-----BEGIN PGP SIGNED MESSAGE----- Tim May wrote,

(And why not, by the same logic, also create alt.random.numbers, alt.dining.cryptographers, alt.remailers, alt.digital.money, alt.voice.pgp, and so on? All of these are of about the same importance as stegonography. Probably more so, as stegonagraphy is inherently limited by it being "security through obscurity," which typically doesn't last very long. Like invisible inks and microdots--the two compelling examples of past stegonagraphy--once the secret gets out, the technique rapidly fades in significance.)

The whole point is that with Stealth-PGP, you don't need the "obscurity" part. It doesn't matter if people know the Cypherpunks are using steg. But as it is now, with current PGP, using steg is detectable using automated methods, something Clipper will allow. The equivalent of invisible inks and microdots aren't what I'm talking about. I'm talking about sending messages right out there in public, in which your encrypted message is masquerading as noise in the carrier message, and in which nobody can prove that that noise IS a message unless they successfully decrypt it, only possible with the right secret key. How better to render the Clipper chip an insignificant worry?

Cool your jets, Xenon! :-}

I try. I crank down a beer and get enough sleep, and yet a certain fanatical drive remains. Hasn't exactly hurt me much, in fact it's gotten me quite far in this world ;-). I think it's time to fire up all of our jets, and happily yours were fired up too, with your "Sabotage of Clipper" posts here. My point is, Stealth-PGP combined with a steganograph is the technological way to "sabotage" Clipper. It REALLY is. Think about it. But it's just that like you said, most people are struggling just to understand how to use PGP. What I attempted to do was get those people to at least understand what steganography was, and how current PGP will allow random Info Superhighway spot-checks for the soon-to- be-banned use of real encryption. How can they hope to outlaw PGP, if they can't even figure out you are using it?

...cf. my post in 1988 in sci.crypt on the LSB method...

Could someone send me this (Hi Tim), as I only got a modem in '93, five years after the post. Actually with the rate of growth of the internet, MOST people out here haven't seen that post.

...

There's quite a few serious programmer types who want to create steganographic software. I've gotten quite a response to my "announcing" Stealth-PGP on Usenet. The person who gets credit for coming up with the name "Stealth" instead of my boring "VGP" says he has changed plans and hopes to offer an external utility to strip and later restore any PGP message. For the newbies, this isn't just removing the "-----BEGIN..." header and footer!

Maybe I'm revealing myself as one of the "newbies," but what do you mean here? Headers and footers all look the same, meaning they are apparently uncorrelated to the contents (carry no information). I agree that not having them introduces other problems (knowing which bits to treat as the PGP message, as above).

The "headers and footers" are trivial to remove and restore, so they aren't the important thing to strip off and later restore. It's the hidden headers and footer WITHIN any PGP message, binary or ascii, that need to be stripped and later restored. Then steganography is SO much more useful. See pgp.format in the PGP documentation. I'll just say, ideally with such a utility, or updated form of PGP, you could send an encrypted message using steg, or even without using steg, and nobody who wasn't willing to spend some serious time looking into the matter could nail you for sending an encrypted message. "Sufficiently advanced communication is indistinguishable from noise." The problem with knowing WHICH bits to treat as the message is a technicality. The simplest is to make the carrier exactly the right size! You can put padding WITHIN the Stealth-PGP message if you want. And this is only the most simple-minded solution.

I'm not sure who your source was, but be advised that the term "Stealth PGP" was in use at least a year ago....I heard Kelly Goen or Phil Zimmermann refer to a future version of PGP with this name. Not that it really matters a lot, but you ought to be aware that the designers of PGP were aware of the issues you have raised recently. Only so much time to get everything done, though.

"Nobody can be so amusingly arrogant as a young man who has just discovered an old idea and thinks it is his own." - Sydney J. Harris I've been actively reading alt.security.pgp for a year now, and the ONLY time this was mentioned was when I asked about it last year. Very little interest was generated. And given the lack of response of the PGP development team to potential USERS voicing their needs, I think getting the general population of PGP users to know enough to ASK FOR Stealth-PGP, will go a long way in getting the developers to stop putting this on the back burner. Be advised that the person who in the end gets credit for coining a term gets credit for coining a term ;-). If be it lost in some old post, and I've never seen PRZ post to Cypherpunks or alt.security.pgp in the last year, then I get the Pulitzer, since mine got noticed. Yes, I think many of the PGP developers realize a need for Stealth-PGP, but I also think with good justification, that they could use a bit of a push. A bit of an eye-opening about how Stealth-PGP could be the "Underground's answer to the Clipper chip."

... jaded in the face of Xenon's obvious anxiousness to get rolling. It's just that Romana M., for example, put a _huge_ amount of effort into her Stego program...and it was not met with cymbal crashes of enthusiasm, either by folks on this list or outside. I suspect this is because, when you get down to brass tacks, stegonography is just a backwater of crypto (to mix some metaphors horribly). Once you've played around with it, what do you actually _use_ it for?...

That's because PGP tattles on itself, and Stego can be reversed by anyone. Mind shift needed. Think think think. You use it for.... Defeating the Clipper chip. See, they are going to outlaw real crypto soon. I liked the point about how Denning's secret need for the Clipper as being the use of the NSA as an ECONOMIC spy agency, not just for terrorist types. They want to spy on SONY! Now you're talking billions of dollars at stake, for if economics isn't part of "national security", what is? Those kind of forces lead to the common man's rights being forfeited. "Encryption Always Wins" (Who said that?). But only if your encrypted messages can only be shown to BE a message by successfully decrypting it. Here stegonography becomes crucial, NOT to "hide the message", but to give you an EXCUSE for sending random-looking blocks of data.

I happen to agree that transmitting bits in the LSBs of sound and image files gives "plausible deniability" to users of crypto. Work should continue on this. I just don't see much urgency for getting the capability widespread _right now_, especially not when the practical difficulties of using PGP (discussed many times) mean most of us are rarely using it at all!

Well, _right now_, I seem to notice that these guys in suits in Washington are arranging that they have the tools needed to smart-search not just the internet but ALL electronic communication for PGP messages. Then your name goes on their "crypto subversive" list, and the computer starts logging WHO you are talking to, and then 1984 has arrived. This is happening _right now_.

Plenty of higher priority projects, in my opinion.

Those projects, at least those that relate to Clipper, seem to be politically oriented. "Sabotage Clipper", "Call you reps", "Join EFF", "Get more to use remailers and PGP". These are great, but if you step back and look for what acts will have true historical significance, Stealth-PGP alongside a nice Plug-and-Play steganograph looks to me like what's going to make it into the history books, and is what will have the most damning effect on those pushing their silly Clipper chip on us. The other point, crucial in my mind, is that getting large numbers of people to use PGP becomes much less important if you have Stealth-PGP and a steganograph. Then in effect they are still helping you obtain "obscurity", but all they need to do is send ANY digital message that has noise in it. There's a paradigm-shift needed here. When it clicks into place in one's mind, you will see why I am so adamant about Stealth-PGP, for rather than being a back-burner project, it is THE very thing that is most important for the defeat of Big Brother's Clipper chip and his wiretap proposals. It REALLY IS a "Stealth" technology. I'm sure there are already thousands in repressive countries who need it NOW, and if you don't call the USA a repressive country as well, I've got a burning Constitution and Bill of Rights for you burn your hands on. You can nit-pick specific details and problems with the idea, but that's why I proposed alt.security.steganography. I think we could make this thing fly. Maybe steganography isn't even the right word however! I'm not talking about hiding a plaintext message on an electronic microdot.

My advice is to discuss it here, or on sci.crypt. If the volume is consistently high for at least several months, that's the time to think about creating a special group or list for it.

Message received. -=Xenon=- -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLV+JjgSzG6zrQn1RAQHSSgP/cL61D/OwM4VHfk9aL7LC+JC0kDxdHwRQ 4/MxFd66EVXONCnYSRxTE8WRJsuNdOGTzDW2L43cMNeik3/jZd9vdb3pn7YibrSN 2Z+8qKfeKAvJMLNkIZ3xGz6/radp0gjHpU6/raIi33yGwCn1au3yRcoP7iy1yDHa i1GKC3E2T54= =6bwj -----END PGP SIGNATURE-----