... Invisible formatting information is embedded in trailing spaces and tabs on the ends of lines in an ordinary looking document. In addition, "blank" lines contain spaces and tabs with hidden formatting meanings. Assuming typical 60 column lines, one can have over 300 different codings on the end of a line without going past 80 columns. (Far fewer are needed.) On a blank line, almost a billion codings are possible.
Documents with invisible formatting always start with a magic line, which begins with "<SP><SP><TAB><SP><SP><TAB>" followed by version encoding. Thus documents can be spotted and formatted even without a Mime Content-Type header for this new text type. This otherwise useless combination of spaces and tabs on a blank line should virtually assure that random documents are not treated as formatted. ...
Whitespace is good, but with Unicode you can do even better by using invisible characters such as ZERO WIDTH SPACE (U+200B) and ZERO WIDTH JOINER (U+200D). I once made a proof of concept[1] using those two characters. It can converts arbitrary data into invisible text by using U+200B as bit 0 and U+200D as bit 1.
Most platforms (Twitter, Reddit, Hacker News) accepts those characters so you can paste invisible messages there. The illusion falls down as soon as you use a low-level text editor such as vim which marks exotic characters in a specific manner (by displaying their hexadecimal codepoint, as it happens). This is where whitespace can be more powerful, given its mainstream usage.
This is slightly more recognisable though. One of the key things you're trying to achieve with steganography is for an adversary to not even notice you're trying to send a message, and ideally even if they suspect something you have plausible deniability (which may or may not be enough).
But if you saw that would you assume it's an attempt to hide a message? How often do you open up webpages in your editor and inspect the line endings?
All steganographic methods can be detected if you start actively looking for them. The point is it's very hard to know what to look for, especially if you come up with your own coding which you do not share publicly (off the top of my head: using commas and full-stops to encode a bitstream in tweets.)
Cross (or relax and sufficiently uncross) your eyes until the two columns overlay perfectly. Those words will be at a different "depth"; the message literally pops out at you.
It's a stereogram, you have to cross your eyes (or relax to infinity, I could never get that right) to see it. In the one linked, it shows 'John Smith is responsible' pretty clearly. Like the Magic Eye books... but in text. Works quite well actually.
Compared to some single image stereograms, it's pretty easy for me to see the 3D effect either way. The "straight" view shows the message in front of the rest, cross-eyed it's behind.
Of course, it's not particularly "secure", there would have to be layers of encryption of some kind if the goal is keeping the message hidden.
I'm wondering if steganography could become a practical transfer method in the event that governments start to prohibit encryption (and of course steganography).
Will they prohibit spurious whitespace in documents?
Reminds me of an underhanded code submission I saw a couple of months ago, where it looked like a 1-liner script, but the malicious part was encoded in the number of spaces trailing each line of the file.
20 comments
[ 2.8 ms ] story [ 58.7 ms ] thread... Invisible formatting information is embedded in trailing spaces and tabs on the ends of lines in an ordinary looking document. In addition, "blank" lines contain spaces and tabs with hidden formatting meanings. Assuming typical 60 column lines, one can have over 300 different codings on the end of a line without going past 80 columns. (Far fewer are needed.) On a blank line, almost a billion codings are possible.
Documents with invisible formatting always start with a magic line, which begins with "<SP><SP><TAB><SP><SP><TAB>" followed by version encoding. Thus documents can be spotted and formatted even without a Mime Content-Type header for this new text type. This otherwise useless combination of spaces and tabs on a blank line should virtually assure that random documents are not treated as formatted. ...
Most platforms (Twitter, Reddit, Hacker News) accepts those characters so you can paste invisible messages there. The illusion falls down as soon as you use a low-level text editor such as vim which marks exotic characters in a specific manner (by displaying their hexadecimal codepoint, as it happens). This is where whitespace can be more powerful, given its mainstream usage.
[1] https://github.com/foobuzz/ium
Steganography in the wild: https://www.youtube.com/watch?v=BgelmcOdS38
The point of steganography is to hide that there is even a message; this fails at that.
All steganographic methods can be detected if you start actively looking for them. The point is it's very hard to know what to look for, especially if you come up with your own coding which you do not share publicly (off the top of my head: using commas and full-stops to encode a bitstream in tweets.)
Maybe the most controversial answer on StackOverflow.
Cross (or relax and sufficiently uncross) your eyes until the two columns overlay perfectly. Those words will be at a different "depth"; the message literally pops out at you.
https://en.wikipedia.org/wiki/Stereoscopy
Of course, it's not particularly "secure", there would have to be layers of encryption of some kind if the goal is keeping the message hidden.
Will they prohibit spurious whitespace in documents?
I also looked at the page's source to see if anything was hidden in trailing whitespace there, and wasn't disappointed by what I saw either.