
Show HN: Hide Secret Messages In Facebook Photos With My Chrome Extension - owencm
http://www.owencampbellmoore.com/blog/2013/04/hide-secret-messages-in-facebook-photos-using-this-new-chrome-extension/
======
owencm
I built this Steganography tool as a research project within Oxford
University. The goal was for users to be able to communicate via Facebook
without anybody being able to even detect the presence of a message, let alone
the content.

This is a dramatic improvement over the 'dead-dropping' technique of
communicating secretly by leaving emails in the draft box for others to
receive without actually sending them.

The really notable thing about this extension is that the JPEGs it produces
can handle recompression without the contained message being damaged. Simply
strapping error correction onto Steganography doesn't work and this extension
is based on a new algorithm for JPEG steganography which I explain in the
paper linked from the article.

I'd love to get your feedback on the extension, let me know how you found it
to use and let me know if there's anything I can do to make the experience
easier!

~~~
97-109-107
I'm the author of umshade (<http://umshade.it>), which aims to bring a chrome
extension that provides proof-of-concept grade text-encryption to any website.
Obviously I like what you did a lot. How much further are you taking it? What
other approaches to UI/flows did you consider?

~~~
owencm
How far I take it depends largely on feedback I receive. I have now completed
this research project so in that capacity it is complete.

I considered a number of flows but eventually decided this was most discreet.
Check out the paper I link to at the bottom of my post to read all about the
options I considered and why I selected this one.

------
ams6110
_Governments also do not have access to privately shared Facebook albums_

Don't count on it.

~~~
xxbondsxx
God you guys need to start wearing tinfoil hats

~~~
epoxyhockey
_God you guys need to start wearing tinfoil hats_

It's not really a secret: <http://www.youtube.com/watch?v=XDM3MqHln8U#t=3318s>
(note that Facebook was specifically mentioned @ 56:07)

~~~
owencm
He also specifically mentions 'cloud'. Just saying.

------
elliottcarlson
I remember reading an article where Al Qaeda is using the same practices for
sending messages to hidden members via eBay (and other sites). Here is an
article (not the same one I read, but the same topic):
<http://www.nytimes.com/2001/10/30/science/physical/30STEG.html?pagewanted=all>

The article mentions government level detection software - but there is also
open source software such as StegDetect
(<http://www.outguess.org/detection.php>) which does a reasonable job of
detecting steganography within images.

~~~
owencm
As you say, it is very possible to build or use detectors for systems such as
this. The advantage in this case is that 300+ million new photos are uploaded
to Facebook every day so scanning them all would be highly computationally
intensive. Governments also do not have access to privately shared Facebook
albums so the risk of steganography being detected in a walled garden such as
Facebook is much lower than for images shared on public websites such as eBay
in the case of Al Qaeda in the past. In the past walled gardens have always
recompressed JPEGs rendering previous steganography tools unusable - that is
the true innovation this extension brings.

~~~
ramayac
"Governments also do not have access to privately shared Facebook albums" ...
yet! But either way it's a really useful tool, I think my GF will love it.

~~~
junto
I have always assumed that the NSA have a firehose feed running from Facebook
to Fort Meade.

I can't imagine a reason why, in the interests of national security, they
wouldn't have already approached Facebook with a secret request to get full
access to all Facebook data, regardless of the user's privacy settings.

I have already proved to myself that when you delete something on Facebook, it
is not actually deleted, but simply marked as archived. My guess is that they
now also move the images, rather than delete them, to satisfy the previous
outcry at deleted photos that were still "cached on the CDN". _cough
bullshit_.

Once your data is on Facebook, you can never remove it. I don't trust them as
far as I can throw a $1 billion company.

I'll take my tin-foil hat off now.

<http://arstechnica.com/uncategorized/2007/01/8701/>

------
leeoniya
the presence of steganography has long been detectable in images and audio.
whether it can be decoded depends on the cipher (if any) that's used for the
actual message, but this is a pretty poor way to hide your intent from anyone
but the casual onlooker.

~~~
owencm
You're right, if provided a folder of 10 images, one of which contained a
secret message then detecting it would be trivial. For Facebook to do the same
with 300+ million photo uploads daily would be certainly a non-trivial
process. And govt agencies don't yet have full access to non-public albums so
the risk of them downloading and scanning all images is also mitigated.

~~~
ams6110
If they can handle recompressing 300+ million photos a day they could
probably add a quick check for steganographic markers and dump those images
off to a separate queue for further processing, if they were so inclined.

~~~
owencm
The whole point of steganography is to not leave any markers. But yes, in
theory they could scan them on upload but I'm not exactly sure what their
prerogative to do so would be (unless the extension turns out to be used for
terrorism that is). And plus, with that many photos to process the low false
positive rate is going to cause them huge problems.

------
waitwhat
I did my own undergrad project on JPEG steganography, and I was surprised that
section 2.6 accurately represents popular algorithms being implemented today.
At the time it seemed to me that you got significantly better results than the
naive algorithm when measuring visible differences and statistical anomalies
in two ways...

1) Consider the _unquantised_ DCT coefficients. If the unquantised coefficient
is 12, and the quantisation factor is 5, then the quantised value is
round(12/5) = round(2.4) = 2. If you need to flip the LSB, then the F5
algorithm would change this to 1. My algorithm would have changed this to 3
instead as this was much closer to the unrounded 2.4.

2) Encode one bit into multiple quantised co-efficients. For example: If you
only need to hide one bit in a block, xor together the LSB of all 64 quantised
co-efficients and use that; if you need to flip it, then carefully choose the
single co-efficient which produces the best result for your visual/statistical
models. (I might have excluded the DC co-efficient, don't remember.) If you
need to hide two bits, use half of the co-efficients for one bit, and half for
the other, and so on. Conversely, this method could also be extended so
that one bit is encoded into multiple blocks.

Rather than a keyed shuffle, I simply required the secret message to be
strongly encrypted. This appears to have the added advantage of a message with
predictable statistical properties.

Note also that robustness was not one of my criteria at the time.

Hope this is of some value (or at least interest). And my apologies if I have
some of the terminology wrong - this was nearly twenty years ago and I don't
have the work in front of me right now!
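
waitwhat's two ideas worked through on a short constructed block, as an added example that is not code from the thread or from the extension: flip the LSB toward the unrounded value, and carry one bit in the XOR of a block's LSBs by changing the cheapest coefficient. The function names, the eight sample coefficients and the use of extra rounding error as the cost are assumptions of this example.

```python
# Added illustration; RAW_BLOCK and Q_TABLE are constructed sample values.
RAW_BLOCK = [12, -7, 31, 4, 18, -22, 9, 14]   # unquantised DCT coefficients
Q_TABLE = [5, 4, 6, 3, 7, 5, 4, 6]            # quantisation factors


def quantise(raw, q):
    """Ordinary quantisation: the integer nearest to raw / q."""
    return round(raw / q)


def flip_lsb_nearest(raw, q):
    """Integer with the opposite LSB that lies closest to the unrounded raw / q."""
    exact, current = raw / q, quantise(raw, q)
    # current - 1 and current + 1 both have the flipped LSB; keep the nearer one.
    return min((current - 1, current + 1), key=lambda c: abs(c - exact))


def block_parity(quantised):
    """XOR of the LSBs of all quantised coefficients in the block."""
    parity = 0
    for c in quantised:
        parity ^= c & 1
    return parity


def embed_bit(raw_block, q_table, bit):
    """Hide one bit in the block parity; returns (coefficients, changed index or None)."""
    quantised = [quantise(r, q) for r, q in zip(raw_block, q_table)]
    if block_parity(quantised) == bit:
        return quantised, None          # parity already matches, nothing to change

    def extra_error(i):
        # Rounding error added on top of what plain quantisation already costs.
        exact = raw_block[i] / q_table[i]
        flipped = flip_lsb_nearest(raw_block[i], q_table[i])
        return abs(flipped - exact) - abs(quantised[i] - exact)

    best = min(range(len(quantised)), key=extra_error)
    quantised[best] = flip_lsb_nearest(raw_block[best], q_table[best])
    return quantised, best


if __name__ == "__main__":
    print(flip_lsb_nearest(12, 5))               # the comment's 12 / 5 case
    print(embed_bit(RAW_BLOCK, Q_TABLE, 0))
```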

~~~
owencm
Just for clarity's sake, I use F5 to flip bits. Your suggestion in 1) makes
sense to me, although I've not read of somebody trying this - if you have any
more data on it I'd love to see it.

2) This general idea is a good one and the way it is used in steganography is
Wet Paper Codes. These effectively provide options for how to encode short
messages so you can select that which best matches the coefficients which
already exist. A simple example:

Encode 00 as either 0000, 0001, 0010 or 0011

Encode 01 as either 0100, 0101, 0110 or 0111

And so on

Hence when we wish to send a 2-bit message we often only need to change a
single bit in the coefficients to get to a correct code word.

Hence Wet Paper Codes are able to achieve a high ratio of bits transferred to
bits flipped.

I'm sure a keyed shuffle is the right way to go, certainly also encrypting is
helpful but I see no downside of more evenly spreading changes across an image
using a shuffle.
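
The "several code words per message" idea from this reply, shown with a small syndrome code in which a 2-bit message fits in three coefficient LSBs with at most one flip. This is an added example, not the extension's code and not a full wet paper code; the Hamming-style parity check and all function names are choices made for the illustration.

```python
# Added illustration: syndrome coding with a Hamming parity-check matrix.
from itertools import product


def syndrome(bits):
    """XOR of the 1-based positions of every set bit; this is the decoded message."""
    s = 0
    for position, bit in enumerate(bits, start=1):
        if bit:
            s ^= position
    return s


def embed(cover_bits, message):
    """Carry a k-bit message in 2**k - 1 cover LSBs, changing at most one of them."""
    stego = list(cover_bits)
    difference = syndrome(stego) ^ message
    if difference:                      # zero means the cover already decodes correctly
        stego[difference - 1] ^= 1      # flipping this one position fixes the syndrome
    return stego


def codewords(message, n):
    """Every n-bit word that decodes to `message` (the receiver accepts any of them)."""
    return [w for w in product((0, 1), repeat=n) if syndrome(w) == message]


def average_changes(k):
    """Mean number of flipped bits over all covers and all k-bit messages."""
    n = 2 ** k - 1
    total = trials = 0
    for cover in product((0, 1), repeat=n):
        for message in range(2 ** k):
            stego = embed(cover, message)
            total += sum(a != b for a, b in zip(cover, stego))
            trials += 1
    return total / trials


if __name__ == "__main__":
    print(codewords(0b00, 3))
    print(embed([1, 0, 1], 0b01), average_changes(2))
```

Overwriting two LSBs directly changes one bit on average for two message bits; here the average is lower because three of every four cover/message combinations need a single flip and the fourth needs none.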

------
gallerytungsten
RE: "These messages are hidden in photos so they cannot be detected by
Facebook, Governments or prying friends."

I think this claim is overly broad and not particularly true. The NSA surely
knows about steganography too. It's been around for a while.

~~~
owencm
Good point. I've rephrased this sentence to be less strong. The gist is that
although they could theoretically be detected it would be computationally
infeasible for Facebook to do the scanning since they receive 300+ million new
photos a day and with a database of about 250 billion photos even if the NSA
could get access, they could never feasibly scan them all.

~~~
gallerytungsten
They don't have to scan them all. Only the ones uploaded by the people on
their target list. As for access, I'm sure they have it. Regarding
computational power, the NSA is generally reputed to have enough
supercomputers to fill a football field. I'm sure their new data center in
Utah will be greatly enlarging their capabilities.

I'd suggest you read James Bamford's three books on the NSA for further
insight. (The Puzzle Palace, Body of Secrets, and The Shadow Factory.)
<http://en.wikipedia.org/wiki/James_Bamford#Books>

~~~
owencm
Fundamentally you're correct. Honestly, if I thought this extension was going
to be useful to terrorists I wouldn't have released it! In my write-up (linked
at the bottom of the article) and also in the instructions it is clear that
this is a toy application for hobbyists and is not appropriate for serious
security uses.

Also, those books do look interesting, might go pick one up..!

------
DanBC
You're relying on volume of photographic posts to hide encrypted content?

Could you perhaps include encrypted content in many more photographs to make
the volume of encrypted content higher, thus increasing the work load of
dealing with encrypted content?

I'm not sure how hard it is to detect this content. Try this experiment.
Download a BBC tv programme (Horizon works) from a torrent. Edit out a short
3 minute clip. Upload the clip to Youtube. Youtube has very many videos
uploaded every minute, yet they ban your clip almost instantly.

~~~
owencm
Finding such clips is vital to YouTube's business. Detecting use of
steganography isn't vital to Facebook so unless it becomes a very public issue
(e.g. is widely used by terrorists) they are highly unlikely to integrate
detectors for it.

Either way, this is a marked improvement over sending private messages on the
Facebook or unencrypted emails (and sending encrypted emails is a very fast
way to get noticed).

------
neya
Owen, I love your concept. And readers, forget being detected by anti-terrorist
organizations, as long as you're not into that stuff! Worst-case scenario,
even if some govt. agency inquires you, I'm sure you will pass their lie
detector tests with ease since you're not really a terrorist :)

Congrats Owen, I can imagine some brilliant use cases for this already - Like
surprising your girlfriend on her birthday, etc. :)

Thank you for this wonderful extension :)

------
jstanley
Very cool, I'm surprised this hasn't had more upvotes. Many years ago I wrote
a CLI image steganography tool (with a PHP web interface at
<http://incoherency.co.uk/tools/hideimage.php> ) but it didn't support JPEG
re-compression and isn't nearly as awesome as yours.

------
salimmadjd
That's awesome! I had this idea for a while and I'm glad someone implemented
it. Initially I thought about it being used for teens wanting to share secret
messages among close-knit friends.

------
Comkid
Anyone else getting a 'Package is invalid. Details: 'Could not decode image:
'128.png''.' when trying to install the extension from the Chrome Web Store?

~~~
owencm
I've uploaded a new version with that image replaced just in case. Try again
now.

------
mansigandhi
Why did you build this for Facebook as opposed to other messaging clients or
even email? It's pretty cool btw :)

~~~
owencm
Hundreds of steganography tools already exist for making images which can be
shared on any medium where recompression is not an issue
(<http://www.jjtc.com/Steganography/tools.html>). In this case I wanted to
provide a simple user experience and also handle Facebook's recompression
specifically.

In the future this tool could be extended to other sites which recompress
images when they're uploaded although it would certainly be a more confusing
user experience.

------
iso8859-1
Why not make it proper open source so it's not necessary to extract code from
the PDF?

I'd like to use this from the command-line.

Thanks.

------
jaytaylor
Excellent reference implementation of a covert communication channel. Well
done.

------
jpswade
What problem does this solve?

~~~
owencm
Encryption provides the ability to communicate without any interceptor being
able to read the content. In many cases this is fine, but in some cases using
encryption software is enough to incriminate you (e.g. spies).

Hence steganography means that not only can your messages not be decoded, they
can't be detected.

Specifically, this extension's innovation is allowing steganography on walled
gardens such as Facebook which recompress images after uploading them.

~~~
jpswade
I understand what steganography is, but what does this solve? Why would you
want to send encrypted messages in a photo across facebook?

It just seems a really inefficient way of sending an encrypted message.

------
jutz
I don't see a message in the Before or After picture examples. Where is it?

~~~
shawabawa3
The whole point is that the message isn't visible, and it's impossible to be
able to tell if there even is a message.

The message is encoded in the image by very slightly changing the values of
pixels (or some similar method). The message is only revealed with the browser
extension

~~~
elliottcarlson
It's not necessarily impossible to detect that there is a message - there are
plenty of ways to detect them. The challenge is being able to extract the
message without access to the steganography algorithm used, and the
passphrase (which could be brute forced once you have access to the method
used to hide/extract - which is a whole other challenge).

~~~
DanBC
The whole point of steganography is to make it impossible to detect that a
message is included.

Some people can encrypt their messages and send that encrypted message.

But for some people, in some oppressive regime, encrypting a message and
sending it will result in torture. Those people not only have to encrypt the
message, they have to hide the encrypted message.

Unfortunately there are very many proof of concept steganography systems which
demonstrate a concept. ("Let's alter the least significant bits in this gif
image to hide a message.") These are usually trivially easy to detect, and
often easy to disrupt.

This PoC is nice in that it avoids a common disruption - recompression of
images - but it's still a proof of concept.

Since it's from Oxford I would have liked to see some kind of Chaffinch
integration, and some discussion of how much cover text you need to make the
steganographic text hard to find.

EDIT: Whoops! Sorry about Oxford / Cambridge mixup. I've left my mistake in
place.
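
Why the naive replace-the-LSBs scheme mentioned above is easy to spot, as an added example that is not from the thread: overwriting LSBs with message bits equalises the counts of each value pair (2k, 2k+1), which a pairs-of-values chi-square statistic picks up. The histogram is constructed, random bits stand in for an encrypted message, and the check says nothing about the extension's own algorithm.

```python
# Added illustration; COUNTS is a constructed histogram, not data from a real image.
import random

COUNTS = [900, 520, 610, 300, 420, 180, 260, 110, 170, 60, 100, 40, 70, 20, 40, 10]
COVER = [value for value, n in enumerate(COUNTS) for _ in range(n)]


def histogram(samples, size):
    """Count how often each value 0..size-1 occurs."""
    hist = [0] * size
    for s in samples:
        hist[s] += 1
    return hist


def pair_chi_square(hist):
    """Chi-square statistic over pairs (2k, 2k+1); near zero means equalised pairs."""
    stat = 0.0
    for k in range(0, len(hist) - 1, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected > 0:
            stat += (hist[k] - expected) ** 2 / expected
    return stat


def lsb_replace(samples, rng):
    """Naive embedding: overwrite every LSB with the next message bit."""
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


def looks_embedded(samples, size, threshold=20.0):
    """Flag sample sets whose pairs are suspiciously even (threshold is illustrative)."""
    return pair_chi_square(histogram(samples, size)) < threshold


if __name__ == "__main__":
    stego = lsb_replace(COVER, random.Random(1))
    print(pair_chi_square(histogram(COVER, 16)), looks_embedded(COVER, 16))
    print(pair_chi_square(histogram(stego, 16)), looks_embedded(stego, 16))
```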

~~~
owencm
OP here. You're precisely correct, the goal of this project was to demonstrate
a PoC of a steganography algorithm which can avoid JPEG recompression and is
hence suitable for use in walled gardens such as Facebook.

Also, Chaffinch is a Cambridge project so <sarcasm>naturally not worth
integrating with.</sarcasm> But really, this was a single term's undergraduate
research project so scope for such integration was thoroughly out of the
question.

