Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Encryption

Steganography with Flickr 126

Posted by CmdrTaco from the you'll-just-have-to-look-harder dept.
yiangocy writes "Steganography is not something new, there have been techniques and available programs for hiding data in pictures/audio files for a long time now. However, one step further is using popular online photo sharing sites, such as Flickr in hiding your data, successfully."
This discussion has been archived. No new comments can be posted.

Steganography with Flickr More

Steganography with Flickr

Comments Filter:

  • Never a more apt Message (Score:5, Funny)

    by hawkeye_82 ( 845771 ) on Sunday August 21, 2005 @09:08AM (#13366255) Journal
    Nothing to see here. Please Move along.

  • not very groundbreaking (Score:5, Interesting)

    by towaz ( 445789 ) * on Sunday August 21, 2005 @09:10AM (#13366258)
    Not exactly a new idea, goverments have been paranoid of "Terrorists" using stego on places like ebay for triggers.

    More interesting projects, though off topic slightly; a method of obscuring your network communications and resolving key issues with stego (though I think the project stopped)
      http://www.m-o-o-t.org/ [m-o-o-t.org]

    They is also much more interesting uses for stego. in files, hdd slack space and this nice little project 4c.

    http://dione.ids.pl/~shykta/ [dione.ids.pl]

    4c (or fourcrypt) is a multiple-file steganography program inspired by Michal Zalewski's twocrypt (2c) program, designed to be "subpoena-proof". It supports mixing between one and eight files with independent keys. The files are architecture-independant (tested on x86 and UltraSparc).

  • Wouldn't it be a lot easier to send the images to a gmail account?

    --
    Dreamhost [dreamhost.com] superb hosting.
    Kunowalls!!! [kunowalls.host.sk] Random sexy wallpapers.
    • Depends on who you think will go out of business first.

      Flikr (Yahoo!) supports bulk uploads - the whole process could be easily scripted, ditto gmail. So this issue is: who do you feel will be around for the long term? Heck - double up your backups and store data on gmail and>/b flikr.

    • Re:Gmail? (Score:3, Informative)

      by Gudlyf ( 544445 )
      Easier? Sure, but a Flickr Pro account has unlimited storage.

    • Re:Gmail? (Score:3, Informative)

      by TheRaven64 ( 641858 )
      No. Sending to a gmail account is directed. If the receiver or sender is compromised then they can quite intercept the message. It may take them a while to decrypt it, but since they already know it's there then it's possible. Even if an attacker does not understand message, they gain information from the timing of it and the recipient. Posting to a flickr account means that it is impossible to track the recipient. Posting a random picture every day, eventually including a message, means that it is ve
      • So you create a separate gmail account that you share the user id and password with a bunch of people. You send to that account emails with attached jpegs, which contain the nefarious files embedded with steg-hide. Google knows the IPs that accessed the account, just as Flikr knows the IPs that accessed their images, but that's all.

    • Re:Gmail? (Score:3, Funny)

      by sanx ( 696287 )
      Would open up a whole new advertising channel for Google, wouldn't it:

      From: Joe
      To: Michelle
      Subject: No stego here
      <attachment: cutedoggy.jpg>

      Adwords by Gooooooogle
      Terrorists are using the Internet to send secret information.
      www.paranoia.gov

      Can't find your WMDs? Buy some more
      www.dod.gov

      Suspicious emails? Let us examine them
      www.noprivacy.gov

      Looking for Cute Doggies?
      www.sexwithcutedogs.com

  • I'm against this (Score:2, Interesting)

    by Ckwop ( 707653 ) *

    So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.

    Flikr could probably detect the changes anyway. When you do stego on Jpegs you do it by altering the coefficients on the waveforms. The problem is these coefficients usually conform to a gaussian distribution and by packing so much data in to the jpeg you're going to screw up that distribution.

    To hide truly undetectable data in there is going

    • Re:I'm against this (Score:5, Funny)

      by LiquidCoooled ( 634315 ) on Sunday August 21, 2005 @09:20AM (#13366296) Homepage Journal
      Post Removed

      I'm Sorry, the posting you just made is against the Slashdot posting terms.
      We believe you are a terrorist trying to hide data within your non-conformist post text.

      After a detailed analysis of the contents of your posting, the waveform coeficients do not conform to standard slashdot thinking, more precisely, your posting failed to contain the phrases "first post", "in soviet russia" or "hot grits".

      Please remove the hidden message and try again.
    • So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.

      It depends, doesn't it. If the hidden data is a picture, I don't think it's against the terms.

      • Re:I'm against this (Score:1, Informative)

        by Anonymous Coward
        Instead of speculating, why not actually read the terms of service [flickr.com]? It reads like it they picked up a lawyer from the $3.99 bin, which is not entirely surprising since terms of service are rarely enforceable anyway.

        The only real "term of service" worth reading is "We reserve the right to refuse service to anyone for any reason at any time." Everything else in that document is just preamble, really.

        My guess is it comes down to how much they care.

    • What if someone else runs the data through stego to see if something is hidden. That way anybody can find the hidden data.
      Ok, you can password protect it, but how good is stego in that? If gets really interesting to see if that is hackable.
      • What if someone else runs the data through stego to see if something is hidden. That way anybody can find the hidden data.

        Programs like Steghide [sourceforge.net] (the one used in the article) need the correct passphrase to even detect the existence of hidden data. Enter a wrong passphrase, and Steghide will tell you there is no embedded data.

    • Re:I'm against this (Score:2, Insightful)

      by nucal ( 561664 )
      Rather than worry about trying to detect stegnography, any image posting service could just arbitrarily set all of the least significant bits of jpgs to "1" as part of the image posting process. It might slightly degrade the image, but it would also erase any potential encoded messages.

      • Re:I'm against this (Score:5, Informative)

        by Ckwop ( 707653 ) * on Sunday August 21, 2005 @10:06AM (#13366429) Homepage

        Rather than worry about trying to detect stegnography, any image posting service could just arbitrarily set all of the least significant bits of jpgs to "1" as part of the image posting process. It might slightly degrade the image, but it would also erase any potential encoded messages.

        Not really, the best stego packages use error correcting codes to help mitigate this kind of attack. Some stego packages don't work by using the LSB but by swapping adjacent pixels. The cleaning of the LSB would have no real impact on this type of stego.

        Simon

        • Not really, the best stego packages use error correcting codes to help mitigate this kind of attack. Some stego packages don't work by using the LSB but by swapping adjacent pixels. The cleaning of the LSB would have no real impact on this type of stego.

          Sounds right to me. I wrote a stego app that just modifies bitmaps in a very obvious way [sourceforge.net], and it would certainly be defeated/corrupted by changing some of the bits (in fact, that's why I didn't feel qualms about posting it), but some of the the best open [freshmeat.net]

        • How about if they ran it through an image filter like "sharpen" or "unsharp mask"?

          • How about if they ran it through an image filter like "sharpen" or "unsharp mask"?

            I couldn't tell you exactly how they work but I know there are algorithms that can maintain the integrity of the data even when the image is resized, cropped, sharpened, blurred etc.

            Broadly, they work by changing more visible aspected of the image that aren't easily destroyed by these operations. The technology is used extensively in digital watermarking, where the watermark must survive all kinds of abuse.

            Unfortuan

    • Re:I'm against this (Score:3, Informative)

      by chronicon ( 625367 )
      So basically they're showing you how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.

      Why would this be immoral? There has been a lot of noise about possibly violating the TOS but has anyone actually bothered reading them? (There are two, one for pre-Yahoo! accounts and one [yahoo.com] for Flickr after aquisition by Yahoo!--which everyone will be required to abide in 2006.)

      Both TOS say pretty much the same thing. You are responsible for y

  • That data is not necessarily secure, however; if someone were to decrypt one of the files and you didn't use encyrption on it, your data would be their data. Also, perhaps there's something in the TOS for Flickr that says something about use of their site fofr purposes other than storage of images. I don't know, just a thought though...

  • again? (Score:4, Informative)

    by thegoogler ( 792786 ) on Sunday August 21, 2005 @09:16AM (#13366279)
    you guys linked another wikipedia article on the front page without notifying them so that it could be locked

    owell, its probably goatse now, you guys should just put (NSFW) after all wikipedia links.

    • That's true of all open wikis though (and the software that wikipedia uses doesn't allow group access control so they're stuck with leaving it wide open).

      You could say the same about google linking to it...
      There's a nonzero chance that it'll be a page full of links to porn sites.. if you don't want to risk it don't click on links to wikis.

    • Re:again? (Score:4, Insightful)

      by imsabbel ( 611519 ) on Sunday August 21, 2005 @09:45AM (#13366371)
      Yeah yeah.
      Besides the usual trolling, there is some truth in the parent.

      Maybe just put a link to the (then current) revision, and not to the general article? That way, everybody will get the same article that excisted before the ./ story went online.
    • Even if you had notified "them" (I assume you mean the admins) the article wouldn't have been protected preemptively. Only if the article receives a lot of vandalism will it be protected. Looking at the history http://en.wikipedia.org/w/index.php?title=Steganog raphy&action=history [wikipedia.org], the vandalism isn't too bad yet. If every time some refers to wikipedia an article has to be protected, then wikipedia has some serious problems in its future.

  • nothing to do with Flickr (Score:5, Insightful)

    by Petronius ( 515525 ) on Sunday August 21, 2005 @09:20AM (#13366294)
    This is an interesting article, but it has nothing to do with Flickr, except for the fact that instead of saving the images on a local device, this guy uploaded them to Flickr.
    Yaaaawn, -1: misleading.

  • So THAT'S where the WMD are... (Score:5, Funny)

    by Anonymous Coward on Sunday August 21, 2005 @09:25AM (#13366312)
    Saddam's Weapons of Mass Destruction have finally been found inside pictures! Call Fox STAT!

  • stegnography in Mona Lisa (Score:5, Funny)

    by woverly ( 223564 ) on Sunday August 21, 2005 @09:27AM (#13366325)
    A couple of years ago newspapers and network news showed the cabin layout of a 747 shown inside the Mona Lisa, supposively used by terrorists. What supprised me was how little attention was payed to the fact that nobody was giving credit to Leonardo da Vinci for inventing the 747.
  • I've not used Flickr myself but if it's like several other web based gallery systems I've known they all resize and resample the uploaded images to fixed sizes, the original file is then usually deleted. This means the data making up the image will have changed destroying the encrypted data.

  • Hiding in the spam (Score:4, Insightful)

    by S3D ( 745318 ) on Sunday August 21, 2005 @09:44AM (#13366367)
    Other similar techincs is hiding messages so it looks like a spam http://www.google.com/search?hl=en&lr=&q=hiding+me ssages+using+spam&btnG=Search [google.com] I've even read an article (can't find link right now) analizing some samples of the actual spam and concluding that they in fact used as an encripted communication medium by spam originators.

  • Steganography?? (Score:1, Funny)

    by Anonymous Coward
    Dinosaurs could write? And in code? Boy, they must have had one heck of an intelligent designer.

  • Movie Plot Vulnerability (Score:5, Insightful)

    by Mr_Icon ( 124425 ) on Sunday August 21, 2005 @10:08AM (#13366433) Homepage
    Ho-hum. There are much better ways to back up your data for $25 a year.

    This is a general "this can be used by terrists!" freak-out. Well, you know, this is an awfully stupid and ineffective way to pass information -- something Bruce Schneier likes to call "movie plot" vulnerabilities. Why bother with steganography when there are much better means to pass encrypted data between two people? Like, I don't know, DCC'ing a file over IRC, or just plain sending an email? If you own both the sending and receiving servers, or use one of the infected army of the drones, there is a miniscule chance of your message even being observed in the ocean of the information that is the internet. Much less stupid than using a complex routine to hide data in an image, and then upload it to a central service like Flickr for all to see (it shows up immediately in the "recently uploaded" pool).

    This is a fine idea for a movie plot, but utterly dumb for someone to actually try this. Thus, I assign the article a -1 Troll.

    • If you own both the sending and receiving servers, or use one of the infected army of the drones, there is a miniscule chance of your message even being observed in the ocean of the information that is the internet.

      Notice the word 'if'. If you *do not* own both the sending and receiving servers the story is different. For instance if you do not know where your agents are, who they are or when they are on line. The GIA once used an open for all mailing list (or was it usenet?) on football to send orders

      • Moreover, it helps protect the identity of the receiver of the message. If you encrypt a message and upload it to, say, a .binaries usenet group, then thousands of computers all over the world will be downloading the message. It becomes practically impossible to find out which one of the thousands (or millions if it's a nudie group :-) of receivers are the enemy agent, even if the sender and/or the message themselves get compromised.
        A direct connection, on the other hand, provides a handy place in which to

        • It becomes practically impossible to find out which one of the thousands (or millions if it's a nudie group :-) of receivers are the enemy agent, even if the sender and/or the message themselves get compromised.

          How could I not mention this story in my first post. It was your posting that reminded me of it:
          A couple of years ago a Dutch blackmailer [interesting-people.org] hid the ransom payment by steganography on an extremely busy public website. Of course police checked all the weblogs, and traced the one entry that had gone thro

  • stenography is easy.

  • I'm not sure I like the idea of offering up all my data to the public saying, "here, have a go at cracking this, you have the rest of your life to try - or wait for some undiscovered vuln". Especially when it seems so easy to check if a file is hidden in there (steghide info on 1000 jpegs?)
  • If you want to upload files for free, use http://www.gigashare.com/ [gigashare.com] or http://www.megaupload.com/ [megaupload.com]. They are much faster than uploading modified pics to Flickr. Encrypt the file if you wish.
  • Somebody has the job of searching alt.binaries.pictures.erotica.blondes all day for steganographs. Nice work if you can get it.
  • some little naive decided to have fun with some of the words in the article. oh how cute to insert the word penis , oh my god grow up already. as for wiki do you really trust a info source that is so easilly hacked?

  • A much better solution (Score:4, Funny)

    by mdarksbane ( 587589 ) on Sunday August 21, 2005 @12:02PM (#13366807)
    Would be to zip all your files together, encrypt them, then share them on Kazaa as "hot XXX teen pporn pr0n tryout mother daughter incest dog sex sex sex.avi." You data will never be lost completely ;-)

  • Steganography in recent fiction (Score:5, Interesting)

    by sidles ( 735901 ) <jasidles AT gmail DOT com> on Sunday August 21, 2005 @12:15PM (#13366844)
    Steganography is central to Carter Scholz's recent novel Radiance. In brief, complete engineering descriptions of all US nuclear weapons tests are smuggled out of the US national labs, steganographically conceiled in pornographic *.gif files.

    Warning: this novel is a demanding read. It is a higher-brow---and markedly dystopian---treatment of the same themes as Neil Stephensen's Cryptonomicon. In writing it, Mr. Scholz seems to have received considerable help from insiders at the national laboratories.

    With luck, the following link to Google Print will show you a sample page that is reasonably representative of the entire book.

    http://print.google.com/print?id=kVP7pIA9TYUC&pg=P A382&lpg=PA382&dq=steganography&prev=http://www.go ogle.com/search%3Fclient%3Dsafari%26rls%3Den-us%26 q%3DRadiance%26ie%3DUTF-8%26oe%3DUTF-8&sig=-uyML9j p9G4JsUZOCa59fPI6YpM [google.com]

  • we need humint, not sigint (Score:3, Insightful)

    by danharan ( 714822 ) on Sunday August 21, 2005 @12:23PM (#13366863) Journal
    So bad guys can communicate through even more opaque channels. Woop-dee-doo.

    The too-often referenced 9/11 attack was not a failure of signals intelligence. Secret services whose job it is to capture communications did their job in this regard.

    Information was not translated and/or acted upon.

    Getting more sigint will lead to a panopticon society, without actually resolving the fundamental problem of our lack of human intelligence.
    • "...without actually resolving the fundamental problem of our lack of human intelligence."

      Amen!

      In spite of all efforts to thwart the creation of the 9-11 Commission, and then to stonewall on making available government files regarding "who knew what, and when" to the Commission, the truth slowly but surely does surface eventually. Not only did the FBI have information on some of the 9-11 highjackers taking commercial aviation flight instruction pre-9-11, but it also turns out that DoD intelligence had pinp
  • After looking at millions of EBay images and USENET images for possible steg content, Niels Provos and Peter Honeyman found [xtdnet.nl] a grand total of ONE image with steg content "in the wild". That image was used by ABC News in a piece about.....steganography. Using Flickr represents no new threat vector. There really is nothing to see here. Oh, BTW, all the hip terrorists are Podcasting their stego. It's ueber-7eet!
  • You could use this to prove someone took your image and reposted it, possibly claiming it as his own. Personal and professional photographers and media outlets could really use this.

  • Stegdetect (Score:3, Interesting)

    by BCTECH ( 540338 ) on Sunday August 21, 2005 @02:40PM (#13367447) Homepage
    I ran the image through stegdetect [outguess.org] and it came up with a "false possitive". This utility detects images encoded with jsteg, jphide, invisible secrets, outguess, F5(header analysis), AppendX, and Camouflage. Although, steghide is not listed, I have found that false possitives are shown with images that I know to have an embeded file.

    I played around with steganography at one time and setup a script to create embed images [fea.net] via the web using Outguess [outguess.org]
  • We've been doing photo sharing for a few years longer than Flickr, and had this problem for a while. We ended up writing some filters which score suspicious-looking jpeg files (things like image dimensions vs filesize for one).

    It wasn't uncommon for us to get a 200x200 jpeg which was about 10M in size, and find RAR headers in it. Given the volume of photos submitted it's a bit hard to scan everything but we score it and it works 99% of the time.

    Of course, there's the pillocks who'll upload a photo called "w
  • From TFA:
    So should you embed a file within a JPEG image, for example, the casual observer would only see the image and perhaps only notice something odd due to the image's file size.

    So what? I can bloat a file with no visible benefit? Been doing that for years.

    Clippy: "It looks like you're trying to cram 24kb of text into a 3.2Mb .doc file. I can help!"

Slashdot Top Deals

"Oh what wouldn't I give to be spat at in the face..." -- a prisoner in "Life of Brian"

Close