Virtual Unreality

One thing to note is that, when you hide RANDOM data (or encrypted data) inside a source image, you probably aren't actually lowering the quality of the source image as much as you'd immediately suspect.

Let us say, for example, that you have an image file where each pixel has 24 bits of colour data, made up of 8 for red, 8 for green, and 8 for blue. For the sake of this discussion, the image is uncompressed (because I'm too lazy to think how compression affects matters). And you have some data you are trying to hide in the image, in the least-significant bit of each byte.

Now, you use steganography to place your data in your image. However, because the least-significant bit of each colour byte is as likely to be 0 as 1 (assuming a scanned or photographed regular picture), and because your hidden data has the same distribution, you will only on average change HALF the bits. The other half you 'change' to the same value they initially had.

So while the initial image had 24 bits of data per pixel, the new image with the hidden data sort of has 22.5 bits of data per pixel instead of the expected 21 bits per pixel. That is to say, the container image and the steganographic image only differ by one bit in sixteen.

The other thing is that the human eye is much less sensitive to blue in an image. You can change the blue data in an image almost twice as much as you can change the green or red without a person being able to see the difference. This gives you extra bandwidth for virtually no cost.

I found a project a long time ago that stripped out the identifying headers from a PGP-encrypted message and embedded that inside a picture (or maybe inside other data).

The advantage of doing this is that if you are careful (i.e. have a decent implementation), there's no way to tell that the data you pull out isn't MEANT to be part of the picture. That is, because properly encrypted data looks completely random, and without identifying headers, you are safe from the statistical analysis mentioned in the article. You are safe from searching for headers, too. Unless you know the password, you cannot tell if you have found some hidden data or just noise.
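The half-the-bits arithmetic above (1.5 changed bits per 24-bit pixel, one bit in sixteen), measured in an added example that is not part of the original post. The cover is a constructed buffer of uniform random bytes standing in for an uncompressed photograph, so its least-significant bits are 0 or 1 with equal probability as the post assumes; all function names are illustrative.

```python
import random

BITS_PER_PIXEL = 24  # 8 red + 8 green + 8 blue, uncompressed


def make_cover(pixels, rng):
    # Constructed stand-in for a photographed image (assumption):
    # uniform random colour bytes, so each LSB is 0 or 1 with p = 0.5.
    return bytearray(rng.getrandbits(8) for _ in range(pixels * 3))


def embed_lsb(cover, payload_bits):
    # Overwrite the least-significant bit of each colour byte.
    stego = bytearray(cover)
    for i, bit in enumerate(payload_bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego, count):
    return [byte & 1 for byte in stego[:count]]


def measure(pixels=20000, seed=1):
    rng = random.Random(seed)
    cover = make_cover(pixels, rng)
    # Random payload, one bit per colour byte (models encrypted data).
    payload = [rng.getrandbits(1) for _ in range(len(cover))]
    stego = embed_lsb(cover, payload)
    diffs = [c ^ s for c, s in zip(cover, stego)]
    flipped = sum(diffs)  # each diff is 0 or 1 when only LSBs moved
    return {
        "payload_recovered": extract_lsb(stego, len(payload)) == payload,
        "only_lsbs_touched": all(d in (0, 1) for d in diffs),
        "flipped_per_pixel": flipped / pixels,
        "fraction_of_all_bits": flipped / (pixels * BITS_PER_PIXEL),
    }


if __name__ == "__main__":
    for name, value in measure().items():
        print(f"{name}: {value}")
```

All three LSBs of every pixel carry payload, yet only about half of them actually flip, which is where the 22.5-versus-21 figure comes from.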