Judging by the claims and the code, this is a tool created by someone who hasn't read any prior research about steganography. If you trust this, don't be surprised when law enforcement detects that you're using it.<p>I'm surprised to see someone of Bram Cohen's caliber releasing something like this. No one has any business coding security tools unless they've taken time to read forensics whitepapers to look for reasons why their tool won't work. And this tool certainly won't work.<p>The goal of steganography is to hide the fact that you've transmitted messages. The longer the message, the harder that becomes. This may be suitable for hiding a few bytes, but no useful message is going to be a few bytes, unless it's something like a decryption key (and hiding a decryption key using stego would be crazy). This doesn't solve the problem of "law enforcement wants to know what your decryption keys are, because they've detected you're encrypting data." The whole point of stego is to avoid that scenario.<p>Anyone who's interested in steganography should start here: <a href="http://www.cl.cam.ac.uk/~rja14/Papers/jsac98-limsteg.pdf" rel="nofollow">http://www.cl.cam.ac.uk/~rja14/Papers/jsac98-limsteg.pdf</a> ... No one who reads that whitepaper and understands its implications would take this tool seriously.<p>EDIT: To clarify: a message as short as ~50 bytes can often be detected, depending on the stego implementation, because even that is enough to cause statistical anomalies in the covertext which indicates that an encrypted message is hidden in the covertext. So I'm not talking about detecting images or videos sent via stego; just encrypted plaintext messages.
Here's another fun steganographic tool: <a href="http://www.spammimic.com" rel="nofollow">http://www.spammimic.com</a><p>Hide messages in SPAM Text:<p>Dear Decision maker , We know you are interested in
receiving amazing intelligence . This is a one time
mailing there is no need to request removal if you
won't want any more . This mail is being sent in compliance
with Senate bill 1625 ; Title 4 ; Section 302 . THIS
IS NOT MULTI-LEVEL MARKETING ! Why work for somebody
else when you can become rich as few as 33 days . Have
you ever noticed people love convenience and more people
than ever are surfing the web ! Well, now is your chance
to capitalize on this ! WE will help YOU decrease perceived
waiting time by 190% and increase customer response
by 150% . You can begin at absolutely no cost to you
. But don't believe us . Ms Ames of Washington tried
us and says "I was skeptical but it worked for me"
. We assure you that we operate within all applicable
laws . We implore you - act now ! Sign up a friend
and you get half off . God Bless !
Stenography is one of the NSA's worst nightmares. Encrypted strings sent over the Internet they know are encrypted, and often know what algorithm and key length. But the fact that any image can contain an encrypted message, and there's know way to know whether or not something exists within, scares the shit out of them.<p>So, good work.
I would have liked to have seen some references to the research in the field in the explanation or comments. I wrote something like this around 15 years ago (<a href="https://github.com/tokenrove/steaghan/;" rel="nofollow">https://github.com/tokenrove/steaghan/;</a> horribly broken, do not use) but quickly abandoned it when Niels Provos started doing much more sophisticated stuff (<a href="http://www.citi.umich.edu/u/provos/stego/" rel="nofollow">http://www.citi.umich.edu/u/provos/stego/</a>).<p>Since then, there has been a fair bit of really interesting research in the field; I recommend anyone interested read Peter Wayner's book Disappearing Cryptography. Might be a good place to start for enhancing this provocatively named framework.
I feel like this is a good place to mention a similar project which aims to circumvent deep-packet inspection with some cool encoding techniques. It can even be used as a Tor plugin!<p><a href="https://github.com/kpdyer/fteproxy" rel="nofollow">https://github.com/kpdyer/fteproxy</a>
<a href="https://fteproxy.org/" rel="nofollow">https://fteproxy.org/</a>
<i></i>Q. Why did you use Python3 as a reference language?<i></i><p><i></i>A. Because not having distinct binary and unicode string types is barbaric.<i></i><p>Well played.
This isn't really a "censorship resistance" tool as it is a steganography tool. You can still be censored if your internet access is cut, or you have no way to publish your message.
It's been a long time since I've done work in infosec related things, so I apologize if I'm way behind on...things.<p>I remember in school a million years ago we discussed an algorithm of the following type for sending short covert messages.<p>1. Negotiate cipher/mapping for where to look for hidden information
2. A wants to send B message "Let's get drinks @ 9 @ Bill's" -- instead of inserting this into some random file, he instead maps to the cipher/mapping area and then iteratively searches for images/texts that are closest possible matches in those bits to his message.
3. Ideally, given access to enough cover files and a short enough message, he has an EXACT match. A sends B picture of puppies with NO bit twiddling. B knows to meet at the pub.
I love the question in the FAQ:<p><pre><code> Q. Why can't it be given more than two alternates for one position to encode more information?
A. Because of math. See Explanation.txt for a bit more detail.
</code></pre>
<i>Because of math</i> hilarious
Steganography has a bad reputation because the only tools publicly available are worthless. Not one is both secure according to Kerckhoffs's principle and secure against statistical analysis. I hope to change that by releasing an implementation of a new algorithm I have developed, sometime in the new year. If you are interested in reviewing the algorithm and code when it is released, feel free to follow my blog.