July 6, 2002

GPLed Camera/Shy encryption tool: It's like "drag queens for democracy"

- By Grant Gross -

When the activists at Hacktivismo.com announced they were releasing a browser-based steganography application during the H2K2 Convention in New York City later this week, we thought that was pretty interesting -- and brave, considering all the recent speculation about how terrorists can use encryption tools to their advantage.
The people at Hacktivismo, compatriots of Cult of the Dead Cow, are aimng Camera/Shy at human rights workers and censored folks around the world, and it features a "one-touch" encryption process that "delivers banned content across the Internet in seconds." Users of Camera/Shy, a browser-based application, can "share censored information with their friends by hiding it in plain view as ordinary gif images." So basically, put up a Web page with pictures of your baby, use Camera/Shy to embed information banned by government censors into the picture, and the person on the other end uses the program to view the information. It only works with Windows and IE at the moment, however.

Making Hacktivismo's debut release even more interesting is that it's released under the GNU General Public License. That's not a particularly new philosophy for Cult of the Dead Cow -- there's a version of its Back Orifice program hosted on SourceForge.net. Hacktivismo is already defending the legitimate uses of Camera/Shy to the media, as Cult of the Dead Cow people had to do with Back Orifice. But Hacktivismo executive director Oxblood Ruffin says there will always be bad people who misuse good software.

We were thinking of writing a story, but Ruffin's answers are probably more interesting, and The Register has already done one with quotes from Camera/Shy's creator The Pull. So here's what Ruffin has to say:

NewsForge: How do you see Camera/Shy as a better alternative to PGP, etc.? Does
hiding the information in images give users another level of security -- government spy
people looking for "bad" content won't suspect something in a picture?

Ruffin: I was joking with a Tibetan human rights worker the other day that we've turned the Web into "Drag Queens for Democracy." What you see is not
what you get. C/S ignores the whole idea of content filtering and throws
a giant spanner in the works for governments attempting to thwart the
free flow of information by those means. Essentially C/S is a
publisher/browser type application. Content publishers can create C/S
enabled Web sites, and readers can go to there to peruse/decrypt content
on the fly.

NewsForge: What's the advantage of Camera/Shy over other, similar steganographic

Ruffin: It's user friendly. Our target user base is mostly non-technical.
Democracy and human rights activists tend to be liberal arts majors or
union leaders. Although some are somewhat technical, most are what I'd
call consumer-grade users. So we've made the process of encrypting and
decrypting content the kind of thing your momma could do.

NewsForge: Why is Camera/Shy released under the GNU GPL? It seems in line with
Cult of the Dead Cow's general philosophy on software, any special reasons for GPLing it?

Ruffin: There are both philosophical and practical reasons for this. I view the
open source/Free software communities as fellow travelers. Hacktivismo
is really about keeping the Internet healthy, and by extension, allowing
others to enjoy that privilege. GPL supporters are part of our family,
and share in large measure the values we support and try to express
through our work. So there's that natural affinity. Then of course
there's the willingness to take up projects that inspire them, to work
on bug fixes, get inspired and make contributions that improve the work,
or simply grab whatever they want and make it part of their own code. We
all go in the same direction at the end of the day.

NewsForge: I see it's available only for Windows and IE. Why only Windows? Are
there plans to port it to other OSes, such as Linux or BSD?

Ruffin: Again, when you look at the application install-base of the people we're
trying to help, then the Antichrist software is ground zero. We just
received an interesting offer to port this over to Mozilla, and with it
being open source and all, we also expect others to take it in as many
directions as suits their interests and willingness to make it more

NewsForge: What kind of reaction are you getting so far? How widespread to you
anticipate Camera/Shy's use to be? (Did that last question make sense?)

Ruffin: There are two kinds of reaction: The first from potential users; the
second from journalists. On the user side people are ecstatic. I've
gotten a number of emails today (Friday) from China [which is surprising because
our Web site was recently banned in Beijing] begging for the software.
I'm almost positive they was legit and not PSB spooks fishing around, but regardless, enthusiasm is high. There are people from other parts of
the world equally excited. Then we've got the journalist swell. There
seems to be a dilation over C/S being used by terrorists and weenie
waggers. Of course it could be, but that's something we have no control

But quite frankly, this whole aiding and abetting the terrorists hoo-haw
is quite misplaced. Terrorists, at least of the al Quaeda variety, are
very lo-tech. They use cell phones and pagers and the backs of cocktail
napkins [oops, I forgot they don't drink]. But the thing is, these are
not really the kinds of people who will be using an application like
this. But there will always be a fascination with turning new technology
releases into something that will help the bad people. Before 9.11,
everything that went out the door from almost any software developer was
immediately attacked as something that could help kiddie pornographers.
Now that boogie man has been replaced by terrorists. What's next?

NewsForge: I can image people from several parts of the world being interested --
North Koreans, Cubans, residents of several Arab countries, residents of the Stan countries, Americans who don't like to share their information with the FBI ...
is there a language issue with the program? Do you need to read English to use it?

Ruffin: We're in the process of translating the documentation into Chinese.
Eventually we'll get to Arabic and Farsi, and most likely French for
some of the African countries.

NewsForge: When was Hacktivismo launched?

Ruffin: We've been around for over two years. We were involved in
developing Peekabooty then we cut that whole mess loose. More recently we've returned to a series of projects in the hopper and decided to make
our maiden release Camera/Shy. Next month we'll release a P2P tunneling
protocol called The Six/Four System. It's hella tight and we expect a
great deal of development around that, both inside Hacktivismo and from
the hacking community at large.

Then Ruffin has some additional comments when I ask him if my description of Camera/Shy is correct.

NewsForge: Let me paste in a sentence I just wrote
to make sure I'm understanding this right: So basically, put up a Web page with pictures of your baby, use Camera/Shy to embed information banned by government censors into the picture, and the person on the other end uses the program to view the information.

Ruffin: Yes, that's it. I have an almost perverse desire to have our Chinese
associates put up C/S enabled fan sites for Li Peng and "Our Saviours
from the PSB." The other thing is there's going to be a lot of "up and
down" with C/S.

Sites will go up for a few days, then disappear. Then another round and
so on. Never anywhere long enough to develop consistent traffic
patterns. People will find out through chat clients and email where to
go. I say, drive The Man crazy :P

Later ...

NewsForge: We keep coming up with questions. Would there be a risk of someone
embedding a virus into a Web site? I'd imagine if that were a possibility, it
wouldn't be likey with most people sharing their C/S information with each other --
if you trust the person on the other end enough to tell them there's encoded information, you wouldn't be giving them viruses. But there was the JPEG virus scare recently ...

Ruffin: Of course there's always the possibility of exploiting vulnerabilities
here and there. The question is how realistic and likely would that be
in the case of hostile governments? The programmer who came up with
Camera/Shy [please mention him by name, his handle is The Pull] is the
king of exploits. So it's not as though the opportunities for corrupting
the program have been ignored, in fact quite the opposite. And again,
please remember that information on where a C/S enabled Web sites are to
be found -- especially in relation to the Chinese vertical -- are not
exactly going to be posted on Usenet. These are pretty tight cellular
groups, so it's unlikely the PSB will be able to set up a sort of
virulent C/S honey-pot.


  • Security
Click Here!