Bugtraq mailing list archives

Re: A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)


From: hlangos-bugtraq () innominate com
Date: Thu, 11 Jan 2007 11:26:31 +0100


Calling a steganography software "Steganography" is quite presumptuous
in itself. (Like calling an encryption software "Cryptography".)

Without having looked into that matter deeper you are right on at least 
one account: Leaving a signature ("footprint") in stego text is defeating 
the purpose.

Quoting from Wikipedia (yes I am too lazy to write this down myself):

Steganography is the art and science of writing hidden messages in such
a way that no one apart from the intended recipient knows of the
existence of the message; this is in contrast to cryptography, where the
existence of the message itself is not disguised, but the content is
obscured.


As to the replacement of the password by a "known" password.

Replacing "aaaaaa" with "a" and getting the message extracted could mean
several things:

a) The password is not used at all to encrypt the message but to 
stop their own program from extracting the message from all files you 
present to it. (Possibly by comparing a hash of that password with a
hash stored in the sequence you replaced.)

b) They use a simple Vigenere cipher and you replaced the key-sequence 
of "aaaaaa","aaaaaa","aaaaaa"... by the key sequence "a","a","a","a"...
which for the purpose of Vigenere ciphers is equivalent.

c) ... I'll skip the more complicated explanations. It's not worth it.


To test a) and b) you could try to replace the key sequence of "aaaaaa" 
by a key sequence of "b". 

If that works then "a)" is true.
If it doesn't but replacing "ababab" by "ab" works then "b)" is probably 
true.

Anyway ... having a cipher from the 16th century or having no encryption
at all doesn't make much of a difference, does it?

cheers
-henrik
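
The a)/b) test described in the message above, run against two toy designs (an added example, not part of the original post and not the code of the program under discussion). Assumptions: the container layout with a clear-text password field, the byte-wise mod-256 Vigenere variant, and all function names are hypothetical.

```python
from itertools import cycle

MSG = b"meet at dawn"  # constructed sample message

def vigenere(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Byte-wise Vigenere: add (or subtract) the repeating key mod 256."""
    sign = -1 if decrypt else 1
    return bytes((d + sign * k) % 256 for d, k in zip(data, cycle(key)))

# Toy model a): the password only gates extraction, the payload is stored as-is.
def hide_a(msg: bytes, pw: bytes) -> dict:
    return {"pw": pw, "body": msg}

def extract_a(c: dict, pw: bytes):
    return c["body"] if pw == c["pw"] else None

# Toy model b): the payload is Vigenere-encrypted under the password.
def hide_b(msg: bytes, pw: bytes) -> dict:
    return {"pw": pw, "body": vigenere(msg, pw)}

def extract_b(c: dict, pw: bytes):
    return vigenere(c["body"], pw, decrypt=True) if pw == c["pw"] else None

def swap_test(hide, extract, old: bytes, new: bytes) -> bool:
    """Hide with `old`, overwrite the stored password with `new`, extract with `new`."""
    container = hide(MSG, old)
    container["pw"] = new
    return extract(container, new) == MSG

def classify(hide, extract) -> str:
    """Apply the two swaps from the message and name the matching hypothesis."""
    if swap_test(hide, extract, b"aaaaaa", b"b"):
        return "a"  # any password works: the payload is not keyed at all
    if swap_test(hide, extract, b"ababab", b"ab"):
        return "b"  # only an equivalent repeating key works: Vigenere-like
    return "other"

if __name__ == "__main__":
    models = {"model a": (hide_a, extract_a), "model b": (hide_b, extract_b)}
    for name, (hide, extract) in models.items():
        print(name, "->", classify(hide, extract))
```

A design where the payload is encrypted under a key derived from the password with a modern cipher would fall into "other": neither swap recovers the message.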

