>>>>> Perry writes:
> I have my doubts about the reality of this description -- the
> entire stego description seems like fantasy, especially given the
> low bandwidths available into many countries, and the obviousness
> of the whole thing...
I think that you misunderstand the purpose of the stego, and
overestimate the amount of message data that has to be hidden.
Because of PGP compression, a typical daily encrypted digest is only
5 to 20 Kbytes. This can be hidden within a 20 to 160 Kbyte image
file. Sure, it degrades the image quality, but the only purpose of
the stego is to make automatic identification of encrypted messages
impractical. PGP encryption of the digest and of individual messages
provides the actual message security. And, of course, in some
countries, we don't have to stego the encrypted digests at all.
Many NGOs working in rural parts of Africa and Asia use packet email
provided by a constellation of small-aperture Japanese satellites.
These circle the earth several times a day, and transfer as much as
several MB of mail at each contact. We are charged by the kB, but
it still ends up being relatively inexpensive.
Companies like Compuserve also have a pretty thorough network of POPs,
accessable from almost any medium to large African or Asian city at
speeds from 9.6 to 56Kb/s. Much of this traffic is monitored, but the
local LEOs only have the resources to pick out obvious messages.
Don't forget that our threat model is not the NSA or GCHQ, but
organisations like the Iranian and Rwandan intelligence services.
Our work is well regarded in our host countries, so we don't have to
hassle with more sophisticated Western LEOs. Given that, this mix of
off-the-shelf software, Perl code, and small US and European mail
servers is very effective.
