Privacy

Concepts

Crypto Software

Digital Money

Keys & Servers

Steganography

Anonymous Remailers

PGPfone

Zimmermann Legal Defense

CypherPunks

Pretty Good Privacy

Hiding something in plain sight

When looking through the contents of email (or files attached to email) it's easy to spot an encrypted message: it looks like complete gibberish which follows some well-defined format. Sending gibberish alerts the black hats that you've got something to hide (or at least keep from their prying eyes). Another level of the "game" is to hide the fact that you're sending encrypted messages. Steganography (literally "covered writing") isn't a new science, by any means. It has a long and colorful history.

Centuries ago messengers were shorn, and the message applied to their scalps. By the time they entered hostile territory their hair had grown back, and that they were concealing a message wasn't obvious.

One wonders how long after the first papyrus papers were created it was that someone started experimenting with invisible inks. (I remember many happy hours of childhood playing with lemon-based inks that appeared only when heated.) One writes a cover message to give purpose to delivering the paper, and then writes a hidden message in invisible ink "between the lines".

During the frenetic wartime activity during the Second World War, the microdot came into use. A secret message was photographically reduced to the size of a period, and affixed as the dot for the letter 'i' (or other punctuation) on a paper containing a written message. The fact of the transmission of a secret message was effectively hidden. (I remember many happy hours of childhood reading books about blind drops, folded newspapers, and the like.)

A famous steganographic episode occured when, in the 1960s, a photograph of several members of the crew of the U.S.S. Pueblo was released by their captors in order to demonstrate their cooperation. The seemingly-ordinary photograph contained a steganographic message: the hand positions of the crew members spelled the word "SNOWJOB" in sign language (c.f. "Deaf Culture"). (In colloquial American English a "snow job" means to figuratively cover up or blind someone to prevent them from seeing the truth.)

In 1979 I wrote a paper enumerating all the different elements purported to have been steganographically placed by the Beatles in their record albums to communicate the early demise of Paul McCartney, and his subsequent replacement by Billy Shears. (There were quite a few such "clues" discoverd by the enthusiastic. Sadly, I lost the paper many years ago. It would have been perfect for the web.)

The religious right still, from time to time, "finds" satanic messages hidden in records, targeted at the segment of the audience that plays their records backwards. (If one could play CD-ROMs backwards I'm sure we'd still be hearing about such nonsense today.)

Steganographic today

To use steganography today, you need to find a communication medium that uses lots of bits, where changing some of them wouldn't obviously alter the overt message. Hey, that sounds exactly like a digital image (picture).

An "8-bit" digital image, one capable of conveying 256 colors, uses 8 bits to represent one pixel, or picture element. (All the images you see on my web pages are 8-bit images.) It's not remarkable today to see an images that encodes thousands or millions of colors, where 32 bits are used to represent each pixel.

Putting a message in that 32nd bit wouldn't significantly (or even perceptably) alter the digital image. An 8-bit digital image that measured 480 by 100 pixels, the size of many web page banners, theoretically can hold 5000 letters of text. And that's a small image. A big 32-bit image could hold much, much more.

The message to be steganographically applied to a digital image doesn't have to be in plain text, it can be a PGP-encrypted missive. So you can have your encryption cake and send the results without others being aware of it. (There are, of course, methods of attack on steganographic messages.)

The message doesn't have to be a digital image; any "bit-heavy" transmission such as audio and video will do. (I wonder when we'll hear about the first satanic message embedded in a publicly-available audio or video stream; not long I'll bet.)