Its Time to Look at Real Digital Security

By Peter Coffee  |  Posted 2004-08-09 Print this article Print

'Retouching' technologies have good uses—and bad.

Digital tools make and take away perfect copies of information, leaving no tracks behind. They can also be used, though, to distort information in ways hard to detect. Sensitive knowledge easily crosses our borders, while once-trustworthy data such as photographs become no more credible than the person who presents them. We dont know what were losing, and we cant believe what we keep.

This lack of digital security may come from misplaced imitation of physical security methods. If you change the form of a valuable physical object, you also change its value; information security is harder than physical security because information can change among many forms without being degraded. But were used to the idea that briefcases are searched and car trunks are opened; bad information security mimics these methods with techniques such as keyword scans of e-mail.

Information can cross even a well-guarded boundary at will, however, using tools of steganography. No amount of keyword scanning or other naive inspection will detect a client list, a process description or a complex diagram if its embedded in some innocent-looking image or other carrier object. Steganographic methods can be as simple and obvious as encoding a message in the initial letters of the words of an apparently ordinary e-mail or as subtle as tiny alterations of line spacing or tweaking of the least significant bits of image pixels to represent covert content.

Click here to read more about steganography tools. Compressed image formats, such as JPEG, have enough erratic variation between adjacent pixels to prevent easy detection of such concealment, especially if the payload is first encrypted to produce a ciphertext that has the statistics of random noise.

"The use of steganography is certain to increase," stated Gary Kessler, an associate professor in the Computer and Digital Forensics Program at Champlain College, in his February paper, "An Overview of Steganography for the Computer Forensics Examiner," republished in July by the FBI journal Forensic Science Communications.

Steganography "will be a growing hurdle for law enforcement and counterterrorism activities," said Kessler, despite the difficulty of measuring its current level of use. "Ignoring the significance of steganography because of the lack of statistics is security through denial and not a good strategy," he warned.

But even while people rightly worry that there may be hidden meanings in the noisy bits of ordinary-looking e-mail attachments, other records that reside quietly at home may be living a lie. Ive taught my sons to retouch photos, for example, to remove a fingertip blocking a corner of a picture. The boys dont leave obvious edges; they know how to use a feather-edged selection to merge a piece of unobstructed sky over what they want to remove. Unfortunately, there are plenty of less innocent reasons to alter supposedly objective bits of history.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. Research teams, including one at the State University of New York, are developing statistical methods to detect such image alterations. As is so often the case, though, theres an emerging arms race between good guys and bad guys. Tools complex enough to produce top-flight forgeries "will move from research labs to commercial software," wrote SUNY Binghamtons Jessica Fridrich, David Soukal and Jan Lukás in their August 2003 paper, "Detection of Copy-Move Forgery in Digital Images."

Fridrichs current project, described late last month in The New York Times, seeks to assure the provenance of digital photos by combining two images: one of what the lens sees in front of the camera, the other of the distinctive patterns in the eye of the photographer. By merging these two inputs, one winds up with a record whose integrity is assured; it can be shown that an image on record is the one that was originally captured, with the origin of the image traced to a particular person.

Perhaps, in general, we can secure information only by controlling its relationships with people. Role-based access limits opportunities to leak it; origination keys, like those in Fridrichs camera, reduce the temptation to distort it.

Thats the path to real information security, instead of an irrelevant and futile imitation.

Technology Editor Peter Coffee can be reached at

To read more Peter Coffee, subscribe to eWEEK magazine. Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel