Re: Stego worm
On Fri, 12 Dec 2003, Peter Fairbrother wrote: Any Chinese want to get immortalized in Internet history? And deleted with a bullet, for which they'd have to pay. That's insane. The creations of the majority of presently active virii/ worms are not attributable to individuals. :) That's true. However, you can be immortalized even if your identity isn't known; you can be known under a nym unknown creator of the StegoWorm. Besides, even Unknown Soldiers sometimes get statues. :) But:! you will stop all the people who are now using stego .. all two of them .. their stego will be corrupted Only the ones who use it to store documents in images on read-write media. The files in transit and on read-only wouldn't be corrupted. Speaking of storing data... the best for stego are big not-too-compressed or uncompressed files. Occassionally playing in a garage band or having a DV camera could be a good cover for having disks full of the only copies of WAV and video files, where no virgin versions are available for comparison for bit-level changes. Decreasing prices of DV camcorders could be helpful here.
RE: Stego worm
At 08:09 PM 12/11/03 -0500, Tyler Durden wrote: As for Variola's comment, you might be right. I just assumed there's some kind of relationship between LSB and those spatial freuencies wherein image information might be stored. Actually, I would still think there's a relationship, in which case an Echelon-like approach based on ffts and noise templates might be going on (hence the usefulness of jamming). I'm not saying that you could never use FT to detect weaker kinds of stego. But if information is encoded as say the parity of 3 LSBits from different regions of the image, good luck. Anyone got a TLA Operative Handbook? ANy mention in there of what kind of photos are best for Stego? How about cloud photos? (particularly where there are clouds of many different shapes and sizes present in the photo simultaneously.) The most important thing is not to put too much cargo in your carrier. Think in terms of signal to noise if you wish. Obviously a picture with truly uniform color fields ---like a digital cartoon-- won't be useful. But scanning a piece of paper does not have this problem, for say 8 bits per grayscale pixel. Because each analog scan of the same piece of paper gives different bits. TD, you surely have the background to look into this stuff (and stego detection) if you want. BTW Stego ~aka watermarking. And stego can be done in music, movies, ascii text, etc. Or you could work from first principles, if you are able to mentally switch between steganographer and stego-detecter. (This same playing-chess-with-yourself is vital to security analysis, crypto, etc.)
RE: Stego worm
Mr Shaddack... That's some interesting thinking there. The interesting thing is that no one might ever even notice the presence of this benevolent worm. It could go pretty much unchecked for a while. As for Variola's comment, you might be right. I just assumed there's some kind of relationship between LSB and those spatial freuencies wherein image information might be stored. Actually, I would still think there's a relationship, in which case an Echelon-like approach based on ffts and noise templates might be going on (hence the usefulness of jamming). Anyone got a TLA Operative Handbook? ANy mention in there of what kind of photos are best for Stego? How about cloud photos? (particularly where there are clouds of many different shapes and sizes present in the photo simultaneously.) -TD From: Thomas Shaddack [EMAIL PROTECTED] To: cypherpunks [EMAIL PROTECTED] Subject: Stego worm Date: Fri, 12 Dec 2003 01:10:24 +0100 (CET) It's unknown to which extent the Adversary can detect presence of steganography in images being sent over the Net. But whatever capabilities they have, they can be jammed. Imagine a worm that spreads from machine to machine, and on the infected machine it finds all suitable JPEG files, generates some random data as source and encrypts them with random key, and stegoes them into the files. In few days or even hours, a sizeable portion of images on the Net contains potentially detectable stegoed encrypted data. Any Chinese want to get immortalized in Internet history? _ Shop online for kidsÂ’ toys by age group, price range, and toy category at MSN Shopping. No waiting for a clerk to help you! http://shopping.msn.com
RE: Stego worm
At 08:09 PM 12/11/03 -0500, Tyler Durden wrote: .. As for Variola's comment, you might be right. I just assumed there's some kind of relationship between LSB and those spatial freuencies wherein image information might be stored. Actually, I would still think there's a relationship, in which case an Echelon-like approach based on ffts and noise templates might be going on (hence the usefulness of jamming). Well, you're going to have a model for your covertext. Maybe that's the statistical distribution of low-order bits in the image file, maybe that's the distribution of packet arrival times. You encode messages in your covertext by making up new covertexts (maybe from existing or old ones) that fit the same model. If an attacker has no better a model than you do, he can't tell stegoed covertext from unstegoed covertext. If an attacker has a better model, he may be able to tell the difference. Let's make this concrete. Suppose I decide to encode my real message to you in the time I send this e-mail. If I have 24 hours in which I'm willing to send this message, I can encode one of about 80,000 messages to you, since the timestamp goes down to the second. Now imagine an attacker who doesn't know anything about me. He has no reason to be surprised at any time I might be sending messages to you, so to him, this isn't a terrible scheme. Now imagine an attacker who knows I work a 9-5 job. He ought to be quite surprised at seeing e-mail from me at 10:30 AM on Friday, because I'm supposed to be in the office then. He ought to be pretty surprised at seeing e-mail from me at 4 AM, because that will make it hard for me to make it to work in the morning. He has a better model of what the covertext (the time I send the e-mail) should look like, so he can see a couple of innocent-looking e-mails from me to you with weird timestamps, and have some reason to suspect something interesting is going on. .. -TD --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259