Securebook update adds real Social Steganography

After all the comments and blog posts about secure book, rob best added real steganography to Securebook.

I paid the money for the full version and will be posting some secret messages to my flickr and twitter friends in the near future.

Its clearly amazing how this project has progressed and I’m really happy to have had a tiny helping hand in making this what it has become. Now I need to run this pass some to the guys at work to see what they think. But in the mean time Rob really needs to get this in front of Schneier and Steve Gibson on the security end  and Danah Boyd and Stowe Boyd on the social tip.

I’m wondering if there is a interesting tie up with Google plus’s automatic uploading of photos and securebook’s social steganography? On #Techgrumps it was already mentioned that this would be great for those taking and sharing sensitive photos if there camera was later seized. Not only would your photos be online straight away, but they would also include hidden and secret information which you could only see if your a friend.

Social steganography with Securebook?

Rob Best wrote to me after seeing my post on Social Steganography.

I read your article on social steganography and I have also become interested in it even if it is old news by now. So intrigued I decided to write my first Android app (Securebook) with the sole purpose of letting you hide secret messages in seemingly normal Facebook status updates. Hope you’ll check it out: https://market.android.com/search?q=securebook&so=1&c=apps

I wrote back to Rob and said, I’ll check it out and I did. I got the Free ad-supported version…

Securebook required my facebook login which was done via a web login, so it shouldn’t worried too much. Once in the application was pretty simplistic. You can look at your wall or post something. When you post, you get the option to write something publicly and something hidden.

So I thought i’d test it and posted something on my facebook wall.

testing securebook lite the first social steganography app

Can’t read the message in the message? Download Securebook to see what you’re missing.

395AF95D1586A6C9A4258B2BCC6091CE19A3074721106FD591C7A366F135FD12E874725056814E63F1AF60E49681197C

Before long I received some interesting comments from friends (Combination of Micheal, Tim, Marcus, Maria, Paul) who were less that impressed… Of course you can’t see my wall (one of the problems with Facebook), so I finally did a summary and posted it to Rob Best as a email.

Having had a look about, it looks like securebook don’t understand what stenography means because they’re the ones adding lots of that text saying “Hey look, it’s encrypted”. Also, how would securebook know they’re the first social stenography app? There could be loads, and by definition you shouldn’t know if someone was using it! 🙂

Securebook isn’t doing stenography. Simple as that. Shoving the ciphertext in the exif comment data of a JPEG, and then posting the JPEG on a website, and linking to that from a facebook post (for example) would be stenography (after a fashion), because the message would not be visible. Simply adding the ciphertext clearly visible in the body of a status update is not stenography. If the person writing this app doesn’t understand that basic difference, stay away from the app, since they simply do not understand stenography.

Rob wrote back to me in this reply…

 

The paid version removes the “Can’t see the message …” text. And if you use the link functionality as your carrier, the only “give away” is that Facebook will show that the message was posted using Securebook (I may change this though).

And in reply to the rest of the comment…

Again, the cyphertext is not visible when a link is used as the carrier.

I actually had this in my first draft version. Actually, I first was encoding the message in the lower 4 bits of the photo and uploading it to Facebook. Problem is I couldn’t nail down Facebook’s compression so the message was lost. I then thought to put it in the exif data but Facebook strips that too! I then was forced to decide if I wanted to pursue this path or do something else.

I found that I could put the message in a Facebook link (replacing the actual URL) and since only the caption is displayed the message remained hidden, but of course the link was broken. I think this still constituted steganography though.

Lastly I looked into encoding the message using whitespace and also using the letter of each word in the message to do a dictionary lookup and find a word starting with that letter. The posts were of course non-nonsensical at that point so I scrapped that idea.

Going back to your comments, perhaps in version 2.0 I’ll add the ability to upload a photo to a site where I can manage the compression therefore saving the message encoded in the last 4 bits (or exif data) and link to it from Facebook.

So I think its a noble attempt and hopefully the feedback is helping Rob. Its a really great and useful first application, I’ll certainly keep it on my android device and look forward to the updates of Securebook. Good work Rob, interesting application and I’m sure once you get it cracked, people will flock to download it…

Hiding in plain sight: Social Steganography

I know its quite old (all of a year) but I’m really intriguing…

Privacy in a public age

Carmen is engaging in social steganography. She’s hiding information in plain sight, creating a message that can be read in one way by those who aren’t in the know and read differently by those who are. She’s communicating to different audiences simultaneously, relying on specific cultural awareness to provide the right interpretive lens. While she’s focused primarily on separating her mother from her friends, her message is also meaningless to broader audiences who have no idea that she had just broken up with her boyfriend. As far as they’re concerned, Carmen just posted an interesting lyric.

Social steganography is one privacy tactic teens take when engaging in semi-public forums like Facebook. While adults have worked diligently to exclude people through privacy settings, many teenagers have been unable to exclude certain classes of adults – namely their parents – for quite some time. For this reason, they’ve had to develop new techniques to speak to their friends fully aware that their parents are overhearing. Social steganography is one of the most common techniques that teens employ. They do this because they care about privacy, they care about misinterpretation, they care about segmented communications strategies. And they know that technical tools for restricting access don’t trump parental demands to gain access. So they find new ways of getting around limitations. And, in doing so, reconstruct age-old practices.

I would also add the suggestion that deep down they also know that technical methods are seriously no good for privacy. So they deploy there own privacy by adding steganography to there imprint on the web. Its also not just teenagers…