Using Steganography
M. Roberts

Reading DF!, I get the idea that using encryption to protect communications isn't exactly new to you. But I don't recall seeing steganography mentioned. I think it's a useful adjunct to crypto.

Steganography isn't exactly encryption, even if it can incorporate it. Instead of obscuring data, it hides the information; typically inside a graphic file like a GIF or JPEG. A stego program simply steals a few of the bits that usually describe the color characteristics of various pixels, and replaces them with your "secret" message. You might hide a text message inside a GIF of your new baby girl you're emailing out to friends and family. Neat trick.

Stego does have some limitations, naturally enough. If your message is large enough relative to the picture you're using, too many pixel bits get stolen, and the image quality is degraded. And since the bits have to be taken in a recognizable fashion (so your recipient can look at the right bits and extract the message) the use of stego can be detected if someone is specifically looking for it. And by itself, stego is not crypto, so a detected message can be read, if not otherwise protected.

Still, stego makes "purloined letter" traffic easier to manage.

I've heard some people object to the use of encryption in their email, because they believe that using crypto at all is a red flag that will attract unwanted federal and LEO attention. There's some merit to that: If the only time you use crypto to protect your messages is when you're talking about overthrowing the Chinese government with your buddies in Tibet, yeah, that's a flag. So I try to use crypto for everything.

But if that isn't practical, or if you do think any crypto use will give you away, make a habit of sending out pictures. And occasionally you can stuff sensitive traffic into an image. This will give you a basic degree of privacy, on par with a snail mail envelope, keeping casual prying eyes off your illicit love letters. But for really sensitive data, encrypt, then stego the encrypted message into the picture. You get the best of both worlds.

Finding stego software is pretty easy. You can find links to stego programs for Linux, Windows, Mac, even Amiga here.

One cute little stego routine for Windows (and there's a Linux version, too) is JPHS. for "JPeg Hide and Seek. It's easy to use, and includes an encryption engine. But I'm not qualified to evaluate crypto effectiveness; personally, I encrypt with PGP anyway, then stego that.

Another program is Image Hide. Unlike JPHS, which as its name implies, only handles JPEGs, Image Hide can work with several file formats. On the downside, it's Windows-only, so far as I know.

And then there's Camera/Shy, from the good folks at Hacktivismo.

Up until last year, about the only use I was aware of most people making of stego was in email traffic. But it always seemed to me that stego'ing a message into a graphic on a website, for wide covert distribution, would be a neat idea. If you used a standard logo that always appeared on your site, I doubt many folks not clued in would ever consider that it might occasionally conceal a secret message.

Enter Camera/Shy, which goes that one better. It's basically a steganography-enabled web-browser. If you use it to view a website -- for which you already have any applicable passwords -- it automatically scans every GIF image on the page for hidden messages and displays them to you in a separate window. Not bad. Apparently the program was originally developed with Chinese activists in mind; folks who are going to be watched to see if they try to reach unapproved sites, or view politically incorrect ideas. But anyone can make use of it. If you run a graphics-intensive site, you can dish out a lot of extra data on the side.

And there's another way to make stego -- or the lack -- work for you. A while back, DF! had an article that suggested using duress codes. Imagine that you run a website updated on a regular basis, which happens to have a regular logo. Now imagine that the FBI takes an interest in you and your site's visitors. You're coerced into continuing the site under federal supervision, so they can watch your visitors. You can't publish a warning, send it out by email. So what to do?

Suppose you had been embedding a duress code update timestamp in your site's logo for weeks. Suddenly visitors in the know notice that the duress code isn't updated. A ha! Or you could slide a pre-positioned stego-embedded logo in from your template folder. You use templates all the time; how many folks would notice? For that matter, if your keepers turn out to be as clueless as some federal agents I've encountered, it isn't inconceivable that you might even have a chance to create a brand new message and stego it into your logo, right under their noses. Don't count on it though.


Comment on this article
View all comments on this article


Did you like this article?
Please consider rewarding the author's
hard work with a donation.

Don't have PayPal yet?


Please rate this article! Knowing what you like will help us provide the content you want.

Bad Poor Average Good Excellent

If there's anything specific you'd like to say about this article, please do so here. Comments may be used in an upcoming Letters to the Editor.

Copyright © 2003 by Doing Freedom! magazine. All rights reserved.