This could be a cool way to visually "encrypt" messages. They're readable, but only by the correct tool. I wonder how these squiggles might be creatively arranged steganographicly in an image and still be "read" by the OCR tool.
Correct me if I'm wrong here, but that just seems like reinventing crypto with a large key, and requires you to implement a counterparty-provided algorithm, which could be malicious.
Believe it or not, there's still a lot of utility in putting encrypted messages on physical things (pieces of paper). One time pads work well for this, but imagine if the recognition algorithm was altered in different ways effectively acting as a key s.t. you had to have a similarly altered recognized on your side to see it. Yeah it's symmetric crypto in that sense but you can physically hide all kinds of stuff or divide up the message between different couriers or do other stuff in ways that are a bit unlike digital crypto. The simple fact of a message being the physical object might be enough to confuse an eavesdropper.
Or the message itself could also be encrypted with a more secure system, but then physically presented in an open area so that somebody with a tuned recognizer can get the encrypted data to later decrypt digitally.
The FBI didn't know about it until after she was caught. So believe it or not, Steganography _works_. If you're trying to hide the fact that you're a spy, encrypting all of your messages over TOR is a bad idea.
On the other hand, if you pretend to be a normal person and embed secret messages in your Facebook posts, you can be a spy for years and not get caught.
I think one of the reasons stego works is because of the sheer amount of data being generated and shared in the modern world.
It's kind of a blessing and a curse for spy agencies. On the one hand, they love to collect data, and the more the better, since with more data to analyze, they can potentially learn more things. But the more data there is, the more computing power they have to throw at it to make sense of it.
So it's really not surprising that data can be hidden from spy agencies (possibly by relatively primitive means even), because they probably don't have the computing power (vast as their computing power is) to effectively run every possible detection algorithm and all their highly sophisticated (and probably computationally expensive) steganalysis software on so much data.
Videos, since they are so huge compared to other media files like text or audio, have always seemed like an ideal medium for stego to me. Of course, it's more difficult to preserve one's hidden data on sites like youtube that re-compress the videos that get uploaded to them, but any site that hosts original videos unmolested should be ripe for stego.
>Steganography is solidly a "security through obscurity" thing.
Right, but that means it inherits all the problems of security by obscurity, like it breaking as soon as the public knows the technique, which they do now.
My other point was that this seems to be equivalent to traditional stego solutions but with a key size equal to the algorithm size.
(And I'm not sure why merely asking about they key size problem and obscurity problem hurt the discussion enough to get hammered so hard...)
> Steganography is solidly a "security through obscurity" thing.
I never really understood why is it so.
Encrypted data must be indistinguishible from random, thus, if you replace any random projection of a file with your data, the result should be completely unrecognizable. It shouldn't really matter if your algorithms are public.
Is the problem that it's hard to get random projections from modern data? If so, why not use older formats?
I think "random projection", as used by the parent, can be things like "low bits of the pixels in this image". If the color depth provides greater resolution than the sensors, then you can expect to have some random data implicit in the image that it would be possible to change in ways that could be provably undetectable.
A tremendous caveat is that when we find ourselves shipping around lots of meaningless random bits, we often quickly reach for lossy compression that doesn't faithfully reproduce those bits, and that can break the scheme.
From what I understand, ideally stego would be used in conjunction with encryption.
First, you would encrypt your message, then you would use stego to hide it.
If the stego is good, it would be a computationally intractable problem[2] for your adversary to determine whether there was indeed a message hidden within the data they were analyzing, with greater than 50% accuracy.
That said, I'm not sure how practical using an application like this would be for stego. It does not "whiten" the data it tries to hide, so unless the data's already whitened, it could potentially stand out like a sore thumb when subjected to steganalysis. And how would you propose actually using this?
This does present some intriguing possibilities, however, like maybe having Alice and Bob share a tweaked version of an OCR library and having Alice generate random images until her encrypted message has been "encoded" in such a way as to be recognizable by the tweaked OCR library that she shares with Bob. The tweaking of the library's character recognition parameters could be a sort of pre-shared key, and would not be available to Eve (the adversary).
[1] - this post comes from a hobbyist, not from any kind of security researcher, steganalyst, cryptoanalyst, etc. So please take what I say with a grain of salt and please correct me if I'm wrong.
[2] - "computationally intractable" being different for different adversaries, of course, which is one reason you need a good threat model.
This is a good idea! The problem with these squiggles is that they look abnormal and would draw attention. It would be interesting if these can be tweaked somehow so that they are still bot readable but can also be interpreted as patterns by humans.
Take handwriting, the more illegible the better. Then use a genetic algorithm where the fitness function is trying to find as small a perturbation as possible to the input such that the output is recognized as the letters you want.
