1. 5
  2. 5

    I’ve done text-in-text steganography as a personal research topic and all I can say is, it’s impossible to fully hide anything. Also, the author has now painted a massive target on themselves. Don’t be surprised if you get a travel ban.

    The BIGGEST challenge that every crypto and stegan method faces is sharing secret information.

    This secret information takes two forms:

    • a key
    • or a process

    No matter what, you need to share this. And more often than not these processes or keys end up looking like entropy-filled data, which signals someone is trying to hide things.

    The only way to be 100% protected is to use pre-shared secrets, and “talk in code”, i.e. words don’t mean what they usually mean, “the hat’s still in good shape” could mean “my assets are currently positive”. People have been doing this for years and it’s the most effective, as it’s least detectable. To automate the process you’d need some sort of NN to map new semantics to old semantics, which is pointless. Just use your brains.

    “Semantic encryption” I guess you could call it. Hiding your meanings in plain sight.

    1. 2

      The length of the text can be whatever, it can also be randomised between a set of choices, since it doesn’t matter here. They are simply turning garbage into “normal” text with hidden garbage.

      The article does state this as a limitation of the method: that you need a lot more “host” text than the length you are encoding. In the example given, this method can encode 255 characters into the bill of rights.

      Still, pretty cool.

      1. 2

        I saw this on HN and thought it was the dumbest thing in a long time. Glad it’s posted here, I’m interested to be proven wrong.

        Problems I can see:

        • requires a long text to carry the encoded plaintext (unsure)
        • carriers (FB etc) can trivially enforce correct capitalization
        • similarly, carriers can randomly swap capitalization to mess up the steganography
        • the key has to be shared somehow… why not use that channel to send the message?
        1. 2

          To answer some (just my opinion):

          1. The length of the text can be whatever, it can also be randomised between a set of choices, since it doesn’t matter here. They are simply turning garbage into “normal” text with hidden garbage.
          2. That would mess it up for anyone else and the approach could switch to using bold, spaces, etc.
          3. Same as before, that’s silly, since most people will be impacted for no reason and it can be countered again.
          4. Here the key is not an OTP, so I could tell you a new key every day/week/month/year when we meet in person and we use that when we are far away.

          So I’m not sure why you are thinking this is dumb. The dumb thing is to allow a certain type of text but not another, and since that seems to be the current push in certain governments, now the plan is to move the banned text into a format almost indistinguishable from the other.

          1. 0
            1. The length of the text can be whatever, it can also be randomised between a set of choices, since it doesn’t matter here. They are simply turning garbage into “normal” text with hidden garbage.

            This doesn’t make any sense. How can I (say) encode your quote above into the carrier text “Frodo was here”? There has to be enough “entropy” in the carrier medium to conceal the encoded content. I don’t know enough about steganography to comment further, I may be off base here.

            2. That would mess it up for anyone else and the approach could switch to using bold, spaces, etc.

            No it won’t, if you have a majority of text written normally and then a bunch of weirdly capitalized text, just applying normal capitalization rules will not even be noticed. It might even be welcomed.

            I actually don’t think point 3 will come into play, so let’s leave that aside.

            4. Here the key is not an OTP, so I could tell you a new key every day/week/month/year when we meet in person and we use that when we are far away.

            How do you tell me the key without the evil government knowing it too?

            1. 1

              I’m getting a strong impression that you don’t understand certain fundamental details.

              Anyway the point is to find a loophole on encryption being possibly banned in the US (and maybe worldwide in some future). By using some text which is supposed to be “unbannable” they are trying to circumvent this, as without knowing the password, it is not possible to prove that it does contain encrypted stuff.

              For the rest of your questions, look into steganography. I understand that this is twisting the meaning as they are not trying to hide in plain sight, but this could be similar to being in a country where sharing encrypted data is illegal but sharing photos of the “Supreme Leader” is not. They change certain colors of the background or text to hide the data, thinking that the concept of sharing a nice picture of the leader will never ever be a punishable offense.

              1. 1

                I’m getting a strong impression that you don’t understand certain fundamental details.

                Your impression is wrong. But it’s obvious you are not really interested in educating me about what I’m wrong about, so I’m just going to end my interaction here. Thanks for the discussion.

          2. 1

            You’re 100% right. It’s fundamentally broken and yet another dumb idea painted pretty.

            -> the key has to be shared somehow… why not use that channel to send the message?

            Really does kill it. But also memespeech signals people are trying to potentially hide things. It’s useless.

            1. 3

              I mean, I get what they’re trying to aim for.

              They’re trying to safeguard the right to private communication by invoking the right to free speech, which is presumably “more important” legally.

              But they’re going to try to argue that posting the Bill of Rights in leetspeak is somehow protected, and that the act of normalizing capitalization is an infringement on their right of expression. Any court will just say that the normalized form is easier to read, and thus their speech is more clearly transmitted than the previous version.

              IANAL.
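
The two technical objections raised in the thread (the carrier must be long enough, and a platform can normalize capitalization) can be checked with a toy case channel. This is an added example, not the article's scheme or any commenter's code: it assumes one bit per ASCII letter with no key or encryption step, and all function names are hypothetical.

```python
# Added illustration: a toy "one bit per letter" case channel, constructed for
# this page. It is not the article's scheme (no key, no encryption step).

def is_letter(ch: str) -> bool:
    return ch.isascii() and ch.isalpha()

def capacity_bits(carrier: str) -> int:
    """A case channel carries at most one bit per ASCII letter."""
    return sum(is_letter(ch) for ch in carrier)

def embed(carrier: str, payload: bytes) -> str:
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > capacity_bits(carrier):
        raise ValueError(f"need {len(bits)} bits, carrier holds {capacity_bits(carrier)}")
    out, k = [], 0
    for ch in carrier:
        if is_letter(ch) and k < len(bits):
            ch = ch.upper() if bits[k] else ch.lower()  # case carries the bit
            k += 1
        out.append(ch)
    return "".join(out)

def extract(stego: str, nbytes: int) -> bytes:
    bits = [ch.isupper() for ch in stego if is_letter(ch)][: nbytes * 8]
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))

def normalize(text: str) -> str:
    """Carrier-side sanitisation: plain sentence case."""
    out, start = [], True
    for ch in text.lower():
        if start and ch.isalpha():
            ch, start = ch.upper(), False
        elif ch in ".!?":
            start = True
        out.append(ch)
    return "".join(out)

def midword_upper_ratio(text: str) -> float:
    """Share of mid-word letters that are uppercase; near 0 for ordinary prose."""
    mid = [b for a, b in zip(text, text[1:]) if is_letter(a) and is_letter(b)]
    return sum(ch.isupper() for ch in mid) / len(mid) if mid else 0.0

if __name__ == "__main__":
    stego = embed("Frodo was here", b"A")  # constructed sample carrier
    print(stego, extract(stego, 1), extract(normalize(stego), 1))
    print(midword_upper_ratio(stego), midword_upper_ratio(normalize(stego)))
```

“Frodo was here” holds 12 bits, so a single byte fits and two do not; sentence-casing the text leaves it readable but the extracted byte no longer matches, and the mid-word uppercase ratio drops to zero.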