1994-02-14 - Re: alt.steganography

Header Data

From: qwerty@netcom.com (Xenon)
To: cypherpunks@toad.com
Message Hash: cbf65e10c9830a792f0981042be0368d3ac5f1c2d5480b8b0e032dfb3b5654b7
Message ID: <199402141932.LAA15176@mail.netcom.com>
Reply To: N/A
UTC Datetime: 1994-02-14 19:41:30 UTC
Raw Date: Mon, 14 Feb 94 11:41:30 PST

Raw message

From: qwerty@netcom.com (Xenon)
Date: Mon, 14 Feb 94 11:41:30 PST
To: cypherpunks@toad.com
Subject: Re: alt.steganography
Message-ID: <199402141932.LAA15176@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Tim May wrote,

>(And why not, by the same logic, also create alt.random.numbers,
>alt.dining.cryptographers, alt.remailers, alt.digital.money,
>alt.voice.pgp, and so on? All of these are of about the same
>importance as stegonography. Probably more so, as stegonagraphy is
>inherently limited by it being "security through obscurity," which
>typically doesn't last very long. Like invisible inks and
>microdots--the two compelling examples of past stegonagraphy--once the
>secret gets out, the technique rapidly fades in significance.)

The whole point is that with Stealth-PGP, you don't need the "obscurity"
part. It doesn't matter if people know the Cypherpunks are using steg.
But as it is now, with current PGP, using steg is detectable using
automated methods, something Clipper will allow. The equivalent of
invisible inks and microdots aren't what I'm talking about. I'm talking
about sending messages right out there in public, in which your encrypted
message is masquerading as noise in the carrier message, and in which
nobody can prove that that noise IS a message unless they successfully
decrypt it, only possible with the right secret key. How better to render
the Clipper chip an insignificant worry?

>Cool your jets, Xenon! :-}

I try. I crank down a beer and get enough sleep, and yet a certain
fanatical drive remains. Hasn't exactly hurt me much, in fact it's
gotten me quite far in this world ;-).

I think it's time to fire up all of our jets, and happily yours were
fired up too, with your "Sabotage of Clipper" posts here. My point
is, Stealth-PGP combined with a steganograph is the technological
way to "sabotage" Clipper. It REALLY is. Think about it. But it's just
that like you said, most people are struggling just to understand
how to use PGP. What I attempted to do was get those people to at
least understand what steganography was, and how current PGP
will allow random Info Superhighway spot-checks for the soon-to-
be-banned use of real encryption. How can they hope to outlaw PGP,
if they can't even figure out you are using it?

>...cf. my post in 1988 in sci.crypt on the LSB method...

Could someone send me this (Hi Tim), as I only got a modem in '93,
five years after the post. Actually with the rate of growth of the
internet, MOST people out here haven't seen that post.

>> There's quite a few serious programmer types who want to create
>> steganographic software. I've gotten quite a response to my "announcing"
>> Stealth-PGP on Usenet. The person who gets credit for coming up with
>> the name "Stealth" instead of my boring "VGP" says he has changed plans
>> and hopes to offer an external utility to strip and later restore any PGP
>> message. For the newbies, this isn't just removing the "-----BEGIN..."
>> header and footer!

> Maybe I'm revealing myself as one of the "newbies," but what do you
> mean here? Headers and footers all look the same, meaning they are
> apparently uncorrelated to the contents (carry no information). I
> agree that not having them introduces other problems (knowing which
> bits to treat as the PGP message, as above).

The "headers and footers" are trivial to remove and restore, so they
aren't the important thing to strip off and later restore. It's the hidden
headers and footer WITHIN any PGP message, binary or ascii, that need
to be stripped and later restored. Then steganography is SO much more
useful. See pgp.format in the PGP documentation. I'll just say, ideally
with such a utility, or updated form of PGP, you could send an encrypted
message using steg, or even without using steg, and nobody who wasn't
willing to spend some serious time looking into the matter could nail you
for sending an encrypted message. "Sufficiently advanced communication
is indistinguishable from noise."

The problem with knowing WHICH bits to treat as the message is a
technicality. The simplest is to make the carrier exactly the right size!
You can put padding WITHIN the Stealth-PGP message if you want. And
this is only the most simple-minded solution.

>I'm not sure who your source was, but be advised that the term
>"Stealth PGP" was in use at least a year ago....I heard Kelly Goen or
>Phil Zimmermann refer to a future version of PGP with this name. Not
>that it really matters a lot, but you ought to be aware that the
>designers of PGP were aware of the issues you have raised
>recently. Only so much time to get everything done, though.

"Nobody can be so amusingly arrogant as a young man who has just
discovered an old idea and thinks it is his own." - Sydney J. Harris

I've been actively reading alt.security.pgp for a year now, and the
ONLY time this was mentioned was when I asked about it last year.
Very little interest was generated. And given the lack of response
of the PGP development team to potential USERS voicing their needs,
I think getting the general population of PGP users to know enough to
ASK FOR Stealth-PGP, will go a long way in getting the developers to
stop putting this on the back burner.

Be advised that the person who in the end gets credit for coining a
term gets credit for coining a term ;-). If be it lost in some old post,
and I've never seen PRZ post to Cypherpunks or alt.security.pgp in
the last year, then I get the Pulitzer, since mine got noticed. Yes, I think
many of the PGP developers realize a need for Stealth-PGP, but I also
think with good justification, that they could use a bit of a push. A bit
of an eye-opening about how Stealth-PGP could be the "Underground's
answer to the Clipper chip."

>...
>jaded in the face of Xenon's obvious anxiousness to get rolling.  It's
>just that Romana M., for example, put a _huge_ amount of effort into
>her Stego program...and it was not met with cymbal crashes of
>enthusiasm, either by folks on this list or outside. I suspect this is
>because, when you get down to brass tacks, stegonography is just a
>backwater of crypto (to mix some metaphors horribly). Once you've
>played around with it, what do you actually _use_ it for?...

That's because PGP tattles on itself, and Stego can be reversed by
anyone.

Mind shift needed. Think think think. You use it for.... Defeating the
Clipper chip. See, they are going to outlaw real crypto soon. I liked the
point about how Denning's secret need for the Clipper as being the use of
the NSA as an ECONOMIC spy agency, not just for terrorist types. They
want to spy on SONY! Now you're talking billions of dollars at stake, for
if economics isn't part of "national security", what is? Those kind of
forces lead to the common man's rights being forfeited.

"Encryption Always Wins" (Who said that?). But only if your encrypted
messages can only be shown to BE a message by successfully decrypting
it. Here stegonography becomes crucial, NOT to "hide the message", but
to give you an EXCUSE for sending random-looking blocks of data.

>I happen to agree that transmitting bits in the LSBs of sound and
>image files gives "plausible deniability" to users of crypto. Work
>should continue on this. I just don't see much urgency for getting
>the capability widespread _right now_, especially not when the
>practical difficulties of using PGP (discussed many times) mean most
>of us are rarely using it at all!

Well, _right now_, I seem to notice that these guys in suits in Washington
are arranging that they have the tools needed to smart-search not just
the internet but ALL electronic communication for PGP messages. Then
your name goes on their "crypto subversive" list, and the computer starts
logging WHO you are talking to, and then 1984 has arrived. This is happening
_right now_.

>Plenty of higher priority projects, in my opinion.

Those projects, at least those that relate to Clipper, seem to be politically
oriented. "Sabotage Clipper", "Call you reps", "Join EFF",
"Get more to use remailers and PGP". These are great, but if you step
back and look for what acts will have true historical significance,
Stealth-PGP alongside a nice Plug-and-Play steganograph looks to me like
what's going to make it into the history books, and is what will have the
most damning effect on those pushing their silly Clipper chip on us.

The other point, crucial in my mind, is that getting large numbers of people
to use PGP becomes much less important if you have Stealth-PGP and a
steganograph. Then in effect they are still helping you obtain "obscurity",
but all they need to do is send ANY digital message that has noise in it.

There's a paradigm-shift needed here. When it clicks into place in one's
mind, you will see why I am so adamant about Stealth-PGP, for rather than
being a back-burner project, it is THE very thing that is most important
for the defeat of Big Brother's Clipper chip and his wiretap proposals. It
REALLY IS a "Stealth" technology. I'm sure there are already thousands in
repressive countries who need it NOW, and if you don't call the USA a
repressive country as well, I've got a burning Constitution and Bill of
Rights for you burn your hands on.

You can nit-pick specific details and problems with the idea, but that's
why I proposed alt.security.steganography. I think we could make this
thing fly. Maybe steganography isn't even the right word however! I'm not
talking about hiding a plaintext message on an electronic microdot.

>My advice is to discuss it here, or on sci.crypt. If the volume is
>consistently high for at least several months, that's the time to
>think about creating a special group or list for it.

Message received.

 -=Xenon=-



-----BEGIN PGP SIGNATURE-----
Version: 2.3

iQCVAgUBLV+JjgSzG6zrQn1RAQHSSgP/cL61D/OwM4VHfk9aL7LC+JC0kDxdHwRQ
4/MxFd66EVXONCnYSRxTE8WRJsuNdOGTzDW2L43cMNeik3/jZd9vdb3pn7YibrSN
2Z+8qKfeKAvJMLNkIZ3xGz6/radp0gjHpU6/raIi33yGwCn1au3yRcoP7iy1yDHa
i1GKC3E2T54=
=6bwj
-----END PGP SIGNATURE-----





Thread