
Stego Standards Silly ? (Was: Re: def'n of "computer network")




.pm writes:
> Indeed -- how could the recipient even know to look, unless these
> things arrived regularly and with a fully standardized form of
> steganography, in which case why bother, all you've done is come up
> with a very odd form of transfer encoding.

I agree, but AFAICS an odd form of transfer encoding is exactly what the
doctor ordered. For plausible cryptodeniability, one wants to send 
ciphertext using a transfer encoding that doesn't automatically ring alarm
bells. Steganography amounts to laundering Content-Type: headers.

> If the recipient does know to look, that implies either that there is
> a hint, in which case the steganography is useless, or it implies that
> you have prearrangement, in which case my comments on prearrangement
> hold.

If the recipient isn't getting spammed with GIFs (or whatever), she (or
rather her MDA) can simply look at all of them by default. Of course this
does not help with anonymous message pools on the order of Usenet, but that
is a sub-issue.

Deranged Mutant raised an IMHO important issue a few months ago. He suggested
that Mallet could go about trashing the purportedly "random" bits in each
instantiation of some transfer encoding used in a stego standard. For
example, he shuffles the LSBs of every passing JPEG. I'm not sure how feasible
this would really be (both technically and sociopolitically), but it
could be a big annoyance if only a few people were suspected of using stego
method XYZ. 

The standard answer to agent-in-the-middle tampering is of
course digital signatures. Now, the question is, will we be allowed to sign
our possibly-stego-enclosing GIFs with reasonable confidence that the govt.
can't forge our signatures? Obviously the signature itself can't be
stegoed, or else we fall into an infinite regress.

 -Futplex <[email protected]>
