---------- Forwarded message ----------
Date: Thu, 11 Jul 2002 23:21:04 -0400
From: Declan McCullagh <declanat_private>
To: politechat_private
Subject: FC: Reply to Politech challenge: Stegograms found on azzam.com

Keep in mind that these claims of bin-Laden-stego are closer to unsourced speculations than verifiable fact. Perhaps an enterprising prankster has been posting attack-at-dawn plans in stego form, for instance. And when some politicos have used 9-11 as an excuse to talk about encryption restrictions, it makes sense to be appropriately skeptical, though not entirely dismissive.

Some of this looks like old news. I wrote about a similar claim in Feb 2001, as a followup to a USA Today article:
http://www.wired.com/news/politics/0,1283,41658,00.html

Since then it has been a recurring theme:
http://www.politechbot.com/cgi-bin/politech.cgi?name=steganography

Previous Politech message:
http://www.politechbot.com/p-03735.html

-Declan

PS: Brian sent me his list as an attachment. I've put it at the end of this message.

---

Date: Thu, 11 Jul 2002 22:48:15 -0400
From: Brian Ristuccia <brianat_private>
To: "Richard M. Smith" <rmsat_private>, declanat_private
Cc: list-geekat_private
Subject: al-Qaeda stego on azzam.com

Richard, Declan, Fellow Geeks:

Preliminary checking with a tool called stegdetect shows that a large number of images on azzam.com may have hidden information encoded using an algorithm called jphide. The site at http://66.197.135.110/~azzam has roughly 580 images and yields some 70 hits almost all for jphide.

Note that running stegdetect against some 2300 miscellaneous images including digital camera pictures and other junk on my personal web site and web mirrors yielded only a handful of low probability hits for steghide and outguess. 12% versus 1% is probably significant, at least enough so to warrant further investigation.

The stegdetect package includes a program called stegbreak, which will attempt to extract the images from potential stego files.
The process is computationally expensive and I'm not sure how long it will take or if it's even possible with the meager compute resources at my disposal. I'll be scrounging compute resources to try to extract the (probably encrypted) contents of at least some of these files and will keep you all posted on my findings.

Thanks.

--
Brian Ristuccia
brianat_private
bristuccat_private

---

From: Mark Collins <meat_private>
To: declanat_private
Subject: Re: FC: Politech challenge: Decode Al Qaeda stego-communications!
Date: Wed, 10 Jul 2002 16:58:42 +0100
In-Reply-To: <5.1.1.6.0.20020710085405.01b30590at_private>

This whole "Terrorists using Steganography" thing is BS. A company called iomart is, as far as I can tell, the only people actually claiming to have discovered anything related to terrorism in images, and even then, their results are a lil' questionable.

===
Mark 'Nurgle' Collins
http://www.thisisnurgle.org.uk

Stupid IRC quote of the <variable time period>:
<keyDet79> fortunately the outside world (with which u are obviously not familiar with) fears script kiddies,

---

Subject: Re: FC: Politech challenge: Decode Al Qaeda stego-communications!
From: Shaya Potter <spotterat_private>
To: declanat_private
Date: 10 Jul 2002 14:12:15 -0400

repost?

message on politech
http://www.politechbot.com/p-02638.html

research of ebay (same time period) yes it could have changed, but where's the evidence.
http://www.citi.umich.edu/u/provos/stego/abc.html

on the issue of azzam.com

I think I read about this a bit ago, wasn't this the site that the pictures changed (such as bin laden facing different directions) and the appropriate agencies felt that this was meant for giving messages. If so, it's basically a one time pad which can't really be broken, until one gets rid of that property by accumulating lots of data points.

---

From: "Quinn, SallyAnn" <SallyAnn.Quinnat_private>
To: "'declanat_private'" <declanat_private>
Subject: RE: Politech challenge: Decode Al Qaeda stego-communications!
Date: Wed, 10 Jul 2002 17:23:56 -0500
MIME-Version: 1.0

I can't believe this is back. Niels Provos and Peter Honeyman at the Center for Information Technology Integration at U Mich drove a stake through the heart of this rumor last fall by scientifically analyzing 2 million images from e-Bay and 1 million images from USENET. Their conclusion is: "...we are unable to report finding a single hidden message."

The study can be viewed at:
http://www.citi.umich.edu/u/provos/papers/detecting.pdf

Oh, Gina Kolata's stories are highly suspect. She interviewed PGP's author Philip Zimmermann after 9-11, and wrote an article insinuating that the algorithm was somehow the terrorists' best friend and that Phil was quite happy about it.

Sally Ann Quinn, Software Test Engineer
West
50 East Broad St., Rochester, NY 14694
Mail Drop A1-N135
Tel (585) 546-5530 x3243

---

Date: Wed, 10 Jul 2002 16:43:16 +0100
From: Pedro F <pedrofat_private>
To: Declan McCullagh <declanat_private>
Sender: Pedro F <pedrofat_private>
Subject: Re: FC: Politech challenge: Decode Al Qaeda stego-communications!

Declan,

concerning this subject, please see this old article from Newsbytes. I've made a search in the (old Newsbytes and now) TechNews.com but find nothing on this subject so I can't give you the link for the article.

On this subject, see also the search page on Wired (http://search.wired.com/news/default.asp?query=Steganography).

For a new application to be released this week, "known as Camera/Shy and is a browser-based steganography program that can hide data inside GIF images on any Web page", see "App Delivers Censored Content" (http://www.eweek.com/article2/0,3959,361950,00.asp).

best wishes
pedro

No Hidden Messages At Pro-Bin Laden Site - Experts
By Brian McWilliams, Newsbytes
BLOOMSBURG, PENNSYLVANIA, U.S.A., 12 Dec 2001, 3:51 PM CST

Photos at an anti-American Web site that provides information about Jihad are unlikely to contain hidden messages for terrorists, experts said today.

A review today of dozens of photos at the Azzam.com Web site turned up no evidence that the images contained steganographic content, according to Niels Provos, an expert in the technology.

A report in the Dec. 17 issue of Newsweek said British and U.S. intelligence sources suspected some of the site's photos and graphics contain secret messages for Al Qaeda terrorist operatives.

Domain registration records indicate Azzam.com is operated by Azzam Publications of London, an organization believed to include Osama bin Laden supporters, according to the Newsweek report.

Provos' findings were independently confirmed by a researcher at security consulting firm Bindview Corporation who goes by the nickname Simple Nomad.

[...]

---

To: declanat_private
Subject: azzam.com Stego CONFIDENTIAL
Date: Wed, 10 Jul 2002 19:19:48 -0400

(Please don't put out my email address.)

I tried a little stego searching on azzam.com. Seems like all the images were at 66.197.135.110 so I mirrored the whole thing with httrack and used stegdetect on all jpgs in the images directory. The list below are the promising images, but I don't have the time or expertise to try to crack them, and I don't know the reliability of stegdetect. Maybe someone else can take it from here.

# stegdetect ./*.jpg | grep "false\|\*"
./abubakr14.jpg : jphide(*)
./amarsmall.jpg : jphide(**)
./campxrayprisoners1.jpg : skipped (false positive likely)
./harithbahraini.jpg : jphide(*)
./iraqduniafalehsmall.jpg : skipped (false positive likely)
./iraqmuhammed.jpg : outguess(***)
./khartashoihomeruins.jpg : jphide(*)
./productspursuitsmall.jpg : jphide(**)
./productsrussianhell.jpg : jphide(*)
./shaheeddiraarsheeshani.jpg : jphide(***)
./shaheedhammamnajdi.jpg : jphide(***)
./shaheedharithbahraini3.jpg : jphide(**)
./shaheedjamaludeenaljazairi.jpg : jphide(*)
./shaheedkhalidqatari2.jpg : jphide(**)
./shaheedmuazqatari.jpg : jphide(*)
./shaheedmuslimturki.jpg : jphide(**)
./shaheedthabitdaheishi.jpg : skipped (false positive likely)
./shatoihomerussians.jpg : jphide(**)
./storiesharbi2.jpg : jphide(***)
./storieszubair1.jpg : jphide(***)

Also in 66.197.135.110/~azzam/afghan/images/photos I get these possible hits

./tnchildwaits.jpg : jphide(***)
./tnjawad.jpg : jphide(*)
./tnsameera.jpg : jphide(*)

---

To: declanat_private
Subject: azzam.com Stego CONFIDENTIAL addition
Date: Wed, 10 Jul 2002 19:28:39 -0400

I just found that there are more possibles in 66.197.135.110/~azzam/qoqaz/images, if you want to send my last email out, please copy and add this to it.
Sorry :)

More possibles here: 66.197.135.110/~azzam/qoqaz/images

./child3.jpg : jphide(**)
./crimes12.jpg : jphide(***)
./crimes14.jpg : jphide(*)
./crimes22.jpg : jphide(*)
./crimes9.jpg : jphide(***)
./dag2.jpg : jphide(*)
./dag20.jpg : jphide(**)
./dag24.jpg : jphide(*)
./dag25.jpg : jphide(**)
./dag27.jpg : jphide(*)
./dag29.jpg : jphide(*)
./dag32.jpg : jphide(*)
./dag34.jpg : jphide(*)
./dag35.jpg : jphide(**)
./dag36.jpg : jphide(*)
./dag41.jpg : jphide(**)
./dag45.jpg : jphide(***)
./dag54.jpg : jphide(*)
./dag58.jpg : jphide(***)
./db4.jpg : jphide(*)
./dead3.jpg : jphide(*)
./dead4.jpg : jphide(*)
./eidopabuansar.jpg : jphide(*)
./grozsupp1.jpg : jphide(***)
./grozsupp11.jpg : jphide(*)
./grozsupp4.jpg : jphide(***)
./grozsupp6.jpg : jphide(***)
./injured2.jpg : jphide(*)
./injured3.jpg : jphide(*)
./mass4.jpg : jphide(*)
./mass5.jpg : jphide(*)
./poss2.jpg : jphide(**)
./poss4.jpg : jphide(*)
./russianfear1.jpg : jphide(**)
./shaheed7.jpg : jphide(*)
./talhasmall.jpg : jphide(*)
./trio1.jpg : jphide(***)
./triohoriz2.jpg : jphide(***)

---

[From Brian. --Declan]

./66.197.135.110/%7Eazzam/images/campxrayprisoners1.jpg : skipped (false positive likely)
./66.197.135.110/%7Eazzam/images/lands/worldsmall.jpg : jphide(***)
./66.197.135.110/%7Eazzam/images/productsrussianhell.jpg : jphide(*)
./66.197.135.110/%7Eazzam/images/productspursuitsmall.jpg : jphide(**)
./66.197.135.110/%7Eazzam/images/storieszubair1.jpg : jphide(***)
./66.197.135.110/%7Eazzam/images/shaheedkhalidqatari2.jpg : jphide(**)
./66.197.135.110/%7Eazzam/images/shaheedmuazqatari.jpg : jphide(*)
./66.197.135.110/%7Eazzam/images/storiesharbi2.jpg : jphide(***)
./66.197.135.110/%7Eazzam/images/shaheedhammamnajdi.jpg : jphide(***)
./66.197.135.110/%7Eazzam/images/abubakr14.jpg : jphide(*)
./66.197.135.110/%7Eazzam/images/shaheedthabitdaheishi.jpg : skipped (false positive likely)
./66.197.135.110/%7Eazzam/images/shaheedmuslimturki.jpg : jphide(**)
./66.197.135.110/%7Eazzam/images/shaheedjamaludeenaljazairi.jpg : jphide(*)
./66.197.135.110/%7Eazzam/images/shaheedharithbahraini3.jpg : jphide(**)
./66.197.135.110/%7Eazzam/images/harithbahraini.jpg : jphide(*)
./66.197.135.110/%7Eazzam/images/shaheeddiraarsheeshani.jpg : jphide(***)
./66.197.135.110/%7Eazzam/images/iraqmuhammed.jpg : outguess(***)
./66.197.135.110/%7Eazzam/images/iraqduniafalehsmall.jpg : skipped (false positive likely)
./66.197.135.110/%7Eazzam/images/amarsmall.jpg : jphide(**)
./66.197.135.110/%7Eazzam/images/khartashoihomeruins.jpg : jphide(*)
./66.197.135.110/%7Eazzam/images/shatoihomerussians.jpg : jphide(**)
./66.197.135.110/%7Eazzam/afghan/images/photos/worldsmostwanted.jpg : skipped (false positive likely)
./66.197.135.110/%7Eazzam/afghan/images/photos/tnchildwaits.jpg : jphide(***)
./66.197.135.110/%7Eazzam/afghan/images/photos/tnsameera.jpg : jphide(*)
./66.197.135.110/%7Eazzam/afghan/images/photos/tnjawad.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/sarajevo2.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/toronto2.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/madrid1.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/madrid3.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/shaheedthabitdaheishi.jpg : skipped (false positive likely)
./66.197.135.110/%7Eazzam/qoqaz/images/talhasmall.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/trio1.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/triohoriz2.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp1.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp6.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp11.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp4.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/dead3.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dead4.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/poss2.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/poss4.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/eidopabuansar.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/db4.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/shaheed7.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/injured2.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/injured3.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/russianfear1.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/child3.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/dag2.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag20.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/dag24.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag25.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/dag27.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag29.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/glossary/ak74.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag32.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag34.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag35.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/dag36.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag41.jpg : jphide(**)
./66.197.135.110/%7Eazzam/qoqaz/images/dag45.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/dag54.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/dag58.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/mass4.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/mass5.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/crimes9.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/crimes10.jpg : skipped (false positive likely)
./66.197.135.110/%7Eazzam/qoqaz/images/crimes12.jpg : jphide(***)
./66.197.135.110/%7Eazzam/qoqaz/images/crimes14.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/crimes22.jpg : jphide(*)
./66.197.135.110/%7Eazzam/qoqaz/images/qzasplogosmall.jpg : skipped (false positive likely)
./stegdetect/jpeg-6b/testimg.jpg : jphide(***)
./stegdetect/jpeg-6b/testimgp.jpg : jphide(***)
./stegdetect/jpeg-6b/testorig.jpg : jphide(***)
./stegdetect/jpeg-6b/testprog.jpg : jphide(***)

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
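
Added example, not part of the thread or of the stegdetect package: one way to triage stegdetect output like the lists above is to tally hits per image while keeping known-clean control images separate, then compare hit rates between two image sets. The sample lines, the `./control/` prefix and the function names are constructed for illustration; 70 of 580 comes from Brian's message, and 23 is an assumed count standing in for his "1%" of 2300.

```python
import math
import re
from collections import Counter

# One stegdetect result line: "<path> : <verdict>"
LINE = re.compile(r"^(?P<path>\S+)\s+:\s+(?P<verdict>.+)$")
# A hit inside the verdict, e.g. "jphide(**)"; "(old)" is an optional qualifier
HIT = re.compile(r"(?P<algo>[a-z0-9]+(?:\(old\))?)\((?P<stars>\*{1,3})\)")

# Constructed sample in the output format shown in the thread (not the real list).
SAMPLE = """\
./site/images/a.jpg : jphide(*)
./site/images/b.jpg : jphide(***)
./site/images/c.jpg : skipped (false positive likely)
./site/images/d.jpg : outguess(***)
./site/images/e.jpg : negative
./control/libjpeg/testimg.jpg : jphide(***)
./control/libjpeg/testorig.jpg : jphide(***)
"""

def parse(text):
    """Yield (path, [(algo, star_count), ...]); non-hit verdicts give an empty list."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["path"], [(h["algo"], len(h["stars"])) for h in HIT.finditer(m["verdict"])]

def summarize(text, control_prefix):
    """Count scanned and flagged images per group; controls are known-clean files."""
    out = {name: {"scanned": 0, "flagged": 0, "levels": Counter()}
           for name in ("suspect", "control")}
    for path, hits in parse(text):
        group = out["control" if path.startswith(control_prefix) else "suspect"]
        group["scanned"] += 1
        if hits:
            group["flagged"] += 1
            group["levels"][max(hits, key=lambda h: h[1])] += 1  # strongest verdict
    return out

def two_proportion_z(hits_a, n_a, hits_b, n_b):
    """z statistic for the hypothesis that both image sets share one hit rate."""
    pooled = (hits_a + hits_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    return (hits_a / n_a - hits_b / n_b) / se

if __name__ == "__main__":
    print(summarize(SAMPLE, "./control/"))
    # 70/580 is from the thread; 23/2300 is the assumed baseline count.
    print(round(two_proportion_z(70, 580, 23, 2300), 1))
```

A large z only shows that the two image sets differ in the statistic the detector measures, not that any payload exists. Every flagged file in the control group is a measured false positive and bounds how much weight a hit on the suspect set can carry.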