RE: DMCA has pushed me to my limit.
On Sat, 21 Jul 2001 [EMAIL PROTECTED] wrote:

>In principle, it should be possible to write a stego program that is
>undetectable, provided your enemy has no better models of noise sources in
>the medium than you have. As far as I know, no one has done this.

This is a point I raised on a watermarking list a while back -- most of the stego work today is aimed at watermarking/content protection applications, since that's where the money is. Those applications do not have the sort of strict demands on deniability that stego used for secret communication has. Instead of statistical transparency, they aim at perceptual. Instead of strict deniability, they go for robust detection and difficult removal, which imply easily caught redundancy in the output. Hence, most of the steganographic algorithms out there are completely unsuitable for cypherpunkly use, even when information theory posits steganography squarely as the kind of race-in-statistics you describe.

Sampo Syreeni, aka decoy, mailto:[EMAIL PROTECTED], gsm: +358-50-5756111
student/math+cs/helsinki university, http://www.iki.fi/~decoy/front

Re: DMCA has pushed me to my limit.
Ah, but your assumptions are not quite right. See my Wired News article on steganalysis.

-Declan

On Wed, Jul 18, 2001 at 09:34:15AM -0700, David Honig wrote:
> At 08:07 AM 7/18/01 -0700, Ray Dillinger wrote:
> >I keep looking at the whole stego thing. But the basic problem
> >remains the same. Stego relies on the *method* being secret,
> >which stands in stark contrast to Kerckhoffs's principle. I mean,
> >sure, you can stego encrypted stuff so nobody who recovers it
> >can read it, but if you use any of the "available" programs,
> >there will always be utilities that can detect your encrypted
> >stuff and, usually, extract it.
>
> 1. encrypted data is indistinguishable from uniformly distributed noise
> 2. LSBs in digitizations of analog signals are noise
> 3. ignoring the nuance of different LSB distributions, how can you
> distinguish a stego'd from unaltered file?
>
> Stego by itself is much less interesting than stego'd encrypted data
> (with identifying headers stripped of course)
>
> That spam, mp3, or image could be merely a transport for more privileged
> info. Posting/reading to a public newsgroup solves traffic-analysis
> issues too.

RE: DMCA has pushed me to my limit.
At 06:56 PM 7/18/01 +0200, Eugene Leitl wrote:
>On Wed, 18 Jul 2001, David Honig wrote:
>
>> 1. encrypted data is indistinguishable from uniformly distributed noise
>
>Yes, but which natural data sources have that signature?

None. I was glossing over how you should measure your (e.g., camera's) LSB stats then shape your ciphertext distribution that way. I also didn't mention the work by [???] on detecting stego, and about countermeasures to this detection. I also didn't mention how some stego does not use raw LSBs but interstitial places in complex encodings (e.g., mp3). I was only explaining the principle of how you don't need a 'secret method' to hide the existence of messages.

>> 2. LSBs in digitizations of analog signals are noise
>
>Not uniformly distributed noise, unfortunately. Perhaps somebody should
>put hardware entropy generators mixing white noise into multimedia stream
>LSBs. People should definitely package stegano decoys into Open Source
>streaming multimedia warez.

Of course not uniformly distributed, you have to cook any source of noise to distill the pure stuff we covet.

>> Stego by itself is much less interesting than stego'd encrypted data
>> (with identifying headers stripped of course)
>
>The point of stego is not leaking the information that you're sending
>other information.

Yes. And as you point out correctly, doing this requires knowing something *clever* about the covertext. But it does not require *secret* algorithms, which is well known for not being robust.

RE: DMCA has pushed me to my limit.
see this link for papers on steganalysis:

http://ise.gmu.edu/~njohnson/Steganography/

essentially, the papers assert that given our knowledge of how images and music files are encoded, and given information about how some of the popular steg. programs work, it's possible to detect the presence of hidden information and perhaps extract that information. this is very early stage work, so it doesn't provide all of the answers...

phillip

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of David Honig
> Sent: Wednesday, July 18, 2001 12:34 PM
> To: Ray Dillinger
> Cc: [EMAIL PROTECTED]
> Subject: RE: DMCA has pushed me to my limit.
>
> At 08:07 AM 7/18/01 -0700, Ray Dillinger wrote:
> >I keep looking at the whole stego thing. But the basic problem
> >remains the same. Stego relies on the *method* being secret,
> >which stands in stark contrast to Kerckhoffs's principle. I mean,
> >sure, you can stego encrypted stuff so nobody who recovers it
> >can read it, but if you use any of the "available" programs,
> >there will always be utilities that can detect your encrypted
> >stuff and, usually, extract it.
>
> 1. encrypted data is indistinguishable from uniformly distributed noise
> 2. LSBs in digitizations of analog signals are noise
> 3. ignoring the nuance of different LSB distributions, how can you
> distinguish a stego'd from unaltered file?
>
> Stego by itself is much less interesting than stego'd encrypted data
> (with identifying headers stripped of course)
>
> That spam, mp3, or image could be merely a transport for more privileged
> info. Posting/reading to a public newsgroup solves traffic-analysis
> issues too.

RE: DMCA has pushed me to my limit.
On Wed, 18 Jul 2001, David Honig wrote:

> 1. encrypted data is indistinguishable from uniformly distributed noise

Yes, but which natural data sources have that signature?

> 2. LSBs in digitizations of analog signals are noise

Not uniformly distributed noise, unfortunately. Perhaps somebody should put hardware entropy generators mixing white noise into multimedia stream LSBs. People should definitely package stegano decoys into Open Source streaming multimedia warez.

> 3. ignoring the nuance of different LSB distributions, how can you
> distinguish a stego'd from unaltered file?

By running a simple statistical test (most packages don't even pad, so you can vgrep for it). There is some pretty bulletproof stego out there, but 90% of it wouldn't stand a trace of scrutiny. Of course it limits the processivity of the screening.

> Stego by itself is much less interesting than stego'd encrypted data
> (with identifying headers stripped of course)

The point of stego is not leaking the information that you're sending other information.

> That spam, mp3, or image could be merely a transport for more privileged
> info. Posting/reading to a public newsgroup solves traffic-analysis
> issues too.

-- Eugen* Leitl http://www.lrz.de/~ui22204/
ICBMTO : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3

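One well-known statistical check for LSB replacement, a chi-square test over pairs of values, shown here as an added example that is not part of the original thread and not necessarily the test the poster had in mind. The biased-LSB cover, the sample size, the threshold and all function names are constructed assumptions.

```python
import math
import random
from collections import Counter

def pov_chi_square(samples, min_pair_total=5):
    """Chi-square statistic over pairs of values (2k, 2k+1).

    Returns (statistic, degrees_of_freedom). LSB replacement with
    uniform bits drives each pair's two counts toward equality, so the
    statistic falls to about its degrees of freedom.
    """
    hist = Counter(samples)
    stat, dof = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        total = n_even + n_odd
        if total < min_pair_total:   # too sparse for the approximation
            continue
        stat += (n_even - n_odd) ** 2 / total
        dof += 1
    return stat, dof

def looks_lsb_replaced(samples, sigmas=4.0):
    """True when the statistic fits the 'pairs equalised' hypothesis."""
    stat, dof = pov_chi_square(samples)
    if dof == 0:
        return False
    # chi-square(dof) has mean dof and variance 2*dof.
    return stat <= dof + sigmas * math.sqrt(2 * dof)

def constructed_cover(n=20000, seed=1):
    """Constructed sample: 8-bit readings whose LSB is 1 only 35% of the time."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = min(255, max(0, int(rng.gauss(128, 20))))
        lsb = 1 if rng.random() < 0.35 else 0
        out.append((base & ~1) | lsb)
    return out

def replace_lsbs(samples, seed=2):
    """Overwrite every LSB with a uniform random bit (stand-in for ciphertext)."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]

if __name__ == "__main__":
    cover = constructed_cover()
    stego = replace_lsbs(cover)
    for name, data in (("cover", cover), ("stego", stego)):
        stat, dof = pov_chi_square(data)
        print(f"{name}: chi2={stat:.1f} dof={dof} flagged={looks_lsb_replaced(data)}")
```

The test only has power when the cover's own pair counts are unequal, which is the "not uniformly distributed" point made in the reply; a cover with a smooth histogram, or embedding shaped to the measured LSB statistics, would pass it.
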
RE: DMCA has pushed me to my limit.
At 08:07 AM 7/18/01 -0700, Ray Dillinger wrote:
>I keep looking at the whole stego thing. But the basic problem
>remains the same. Stego relies on the *method* being secret,
>which stands in stark contrast to Kerckhoffs's principle. I mean,
>sure, you can stego encrypted stuff so nobody who recovers it
>can read it, but if you use any of the "available" programs,
>there will always be utilities that can detect your encrypted
>stuff and, usually, extract it.

1. encrypted data is indistinguishable from uniformly distributed noise
2. LSBs in digitizations of analog signals are noise
3. ignoring the nuance of different LSB distributions, how can you distinguish a stego'd from unaltered file?

Stego by itself is much less interesting than stego'd encrypted data (with identifying headers stripped of course)

That spam, mp3, or image could be merely a transport for more privileged info. Posting/reading to a public newsgroup solves traffic-analysis issues too.

Re: DMCA has pushed me to my limit.
On Tue, Jul 17, 2001 at 10:18:42AM -0700, Black Unicorn wrote:
> When a foreign national can be arrested for a bit of coding which was
> developed (I assume) outside the US and never, by his actions (I assume)
> hit US soil well it really is time for the DMCA to go.

Without quibbling with your sentiment, this isn't unique to the DMCA. Holocaust revisionism is a crime in Germany, I understand. If I ran my naziswereswell.com website from the U.S. as a U.S. citizen and made the mistake of traveling to Germany, I could easily be arrested. Let's not even talk about what would happen if Rushdie wanted to visit Iran.

Similarly, U.S. law prohibits money laundering. If a known Russian money launderer visited the U.S., he'd likely be arrested. This is unremarkable. That's not even talking about kidnappings by U.S. agents.

As for the DMCA, it says: "No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that (does the good stuff)."

Nowhere does it limit its scope to Americans.

As I wrote in an article in April, all this means is that cutting-edge security conferences will be held overseas, or maybe in Canada.

Re: DMCA has pushed me to my limit.
On Tue, Jul 17, 2001 at 07:07:48PM -0700, Morlock Elloi wrote:
> Buy some ad space in papers and get the message out. Running decent-size ads
> will take many K$. Maybe if a number of contributors insist on this EFF would
> coordinate it ? How does one round up contributors in cpunkish environment ?
> The issue here is to not preach to the choir. Preaching to sheeple is
> *expensive*, and the gain ("more freedom") is far away and very few will commit
> actual cash to it.

None of this will, of course, happen. It will join in the bitbucket the tens of thousands of other "cypherpunks should do this" ideas posted over the better part of the last decade.

>
> Anyway, I may know some that would - how do we get EFF to do directed campaign
> ?

Give them the money for it?

-Declan

Re: DMCA has pushed me to my limit.
On Wed, Jul 18, 2001 at 10:21:44AM -0400, Trei, Peter wrote:
> Well, if Pinochet can be arrested in London, on the request of a
> French (or was it Spanish?) judge, over acts allegedly
> committed in Chile, I'd say yes.
>
> and don't forget the Norwegian who was arrested in Oslo for
> the deCSS code.

Actually, Johansen was just questioned, not arrested.

ObPhotos: see mccullagh.org for his appearance in NYC.

-Declan

Re: DMCA has pushed me to my limit.
--
On 18 Jul 2001, at 0:55, Sampo Syreeni wrote:
> On a more general level, is US law to be construed as granting
> personal jurisdiction over anyone on the US soil, regardless of
> where the actual crime was committed? I.e., if I do something
> wrong according to the Code,
> I'd better stay the hell out of US?

US law is often construed as encompassing the whole world. US judges tend to believe they can punish anyone anywhere for violating US law.

This failing is not limited to the US. The French tend to the same delusion. It is quite difficult for government officials to comprehend the concept of dealing with equals, and often they just do not get it.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
6gSy4Y0z9ue33pDKeFwyzeM5elboNp2slIKTcX4z
4ujXVIoMs+xOSrPo7Igk7A/xMOmINtm/7qMlVAVRH

Re: DMCA has pushed me to my limit.
At 12:55 AM +0300 7/18/01, Sampo Syreeni wrote:
>On Tue, 17 Jul 2001, Black Unicorn wrote:
>
>>When a foreign national can be arrested for a bit of coding which was
>>developed (I assume) outside the US and never, by his actions (I assume)
>>hit US soil well it really is time for the DMCA to go.
>
>On a more general level, is US law to be construed as granting personal
>jurisdiction over anyone on the US soil, regardless of where the actual
>crime was committed? I.e., if I do something wrong according to the Code,
>I'd better stay the hell out of US?

Yes, just as an American who commits some crime under German law, while in the U.S., had better avoid travelling to Germany...or even to Denmark. (Case a few years ago of the American arrested in Copenhagen and extradited to Germany because he had published in America material deemed a thoughtcrime in Germany.)

--Tim May

--
Timothy C. May [EMAIL PROTECTED] Corralitos, California
Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon
Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go
Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns

Re: DMCA has pushed me to my limit.
On Tue, 17 Jul 2001 [EMAIL PROTECTED] wrote:

> Cypherpunks do something?
>
> Maybe start with the basics: a WWW site.
> Doesn't Choate have a couple registered names for our use?

I have cpunks.org registered for Austin Cypherpunks use...do you live in Austin? Is there anyone in Austin working on this project?

> Okay, to get back to the subject: an explanation on how
> to release these tools anonymously. Document why it is
> necessary. It's not the reverse engineering that needs
> to be moved to foreign outposts. Perhaps describe some
> methodologies for selling it anonymously.

Get some Plan 9 boxes up and running sharing resources, implement a distributed anonymizer, implement a distributed e-cash scheme, and enjoy!

http://einstein.ssz.com/hangar18
http://plan9.bell-labs.com

--
Nature and Nature's laws lay hid in night:
God said, "Let Tesla be", and all was light.
B.A. Behrend

The Armadillo Group
James Choate, Austin, Tx
[EMAIL PROTECTED] www.ssz.com 512-451-7087

Re: DMCA has pushed me to my limit.
> Declan McCullagh <[EMAIL PROTECTED]> wrote:
>
>FBI agents have arrested a Russian programmer for giving
>away software that removes the restrictions on encrypted
>Adobe Acrobat files.

The Big O wrote:
>
> "Nuts!"

Black Unicorn with the opalesque spike wrote:
#
#Ok. That's pretty much my limit.
#
#Where can reverse engineering be conducted in the
#world anymore without felonies being leveled?
#
#Does anyone care?

Cypherpunks do something?

Maybe start with the basics: a WWW site. Doesn't Choate have a couple registered names for our use?

Describe how to use encryption on each platform. The various options for sending/receiving encrypted email.

Set up (I volunteer to figure out the software scripting if people are interested in using it) a clone of lne. Boy, has lne eliminated 99% of the crap that the other nodes get. Anyway, a clone that accepts only encrypted submissions, and sends encrypted output. Purely for slinging more encrypted traffic around, obviously. Just on principle. The encrypted list software might be useful to other people.

Okay, to get back to the subject: an explanation on how to release these tools anonymously. Document why it is necessary. It's not the reverse engineering that needs to be moved to foreign outposts. Perhaps describe some methodologies for selling it anonymously.

Blacky wrote:
#
#I'd be interested in talking to cypherpunks who actually would
#like to do something activist about eliminating this legislative
#scourge and hopefully doing something a bit more substantial
#than EFF or CPSR has been doing on the subject.

That takes voters, right? We don't lob money, right?

Maybe one of those "reach out to three others..." sequences, with an URL to tie everyone together to alerts to write letters. We'd provide a letter template for each alert that they could edit on our site, create a PDF or WWW page output for them to print and actually send in. Many places don't seem to react to email.

What was that Kurt Vonnegut book/movie (Jerry Lewis): Slapstick. Maybe we should start a movement of people who all change/set legally their middle name to 'Privacy'. Damn straight.