TCP/IP Stego (was CU-SeeMe)

Jim McCoy mccoy at communities.com
Fri Mar 8 14:53:36 PST 1996



JonWeinke at aol.com writes:
>
>>     -It can be applied by two routers which are in the middle
>>         of the connection.
[...]
>
>You seem to be oblivious to the fact that this technique is only useful for
>ISP's, corporate networks, etc. that the average home computer user will
>never have access to.

I know that, I was just pointing out advantages you overlooked.  I guess
that the fact that I probably know more ISP operators and techs then
non-geeks who use the net made this part more obvious to me.  The original
technique of doing stego on packets is still valid, and by adding it in
to a WinSock lib or linux tcp/ip implementation the user can send hidden
messages just by connecting to a friendly stego-enhanced web server out
on the net and doing some casual browsing.

The difference between the two methods is, as I said before, exactly
the same as the difference between TCP/IP and UUCP.  Hiding info in
images or sound files works fine for "email" or file storage but has
no chance of being an interactive protocol, sometimes you need to
get things done in real-time.

> If I want to send a WAV file of my 2 year old son
>saying "Hi, gramma" (or a 24-bit color TIFF of him practicing nose-picking
>techniques) to my relatives, that is not overtly suspicious behavior, even if
>it has a slight amount of background noise (or graininess).

But your relatives are not the people who you need to communicate secrets
with securely.  These gross stego hacks to sound and image files are best
used to make postings to various binary Usenet newsgroups.  Broadcast the
message and then put it in a place where many people will download it
but only a few will know that it contains the hidden info.  Sending this
stuff via email is just begging for traffic analysis at the very least...

>As long as I
>don't stego too many bits in the file, and I strip out any overt "I'm crypto"
>headers, it will be impossible to prove that stego techniques were used on a
>file.  Finding random bits where random bits normally live cannot be used to
>prove anything.

Provided the bits are random in the way that they should be... The low-order
bits in such files were chosen by implementors of stego programs because
modification would not be noticed by the person viewing or listening to
the file, not necessarily because there was actually randomness at this
level which could be replaced.  Does anyone know of a survey of images or
sound files which tested the statistical randomness of these bits?  They
may not be as random as people think they are.

jim









More information about the cypherpunks-legacy mailing list