I would have to argue that it is infeasible to produce software that can
reliably detect the presence of steganographic data in an arbitrary file.
Assuming that the files used are already high entropy, like compressed
images, the detector would have to compare entropy levels against some sort
of baseline, or compare the file in question against its unmodified original.

The first case, comparison of entropy levels, I have heard mentioned
before, but I believe it to be worthless in practice.  Entropy levels for
.jpg images vary tremendously with both source image complexity in color
space as well as the compression level chosen at quantization time.  Not to
mention the obvious problems with hiding data in a lossy format.  Lossless
formats, far better suited for steganography, like .GIF or .PNG, vary even
more in entropy levels by the nature of the simpler compression levels.
There is no baseline to test against, as normal variation of all
significant metrics significantly exceeds variation caused by change or
addition of data to any given image.

The second case is far more interesting from a theoretical standpoint -
that of comparing files from the unmodified original.  Technically this
would work just fine, as it is a simple variation of the classic key
management problem.  That said, it is a relatively trivial matter to
manipulate image names and headers such that an arbitrary image can no
longer be matched to another single image, given that the stego would have
also changed the body.  If the source image set were small enough, this
would be possible, but there are far too many images available in online
collections (especially in the adult porn area) to make this likely.

Stego detection is interesting and can be easily demonstrated in a lab for
clueless senior management types to secure funding by rigging the test in a
number of ways, but it is likely it will never be possible in practice.

At 06:48 PM 8/11/00 -0700, Stanton McCandlish wrote:
>Interesting.  But my main concern was the anti-stego software.  I can't
>see how it relates much to child porn (you can't hide a typical GIF or
>JPEG inside another one - it takes huge amounts of data in which to
>hide little amounts of other data that way).  It seems to me that the
>anti-stego tools are being developed for completely different purposes,
>such as to detect short stego'd messages (on any topic) in e-mail file
>attachments.  All this "pedophiles" hooplah smells like a handwave to
>me.
>
>That, and the lack of any evidence so far that these tools will be used
>in compliance with legally authorized investigation procedures, or any
>way for the public to oversee police use of such technologies.
>
>
>At 4:26 PM -0700 on 8/11/00, Kerry L. Bonin wrote:
>
>
>>>Any of these could raise some obvious concerns.  I'm curious if anyone
>>>might have a clear idea what "image matching software" is, and whether
>>>"steganography detection software" is even feasible and what one might
>>>do to defeat it.  The others are fairly obvious in both intent and
>>>viability.
>>
>> I've been thinking about this issue for some time and have an idea what
>> they may be referring to.  Politics and ethics aside, here's a technical
>> concept:
>>
>> Reading about other child porn busts like Innocent Images and some info on
>> the workings of these groups, it appears that "bona fides" are sometimes
>> established between pedophiles through submission of personal collections
>> of child porn.  One data point that stuck in my mind about this was a
>> "club" that required submission of 10k! images as the price of admission.
>>
>> Assuming the body of child porn in circulation is of some reasonable size,
>> and grows far less rapidly than adult porn, it should be feasible to
>> construct a "fingerprint" style database by scanning the collections the
>> FBI (and some postmasters) are known to have in their possession.
>>
>> An automated tool could then conceivably be created in conjunction with a
>> stateful inspection firewall or stateful passive line tap to recognize
>> when significant quantities of registered porn are being transmitted.
>>
>> The obvious counter for this would be encryption or steganography, which
>> was also mentioned.
>
>-- 
>
>
>--
>Stanton McCandlish      [EMAIL PROTECTED]       http://www.eff.org/~mech
>Online Communications Director/Webmaster, Electronic Frontier Foundation
>voice: +1 415 436 9333 x105   fax: +1 415 436 9993
>
>
>
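
The entropy-baseline case from the reply at the top of this message, as an added example that is not part of the original thread: it measures first-order byte entropy on clean covers of differing complexity and on the same covers after LSB embedding. The covers are constructed (mid-grey plus Gaussian detail), random bits stand in for an encrypted payload, and all function names are hypothetical.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """First-order Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def make_cover(sigma: float, n: int, rng: random.Random) -> bytes:
    """Constructed 8-bit 'image': mid-grey plus Gaussian detail of width sigma."""
    return bytes(min(255, max(0, round(rng.gauss(128, sigma)))) for _ in range(n))

def embed_lsb(cover: bytes, n_bits: int, rng: random.Random) -> bytes:
    """Overwrite the LSB of the first n_bits samples with random payload bits
    (random bits stand in for an encrypted message)."""
    out = bytearray(cover)
    for i in range(n_bits):
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)

def baseline_experiment(sigmas=(2, 8, 32), n=20000, fill=0.5, seed=1):
    """Return (entropy spread across clean covers, largest shift from embedding)."""
    rng = random.Random(seed)
    cover_h, shifts = [], []
    for sigma in sigmas:
        cover = make_cover(sigma, n, rng)
        stego = embed_lsb(cover, int(n * fill), rng)
        h0, h1 = shannon_entropy(cover), shannon_entropy(stego)
        cover_h.append(h0)
        shifts.append(abs(h1 - h0))
    return max(cover_h) - min(cover_h), max(shifts)

if __name__ == "__main__":
    spread, shift = baseline_experiment()
    print(f"entropy spread across clean covers: {spread:.3f} bits/byte")
    print(f"largest shift caused by embedding:  {shift:.3f} bits/byte")
```

This covers only the first-order entropy metric discussed in the reply; it says nothing about other statistics a detector might compute.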
