What about Walter making insignificant changes to the cleartext and replacing the hash with the new hash?

Because you are using an unkeyed hash (and not a sig) he can do that and foul up the stegomessage

Walter can still play silly spooks with your stego if he breaks the

40-bit encryption.

True. The examples was just illustrative. Given unkeyed hashes or 40 bit encryption, Walter could also frame you by replacing your bits with ones that combine into a very incriminating encrypted message and then leaking the key.

The cyphertext/plaintext ratio looks like getting really huge too. Your messages must all arrive, and retain the right order.

Hey, I never claimed it was efficient. :-) Actually, the messages don't have to arrive in order. The correct order can be discovered by trial and error (e.g. does this combination decrypt into something readable? No. How about this one?). Depending on the cryptographic protocol, there may be other, more efficient means for sending hidden encrypted messages. If, for example, a protocol requires a cryptographically random confounder to be appended to the front of the plaintext before encryption, you could use chunks of you secret encrypted message for the entire confounder. Jim_Miller@suite.com