
Steganography



For those of you who don't know what Steganography is, it simply means hiding data (i.e. text etc.) within pictures.

 

To the best of my knowledge, there is no such thing as one program or website that can solve all forms of Steganography.

 

Therefore, one has to download different programs from different websites to solve different types of Steganography puzzles.

 

So, why have the GC Reviewers come to the conclusion that it is in their/our best interest to disallow this type of puzzle to exist?

 

To support their decision making process, the following statement has been used:

 

(Reference this guideline: http://www.geocaching.com/about/guidelines.aspx#thirdpartycontent)

 

In the interest of file security, caches that require the installing or running of data and/or executables will likely not be published.

 

Why don't you just leave my security to me. Sounds like GC's attempt to protect us from ourselves!

 

The funny thing is, there are several functions within GC itself that require downloading of various programs from other websites. Should those downloads be banned as well?

 

Does anyone over at GC care to explain why this type of puzzle is now being banned?

 

Fledermaus

 

My two mottos are: If It Ain't Broke, Don't Fix it! --- If It Still Works, Don't Replace It!

Link to comment

Because NOTHING should EVER need to be installed.

 

As soon as something needs to be installed, you've not only eliminated a significant number of cachers, you've introduced a security risk.

 

There's a lot of ways to hide info in pictures that don't require downloading apps or programs. Stick to those ways.

Link to comment

Groundspeak has every right to fret over their own file security, but I completely agree with the opening poster here.

The security of my own computer is my own business. They should not be condescending to the point of trying to protect people from themselves.

Simply include a clause in your terms of service and you're not liable if anything does happen -- problem solved.

Link to comment

I'm not sure what you're complaining about. Did you have an actual problem? The only time I've heard of that passage being applied, it was because of a requirement for a specific application, not rejecting a cache because one has to look around, find, and perhaps download one or more tools to solve a puzzle. I would be surprised that steganography puzzles in general would be prohibited, since in theory a solver could write his own application if he didn't want to use anyone else's.

 

And this agrees with the other statements about leaving security up to the individual solver. In addition to deciding whether a tool will help you solve a puzzle, one of the many things you would consider about any tool you download would be the risk involved and any larger commitment such as setting up an account. I can't imagine caches being prohibited because one possible approach involves taking risks and making commitments.

Link to comment
Therefore, one has to download different programs from different websites to solve different types of Steganography puzzles.

 

Not true. Steganography is not a magical process that must be performed by a program that the cache hider does not understand.

 

So, why have the GC Reviewers come to the conclusion that it is in their/our best interest to disallow this type of puzzle to exist?

 

They have come to no such conclusion. Groundspeak decided (several years ago, actually) against puzzles that require one particular piece of software to be installed.

 

If the puzzle can be solved by multiple possible software packages, it is fine.

 

If the steganography program explained exactly how its algorithm worked so that somebody could write their own program to extract the data, that would be fine as well. Heck, if the software was open-source, it might still be OK. But closed-source steganography is a particularly bad case to use for this argument, as the possibility that the software is doing something you don't want it to do is quite great. I personally tend not to trust steganography packages, much as I would not trust some random "super encryption" program for which the algorithm is not revealed.

 

My experience with steganography caches is that the hider usually has no idea of how the steganography program works, and there is no way to solve the puzzle except by guessing either the key or the program to extract it. Not very good puzzles, in my opinion.

 

Does anyone over at GC care to explain why this type of puzzle is now being banned?

 

Steganography caches have not been "banned." What is no longer allowed to be listed are caches where a specific program from an unknown author is required to be installed on your system to make it work.

 

FWIW, I also think that weird proprietary 2D barcodes that can only be read by a single application should not be accepted, either. I'm even unhappy about Chirp caches.

Link to comment

 

And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Judging by the number of Garmin Oregon GPSr units sold over the last several years, I would say that a true 5/5, (deep SCUBA, serious cliff hides, etc), excludes a significantly greater number of cachers than a Chirp does. Should these be banned as well?

Link to comment

And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Judging by the number of Garmin Oregon GPSr units sold over the last several years, I would say that a true 5/5, (deep SCUBA, serious cliff hides, etc), excludes a significantly greater number of cachers than a Chirp does. Should these be banned as well?

 

For that matter, just about any cache with a terrain rating of 1.5 or higher excludes those with mobility impairments. Maybe we should drop those. And don't get me started on all those puzzle caches with ratings of 3 or higher, which exclude stupid people. Don't stupid people have a right to cache? :)

 

Seriously, though ... I think we're losing track of the point. The guideline itself specifically states that the guideline is there "in the interest of file security". It's a really bad idea to encourage people to download a specific program from a specific location in order to solve a puzzle; there's no way for the average cacher to know whether or not that magic program is really a Trojan horse that will trash their computer.

 

I've solved a number of puzzles involving images for which one needed image-manipulating software to finish the puzzle. That's fine; I can get that software on my own from trusted sources, and be responsible for the consequences if I don't choose wisely. We just shouldn't be asking people to choose between finding a cache and keeping their computer free from malware.

Link to comment

And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Judging by the number of Garmin Oregon GPSr units sold over the last several years, I would say that a true 5/5, (deep SCUBA, serious cliff hides, etc), excludes a significantly greater number of cachers than a Chirp does. Should these be banned as well?

A puzzle cache that utilizes a podcast containing crude language would cause some people to self-exclude themselves. Should this be banned as well? You seem to think so, even when the cache page itself is family friendly and includes appropriate warnings.

Link to comment

 

And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Judging by the number of Garmin Oregon GPSr units sold over the last several years, I would say that a true 5/5, (deep SCUBA, serious cliff hides, etc), excludes a significantly greater number of cachers than a Chirp does. Should these be banned as well?

 

This is a bit of a rabbit trail from the original post but the answer has to be no.

 

If I want to find a Chirp cache I have to buy a Garmin product. I might be caching with a Magellan, a smartphone or a map but as soon as a Chirp appears it's Garmin or nothing.

 

If I want to do a scuba cache or a caving cache or an abseiling cache I can buy equipment from whatever producer takes my fancy - there is no requirement to support one particular company. If a cache required a long hike and had a restriction that you had to wear a pair of Timberland walking boots to do the hike it would rightly be rejected.

 

As for the OP's concern about steganography I'd agree with what people are saying about requiring a particular piece of software to be installed. As a computer literate user I expect to take responsibility for the security of my own PC but as soon as we require a particular application to solve a puzzle we eliminate people who don't use our choice of platform and expose the less computer literate to all sorts of unwanted issues.

 

For what it's worth I've solved a few steganography puzzles and when I realised how they worked I wrote my own application to get at the relevant data, which also allowed me to fiddle with just what it extracted when I came to solve subsequent puzzles by the same setter.

Link to comment

...And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Not so many as you might think are excluded. I can do them on my Garmin 62s and also on my Samsung Galaxy S3 phone. (yes, there is an app for that) Most Droids can do it with perhaps $40 for a simple cable and an ANT+ antenna module from Suunto.

Link to comment

...And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Not so many as you might think are excluded. I can do them on my Garmin 62s and also on my Samsung Galaxy S3 phone. (yes, there is an app for that) Most Droids can do it with perhaps $40 for a simple cable and an ANT+ antenna module from Suunto.

 

If you can do Chirp caches without a Garmin device then my objection to them is withdrawn.

Link to comment

...And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Not so many as you might think are excluded. I can do them on my Garmin 62s and also on my Samsung Galaxy S3 phone. (yes, there is an app for that) Most Droids can do it with perhaps $40 for a simple cable and an ANT+ antenna module from Suunto.

 

I believe you can buy a similar app/dongle combination to be able to do them using an iPhone.

Link to comment

For those of you who don't know what Steganography is, it simply means hiding data (i.e. text etc.) within pictures.

 

Steganography isn't limited to hiding data in pictures - not by a long chalk.

 

It can be something as simple as hiding a message in the white space parts of a word processing document - the main idea being that anyone looking at that document, other than the sender and intended recipient of the encoded message, see only the carrier data and don't even suspect that there's a second message there - in plain sight.

 

It's quite true that there are many computer based steganography tools and typically a particular stego method will require a specific tool to extract the hidden message - but I thought the thou shalt not require those seeking thine cache to download data / executable files guideline was more generic than trying to save people having to install particular software on a particular platform for a particular job. I thought it was more to do with saving people having to download data for other good reasons, such as it might include malware? Or advertising?

Link to comment

...And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Not so many as you might think are excluded. I can do them on my Garmin 62s and also on my Samsung Galaxy S3 phone.

 

I can't on my S3. I was excited to see your post and very disappointed that mine apparently lacks the hardware.

Link to comment

I can't on my S3. I was excited to see your post and very disappointed that mine apparently lacks the hardware.

All S3 phones lack the hardware. As I said you have to add the USB OTG adapter cable and the Suunto ANT+ module at about $40. Some other brand phones have the hardware built in but the S3 is the most popular phone out there and it needs the additional stuff added as described below.

http://fun2code-blog.blogspot.com/2012/08/cache-beacon-beta-introduction.html

Link to comment

I thought it was more to do with saving people having to download data for other good reasons, such as it might include malware? Or advertising?

 

Technically, that would include any web page on the internet. All a web browser does is request data from a server and then renders it on your screen. That data could include images with embedded malicious information, cookies that get stored on your machine, and quite commonly, advertising (for example, the geocaching.com pages).

 

 

Link to comment

I thought it was more to do with saving people having to download data for other good reasons, such as it might include malware? Or advertising?

 

Technically, that would include any web page on the internet. All a web browser does is request data from a server and then renders it on your screen. That data could include images with embedded malicious information, cookies that get stored on your machine, and quite commonly, advertising (for example, the geocaching.com pages).

 

Absolutely correct - which is why that particular guideline is far from perfect.

Link to comment

I'd never tried creating a steganography puzzle and my first go has struck a problem.

I tried using mozaiq, but the hidden information seems to get "lost" when I upload the picture to a cache page.

Can anyone help with this or point me to another method where this won't happen?

Edited by Bunya
Link to comment

And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Judging by the number of Garmin Oregon GPSr units sold over the last several years, I would say that a true 5/5, (deep SCUBA, serious cliff hides, etc), excludes a significantly greater number of cachers than a Chirp does. Should these be banned as well?

A puzzle cache that utilizes a podcast containing crude language would cause some people to self-exclude themselves. Should this be banned as well? You seem to think so, even when the cache page itself is family friendly and includes appropriate warnings.

Do tell... :unsure:

Link to comment

And I completely agree that Chirp caches should not be allowed, since it excludes a significant portion of geocachers.

Judging by the number of Garmin Oregon GPSr units sold over the last several years, I would say that a true 5/5, (deep SCUBA, serious cliff hides, etc), excludes a significantly greater number of cachers than a Chirp does. Should these be banned as well?

A puzzle cache that utilizes a podcast containing crude language would cause some people to self-exclude themselves. Should this be banned as well? You seem to think so, even when the cache page itself is family friendly and includes appropriate warnings.

Do tell... :unsure:

So, you don't think so?

Link to comment

A puzzle cache that utilizes a podcast containing crude language would cause some people to self-exclude themselves. Should this be banned as well? You seem to think so, even when the cache page itself is family friendly and includes appropriate warnings.

 

Godwin's law has been augmented by CanadianRockies law: "given enough time, in any online discussion—regardless of topic or scope— inevitably a reference will be made to the ill-fated attempt to publish the infamous podcast puzzle."

 

I now return you to your regularly scheduled thread, which I believe had something to do with steganography.

Edited by cheech gang
Link to comment

For those of you who don't know what Steganography is, it simply means hiding data (i.e. text etc.) within pictures.

 

Steganography isn't limited to hiding data in pictures - not by a long chalk.

 

It can be something as simple as hiding a message in the white space parts of a word processing document - the main idea being that anyone looking at that document, other than the sender and intended recipient of the encoded message, see only the carrier data and don't even suspect that there's a second message there - in plain sight.

 

That's a specific type of steganography where the message isn't so much hidden as it is encoded using the formatting of plain text. For example, I've seen a case where the number of spaces in between the words in several paragraphs essentially represented a binary state. For example, one space would be a 0 and two spaces a 1. Each paragraph could effectively produce a string of ones and zeros which could then decode to one of many different representations of a number; binary to decimal, the ASCII values of the characters of the number, Baudot code, etc. In this case, the string of ones and zeros mapped to another type of code that can be represented as a string of binary states. When you think about it, there are a lot of possibilities for representing binary states. On/Off, Big/Small, Light/Dark, or pretty much any combination of two "things".

 

 

Link to comment
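The one-space/two-space scheme described in the post above, as an added example that is not part of the original thread: a small Python decoder that reads the gaps between words in each paragraph and interprets the bits as 8-bit ASCII, one of the representations the post mentions. All function names, the cover text and the hidden values are constructed for illustration.

```python
import re

GAP = re.compile(r"(?<=\S)( +)(?=\S)")  # a run of spaces between two words

def to_bits(message):
    """ASCII text -> string of '0'/'1', eight bits per character."""
    return "".join(f"{ord(ch):08b}" for ch in message)

def embed(cover, message):
    """Build a constructed sample: one space encodes 0, two spaces encode 1."""
    words, bits = cover.split(), to_bits(message)
    if len(words) < len(bits) + 1:
        raise ValueError("cover text has too few word gaps for the message")
    gaps = ["  " if b == "1" else " " for b in bits]
    gaps += [" "] * (len(words) - 1 - len(bits))  # unused gaps stay single
    return words[0] + "".join(g + w for g, w in zip(gaps, words[1:]))

def extract_bits(paragraph):
    """Read each inter-word gap; anything wider than two spaces is an error."""
    bits = []
    for gap in GAP.findall(paragraph):
        if len(gap) > 2:
            raise ValueError(f"gap of {len(gap)} spaces is outside the scheme")
        bits.append("1" if len(gap) == 2 else "0")
    return "".join(bits)

def decode_ascii(bits):
    """Group bits into bytes; ignore a trailing partial byte, stop at 0x00."""
    chars = []
    for i in range(0, len(bits) - 7, 8):
        value = int(bits[i:i + 8], 2)
        if value == 0:
            break
        chars.append(chr(value))
    return "".join(chars)

def decode_text(text):
    """Each blank-line-separated paragraph carries its own bit string."""
    paragraphs = [p for p in text.split("\n\n") if p.strip()]
    return [decode_ascii(extract_bits(p)) for p in paragraphs]

def normalize_spaces(text):
    """Collapsing repeated spaces removes the hidden channel entirely."""
    return re.sub(r" {2,}", " ", text)

# Constructed cover paragraphs (18 words each = 17 gaps = two characters).
COVER_1 = ("The trail starts behind the old mill and follows the creek "
           "north until you reach a wooden bridge")
COVER_2 = ("Look for a hollow stump on the left side and please replace "
           "the lid tightly when you leave")
SAMPLE = "\n\n".join([embed(COVER_1, "N4"), embed(COVER_2, "7W")])

if __name__ == "__main__":
    print(decode_text(SAMPLE))                    # hidden values recovered
    print(decode_text(normalize_spaces(SAMPLE)))  # channel destroyed
```

Because the decoder is a few lines of standard-library code, a solver can read and run it without installing a third-party executable, and the `normalize_spaces` check shows why any platform that collapses whitespace will silently erase this kind of payload.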

To the OP; I understand and support the position of Groundspeak in this matter. They have a vested interest in maintaining the security and safety of their site. We all have used their listing service for many years without encountering malicious code. This creates the appearance that anything listed or referenced here is also safe. IMHO, GS is merely protecting their electronic reputation.

Link to comment

I use the website imgops.com. You can use multiple tools to find text hidden in pictures without having to run additional software on your own computer. You just give the website the address of the image and it does the rest.

That's an excellent example; there may be others.

 

This is consistent with advice given by the reviewer to the OP: "Is there any way to solve this puzzle without downloading these specific steganography programs? For example an optional online tool or a generic image editing program?" and "The problem isn't just the links, it's that the puzzle can't be solved without downloading an executable file. I can't publish a cache like that. I believe there are some online steganography tools that don't require a download or there are ways to conceal information in an image that don't require downloading a specific program. Those would be my best suggestions for moving forward."

 

The actual facts tell a very different story than "disallow[ing] this type of puzzle to exist."

Link to comment
