Securebook update adds real Social Steganography

After all the comments and blog posts about Securebook, Rob Best added real steganography to Securebook.

I paid the money for the full version and will be posting some secret messages to my Flickr and Twitter friends in the near future.

It’s clearly amazing how this project has progressed and I’m really happy to have had a tiny helping hand in making this what it has become. Now I need to run this past some of the guys at work to see what they think. But in the meantime Rob really needs to get this in front of Schneier and Steve Gibson on the security end and Danah Boyd and Stowe Boyd on the social tip.

I’m wondering if there is an interesting tie-up with Google Plus’s automatic uploading of photos and Securebook’s social steganography? On #Techgrumps it was already mentioned that this would be great for those taking and sharing sensitive photos if their camera was later seized. Not only would your photos be online straight away, but they would also include hidden and secret information which you could only see if you’re a friend.

Social steganography with Securebook?

Rob Best wrote to me after seeing my post on Social Steganography.

I read your article on social steganography and I have also become interested in it even if it is old news by now. So intrigued I decided to write my first Android app (Securebook) with the sole purpose of letting you hide secret messages in seemingly normal Facebook status updates. Hope you’ll check it out: https://market.android.com/search?q=securebook&so=1&c=apps

I wrote back to Rob and said, I’ll check it out and I did. I got the Free ad-supported version…

Securebook required my Facebook login, which was done via a web login, so I wasn’t worried too much. Once in, the application was pretty simplistic. You can look at your wall or post something. When you post, you get the option to write something publicly and something hidden.

So I thought I’d test it and posted something on my Facebook wall.

testing securebook lite the first social steganography app

Can’t read the message in the message? Download Securebook to see what you’re missing.

395AF95D1586A6C9A4258B2BCC6091CE19A3074721106FD591C7A366F135FD12E874725056814E63F1AF60E49681197C

Before long I received some interesting comments from friends (combination of Micheal, Tim, Marcus, Maria, Paul) who were less than impressed… Of course you can’t see my wall (one of the problems with Facebook), so I finally did a summary and posted it to Rob Best as an email.

Having had a look about, it looks like securebook don’t understand what stenography means because they’re the ones adding lots of that text saying “Hey look, it’s encrypted”. Also, how would securebook know they’re the first social stenography app? There could be loads, and by definition you shouldn’t know if someone was using it! 🙂

Securebook isn’t doing stenography. Simple as that. Shoving the ciphertext in the exif comment data of a JPEG, and then posting the JPEG on a website, and linking to that from a facebook post (for example) would be stenography (after a fashion), because the message would not be visible. Simply adding the ciphertext clearly visible in the body of a status update is not stenography. If the person writing this app doesn’t understand that basic difference, stay away from the app, since they simply do not understand stenography.

Rob wrote back to me in this reply…

 

The paid version removes the “Can’t see the message …” text. And if you use the link functionality as your carrier, the only “give away” is that Facebook will show that the message was posted using Securebook (I may change this though).

And in reply to the rest of the comment…

Again, the cyphertext is not visible when a link is used as the carrier.

I actually had this in my first draft version. Actually, I first was encoding the message in the lower 4 bits of the photo and uploading it to Facebook. Problem is I couldn’t nail down Facebook’s compression so the message was lost. I then thought to put it in the exif data but Facebook strips that too! I then was forced to decide if I wanted to pursue this path or do something else.

I found that I could put the message in a Facebook link (replacing the actual URL) and since only the caption is displayed the message remained hidden, but of course the link was broken. I think this still constituted steganography though.

Lastly I looked into encoding the message using whitespace and also using the letter of each word in the message to do a dictionary lookup and find a word starting with that letter. The posts were of course nonsensical at that point so I scrapped that idea.

Going back to your comments, perhaps in version 2.0 I’ll add the ability to upload a photo to a site where I can manage the compression therefore saving the message encoded in the last 4 bits (or exif data) and link to it from Facebook.

So I think it’s a noble attempt and hopefully the feedback is helping Rob. It’s a really great and useful first application, I’ll certainly keep it on my Android device and look forward to the updates of Securebook. Good work Rob, interesting application and I’m sure once you get it cracked, people will flock to download it…
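
Added example, not Rob's Securebook code: a sketch of the "lower 4 bits" embedding Rob describes in his reply, showing why the message is lost once a host re-encodes the photo lossily. The cover samples, the 2-byte length prefix and the `recompress` rounding step are assumptions standing in for a real photo and for Facebook's compression, which the post does not specify.

```python
# Added illustration: names, cover data and the quantiser are constructed.

def embed(cover: bytes, message: bytes) -> bytes:
    """Hide each payload byte as two nibbles in the low 4 bits of two samples."""
    payload = len(message).to_bytes(2, "big") + message  # assumed length prefix
    if 2 * len(payload) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for i, b in enumerate(payload):
        out[2 * i] = (out[2 * i] & 0xF0) | (b >> 4)
        out[2 * i + 1] = (out[2 * i + 1] & 0xF0) | (b & 0x0F)
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Rebuild the payload from the low nibbles; reject an implausible length."""
    def byte_at(i: int) -> int:
        return ((stego[2 * i] & 0x0F) << 4) | (stego[2 * i + 1] & 0x0F)
    n = (byte_at(0) << 8) | byte_at(1)
    if 2 * (n + 2) > len(stego):
        raise ValueError("length prefix implausible: payload damaged or absent")
    return bytes(byte_at(i) for i in range(2, n + 2))

def recompress(samples: bytes, step: int = 8) -> bytes:
    """Stand-in for lossy re-encoding: round each sample to a multiple of step."""
    return bytes(min(255, round(s / step) * step) for s in samples)

def max_distortion(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change caused by embedding (at most 15 for 4 bits)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def survives(cover: bytes, message: bytes, step: int) -> bool:
    """True only if the exact message comes back after re-encoding."""
    try:
        return extract(recompress(embed(cover, message), step)) == message
    except ValueError:
        return False

# Constructed 256-sample "image" and message.
COVER = bytes((i * 37 + 11) % 256 for i in range(256))
MESSAGE = b"meet at noon"

if __name__ == "__main__":
    print("round trip ok:", extract(embed(COVER, MESSAGE)) == MESSAGE)
    print("max sample change:", max_distortion(COVER, embed(COVER, MESSAGE)))
    print("survives lossless copy:", survives(COVER, MESSAGE, 1))
    print("survives lossy re-encode:", survives(COVER, MESSAGE, 8))
```

Rounding to multiples of 8 wipes the low three bits of every sample, so the nibbles that carried the message cannot come back; a host that controls compression, as Rob suggests for version 2.0, avoids that loss.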