Steganography Thread - I put some data in your data bro

[Feral Postie]

Steganography is defined by Wikipedia as:

Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the concealed information would not be evident to an unsuspecting person's examination. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.

For those into computers it should be immediately evident why this would be useful to individuals concerned about privacy or those living in oppressive places, but it can also be used against you.

Perhaps one of the most common forms of steganography is done by printers in which they print a series of tiny, yellow dots on a page that represent the printer's serial number and which are invisible to the naked eye. By doing this it means any document can be traced back to a specific printer (and likely person). Here is an example of this:


A more interesting example would be hiding an image within another image. Take this image for example:


When you know how to decode that image you reveal a picture of a cat:


A good, easy to understand summary of how this is done is provided by incoherency.co.uk:

https://incoherency.co.uk/image-steganography/

At any point online you could be interacting with data that contains hidden data. You could just be unknowingly passing it along to its intended recipient, unknowingly passing it by, or someone could potentially use it against you if you were being targeted. Likewise you could be the one sending hidden data to other people to circumvent censorship, oppression, etc.

There are all kinds of steganographic methods and many are significantly more complex that the two examples I mentioned here. There's also numerous ways of attempting to prevent and defeat it, but I won't go into those right now.

Let's look at this sentence:

Yo' ؜whatup ho᠎m᠎ie I g᠎ot da؜t riz᠋z f᠎r noca؜p

In this sentence I've hidden a number. Zenforo removes most invisible characters but U+180E and U+61C are not filtered so we can make use of them to hide something. I will use U+180E as 0 and U+61C as 1. The hidden data is the binary number 1000101 which is the decimal number 69 (nice).

You can see the invisible characters if you copy and paste that text into this tool: https://www.soscisurvey.de/tools/view-chars.php

Using hidden characters like these or zero width spaces is a well known way to detect when someone has copied content you own and reposted it elsewhere. This could be used for things like copyrighted articles, or pre-press releases to detect who leaked them.

Microsoft actually somewhat famously used steganography to detect Xbox 360 leaks:


I have personally implemented something like this once in a commercial product to trace back pirated versions of a piece of software to the original customer, the one who released it via torrents or warez sites.

I don't expect this to be a very active topic, but this is a subject I'm fascinated by and I imagine some of you are too.

 

[Sprate Header]

Idk all the facts of this case, but this video from the YouTuber NightDocs in part talks about how Russian spies were allegedly using steganography to hide secret messages in Google Images:

It's a fairly interesting concept!

 

[allthewaydowntotheballbag]

I've been interested in this topic for a long time. The best program I've ever come across is OpenPuff. It's the only program that's usable on 4chan as far as I know.

 

[Squawking Macaw]

This is how Spore handles creature data. The creatures you create are saved as pngs where a render of the creature is displayed:

You could even save this png and paste it into your Spore creations folder to use it in-game. Edit: take care not to convert it to a webp as that's now KF's default.
But the actual info the game needs, like the stats, the diet, or the consequence traits, is saved on an alpha channel. You can make it visible by copying and pasting the png over and over again:

 

[Ho-oh]

Didn't know something like this exists, cheers. Following.

 

[AngryAboutInternets]

I made a tool for this way, way back. Fun stuff. In fact I think I even made one for audio files but it's been like 7 years so I can't recall.
As much as security through obscurity isn't good practice, I do think it's the way of the future somewhat for those who don't kowtow to gov/corp interests. Plus, it's great for ARG-like online games and hunts.

 

[We Are The Witches]

This is basically about concealing data and recovering it through a known method. Such thing reminds me of ciphertexts such as Vigenère, Beaufort, and more complex ones, although for decoding those other techniques are employed, like letter frequency of a particular language, so known patterns.

For things that seemingly have no rational pattern, the possibilities not only are limitless, but more difficult to crack.

What would be a fun one?
Maybe we can exchange messages by knowing a secret number (like 789), then I give you an image. Every 789 pixels (from left to right, up to down), the color-value of that pixel in HEX converted to binary corresponds to a letter (maybe to its Unicode value but with an offset).

The fun part would be creating software that decodes that stuff, you upload the image, give the secret number, and it concatenates the letters to create the message.

Then someone trying to decode this message, would need to create a software decoder that bruteforces that secret number, would go 1 by 1 giving messages until something resembles actual language.
We can go deeper on this, but as it is right now this sounds cool.

---

If I did this correctly, in this obvious & super simplified example, that is saying "hello", if you only look for the green channel of the RGB, every 40 pixels.

 

[Grim_Autismo]

I find steganography very interesting, especially in cases of digital provenance in AI. Things are hidden in waveforms, and you'd never know it. Machines are trained on LLMs, and they can read those patterns. We only see pictures, though, so we don't understand. (some of these provenance measures are as simple as opening the file in a text editor and there will be the name of a company or something IN PLAIN TEXT that you can strip out, lol! Sometimes it's more complex.)

This is also known as "forensic watermarking" but it's not limited to images, it can be used on audio, video, any waveform. It's actually a very big thing right now, they're using it to detect deepfakes/digital "adulteration", leak tracing (which is why you should ALWAYS retype an email or document, don't just screenshot it!), and for copyright purposes.

The awesome thing about steganography is you just have to hide it in the noise, and most files have a lot of noise. And with the advent of HD and high-speed connections, no one will bat an eye at a 96MB video file of something with something else hidden inside it.

 

[allthewaydowntotheballbag]

leak tracing (which is why you should ALWAYS retype an email or document, don't just screenshot it!)

There's a famous example of this. During Margaret Thatcher's reign individual copies of official documents were supposedly marked by slightly altering the spaces between words.

 

[Latex Catmaid]

I heard of it way back in 2013.
Apparently you can put a script or a program in the image and when opened it triggers the script or program. There was an article warning me of not downloading images from random places since they culd contain viruses and my browser blocked me from downloading an image once because it detected a virus in it

 

[Feral Postie]

This is how Spore handles creature data. The creatures you create are saved as pngs where a render of the creature is displayed:
View attachment 6394702
You could even save this png and paste it into your Spore creations folder to use it in-game.
But the actual info the game needs, like the stats, the diet, or the consequence traits, is saved on an alpha channel. You can make it visible by copying and pasting the png over and over again:
View attachment 6394722

This is an extremely cool real world example of a non-tracking usecase. I had no idea they did this, but it's a very nice solution to the problem they had.

 

[Grim_Autismo]

I heard of it way back in 2013.
Apparently you can put a script or a program in the image and when opened it triggers the script or program. There was an article warning me of not downloading images from random places since they culd contain viruses and my browser blocked me from downloading an image once because it detected a virus in it

Oh yeah, even MP4s can contain viruses or exploits. If the attacker knows what media player you're running, for example, they could trigger a buffer overflow with some malicious code (there were cases of this back in the day with certain versions of VLC). There's always a way to embed something into something else; any time you open something, there's a risk.

Here's a fun database of exploits/CVEs just for VLC (all of which have been patched afaik if you're running the latest version), just to give you an idea. VLC is not unique in this regard, all media players, image viewers, etc. are vulnerable to attack.

 

[Homocull]

This is how Spore handles creature data. The creatures you create are saved as pngs where a render of the creature is displayed:
View attachment 6394702
You could even save this png and paste it into your Spore creations folder to use it in-game.
But the actual info the game needs, like the stats, the diet, or the consequence traits, is saved on an alpha channel. You can make it visible by copying and pasting the png over and over again:
View attachment 6394722

less efficient, faster alternative - tossing that shit into a text chunk

 

[The Mass Shooter Ron Soye]

If you work at it you can hide messages in normal plain text sentences, no fancy characters or dots, with a predetermined code to pick the characters based on an offset or something. I remember making some crappy utility to facilitate this, where "243" would be the 2nd character of the 1st word, 4th character of the 2nd word, 3rd character of the 3rd word, and then it repeats.

The easy one is the first character of each sentence trick that is good for trolling.

I find steganography very interesting, especially in cases of digital provenance in AI. Things are hidden in waveforms, and you'd never know it. Machines are trained on LLMs, and they can read those patterns. We only see pictures, though, so we don't understand. (some of these provenance measures are as simple as opening the file in a text editor and there will be the name of a company or something IN PLAIN TEXT that you can strip out, lol! Sometimes it's more complex.)

OpenAI has the tech to watermark ChatGPT text—it just won’t release it (archive)

To deploy the tool, OpenAI would make tweaks to ChatGPT that would lead it to leave a trail in the text it generates that can be detected by a special tool. The watermark would be undetectable by human readers without the tool, and the company's internal testing has shown that it does not negatively affect the quality of outputs. The detector would be accurate 99.9 percent of the time. It's important to note that the watermark would be a pattern in the text itself, meaning it would be preserved if the user copies and pastes the text or even if they make modest edits to it.

 

[Scale Smerch]

Oh yeah, even MP4s can contain viruses or exploits. If the attacker knows what media player you're running, for example, they could trigger a buffer overflow with some malicious code (there were cases of this back in the day with certain versions of VLC). There's always a way to embed something into something else; any time you open something, there's a risk.

Heh funny you mentioned this, I recently learned about a historical Windows Media Player exploit which could take advantage of specific embedded code. Really opens your eyes to just what's possible and how damn near impossible it is to fully account for every avenue of attack.

 

[Grim_Autismo]

OpenAI has the tech to watermark ChatGPT text—it just won’t release it (archive)

It's really not that hard, most of them have tools for it. Here's the CAI open source SDK. They expect you to buy a license from them, kek, but you could just create your own licensing schema and do an endrun around it.

 

[allthewaydowntotheballbag]

If you work at it you can hide messages in normal plain text sentences, no fancy characters or dots, with a predetermined code to pick the characters based on an offset or something.

I love null ciphers. There's a very interesting example here on pages 181 and 182: https://archive.org/details/prisonerinturkey00stiluoft/page/180/mode/2up

I spend a lot of time thinking about these things and I've figured out a simple way to hide short codes in shitposts. It's not a null cipher but it's probably much easier to use.

1. create a codebook that maps e.g. 16 cleartext messages to 16 4-bit "codewords" (e.g. a message like "they're on to you; lay low" would be mapped to "0101")
2. write a plausible shitpost consisting of at least 4 sentences
3. alter the first 4 sentences of the shitpost so that each sentence has an even or odd number of words corresponding to the codeword of the message you want to send; if the codeword is "0101" the first sentence would have an even number of words, the second one and odd number of words, the third and even number of words etc. Basically the bit 0 corresponds to and even number of words, and 1 to and odd number of words in a sentence

It's a low bandwidth method but I think it could provide a lot of plausible deniability. You could warn your cartel or pedo friends of impending danger over a public forum post and nobody would suspect a thing.

 

[The Mass Shooter Ron Soye]

I love null ciphers. There's a very interesting example here on pages 181 and 182: https://archive.org/details/prisonerinturkey00stiluoft/page/180/mode/2up

I spend a lot of time thinking about these things and I've figured out a simple way to hide short codes in shitposts. It's not a null cipher but it's probably much easier to use.

1. create a codebook that maps e.g. 16 cleartext messages to 16 4-bit "codewords" (e.g. a message like "they're on to you; lay low" would be mapped to "0101")
2. write a plausible shitpost consisting of at least 4 sentences
3. alter the first 4 sentences of the shitpost so that each sentence has an even or odd number of words corresponding to the codeword of the message you want to send; if the codeword is "0101" the first sentence would have an even number of words, the second one and odd number of words, the third and even number of words etc. Basically the bit 0 corresponds to and even number of words, and 1 to and odd number of words in a sentence

It's a low bandwidth method but I think it could provide a lot of plausible deniability. You could warn your cartel or pedo friends of impending danger over a public forum post and nobody would suspect a thing.

In reality, most people would swap AES-256 keys instead of a codebook, and the pedos advertise themselves openly with a handful of phrases and symbols, then move on to private/encrypted chats.

I'm sure someone is using stegosaurusography. But the big one is command and control for botnets, which isn't as fun as two people talking.

 

[Why am I doing this?]

Steganography is cool, but Cicero is much cooler:

sed ut perspIciatis, unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam eaque ipsa, quae ab illo inventore veritatis et quasi arcHitecto beATaE vitae dicta suNt, explIcabo. nemo enim ipsam voluptatem, quia voluptas sit, aspernatur aut odit aut fuGit, sed quia consequuntur maGni dolorEs eos, qui Ratione voluptatem Sequi nesciunt, neque porro quisquam est, qui dolorem ipsum, quia dolor sit amet consectetur adipisci velit, sed quia non numquam eius modi tempora incidunt, ut labore et dolore magnam aliquam quaerat voluptatem. ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? quis autem vel eum iure reprehenderit, qui in ea voluptate velit esse, quam nihil molestiae consequatur, vel illum, qui dolorem eum fugiat, quo voluptas nulla pariatur?

 

[UERISIMILITUDO]

No, cryptographer child, there is no hidden message within this message. Enjoy confusion.