-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/26/2016 03:29 PM, Ryan Carboni wrote:

The Russian Illegals spy ring in New York used steganography.

I wasn't able to find much detail on that case (in just a couple of minutes), but it appears that the crew in question were reportedly using a "custom" stego application to hide documents in photos. Steganalysis tools that look for statistical and other anomalies in photos (or audio, etc.) have been under development since ever, and seem to work very well; presumably NSA et al have way better ones than we do. This suggests that the only way to make steganograhy work against State actors is to "act normal" and hope for the best, i.e. that your message traffic will not be inspected. This may sound like it would work, given the terabytes per millisecond of potential carrier files crossing the networks - way more than can be stored and analyzed fast enough for full coverage. Only one little problem: Everyone who has traveled to any "hostile jurisdiction" and everyone who has ever used the word "steganography" in a cleartext message, visited websites on the topic, participated in any kind of online discussion about cryptography, etc. is a small enough set that a large part of /their/ message traffic could be routinely inspected for hidden content by State level actors. So that leaves most spies and all of /us/ out in the cold.

The Caliphate cell in Brussels used truecrypt files uploaded to cyberlockers in Turkey. But the grugq notes that truecrypt files would probably have a fixed size (and even with a random length, it would still round to kilobyte sizes), so it wouldn't be so simple.

Not sure how Truecrypt volumes constitute steganography. Padded ciphertext is still ciphertext, plain as day.

Obviously if state-level actors use these methods against the NSA, steganography does have a good role to play. Problem is that machine learning has advanced substantially. In a worst case scenario, it will be obvious that you have steganographic files, that is if photodna hashes are similar for many files, but fuzzy hashes aren't as similar.

If state-level actors are /caught/ using these methods against the NSA, that would tend to demonstrate that the methods in question do not work against State actors. Hiding files inside of files seems to be a bust, but that's not the only vector for steganography. Manipulating the timing of signal traffic, the timing of "real" environmental noise in audio recordings, the presence/absence/number/postion of certain objects in normal photographs, the presence/location of specific words in text files etc. could convey covert messages with little or no risk of detection through automated analysis - but could not hide kilo- or megabytes of information per carrier file.

The best that could be done would be to make automated scans more probabilistic and less reliable (I have tens of thousands of files on my computer), by embedding encrypted data steganographically in images in the PDF file. The text and images of the PDF file could be procedurally generated.

Any practical stego detection protocol should include native analysis of images embedded in PDF files, with no additional computational overhead vs. analyzing plain old image files. In the case of analyzing the content of seized computer, the presence of stego tools should assure full steganalysis of all relevant files - and stored message traffic to and from the user.

But I'm not an expert. I'm just pointing out what makes sense to me.

Me neither, but I used to be very interested in stenography. Reading up on the subject led me to the conclusion that it should work /great/ against adversaries who "suspect nothing" and/or don't know that stenography exists. Other adversaries, not so much - unless, as noted above, one is using a system more akin to a code than a cipher, which hides a /few/ bits of information in plain sight via the presence, absence or position of "normal" content in text or media files. :o/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJXSGcbAAoJEECU6c5Xzmuq5ngIAMODdmUor3IjxjiAMNas2Eli ORv9hSob7GXpakZrEc7ZLGofrZ8aSJHTPSx9/PR2mqraaRYWEo/P/C6iiDabcGon DVhCfGAuhrUoEwRULVqxJkl/2eP5ycZEXOAaJH3YVeVHkbLK2M5j1zwtUQlz/CB9 FtAN9S8cG0QtiP83sDn/gzU6xJZSQH+lMi9ltbaUKWqkU/p87O8kddnPPdqQyFWE FpsbdvjV919MAb7pXRaFZWVshXfj7YR4YgZ60X4ZOUZ3/sJwJ4x3oEnbStEd8lQb hDF8UxZ53NyuS/h8Brw/eLiYLRdjIWN+0ZqYkG+sjHjS7eFWKAGWyntn7CTOP6I= =kulv -----END PGP SIGNATURE-----