Feeds

cDc prepares user-friendly stego app

Secret messaging made simple

  • alert
  • submit to reddit

SANS - Survey on application security programs

In an effort to help Netizens in the more paranoid corners of the world evade national censorship, the cDc's Hacktivismo group is developing a browser product called Camera/Shy capable of creating and displaying images with messages which would likely get a Web site shut down or filtered in places like Saudi Arabia and China.

The browser, created by Hacktivismo member 'The Pull', uses steganography, a method for inserting text into graphics files for viewing with companion software. The text is encrypted and can be pass-protected for an additional layer of secrecy.

The group hopes that people hobbled by official Internet censorship will be able to exchange information and opinions which might otherwise be politically risky. Since countries can use filtering and firewalling to keep their citizens from Web sites with 'objectionable' content, the idea here is to hide it in plain sight in approved venues. A discussion of human rights could be carried out under the noses of administrators and moderators on an approved Chinese BBS, for example. The local Feds would have a very difficult time stopping it.

"If there were no state-sponsored censorship of the Internet, if Cisco et al weren't crack hoes for hire, if there were no democracy activists screaming for help -- hell, we could be off having fun instead of working long hours after our day jobs," Hacktivismo member and occasional Reg contributor Oxblood Ruffin told us.

The original idea was conceived by The Pull. "I noted that one thing quite often missing from free security applications was ease of use -- automation for the end user. The lack of that ease and automation irked me as a gaping need because people don't use security products if they have to jump through hoops. People like shortcuts; people like automation," he told us.

We've been playing with a beta version which seems to work well and intuitively in a few simple demo situations. There are four windows, one which renders the page normally and one with a list of image files which can be selected for decryption. When one is selected, the text appears in the main window without further intervention. Other windows allow content to be inserted into image files which the user may post, and there is a format conversion tool as well. Entire Web pages can easily be concealed within an image file. And of course the files can easily be e-mailed around and viewed with the browser.

Camera/Shy will also (optionally) shut off all active scripting and clear the cache and history, and reject images not originating on the site being viewed. There are as yet a couple of bugs which the group intends to have sorted out in time for the application's release at the H2K2 conference on 13 July in New York.

No doubt the release will raise hackles among bureaucrats and Feds in many parts of the world, even in the Enlightened West where many in government believe our personal lives should be laid bare for their occasional inspection and approval. Since the 9/11 atrocity, there has been repeated speculation in the press that international terrorist organizations have been using stegged files to communicate across the Internet, though no evidence of this activity has ever been produced.

One financially-weak spyware outfit called iomart attempted a post-9/11 publicity stunt with unsubstantiated claims of this nature, which a number of superstitious reporters in the mainstream press did unfortunately parrot.

There are steganalysis tools such as the one iomart claims to have used, and the Thought Police in several countries may well use them to find stegged files posted on Web sites. But filtering and interrupting the exchange of this data is another matter. "Because the data is hidden in the most common image format on the Web, they would have to perform steganalysis on every gif coming through their wire. This is entirely impractical," The Pull reckons.

So far Camera/Shy works well and promises to be a very useful contribution to the fight against government censorship. It's to be released under the GPL. We look forward to seeing the finished product in a week or so. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.