Unfortunately, he couldn't make it. So you get the alternate speaker, which in this case is me. My name is Elonka Dunin. I'm going to be speaking on steganography. This is not the same as the talk that's going to be immediately after mine, which is going to be on steganographic trojans. My talk is going to be more about an overview of steganography, and I'll be covering some stuff about whether or not Al Qaeda was using it to hide messages inside of web images.

My own background is like my current career is game design. I am a manager at a company that runs a website called play.net. We do many massively multiplayer online games. So I've been doing that for over a decade, and all my hobbies were in solving puzzles. And I would talk at various game developer conferences and other fan conferences, such as at DragonCon in Atlanta, if anyone here has been to that. And since that would be part of the Electronic Frontiers Forum, I would run into other people that were talking in that track, which would be people from the various 2600 groups and whatnot, kind of pass them in the halls. And so through that convention, I heard about a puzzle challenge a couple of years ago that was called the PhreakNIC code. And it was a code challenge with the prize offered to the first person that could crack it. And it had been a year, and no one had cracked it. So I heard about it through this convention. I was bored one weekend. I took a look at it, and I cracked it in 10 days. And so I went on a free trip to the con and T-shirts and drinks and hotel and all that good stuff. Since then, I've cracked a few of the other codes that are put out as code challenges. As a matter of fact, I've cracked so many codes in SE2600, Southeastern United States, as a matter of fact, that I'm no longer allowed to crack any of the codes that are posted by these groups. So like the Atlanticom code was handed out on a sheet.
And at the bottom, there was a little note that said, on note, past puzzle crackers are ineligible for prizes associated with solving these codes. Give someone else a chance, Elonka.

Since I've got all this crypto stuff kind of fresh in my mind from cracking these codes, after September 11th, I did some other things. For example, I organized a crisis center where I was using some of my skills on the web to track down the status of every one of my customers that had been affected by the events of September 11th. And I also cracked a hoax, like there was one guy that used September 11th as an opportunity to declare himself dead and then went around online pretending to be his own widow. I was the one that figured that out, tracked him down, confronted him, got him to confess, got him to post a public apology and all that. If anyone wants more information on that, I can definitely give it to you.

Another thing I did after September 11th was I contacted the local FBI and I said, hey, I've got all this skill in cryptography that I've been doing now. Can I help with the war on terrorism? Is there anything, is there any way that I can be of assistance? I don't want pay, I just want to help. It's the right thing to do. And they said yes. And specifically, they said that they wanted more information about some of the newer cryptographic techniques such as steganography. And they wanted me to come in and give an overview talk. In St. Louis, one of the things they do is they have a monthly computer crimes task force where they're bringing representatives from all of the different agencies. FBI, Secret Service, Assistant US Attorney, postal inspectors, customs agents, everybody. And they sit down once a month and they share information, trying to ease the communication between all the different agencies. And then each representative from the different agencies goes back to their regular jobs and kind of shares that information.
So I was invited to one of those meetings to speak on cryptography and steganography, kind of describe what it is and how it might be used, if it's being used. And the talk that I'm going to give here is basically a version of that talk.

Okay, let's get into it. Is this better? Okay. Okay, so I've kind of introduced myself. Other things I'm going to be going over, I'm going to be talking about some of the cryptographic systems that I have familiarity with through the code challenges. I'll be defining what steganography is, talking about its history a little bit, then getting some examples of modern steganography. Then I'll be going over something that I called the 3Ds of defeating steganography, which is detect, decrypt, and destroy. How do you detect a message? How do you decrypt it if it's there? And failing that, how can you destroy a message that's there? I give a sample use of steganography specifically on a code challenge that I wrote, which is a beginner code challenge. I call it the Elonka Code. And then a summary, and I've also got a bibliography and some recommended reading.

Okay, I'm general manager of online community at Simutronics Corporation, which was a company that I and the CEO got going out of an apartment loft. So we're one of the dot-coms and one of our claims to fame is that we're still here. I've been doing multiplayer games for over 12 years. Been a computer hobbyist forever. My dad was involved in early days of computers, like my father was on the team that launched the very first geosynchronous communication satellite. He used to work at Hughes Aircraft and my mother's also a university professor. Some people in the 2600 scene, I see a few people around the audience here that I chat with via IMs and the crypto geek chick. Also last year, I was the speaker at the first DEFCON girls' luncheon, which was hosted by MOLOC and I spoke on how I cracked the PhreakNIC code down. This stuff is not on the DEFCON CD.
The slides will be on the PhreakNIC website. I'll be speaking also at PhreakNIC this year, which is the Nashville Hacker Convention. I have flyers up here. So after the talk, if anyone wants to come up and grab a flyer with information, feel free. Also, somebody gave me some mini CDs, which he says that there's a stego tool on here called Hide4PGP. I have not used it. I can't give it a recommendation or a flyer or anything, but if anybody wants it, it's here. There's a whole big stack on here.

Okay, so I was the first person to crack some of the PhreakNIC codes on the Lanacon 2 code and then I also mentored several people online on cryptography and then they write their own codes and I cracked those codes. And I told you about the Crisis Center and the hoax that I cracked.

Okay, so fact and fiction. The common knowledge was that terrorists were embedding hidden messages in high traffic web images, like on eBay and on Amazon, and they were passing them through public newsgroups and that they were also swapping images in chat rooms and hiding messages inside those chat rooms, especially via porn. Again, this is what people were saying. Okay, for example, here's an article by USA Today. Now we did this article, terror groups hide behind web encryption, and they had a sinister picture of Osama bin Laden there. Wired Magazine covered it, Bin Laden: Steganography Master? Also that secret messages come in waves. ABC News covered it as well. Now a secret language, hijackers may have used secret internet messaging techniques.

Well, I have been researching the heck out of this and talking to many, many experts and so far I've not been able to find a single shred of evidence that hijackers were using any kind of steganography to hide any message anywhere. If anyone has proof of it, feel free to come up and tell me. I have one, like I spoke to Peter Wayner who wrote the book, Disappearing Cryptography. I met him at H2K2 a couple of weeks ago and he says it's the same thing.
He's traced it back and he can find no proof. He traced it back and he'll say something like an official said or a source said. He and I were joking that with my talk here, which has been going around the government agencies now, it's also been forwarded around to DC. It's going through the State Department, the Office of Foreign Affairs, Pentagon, Department of Defense. And Peter Wayner and I are concerned that somebody in government may be looking at my talk, seeing the slides, and not paying a lot of attention to what I said, and they may be walking away with a false impression and then saying, well, I saw some presentation that said Al-Qaeda was hiding messages inside of web images. So if you hear any more rumors on it, I'm probably going to be the source on it.

Okay, I will talk about what steganography is. I break down the words, like stegano, from the Greek stegos or roof, it means covered. And the word graphy, which is the Greek for writing. So it means covered writing. Most people might see the word and think of this as in stegosaurus, which is a covered or a roofed lizard, not a type of cryptography.

Okay, what is steganography? Okay, the definition of steganography is a way of hiding a message in such a way that it is not immediately obvious that there even is a hidden message. For example, in a sentence, after the theater, all clients keep a tab down at Wesley's Nook. Anyone see a secret message there? Very good. I'm impressed, very good. You guys got that really fast. Yeah, if you take the first letter of each word and it's just very, very simple form and you highlight it all, you do get a message that says attack at dawn.

So we have captured some of the code books that Osama bin Laden's people did use and we know what kind of messages they sent. Most of it is just open text and communication. When they did use a code, it was generally a very, very simple code.
For example, we have proof that at one point when talking on a cell phone and they wanted to refer to the FBI, they didn't say FBI. Instead, what they said was food and beverage industry. If they wanted to refer to Osama bin Laden, instead of using his name, they would just say the director. If they wanted to say bomb, they would use an Arabic word for baby food. And everything else that we found was basically just open text and communication. Again, there's no examples of them using steganography to hide a message inside of any kind of a web image.

Okay, historical background of steganography, cryptography, basically there's three main types of ciphers. Substitution, transposition and concealment. Substitution being where you swap one letter out for another. Transposition where you move the letters around. And concealment, which is where you're hiding a message. So steganography is basically just a concealment cipher.

Early examples, for example, about 2,000 years ago, Herodotus wrote about this. There was a general that needed to send a message across an enemy line. And he knew that any messenger he sent would be thoroughly searched. So he came up with the interesting road hand on it where he took a messenger, he shaved the guy's head. Then he tattooed a message onto the guy's scalp, waited for the hair to grow back, and then sent the messenger across enemy lines. So the messenger was searched, and then found the message. He went and talked to the king that they were trying to get the message to. He could shave his head and just point his head at the king, and there was the message. That is a very early example of steganography.

Invisible ink, when you write one message in pen and another one in lemon juice or lemon juice or something on the paper, that's steganography. Newspapers, it used to be when you were sending a letter through the post, that you would be charged postage to send a letter.
But if you were sending a newspaper, there was a loophole, where sending the newspaper would be free. There was no charge to send newspapers through the mail. So of course, the early hackers of that time figured out a way to use the system to send messages for free. They would take a newspaper and they would poke pinprick holes, like if they wanted to say, Dear Aunt Sally, they would find a letter D on the page, poke a hole under the letter D, find a letter E, poke a hole under the E, A, poke a hole. And that way they'd send the letter for free, no charge. The recipient, when they received the newspaper, they could just hold it up to the light, see the pinpricks and be able to read the message that way, no charge. So the methods have been changing over the years, but the discipline is basically the same.

Okay, these are some of the types of cryptography that I've been running across when I deal with these code challenges in the hacker subculture. I will go into all of these in detail, ROT13, anagrams, Vigenère ciphers. I do talk about this, there's some elite speak over here on the right-hand side, which some of you are probably familiar with. I am a elite haxor. We're basically, if I see anyone using this extensively, it basically means to me that they don't want to be.

And some of the less about codes that has really caught the imagination of the SE2600 group in the South-East United States, and other places as well, but it's really big in South-East, is the CIA's Kryptos monument, which is a monument to cryptography, which is at CIA headquarters in Langley, Virginia. And it's been there for over 10 years and there's a code on there. So far, we know that it's been broken down into four sections. Only three of them have been solved so far. There's a fourth section that hasn't been solved yet. But there's been a lot of discussion on the web.
And anyone who probably knows about cryptography has probably run into some mention of the Kryptos monument at some point. One of my goals with my talk is, I'm hoping I'll be invited to CIA headquarters to give my talk, and that way I'll have an excuse to go in there and I can sit on that rock and have a sandwich and stare at that sculpture for a while. I tried to get in there once. There's no street address for CIA, so I figured out where they were by using satellite recon pictures and looking for the outline of the building. And then I got the latitude and longitude and found it that way. But when I drove up, a lot of big guys with guns came out and wouldn't let me in.

Okay, the PhreakNIC 3 code, this was released in 1999. I told you I cracked it in 10 days and won a free trip to a hacker con. Then I wrote a tutorial about how I'd cracked it. This is all on the web. My, I've got several websites, the easiest one to remember is elonka.com. So if you go to that one, I've got links to all of these from there. And the PowerPoint slides will be up there eventually as well. And so I talked about all the different types of cryptography that were used in the PhreakNIC 3 code and how I kind of built into the center of it. And I put in a lot of in-jokes, you know, cyberpunk, you know, counter-culture jokes. I won't go into detail about how I solved the code, but it had several different systems. Hexadecimal, ROT13, anagrams, PGP, a pointer to a secret web page, steganography, red herrings, the whole bit. And one of the things it did was it pointed to this secret web page, which was on the PhreakNIC.org website. And on this page were two pictures. And one of the pictures was Johnny Axe, who's the guy who wrote the code in the first place. And I don't know if you can see it on the slides, but he's holding up a sign with a bunch of numbers. And what those numbers were, were hexadecimal and then a long string.
Hexadecimal, it stood for the letters ISBN, and then a number, it was an ISBN number for a book, which was called Disappearing Cryptography, which was written by Peter Wayner about steganography. And then this lower picture was a picture of Johnny Axe's girlfriend's stomach. And he wrote on her stomach the message Geography Ants, which is an anagram for the word steganography. And then in this top picture here, Johnny Axe had hidden a message using steganography with the password of steganography. And I was the first person to figure all this out and get to the center and then get instructions about what I was supposed to do next. His instructions were, and he didn't assume that a woman would be the person to solve this code, but he said I had to post a message to a specific hacker mailing list, which is the SE 26 on a root list, explaining why I like to go swimming with bare-legged women and swim between their legs. I also had to post the message in haiku or sonnet format. This was kind of a quandary for me. I don't have the stuff to solve the code when I'd write something like this. Anyway, I came up with something, haiku is the one that was the 5-7-5 sort of format. So I posted a message saying, Johnny Axe and I will discuss things aquatic if he wears a suit. And that was how I announced I'd solved the code. Took him a month to respond and admit that I'd done it, but he finally did.

Okay, I'll get away from that, going back to modern steganography. Messages can be hidden in images and audio files and videos, webpage, text. Can everyone still hear me with the plane there? Okay. Okay, for those who are not familiar with cryptography and steganography, if you can have one takeaway from this about what it is, remember the phrase polar bear in a snowstorm. Like if you ever saw a little kid in a school hold up a sheet of white paper and say, what is this a picture of? Ha ha ha, it's a polar bear in a snowstorm.
Well, basically that's kind of describing what steganography is. For example, this icon over here, it says snow. This is actually the icon of a company called Snow Software, which writes steganographic utilities. It's something called white space steganography, which I think is really cool. And if I open that image up with Paint Shop Pro here and I look at the palette, there's actually three different colors in that image. You can ignore all this stuff in the middle, and we're just looking at these three colors in the top left-hand corner, which is black, white, and white. So, why are there two shades of white? Okay, well if you drill down further into what the RGB values are, black of course has an RGB value of zero, zero, zero. White has an RGB value of 255, 255, 255. Now this image has two shades of white. One of them being 255, 255, 255. The other one being 255, 255, 254. It's exactly one bit off from normal white. The human eye looking at it will generally, will not be able to see the difference between these two shades of white. But what I'm gonna do here is I'm gonna change one of these shades of white to a different color. And now we see what image was actually there, a picture of a polar bear in that snowstorm.

Okay, this can be used as steganography, it can be used for many things, which is watermarking. There's lots of tools out there. You can hide it in pretty much any type of format. You can hide it in GIFs, WAVs, JPEGs, pipped files. Pretty much any type of file format out there, there's probably a utility to hide something in it with steganography. This is a page I pulled off the web that lists a bunch of steganography software. You can't really see it up at the top, but it lists all of these different platforms so you can select which one you want. Windows, Java, Macintosh, OS/2, Unix, Amiga. Any kind of system you've got, there's freely available software utilities for it. This is just a picture of one called JSteg.
It's a very simple point and click interface. Hide a file in an image, extract a file from an image. This is one called JPHide. So you have the input file, the hidden file, the save file. We'll go up here, we can set a passphrase. This is one I use a lot called S-Tools. I think S-Tools is really awesome.

Okay, so here I actually hid a message inside of a picture that I pulled off the CIA website. So here's the unencrypted image on the left-hand side and then I hid something in it with S-Tools and this is the image on the right-hand side. If you look at the difference between the two images. On this side, the file size is actually 164K. After encryption, it's actually 150K. In this particular case, S-Tools actually shrunk the file size by reactive encrypting something in it. The color depth though, that's really key. On this one, we have 156 different colors that are in that image. After encryption, 252 colors. So many, many new colors were added to the image as a way while something was being hidden inside of it. The password I put on this was Mending Wall and I used an encryption type of Triple DES. This is what I hid inside that image. It's the Robert Frost poem Mending Wall. The good fences make good neighbors. So if you look very closely at the image, you're not going to see this text. It's hidden in different ways than that. If you were to highlight the bits, it would look basically like static throughout the image.

Comparing the palette between those two images, here's the palette before encryption. And then on the right-hand side, we get the palette after encryption. Specific things to look for. I don't know, again, I don't know if you can see it on the screen. But like if you look at the number of whites and the number of greens, I've sorted by luminance here. And then over here, we get like a group of four whites and you get over here a little group of four blues and over here a little group of four ambers.
And so what it's been doing is it's increasing the number of colors that are very, very close to each other, very close color pairs. Also, if I look down here at the black part of the palette, there's a black which is 001 and then the second blackest black is 001. So we're getting these colors at exactly one bit apart, which is a big flag for me that steganography may be being used in that image.

Here I hid something much larger inside of the Mending Wall picture. So again, on the left, we have the image before encryption. On the right, we have the image after encryption. And at this point, I tried to shoehorn a lot more data. I tried to hide a 100K file inside of it. So we see that the color depth first, we have 156 colors on the unencrypted image. The encrypted image, we have 256 colors. So it uses all the colors that are available in order to do this. And then the file size went from 164K up to 252K. So by putting more data into this container image, it's actually ballooning the container image larger. And comparing the palette on this, again, I don't know if you can see it on the screen, but here we're getting many more different kinds. We're getting a big block of yellows and a big block of eight different greens and a big block of eight different purples. So it's really expanding those very, very close colors.

Audio files, you can do the same kind of things. Again, you're using the least significant bits to hold data. There's also ways to transmit messages, like maybe in an unhearable part of the audio spectrum. A group, MoLoc, did something where they encoded each musical note as a numerical value and then laid down an audio track in the background of some existing music. And that way, they had an encrypted message there using the notes. Also, this is, there's a story that I heard at DEF CON either last year or the year before, where somebody wanted to defeat cryptography export regulations.
So they converted the ISO source code into sound and then broadcast it to foreign countries via radio. Okay, I think I'm hooked up for sound. I put a very small thing into a sound file. It's basically the sound of a phone ring. If it doesn't come through, my apologies. It's not gonna be signed. Basically, I'm just doing this to show that there's no difference between the sounds. Here's a picture of the actual waves of the sounds. This is before encryption, after encryption. Blowing this up, you can see the way the wave looks. Then after encryption, again, it's basically the same wave but very, very tiny little one-bit differences in the wave.

Messages in video files, again, you could do this by adding things with the least significant bits of the data. There's also a lot of visual ways. For example, there was a lot of speculation about whether Osama bin Laden was hiding messages inside of the videos that he was sending, because there would be like a video with Osama bin Laden and his lieutenants and then shortly thereafter, there'd be some sort of a terrorist attack somewhere. So you're wondering whether there were secret messages being hidden there. It may not have been a mistake, I mean, it could be as simple as hand signals. For example, blackjack card counters when they work in teams. You have one person playing cards who's not counting and then someone else who's sitting across the table with his arms crossed, who is counting and signaling the player. And the signal might be as simple as if his hand is here, it means bet high. If his hand is here, it means bet low. So you can do a lot of things with simple hand signals. It could be a code saying, you know, if there's a certain al-Qaeda lieutenant sitting to Osama's left, it means something. If he's sitting to Osama's right, it means something else. I don't know, this is all just speculation on my part if they're doing this kind of thing. Eyeball code, they were sending in a movie.
A guy was working on his eyebrows and they were sending a code. Vietnam POWs also had their code that they would use to transmit messages from one cell to another. For example, they would take the alphabet and they would put it into a five by five grid. So you'd have A-B-C-D-E, F-G-H-I-J and so five by five, they doubled one of the letters in the alphabet. So the letter C, if they wanted to transmit the letter C, since it's the third column over and one row down, one, two, three, one, that would be the code for the letter C. And that way they could transmit messages back and forth between cells. Then if you get real good at that code, it doesn't have to be tapping. You can use other methods of communicating. For example, if you're coughing while you're standing on that would be a way of transmitting a message, shuffling your feet, all different kinds of things you can do.

Messages in web pages, the way that the data is arranged on a page can convey a message. White space steganography, for example, Snow software, they've got a really cool thing, a utility that will take a web page and then they'll insert spaces at the end of lines, one, two or three spaces, which is holding the data of the message that they want to send. And then they'll get the page, read the spaces and there's the message. Peter Wayner, in the new version of his book, Disappearing Cryptography, talks about ways to transmit messages in David Letterman's top 10 list. There's many different ways that you could do this. A simple way might be each time the top 10 list is shown, the jokes are still there, the content is still there, but say each item on the list, if it's an odd number of words on the list, that might be a binary zero. If it's an even number of words on the list, that might be a binary one. So each time you post the list, you're getting some data across the highway.
We can also do things with verb tenses, active words, passive words, sports announcers saying it's a long fly ball to the left field. But if they change that in instead of saying to the left field, it's a long fly ball. We've got all these different ways of transmitting data just by rearranging words.

Okay, so ways that terrorists could be using steganography potentially, like if they had a tourist information website, a sender would just need to upload a new picture to the site with something inside of it. The receiver would view the page, they wouldn't even necessarily have to download the picture, just by viewing the page. Of course, the image is in their cache and then they could open it later. And there were several witnesses who did see Mohamed Atta, one of the terrorists, who was routinely going to libraries and was downloading images. So usually pictures of children and landscapes. But then again, he was also fitting into the American culture. Again, we had no proof that any of those images had anything inside of them.

Okay, on to the three D's of defeating steganography: detect, decrypt, destroy. Detection. How can you detect if something has steganography? You can look at the image's palette. As I showed you, look for very close color codes, count the number of colors. See if it has a suspicious number of colors in it. Look at the last modified date and size. If there's a web page where everything there was last modified three years ago and there's one image that's really new, that might mean something. Also differences in the types of images. For example, if all the images are JPEG and then there's one image on the site which is a bitmap, that might mean that it needed to be a bitmap because that is the utility that they're using. Steganalysis tools, there's a few out there. One was written by Niels Provos out of the University of Michigan. It's called Stegdetect and it analyzes JPEG images.
It's looking for the frequency of the DCT, discrete cosine transform coefficients. And I'll go more about, he did a very elaborate collection of data on eBay and I'll be going over that in a little bit. Secure Stego, written by Professor Jessica Fridrich in the United States Air Force, which is analyzing pairs of colors and images and still has Steganography Exploration Lab and I'm sure there's others out there but these are just some of the examples of a few. Also Niels Provos, he wrote this program called Stegdetect to analyze images and find out if they're using steganography. Then what he did is he wrote another steganography utility which could hide things in images that could not be detected by the steganalysis program that he'd just written. So it's a constant arms race. You tell it is a written laser found of locating them and then you tell it is a written round and round it goes.

Decryption, you can use the standard cloak and dagger on this. You go out, you find someone who has the password, you buy the password or you threaten them or whatnot. You get the password, the location and the message, what the encryption type is and what software they used and then you open the message. Also you can do these password dictionary attacks. So this is my normal rant about picking good passwords. A USENIX security workshop said that in any average group of passwords, no matter how many people are choosing good passwords, at least 25% of the passwords are gonna be bad passwords that are susceptible to dictionary attacks. And I used a program called Fast Zip Cracker. Some of the code challenges that I saw, it's kind of amusing because the people that are writing these code challenges think they're being all clever and they're putting clues to a password and then they'll have a password protected zip file. And as soon as I see a password protected zip file in one of these code challenges, I say heck to that, I'm just gonna pop it open with FZC.
And usually the people that are writing these code challenges pick bad passwords for their password protected zip files and they use four-character passwords. So anyone that wants me to demonstrate this, I would be more than happy to show how fast I can open a password protected zip file. You pick out like a simple four-letter password or a four-number password, I'll have it open in about 30 seconds. Better passwords are ones that use combinations of letters and numbers. Best passwords are really long and also use a variety of punctuation symbols. A lot of writing like that, I know.

Okay, so doing a dictionary attack on images, there is a utility called Stegbreak which runs password dictionary attacks on JPEG images. It can check between 15,000 and 112,000 words per second depending on the encryption type. And then if you use a distributed dictionary attack where you cluster a whole bunch of computers together, you can of course go through it much more rapidly.

Okay, so let's say you're not sure about detecting or decrypting it but you wanna delete anything that you see is there, there are ways to do that. You intercept the image and then you can change it in some way, for example, crop it to a smaller size or change its color depth. Save it in a different format. If it's a GIF, save it as a JPEG or some combination of those. Those will probably delete any data that's in there hidden with their steganography. Not always, you have to play with it. I do have images where I've tried cropping them and it did not delete the data that was in the image. I actually had to save it as a different format. But most likely these things will delete the data that's there.

Steganography does have other weaknesses. Of course password security is always a weakness. To use it, you need to have a certain amount of technical literacy. You need to have computers, you need to have software. So if you're out in the desert somewhere where you don't have access to power, that can be a problem.
That's about interception. If someone's posting a message on a web page that's being viewed by 200,000 people, you don't know if someone else is routinely downloading your images and reading messages if they've already gotten the password. Messages need to stay small. Most minor web images are less than 10K. So source files that are smaller, like a page of text, one or two K, can be hidden pretty easily with steganography. But large source files, spreadsheets, diagrams, those are gonna be in the container image size or may not even fit at all. Audio files can hold even less.

So, fact and fiction. Going back, the University of Michigan did a comprehensive scan of eBay. They downloaded two million different images from eBay and then they ran the steganalysis tools on them, looking to see if they might have some sort of steganographic content. They identified 17,000 out of those two million that might have steganographic content. And 15,000 of those might have been encrypted with a program called JPHide. That was the signature that they found. So then they clustered 60 different computers together, did a massive dictionary attack, found nothing, zero. They did put some tracer images in there and the tracer images were found okay. But they didn't find anything else. Then they went on to Usenet. They downloaded one million messages off of Usenet. This time they clustered 200 computers together and again found nothing, nothing. This is the picture of the webpage from the University of Michigan. Anyone who wants more data on this, I can get you this info.

Now there were weaknesses to the Michigan study. For example, they were only looking for very specific types of steganographic encryption. They were only looking for JPEGs. They were only looking for things that were encrypted with OutGuess or JSteg or JPHide. They weren't looking for S-Tools. They weren't looking at bitmaps or GIFs or WAV files.
Plus, if terrorists are doing it, it's possible that the terrorists may have written their own independent applications which would not be found by this kind of a study. And they only looked on eBay. They only looked on Usenet. Also, when they did their dictionary attacks, another weakness is that they didn't look for very many languages. They were only looking for English, French and German dictionaries. They weren't looking for Arabic. They weren't looking for Farsi. Though they did have some words that were from the Quran. Also, it's possible that something had been encrypted in there that had a really good password that was dictionary-proof and just wasn't found. So it's possible.

But again, looking at that Usenet security workshop research, humans being what they are, statistically something's gonna be findable. And the fact they found nothing, well, their conclusion was that there were three possible explanations. Either there's no significant use of steganography on the internet. Or nobody uses steganographic systems that they could find. Or all users of steganographic systems carefully chose passwords that were not susceptible to dictionary attacks.

So I know there is steganography on the web. I've got two examples on my own personal website. These kinds of things were never found by the study because again, it was only looking for JPEG images and not on major web scans.

Oh, they did find one image. This was, ABC News did a segment on steganography and as part of the segment, they said, on this website, we have an image which has something in it which was hidden with steganography. And so the University of Michigan pointed the machine over at this web page and, surprise, found an image that had something encrypted and it was steganography. The password on the image: ABC.
So, now this top image is the image that was the cover image that was on the website, and inside of this image they had this image which was hidden, which was a satellite picture of some planes.

Okay, here's another example of steganography on the internet, the Alanka code. I wrote this in February of this year. I used several different cryptographic techniques in it. Again, I'm not gonna go through it in detail. It's so far it's been solved by, actually this is a little idea. Nine different people have solved it in seven different states so far. I did contact each one of these people and say, you know, I'm gonna be talking to the FBI. Is it okay if I put your name up on the slide that's going up in front of the FBI? And every single one of them said, yeah, that would be really cool.

Okay, the Alanka code basically decrypts to a password and the instructions: go to my personal site and look for the image next to the FAQ question "why are icebergs blue". This is a screenshot of my personal site. I went to Antarctica a couple years ago on a big travel, I've been to every continent. And I went to Antarctica in 1999 and then did a web page about my trip with various pictures and FAQ questions. One page devoted to icebergs and I had to think about why are icebergs blue. This is a blue picture there was one that I took back in 1999. And inside that image I went and I hid something this year which had a secret message inside of it. This is the secret message. I don't expect you guys to solve it right now, but if anyone wants to see it later I'll show it to you. You can probably get it in about 10 minutes.

Okay, so we're starting out if we're going in the future. There is a new edition of Peter Wayner's book called Disappearing Cryptography. It just came out in May of 2002. If you want to get a book on steganography, this is the book I recommend. He's the expert as far as I'm concerned on steganography and I did get a chance to meet him a couple weeks ago. He's a very nice guy.
Steganography will be used for things like music and video, watermarking, documentation. For example, perhaps when a physician takes an X-ray of you they'll be able to hide the physician's notes inside the X-ray using steganography, that way everything stays together. Pixel voyages, there's been a discussion like right, we had the Carnivore which is scanning emails, perhaps there'll be some utility called pixel voyage, scans of the image that goes through looking for something with steganography. But it continues to be an arms race. New utilities are written, new ways of using steganalysis are written, more utilities are written, run around.

So, summary. Steganography is a way of concealing messages inside other media such as sound files and graphic images. There are many freely available steganographic utilities which are out there on the web. Steganography is extremely difficult but not impossible to detect, and there are many anecdotal stories about the use of steganography on the internet, but so far no one has been successful, at least publicly, in running mass scans and finding any.

I had some contact information. The easiest way to contact me is if you're on AIM, my screen name is Ilanka. And I've got a lot of things I'm recommending, reading and different articles. Again, I can send you this information or I'll be posting a link to it via the FreakNIC site. Again, I have flyers for the FreakNIC convention which are up here and some software CDs.

Any questions? Way in the back with the hat. The question is why didn't they scan the obvious sites such as embassies and the CIA and those things? I spoke very briefly with Niels Provos online and my understanding is that they wanted to have a very specific quantifiable way of gathering data, and since there were lots of rumors about eBay and Usenet that they go to eBay, they downloaded two million images, so it was a very focused getting a very large sample from one location.

Black shirt.
The question is did the tracer images that they used have dictionary-proof passwords on them? I'm sorry, I do not know that. If I see Niels I'll ask them and then see if you want to come up and get me a new address and I'll get you the information.

Blue shirt. Yes, how many people have noticed that there were some letters in the presentation that were colored a little bit differently? Did anyone get any message out of those letters? What did you get? Okay, I'm impressed, she got it. There was a secret message that I hid inside my presentation. The way that I flagged it is that I had a headline and the headline was either bold or it wasn't bold. If it was bold, it was a signal that there were some letters in the slides that were colored a different color. I've given this talk to a lot of people and you're the very first person to actually get the message out of that. So the message that I hid was "anything they can do we can do better." Oh, you're a T-shirt.

Any other questions? Here in black shirt. My briefing will eventually be on the FreakNIC.info web page. So at the FreakNIC convention I'll also be speaking there, that it'll be on Nashville, and I'll also have a link to it from my own site elanka.com.

Any others? Any other questions? Way in the back, white shirt. I'm sorry, I cannot hear a single thing that you are saying, something about the answers. Sorry, if you want to come up here you can ask.

Anyone else? Any other questions? Oh wait, I have some more flyers. We're out of CDs, the CDs are gone, but we do have FreakNIC flyers up here. Anyone else? There are some more CDs downstairs. Okay, that's it. Thank you very much.
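
The intercept-and-alter step described in the talk (crop the image, change its color depth, save it in another format), as an added example that is not from the talk or from any tool it names. It assumes a toy scheme that writes the payload into pixel least-significant bits in row order, on a constructed grayscale image, and shows why a crop can leave the hidden data readable while a color-depth change wipes it.

```python
import random

def make_image(width, height, seed=1):
    """Constructed sample cover: rows of 8-bit grayscale pixel values."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]

def embed(image, message):
    """Hide a 1-byte length prefix plus the message in pixel LSBs, row by row."""
    data = bytes([len(message)]) + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    width = len(image[0])
    if len(bits) > width * len(image):
        raise ValueError("message too large for cover image")
    out = [row[:] for row in image]
    for n, bit in enumerate(bits):
        r, c = divmod(n, width)
        out[r][c] = (out[r][c] & 0xFE) | bit
    return out

def extract(image):
    """Read the LSBs back; None means the length prefix overruns the image."""
    flat = [p & 1 for row in image for p in row]
    def byte_at(i):
        return sum(b << (7 - k) for k, b in enumerate(flat[i * 8:i * 8 + 8]))
    if len(flat) < 8 or (byte_at(0) + 1) * 8 > len(flat):
        return None
    return bytes(byte_at(i + 1) for i in range(byte_at(0)))

def crop_rows(image, keep):
    """Crop from the bottom, keeping the first `keep` rows."""
    return [row[:] for row in image[:keep]]

def reduce_depth(image, bits=4):
    """Requantise every pixel to `bits` bits, as a colour-depth change does."""
    drop = 8 - bits
    return [[(p >> drop) << drop for p in row] for row in image]

def demo():
    secret = b"meet at noon"                      # constructed payload
    stego = embed(make_image(32, 32), secret)     # payload fills rows 0-3
    return {
        "untouched": extract(stego),
        "crop_to_8_rows": extract(crop_rows(stego, 8)),   # payload rows kept
        "crop_to_2_rows": extract(crop_rows(stego, 2)),   # payload cut off
        "depth_reduced": extract(reduce_depth(stego)),    # LSBs zeroed
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this toy scheme a crop only removes the message when it cuts into the pixels that carry it, whereas requantising touches every pixel, which is consistent with the speaker's experience that cropping alone did not always work.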