Also, what makes you think activists have the technical expertise available to know what the "most secure techniques available" are and what methods have been broken?

I don't know where you got the idea that nation states are the only ones who use cryptography. Plenty of activists, along with other non-state actors do so all the time.

Plenty of cryptography is also designed by individuals not in the service of any nation state (as far as we know, anyway). In fact, some argue that such encryption is more trustworthy than encryption developed by nation states themselves.

"Also, what makes you think activists have the technical expertise available to know what the "most secure techniques available" are and what methods have been broken?"

I can't speak for any and all activists. It's really up to them to acquire such expertise or get advice from people who have such expertise.

That said, the problem here is no different from figuring out which encryption to use. So your criticism applies equally to encryption as it does to steganography.

We're not talking about users, we're talking about attackers and developers. Why would users have anything to do with our discussion?

Plenty of cryptography is also designed by individuals not in the service of any nation state (as far as we know, anyway). In fact, some argue that such encryption is more trustworthy than encryption developed by nation states themselves.

Developed by academics, but tested by both academics and the government. The testing is the thing that's actually important.

I can't speak for any and all activists. It's really up to them to acquire such expertise or get advice from people who have such expertise.

The point is that the technical expertise is not available. It's not up to them. It's not available. What you suggest they do is not possible.

That said, the problem here is no different from figuring out which encryption to use. So your criticism applies equally to encryption as it does to steganography.

Nope. Get back to me when we get government backed standards and recommendations for anonymity (hint: we have them for crypto).

Actually, in the message you responded to, I was specifically talking about users. I've been talking about users of crypto/stego all along!

They're the ones who take virtually all of the risk. The people who write the crypto/stego often aren't even in the same country, and they do their development in countries where crypto/stego are perfectly legal.

So I don't know why you started talking about developers all of a sudden.

However, I thought you might have switched subjects, so I specifically addressed crypto development in my second paragraph.

"Developed by academics, but tested by both academics and the government. The testing is the thing that's actually important."

That testing is only worthwhile if your threat model does not include the government itself, which has a vested interest in breaking all encryption, whether or not it has been "certified" by them.

"The point is that the technical expertise is not available. It's not up to them. It's not available. What you suggest they do is not possible."

How is it not available? There are plenty of people who design and analyze stego. There's your expertise.

"Get back to me when we get government backed standards and recommendations for anonymity (hint: we have them for crypto)."

Get back to me when that actually matters.

The government also has a vested intrest that the cryptography used by itself and its citizens be reasonably secure, else industrial espionage and other similar activities become trivial. Note that the NSA approved AES for the protection of Top Secret information. If you want to argue the NSA deliberately let the majority of classified information in the United States be protected by a flawed algorithm you're going to have to provide some proof.

How is it not available? There are plenty of people who design and analyze stego. There's your expertise.

The people that are good at building and designing crypto and stego (Are there any good stego systems? Doubt it.) systems are outside the paygrade of most companies, nevermind activists. The expertise is not available.

--

Your arguments are disconnected from reality and don't really have any particularly notable knowledge of this domain. This conversation has been a net loss, and judging by your average of ~2 karma per comment, other people seem to agree. I'll let you have the last word if you'd like it, but please refrain from wasting so much space in the future.

Pot, meet kettle.

Despite this, I'll do you the kindness of actually addressing the point you made by giving you a big, "so what?"

Activists and dissidents often go up against nation states. That's the nature of the business. And they knowingly take risks to do so.

The question is, are they simply going to use bare encryption, thereby virtually guaranteeing to draw attention to themselves in a state like China? Or are they going to wrap their encrypted message in a layer of steganography, thus giving themselves at least a chance to avoid detection in the first place?

How in-depth do you want me to get with you? I gave you an actual (high-level, easy-to-read, summarized) academic source. You clearly haven't read it. Why not go take some time with it and come back not sounding like a crank?

Got any suggestions? Because I know the millions of Chinese who attempt to circumvent China's firewall daily would love to hear about it.

The point is that probably 90% of the time, these people aren't using anything better than bare encryption (if that), and they're drawing attention to themselves anyway. If they're going to do that anyway, I think it makes much more sense to hide the communication via stego.

But if you've got a better idea, let's hear it.