Word List Steganography from 1995 is far more secure than modern PGP

[GeniusJit]

John Walker, legendary creator of AutoDesk, wrote a tiny piece of software that embeds a message into a jpeg file. The message that accompanies the image is the decryption key.
In my last post, I established that PGP is vulnerable to Rubber Hose Decryption. How is decryption possible if no one knows you have received a secret message?
Children make a lot of noise but know so little. You'll learn to be quieter when you grow up.
Edit

Aminet - Search

aminet.net

The PC version is gone. It was on fourmilab as source code. It was written in Portable C, and finding a compiler is probably too hard.
I had an Amiga back then.
You'll need WinUAE Amiga emulator to run it. FS-UAE Amiga Emulator for people running *NIX systems.
It's even more secure than it used to be.

 

[MSR605Master]

"How is decryption possible if no one knows you have received a secret message?"
-- Nobody needs to know that you "intercepted" the secret message or the handshake. In war time, cryptographers were always at the front-lines trying to crack the enemies code.
The enemy did not need to know that this was taking place. But it's how we formed Signals Intelligence and why before every war we first deploy our reconnaissance teams.
"Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of signals, whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication (electronic intelligence—abbreviated to ELINT). As classified and sensitive information is usually encrypted, signals intelligence may necessarily involve cryptanalysis (to decipher the messages). Traffic analysis—the study of who is signaling to whom and in what quantity—is also used to integrate information, and it may complement cryptanalysis"

National Security Agency/Central Security Service > Signals Intelligence > Overview

Signals intelligence - Wikipedia

en.wikipedia.org

 

[GeniusJit]

"How is decryption possible if no one knows you have received a secret message?"
-- Nobody needs to know that you "intercepted" the secret message or the handshake. In war time, cryptographers were always at the front-lines trying to crack the enemies code.
The enemy did not need to know that this was taking place. But it's how we formed Signals Intelligence and why before every war we first deploy our reconnaissance teams.
"Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of signals, whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication (electronic intelligence—abbreviated to ELINT). As classified and sensitive information is usually encrypted, signals intelligence may necessarily involve cryptanalysis (to decipher the messages). Traffic analysis—the study of who is signaling to whom and in what quantity—is also used to integrate information, and it may complement cryptanalysis"

National Security Agency/Central Security Service > Signals Intelligence > Overview

Signals intelligence - Wikipedia

en.wikipedia.org

So, you think someone has been trying to decrypt every image file sent over the net since 1995.

Do you think the NSA are running WinUAE Amiga emulator looking for secret messages?

 

[ImposterJack]

Contextual for sure. Storing data in images that's encrypted might be more secure in some situations where it doesn't make sense to send a message, but if everyone starts sending images on a market for example to communicate any adversary would quickly figure out those images contain some sort of message and work to decode it.
There are only so many ways you can store data in a jpg, and unless you have an incredibly strong password (which most won't, it's human nature), I can see the encryption being weaker than PGP. PGP takes care of having a strong password.

 

[GeniusJit]

Contextual for sure. Storing data in images that's encrypted might be more secure in some situations where it doesn't make sense to send a message, but if everyone starts sending images on a market for example to communicate any adversary would quickly figure out those images contain some sort of message and work to decode it.
There are only so many ways you can store data in a jpg, and unless you have an incredibly strong password (which most won't, it's human nature), I can see the encryption being weaker than PGP. PGP takes care of having a strong password.

I can use every word in my reply as a simple way of making a complex password. I agree that it isn't suitable for the markets.
Everywhere else, it's brilliant.

 

[HoodRansom]

Steganography and encryption have different goals and are appropriate for different threat models. Steganography is hard. You have to make the overt data that hides the covert data as indistinguishable as possible from regular data. Let's not forget Kerckhoffs's principle. Assume the adversary knows how your system works.

 

[HoodRansom]

Also, would you please share the name of the program? I'm having trouble finding it by searching for John Walker and steganography.

 

[GeniusJit]

Also, would you please share the name of the program? I'm having trouble finding it by searching for John Walker and steganography.

Aminet - Search

aminet.net

The PC version is gone. I had an Amiga back then.
You'll need WinUAE or FS-UAE Amiga Emulator to run it.
It's even more secure than it used to be.

 

[GeniusJit]

I'd never heard of Kerckhoffs's principle. Thanks for the education. I love learning new things.

 

[Runner64]

Interesting

 

[ATmEater83]

The PGP and steganography have both very different use cases and should not be compared to each other like apples and needles.
Both have their place in the OpSec context of your operation.

 

[GeniusJit]

The PGP and steganography have both very different use cases and should not be compared to each other like apples and needles.
Both have their place in the OpSec context of your operation.

PGP is great for when you see it anyway, like addresses on the market.
A friend and I exchanged messages in the images on a website we both administered