The Digital Beat: The Debate Over Online Steganography

From: Terry W. Colvin (fortean1@mindspring.com)
Date: Fri Nov 02 2001 - 07:35:39 MST


From: Andy Carvin <acarvin@benton.org>

The Digital Beat -- 31 October 2001

When a Picture Is Worth a Thousand Secrets: The Debate Over Online Steganography

By Andy Carvin (acarvin@benton.org)

Introduction

In the weeks since the horrendous September 11 attacks on New York and
Washington DC, investigators around the world have poured over tens of thousands
of leads. With each turn, it seems, authorities explore new pieces of evidence
that somehow fit into the giant puzzle that makes up the al Qaeda terrorist
network.

As the news media continues its marathon coverage of the attack and subsequent
U.S. retaliations, one accusation has received particular attention. Reports
from ABC News, the Associated Press, the New York Times and Newsweek, among
other media outlets, have alleged that terrorists associated with Osama bin
Laden may have communicated covertly by imbedding secret messages into publicly
available files on the Internet, including images from adult porn sites.

This allegation has yet to be proven -- the FBI has stated in briefings that
they don't have evidence to back up these charges. But these media reports have
re-ignited interest in this ancient cloak-and-dagger technique, adding more fuel
to the fire in the searing debate over online civil liberties in a
post-September 11 world.

Steganography: Hiding in Plain Sight

Steganography, the science of hiding secret messages within publicly accessible
material, is by no means new. One of the first accounts of steganography in
action dates back to the Greek historian Herodotus. In the fifth century BCE he
documented the story of Demeratus, who struggled to find a way of alerting
Sparta that the Persian Great King Xerxes was gearing up to invade Greece.
Knowing that any overt message would be intercepted easily by the Persians, he
scraped off the wax surface of a wooden writing tablet and scratched his warning
into the underlying wood. Demeratus then re-coated the tablet with a fresh layer
of wax, thus allowing the apparently blank writing tablet to be carried off to
Sparta without arousing suspicion.

The term steganography dates back to 14th century. German mathematician Johannes
Trithemius penned a book on black magic entitled Steganographia -- Greek for
"hidden writing." Indeed, the controversial book was about hidden writing.
Instead of being a treatise on black magic, the manuscript was actually a
well-disguised essay on cryptography -- so well disguised that it took half a
millennia to crack it completely.

During the 19th century, spies used creative forms of steganography throughout
the course of the legendary Great Game -- the decades-long war of stealth
conducted between imperial Russia and Great Britain as they competed for
dominance in Central Asia. The famed British-Indian spies known as pundits used
the accoutrements of itinerant monks to disguise the fact that they were mapping
out the complex topographies of Tibet and Afghanistan. Pundits would carry a
modified rosary made up of 100 prayer beads (instead of the 108 beads usually
found in a Buddhist rosary), allowing them to secretly tabulate the number of
paces as they walked in any given direction. The details of their covert
surveying work would then be hidden amongst handwritten prayers contained in the
center of the Tibetan prayer wheels they carried openly.

In modern times, steganography was used successfully during wartime as a way of
transmitting messages in plain view. German and allied forces both employed
steganography during the First World War; in one particular case, a German spy
transmitted the following message:

Apparently neutral's protest is thoroughly discounted and ignored. Isman hard
hit. Blockade issue affects pretext for embargo on byproducts, ejecting suets
and vegetable oils.

A casual observer might easily ignore this seemingly innocuous message, but if
you take the second letter in each word, you'll soon discover a secret message:

Pershing sails from NY June 1.

A well-publicized example of steganography occurred during the height of the
Vietnam War, when Commander Jeremiah Denton, a naval aviator who had been shot
down and captured by North Vietnamese forces, was paraded in front of the news
media as part of well-staged propaganda event. Denton knew he would be unable to
say anything critical of his captors outright, so as he spoke to the media, he
blinked his eyes in Morse code, spelling out T-O-R-T-U-R-E.

Perhaps the most public post-September 11 accusation regarding steganography
occurred several weeks ago when the Arab-language news service Al Jazeera
broadcast videotaped statements by Osama bin Laden and his associates in their
entirety. The Bush administration quickly responded by requesting that all media
outlets use greater discretion when it came to airing statements from Al Qaeda,
fearing that the unedited statements might contain secret messages -- messages
communicated by means of certain words or phrases being used, combinations of
clothing or discrete nonverbal gestures.

Old Tricks, New Techniques

Steganography, as the above examples demonstrate, is not limited to one
particular medium or technology -- it's simply a matter of disguising a covert
message within an overt one, whether that overt message is an ancient wax
tablet, a telegram or a person speaking through a television broadcast. So it
should come as no surprise that the technique has also found its way onto the
Internet. In fact, steganography tools are freely available for public use.
Steganography software allows users to secretly incorporate data into various
digital media - text, jpeg images, MP3 audio files, etc.

One relatively innocuous example of online steganography in action can be found
at the Web site SpamMimic.com. This site allows users to encode and decode
secret text messages in what appears to be rambling spam messages. For example,
SpamMimic.com can produce a text message that looks like this:

Dear Friend , Especially for you - this breath-taking news . If you no longer
wish to receive our publications simply reply with a Subject: of "REMOVE" and
you will

immediately be removed from our club ! This mail is being sent in compliance
with Senate bill 1621 ; Title 6, Section 301 ! This is a ligitimate business
proposal ! Why work for somebody else when you can become rich in 54 months....

(Note - the full message is longer than this paragraph and has been trimmed for
length. A complete copy of the message can be found in the appendix at the
bottom of this article.)

This seemingly incoherent advertisement can then be transmitted to anyone on the
Internet. For the average netizen, the message would undoubtedly find its way
into the trash folder, but for people who know that it's been encoded by
SpamMimic, they can go to the Web site, select the "decode" option, and submit
the full text (see appendix) to find this secret message:

Happy Halloween!

Of course, hiding brief text messages within larger text is limited by the
overall size of the larger text: text files simply aren't big enough to hide
more complex data like images or audio files. A solution to this dilemma can be
found in the availability of around 140 steganography software packages readily
available over the Internet. Free download sites have collections of various
steganography tools, including one called Invisible Secrets 3.0. Invisible
Secrets leads users through a series of easy steps that allows them to encode a
file secretly into another file.

As a demonstration, I've set up a simple Web page with three photos on it:

< http://www.benton.org/DigitalBeat/stegdemo.html >

Here you'll see two photos that look identical to each other - a public domain
image of the space shuttle from NASA. The photo on the left is the original
image, while the photo on the right has been altered steganographically: I've
used the software Invisible Secrets 3.0 to hide a picture of my cat Winston
inside of it. The steganography software scatters the data of my cat photograph,
hiding that data amongst the bits and bytes that makes up the NASA photo. The
result of this process is the second copy of the NASA photo, a covert kitten
hidden within it, which I could share as publicly as I would like -- emailing it
to a listserv, placing it on my Web site, etc. To the unsuspecting viewer, it's
just a photo of the space shuttle, but to someone who knows I've altered it
steganographically, it's a secret envelope that can be used to deliver any piece
of data I'd like -- in this case, a picture of my cat.

Do Terrorists Dream of Steganographic Sheep: When Rumors Lead to Bad
Policymaking

Whether used for safeguarding business secrets, watermarking copyright-protected
data or just for personal amusement, steganography was largely seen as just
another aspect of Internet culture until the September
11 attack. Though news outlets such as USA Today and Wired News had reported
earlier this year on speculation that terrorists like Osama bin Laden might use
steganographic software for encoding secret messages into publicly available
pornographic image files, rumors regarding such activities have caught on like
wildfire in the weeks following the attack. All of these reports had one thing
in common: they stated that authorities suspected that bin Laden and his
associates _might_ have used steganography.

There was no direct proof, however. Internet journalist Duncan Campbell reported
in the online magazine Telepolis that FBI officials stated in two successive
briefings that there was no evidence to suggest that terrorists had employed
steganography. To date, the only comment from a government official implying a
direct connection between terrorists and online steganography has come from an
unnamed source formerly connected to the French defense ministry. The source, as
noted in an October 30 story in the New York Times, claimed that a terrorist
suspect named Jamal Beghal used the technique to plan a failed bombing plot of
the U.S. embassy in Paris. Details about the alleged use of steganography remain
scant, however.

Declan McCullagh, Washington DC correspondent for Wired News as well as one of
the first journalists to report on allegations of terrorist online
steganography, was also skeptical of the recent reports. "I've said in the past
that we should assume for purposes of political debate that terrorists will use
crypto and stego, because if they're not now, they eventually will," he wrote in
an email to his Politech e-newsletter. "The September 11 attackers were cunning,
if nothing else. But there is a huge difference between expecting that
terrorists will eventually go in this direction -- and accepting as fact vague
and self-promoting reports that the 19 suicide-hijackers did."

Adding to this skepticism is a recent report from University of Michigan
computer scientists who scanned over two million online images for evidence of
hidden messages using special stego-detecting software they had developed. (The
art of detecting steganography, for those who are interested, is known as
steganalysis.) Their sweep of these two million images identified no trace of
steganography, whether for passing along secret orders between terrorist cells
or for passing along the Mrs. Fields cookie recipe.

"I am not aware of evidence that indicates the use of encryption or
steganography," explains Neils Provos, one of the authors of the University of
Michigan study. "The terrorist attacks are being used by some politicians as a
reason to pass legislation that they could not pass before.... There is no
indication that any encryption technology has been used."

As Provos and others point out, one of the greatest concerns among online civil
libertarians is that these unsubstantiated claims of terrorists using
steganography will serve as ammunition for politicians to put further
restrictions on both steganography and encryption. Civil libertarians are
already finding themselves being shouted down by policymakers determined to
expand government surveillance activities and clamp down on tools used for
hiding or scrambling information. In the Netherlands, legislators have moved to
regulate public use of strong encryption on the Internet, backing off on a 1998
policy memorandum that stated, "The use of cryptography will remain
permissible."

In the United States, the sweeping anti-terrorism legislation signed into law by
President Bush on October 26, among other things, greatly expands the ability of
authorities to tap email accounts, access personal data and snoop through
electronic voice mail. "This bill does not strike the right balance between
empowering law enforcement and protecting civil liberties," worried Sen. Russ
Feingold (D-WI), the only senator to vote against the legislation. "I don't know
anybody in this country who's afraid of their law enforcement people at this
time -- they're afraid of terrorism," responded Sen. Orrin Hatch (R-UT), one of
the key supporters of the new law.

The law contains many provisions that are profoundly frustrating to civil
libertarians, but this particular piece of legislation does not contain any
specific challenges to steganography. This is not to say that future legislation
will not attempt to curtail the rights of citizens to utilize or develop
steganography software, however. The very fact that these public allegations of
terrorists using steganography happen to contain a bizarrely seductive mix of
political issues that are close to the heart of many a legislator (namely
protecting national security and curtailing online pornography) suggests that
proposals to limit access to steganography could be just around the corner.

Of course, the passage of such proposals would lead to the next inevitable
question -- would anti-stego legislation actually serve their intended purpose?
If terrorists are indeed sophisticated enough to employ steganography software,
it would not be surprising if they also possessed the sophistication to develop
their own software should current stego tools become inaccessible, or if
investigative authorities were granted even greater access to the decoding keys
for these tools. So assuming that terrorists had the wherewithal to craft their
own steganography tools, the only people who would truly feel the effects of
anti-steg legislation would be law-abiding citizens who might wish to employ
steganography to protect their online private interests. Additionally, if you
consider the allegations regarding bin Laden's supposed use of old-fashioned
steganography in videotape broadcasts, cracking down on _online_ steganography
would do nothing to prevent terrorists or other criminal elements from using
more traditional, _analog_ means to pass along messages to each other.

Conclusion: Much Ado About Nothing? (or at least nothing visible without the
assistance of stego software...)

The media hype surrounding bin Laden, steganography and pornography make for
enticing copy -- but the stories published to date simply don't add up to actual
proof, let alone successfully demonstrate that changing the law to curtail
steganography would actually accomplish much in the war on terrorism. In these
trying times, it would be difficult to challenge the sincerity of lawmakers as
they use the tools at their disposal to combat terrorism and keep America safe.
Yet alongside their duty to help preserve the security of the country is the
equally important duty to recognize and preserve our civil liberties. This is no
truer than in times of war, when emotion, fear and the desire for swift justice
can cloud our constitutional judgment.

Related Links

SpamMimic < http://www.spammimic.com >

Invisible Secrets 3.0

< http://www.freedownloadscenter.com/Utilities/File_Encryption_Utilities/Invis
ible_Secrets.html >

Steganographia, by Johannes Trithemius (in Latin) <
http://www.esotericarchives.com/tritheim/stegano.htm >

How Steganographia was cracked: <
http://cryptome.unicast.org/cryptome022401/tri-crack.htm >

Detecting Steganographic Content on the Internet (Analysis by Neils Provos and
Peter Honeyman at the University of Michigan) <
http://www.citi.umich.edu/u/provos/stego/ >

Coded Communications < http://www.msnbc.com/news/632358.asp >

Veiled Messages of Terrorists May Lurk in Cyberspace
< http://www.nytimes.com/2001/10/30/science/physical/30STEG.html?pagewanted=1 >

How the Terror Trail Went Unseen, by Duncan Campbell <
http://www01.heise.de/tp/english/inhalt/te/9751/1.html >

Bin Laden: Steganography Master? <
http://www.wired.com/news/politics/0,1283,41658,00.html >

USA-Patriot Act of 2001 < http://www.epic.org/privacy/terrorism/hr3162.html >

Appendix: Complete Text of SpamMimic Message

Dear Friend , Especially for you - this breath-taking news . If you no longer
wish to receive our publications simply reply with a Subject: of "REMOVE" and
you will

immediately be removed from our club ! This mail is being sent in compliance
with Senate bill 1621 ; Title 6, Section 301 ! This is a ligitimate business
proposal ! Why work for somebody else when you can become rich in 54 months .
Have you ever noticed nobody is getting any younger & how long the line-ups are
at bank machines . Well, now is your chance to capitalize on this . WE will help
YOU use credit cards on your website and use credit cards on your website ! You
can begin at absolutely no cost to you ! But don't believe us . Mrs Ames who
resides in Massachusetts tried us and says "I've been poor and I've been rich -
rich is better" ! We are licensed to operate in all states ! Don't delay - order
today . Sign up a friend and your friend will be rich too . Best regards ! Dear
Cybercitizen ; Thank-you for your interest in our briefing . If you no longer
wish to receive our publications simply reply with a Subject: of "REMOVE" and
you will immediately

be removed from our mailing list . This mail is being sent in compliance with
Senate bill 1618 ; Title 2 , Section 301 . This is not multi-level marketing !
Why work for somebody else when you can become rich in 58 weeks ! Have you ever
noticed people will do almost anything to avoid mailing their bills plus most
everyone has a cellphone ! Well, now is your chance to capitalize on this ! We
will help you SELL MORE and increase customer response by 170% ! You are
guaranteed to succeed because we take all the risk . But don't believe us . Mr
Jones of Georgia tried us and says "Now I'm rich many more things are possible"
! This offer is 100% legal ! So make yourself rich now by ordering immediately !
Sign up a friend and you'll get a discount of 60% . Best regards !

----------------------------------------------------------

(c) Benton Foundation, 2001. Redistribution of this online publication -- both
internally and externally -- is encouraged if it includes this message. Past
issues of Digital Beat are available online at
http://www.benton.org/DigitalBeat. The Digital Beat is a free online news
service of the Benton Foundation's Communications Policy Program
(http://www.benton.org/cpphome.html).

This email was cleaned by emailStripper, available for free from
http://www.printcharger.com/emailStripper.htm

-- 
Terry W. Colvin, Sierra Vista, Arizona (USA) < fortean1@mindspring.com >
     Alternate: < terry_colvin@hotmail.com >
Home Page: < http://www.geocities.com/Area51/Stargate/8958/index.html >
Sites: Fortean Times * Northwest Mysteries * Mystic's Cyberpage *
   TLCB * U.S. Message Text Formatting (USMTF) Program
------------
Member: Thailand-Laos-Cambodia Brotherhood (TLCB) Mailing List
   TLCB Web Site: < http://www.tlc-brotherhood.org >[Vietnam veterans,
Allies, and CIA/NSA are welcome]


This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 08:11:46 MST