cDc prepares user-friendly stego app
Secret messaging made simple
In an effort to help Netizens in the more paranoid corners of the world evade national censorship, the cDc's Hacktivismo group is developing a browser product called Camera/Shy capable of creating and displaying images with messages which would likely get a Web site shut down or filtered in places like Saudi Arabia and China.
The browser, created by Hacktivismo member 'The Pull', uses steganography, a method for inserting text into graphics files for viewing with companion software. The text is encrypted and can be pass-protected for an additional layer of secrecy.
The group hopes that people hobbled by official Internet censorship will be able to exchange information and opinions which might otherwise be politically risky. Since countries can use filtering and firewalling to keep their citizens from Web sites with 'objectionable' content, the idea here is to hide it in plain sight in approved venues. A discussion of human rights could be carried out under the noses of administrators and moderators on an approved Chinese BBS, for example. The local Feds would have a very difficult time stopping it.
"If there were no state-sponsored censorship of the Internet, if Cisco et al weren't crack hoes for hire, if there were no democracy activists screaming for help -- hell, we could be off having fun instead of working long hours after our day jobs," Hacktivismo member and occasional Reg contributor Oxblood Ruffin told us.
The original idea was conceived by The Pull. "I noted that one thing quite often missing from free security applications was ease of use -- automation for the end user. The lack of that ease and automation irked me as a gaping need because people don't use security products if they have to jump through hoops. People like shortcuts; people like automation," he told us.
We've been playing with a beta version which seems to work well and intuitively in a few simple demo situations. There are four windows, one which renders the page normally and one with a list of image files which can be selected for decryption. When one is selected, the text appears in the main window without further intervention. Other windows allow content to be inserted into image files which the user may post, and there is a format conversion tool as well. Entire Web pages can easily be concealed within an image file. And of course the files can easily be e-mailed around and viewed with the browser.
Camera/Shy will also (optionally) shut off all active scripting and clear the cache and history, and reject images not originating on the site being viewed. There are as yet a couple of bugs which the group intends to have sorted out in time for the application's release at the H2K2 conference on 13 July in New York.
No doubt the release will raise hackles among bureaucrats and Feds in many parts of the world, even in the Enlightened West where many in government believe our personal lives should be laid bare for their occasional inspection and approval. Since the 9/11 atrocity, there has been repeated speculation in the press that international terrorist organizations have been using stegged files to communicate across the Internet, though no evidence of this activity has ever been produced.
One financially-weak spyware outfit called iomart attempted a post-9/11 publicity stunt with unsubstantiated claims of this nature, which a number of superstitious reporters in the mainstream press did unfortunately parrot.
There are steganalysis tools such as the one iomart claims to have used, and the Thought Police in several countries may well use them to find stegged files posted on Web sites. But filtering and interrupting the exchange of this data is another matter. "Because the data is hidden in the most common image format on the Web, they would have to perform steganalysis on every gif coming through their wire. This is entirely impractical," The Pull reckons.
So far Camera/Shy works well and promises to be a very useful contribution to the fight against government censorship. It's to be released under the GPL. We look forward to seeing the finished product in a week or so. ®
Sponsored: 2016 Cyberthreat defense report