[sillysaurus2]

You of course don't know this, because you haven't read through the page and figured out what the code does.

Let's not get personal. I only mentioned your name because it was in the headline, not to bully anyone.

I know this is a framework. But the problem with stego is that as soon as you release your code, you make it almost trivial for law enforcement to detect that you're using stego. It's a catch-22: you want people using the code, but you don't want law enforcement knowing what code you're using, because then they can just use the same code to detect that you're using stego, which defeats the purpose of stego.

This isn't theoretical. Each time someone releases a new stego tool out into the wild, forensics companies add it to their own frameworks for detecting stego.

Let me be clear: I want you to succeed, and I think it's a great thing that so much effort is being put into developing these sorts of tools. But you have to say something like "Don't use this tool yet! It's not ready for production!" ... The way it was presented here made it sound as if it's ready to be used, but anyone who uses it in its current state will be swiftly detected by law enforcement.

Let's put it another way. Do you think the 120 people who upvoted this did so because they understood this is "just a framework / reference," or because they were hopeful this actually works? It's not fair to them not to include a disclaimer saying this shouldn't be used. The way the README is written makes it sound like you're encouraging people to use it, even though it's not intended to be used.

[skunkworks]

There's great irony in you saying

> Let's not get personal.

right after saying

> I'm surprised to see someone of Bram Cohen's caliber releasing something like this.

[sillysaurus2]

I feel bad about it. I shouldn't have called him out by name; I should've concentrated solely on why this tool falls short. Sorry, Bram.

I'm just worried that people will see his name, see that he's saying things like "this tool is ready to be used," and then actually use this, just because "It's Bram Cohen," and end up getting themselves caught.

[cynicalkane]

I don't see anything wrong with pointing out that a famous person's work is below par, particularly when said person decides to show up in the thread and ignore what you are saying and act like a jerk in response. You shouldn't retreat so easily.

[bramcohen]

This tool allows for the specifics of how the encoding is done to be changed without the decoding algorithm needing to be changed ever, so yes in fact it is ready to be used, although better encoders are both easy to write and welcome.

[sillysaurus2]

There are two possibilities. Either you've created a tool which enables people to covertly send messages without being detected, which every publicly-released stego tool thus far has failed to do, or you haven't.

Have you spent much time researching why current stego tools have all failed? The way you're endorsing this makes it sound like you haven't, and you're putting people in danger by pretending like law enforcement is incompetent.

Remember, law enforcement somehow managed to acquire an image of Silk Road's server, even though they were running it as a Tor Hidden Service, and they also managed to recover >100k bitcoins from DPR. All of this was done through forensics. Are you claiming that this tool is secure against such an adversary?

Hopefully someone will write a program called "DissidentXDetector" before law enforcement does. The myth that this generates undetectable messages needs to be debunked before people start trusting this.

[infinity0]

From the README:

Q. Can someone detect that a file has messages encoded in it?

A. That depends on the encoding used and the properties of the file the data is being encoded in. There's a whole field of academic literature on steganography, none of which is invalidated by this code. What this code does is vastly simplify the implementation of new steganographic techniques, and allow a universal decoder and encoding of multiple messages to different keys in the same file.

[sillysaurus2]

The README should read:

Q. Can someone detect that a file has messages encoded in it?

A. If the file was generated with an encoder whose code is public (i.e. Github, bitbucket, ...) then yes. Always. And even if the code is private, it may not be secure. Unless you come up with an encoding scheme that's never been thought of before, then law enforcement will likely be able to detect the encoded messages unless they're trivially short.

[TheLoneWolfling]

You're assuming that there isn't a shared secret between the sender and reciever.

[zzzeek]

random peanut gallery thought....mentioning "law enforcement" in the README itself might open up the tool itself to legal attacks, no ?

[nl]

No

[eliteraspberrie]

I have been working on a new steganography algorithm that I believe is secure. I plan to make it open source in the new year. Would you like to review the design and code when it is released?