Word List Steganography from 1995 is far more secure than modern PGP

GeniusJit

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
12
Post Replies
84
Status
away
Last seen
John Walker, legendary creator of AutoDesk, wrote a tiny piece of software that embeds a message into a jpeg file. The message that accompanies the image is the decryption key.
In my last post, I established that PGP is vulnerable to Rubber Hose Decryption. How is decryption possible if no one knows you have received a secret message?
Children make a lot of noise but know so little. You'll learn to be quieter when you grow up.
Edit
The PC version is gone. It was on fourmilab as source code. It was written in Portable C, and finding a compiler is probably too hard.
I had an Amiga back then.
You'll need WinUAE Amiga emulator to run it. FS-UAE Amiga Emulator for people running *NIX systems.
It's even more secure than it used to be.
 

MSR605Master

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
15
Post Replies
61
Status
online
Last seen
"How is decryption possible if no one knows you have received a secret message?"
-- Nobody needs to know that you "intercepted" the secret message or the handshake. In war time, cryptographers were always at the front-lines trying to crack the enemies code.
The enemy did not need to know that this was taking place. But it's how we formed Signals Intelligence and why before every war we first deploy our reconnaissance teams.
"Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of signals, whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication (electronic intelligence—abbreviated to ELINT). As classified and sensitive information is usually encrypted, signals intelligence may necessarily involve cryptanalysis (to decipher the messages). Traffic analysis—the study of who is signaling to whom and in what quantity—is also used to integrate information, and it may complement cryptanalysis"
 

GeniusJit

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
12
Post Replies
84
Status
away
Last seen
"How is decryption possible if no one knows you have received a secret message?"
-- Nobody needs to know that you "intercepted" the secret message or the handshake. In war time, cryptographers were always at the front-lines trying to crack the enemies code.
The enemy did not need to know that this was taking place. But it's how we formed Signals Intelligence and why before every war we first deploy our reconnaissance teams.
"Signals intelligence (SIGINT) is the act and field of intelligence-gathering by interception of signals, whether communications between people (communications intelligence—abbreviated to COMINT) or from electronic signals not directly used in communication (electronic intelligence—abbreviated to ELINT). As classified and sensitive information is usually encrypted, signals intelligence may necessarily involve cryptanalysis (to decipher the messages). Traffic analysis—the study of who is signaling to whom and in what quantity—is also used to integrate information, and it may complement cryptanalysis"
So, you think someone has been trying to decrypt every image file sent over the net since 1995.
😅 🤣 😂 😅 🤣 😂 😅 🤣 😂
Do you think the NSA are running WinUAE Amiga emulator looking for secret messages?
 

ImposterJack

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
23
Post Replies
101
Status
away
Last seen
Contextual for sure. Storing data in images that's encrypted might be more secure in some situations where it doesn't make sense to send a message, but if everyone starts sending images on a market for example to communicate any adversary would quickly figure out those images contain some sort of message and work to decode it.
There are only so many ways you can store data in a jpg, and unless you have an incredibly strong password (which most won't, it's human nature), I can see the encryption being weaker than PGP. PGP takes care of having a strong password.
 

GeniusJit

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
12
Post Replies
84
Status
away
Last seen
Contextual for sure. Storing data in images that's encrypted might be more secure in some situations where it doesn't make sense to send a message, but if everyone starts sending images on a market for example to communicate any adversary would quickly figure out those images contain some sort of message and work to decode it.
There are only so many ways you can store data in a jpg, and unless you have an incredibly strong password (which most won't, it's human nature), I can see the encryption being weaker than PGP. PGP takes care of having a strong password.
I can use every word in my reply as a simple way of making a complex password. I agree that it isn't suitable for the markets.
Everywhere else, it's brilliant.
 

HoodRansom

New Contributor
Joined
Feb 13, 2024
Threads
34
Post Replies
92
Status
away
Last seen
Steganography and encryption have different goals and are appropriate for different threat models. Steganography is hard. You have to make the overt data that hides the covert data as indistinguishable as possible from regular data. Let's not forget Kerckhoffs's principle. Assume the adversary knows how your system works.
 

HoodRansom

New Contributor
Joined
Feb 13, 2024
Threads
34
Post Replies
92
Status
away
Last seen
Also, would you please share the name of the program? I'm having trouble finding it by searching for John Walker and steganography.
 

GeniusJit

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
12
Post Replies
84
Status
away
Last seen
Also, would you please share the name of the program? I'm having trouble finding it by searching for John Walker and steganography.
The PC version is gone. I had an Amiga back then.
You'll need WinUAE or FS-UAE Amiga Emulator to run it.
It's even more secure than it used to be.
 

GeniusJit

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
12
Post Replies
84
Status
away
Last seen
I'd never heard of Kerckhoffs's principle. Thanks for the education. I love learning new things.
 

Runner64

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
11
Post Replies
61
Status
away
Last seen

ATmEater83

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
11
Post Replies
82
Status
away
Last seen
The PGP and steganography have both very different use cases and should not be compared to each other like apples and needles.
Both have their place in the OpSec context of your operation.
 

GeniusJit

New Contributor
Regular Member
Joined
Feb 14, 2024
Threads
12
Post Replies
84
Status
away
Last seen
The PGP and steganography have both very different use cases and should not be compared to each other like apples and needles.
Both have their place in the OpSec context of your operation.
PGP is great for when you see it anyway, like addresses on the market.
A friend and I exchanged messages in the images on a website we both administered
 

Users who are viewing this thread

Top