IP: The Digital Beat: The Debate Over Online Steganography

[David Farber <dave () farber net>]

> X-Sender: spaf@128.10.241.20
> Date: Thu, 1 Nov 2001 11:27:48 -0500
> To: dave () farber net
> From: Gene Spafford <spaf () cerias purdue edu>
>
>
> > Date: Thu, 1 Nov 2001 08:05:00 -0500 (EST)
> > From: Nev Dull <nev () sleepycat com>
> > To: nev () bostic com (/dev/null)
> > Subject: The Digital Beat: The Debate Over Online Steganography
> >
> > From: Andy Carvin <acarvin () benton org>
> >
> > The Digital Beat -- 31 October 2001
> >
> > When a Picture Is Worth a Thousand Secrets:
> > The Debate Over Online Steganography
> >
> > By Andy Carvin (acarvin () benton org)
> >
> > Introduction
> >
> > In the weeks since the horrendous September 11 attacks on New York and
> > Washington DC, investigators around the world have poured over tens of
> > thousands of leads. With each turn, it seems, authorities explore new pieces
> > of evidence that somehow fit into the giant puzzle that makes up the al
> > Qaeda terrorist network.
> >
> > As the news media continues its marathon coverage of the attack and
> > subsequent U.S. retaliations, one accusation has received particular
> > attention. Reports from ABC News, the Associated Press, the New York Times
> > and Newsweek, among other media outlets, have alleged that terrorists
> > associated with Osama bin Laden may have communicated covertly by imbedding
> > secret messages into publicly available files on the Internet, including
> > images from adult porn sites.
> >
> > This allegation has yet to be proven -- the FBI has stated in briefings that
> > they don't have evidence to back up these charges. But these media reports
> > have re-ignited interest in this ancient cloak-and-dagger technique, adding
> > more fuel to the fire in the searing debate over online civil liberties in a
> > post-September 11 world.
> >
> > Steganography: Hiding in Plain Sight
> >
> > Steganography, the science of hiding secret messages within publicly
> > accessible material, is by no means new. One of the first accounts of
> > steganography in action dates back to the Greek historian Herodotus. In the
> > fifth century BCE he documented the story of Demeratus, who struggled to
> > find a way of alerting Sparta that the Persian Great King Xerxes was gearing
> > up to invade Greece. Knowing that any overt message would be intercepted
> > easily by the Persians, he scraped off the wax surface of a wooden writing
> > tablet and scratched his warning into the underlying wood. Demeratus then
> > re-coated the tablet with a fresh layer of wax, thus allowing the apparently
> > blank writing tablet to be carried off to Sparta without arousing suspicion.
> >
> > The term steganography dates back to 14th century. German mathematician
> > Johannes Trithemius penned a book on black magic entitled Steganographia --
> > Greek for "hidden writing." Indeed, the controversial book was about hidden
> > writing. Instead of being a treatise on black magic, the manuscript was
> > actually a well-disguised essay on cryptography -- so well disguised that it
> > took half a millennia to crack it completely.
> >
> > During the 19th century, spies used creative forms of steganography
> > throughout the course of the legendary Great Game -- the decades-long war of
> > stealth conducted between imperial Russia and Great Britain as they competed
> > for dominance in Central Asia. The famed British-Indian spies known as
> > pundits used the accoutrements of itinerant monks to disguise the fact that
> > they were mapping out the complex topographies of Tibet and Afghanistan.
> > Pundits would carry a modified rosary made up of 100 prayer beads (instead
> > of the 108 beads usually found in a Buddhist rosary), allowing them to
> > secretly tabulate the number of paces as they walked in any given direction.
> > The details of their covert surveying work would then be hidden amongst
> > handwritten prayers contained in the center of the Tibetan prayer wheels
> > they carried openly.
> >
> > In modern times, steganography was used successfully during wartime as a way
> > of transmitting messages in plain view. German and allied forces both
> > employed steganography during the First World War; in one particular case, a
> > German spy transmitted the following message:
> >
> >         Apparently neutral's protest is thoroughly discounted
> >         and ignored.  Isman hard hit.  Blockade issue affects
> >         pretext for embargo on byproducts, ejecting suets and
> >         vegetable oils.
> >
> > A casual observer might easily ignore this seemingly innocuous message, but
> > if you take the second letter in each word, you'll soon discover a secret
> > message:
> >
> >         Pershing sails from NY June 1.
> >
> > A well-publicized example of steganography occurred during the height of the
> > Vietnam War, when Commander Jeremiah Denton, a naval aviator who had been
> > shot down and captured by North Vietnamese forces, was paraded in front of
> > the news media as part of well-staged propaganda event. Denton knew he would
> > be unable to say anything critical of his captors outright, so as he spoke
> > to the media, he blinked his eyes in Morse code, spelling out T-O-R-T-U-R-E.
> >
> > Perhaps the most public post-September 11 accusation regarding steganography
> > occurred several weeks ago when the Arab-language news service Al Jazeera
> > broadcast videotaped statements by Osama bin Laden and his associates in
> > their entirety. The Bush administration quickly responded by requesting that
> > all media outlets use greater discretion when it came to airing statements
> > from Al Qaeda, fearing that the unedited statements might contain secret
> > messages -- messages communicated by means of certain words or phrases being
> > used, combinations of clothing or discrete nonverbal gestures.
> >
> > Old Tricks, New Techniques
> >
> > Steganography, as the above examples demonstrate, is not limited to one
> > particular medium or technology -- it's simply a matter of disguising a
> > covert message within an overt one, whether that overt message is an ancient
> > wax tablet, a telegram or a person speaking through a television broadcast.
> > So it should come as no surprise that the technique has also found its way
> > onto the Internet. In fact, steganography tools are freely available for
> > public use. Steganography software allows users to secretly incorporate data
> > into various digital media - text, jpeg images, MP3 audio files, etc.
> >
> > One relatively innocuous example of online steganography in action can be
> > found at the Web site SpamMimic.com. This site allows users to encode and
> > decode secret text messages in what appears to be rambling spam messages.
> > For example, SpamMimic.com can produce a text message that looks like this:
> >
> >
> >         Dear Friend , Especially for you - this breath-taking
> >         news . If you no longer wish to receive our publications
> >         simply reply with a Subject: of "REMOVE" and you will
> >
> >         immediately be removed from our club ! This mail is
> >         being sent in compliance with Senate bill 1621 ; Title
> >         6 , Section 301 ! This is a ligitimate business proposal
> >         ! Why work for somebody else when you can become rich
> >         in 54 months....
> >
> >         (Note - the full message is longer than this paragraph and has
> >         been trimmed for length. A complete copy of the message can
> >         be found in the appendix at the bottom of this article.)
> >
> >
> > This seemingly incoherent advertisement can then be transmitted to anyone on
> > the Internet. For the average netizen, the message would undoubtedly find
> > its way into the trash folder, but for people who know that it's been
> > encoded by SpamMimic, they can go to the Web site, select the "decode"
> > option, and submit the full text (see appendix) to find this secret message:
> >
> >         Happy Halloween!
> >
> >
> > Of course, hiding brief text messages within larger text is limited by the
> > overall size of the larger text: text files simply aren't big enough to hide
> > more complex data like images or audio files. A solution to this dilemma can
> > be found in the availability of around 140 steganography software packages
> > readily available over the Internet. Free download sites have collections of
> > various steganography tools, including one called Invisible Secrets 3.0.
> > Invisible Secrets leads users through a series of easy steps that allows
> > them to encode a file secretly into another file.
> >
> > As a demonstration, I've set up a simple Web page with three photos on it:
> >
> > http://www.benton.org/DigitalBeat/stegdemo.html
> >
> > Here you'll see two photos that look identical to each other - a public
> > domain image of the space shuttle from NASA. The photo on the left is the
> > original image, while the photo on the right has been altered
> > steganographically: I've used the software Invisible Secrets 3.0 to hide a
> > picture of my cat Winston inside of it. The steganography software scatters
> > the data of my cat photograph, hiding that data amongst the bits and bytes
> > that makes up the NASA photo. The result of this process is the second copy
> > of the NASA photo, a covert kitten hidden within it, which I could share as
> > publicly as I would like -- emailing it to a listserv, placing it on my Web
> > site, etc. To the unsuspecting viewer, it's just a photo of the space
> > shuttle, but to someone who knows I've altered it steganographically, it's a
> > secret envelope that can be used to deliver any piece of data I'd like -- in
> > this case, a picture of my cat.
> >
> > Do Terrorists Dream of Steganographic Sheep:
> > When Rumors Lead to Bad Policymaking
> >
> > Whether used for safeguarding business secrets, watermarking
> > copyright-protected data or just for personal amusement, steganography was
> > largely seen as just another aspect of Internet culture until the September
> > 11 attack. Though news outlets such as USA Today and Wired News had reported
> > earlier this year on speculation that terrorists like Osama bin Laden might
> > use steganographic software for encoding secret messages into publicly
> > available pornographic image files, rumors regarding such activities have
> > caught on like wildfire in the weeks following the attack. All of these
> > reports had one thing in common: they stated that authorities suspected that
> > bin Laden and his associates _might_ have used steganography.
> >
> > There was no direct proof, however. Internet journalist Duncan Campbell
> > reported in the online magazine Telepolis that FBI officials stated in two
> > successive briefings that there was no evidence to suggest that terrorists
> > had employed steganography. To date, the only comment from a government
> > official implying a direct connection between terrorists and online
> > steganography has come from an unnamed source formerly connected to the
> > French defense ministry. The source, as noted in an October 30 story in the
> > New York Times, claimed that a terrorist suspect named Jamal Beghal used the
> > technique to plan a failed bombing plot of the U.S. embassy in Paris.
> > Details about the alleged use of steganography remain scant, however.
> >
> > Declan McCullagh, Washington DC correspondent for Wired News as well as one
> > of the first journalists to report on allegations of terrorist online
> > steganography, was also skeptical of the recent reports. "I've said in the
> > past that we should assume for purposes of political debate that terrorists
> > will use crypto and stego, because if they're not now, they eventually
> > will," he wrote in an email to his Politech e-newsletter. "The September 11
> > attackers were cunning, if nothing else. But there is a huge difference
> > between expecting that terrorists will eventually go in this direction --
> > and accepting as fact vague and self-promoting reports that the 19
> > suicide-hijackers did."
> >
> > Adding to this skepticism is a recent report from University of Michigan
> > computer scientists who scanned over two million online images for evidence
> > of hidden messages using special stego-detecting software they had
> > developed. (The art of detecting steganography, for those who are
> > interested, is known as steganalysis.) Their sweep of these two million
> > images identified no trace of steganography, whether for passing along
> > secret orders between terrorist cells or for passing along the Mrs. Fields
> > cookie recipe.
> >
> > "I am not aware of evidence that indicates the use of encryption or
> > steganography," explains Neils Provos, one of the authors of the University
> > of Michigan study. "The terrorist attacks are being used by some politicians
> > as a reason to pass legislation that they could not pass before.... There is
> > no indication that any encryption technology has been used."
> >
> > As Provos and others point out, one of the greatest concerns among online
> > civil libertarians is that these unsubstantiated claims of terrorists using
> > steganography will serve as ammunition for politicians to put further
> > restrictions on both steganography and encryption. Civil libertarians are
> > already finding themselves being shouted down by policymakers determined to
> > expand government surveillance activities and clamp down on tools used for
> > hiding or scrambling information. In the Netherlands, legislators have moved
> > to regulate public use of strong encryption on the Internet, backing off on
> > a 1998 policy memorandum that stated, "The use of cryptography will remain
> > permissible."
> >
> > In the United States, the sweeping anti-terrorism legislation signed into
> > law by President Bush on October 26, among other things, greatly expands the
> > ability of authorities to tap email accounts, access personal data and snoop
> > through electronic voice mail. "This bill does not strike the right balance
> > between empowering law enforcement and protecting civil liberties," worried
> > Sen. Russ Feingold (D-WI), the only senator to vote against the legislation.
> > "I don't know anybody in this country who's afraid of their law enforcement
> > people at this time -- they're afraid of terrorism," responded Sen. Orrin
> > Hatch (R-UT), one of the key supporters of the new law.
> >
> > The law contains many provisions that are profoundly frustrating to civil
> > libertarians, but this particular piece of legislation does not contain any
> > specific challenges to steganography. This is not to say that future
> > legislation will not attempt to curtail the rights of citizens to utilize or
> > develop steganography software, however. The very fact that these public
> > allegations of terrorists using steganography happen to contain a bizarrely
> > seductive mix of political issues that are close to the heart of many a
> > legislator (namely protecting national security and curtailing online
> > pornography) suggests that proposals to limit access to steganography could
> > be just around the corner.
> >
> > Of course, the passage of such proposals would lead to the next inevitable
> > question -- would anti-stego legislation actually serve their intended
> > purpose? If terrorists are indeed sophisticated enough to employ
> > steganography software, it would not be surprising if they also possessed
> > the sophistication to develop their own software should current stego tools
> > become inaccessible, or if investigative authorities were granted even
> > greater access to the decoding keys for these tools. So assuming that
> > terrorists had the wherewithal to craft their own steganography tools, the
> > only people who would truly feel the effects of anti-steg legislation would
> > be law-abiding citizens who might wish to employ steganography to protect
> > their online private interests. Additionally, if you consider the
> > allegations regarding bin Laden's supposed use of old-fashioned
> > steganography in videotape broadcasts, cracking down on _online_
> > steganography would do nothing to prevent terrorists or other criminal
> > elements from using more traditional, _analog_ means to pass along messages
> > to each other.
> >
> > Conclusion:
> > Much Ado About Nothing?
> > (or at least nothing visible without the assistance of stego software...)
> >
> > The media hype surrounding bin Laden, steganography and pornography make for
> > enticing copy -- but the stories published to date simply don't add up to
> > actual proof, let alone successfully demonstrate that changing the law to
> > curtail steganography would actually accomplish much in the war on
> > terrorism. In these trying times, it would be difficult to challenge the
> > sincerity of lawmakers as they use the tools at their disposal to combat
> > terrorism and keep America safe. Yet alongside their duty to help preserve
> > the security of the country is the equally important duty to recognize and
> > preserve our civil liberties. This is no truer than in times of war, when
> > emotion, fear and the desire for swift justice can cloud our constitutional
> > judgment.
> >
> > Related Links
> >
> > SpamMimic
> > http://www.spammimic.com
> >
> > Invisible Secrets 3.0
> > http://www.freedownloadscenter.com/Utilities/File_Encryption_Utilities/Invis
> > ible_Secrets.html
> >
> > Steganographia, by Johannes Trithemius (in Latin)
> > http://www.esotericarchives.com/tritheim/stegano.htm
> >
> > How Steganographia was cracked:
> > http://cryptome.unicast.org/cryptome022401/tri-crack.htm
> >
> > Detecting Steganographic Content on the Internet
> > (Analysis by Neils Provos and Peter Honeyman at the University of Michigan)
> > http://www.citi.umich.edu/u/provos/stego/
> >
> > Coded Communications
> > http://www.msnbc.com/news/632358.asp
> >
> > Veiled Messages of Terrorists May Lurk in Cyberspace
> > http://www.nytimes.com/2001/10/30/science/physical/30STEG.html?pagewanted=1
> >
> > How the Terror Trail Went Unseen, by Duncan Campbell
> > http://www01.heise.de/tp/english/inhalt/te/9751/1.html
> >
> > Bin Laden: Steganography Master?
> > http://www.wired.com/news/politics/0,1283,41658,00.html
> >
> >
> > USA-Patriot Act of 2001
> > http://www.epic.org/privacy/terrorism/hr3162.html
> >
> >
> > Appendix: Complete Text of SpamMimic Message
> >
> >         Dear Friend , Especially for you - this breath-taking
> >         news . If you no longer wish to receive our publications
> >         simply reply with a Subject: of "REMOVE" and you will
> >
> >         immediately be removed from our club ! This mail is
> >         being sent in compliance with Senate bill 1621 ; Title
> >         6 , Section 301 ! This is a ligitimate business proposal
> >         ! Why work for somebody else when you can become rich
> >         in 54 months . Have you ever noticed nobody is getting
> >         any younger & how long the line-ups are at bank machines
> >         . Well, now is your chance to capitalize on this .
> >         WE will help YOU use credit cards on your website and
> >         use credit cards on your website ! You can begin at
> >         absolutely no cost to you ! But don't believe us .
> >         Mrs Ames who resides in Massachusetts tried us and
> >         says "I've been poor and I've been rich - rich is better"
> >         ! We are licensed to operate in all states ! Don't
> >         delay - order today . Sign up a friend and your friend
> >         will be rich too . Best regards ! Dear Cybercitizen
> >         ; Thank-you for your interest in our briefing . If
> >         you no longer wish to receive our publications simply
> >         reply with a Subject: of "REMOVE" and you will immediately
> >
> >         be removed from our mailing list . This mail is being
> >         sent in compliance with Senate bill 1618 ; Title 2
> >         , Section 301 . This is not multi-level marketing !
> >         Why work for somebody else when you can become rich
> >         in 58 weeks ! Have you ever noticed people will do
> >         almost anything to avoid mailing their bills plus most
> >         everyone has a cellphone ! Well, now is your chance
> >         to capitalize on this ! We will help you SELL MORE
> >         and increase customer response by 170% ! You are guaranteed
> >         to succeed because we take all the risk . But don't
> >         believe us . Mr Jones of Georgia tried us and says
> >         "Now I'm rich many more things are possible" ! This
> >         offer is 100% legal ! So make yourself rich now by
> >         ordering immediately ! Sign up a friend and you'll
> >         get a discount of 60% . Best regards !
> >
> >
> > ----------------------------------------------------------
> >
> > (c) Benton Foundation, 2001. Redistribution of this online publication --
> > both internally and externally -- is encouraged if it includes this message.
> > Past issues of Digital Beat are available online at
> > http://www.benton.org/DigitalBeat. The Digital Beat is a free online news
> > service of the Benton Foundation's Communications Policy Program
> > (http://www.benton.org/cpphome.html).
> >
> > *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*


For archives see:
http://www.interesting-people.org/archives/interesting-people/