How to stash secret messages in tweets using point-and-click ...

Steganography is the ancient practice of stashing secret text, images, or messages inside a different text, image, or message. Skiptomaincontent readercomments 56 with41postersparticipating,includingstoryauthor Sharethisstory ShareonFacebook ShareonTwitter ShareonReddit Steganographyistheancientpracticeofstashingsecrettext,images,ormessagesinsideadifferenttext,image,ormessage.ItdatesbacktoasearlyasthefifthcenturyBC,whenSpartanKingDemaratusremovedthewaxfromawritingtabletandwroteamessagehiddenonthewoodunderneathwarningofanimminentinvasionbyXerxes.SteganographywasacommontechniqueusedbyGermanspiesinbothWorldWars.Morerecently,ithasbeenusedtoconcealhighlyadvancedespionagemalwareinsideimagefilesandstashsecretal-Qaedadocumentsinsidepornographicimages. NowsteganographyisgoingmainstreamwithaservicethatembedshiddenmessagesinsidemoreorlessordinaryTwittermessages.Usersneedonlytypethetexttheywantotherstoseeinonefieldandthehiddenmessageinaseparatefield.Theservice,createdbyNewZealand-baseddeveloperMatthewHolloway,thenspitsoutatweetablemessagethatfusesthetwotogetherinawaythat'snotnoticeabletothehumaneye.Takethefollowingtweet: Tｈｅ ｔｅⅹthiｄdeｎ iｎ thіs⁰tweet іs soｓeϲｒeｔ thａt ｉt's⁰іmpossіｂle foｒ adⅴｅｒsａrіｅs ｔo readоｒ dｅteϲt⁰#stｅｇaｎｏgｒaｐhyｒoｃks #ｓecｕｒiｔｙ #privacy —DanGoodin(@dangoodin001)May8,2014 Securitythroughobscurity Embeddedinthevisiblemessage"Thetexthiddeninthistweetissosecretthatit'simpossibleforadversariestoreadordetect#steganographyrocks#security#privacy"arethewords"no,it'ssecuritythroughobscurity."Thelettersmakingupthesecrettextareexpressedinunicoderepresentationsthatareincludedinthepublicmessage.Theencodingaddedtothemessagesexplainstheunusualspacingandfontsfoundinthetweet.Withalittlemorework,orinformatsnotasconstrainedasTwitter's140-characterlimit,itwouldalmostcertainlybeeasiertocreatemessagesthatappearedlesscrude.Thesameservicetakesfinishedtweetsandferretsouttheirhiddencargo. Advertisement FurtherReadingSteganography:howal-QaedahidsecretdocumentsinapornvideoWhilesteganographyhaslongbeenreliedontosafeguardsensitivemessages,peopleshouldrealizethetechniqueislittlemorethansecuritythroughobscurity.That'sbecausetheembeddedsecretisripeforpluckingbyanyonewhotakesthetimetolookforit.Bycontrast,ciphertextgeneratedusingstrongandtime-testedencryptionalgorithmsisvirtuallyimpossibletodecodewithouttheunderlyingkey,whichcantakecenturiesormillenniatoguessusingeventhefastestcomputers. Soputsteganographyinthesamecategoryasdisappearingink.Itmayevenhaveusefulapplicationsinrarecircumstances.Forinstance,itmightbeaneffectivetechniqueforaprisonerofwarsendingapostcardtofamilymembers.Ifitweretoincludearandom-appearingsequenceofletters,itwouldbecleartocaptorsthatitincludedanencryptedmessage.IfinsteadthePOWcraftedapostcardthatusedeveryfifthlettertospellahiddenmessage,thecaptorsmightnotnotice.Thatsaid,steganographyismostlyfuntoplaywith.Itshouldneverbereliedontoprotectdigitalcrownjewelswithoutagoodreasonandwithplentyofforethought. PromotedComments Thismighthaveapracticaluseifyou'reattemptingtogetyourTweetsignoredbythemanyscrapingalgorithmsoutthere.ItmayonlybeamatteroftimeuntiltheTwittercrawlersbecomesophisticatedenoughtoseethroughthestenography,buttheredefinitelyseemstobealegitimateusehereforfoolingalgorithmstryingtoassimilateyourdata. Stenographyisfarmoreeffectivewhenyouuseitto,forexample,embedamessage-preferablyanencryptedone,orsomerawbinarydata-withinanimage.Thereareprogramsouttherethatwilldothat.Unlessyougotoofarwiththeamountofdatathatyoutrytoembed,itcanbenearlyundetectabletothehumaneye,orlooklikecompressionartifacts,whichpeopleareusedtoseeing.But"textwithintext"hasfailwrittenalloverit.(Andwithinit.) Securitythroughobscurityshouldn'tbereliedonasyouronlymethodofsecurity,butit'susefulinthatitisanaddedobstacleandcandeteralotofwould-bemiscreants.You'reprobablynotgoingtowanttoconveysensitiveinformationthiswayonitsown,butmaybeincombinationwithsomethingelseitcouldbeuseful.Everylittlebithelps,providedit'snotsomethingutterlyuseless. readercomments 56 with41postersparticipating,includingstoryauthor Sharethisstory ShareonFacebook ShareonTwitter ShareonReddit DanGoodin DanistheSecurityEditoratArsTechnica,whichhejoinedin2012afterworkingforTheRegister,theAssociatedPress,BloombergNews,andotherpublications. [email protected] // Twitter@dangoodin001 Advertisement Youmustloginorcreateanaccounttocomment. ChannelArsTechnica ←PreviousstoryNextstory→