CDR: stego for the censored
I'm currently looking for a way to get encrypted data via stego to people who live in countries where crypto is illegal, and who may be watched. so just sending them a large graphic would likely arouse suspicion. the 2 best solutions I've come up with so far are porn and spam. both are readily believable, even in large quantities. the problem with porn is that it may be illegal in itself in the same countries. the problem with spam is that ascii text just doesn't offer much to hide stego in (whitespacing, etc. is both easy to find and can store very little data).
Tom Vogt wrote:
I'm currently looking for a way to get encrypted data via stego to people who live in countries where crypto is illegal, and who may be watched. so just sending them a large graphic would likely arouse suspicion.
the 2 best solutions I've come up with so far are porn and spam. both are readily believable, even in large quantities. the problem with porn is that it may be illegal in itself in the same countries. the problem with spam is that ascii text just doesn't offer much to hide stego in (whitespacing, etc. is both easy to find and can store very little data).
Spam seems the best bet. Sometimes you get the same spam message multiple times, each message identical except for the munged return address. You can use that address to encode a few bytes per message. Send the same message ten times and you have enough of a channel for a short message. Maybe you could boost the information per message by doing the same trick with a header line.
-- Steve Furlong, Computer Condottiere Have GNU, will travel 518-374-4720 sfurlong@acmenet.net
On Thu, 5 Oct 2000, Tom Vogt wrote:
I'm currently looking for a way to get encrypted data via stego to people who live in countries where crypto is illegal, and who may be watched. so just sending them a large graphic would likely arouse suspicion.
the 2 best solutions I've come up with so far are porn and spam. both are readily believable, even in large quantities. the problem with porn is that it may be illegal in itself in the same countries. the problem with spam is that ascii text just doesn't offer much to hide stego in (whitespacing, etc. is both easy to find and can store very little data).
There are at least two more ideas that come to mind here. The first would be to embed links in your spam messages which take you to sites that you have previously set up which contain a high amount of graphics. You could then hide the data steganographically in those images. Of course an automated tool of retrieval for those sites would be handy then as well (say a browser plugin which scans images, tries to extract data out of each image and only accepts the extracted information if it has been signed with a previously agreed on key -- I favour a browser plugin over a commandline tool cause it would maybe look a little bit suss if somebody mirrored a 'become-a-millionaire-in-two-weeks'-website with wget or similar tools).
You might also want to have a look at MP3Stego, a tool which allows hiding of information in MP3 files. URL: http://www.cl.cam.ac.uk/~fapp2/steganography/mp3stego/ Sending someone a couple of megs of non-copyrighted mp3s (say bolivian folklore) should not raise too much suspicion, or better yet, just mail him links to some geocities account where he can download them instead of sending them directly.
Any method for data transfer can be used for steganography -- just be creative.
Cheers, -Ralf
-- Ralf-P. Weinmann <rpw@uni.de> PGP fingerprint: 2048/46C772078ACB58DEF6EBF8030CBF1724
At 2:31 PM +0200 10/5/00, Tom Vogt wrote:
I'm currently looking for a way to get encrypted data via stego to people who live in countries where crypto is illegal, and who may be watched. so just sending them a large graphic would likely arouse suspicion.
the 2 best solutions I've come up with so far are porn and spam. both are readily believable, even in large quantities. the problem with porn is that it may be illegal in itself in the same countries. the problem with spam is that ascii text just doesn't offer much to hide stego in (whitespacing, etc. is both easy to find and can store very little data).
Music. CDs are rarely restricted...DATs are probably uncommon, though.
A typical 700 MB CD carries 43 MB in the LSBs. The LSBs are at the microphone/cable/preamp noise levels..probably even the 2nd least significant bits as well.
This is, of course, vastly more storage space than nearly any user might need. (Folks may recall that audio stego was one of my main examples for crypto anarchy a decade or so ago, where I cited the example of the B-2 bomber blueprints packed into the LSB of a Michael Jackson DAT.)
Audio editing programs are common, for mixing tracks, altering compressions, etc. Many of these are freeware or readily available, for Windows, etc. It should be feasible to write the glue stuff to insert and extract bitstreams into the LSBs.
--Tim May
--
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
Tim May wrote:
Music. CDs are rarely restricted...DATs are probably uncommon, though.
MP3 ? let's mix that with an idea I've been discussing in private mail. here's a proposal:
set up a service that you can subscribe to. say: www.dailymusic.com - fill out a profile and we select a random number of songs from our huge archive of free mp3s that we believe you will like (snippets actually, with links to the full-length version). there's a constantly changing webpage for you that shows a list of songs. if you heard one (by clicking on the link), it's removed, and sometime later (all random!) a new one will be added.
set up a second service, say: www.cryptomail.com - where you can subscribe for an e-mail address. however, we don't forward the mails to you, we stego them into an mp3. you automatically get a subscription with the first service as well, except that the number of songs isn't random for you, it's the number of mails you got.
to avoid checksum creation, the snippets are made randomly and/or all songs have a "watermark" (with timestamp) implemented by, guess what, steganographic means.
comments?
the dailymusic.com service serves as a deniability front. since there is NO hint on its website to the other service, you can plausibly deny that you know about that one.
Reese wrote:
MP3 ?
Lossy compression.
balance snipped, we need lossless compression, eh?
nope we don't. remember that everyone said that .jpeg couldn't be used for stego for that same reason? then the first .jpeg-stego tools arrived.
On Fri, 6 Oct 2000, Tom Vogt wrote:
Lossy compression.
balance snipped, we need lossless compression, eh?
nope we don't. remember that everyone said that .jpeg couldn't be used for stego for that same reason? then the first .jpeg-stego tools arrived.
The only problem with lossy compression is that it severely limits the capacity of the covert channel. On the other hand, embedding a maximum amount of data into a data stream and losslessly coding the result will certainly show in the compression ratio.
Some recent work in audio watermarking has achieved speeds of a couple of hundreds of bits per second. Of course most of those do not get through mp3 but the good thing is that these methods are for all practical purposes inaudible. Built for realtime use with e.g. shoutcast such methods should be capacious enough even after error correction. There's certain irony in using copyright protection research this way, as well...
Sampo Syreeni <decoy@iki.fi>, aka decoy, student/math/Helsinki university
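Added example, not part of the original thread: a Python check of the claim above that heavy LSB embedding "will certainly show in the compression ratio", run against a cover with no noise floor and one with a few LSBs of noise. The 441 Hz tone, the noise levels, the seed and all function names are constructed for illustration; random bits stand in for an encrypted payload and zlib stands in for the lossless coder.

```python
import math
import random
import struct
import zlib

N = 44100        # one second of mono audio at the CD sample rate
PERIOD = 100     # samples per cycle of the constructed 441 Hz tone

def make_cover(noise_lsb, rng):
    """Constructed 16-bit PCM: a pure tone plus Gaussian noise (RMS in LSB units)."""
    samples = []
    for i in range(N):
        tone = 8000 * math.sin(2 * math.pi * (i % PERIOD) / PERIOD)
        samples.append(round(tone + rng.gauss(0, noise_lsb)))
    return samples

def replace_lsbs(samples, rng):
    """Overwrite every sample's lowest bit with a random bit (stand-in for ciphertext)."""
    return [(s & ~1) | rng.getrandbits(1) for s in samples]

def compressed_ratio(samples):
    """Size after lossless coding (zlib here) divided by the raw PCM size."""
    raw = struct.pack("<%dh" % len(samples), *samples)
    return len(zlib.compress(raw, 9)) / len(raw)

def ratio_jump(noise_lsb, seed=2000):
    """Return (cover ratio, stego ratio) for a cover with the given noise floor."""
    rng = random.Random(seed)
    cover = make_cover(noise_lsb, rng)
    stego = replace_lsbs(cover, rng)
    return compressed_ratio(cover), compressed_ratio(stego)

if __name__ == "__main__":
    for noise in (0, 4):
        cover_r, stego_r = ratio_jump(noise)
        print(f"noise floor {noise} LSB: cover {cover_r:.3f}, stego {stego_r:.3f}")
```

On the noiseless cover the ratio rises sharply once the LSBs are replaced; with a noise floor of a few LSBs the two ratios are nearly equal, so a compression-ratio check on its own is only a reliable indicator for low-noise material.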
At 01:03 PM 06/10/00 +0200, Tom Vogt wrote:
Reese wrote:
MP3 ?
Lossy compression.
balance snipped, we need lossless compression, eh?
nope we don't. remember that everyone said that .jpeg couldn't be used for stego for that same reason? then the first .jpeg-stego tools arrived.
hmmm. Introduce the stego, after the .mp3 conversion has been performed, so that new data is introduced to the new .mp3, same as was done with the .jpg files. ok, we are parsing at the same bit rate, I read you loud and clear on this,,, Reese
----- Original Message -----
From: Tim May <tcmay@got.net>
To: Tom Vogt <tom@ricardo.de>; <cypherpunks@cyberpass.net>
Sent: Thursday, October 05, 2000 9:11 AM
Subject: Re: stego for the censored
At 2:31 PM +0200 10/5/00, Tom Vogt wrote:
I'm currently looking for a way to get encrypted data via stego to people who live in countries where crypto is illegal, and who may be watched. so just sending them a large graphic would likely arouse suspicion.
the 2 best solutions I've come up with so far are porn and spam. both are readily believable, even in large quantities. the problem with porn is that it may be illegal in itself in the same countries. the problem with spam is that ascii text just doesn't offer much to hide stego in (whitespacing, etc. is both easy to find and can store very little data).
Music. CDs are rarely restricted...DATs are probably uncommon, though.
A typical 700 MB CD carries 43 MB in the LSBs. The LSBs are at the microphone/cable/preamp noise levels..probably even the 2nd least significant bits as well.
I can see an excellent application for all of our old long-out-of-print LP's: Digitize them (assuming we still have an operational turntable!) and the noise level will be comfortably high. And, there is no digital "reference" for this audio anywhere, so comparisons will be virtually impossible. (Just re-digitize the same LP for a dramatically-different dataset, at least in the 6-7 LSB's.)
jim bell wrote:
I can see an excellent application for all of our old long-out-of-print LP's: Digitize them (assuming we still have an operational turntable!) and the noise level will be comfortably high. And, there is no digital "reference" for this audio anywhere, so comparisons will be virtually impossible. (Just re-digitize the same LP for a dramatically-different dataset, at least in the 6-7 LSB's.)
that would be a good and unique source of data, with the added advantage of strengthening the cover. I'm currently thinking of whether or not it is feasible to put stego data into EVERY .mp3 downloaded. just put random data into those not intended to carry a message.
On Fri, 6 Oct 2000, Tom Vogt wrote:
I'm currently thinking of whether or not it is feasible to put stego data into EVERY .mp3 downloaded. just put random data into those not intended to carry a message.
For the sake of us audiophiles, please don't. MP3 is tinny and flat at best; it ticks me off that most folks seem to hear it as "good enough", because if most folks hear it as "good enough" it means we're not going to get a better sound format widely used. You're talking about making the audio channels a bit (more or less) thinner, but they're too thin already. Bear
At 10:52 AM 10/6/00 -0400, Ray Dillinger wrote:
For the sake of us audiophiles, please don't. MP3 is tinny and flat at best;
Then why are you 'audiophiles' traumatizing yourselves by listening to it?
it ticks me off that most folks seem to hear it as "good enough", because if most folks hear it as "good enough" it means we're not going to get a better sound format widely used.
First 'good enough' depends on environment, e.g., ambient noise ---how about that computer fan, much less the noise in a car? Second, why did we evolve CDs if LPs were 'good enough' for most? [Besides portability]
You're talking about making the audio channels a bit (more or less) thinner, but they're too thin already.
Bear
We're talking about covertext, not rec.audio.cypherpunks.audiophile
On Fri, 6 Oct 2000, David Honig wrote:
At 10:52 AM 10/6/00 -0400, Ray Dillinger wrote:
For the sake of us audiophiles, please don't. MP3 is tinny and flat at best;
Then why are you 'audiophiles' traumatizing yourselves by listening to it?
For the most part, I'm not. I had just hoped to have a better music format available on the web, and it looks like MP3 is blocking it from happening.
We're talking about covertext, not rec.audio.cypherpunks.audiophile
To your message recipient, it's covertext. To everybody else who downloads tunes, (since you're talking about putting stego in *all* MP3s downloaded from your site) it's degraded sound quality. Understand, it's your site and you do what you want: I'm just saying MP3 is already too thin. My crypto-relevant warning to you is that if you stego it at all heavily, the difference will be audible to some people. Even if you can't hear the difference, somebody (maybe a lot of somebodys) will be able to, and this could tip snoops off to the existence of the stegogram. Bear
There are better compression mechanisms available - AT&T's a2bmusic compression system claimed to use about half the bandwidth for equivalent audio quality, by using better models of human hearing in their algorithms, and I think SDMI and one of Sony's formats also do something like that. The catch is that most of them also include copy protection systems, with the attempted tradeoff of "better compression for copy protection" and they haven't been able to overcome the popularity of MP3 (as much because of Napster as because of copy protection, I suspect.)
There are two ways to hide stego text in MP3 or JPEG. One is before the compression - figure out the kind of sound/picture data that will survive the compression mechanism, which is very hard, but more useful for watermarking. The other is after the compression - where you have to find methods that won't mess up the decompressed version, which may be hard, but either you might not care about the decompressed quality (depends on your threat model) or there might be ways to encode stuff that's either comment-like, so not decompressed at all, or only affects very small parts of the decompressed.
At 04:40 PM 10/6/00 -0400, Ray Dillinger wrote:
On Fri, 6 Oct 2000, David Honig wrote:
At 10:52 AM 10/6/00 -0400, Ray Dillinger wrote:
For the sake of us audiophiles, please don't. MP3 is tinny and flat at best;
Then why are you 'audiophiles' traumatizing yourselves by listening to it?
For the most part, I'm not. I had just hoped to have a better music format available on the web, and it looks like MP3 is blocking it from happening.
We're talking about covertext, not rec.audio.cypherpunks.audiophile
To your message recipient, it's covertext. To everybody else who downloads tunes, (since you're talking about putting stego in *all* MP3s downloaded from your site) it's degraded sound quality.
Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
At 10:52 AM 10/6/00 -0400, Ray Dillinger wrote:
For the sake of us audiophiles, please don't. MP3 is tinny and flat at best;
Then why are you 'audiophiles' traumatizing yourselves by listening to it?
it ticks me off that most folks seem to hear it as "good enough", because if most folks hear it as "good enough" it means we're not going to get a better sound format widely used.
First 'good enough' depends on environment, e.g., ambient noise ---how about that computer fan, much less the noise in a car?
Second, why did we evolve CDs if LPs were 'good enough' for most? [Besides portability]
Portability, and durability were primary concerns, plus it's cheaper to make a "decent" sounding CD system than a *decent* sounding analog system. LPs (Well, *properly cared for LPS from early in the production run) (even to my Tin Ear) sound *better* than CDs when played on high end equipment, and when playing music where absolute fidelity matters. CDs are just cheaper to produce, easier to carry around, subject to less degradation when *mildly* abused etc.
-- A quote from Petro's Archives:
Sometimes it is said that man can not be trusted with the government of himself. Can he, then, be trusted with the government of others? Or have we found angels in the forms of kings to govern him? Let history answer this question. -- Thomas Jefferson, 1st Inaugural
On Fri, 6 Oct 2000, Tom Vogt wrote:
I'm currently thinking of whether or not it is feasible to put stego data into EVERY .mp3 downloaded. just put random data into those not intended to carry a message.
For the sake of us audiophiles, please don't. MP3 is tinny and flat at best; it ticks me off that most folks seem to hear it as "good enough", because if most folks hear it as "good enough" it means we're not going to get a better sound format widely used. You're talking about making the audio channels a bit (more or less) thinner, but they're too thin already.
But if you make them a little "thinner" (and I'll admit to having a tin ear, and preferring the kind of music that doesn't suffer much in that kind of compression), won't that mean that it will sound worse to more people, thus making the push for a better format?
-- A quote from Petro's Archives:
Sometimes it is said that man can not be trusted with the government of himself. Can he, then, be trusted with the government of others? Or have we found angels in the forms of kings to govern him? Let history answer this question. -- Thomas Jefferson, 1st Inaugural
On Fri, 6 Oct 2000, Tom Vogt wrote:
I'm currently thinking of whether or not it is feasible to put stego data into EVERY .mp3 downloaded. just put random data into those not intended to carry a message.
On Fri, 6 Oct 2000, Ray Dillinger wrote:
You're talking about making the audio channels a bit (more or less) thinner, but they're too thin already.
On Sat, 7 Oct 2000, petro wrote:
But if you make them a little "thinner" won't that mean that it will sound worse to more people, thus making the push for a better format?
Um, possibly if *all* MP3's were made with stegodata. If there is *one* source of MP3's that's stego'd and a bunch of other people trying to make them sound as good as possible, the one supplier with consistently poor sound quality will stand out when someone goes looking for stegograms.
One thing, which you pointed out in a comment I snipped above, is that some music adapts better to MP3 compression than other music. There is plenty of room for stegodata in synthesizer-pop bands like "Yes" and "The Eurythmics", but almost none in layered atmospheric music like "Enya". If you pick and choose which plaintexts to stego, you can probably be less obtrusive about it.
Bear
At 07:05 AM 10/6/00 -0400, Tom Vogt wrote:
I'm currently thinking of whether or not it is feasible to put stego data into EVERY .mp3 downloaded. just put random data into those not intended to carry a message.
Problem is that repeatedly decoding an .mp3 into a .wav, then feeding the .wav and the stegobits into a stego-mp3-compressor[1], will lose quality with each iteration. But if you're just taking 'first generation' simple rips off a CD or LP or Napster :-) you can do it easily.
[1] http://www.cl.cam.ac.uk/~fapp2/steganography/mp3stego/
At 02:31 PM 10/5/00 +0200, Tom Vogt wrote:
I'm currently looking for a way to get encrypted data via stego to people who live in countries where crypto is illegal, and who may be watched. so just sending them a large graphic would likely arouse suspicion.
the 2 best solutions I've come up with so far are porn and spam. both are readily believable, even in large quantities. the problem with porn is that it may be illegal in itself in the same countries. the problem with spam is that ascii text just doesn't offer much to hide stego in (whitespacing, etc. is both easy to find and can store very little data).
MP3s are probably a better approach, though somebody has to write a decent MP3 stego program. Live concert recordings are good cover, since they get around the problems of intellectual property (usually) and the problems of visible differences between widely available recordings with or without stego (and they have lots of background noise.)
Peter Wayner did a paper a while back on "Mimic Functions" - ways of encoding data in material that matches cover text using whatever level of detailed grammar productions you want to use.
Thanks! Bill
Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (11)
- Bill Stewart
- David Honig
- jim bell
- petro
- Ralf-Philipp Weinmann
- Ray Dillinger
- Reese
- Sampo A Syreeni
- Steve Furlong
- Tim May
- Tom Vogt