Schneier on Stego, Dead Drops, bin Laden

[Adam Back]

Bruce writes about uses of steganography as digital dead drops.

But he also claims that there are no business uses for steganography.
I don't think this claim is valid.

There are business scenarios where traffic analysis can leak
information about potential mergers, investment analysis activity and
so on.

Steganography is just a valid mechanism to hide traffic as cover
traffic.  Stego in fact offers marginally higher security against
traffic analysis because it will not be evident that the two parties
exchanged information, nor even had the opportunity to.  The
opportunity to have communicated would be evident if they were using
just cover traffic.

Apart from business uses there are uses for civil rights workers, and
generally members of the public who choose to retain association
privacy.

I don't think we should be giving the press and government ammunition
in their arguments to ban various forms of crypto, especially for
forms of communication which may help civil rights workers, and which
infringe on the tools available to the individual to partially regain
his privacy be that confidentiality or of association.

Adam

On Tue, Sep 25, 2001 at 09:42:53AM -0700, Subcommander Bob wrote:
> Monday September 24 01:15 PM EDT
> 
>         Terrorists and steganography
>         By Bruce Schneier, Special to ZDNet
>
>         Why can't businesses use this? The primary reason is that
> legitimate businesses don't need dead drops. I remember one company
> talk about a corporation embedding a steganographic message to its
> salespeople in a photo on the corporate Web page.  Why not just send
> an encrypted e-mail? Because someone might notice the e-mail and
> know that the salespeople all got an encrypted message. So send a
> message every day: a real message when you need to, and a dummy
> message otherwise. This is a traffic analysis problem, and there are
> other techniques to solve it. Steganography just doesn't apply here.