26 comments

[ 4.4 ms ] story [ 58.5 ms ] thread
Doh, some of these options seem horrible: eg, allowing the data to be extracted automatically using standard tools. If you can automatically detect hidden data, it's only hidden from people who aren't looking. If your data is worth hiding, it's worth hiding from people who know how to use "find -exec" (or had someone else set up an automated sweep program for them).
What, pray, is "SHA3 key generation"
Well it's got to be super sekrit so it needs the best SHA algorithm, what better than the one that even the NSA hasn't picked yet? :-)
Oh I'm sure the NSA has already picked it ;) NIST just hasn't yet...
Keccak was picked by NIST last October as the winner of the SHA-3 competition.
I thought Keccak has already been chosen to be SHA-3, is it not the case?
That they're using SHA3 as a key generation function to convert a passphrase to a key for encryption? What else would it mean?
See the reply by capnrefsmmat
The wisdom of using a homegrown sha-3 based algorithm for key generation is separate from what "sha-3 key generation" means.
Props for using social media share nag images that do not load from Twitter/Facebook/Google until click. :) Better speed and better privacy for end users.
(comment deleted)
is there any evidence that the steganography here is undetectable? i would have thought that uniformly random data in the low bits of an image's data (pixels or fourier coefficients or whatever) was a clear signature for anyone trying to find these things. aren't they naturally correlated in various ways?

also, something like tineye can be used to retrieve web-sourced images for comparison, which would make any hidden data really obvious (and a smooth gradient would be even more suspicious if the lowest bits weren't smooth).

what is the state of the art in steganography? is it feasible for reasonable bandwidth? what are the best carrier data to use? do phone cameras provide raw images or are they always jpegs? i guess a webcam video uploaded to youtube has the advantages of large data volume, unique content, and wide visibility. but do they reformat?

Off course before you even get to all that, I'd be concerned about the steganographic problem where they go to your ISP's logs and see you've visited the site.
That is the first thing I thought.

Unless it runs on your computer and you can trust that, it's useless.

also, something like tineye can be used to retrieve web-sourced images for comparison, which would make any hidden data really obvious (and a smooth gradient would be even more suspicious if the lowest bits weren't smooth).

Smooth gradients are only smooth if you add noise to the lower bits, due to having only 256 color levels per channel. A comparison: http://imgur.com/0cJWm8t

Those color bands are indeed only one color value apart per channel; the first visible band is rgb(50, 120, 50), while the second is rgb(51, 119, 51).

The banding is almost imperceptible though. I had to get close to the monitor and squint a lot to see it.
oh, good point. the site should explain this for people like me and also clarify how many bits are available.
No one's worried about the entire concept? It seems a little counter-intuitive to tell someone else your secrets, so they can hide them.
I would argue that to most people who download the tor browser that is effectively what they are doing.

As has been shown before, open and closed source products people use (including security software) has been time and time again proven to be insecure.

I still would be somewhat wary to use this site for actual stuff I care about, but its a cool site and a cool little idea.

> Supported container types: [...] rand, which downloads a random image from Wikimedia;

I honestly don't see the point of that container type. How much useful is steganography if the original JPEG is publicly available for comparison? How could anyone ever plausibly deny that?

"You were emailing this image from Wikimedia, but made subtle modifications to the file. Can you explain this?" - "Umm ... I guess I downloaded it via a noisy internet connection." ?!

Resize it, or perform a similar change so the file sizes wouldn't match up.
Comrade Smith, you have emailing picture wikimedia's, but you altering it. Why it resized when you having fast internet connection? We know you hiding message with steganography and requesting key. You will remaining in solitary confinement until key given.