20 comments

[ 2.8 ms ] story [ 58.7 ms ] thread
Earlier use of whitespace coding: http://www.templetons.com/tech/proletext.html

... Invisible formatting information is embedded in trailing spaces and tabs on the ends of lines in an ordinary looking document. In addition, "blank" lines contain spaces and tabs with hidden formatting meanings. Assuming typical 60 column lines, one can have over 300 different codings on the end of a line without going past 80 columns. (Far fewer are needed.) On a blank line, almost a billion codings are possible.

Documents with invisible formatting always start with a magic line, which begins with "<SP><SP><TAB><SP><SP><TAB>" followed by version encoding. Thus documents can be spotted and formatted even without a Mime Content-Type header for this new text type. This otherwise useless combination of spaces and tabs on a blank line should virtually assure that random documents are not treated as formatted. ...

Whitespace is good, but with Unicode you can do even better by using invisible characters such as ZERO WIDTH SPACE (U+200B) and ZERO WIDTH JOINER (U+200D). I once made a proof of concept[1] using those two characters. It can converts arbitrary data into invisible text by using U+200B as bit 0 and U+200D as bit 1.

Most platforms (Twitter, Reddit, Hacker News) accepts those characters so you can paste invisible messages there. The illusion falls down as soon as you use a low-level text editor such as vim which marks exotic characters in a specific manner (by displaying their hexadecimal codepoint, as it happens). This is where whitespace can be more powerful, given its mainstream usage​‍​​‍‍‍‍​‍‍​‍​​​​​‍​‍‍​​​​‍​​​​​​‍‍​‍​​​​‍‍​​‍​‍​‍‍​‍‍​​​‍‍​‍‍​​​‍‍​‍‍‍‍​​‍​​​​​​‍‍‍​‍​​​‍‍​‍​​​​‍‍​​‍​‍​‍‍‍​​‍​​‍‍​​‍​‍​​‍​‍‍‍​​​‍​​​​​​‍​​​‍‍‍​‍‍​‍‍​​​‍‍​​​​‍​‍‍​​‍​​​​‍​​​​​​‍‍‍​‍​​​‍‍​‍‍‍‍​​‍​​​​​​‍‍‍​​‍‍​‍‍​​‍​‍​‍‍​​‍​‍​​‍​​​​​​‍‍‍​‍​​​‍‍​‍​​​​‍‍​​​​‍​‍‍‍​‍​​​​‍​​​​​​‍‍‍‍​​‍​‍‍​‍‍‍‍​‍‍‍​‍​‍​​‍​​​​​​‍‍‍​‍‍‍​‍‍​​‍​‍​‍‍‍​​‍​​‍‍​​‍​‍​​‍​​​​​​‍‍​​​‍‍​‍‍‍​‍​‍​‍‍‍​​‍​​‍‍​‍​​‍​‍‍​‍‍‍‍​‍‍‍​‍​‍​‍‍‍​​‍‍​​‍​​​​​​‍‍​​‍​‍​‍‍​‍‍‍​​‍‍​‍‍‍‍​‍‍‍​‍​‍​‍‍​​‍‍‍​‍‍​‍​​​​​‍​​​​​​‍‍‍​‍​​​‍‍​‍‍‍‍​​‍​​​​​​‍‍​​​​‍​‍‍​​​‍‍​‍‍​‍​​​​‍‍​‍​​‍​‍‍​​‍​‍​‍‍‍​‍‍​​‍‍​​‍​‍​​‍​​​​​​‍‍‍​​‍​​‍‍​​‍​‍​‍‍​​​​‍​‍‍​​‍​​​‍‍​‍​​‍​‍‍​‍‍‍​​‍‍​​‍‍‍​​‍​​​​​​‍‍‍​‍​​​‍‍​‍​​​​‍‍​‍​​‍​‍‍‍​​‍‍.

[1] https://github.com/foobuzz/ium

This is slightly more recognisable though. One of the key things you're trying to achieve with steganography is for an adversary to not even notice you're trying to send a message, and ideally even if they suspect something you have plausible deniability (which may or may not be enough).

Steganography in the wild: https://www.youtube.com/watch?v=BgelmcOdS38

And it all falls apart if one is using a text editor which highlights trailing whitespace (like emacs).

The point of steganography is to hide that there is even a message; this fails at that.

But if you saw that would you assume it's an attempt to hide a message? How often do you open up webpages in your editor and inspect the line endings?

All steganographic methods can be detected if you start actively looking for them. The point is it's very hard to know what to look for, especially if you come up with your own coding which you do not share publicly (off the top of my head: using commas and full-stops to encode a bitstream in tweets.)

If you want your Perl files to be invisible, Acme::Bleach hides all of your source code by encoding it as white space: http://www.perlmonks.org/?node_id=967004
A major problem with being a Perl developer is that nothing impresses me any more
Thanks! I was wondering how I could make my Perl comprehensible to Brainfuck programmers. Luckily there's Acme::eyedrops.
Even better, you can use spacing within a line to create a 3-D effect to emphasize certain words: https://en.wikipedia.org/wiki/ASCII_stereogram#Text_emphasis
I fail to see a secret message. What exactly should I be looking for?
"John Smith is responsible"

Cross (or relax and sufficiently uncross) your eyes until the two columns overlay perfectly. Those words will be at a different "depth"; the message literally pops out at you.

I could not do it as well. My monitor is too far away I guess (about 60-70 cm).
It's a stereogram, you have to cross your eyes (or relax to infinity, I could never get that right) to see it. In the one linked, it shows 'John Smith is responsible' pretty clearly. Like the Magic Eye books... but in text. Works quite well actually.

https://en.wikipedia.org/wiki/Stereoscopy

Compared to some single image stereograms, it's pretty easy for me to see the 3D effect either way. The "straight" view shows the message in front of the rest, cross-eyed it's behind.

Of course, it's not particularly "secure", there would have to be layers of encryption of some kind if the goal is keeping the message hidden.

I'm wondering if steganography could become a practical transfer method in the event that governments start to prohibit encryption (and of course steganography).

Will they prohibit spurious whitespace in documents?

This neat and very readable page layout is rather pleasant. It's not often that you find sites like these anymore.

I also looked at the page's source to see if anything was hidden in trailing whitespace there, and wasn't disappointed by what I saw either.

Reminds me of an underhanded code submission I saw a couple of months ago, where it looked like a 1-liner script, but the malicious part was encoded in the number of spaces trailing each line of the file.