BitTorrent's Bram Cohen Unveils New Steganography Tool DissidentX 124
Sparrowvsrevolution writes "For the last year Bram Cohen, who created the breakthrough file-sharing protocol BitTorrent a decade ago, has been working on a tool he calls DissidentX, a steganography tool that's available now but is still being improved with the help of a group of researchers at Stanford. Like any stego tool, DissidentX can camouflage users' secrets in an inconspicuous website, a corporate document, or any other, pre-existing file from a Rick Astley video to a digital copy of Crime and Punishment. But it uses a new form of steganography based on cryptographic hashes to make the presence of a hidden message far harder for an eavesdropper to detect than in traditional stego. And it also makes it possible to encode multiple encrypted messages to different keys in the same cover text."
Bram Cohen (Score:5, Insightful)
Re:Bram Cohen (Score:5, Funny)
Yeah, I like that Dracula book.
Re: (Score:1)
0/~ Everybody knooooowwsssss 0/~ it was Bram STOKER. ;)
Svefg cbfg! (Score:5, Funny)
Re:Svefg cbfg! (Score:5, Funny)
I almost modded that as Troll, but maybe it's insightful if decoded with a different key.
Re: (Score:2)
I almost modded that as Troll, but maybe it's insightful if decoded with a different key.
Iway on'tday inkthay it'sway anway encryptionway emeschay, utbay away ewnay anguagelay. Avehay ouyay iedtray unningray itway oughthray Ooglegay?
Re: (Score:1)
First post in Rot13? Not entirely informative. Also not first.
Actual Link (Score:5, Informative)
Come on guys! At least post a link to the project.
https://github.com/bramcohen/DissidentX [github.com]
Re: (Score:3)
Now there's going to be some download logs closely scrutinized by intelligence agencies.
Because, if you have nothing to hide you have nothing to fear, right? So if you've got something to hide, you must be guilty of something.
*sigh*
Re: (Score:2)
...so grab the thing via BitTorrent at the nearest McDonald's WiFi and be done with it.
(...geez - do I have to think of *everything*? ;) )
Re: (Score:1)
Re: (Score:1)
Come on, nerds only go thru the drive thru late at nite.
Re: (Score:2)
I'm curious what the actual "expansion ratio" is. I.e., if you want to encrypt N bytes in a cover-message of M bytes, how many bytes do you actually need to store/transmit?
Re: (Score:2)
I'm curious what the actual "expansion ratio" is. I.e., if you want to encrypt N bytes in a cover-message of M bytes, how many bytes do you actually need to store/transmit?
From TFA:
"Even with Cohen’s clever hashing trick, the cover text for a secret message must be much larger than that message itself. Cohen suggests a file five hundred times as large as the secret message to encode communications without raising suspicions."
Brave (Score:1)
It's probably better to work on this kind of thing in silence until it's released...
Re:Brave (Score:5, Funny)
It's probably better to work on this kind of thing in silence until it's released...
Or even beyond that point.
I released a similar tool two years ago and I'm still eagerly waiting for someone to discover it.
Re:Brave (Score:4, Funny)
I released a similar tool two years ago and I'm still eagerly waiting for someone to discover it.
I sent you an email to say thanks but it would have looked like a letter from a Nigerian diplomat.
Re: (Score:3)
I did receive it, but I didn't disclose its existence to protect your identity.
Once again, in cryptography, the user was his own worst enemy.
I originally read headline as (Score:1)
"Baron Cohen Unveils New Steganography Tool DissidentX"
Proprietary software... (Score:1)
If you're a whistleblower and use proprietary software, you're braindead. Might soon all dead...
Re: (Score:3)
There are tools to spot obvious steganography, especially if the de-stegged picture is already on the Internet somewhere. I remember reading something on /. where a researcher did a mass scan of Web pictures, and found almost no stego whatsoever.
Stego is a useful tool for transporting provided the de-stegoed document never, ever winds up on the Internet, but for storing data, it would be a lot better to use something like TrueCrypt or PhonebookFS.
Re: (Score:3, Interesting)
Stego is a useful tool for transporting provided the de-stegoed document never, ever winds up on the Internet
Just make sure vast numbers of multiple "similar but not exactly the same" pictures like that one you're using are already on the internet. What did you think all those funny cat meme pictures were for?
Re: (Score:1)
That is proper modern steganography, yes. It's a relatively new development compared to the long history of steganography. The key question, though, is if you're going to use encryption on your source data anyway, why go so far as to hide the cipher text inside a special, different container? Presumably, the answer has something to do the relative amount of work of detection. However, it seems like it would be easier and more effective to hide the encrypted data in a large sea of entropy (on whichever s
Re: (Score:2)
I don't understand. If I put a message in some seemingly random data, either it stays on my system or I look suspicious for sending it to somebody else. If I use my phone to get JPEGs of my cats looking cute, and embed messages in them, and send them around, and never reuse a photograph, I'm not doing anything suspicious. (Selfies would also work, but I personally don't like sending all sorts of photographs of me around.)
Re: (Score:2)
...what sibling said.
If you post a unique picture to, say, Instagram, then there's not going to be anything to compare against, especially if you're using something non-obvious and intelligent. If you post a unique Excel document with lots of formulas/macros in it, then that's obviously going to bork-up any attempt at finding steganography by way of algorithm. Even in your example of MS Word? one custom font, embedded picture/graph, macro and suchlike will happily help your document evade detection if the e
Re: (Score:2)
There are simpler ways as well, depending on what one's forseen adversary is. In a past life, I had to deal with a third party whose E-mail server refused to allow any E-mail attachments whatsoever except Acrobat, and AutoCAD files were needed to be exchanged fairly quickly. So, when sending the DXF file, I ended up embedding it as an attachment in a password-protected PDF, and this did the trick.
Re: (Score:2)
In a past life, I had to deal with a third party whose E-mail server refused to allow any E-mail attachments whatsoever except Acrobat, and AutoCAD files were needed to be exchanged fairly quickly. So, when sending the DXF file, I ended up embedding it as an attachment in a password-protected PDF, and this did the trick.
You probably went to a lot of unnecessary work. Just rename your file "sekritdrawing.dxf.PDF" and it'll get past the server's filter just fine.
Re:The problem... (Score:4, Funny)
it would surprise me if they don't have automated tools to spot steganography. (i.e. They know exactly what the formatting of say a Word document should be, and should have the capability to automatically flag traffic which has nonstandard information in the headers or data.)
Have you seen the formatting of Word documents that come out of your typical user?
You don't hit the "enter" key to make space, you jackasses. That creates a new fucking paragraph. Edit the paragraph's spacing if you want space below it. If you want an actual newline+carriage return, hit shift+enter. Stop using tab without first defining your tab stops to control where you want shit to be. Why are you using tabs to make columns anyway? Why are you trying to make columns (incorrectly via tabs) when what you want is a table? That's it, you're getting party vanned.
Re: (Score:2)
I have a macro that removes tabs, double newlines, and double spaces after periods among other things. I don't really fault users - most people learned word processing by simply dicking around with the software.
The worst one for me is when they don't set the tab stops and so resort to hitting tab and then space a few times until the text lines up approximately where they want. No (easy) way to automate that out!
Re: (Score:2)
*ahem* - apparently this little project costs the end-user $0.00 to acquire.
Not seeing much profit going on with this one...
Brilliant (Score:2)
01101110 01101111 00100000 01101101
01101111 01110010 01100101 00100000
01110011 01100101 01100011 01110010
01100101 01110100 01110011
Re: (Score:2)
To the typical user it just looks like a random bunch of ones and zeros.
01101110 01101111 00100000 01101101
01101111 01110010 01100101 00100000
01110011 01100101 01100011 01110010
01100101 01110100 01110011
Nah, only morons openly represent encoded stuff exposed. Concealing real encodings takes stenography...
FTFY.
Re:Steganography has always one big problem (Score:4, Funny)
All the other side needs to know is that you have something to hide, and depending on the level of society you live on, water boarding, lead pipes, or court order to make you divulge what it is.
Unsophisticated societies use lead pipes to force people to divulge information.
Sophisticated societies use court orders.
Modern societies use waterboarding.
Postmodern societies use facebook.
Think about it.
Re: (Score:2)
If you can make the diff of the documents
1) take photo
2) do steno stuff to hide data
3) delete original
Ideally you wanna get a digital camera with a ton of megapixels and a very crappy sensor -- ie, one with a very noisy image. I've got a Canon SX100IS that should do nicely, particularly if you use dim lighting...
tool? (Score:3, Interesting)
This does not even have tests. Barely any project-like organization. Just a bunch of python scripts hobbled together. Seriously, this is barely v0.1 material.
Call it a proof-of-concept, an experiment, anything. But not a tool.
Re: (Score:2)
From the first lines of the first file on Github:
def x(m1, m2):
assert type(m1) is bytes
assert type(m2) is bytes
return (int.from_bytes(m1, 'big') ^ int.from_bytes(m2, 'big')).to_bytes(len(m1), 'big')
assert x(x(b'abc', b'def'), b'def') == b'abc'
Maybe that was added after you posted. Note that it ostensibly has a 'test' (assert) but with functions named h(), x(), I find the code very unfriendly indeed.
Re: (Score:2)
Re: (Score:2)
Steganography? (Score:2)
Leak Tracking (Score:5, Insightful)
But it uses a new form of steganography based on cryptographic hashes to make the presence of a hidden message far harder for an eavesdropper to detect than in traditional stego.
I think steganography is far more likely to be used to track the people who leak information. When information gets out that was apparently available to multiple people, the leaker may not realize that his copy had a specific steganographic signature that identifies him as the source. It could be a pattern of extra spaces or line breaks in the code of document that he doesn't even see. The increased availability of the technology will likely mean smaller companies or government agencies will use it to suppress leaks.
Re: (Score:2)
Wouldn't this concern be nullified if the original leaked documents are even slightly changed prior to release? From what I understand, any modification would render any encrypted messages unreadable...
Re: (Score:2)
No necessarily, because guttentag is really talking about watermarking, not steganography. You can watermark a document in such a way that the reader cannot detect the watermark (unless the compare theirs to the original). The watermark is retained even during (most) modifications. For example, a misspelling can be a watermark. Even if it is modified, so long as one or more misspellings remain, the watermark can be identified.
Re: (Score:2)
What about converting to another file format before passing along the data?
jpg ---> png
doc ---> pdf
pdf --> screenshot ---> ?
Re: (Score:1)
That would remove nearly all steganography during the encoding phase, since the encoder doesn't care much about seemingly insignificant bits (like the low-order, high-entropy bits of an RGB image).
As the person you replied to pointed out, tracking is more about clever watermarking. Watermarks will not necessarily be removed by encoding to a new format. For text, patterns of spelling or mis-spelling will be preserved. Whitespace may or may not be preserved, depending on the source and target formats. Ima
Re: (Score:2)
Re: (Score:2)
That's why I always leak someone else's copy.
Re: (Score:2)
You can nullify that by doing an N-way merge of the document with the N people that received it.
Re: (Score:1)
Re: (Score:2)
An authority like Wikileaks can do the N-way merge for you.
Just upload the document to Wikileaks.
And supply the parameter N (meaning you don't want it published if the merge uses less than N documents).
Of course, you should then trust that the others uploading the document are not working against you.
Re:Leak Tracking (Score:4, Interesting)
I think steganography is far more likely to be used to track the people who leak information.
You've got the right idea, but you're not connecting all the pieces of the puzzle to answer how. Allow me: You know that massive data center the NSA is building to basically "download the internet"? Well, as it turns out, the overwhelming amount of traffic on the internet is just a copy of something else. Translation: If you compressed it you'd get some amazing compression rates. Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration. In other words, if you use any publicly available image, document, etc., and then "stego" it... an adversary like the NSA can programically detect this. Plausible deniability goes right out the window.
The increased availability of the technology will likely mean smaller companies or government agencies will use it to suppress leaks.
This is something separate from steganography. What you're talking about is watermarking, and it's something color printers already do -- the serial number, username, time, etc., is encoded in yellow microdots on all pages. It was originally implimented to assist in anti-counterfeiting measures, but has since expanded to cover "national security" interests. And by that, I mean tracking down political undesireables and neutralizing them.
Re: (Score:1)
I think steganography is far more likely to be used to track the people who leak information.
You've got the right idea, but you're not connecting all the pieces of the puzzle to answer how. Allow me: You know that massive data center the NSA is building to basically "download the internet"? Well, as it turns out, the overwhelming amount of traffic on the internet is just a copy of something else. Translation: If you compressed it you'd get some amazing compression rates. Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration. In other words, if you use any publicly available image, document, etc., and then "stego" it... an adversary like the NSA can programically detect this. Plausible deniability goes right out the window.
Why would you use something already public as the carrier? Just encode your secret payload into a video you just made of your cat playing with a piece of string, and then delete the original video. Now nobody can diff your carrier file.
Re: (Score:1)
Your first point/paragraph is why steganography can't replace good encryption as a data hiding technique. Steganography is much older than strong cryptographic encryption, but likewise it is much more limited in its capacities. When one relies on steganography, that person is taking a gamble that the method of data obscuration is never discovered. With encryption, assuming the algorithm is actually cryptographically sound, the discovery of the algorithm and even its specific implementation is not a big c
Re: (Score:2)
Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration.
Bullshit. Useless to try hampering all the stenographic wrapper resources. Origin's not generally your only usecase. Lossy artifacts may encode representations.
Well, how about that? A stenographic insult lays lexically yet most other readings offer none.
Re: (Score:2)
Here's the thing about steganography that is going to fuck most people who try to use it: If they ever find the original file that you used pre-stego, a simple binary comparison will reveal the alteration. In other words, if you use any publicly available image, document, etc., and then "stego" it... an adversary like the NSA can programically detect this.
If you are stupid, yes.
If you are not stupid, you copy the image, crop it a bit, apply some filter and re-encode it. There goes your programmatic detection.
Re: (Score:2)
It's simple. First, come up with a type of picture that you can plausibly send around. Ideally, acquire cats. Second, take your own pictures. Third, embed your message in the picture. Fourth, send out the picture that contains the message. Make sure the original never leaves your own possession, and never ever reuse a picture. Find different cute positions for your cats instead.
We need a higher level of functionality (Score:3)
Re: (Score:3)
I was thinking of something similar.
The idea that popped into my head was a virtual volume whose backing store was a directory full of image files with the data spread out across the image files using a distributed parity system. Ideally it would be encrypted prior to being stored steganographically in the image files.
With the right automation you could have the storage system dynamically use something like Google image search to grab new images to use as stego storage targets.
Re: (Score:2)
Sounds like a variation on a "PAR" archive. [wikipedia.org] It may be that a combination of PAR with a TrueCrypt volume way to go. If someone could do PAR as a FUSE project, then you'd be partway there. This would still be missing the steganography angle, and I don't see anything to help that along.
Cue the NSA (Score:2)
Cue the NSA insisting that they need to examine every photo and video that passes over the Internet because terrorists might be using this.
Also cue some enterprising NSA employee convincing his superiors that terrorists might hide stuff on porn sites and he needs to examine those photos/videos very carefully and repeatedly.
Re: (Score:2)
In related news, the NSA's Utah data center is filled to capacity with versions of Goatse Guy.
Comic Sans (Score:2)
Closed? (Score:2)
Will it be closed like Bittorrent-sync?
Question (Score:2)
Of course I didn't read TFA!
Will there be an effective way for cryptanalysts to know the number of separately encrypted messages that exist within a data object? If so, the deniability feature of this will be of little use. If the number is not known, then handing over the password to a relatively innocuous message might be sufficient to end the interrogation. If the number is known, the waterboarding will continue until all passwords are revealed..
Re: (Score:2)
I read TFA, and you didn't miss much. The reporter dumbed the idea too far down or didn't understand it himself. https://github.com/bramcohen/DissidentX [github.com] [github.com] has a little more explanation especially if you want to read the code.
Anyway, you can't tell how many messages are encoded, in fact you shouldn't be able to see if a single message is encoded at all, hence the purpose of the tool and stenography in general. Though, if you have the undoctered original file and you know that this tool is the on
Not based on hashes (Score:2)
Re: (Score:2)
Hashes are *always* one way.
Well, then welcome to the infinite future. Here, in the way beyond all, "hashes" are simply a cryptographic primitive: Pseudo random number generators.
Where Hash() is any hashing function, and blocks are the length of a hash output, + is concatenation, XOR is Exclusive-Or of two blocks worth of bits.
Encipher:
...
output_block[ 0 ]: input_block[ 0 ] XOR Hash( key )
output_block[ 1 ]: input_block[ 1 ] XOR Hash( key + input_block[ 0 ] )
output_block[ n ]: input_block[ n ] XOR Hash( key + input_block[ 0 ] + input
Encoding cleverly uses spaces, Oxford commas (Score:3)
This is really clever. It includes encoders that use tabs [github.com] spaces at the ends of lines [github.com], and even Oxford commas [github.com]. That is ridiculously cool. Nice work, Bram & co.!
Re: (Score:1)
People who want to increase the chances that something will stay secret? People who want to reveal the crimes of their governments?
Re: Who the hell needs this? (Score:1)
Innocent People residing in a land with a security agency of questionable legality in its practices? In other words, 90+% of Americans?
Re:Who the hell needs this? (Score:5, Insightful)
Need is relative. Even if all i want to do is have my wife send me a note to pick up milk on the way home, its not the governments business. So in reality, *yes* i do have something to hide. It doesn't mean i'm a criminal. Its called personal privacy.
Re: (Score:1)
You seem confused about which way you want to troll this one. I admire the thought that maybe you could embrace the power of AND and go both ways, but, sometimes that doesn't work out. This is one of those times.
Re: (Score:2)
He got you, didn't he? I'd call that a success.
Re: (Score:2)
Or he fake trolled himself, the real troll, to get you?
I've still not finished "Gödel, Escher, Bach: An Eternal Golden Braid", so I don't know the answer yet.
Re: (Score:2)
2) She can request that he buys milk on the way home. It's a sign of working as a team.
I could also say that he is likely to do it because he enjoys being married, but I think that's a bit sensationalist.
Re: (Score:2)
People who live in a country with a security force that can make you disappear and torture you to death for posting the wrong message unencrypted.
Re: (Score:1)
Yes, but other than that ... and a run-away / out of control government, the USA is not so bad!
Re: (Score:2)
Today, that's pretty much all of them.
Re:Who the hell needs this? (Score:5, Insightful)
I see it as more of a big "screw you" to the people who want to watch everything we do.
I'm not committing any crime, and you have no reasonable basis to believe I am. It's still my right to communicate and keep some things private.
But if you're going to insist on tracking everything we do, we're going to make your job harder.
Expect to see lots of products intended to give end-user security.
If you're willing to allow the government to spy on everything you do (clearly not the case since you posted as AC), that's your problem.
Since the whole planet is being spied on by the US, denying them the information is the best response.
Re:Who the hell needs this? (Score:5, Insightful)
But normal people do not need this - it's completely loony-tunes.
Normal people shouldn't need this. What's completely loony-tunes is that they do.
Re: (Score:2)
But normal people do not need this
You are not thinking creatively enough. I can see a dozen uses for this, some playful, some serious, some a bit geeky, some artistic.
Re: (Score:1)
You ARE the problem. You've been conditioned to believe this since 9/11 and it's wrong. Us old folks remember when our lives were private unless WE divulged the information. They've trained millennials to SHARE everything and quite a few of us older folks think we have to change with the times. Well, no. Fuck that.
Re: (Score:2)
Just how old are you? America started spying on its citizens during the civil war by intercepting the telegraph, ramped it up during WWI when national security started to be used to justify removable of what were apparent rights such as free speech and not much later the rule of J. Edgar Hoover, based on having dirt on everyone, started.