> Maybe, but I think it would be very hard to write a general-purpose stego detector, without knowing the techniques used for encoding the message. And if you know the distribution of your cover channel as well as your attacker, or can generate lots of values from that distribution even if you can't describe it, you can encode messages in a way that provably can't be detected, down to the quality of your random number generator and the difficulty of guessing your key.

Well, the first thing to remember is that Arabic more or less has a built-in method for distributing covert information...kind of like Hebrew, an Arabic word can be viewed in terms of a subset of consonants...for specific groupings there are lots of well-known associated words with the same letters. I'd bet a careful examination of bin Laden communiques will reveal the existence of pointers to such special words...the initiated will know how to pull out those words and use them as passwords, etc...


As for the sophistication of Al Qaeda software, remember we're probably not talking about a very centrally-organized group. Their members are scattered in all sorts of socio-eco-bandwidth environments so that off-the-shelf (where shelf=internet) stuff is going to be common.

Remember too that broad categories of Stego can apparently be detected by FFT (someone here posted a link to a paper describing that). Put that and all sorts of other routines looking for specific Stego signatures into a Variola suitcase and I bet they (NSA, though not police) can pull out practically anything they want to. BUT...that probably doesn't do them a ton of good...the plaintext will be in Arabic, it will speak symbolically, and maybe use some even more clever techniques for info obfuscation.

As for the 'semaphore' theory I consider that likely...lots of info will be sent out-of-band (ie, verbally) and Stego'd info will perhaps be triggers or possibly meeting coordinates. Maybe an account number every now and then (VERY easy to hide using Arabic letter-numerals).

-TD



I imagine this as something much like a virus scanner. Look for known stego programs, and also for signatures of known stego programs. Really good programs might be impossible to find without doing, say, a password search.


But it's worth noting that AQ has to do key management just like the rest of us, and that's hard when you are communicating with a lot of different people. If your stego is password-protected, some terrorist's laptop is going to have a post-it note on the screen with the password.

...
>-TD

--John Kelsey
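The thread above talks past the detection question in the abstract (FFT-based detection of "broad categories" of stego, scanner-style signatures of known tools, and the opening quote's point that an embedder who knows the cover distribution can hide undetectably). The following is an added example, not code from the thread or from any tool it mentions, showing the simplest concrete instance of that tension: naive LSB embedding into a cover with a skewed odd/even balance, and the chi-square "pairs of values" test that statistical stego detectors use against exactly that. The cover stream, the seed and the payload are constructed here for illustration; the 250 threshold is an assumption chosen from the chi-square distribution with about 127 degrees of freedom, not a value from the page.

```python
"""Naive LSB embedding and a chi-square pairs-of-values detector.

Added example for this thread, not the posters' code. The cover is a
constructed, synthetic stream of 8-bit samples with a deliberate
odd/even imbalance, standing in for the bias real image data tends to
have; a real cover is messier but rarely balanced either.
"""
import random

SEED = 1234
N_SAMPLES = 100_000


def make_cover(n=N_SAMPLES, odd_fraction=0.3, seed=SEED):
    """Constructed cover: 8-bit values whose LSB is 1 only ~30% of the time."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        base = rng.randrange(0, 128) << 1            # even base value 0..254
        cover.append(base | (1 if rng.random() < odd_fraction else 0))
    return cover


def embed_lsb(cover, message_bits):
    """Overwrite the LSB of each cover sample with one message bit."""
    if len(message_bits) > len(cover):
        raise ValueError("message longer than cover capacity")
    stego = list(cover)
    for i, bit in enumerate(message_bits):
        stego[i] = (stego[i] & 0xFE) | (bit & 1)
    return stego


def extract_lsb(stego, n_bits):
    """Read the first n_bits LSBs back out (the receiver's side)."""
    return [v & 1 for v in stego[:n_bits]]


def pov_chi_square(samples):
    """Chi-square statistic over the 128 value pairs (2k, 2k+1).

    Full-rate LSB embedding of random-looking bits (e.g. ciphertext)
    drives each pair toward equal counts, so the statistic collapses to
    roughly its degrees of freedom (~127). An untouched biased cover
    sits far above that.
    """
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def looks_like_lsb_stego(samples, threshold=250.0):
    """Assumed threshold: chi2 with ~127 df has mean ~127 and sd ~16, so a
    value below 250 means the pairs are balanced, i.e. consistent with
    LSB embedding; a biased cover scores in the thousands."""
    return pov_chi_square(samples) < threshold


def demo():
    """Embed a full-capacity random payload and score cover vs. stego."""
    rng = random.Random(SEED + 1)
    cover = make_cover()
    # Constructed payload: random-looking bits, as encrypted text would be.
    payload = [rng.randrange(2) for _ in range(len(cover))]
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, 64) == payload[:64]   # round-trip sanity check
    return {
        "cover_chi2": pov_chi_square(cover),
        "stego_chi2": pov_chi_square(stego),
        "cover_flagged": looks_like_lsb_stego(cover),
        "stego_flagged": looks_like_lsb_stego(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would want, both consistent with the opening quote: the test only works because the embedder ignored the cover's own LSB bias and filled the whole cover; embed at a low rate, or choose sample positions and bit values so the 30/70 imbalance is preserved, and the statistic stays near the cover's value and this detector (like the FFT-style tests mentioned above) has nothing to find.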