Feeds

cDc prepares user-friendly stego app

Secret messaging made simple

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

In an effort to help Netizens in the more paranoid corners of the world evade national censorship, the cDc's Hacktivismo group is developing a browser product called Camera/Shy capable of creating and displaying images with messages which would likely get a Web site shut down or filtered in places like Saudi Arabia and China.

The browser, created by Hacktivismo member 'The Pull', uses steganography, a method for inserting text into graphics files for viewing with companion software. The text is encrypted and can be pass-protected for an additional layer of secrecy.

The group hopes that people hobbled by official Internet censorship will be able to exchange information and opinions which might otherwise be politically risky. Since countries can use filtering and firewalling to keep their citizens from Web sites with 'objectionable' content, the idea here is to hide it in plain sight in approved venues. A discussion of human rights could be carried out under the noses of administrators and moderators on an approved Chinese BBS, for example. The local Feds would have a very difficult time stopping it.

"If there were no state-sponsored censorship of the Internet, if Cisco et al weren't crack hoes for hire, if there were no democracy activists screaming for help -- hell, we could be off having fun instead of working long hours after our day jobs," Hacktivismo member and occasional Reg contributor Oxblood Ruffin told us.

The original idea was conceived by The Pull. "I noted that one thing quite often missing from free security applications was ease of use -- automation for the end user. The lack of that ease and automation irked me as a gaping need because people don't use security products if they have to jump through hoops. People like shortcuts; people like automation," he told us.

We've been playing with a beta version which seems to work well and intuitively in a few simple demo situations. There are four windows, one which renders the page normally and one with a list of image files which can be selected for decryption. When one is selected, the text appears in the main window without further intervention. Other windows allow content to be inserted into image files which the user may post, and there is a format conversion tool as well. Entire Web pages can easily be concealed within an image file. And of course the files can easily be e-mailed around and viewed with the browser.

Camera/Shy will also (optionally) shut off all active scripting and clear the cache and history, and reject images not originating on the site being viewed. There are as yet a couple of bugs which the group intends to have sorted out in time for the application's release at the H2K2 conference on 13 July in New York.

No doubt the release will raise hackles among bureaucrats and Feds in many parts of the world, even in the Enlightened West where many in government believe our personal lives should be laid bare for their occasional inspection and approval. Since the 9/11 atrocity, there has been repeated speculation in the press that international terrorist organizations have been using stegged files to communicate across the Internet, though no evidence of this activity has ever been produced.

One financially-weak spyware outfit called iomart attempted a post-9/11 publicity stunt with unsubstantiated claims of this nature, which a number of superstitious reporters in the mainstream press did unfortunately parrot.

There are steganalysis tools such as the one iomart claims to have used, and the Thought Police in several countries may well use them to find stegged files posted on Web sites. But filtering and interrupting the exchange of this data is another matter. "Because the data is hidden in the most common image format on the Web, they would have to perform steganalysis on every gif coming through their wire. This is entirely impractical," The Pull reckons.

So far Camera/Shy works well and promises to be a very useful contribution to the fight against government censorship. It's to be released under the GPL. We look forward to seeing the finished product in a week or so. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.