Re: Schneier on Stego, Dead Drops, bin Laden
Bruce writes about uses of steganography as digital dead drops. But he also claims that there are no business uses for steganography.

I don't think this claim is valid. There are business scenarios where traffic analysis can leak information about potential mergers, investment analysis activity and so on. Steganography is just a valid mechanism to hide traffic as cover traffic. Stego in fact offers marginally higher security against traffic analysis because it will not be evident that the two parties exchanged information, nor even had the opportunity to. The opportunity to have communicated would be evident if they were using just cover traffic.

Apart from business uses there are uses for civil rights workers, and generally members of the public who choose to retain association privacy.

I don't think we should be giving the press and government ammunition in their arguments to ban various forms of crypto, especially for forms of communication which may help civil rights workers, and which infringe on the tools available to the individual to partially regain his privacy be that confidentiality or of association.

Adam

On Tue, Sep 25, 2001 at 09:42:53AM -0700, Subcommander Bob wrote:
Monday September 24 01:15 PM EDT
Terrorists and steganography By Bruce Schneier, Special to ZDNet
Why can't businesses use this? The primary reason is that legitimate businesses don't need dead drops. I remember one company talk about a corporation embedding a steganographic message to its salespeople in a photo on the corporate Web page. Why not just send an encrypted e-mail? Because someone might notice the e-mail and know that the salespeople all got an encrypted message. So send a message every day: a real message when you need to, and a dummy message otherwise. This is a traffic analysis problem, and there are other techniques to solve it. Steganography just doesn't apply here.
Schneier has never really cared much for steganography and he seems to take every opportunity to belittle it. In _Secrets and Lies_, he argues that he's never received images in email and so steganography will fail for lack of a channel.

In any case, there are plenty of business uses of whatever might be called steganography. The term itself is difficult to pin down because it could include many things that people do without realizing that they're engaged in steganography.

Microsoft Office tags documents with the serial number of the document creator. The creator and everyone else who sees the document will never see this number, but it's there. I think the serial number is there to help them track down piracy and copyright infringement.

The content creation companies from the music and movie business are also big believers in steganography. They hope the tool will allow them to mix in copyright messages into digital copies.

The U.S. government has long explored ways to tag documents, presumably to help track classified information that might fall into the hands of terrorists.

U.S. government agents in pursuit of terrorists must often use steganography to communicate with other agents. Hiding the message stream may be the only way they can maintain their cover.

Lately the press has been focusing on the unproven possibility that the terrorists may use steganography to communicate. The complete story should include how the technology is used against terrorism and digital piracy.
participants (2)
- Adam Back
- Peter Wayner