yes, they look for stego, as a "Hacker Tool"

Thomas Shaddack shaddack at ns.arachne.cz
Fri Aug 13 16:48:06 PDT 2004


On Fri, 13 Aug 2004, Major Variola (ret) wrote:

> Any jpg which looks like noise will be of interest.  And any stego 
> program will make them look at your images (etc) more closely :-)
> 
> Most of the programs they've hashed is so the forensic pigs can discount 
> them. But they would find known-stego tools very interesting. And they 
> would find them, even if renamed, from their sigs; but not if 
> polymorphic or encrypted, but then they would be in the "unknown" 
> category, along with user-created files.  And programs :-)  To be 
> manually inspected by a forensic dude.

Run a tool for signature changing preemptively, on *all* the files in the 
system that can be changed without changing their function? Then you have 
the forest where every tree is marked and the leprechaun is laughing.

> These hash-CDROMs are also useful for finding unlicensed software and
> music....

Another reason for making your data unique.

> ----
> Osama sez: Always use original images and sounds as stego carriers.

DV camcorders are becoming increasingly popular. Is there any software to 
stego the data into DV streams? Such files are suitable as carriers, as it 
is easy to produce gigabytes and gigabytes of meaningful data from a 
single friend's wedding - which allows even sparse encoding without having 
an improbable amount of data.

> And keep your tools encrypted, or on memory sticks you can flush or
> snap with your fingers.

Beware of destruction of memory sticks; as long as the Flash chip is 
intact, even if its casing itself is broken, it is easy for a properly 
equipped lab to get the chip out of the case and bond it to a new casing. 
The Flash chips used in the USB disks have serial interfaces, which makes 
the task of connecting them again rather easy, if you have the right toys 
(available for anybody who does e.g. thick-layer hybrid circuits).


A neat trick to lower the suspicion-factor for stego in JPEG or video 
could be releasing a closed-source program for Windows as either freeware 
or easy-to-hack (or without the time check at all) shareware (we don't 
want the money here, but we want the people to think it's doing a lot of 
good for them, and there still is a segment of consumers who think that 
when it is free, it's worthless), which is touted loudly for enhancing the 
images. While all it can be doing is to slightly manipulate brightness and 
contrast in the too dark or too light areas, smear or sharpen the image a 
little bit; maybe just a couple of NetPBM tools cobbled together with a nice 
interface added (we'll violate the licence here, but that's a minor detail 
- which can further serve to bring attention to the tool). And, last but 
not least, inserting steganographed random data into them. Maybe 
something meaningful, maybe just random data, maybe perhaps random data 
chunked to packets looking like a GPG-encrypted file.

Put it online, wait until the news is slow, and get some computer 
graphics magazines interested in it, writing articles about it. Perhaps 
run an astroturf campaign, guerrilla marketing. Get it distributed on the 
CDs shipped with them. Even with just a fraction of a % of the images "in the 
wild" there will be a lot of them looking like stegoed, serving as a 
convenient smokescreen for the "real" ones.

The sheeple don't have to be only a threat. They can be useful, if their 
gullibility is properly exploited.
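
Added example, not part of the original message: a sketch of the hash-set triage the quoted text describes, sorting files into known-benign (discounted), known-notable (flagged even when renamed) and unknown (manual inspection), and reporting the share of files left for the examiner. The reference sets, file names and contents are constructed placeholders, not values from any real hash database.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents (assumptions for this example).
STOCK_BINARY = b"constructed stand-in for a stock OS binary"
CATALOGUED_TOOL = b"constructed stand-in for a catalogued stego tool"

# Hypothetical reference sets, keyed by content hash only.
KNOWN_BENIGN = {sha256(STOCK_BINARY)}
KNOWN_NOTABLE = {sha256(CATALOGUED_TOOL)}

def triage(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify files by content hash; the file name plays no part."""
    buckets = {"ignore": [], "flag": [], "manual_review": []}
    for name, data in sorted(files.items()):
        digest = sha256(data)
        if digest in KNOWN_NOTABLE:
            buckets["flag"].append(name)
        elif digest in KNOWN_BENIGN:
            buckets["ignore"].append(name)
        else:
            # No match in either set: the "unknown" category.
            buckets["manual_review"].append(name)
    return buckets

def manual_share(buckets: dict[str, list[str]]) -> float:
    """Fraction of all files that an examiner must look at by hand."""
    total = sum(len(names) for names in buckets.values())
    return len(buckets["manual_review"]) / total if total else 0.0

# Constructed sample of a seized file system.
SAMPLE_IMAGE = {
    "os/stock_binary.exe": STOCK_BINARY,
    "docs/readme_viewer.exe": CATALOGUED_TOOL,       # renamed, same content
    "tools/altered.bin": CATALOGUED_TOOL + b"\x00",  # content differs
    "home/wedding.dv": b"constructed user-created file",
}

if __name__ == "__main__":
    result = triage(SAMPLE_IMAGE)
    for bucket, names in result.items():
        print(f"{bucket}: {names}")
    print(f"manual review share: {manual_share(result):.0%}")
```

The manual-review share is the examiner's workload; a system where stock files stop matching the benign set stands out on that number alone.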




