camera/shy

S.U.N s.u.n at free.Fr
Sun Aug 1 11:56:56 CEST 2004


Camera/Shy FAQ and Help

BASIC INSTRUCTIONS:

There are two masked edit boxes. The top one is for the password, the
bottom one is for your signature. Treat these both as passwords for your
data. ALWAYS CHANGE YOUR PASSWORD AND SIGNATURE.

Password/Signature combos should be given as two words, with the
password first and the signature second.

Browse to a site with stegged content which matches the password and
signature you have set. The stegged content will be found and populate
the box beneath the browser.

Double clicking on these links opens up the file from your cache and
unstegs it after finding it with your signature. Then the content is
base64 decoded. Then it is decrypted according to your password. Then,
the content is automatically viewed within your browser.

*********************************************************************

BASIC STEG CONTENT CREATION INSTRUCTIONS:

This is for more technical users. It should be a lot easier than even
Dreamweaver, but you must not put out stegs carelessly unless you live
in a free world country. Generally, use a proxy.

Understand right off, you are the weakest link. You are the control
person. You must take every safeguard and be absolutely free from
desire of money or concern about family who may be trapped behind
enemy lines.

You must not leave a copy of any gif files you used, on your system.
Use a wiping tool such as PGP wipe to remove the files.

Choose a long password and long signature. A phrase is best. Pass these
out with the utmost care and secrecy, in general. They may be passed
out through secure communication, through PGP, in person, or hidden in
normal speech. Like say, "[password]!!!" Where three !!! is known to
the listener to denote the new password. Or four, or two. Or a question
mark sequence. Or, establish a code word to accompany the passphrases
which is transplanted into normal speech.

Some suggested sequences to denote passphrases (note the spaces):
???
? ??
! !
**
etc

That is for IM, etc.

Okay, now for basic instructions:

-> Hit View Browser Full Window
-> Note the far left arrow in the new part of the browser, use that to
   load your image
-> Now, load a website or page from your file system. Ensure the path
   is file:/// which is IE default
   OR, type your message in the bottom most textbox
-> IF the content to encrypt and steg is loaded in camera/shy then just
   hit the IE lock button
-> IF the content to encrypt and steg is in the bottommost text box,
   hit the lock button above it
-> Hit red check page button to preview content

Do not use stegged image on dissident site. That defeats the purpose of
steganography. Use the image on a non-dissident site, preferably one
which is pro-"whatever system you are fighting against". No one really
believes in Communism in Communist systems, anyway.

Guard the location of the content. Once you have a friend set up with
the password and signature, throw it out in everyday speech with other
such URLs not announcing it. That is a good way to get it through.

Always work in cells where one cell is not connected to the other.
Always question people about their motives, finances, and family's well
being. Always pay close attention to their reactions. Most censors work
by hiring informers by money or by kidnapping their family. This could
happen to any one of your members. Do not expect such a kidnapping to
have to happen publicly.

Always use false names when talking with your own members.

Always strive to get everyone out of such a country. This means
everyone's family members. Leave no one behind, and if you must go back
yourself, go alone and do not go legally.

We have learned the lessons the hard way from the Soviet Era. Do not
make the same mistakes they made. (Note: the Pull is an old supporter
of the old Underground Church, now an organization for the persecuted
martyrs, as was headed by the late Richard Wurmbrand.)

*********************************************************************

"How does Camera/Shy help?"

It provides usability to an area where there is often a lack of
usability or even a disdain of usability. It automates the process of
scanning for steganographical images within webpages. You don't have to
download a file or work some bothersome wizard to get it to parse the
content within.

It is aimed at a very specific target audience: common end users behind
national and corporate firewalls which censor content.

This enables them to freely exchange ideas which otherwise might be
banned.

"What are some of the practical usage examples?"

Users putting gifs in web forums. On hosted web sites. A gif amongst
normal web page images.

On one hand, you have how the website appears, on the other you have
the real website through Camera/Shy.

Putting gifs in public forums of all types is very good. Or, on someone
else's website. This gives plausible deniability. There is no crime in
downloading such an image if you didn't know it was there.

Another example is back to the "real website" and the "hidden website".
If you host, say, a popular mp3 site which people from a country which
blocks free speech at the firewall level, and say you host a gif
there... then what? You all of a sudden have a popular site with a lot
of traffic, and some of that traffic is only for the hidden website...
others for the real website.

"What can I do to help?"

Plant stegged images on popular Communist approved sites. Plant stegged
images everywhere.

Fake stegged images - they are really stegged, but no content - is the
key to blocking their system. This effectively throws an atlas sized
wrench into their machine. They can't ban the sites hosting the gifs,
and they can't track the people down.


"Steganalysis can be performed on gifs and they could be detected."

Because the data is hidden in the most common image format on the Web,
they would have to perform steganalysis on every gif coming through
their wire. This is entirely impractical.

Now, let's presume they do start to implement this on the IDS level.
What then? Oh no! Then, we can merely put in another steganographical
algorithm. It is open source, and would be trivial to change the steg
engine.

This is round one, not ten.

"Why not in mp3's or in wav files or video files?"

Because they are relatively uncommon on the web compared to gifs.

"But won't the ISP see the increase of gif traffic??"

Get real.

"What other potential formats might be used instead of gifs?"

Jpegs. Text, would probably be best. Maybe mp3 or video if we could
work this in with p2p applications. But, not through HTTP. It remains
too uncommon.

Otherwise, mp3 or video is considered to have superior capabilities in
regards to including stegged content.

It may be possible to invent an undetectable format, but for now, the
best way would probably be to try and find a changing format... because
they can't scan for something if they do not know what to scan for.

Otherwise, we are open minded... but, we believe that it is good if
more steganographical applications compete with us on the usability
level. After all, that is one of the strongest aims of this
application. That is the message.

"What about PNG?"

Yes, I know all about PNG and have spent countless nights interchanging
bits within various PNG files for very sordid reasons. PNG should
absolutely not be used. It is far, far too uncommon.


"What about key exchanges? Why not implement PGP for that in this?"

PGP, or rather, using asymmetric key negotiation would probably be
the best way to securely exchange keys... though, I did not consider it
mandatory as inclusion in this version for two reasons:

1> It would still require passing encrypted data which is potentially
illegal and not stegged. This passing of the key file, itself, could be
flagged by existing IDS's.

2> People can use asymmetric key exchanges if they wish at any time,
merely to exchange passwords and locations. There remains the
possibility that they may be trusting the wrong person (an
infiltrator), but that is no big deal.

"I have to tell you, steganography is not new!"

Thanks, we will take note of that.

"Why Internet Explorer? Don't you know it has security issues?"

And, I have found a number of them. And? We are talking with some
Mozilla developers. Camera/Shy incorporates a number of optional
security measures, and a number of non-optional security measures.

We support porting, but may not help in porting merely because of time
constraints.

We would like to see more applications of this kind.

"How do the 'no trace' features work?"

History is turned off while running Camera/Shy. All cache content is
deleted after it is shut down.

"Doesn't Camera/Shy send a message across the wires which is
discernible from other browsers?"

No. Camera/Shy does no double pulling. All work is done after the page
is downloaded and in the cache. It appears through the wire just as an
ordinary browser with absolutely no signature.

"Where does Rijndael fit in? How is the content encrypted?"

The content is first encrypted to the user's password, then put in the
image according to the user's signature.

"What other security measures does Camera/Shy offer?"

See the specs sheet. Otherwise, there is nothing illegal about
downloading a gif file. How do you know the person knew there was
hidden content in that gif file? How do you know there is dissident
information in that gif file unless you break the Rijndael steg?

Camera/Shy is a standalone application without multiple files which may
get left behind. Just open from web, run, then delete when finished.

"Why not a browser plug-in?"

Because I wanted to avoid install files and permissions difficulties.
But, someone should make such plug-ins.

"What about such and such steg application or such and such article on
steg?"

We did a lot of research on this before the start and looked at a very
wide range of articles. We looked at free and for pay applications. We
continue to do so.

Some have superior steg routines, some have inferior steg routines.
Some have a degree of automation in the creation and finding of stegged
content, others do not.

Without a doubt, these conclusions were made: No steg formula out
there, no steg application out there is foolproof to escape detection.

But, again, it is impractical to try and find stegged images in the gif
format if what you are looking for is the everyday user.

"How is it possible to keep the police from rather easily getting the
stego materials through penetrating the said group of people?"

This is probably the most informed question regarding security I have
seen.

There are three things you do not want the "police" to have. One, is
the password to the encrypted content. Two, is the steganographical
signature of the encrypted content. And, three, is the location of the
content.

If users visit the same sites everyday or keep a list of sites everyone
within a group visits, then all they must do is visit these sites in
order to find the content.

Passwords and signatures are important to keep secret. Because the
images may be found if the country is scanning for them, the best bet
is to keep the password secret. At times this may mean changing the
password frequently... at other times this may mean not changing the
password frequently.

This said, one must always be discreet and never trust anyone. Some
people tempting the law, invariably, will be caught. They will be
caught because they told an undercover officer the password or
signature or location. This is the most dangerous part of using the
application.

"What about web spidering for images? How can we protect against that?"

This is a very good question. By planting fake stegged content all over
the web. That would literally throw an atlas sized wrench into their
plans. It would create an effective denial of service on their entire
internet, if they decided to ban websites hosting such content -- and
if they decided to try and track down people visiting these sites...
they would find themselves trying to track down everyone.
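
The kind of statistical check the steganalysis question above refers to,
as an added example that is not part of the original post or of
Camera/Shy's code: a pairs-of-values chi-square test over GIF palette
indices. It assumes sequential LSB replacement, which the FAQ does not
specify; the cover image and payload bytes are constructed.

```python
import base64
import hashlib

def stream(label: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode). Constructed
    stand-in for image noise and for ciphertext; this is not Rijndael."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def make_cover(n: int) -> list[int]:
    """Constructed 16-colour index stream in which, for each pair (2k, 2k+1),
    the even index is about three times as common as the odd one."""
    return [2 * (b >> 5) + (1 if (b & 3) == 0 else 0) for b in stream(b"cover", n)]

def embed(indices: list[int], payload: bytes) -> list[int]:
    """Assumed scheme: overwrite the LSB of successive indices with the bits
    of the base64 text of the (already encrypted) payload."""
    text = base64.b64encode(payload)
    bits = [(c >> (7 - i)) & 1 for c in text for i in range(8)]
    out = list(indices)
    for pos, bit in zip(range(len(out)), bits):
        out[pos] = (out[pos] & ~1) | bit
    return out

def pov_statistic(indices: list[int], colours: int = 16) -> float:
    """Pairs-of-values chi-square statistic. LSB replacement pulls the two
    counts in each pair together, so a small value points to embedding."""
    hist = [0] * colours
    for v in indices:
        hist[v] += 1
    stat = 0.0
    for k in range(0, colours, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected > 0:
            stat += (hist[k] - expected) ** 2 / expected
    return stat

def looks_embedded(indices: list[int], threshold: float = 50.0) -> bool:
    # Threshold chosen for this constructed data, not a calibrated p-value.
    return pov_statistic(indices) < threshold

COVER = make_cover(4096)
STEGO = embed(COVER, stream(b"ciphertext", 384))  # 384 bytes -> 4096 bits
```

The test costs one histogram pass per image, and it only sees schemes
that equalise pair counts; a different embedding needs a different test.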






