[Cryptography] russian spies using steganography?

[Christian Huitema]

On Sunday, May 8, 2016 2:15 PM, Kevin W. Wall wrote:
> 
> On Sun, May 8, 2016 at 8:24 AM, ianG <iang at iang.org> wrote:
> > http://www.theguardian.com/world/2016/may/07/discovered-our-parents-
> were-russian-spies-tim-alex-foley?CMP=share_btn_tw
> >
> > Bezrukov and Vavilova communicated with the SVR using digital
> steganography:
> > they would post images online that contained messages hidden in the
> pixels,
> > encoded using an algorithm written for them by the SVR....
> 
> Dumb question....if this was done in 2007, why not encrypt a short message
> that is itself a URL shortener (e.g., bit.ly) and embed THAT encrypted URL into
> the image and then have the spies retrieve the encrypted URL, decrypt it,
> and then use the URL to retrieve the actual message (which could require
> authentication or itself be encrypted). That seems like it would be
> a lot more secure and could be built into the software that was
> allowing them to retrieve the embedded hidden message in the first place.
> And if it seems obvious to me, surely I would have thought a spy agency
> would have thought of it.

The "URL" variation would have the interest of minimizing the length of the message. It has some obvious drawbacks, if access to shortened URL is somehow monitored by the adversaries. But using few bits is a very good thing. Of course, the dumb way is to put the information in the least significant bit of every pixel, and that gives plenty of bits. But that is very easy to detect, in particular because it is not robust to a simple decompression/recompression. If you want that kind of robustness, you are in the domain of "robust undetectable watermarks," and the bandwidth is very limited.

-- Christian Huitema