Is Facebook’s Secretbook Secure?
Date: Thu, 11 Apr 2013 11:56:57 +0100
To: UKcrypto[at]chiark.greenend.org.uk
From: Richard Clayton
Subject: Re: “Secretbook” Lets You Encode Hidden Messages in Your Facebook Pics
Owen Blacker writes:
>http://www.wired.com/dangerroom/2013/04/secretbook/
>
>Facebook is a place where you can share pictures of cute animals and fun
>activities. Now there’s a browser extension that lets you encode those
>images with secret, hard-to-detect messages.
That’s two different properties… if the stego message has been encrypted before it is embedded then if the key is long enough then it is likely to stay secret.
If “too much” data is embedded then it will be detectable by one of a number of methods (real pictures have various statistical properties that are disrupted by the embedding of what is effectively “noise”).
There’s a vast literature on this; a good starting place is Jessica Fridrich’s work:
http://www.ws.binghamton.edu/fridrich/
>“The goal of this research was to demonstrate that JPEG steganography can
>be performed on social media where it has previously been impossible,”
>Campbell-Moore tells Danger Room. He says he spent about two months spread
>out over the last year working on the extension as a research project for
>the university.
Embedding short messages into media that will survive transforms is called “watermarking” and there is a large literature on that as well! The initial robustness scheme called StirMark dates from 1997:
http://www.petitcolas.net/fabien/watermarking/stirmark/
And since this is usually successfully passed, there have been later proposals such as CheckMark which add more transforms.
The particular proposal here seems to have been specifically designed to survive Facebook’s transform rather than to survive more general changes to the image.
>It wasn’t easy developing the extension. “Many tools for steganography in
>JPEGs have existed in the past although they have always required that the
>images are transmitted exactly as they are,” Campbell-Moore says.
His draft paper is at:
secretbook-draft-1.pdf
It contains no references to other work at present, so it’s not possible to see whether or not he has encountered the papers that might disabuse him of this exact statement 😦
>If you’ve encoded a secret message in the image, Facebook will garble
>it. Facebook competitor Google+ doesn’t do this, so you can share
>encoded messages there without needing an app for it.
An important reason for processing the images is that this prevents people installing malicious images on their pages which will compromise visitors whose graphic display software contains security flaws! I fully expect [but have not tested] that Google+ does do some manipulations to avoid this!
--
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
__________
List-Id: UK Cryptography Policy Discussion Group
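The detectability point in the message above (embedding "noise" disrupts the statistics of a real picture) can be illustrated with a pairs-of-values chi-square check. This is an added example, not part of the original message and not Secretbook's code. It assumes a constructed, steeply decaying sample as a stand-in for JPEG coefficient magnitudes and plain LSB replacement as the embedding; the function names are hypothetical.

```python
import random
from collections import Counter

def make_cover(n, seed=1):
    """Constructed sample: steeply decaying integer values >= 2, a rough
    stand-in for non-zero quantised JPEG coefficient magnitudes."""
    rng = random.Random(seed)
    return [int(rng.expovariate(0.25)) + 2 for _ in range(n)]

def embed_lsb(values, rate, seed=2):
    """Overwrite the LSB of a fraction `rate` of the values with random bits
    (an encrypted payload looks like random bits to the detector)."""
    rng = random.Random(seed)
    out = []
    for v in values:
        if rng.random() < rate:
            v = (v & ~1) | rng.getrandbits(1)
        out.append(v)
    return out

def pair_score(values, min_expected=20):
    """Chi-square statistic per degree of freedom over value pairs (2k, 2k+1).
    LSB replacement pulls the two counts in each pair toward their mean, so a
    score near 1 is consistent with heavy embedding; an untouched, steep
    histogram scores far higher."""
    hist = Counter(values)
    chi2, pairs = 0.0, 0
    for even in range(0, max(hist) + 1, 2):
        expected = (hist[even] + hist[even + 1]) / 2
        if expected < min_expected:
            continue  # skip sparse pairs, where the statistic is unreliable
        chi2 += (hist[even] - expected) ** 2 / expected
        pairs += 1
    return chi2 / max(pairs - 1, 1)

if __name__ == "__main__":
    cover = make_cover(100_000)
    for rate in (0.0, 0.1, 0.5, 1.0):
        score = pair_score(embed_lsb(cover, rate))
        print(f"embedding rate {rate:>4}: chi2/dof = {score:.1f}")
```

The score falls as the embedding rate rises: a full-capacity payload is flagged, while a small one still looks like the cover to this particular test.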
