Search - "steganography"
-
Idea: Hiding a 3D object in an image by making a list of how often every color appears and then displaying that as density information in a 256³ cube (aka using a 3D histogram to encode a 3D object)
-
We can hide messages in images via steganography (or ZIP sewing), we can hide messages in sound via either sound-based transmission (like Morse) or waveform-based transmission (think oscilloscope art videos), we can transmit it in videos in like 300 different fucking combined forms...
Encryption isn't the ONLY way, yo. Social engineering and being a cheeky shithead can get it done too.
-
Looked up at the clock... 2 AM... Thought about giving up and going to sleep, but something kept me there...
Rewrote my encoder and decoder for my steganography program, which are used to insert and retrieve data respectively from images. Compiled, ran, and output was as expected!
Tried to write actual data, instead of just headers, to the image, and it broke... Of course it wouldn't work first try, it's me writing the code after all.
But then, after debugging for a while and changing a couple lines, the encoder looked like it had done its work properly. Then I decoded it, and voila, data completely recovered! It almost felt too magical to be true, usually I have to modify a lot more to get it working.
So now I'm in bed, after literally decimating the memory usage of the program, amongst other optimizations, and I know that the code works perfectly 😎 best part is I refactored each class down to 100 lines each, so now it's clean and dense 😇
Just had to share, feeling so good right now 😄
-
A thing that I am annoyed that people are getting wrong is security by obscurity.
You have heard of it and been told it is bad. It is so bad that it alone is a counter argument. Let me set you straight:
>>>Security by obscurity is the best security you will ever have<<<
There is an asterisk: It is probably not right for your business. But that is for the end.
Security by obscurity means to hide something away. Most security is based on hiding. You hide your private key or your password or whatever other secret there is. If you had a 2048 long sequence of port knocking, that would be fine, too. Or it would be fine if it wasn't observable. You could write this down in your documentation and it wouldn't be security by obscurity. It would just be security. Weird, but fine.
The real meat of obscurity is: No one knows that there is someone. The server you port knock looks like a harmless server, but suddenly has an open port to a bad application for an IP, but only if that IP went to 25 other ports first.
In the animal kingdom, there are different survival strategies. One of them is being an apex predator or at least so big and lumbering that no predator wants a piece of you. That's our security. It is upstream security. It is the state.
But what is the rest of the animal kingdom going to do? Well, run away. That works. Not being caught. And those not fast enough? Hide! Just be invisible to the predators. They cannot triple check every leaf and expect to be done with the tree before starving. That's security by obscurity. Or hide in the group. Zebras. Easy to see, hard to track in the group. Look like everyone else.
There is a reason why drug smugglers don't have vaults in the carry-on. Arrive at the customs and just refuse to open the vault. If the vault is good enough. Nope, they lack the upstream security by the state. The state is their enemy, so they need obscurity rather than cryptographic safety.
And so, for a private person, having a port knocking solution or disguising a service as another service is a great idea.
Every cryptography course happily admits that the moment they can catch you physically, cryptography is useless. They also teach you about steganography. But they omit to tell you that obscurity is the second best solution to having a stronger army when you cannot rely on your state as upstream security.
Why did I say, not a good idea for companies?
1. It is self-defeating, since you have to tell it to all employees using it. A shared secret is no secret. And therefore it cannot be documented.
2. It makes working with different servers so much harder if there is a special procedure for all of them to access them. Even if it were documented. (See 1.)
3. You're a company, you are advertising your services. How to hide that you run them?
Do you see how those are not security relevant questions? Those are implementation relevant questions.
Here is an example:
Should you have your admins log into servers as normal users before elevating to root or is that just obscurity? Well, not for security purposes. Because that foothold is so bad, if compromised, it makes little difference. It is for logging purposes, so we have a better server log who logged in. Not only always root. But if our log could differentiate by the used private key, there is no issue with that.
If it is your private stuff, be creative. Hide it. Important skill. And it is not either, or. Encrypt your backup, then hide it. Port knock, then require an elliptic curve private key to authenticate.
It is a lot of fun, if nothing else. Don't do it with your company. Downsides are too big. Cheaper to hire lawyers if needed.
-
I want to use steganography for blob files (video files). Can anyone point me in the right direction? Is it even possible?