Has this photo been de-stegoed? (and Clouds)

Thu Dec 11 11:35:51 PST 2003

Variola wrote...

"How do you know the signature of the unaltered carrier-medium?
E.g., have you measured the LSBit noise from my camera recently?
Under which lighting conditions?"

Well, having done some optical signal processing (and getting a patent in 
that area, come to think of it), I imagined that most photos will naturally 
have some image noise in certain frequency bands...this noise would not have 
to have anything to do with your camera or whatever, but is probably a 
function of what's in the image. For instance, a picture of a naked girl 
standing in front of drywall probably has very little useful image energy in 
spatial frequencies represented down at the length of a pixel. In a spatial 
fft there's probably a lot of low frequency white noise for a while, until 
you get to the level of the shorter body hairs and whatnot. And then there 
may be spatial freuency bands between that and her height that are nearly 
unoccupied with image energy.

>From a spatial/fft perspective I imagined that this is where stego'd 
information goes. I also imagined that if it were done in a very simple way, 
the stegoed info will be fairly obvious to someone knowledgeable and looking 
at the spatial fft of the image. I imagine that it will look obvious 
because, to an expert, it won't look like the authentic kind of noise 
expected there. If the information is encrypted, I consider it possible that 
the noise may even look too "perfect" perhaps.

If that's true, then I suspect it's often possible to determine that a 
photo's stego has been removed. Or at least, there will be cases where stego 
removal will be "obvious".

Come to think of it, I bet TLA operatives are given precise instructions 
about what kinds of photos make for undiscernable stego (I'd bet where the 
spatial image information is not well-concentrated into "bands"). In other 
words, a photo with all different-sized objects in it. Perhaps they even 
travel with some photos for just this purpose.

Hum. I wonder if photos of "clouds" work well for this purpose. That would 
actually explain something I encountered recently....

-TD

>From: "Major Variola (ret)" <mv at cdc.gov>
>To: "cypherpunks at lne.com" <cypherpunks at lne.com>
>Subject: Re: Has this photo been de-stegoed?   (and Anonymity)
>Date: Thu, 11 Dec 2003 10:26:16 -0800
>
>At 06:22 PM 12/10/03 +0200, Anatoly Vorobey wrote:
> >On Tue, Dec 09, 2003 at 04:20:20PM -0600, Declan McCullagh wrote:
> >> We have anonymity in Web browsing (more or less, thanks to Lance &
> >> co). It's not NSA-proof, but it's probably subpoena-proof.
> >>
> >> We have anonymity in email thanks to remailers (to the extent they're
>
> >> still around).
> >>
>...
> >
> >alt.anonymous.messages has a healthy amount of traffic.
>
>One could count some fraction of all the *.binaries.* on usenet
>as anonymous communications (via stego), but then you'd have to know
>how many are stego'd, and that is the game after all.
>
>
>At 02:24 PM 12/8/03 -0500, Tyler Durden wrote:
> >Is it possible to determine that the photo 'originally' (ie, when it
>was
> >sent to me) contained stegoed information, but that it was intercepted
>in
> >transit and the real message overwritten with noise or whatever?
>
>Yes.  Trivially, If your correspondent told you, but that's out of
>band.  Otherwise,
>If there *remains* info which was not washed out "in transit", then that
>
>would be an inband way.  Maybe all the pictures with a red flower
>in them are carriers, and this content isn't washed out.  Maybe its a
>more subtle crypto-watermark, independent of the stego'd message.
>
> >Now I know pretty much nothing about this subject, but I would suppose
>that
> >de-stegoing a photo must like some kind of spatial spectral fingerprint
>that
> >should be visible after the photo is FFT'd (is there freeware software
>out
> >there?).
>
>1. How do you know the signature of the unaltered carrier-medium?
>E.g., have you measured the LSBit noise from my camera recently?
>Under which lighting conditions?
>
>2. Don't you think I can measure the properties of my carrier and shape
>the stego'd info to match?   (This does get into an arms race over what
>properties to measure.)
>
> >Now I IMAGINE that a sophisticated interceptor could substitute
>'believable'
> >de-stego-ing noise so that it would look like the photo never had any
>stego
> >in the first place. OR...is this actually 'impossible' to do perfectly?
>
>You don't just put your message in the LSBits or whatever.  You
>compress,
>encrypt, and possibly redundantly code them.  Then you shape the noise
>to match the bits you're replacing.
>
>
> >And then, what if the interceptor tried to put an alternate message in
>there
> >instead? Is there a way to tell that there was originallya different
>message
> >there?
>
>Depends on the coding.
>
> >My assumption first of all is that nothing was done to prepare the
>photo
> >against these possibilities.
>
>Just make sure you did the original analog recording and destroy the
>original after you stego it.  Best also if you never post unstego'd
>messages
>so the Adversary can't measure your raw carrier.
>
>A simple stego message was placed without real
> >thought about whether it might be intercepted and altered.
>
>You shouldn't stego life-critical messages without proper training in
>the use of your tools.
>(That training may vary with personality, see _Silk and Cyanide_.  Some
>like "why",
>some like "do this".)
>
>-----
>"You can have democracy when you vote for the people we approve of"
>King George to the Colony of Iraq

_________________________________________________________________
Cell phone switch rules are taking effect  find out more here. 
http://special.msn.com/msnbc/consumeradvocate.armx