blog/soft/003-steganography.md

steganography

one may expect that using strong cryptography may one day make one a target. unfortunately, cryptography by itself is easy to detect. good encryption is indistinguishable from a string of random bytes. in other words, it looks like a high-quality source of entropy, or "noise." while many real world processes are "noisy," a communication channel that appears to be sending nothing but noise between its two endpoints is suspicious!

steganography allows one to hide an encrypted message within the "noise" of another "cover" message. if the cover message would not normally contain noise, this is of course still suspicious. care must be taken when using steganography to hide messages in media which can be expected to normally contain at least some noise. grainy photographs are a good example, as are low-quality music recordings. ("deep fried memes" might also be a great source of cover, but research is needed.) original content should also be used; since information is just a difference from some initial state, comparing a file to a copy with a message hidden in it can make it obvious that steganography is being used. care should also be taken to maintain the characteristics of the noise in the "cover" message: it is suspicious when noise which should display some sort of bias, for example, is instead perfectly random. (the larger the cover message relative to the size of the hidden message, the easier this goal is to achieve.)
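as an added illustration of the "bias" point above (this is example code written for this post, not the author's tooling): a constructed "grainy" cover whose least-significant bits carry a realistic bias, ciphertext-like bytes written into that lsb plane, and the windowed lsb-ratio check a detector could run. the cover, the bias value, and the random payload standing in for ciphertext are all constructed.

```python
import random

def make_cover(n, bias, seed=1):
    """constructed grainy cover: n bytes whose lsb is 1 with probability `bias`."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        out.append((rng.randrange(256) & 0xFE) | int(rng.random() < bias))
    return out

def embed_lsb(cover, payload):
    """overwrite the lsb of the first 8*len(payload) cover bytes with payload bits."""
    out = bytearray(cover)
    nbits = 8 * len(payload)
    if nbits > len(out):
        raise ValueError("payload too large for cover")
    for i in range(nbits):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return out

def extract_lsb(stego, nbytes):
    """inverse of embed_lsb: reassemble nbytes from the lsb plane."""
    out = bytearray()
    for j in range(nbytes):
        b = 0
        for k in range(8):
            b = (b << 1) | (stego[8 * j + k] & 1)
        out.append(b)
    return bytes(out)

def lsb_ones_ratio(data, start=0, end=None):
    """fraction of lsbs set in data[start:end]: the bias a detector compares to the medium's norm."""
    chunk = data[start:end]
    return sum(b & 1 for b in chunk) / len(chunk)

def demo():
    cover = make_cover(80_000, bias=0.62)            # constructed, biased noise
    payload = random.Random(7).randbytes(1024)      # stands in for ciphertext
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload
    used = 8 * len(payload)
    return {
        "cover_bias": lsb_ones_ratio(cover, 0, used),            # ~0.62
        "embedded_region_bias": lsb_ones_ratio(stego, 0, used),  # ~0.50: suspicious
        "untouched_region_bias": lsb_ones_ratio(stego, used),    # ~0.62
        "whole_file_bias": lsb_ones_ratio(stego),                # ~0.61: barely moves
    }
```

the whole-file ratio hardly changes because the cover is much larger than the message, but a sliding window over the embedded region shows noise that is "too perfect"; spreading the bits across the cover, or preserving the bias while embedding, is what the paragraph above is asking for.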

the use of both encryption and steganography is important, of course: if the steganography fails and any part of the message is not encrypted, then the unencrypted portion will be revealed. (always pursue "defense in depth." never depend on a single layer of defense holding up for one's protection, if it can be helped.)

because good steganography is invisible when used carefully, it may be employed to create theoretically undetectable communications networks atop whatever platforms one chooses, effectively subverting the power dynamics of each platform's design and avoiding detection. these communications networks could be employed to carry messages employing strong cryptography despite any legal restrictions which may be in place, thus preserving the integrity of the closest thing one has to a body in the digital world. (this idea is very similar to what is described in the stegobot paper.)

since using steganography on the clearnet means one's isp may trace one's messages directly back to one's physical person if or when one's steganography fails (assuming one has sent them from one's own computer over one's own internet connection; doing otherwise introduces its own set of problems), this is not ideal. however, if or when strong encryption is outlawed, one may not have any other alternative. in such a case, it would be advisable to have tools, techniques, and procedures already in place to ease migration from openly secure communication to covertly secure communication. once openly secure communication channels are no longer an option, bootstrapping a covertly secure communication channel may become much more difficult.

these considerations aside, there are two other potential difficulties one should keep in mind:

  • if any specialised tooling is used, it becomes obvious what one is doing if one's devices are seized or compromised. ideally one's devices and tools will be entirely innocuous and natural for one to possess. this may mean much of one's technique may need to live entirely in one's head.

  • if the tools and devices one uses for cryptography and steganography cannot be trusted, then everything else is completely irrelevant. no amount of encryption will save one if intel management engine has been performing keylogging on behalf of some remote attacker.

i have spent my time mostly trying to address my own concerns about that last one, as it seems foundational to me. as i near a place i am comfortable with, my goal is to share what i have done in its pursuit, broaden the path a bit, and allow those who come after to hopefully make fewer compromises than i have made, and to modify what i have done in a way that makes sense for them.