Silk Road forums
Discussion => Security => Topic started by: randomOVDB#2 on May 06, 2012, 02:36 pm
-
Pros, cons and software suggestions.
Discuss.
-
Each time I reply to this, something goes wrong -.-
Ok, here's what I was saying in short.
1. security through obscurity means *not* using an obscure channel or obscure piece of media for example, putting a steg encoded picture of a lolcat onto a popular image sharing website. Because the lolcat captions continually change there is no real benchmark against which to compare a steg encoded version, which makes life a lot tougher in terms of finding pictures which may have been steg altered (I expect there are non-invasive encoding techniques, but haven't looked into it).
2. using a public channel is not a small part of this, but a very important decision. If you use Tor to upload an image onto a Tor hosting service, congrats, since you fell into the techie profile, that image is more likely to be scanned by an adversary for steg encoding. Similarly, if you have a steg encoded attachment in your Tormail account and LE is looking at it...
On the other hand, if your steg encoded item is in massive circulation, then there's potentially millions of people who have a copy of the item and this is most ideal. I want for example, to have the FBI explain to the judge that having a picture of longcat on your computer's HD is a serious sign of potential criminal activity (pokerface).
3. Use steg *and* encryption. Remember the appealing metaphor of strands of rope apart or twisted together? Yup.
4. For PGP to be a standard method of encrypting data is fine. It's encryption. But for steneography, the encoding schema used would be an important clue, so it's best not to use any specific scheme recommended on a public forum.
-
Each time I reply to this, something goes wrong -.-
Ok, here's what I was saying in short.
1. security through obscurity means *not* using an obscure channel or obscure piece of media for example, putting a steg encoded picture of a lolcat onto a popular image sharing website. Because the lolcat captions continually change there is no real benchmark against which to compare a steg encoded version, which makes life a lot tougher in terms of finding pictures which may have been steg altered (I expect there are non-invasive encoding techniques, but haven't looked into it).
2. using a public channel is not a small part of this, but a very important decision. If you use Tor to upload an image onto a Tor hosting service, congrats, since you fell into the techie profile, that image is more likely to be scanned by an adversary for steg encoding. Similarly, if you have a steg encoded attachment in your Tormail account and LE is looking at it...
On the other hand, if your steg encoded item is in massive circulation, then there's potentially millions of people who have a copy of the item and this is most ideal. I want for example, to have the FBI explain to the judge that having a picture of longcat on your computer's HD is a serious sign of potential criminal activity (pokerface).
3. Use steg *and* encryption. Remember the appealing metaphor of strands of rope apart or twisted together? Yup.
4. For PGP to be a standard method of encrypting data is fine. It's encryption. But for steneography, the encoding schema used would be an important clue, so it's best not to use any specific scheme recommended on a public forum.
I've always viewed digital steganography with skepticism as although there are tools which allow you to hide data within another file in a non obvious manner, anyone with the same tool can then view that information.
It also seems to be possible to place encrypted data inside the lower bits of certain files but an analysis of the same would reveal the encrypted data thereby rather defeating the point of Steganography!
As Pine says this would be an excellent layer of security to employ in addition to encryption but if for example an image is used, it might be best to make it one of a series e.g a selection of holiday snaps rather than a single image of a lolcat.
Physical methods of Steganography can also be an ideal way of concealing longer passwords to encrypted files e.g using every third letter/digit in a shopping list but once again this should compliment the existing methods you have to protect your data, not replace them.
V.
-
I only know a little about steganography in the grand scheme of things, but I have heard from people who generally turn out to be right, that there is no such thing as strong steganography. If an image or other data is analyzed, it is possible to determine that it has something hidden in it. This is generally done with some statistical techniques looking for the presence of certain levels of randomness, since steganographically hiding data in a file always increases its randomness. It seems to me that maybe very small data transfers would be extremely difficult to detect though, I am kind of skeptic about adding a single additional bit of randomness being enough to identify stegos presence. This technique could also be countered by increasing the randomness in many images, but since most people are not doing this, the people attacking stego seem to be able to get almost non existent false negatives and few false positives, and to be able to fairly quickly defeat everything that is attempted. I believe using unknown and/or more sophisticated algorithms is helpful in slowing them down, but not in defeating their efforts.
This doesn't mean that stego is not useful to avoid arousing suspicion in the first place, and in a way that is what it is intended for. But in another sense the goal of stego is to hide data in other data and hide the fact that this is happening, and in this area it seems to fail.
Sorry I really know very little about stego, but it doesn't seem to be a favored technique by people who really know their shit.
-
Long story short if you use stego you'll get pwnt very fast.
Wealth of info: http://dde.binghamton.edu/
Back when I was very young and arrogant, I did use a digital stego tool to hide a password to an encrypted USB stick I kept in my mailbox - which in turn unlocked a video of the "Trooping of the Colour", most patriotic. I never got a chance to see the expression LEO's faces as they patted themselves on the back at their cleverness at following this false trail of breadcrumbs.
Perhaps if someone used plausible deniability in their encryption they could hide the "safe" password in this way? If you hand it over too quickly/eagerly they may realise it's a ploy.
V.