http://www.brendastardom.com/arch.asp?ArchID=217
7-7-2003 - What Do STEGO'S and WMD'S Have In Common?
12:15 pm GMT
I'm being haunted by the word 'steganography' and since it's cropped up in the strangest places daily, even to seeing stego in action in a movie, I have to give this another go. I reported on terrorists and the probable use of steganography by the bin lad and Al Q crew in December. I almost didn't go this route today because I discovered it's been addressed many times since I wrote about it in much the same way.
Ah, steganography. As old as a runner's tattooed message-bearing scalp. I remember writing messages with milk and lemon juice as a kid and tripping hard as the heat from a match brought out the words. It was like magic. I didn't know it had a name. Good article on it, "Steganography: How to Send a Secret Message" written in October 2001.
Since it's been yelling in my ear, I tackled it again. I found a few surprises. Things have changed since then, like it being illegal in many states and legislation pending in others. This is no shocker in light of the way The Powers are doing things these days. It's part of the Super-DMCA (Digital Millennium Copyright Act) that has gone into effect in many states and is pending in others.
It passed in Michigan in March and one of the sneaky little provisions has made a guy remove his work on stego from a state-based server to one offshore.
"A University of Michigan graduate student noted for his research into steganography and honeypots -- techniques for concealing messages and detecting hackers, respectively -- says he's been forced to move his research papers and software offshore and prohibit U.S. residents from accessing it, in response to a controversial new state law that makes it a felony to possess software capable of concealing the existence or source of any electronic communication.
Provos says the Michigan law also makes most of his academic career a crime. Provos is an expert on steganography, the science of concealing secret messages in seemingly innocuous content. He's developed software to detect some types of stego in image files, but he's also worked the other side, developing improved methods for preventing a message from being detected. He also wrote "HoneyD," a free program that simulates a network of computers, with the aim of luring in and detecting hackers. The deceptive software arguably conceals the source of a communication.
The Super DMCA began quietly passing state legislatures two years ago, but did not come to public attention until last month, when the broad language in some versions of the bill immediately sparked anger from technologists and public interest groups.
The law, which took effect on March 31st, typifies the legislation: Among other things, residents of the Great Lakes State can no longer knowingly "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." It's also a crime to provide written instructions on creating such a device or program. Violators face up to four years in prison."
The EFF (Electronic Frontier Foundation) has an immense amount of information about this on their site. I urge you to read it and check your state's status out. My focus is not on the DMCA, but on stego. Why has it suddenly become a subject again?
The feds and military are scared to death of steganography.
Why are most links dead relating to open source or in many cases the tools. Why do WetStone Technologies seem to be running a legal scam about steganography by offering expensive courses about the practice? They begin this month, to the tune of 1500 US smackeroos. The government has their hand in this as they need to have a surefire way to detect the plethora of stegos on the net, from sites, to popups to email images. Of course they think the only applications for this have to be terror related. Jeezus what isn't these days. Oh yeah, their stego tool, a cool 8 thousand bucks. I find it more than interesting that their homepage opens to stego, stego, stego.
According to blackhat.com, who's doing a course in conjunction with WetStone: "Pre-requisites.Students will be required to have basic computer skills and knowledge of the Windows environment. They will be subject to a background verification prior to final acceptance into the course. Students are not required to provide any materials.
Who should attend? Law enforcement, Intelligence,Security Consultants, Corporate Investigators, Forensic Accountants ,Other IT Investigators.
Course Length: 2 days
Cost: US $2000 on or before July 3, 2003, or US $2200 after July 3, 2003
NOTE: this is a two day course. A Black Hat Certificate of Completion will be offered."
I was taken aback by the word blackhat and to be sure I checked it out.
From a book called "Know Your Enemy".
"My commander used to tell me that to defend against the enemy, you have to first know who your enemy is: their methods of attack, tools and tactics, and objective. This military doctrine readily applies to network security just as it did in the Army. The blackhat community is the adversary; we must defend against this threat. However, to be successful, we must first know our enemy."
That's cause for a great big hmmm. What are they doing involved with the government and military if they're deemed the bad guys? Lame, very lame name for a security outfit.
Whoa. I mean this was a rein-yanker. " In addition, a $190,000 HUD EDI Special Project Grant for Cortland County IDA to be used for equipment and infrastructure improvements for WetStone Technologies." Something about WetStone really bothers me, nags at me like the word stego. This was in February of this year. Ohyeah, there's more.
"President and CEO of WetStone Technologies Chet Hosmer said, “Advancing the Sovereign Time Infrastructure at WetStone Technologies at our Cortland facility is critical if we are to effectively provide technology and services that help to defend our nations critical cyber infrastructure and improve our Homeland Security. The EDI special projects grant is allowing WetStone to meet these cyber security needs at one the most critical times in our nations history.” Ahem. Homeland Security.
See? It's all about terrorists and criminals use of steganography, forgetting about all the useful and harmless ways it's implemented. In the movie, 'Along Came A Spider' two kids send each other gifs with embedded stego messages. Countries use it where they're so firewalled there's no freedom of speech. Damn this is sneaky.
"At the same point seven U.S.-States have passed a law that would in fact outlaw VPNs and any other means of concealing the existence or place of origin or destination of any communication. Of course this also includes steganography, NAT (network address translation) or even honeypots, some of which might be used efficiently by criminals, but all of which are important for internet security and especially concerning corporate security."
How are people in individual states supposed to know what's legal and illegal? What does this have to do with the movie people and S-DMCA? I used a stego tool, Camera/Shy, from Hactivismo this morning, encoded a phrase in a picture and found it easy and fun.
This was said of Camera/Shy just before its release last year. "The group hopes that people hobbled by official Internet censorship will be able to exchange information and opinions which might otherwise be politically risky. Since countries can use filtering and firewalling to keep their citizens from Web sites with 'objectionable' content, the idea here is to hide it in plain sight in approved venues. A discussion of human rights could be carried out under the noses of administrators and moderators on an approved Chinese BBS, for example. The local Feds would have a very difficult time stopping it.
No doubt the release will raise hackles among bureaucrats and Feds in many parts of the world, even in the Enlightened West where many in government believe our personal lives should be laid bare for their occasional inspection and approval. Since the 9/11 atrocity, there has been repeated speculation in the press that international terrorist organizations have been using stegged files to communicate across the Internet, though no evidence of this activity has ever been produced."
Straight from Hactivismo. "CAMERA/SHY OVERVIEW
Sometimes hiding the truth is the best way to protect it, and yourself. Designed with the non-technical user in mind, Camera/Shy’s "one touch" encryption process delivers banned content across the Internet in seconds. Utilizing LSB steganographic techniques and AES-256 bit encryption, this application enables users to share censored information with their friends by hiding it in plain view as ordinary gif images. Camera/Shy is the only steganographic tool that automatically scans for and delivers decrypted content straight from the Web. It is a stand-alone, Internet Explorer-based browser that leaves no trace on the user’s system. As a safety feature Camera/Shy also includes security switches for protection against malicious HTML. Picture that." I got a laugh out of this. "ADVISORY: The following program may prove destabilizing for dictators"
The government is so scared of potential terrorists they're taking away all the good things and making them illegal. This is a frightening trend.
As to the subject of this report, this sums it all up.
"Why have they found nothing? Maybe they haven't searched enough. But there is a dilemma here, the dilemma that empowers steganography. You never know if a message is hidden. You can search and search, but when you've found nothing you can only conclude: Maybe I didn't look hard enough, but maybe there is nothing to find."
Brenda Stardom
Portugal
