Is anyone here on the Steganography mailing list? Last I checked it looked pretty dead, which is a shame. Stego seems to be a really important topic, and a difficult one at that. The good news is there's all sorts of entropy in the data we send back and forth, the bad news is it's hard to actually exploit it. tcmay@got.net (Timothy C. May) writes:
This is my take on fixing the stego situation. Instead of worrying about a "stealth PGP version," which is likely to be only a slight speed bump (because of the statistics), think about flooding the detection channels.
The stealth PGP is, of course, a necessary element: you have to remove the big "THIS IS AN ENCRYPTED MESSAGE FOR RESISTOR-CELL-23" before you can slip it in somewhere. As noble as "flood the detection channels" sounds, has it really ever succeeded? Do people who don't care about privacy day to day ever go through extra trouble to make other people's privacy easier? I can think of two public efforts to increase noise that have failed: putting Spook keywords in all Usenet posts, and using PGP email for normal day to day traffic. The failure of the second channel-flooding is especially notable: even people doing serious crypto hacking, with well established public keys, don't seem to PGP encrypt normal day to day traffic. It's just not convenient enough. I think asking people to increase entropy in their day to day communication is doomed to fail, it's just too much trouble. Better to exploit the entropy we already have, and maybe encourage designers of new systems to build in some extra entropy sources when they get the chance. I've got some specific ideas, but am a bit nervous about talking about them because of intellectual property issues. Also, I'm not convinced that unlike cryptography, some extra security can be maintained in a steganographic system by not disclosing the way it works. I haven't resolved these concerns, but would be happy to engage in some metadiscussion about them.