Well, my point has never been that it's impossible for an attacker to be confident that you're using steganography. Rather it's that an attacker cannot prove with certainty.
The "decoy picture" aspect of the protocol is intended to provide social protection and ensure plausible deniability can be maintained. It is not intended as cryptographic protection, that is what the AES is for.
"Confidence" is only useful to an attacker when it comes to determining a target. But an attacker has to already be confident in order to perform such a test in the first place. Which means you've already been selected as a target. Furthermore they would have to compromise enough of your security to access your image data. If that happens, then the benefit of gaining further confidence is marginal at best.
Incidentally, regarding the specific details of such a detection method:
We (and the attacker) already know that the distribution of base64 characters in an AES-encrypted ciphertext is approximately random and follows no discernible pattern. We also know that the ciphertext is encoded into the last 2 bits of each 8-bit pixel. So, we can, with X amount of confidence, show that an image is not a Decoy if we extract the last 2 bits of each pixel and discover the resulting data is non-randomly distributed.
However, because it is possible for normal, non-Decoy, compressed JPEGs to exhibit a random distribution of the data in the last 2 bits of each pixel, the presence of randomness does not confirm that an image is a Decoy.
The only viable attack here would be to pull images which are "visually similar" (a trivial task by simply using Google image search), reduce them to the same size, compress them heavily, and then examine the last 2 bits of each of their pixels. If there is a significant difference in the randomness of the control images vs. the randomness of the suspected image, you could then suggest with X% confidence that the suspected image has been tampered with.
However, because it is possible for an image to be tampered with and yet NOT be a Decoy image, even then you could still not, with any legitimate amount of confidence, use such a test to state that an image is a Decoy.
Information security is a pretty big passion of mine; I don't think someone needs to have "something to hide" in order to make use of digital signing, encryption, etc. Another passion of mine is making things easier for other people to do. I've written a couple of tools that I think can be useful for the LW crowd.
Online PGP Signature: This is an online javascript-based tool which allows you to sign messages using your PGP private key. I love the idea of PGP-signed messages (I remember someone under the pseudonym "Professor Quirrell" handing out PGP-verified Quirrell points a few years back). The problem is, I had yet to find an easy way to do this that didn't involve downloading command-line based software. So I wrote this tool that uses open-sourced, javascript-based PGP libraries to let you easily sign messages in your browser.
The whole thing is client-side so your private key is never seen by me, but be smart about security. If you don't trust me, that's fine, just don't use the tool. But also remember that you could have a virus, your computer could be monitored, someone could be watching over your shoulder, etc. so please be smart about your security. But hopefully this can be helpful.
Decoy: an iPhone App: I wrote this after "The Fappening", where I was basically appalled at the terrible security practices that pretty much everyone uses when sending pictures back and forth. Decoy uses a combination of steganography and AES encryption to let you send images back and forth without having to sign up for an account or use some outside service that can be hacked or otherwise compromised.
You take the original picture, then you come up with a passphrase, then you take a "decoy" picture. The original picture is converted to base64 image data, which is then AES-encrypted using your passphrase. The resulting cipher text is then encoded into the pixels of the "decoy" picture, which is what gets saved on your phone and sent out. The "decoy" pictures are indistinguishable from any other picture on your or your recipients' camera rolls, and unless you have the passphrase, then the original image is thoroughly inaccessible.
If your phone is lost, hacked, stolen, or (more benignly) someone happens to be looking through pictures on your phone, all anyone will see are the "decoy" pictures. Without the password, those pictures are worthless. Although the app is primarily branded for, *ahem*, "personal use", there are plenty of other ways to use it. For example, my wife and I use it for things like sending pictures of sensitive physical documents like credit cards, birth certificates, social security cards, etc.
(full disclosure: although Decoy is free, it is ad-supported so I do financially benefit from people using the app. But on the bright side I'm an avowed rationalist and if I make a quajillion dollars with this app I will spend the vast majority of it on LW-friendly causes!)