# steganography

one may expect that using strong cryptography may one day make one a target.
unfortunately, cryptography by itself is easy to detect. good encryption is
indistinguishable from a string of random bytes. in other words, it looks like
a high-quality source of entropy, or "noise." while many real-world processes
are "noisy," a communication channel that appears to be sending nothing _but_
noise between its two endpoints is suspicious!

steganography allows one to hide an encrypted message within the "noise" of
another "cover" message. if the cover message would not normally contain noise,
this is of course _still_ suspicious. care must be taken when using
steganography to hide messages only in media which can be expected to normally
contain at least _some_ noise. grainy photographs are a good example, as are
low-quality music recordings. ("deep fried memes" might also be a great source
of cover, but research is needed.) original content should also be used; since
information is just a difference from some initial state, comparing a file to a
copy with a message hidden in it can make it obvious that steganography is being
used. care should also be taken to maintain the characteristics of the noise in
the "cover" message: it is suspicious when noise which should display some sort
of bias, for example, is instead perfectly random. (the larger the cover
message relative to the size of the hidden message, the easier this goal is to
achieve.)

the use of both encryption and steganography is important, of course: if the
steganography fails and any part of the message is not encrypted, then the
unencrypted portion will be revealed. (always pursue "defense in depth." never
depend on a single layer of defense holding up for one's protection, if it can
be helped.)

because good steganography is invisible when used carefully, it may be employed
to create theoretically undetectable communications networks atop whatever
platforms one chooses, effectively subverting the power dynamics of each
platform's design and avoiding detection. these communications networks could
be employed to carry messages employing strong cryptography despite any legal
restrictions which may be in place, thus preserving the integrity of the closest
thing one has to a body in the digital world. (this idea is very similar to
what is described in the [stegobot](../refs/stegobot/readme.md) paper.)

since using steganography on the clearnet means one's isp _may_ directly trace
one's messages back to one's physical person if or when one's steganography
fails (assuming one has sent them from one's own computer over one's own
internet connection; doing otherwise introduces its own set of problems), this
is not ideal. however, if or when strong encryption is outlawed, one may not
have any other alternative. in such a case, having tools, techniques, and
procedures already in place to ease migration from openly secure communication
to covertly secure communication would be advisable. once openly secure
communication channels are no longer an option, bootstrapping a covertly secure
communication channel may become much more difficult.

these considerations aside, there are two other potential difficulties one
should keep in mind:

- if any specialised tooling is used, it becomes obvious what one is doing if
  one's devices are seized or compromised. ideally one's devices and tools will
  be entirely innocuous and natural for one to possess. this may mean much of
  one's technique may need to live entirely in one's head.

- if the tools and devices one uses for cryptography and steganography cannot be
  trusted, then everything else is completely irrelevant. no amount of
  encryption will save one if intel management engine has been performing
  keylogging on behalf of some remote attacker.

i have spent my time mostly trying to address my own concerns about that last
one, as it seems foundational to me. as i near a place i am comfortable with,
my goal is to share what i have done in its pursuit, broaden the path a bit, and
allow those who come after to hopefully make fewer compromises than i have made,
and to modify what i have done in a way that makes sense for them.
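an added example (not part of the original text or of any tool it mentions) of the earlier point that noise which should display a bias is suspicious when it is instead perfectly random: a detector that knows a source's usual least-significant-bit bias measures how far a file drifts from it as the hidden payload grows relative to the cover. the 0.40 bias, the sample count, and all function names are constructed assumptions, and uniform random bits stand in for ciphertext.

```python
import math
import random

P_ONE = 0.40  # assumed natural chance that a cover sample's LSB is 1 (constructed)
N = 20000     # number of cover samples (constructed)

def make_cover(rng, n=N, p_one=P_ONE):
    """constructed 8-bit samples whose lowest bit is biased toward 0."""
    return [(rng.randrange(128) << 1) | int(rng.random() < p_one) for _ in range(n)]

def embed(rng, cover, fraction):
    """overwrite the LSB of a random `fraction` of samples with uniform bits,
    standing in for ciphertext, which looks like random bytes."""
    out = list(cover)
    for i in rng.sample(range(len(out)), int(len(out) * fraction)):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out

def lsb_z_score(samples, p_one=P_ONE):
    """one-proportion z-test: distance of the LSB plane from its expected bias,
    in standard deviations."""
    n = len(samples)
    ones = sum(s & 1 for s in samples)
    return (ones - n * p_one) / math.sqrt(n * p_one * (1 - p_one))

def looks_tampered(samples, threshold=4.0):
    """flag a file whose LSB bias is implausibly far from the source's norm."""
    return abs(lsb_z_score(samples)) > threshold

def demo(seed=1):
    """z-score for the same cover carrying payloads of increasing relative size."""
    rng = random.Random(seed)
    cover = make_cover(rng)
    return {f: lsb_z_score(embed(rng, cover, f)) for f in (0.0, 0.01, 0.5, 1.0)}

if __name__ == "__main__":
    for fraction, z in demo().items():
        print(f"payload fraction {fraction:<4}: z = {z:6.2f}")
```

the untouched cover and the 1% payload stay within ordinary sampling variation, while the half-capacity and full-capacity payloads pull the lsb plane toward 50/50 and push the score far past the threshold.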