Correction sought

Peter Fairbrother peter.fairbrother at ntlworld.com
Tue, 09 Oct 2001 17:51:54 +0100


Unfortunately I don't have a reference, but a few years ago I did hear that
UK Muslim (but not terrorist) sites were using stego - the embedded messages
were quotes from the Koran and suchlike, and there was of course no porno
involved. There was even a young Muslim quoted as saying how nice it was to
decode such messages hidden in religious images - apparently it's of
cultural/religious significance (anyone know how?).

Another (school-age) said that he could access sites that didn't seem
Muslim, and thus didn't draw attention or scorn from his schoolmates who
weren't Muslims, and read Koran verses etc there. It was an upbeat fluff
piece on TV, but I don't remember where or when. Taking a
paranoid-of-Muslims approach, perhaps the messages were a test? More likely,
just a bit of fun.

I do agree that it's unlikely Bin Laden used stego, mainly because it isn't
seen as very secure against NSA by the open crypto community, to which Bin
Laden apparently has access. He seems a bit paranoid of electronics and
hi-tech in general anyway.

However, this is just an opinion, not fact, and not shared by all
cryptologists.

Regarding the Niels Provos / Peter Honeyman paper, I do know some people who
have put stego on the 'net, for fun and test etc. purposes, which makes me
more than a little wary of drawing wide conclusions from the paper - absence
of evidence, which is what this paper provides, is not evidence of absence.
That point has, I hope, finally been accepted by Niels. The claim of analysing
two million images is misleading, as they apparently hadn't completed all
the analyses - from some reasonable assumptions and back-of-an-envelope
calculations, they still can't have done so even now.

The techniques used for raw detection are statistical tests with a high
false negative rate, 60% or more from high quality images, looking
specifically for output from three stego products, none of which I (or Ross)
would recommend. However, low bandwidth embedded text can be very hard to
detect, and will reliably pass these "Stegdetect" statistical tests
undetected. They found about 1% positives in the statistical tests, and
assumed (without explaining why) many were false. About 90% of these
positives were suspected to be output from one of the three programs.

They then tried dictionary attacks on the "positive" suspected embedded
texts, looking for headers and then plaintext. These attacks were only
performed on positives suspected to be output from one of the three stego
products, the 90% one, which also has the highest false negative rate.
Positives suspected to be from a second product are dismissed, or at least I
can find no reference to what happened to them.

The last product they have a dictionary attack for, but they don't say how
many times it has been applied, or to what % of positives from the first
stage. And there's always the difficulty of positively identifying each and
every bit of embedded ciphertext, in order to pass it to the decrypt
network.

Success in the second stages is the only way they would accept a "real"
positive, fair enough if you want to be "sure", but it leaves a _lot_ of
possibilities for traffic to pass undetected, some of which I haven't
mentioned, e.g. low image quality on the 'net. To quote from the report's
conclusions: "Nobody uses steganographic systems that we can find." Perhaps
it shows that stego is more secure than people think, instead of showing
no-one uses it. Or, that they aren't very good at finding stego.

-- Peter


> Ross Anderson wrote:

> In my note yesterday I got the date of the University of Michigan
> technical report wrong. It appeared in August 2001, thus after rather
> than before the USA Today article. It is CITI tech report 01-11:
> 
> Niels Provos and Peter Honeyman,
> "Detecting Steganographic Content on the Internet," August 2001.
> <http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf>
> 
> It reports that no steganographic content was found.
> 
> I regret the error; thanks to Duncan Campbell and Niels Provos for
> pointing it out. 
> 
> My main point nonetheless stands: the media are continuing to run this
> `mad mullah is a cryptopornographer' story in the face of both
> scientific advice, and categorical statements from the FBI that the
> hijackers used plaintext email communications rather than any fancy
> encryption or anonymity service. The fact that the UK security
> services are putting them up to it raises some interesting questions
> of public policy.
> 
> Ross
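An added example, not part of either message above, of Peter's point that low-bandwidth embedding passes the Stegdetect-style statistical tests: the pairs-of-values chi-square test for sequential LSB replacement, run over a constructed stream of 8-bit values standing in for pixel or DCT data, against the cover, a full-capacity embedding and a 2%-capacity one. The cover's even/odd imbalance, the random payload bits and the 0.9 decision threshold are constructed assumptions, and the chi-square tail uses the Wilson-Hilferty approximation so the script needs only the standard library.

```python
import math
import random
def pov_chi_square(samples, bits=8):
    """Pairs-of-values chi-square test for sequential LSB replacement: random
    message bits push hist[2i] and hist[2i+1] towards equality. Returns the
    chi-square tail probability: near 1 means embedded, near 0 a clean cover."""
    hist = [0] * (1 << bits)
    for s in samples:
        hist[s] += 1
    stat, dof = 0.0, 0
    for i in range(0, len(hist), 2):
        expected = (hist[i] + hist[i + 1]) / 2.0
        if expected >= 5:            # skip sparse pairs, as the classic test does
            stat += (hist[i] - expected) ** 2 / expected
            dof += 1
    if dof == 0:
        return 0.0
    # Wilson-Hilferty normal approximation of the chi-square tail (no scipy)
    z = ((stat / dof) ** (1.0 / 3) - (1 - 2.0 / (9 * dof))) / math.sqrt(2.0 / (9 * dof))
    return 0.5 * math.erfc(z / math.sqrt(2))

def make_cover(n, rng):
    """Constructed cover: 8-bit values with a deliberate even/odd imbalance,
    standing in for the pair asymmetry real pixel or DCT data shows."""
    cover = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 40))))
        if rng.random() < 0.3:
            v &= ~1                  # nudge 30% of odd values down to even
        cover.append(v)
    return cover

def embed_lsb(cover, payload_bits):
    """Sequential LSB replacement in the first len(payload_bits) samples."""
    stego = list(cover)
    for i, bit in enumerate(payload_bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def is_flagged(samples, threshold=0.9):
    # Decision rule assumed here: flag when the embedding probability exceeds 0.9
    return pov_chi_square(samples) > threshold

def demo(n=20000, seed=1):
    # Cover vs full-capacity vs 2%-capacity embedding of random (constructed) bits
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    full = embed_lsb(cover, [rng.getrandbits(1) for _ in range(n)])
    sparse = embed_lsb(cover, [rng.getrandbits(1) for _ in range(n // 50)])
    return {k: is_flagged(v) for k, v in (("cover", cover), ("full", full), ("sparse", sparse))}
```

Running demo() flags only the full embedding; the sparse one leaves the histogram pairs about as unbalanced as the cover, which is the false negative the message above describes.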