small enough, you could prove the message is hidden in the image.

~~~
btilly
That is exactly the idea.

Incidentally any form of encryption becomes even harder to break if you
compress the message first. Furthermore this results in a shorter encrypted
message, which is easier to hide. So the correct strategy is always compress,
then encrypt, then encode.

~~~
CWuestefeld
I don't think this is correct, at least if you're using a decent algorithm.

What's more, if you encrypt by using, say, ZIP, then the resulting file will
have a known header, and that makes it tremendously easier to decrypt.

I've read that one of the factors that led to breaking Enigma was that Germans
would habitually end their messages with "Heil Hitler". By assuming that _was_
the ending of most messages, the mathematicians were able to work backward to
find the key.

~~~
btilly
In truth if you're using a decent algorithm, then breaking it is effectively
impossible anyways.

But that said, techniques for breaking encryption rely on identifying
redundant information in a message. The less redundant information there is,
the harder this is to do. Sure, the known header on a ZIP is useful
redundancy. But the amount of introduced redundancy is much, much less than
the redundancy you got rid of by moving from a document in English to binary
gibberish.

Underlying this is a fundamental fact of information theory, which is that
messages with a high information density look like white noise. A slight
mistake in the message you have results in something that looks like another
potentially valid message rather than something that is obviously wrong. This
makes it much harder to verify that you're on an intermediate step towards
properly decrypting the message.

Therefore increasing information density makes an attacker's life harder.
Compression increases information density by a lot, and so makes the
encryption harder to break.

~~~
CWuestefeld
I think I'm understanding your argument, but I don't think it's correct.

A well-encrypted message -- whether pre-compressed or not -- is
indistinguishable from noise. If it was not pre-compressed, then its
information density is lower, which means the S/N is lower. Information theory
tells us that the worse the S/N, the harder it is to extract the information.

~~~
btilly
Whether or not you agree with it, the argument is believable enough to have
been presented in a graduate level course that I was in a number of years ago.
(The course was on wavelets, but background review on information theory was
presented at the beginning.)

You are correct that a _perfectly_ encrypted message is indistinguishable from
noise. Decryption is the art of distinguishing imperfectly encrypted messages
from noise. Anything that makes the message harder to distinguish, makes
decryption harder. Which means that the more the message looks like noise, the
harder it is to decrypt.

Your attempted counter argument fails on the fact that a redundant message has
very little noise, and therefore has a high S/N despite having not that much
signal per bit. However that said, it is true that if you take a redundant
message, remove some redundancy by adding some random noise to it, then
encrypt it, the result will be harder to decrypt than if you just encrypted
the original redundant message. Of course the fundamental reason behind that
is that detecting redundant information is at the heart of decryption.

In that light it is interesting to compare the two known perfect encryption
mechanisms. The first is the one-time pad. In that case the transmitted
message has absolutely no redundancy because the definition of the encryption
method contains as much information as the transmitted message. The second is
for the two end points to have a list of pre-agreed messages of equal
likelyhood, which they will refer to in binary code. This offers perfect
compression with absolutely no redundancy, and therefore the attacker again
has absolutely no way to guess what the pre-encoded messages are. (This is
much harder to do properly in practice than one time pads, which themselves
are pretty tricky.)

------
stcredzero
The flaw in the defendant's procedures was that the data containing the
steganography message existed on their machines at all. There is no longer any
reason to do this. A foreign power could have their agents do the following:

    
    
        - stego the messages locally in photos
        - upload photos to a small photo sharing site set up by the agency
        - use a secure erase program on the photos
    

The software on the "photo sharing site" can remove the steganography data
from the photos before displaying them on the site. All of the steps can even
be written into the "photo sharing" desktop client software provided to users
on the site. If a scheme like this had been properly implemented, the US
government wouldn't have the contents of any outgoing messages to use in their
case. The stego can be disguised as a fun easter egg to let site users play
secret agent. (Press Ctrl-Shift-0-0-7 to reveal the "invisible ink dialog.")

A challenge: can one use a scheme like this to also refuse government counter-
spies' access to incoming messages?

------
kilian
It's completely underwhelming to see 'real life spies' use the same
technologies you used _for fun_ with friends a decade ago...

------
binarymax
DIY: <http://mozaiq.org/encrypt/>

------
IgorPartola
I don't get why they wouldn't just use e-mail + PGP.

~~~
ynniv
Nothing says "Hey I've discovered classified information" quite like an
encrypted email to the KGB. A primary goal of steganography is to disguise the
act of transmitting sensitive data.

------
crististm
Russians spies? Al Qaeda and porn? Ancient Greek messages? 9/11?

~~~
crististm
Steganography is not a modern invention and if you don't get the hint, neither
is linking unrelated terms to get a hot title on a tabloid.

This Yahoo post is not far away from one.

