
Steganography


scottandmitzi


Can anyone help me. I have created a steganography cache. Steganography is hiding a .txt file inside a .jpg in case you don't know. There are many of these caches already. The reviewer is telling me that it can't be published because it isn't allowed. There are all kinds of these already in existence. Who do I talk to in order to protest?

Link to comment

With steganography, you can hide a .txt file inside a .jpg. In order to find the coordinates you would have to save a copy of the picture and unzip it to separate the .txt file with the coordinates.

 

The reviewer states that it is not allowed to have anyone download anything. I say that is incorrect. There are also tons of this kind of cache already in existence.

Link to comment
If it did, why are there tons of other steganography caches?
As Harry Dolphin pointed out, "there is no precedent for placing geocaches."

 

The guidelines against geocaches that require additional website registration, installs or downloads have changed somewhat over the years, and their interpretation has definitely been tightened up over the years. Steganography caches that were published a few years ago might not be published if they were submitted today, but they are grandfathered in their original form.

Link to comment
What did the Reviewer say was not allowed? The location?

 

Reviewer notes all boil down to: please provide an online method for decrypting this picture that doesn't require downloading of the file and/or software to decrypt it.

 

This is a typical question I ask anytime Steganography is mentioned as there are so many different ways to encrypt coordinates. Some of the ways meet the guidelines, some of them do not. By showing an online way, you are meeting the guidelines.

Link to comment

Thanks for chiming in, OReviewer. Helpful to understand the nature of the problem.

 

That said, I would note that a well done steganography puzzle won't bend to the use of any 3rd party decryption tool. At its best, a person would have to inspect the thing manually. Depending upon how the OP constructed it, it's possible that the answer is "there is no online or downloadable method available for solving it".

 

However, it's the 2nd part that has us all scratching our heads. Are you suggesting that one may not require the downloading of an image file as part of a puzzle solution? That does rather fly in the face of prior practice on many hundreds of puzzle caches - both where the owner's source file is hosted at gc.com and where it is not.

Link to comment

It's not the downloading of the image itself, but the possible need to download software that would deconstruct the image to find the secret hidden within. Requiring an online solution is the fastest path to happiness.

 

I just went through the same exercise with a sound file cache that had a new twist I hadn't seen before. My research, and the CO's initial answer, told me that third party downloaded software was needed. I cited the guideline, then the owner pointed me to a website that did the trick for free. I had him add the required download disclaimer language and was able to publish the cache the next morning.

 

EDIT, after seeing OReviewer's post below, to add: even though OReviewer and I both review in the same state, I have not looked at the cache in question. Nothing in this post is intended to be specific to the OP's cache.

Edited by Keystone
Link to comment
However, it's the 2nd part that has us all scratching our heads. Are you suggesting that one may not require the downloading of an image file as part of a puzzle solution? That does rather fly in the face of prior practice on many hundreds of puzzle caches - both where the owner's source file is hosted at gc.com and where it is not.

 

I can't really say more without giving away the puzzle and I won't do that. The way it is explained to me by the cache owner, I understand it isn't something we allow. I suggested he go to appeals for an unbiased second opinion.

Edited by OReviewer
Link to comment

I did already send a message to appeals about this before it was mentioned by OReviewer. It was already suggested to me earlier in this thread. Also, OReviewer said he/she isn't allowed to comment about it while it is in appeals. Hmmmmm. Doing an awful lot of commenting about it.

 

The fact is you are allowed to download pictures off of a page. Also, you DO NOT, I repeat DO NOT need third party software. There are plenty of free sites that will dismantle the steganograph without installing third party software. www.unzip-online.com is just one of many examples from a simple Google search. No installing of any third party software.

 

I have suggested this over and over. I keep getting told I can't require downloading a pic. Start cancelling puzzle caches then. Geocaching just got boring.

 

I also offered more than three times to add the disclaimer language that the download is required. I just keep getting told it's the downloading that isn't allowed.

Edited by scottandmitzi
Link to comment

You started a forum thread, which invites public discussion from anyone and everyone. There's no rule saying a reviewer cannot contribute their side of the story.

 

This is the "How do I?" forum, designed to help people with questions. Focus your posts on "how do I get my cache published?" and "how do I navigate through the appeals process?" rather than being snarky towards your reviewer. Thanks.

Link to comment

I wasn't trying to be snarky. I apologize. It was told to me straight from the reviewer that they weren't allowed to comment. I guess I misunderstood and apologize again.

It's just been a long day of going around in circles. I will withdraw this cache in a minute if I am wrong. I just want to make it right.

 

Is requiring the downloading of a pic okay? Is the solution I provided for an online way to solve the cache okay? Everyone has said other steganography caches get published. What is different? I will fix it.

Link to comment

I've since looked at your cache page. Based on written guidance given to the reviewers by Geocaching HQ concerning file downloads and (specifically) steganography, your design is not publishable. OReviewer is spot-on with the issues he noted on your cache page.

 

You're absolutely entitled, however, to ask for a second look from Appeals.

Link to comment

Can you PM me about what part of the design is unpublishable? Is there anything I can do to fix it? I value the second opinion. If it is not fixable, I will withdraw it immediately. I am just not understanding which part is wrong.

 

It has been said in this thread requiring a download is ok and offering an online solution is ok. Where am I going wrong?

Link to comment

Does a person have to register to use the software you referenced?

The site you use as an example, says it will "At unzip-online you can decompress .zip and .rar files without having to install software." Will it work on a .jpg file?

Link to comment

I wasn't trying to be snarky. I apologize. It was told to me straight from the reviewer that they weren't allowed to comment. I guess I misunderstood and apologize again.

It's just been a long day of going around in circles. I will withdraw this cache in a minute if I am wrong. I just want to make it right.

 

Is requiring the downloading of a pic okay? Is the solution I provided for an online way to solve the cache okay? Everyone has said other steganography caches get published. What is different? I will fix it.

Actually, they will be downloading the picture when they go to the cache page. That picture is already on their computer. They can SAVE the picture permanently to their hard drive, but it has already been downloaded simply by viewing it. In fact, a copy will already have been saved in their browser's cache.

Link to comment

It's not the downloading of the image itself, but the possible need to download software that would deconstruct the image to find the secret hidden within.

 

How could that ever be needed? In principle such tools can always be implemented from scratch if desired and if the required competence is available (which then rather is a question of the D rating). Requiring the availability of an online tool is not the best thing to do in my opinion.

Link to comment

I wasn't trying to be snarky. I apologize. It was told to me straight from the reviewer that they weren't allowed to comment. I guess I misunderstood and apologize again.

It's just been a long day of going around in circles. I will withdraw this cache in a minute if I am wrong. I just want to make it right.

 

Is requiring the downloading of a pic okay? Is the solution I provided for an online way to solve the cache okay? Everyone has said other steganography caches get published. What is different? I will fix it.

Actually, they will be downloading the picture when they go to the cache page. That picture is already on their computer. They can SAVE the picture permanently to their hard drive, but it has already been downloaded simply by viewing it. In fact, a copy will already have been saved in their browser's cache.

 

I think I have an idea how this puzzle was constructed and if I'm right it would require saving (at least temporarily) a copy of the image onto their local hard drive before uploading it (with a small change) to an online web site.

 

I took a look at the online site the OP suggested and see the following:

 

"Just upload a file and download the uncompressed files in it."

 

I wonder if "download the uncompressed files in it" is causing the problem.

 

BTW, I've mentioned this before but it might be useful to have a pinned forum topic in the Geocaching HQ Announcements section which describes Geocache Listing Guidelines/Requirement changes or explanations when reviewers are told to interpret existing guidelines in a specific manner. If reviewers are being told to interpret the "No downloads" guideline in a specific way, it would be nice for potential cache owners to know if a new interpretation is going to mean a puzzle cache they've worked on for a long time won't be published under a recent interpretation.

 

 

Link to comment

Exactly, because it isn't written that way at all. Instead of "interpretation", put it in plain English. This cache is harmless.

 

I'm sure that it is but it's understandable that GS would err on the side of caution to prevent someone from downloading a cache that looks harmless, but isn't.

 

A trojan horse is basically a form of steganography. It's hiding a message, file, or possibly executable code inside another file.

 

 

Link to comment

Thanks for that, NYPaddleCacher. It is indeed the *risk* of mischief that drives the guideline, not the presence of actual mischief. And, there have been examples of actual mischief, unfortunately.

 

To your earlier post, since "steganography with a text file zipped inside an image" is not exactly as common an issue as, say, hiding one film canister less than 528 feet away from another, it's not specifically covered in the guidelines. We try to keep the guidelines text as short as possible. (And they're still too long and don't get read by everyone!) The general file downloads guideline provides a sufficient flag that there might be an issue:

 

In the interest of file security, caches that require the installing or running of data and/or executables will likely not be published.

 

A zip file is an "executable." And, that guideline goes on to carve out common exceptions -- PDFs, text files and sound files. Zip files aren't listed as an exception.

 

Please note, rather than a pinned forum topic, the Help Center has lots of supplemental information about what is and is not permitted under the guidelines. The articles on commercialism, challenge caches and cache maintenance are good examples. There is already a Technology article. It explains that Geocaching HQ will not attempt to maintain a comprehensive list of what is and is not permitted, due to constantly changing technology.

Edited by Keystone
Link to comment

Since the rules are:

Downloads of certain files (specifically .TXT files, .PDFs and all audio files) may be acceptable in the interest of allowing greater geocache creativity

The simple solution is to rename your steganopicture to .TXT or .PDF. It does not really matter that the PDF does not get correctly presented in a PDF-reader. You could even tell your users to rename the file back to .jpg after downloading, cause that is allowed :)

 

I find it rather strange that .PDF IS allowed to download and .JPG/.PNG/.GIF is NOT. In .PDF you can build interactive javascript that wreaks havoc on your computer. In .JPG and .PNG there is no way to add executable contents and therefore are always harmful (with the exception of some buffer overruns that are already patched in Windows)

Edited by Kalkendotters
Link to comment

It's not the downloading of the image itself, but the possible need to download software that would deconstruct the image to find the secret hidden within. Requiring an online solution is the fastest path to happiness.

 

Let's back up a minute. I've already been told that downloading images is acceptable. I just can't have somebody download third party software to extract the info. I have found a way to do this all online. It makes the cache totally harder because you have to find an obscure website. But, I guess that will have to be fine with me.

Edited by scottandmitzi
Link to comment

A zip file is an "executable."

 

Pretty sure it's not.

 

You could take an executable file and zip it.

 

You could even create self-extracting zip file - that definitely is an executable.

 

But a standard zip file is just a compressed (or dehydrated in the modern parlance) version of whatever file(s) we added to the archive by the creator.

Link to comment

A zip file is an "executable."

Pretty sure it's not.

 

You could take an executable file and zip it.

 

You could even create self-extracting zip file - that definitely is an executable.

 

But a standard zip file is just a compressed (or dehydrated in the modern parlance) version of whatever file(s) we added to the archive by the creator.

I don't really have a dog in this fight, but I thought I should point out that zipped files can easily hold malevolent payloads. Attaching zipped files disguised as harmless documents, but which actually contain malware, is a time-honored way to infect a PC via e-mail. Not everybody has security software that can prevent infections via downloaded files. Personally, I never try to unzip a file without first scanning it with security software.

 

--Larry

Link to comment

There is a self-extracting zip file that is an executable, so it's possible to masquerade as a zip file but be something malevolent.

Pictures, videos and sound files are generally pretty safe, but Zip files and executables pose the very highest risk.

In order to reduce the risk to their users, Groundspeak has to draw the line somewhere on downloading things to solve puzzles.

Link to comment

There is a self-extracting zip file that is an executable, so it's possible to masquerade as a zip file but be something malevolent.

 

All covered in my original post.

 

Zip files and executables pose the very highest risk.

 

Could you go into some detail about why you believe that to be the case for zip files alone?

Link to comment

A zip file is an "executable."

Pretty sure it's not.

 

You could take an executable file and zip it.

 

You could even create self-extracting zip file - that definitely is an executable.

 

But a standard zip file is just a compressed (or dehydrated in the modern parlance) version of whatever file(s) we added to the archive by the creator.

I don't really have a dog in this fight, but I thought I should point out that zipped files can easily hold malevolent payloads. Attaching zipped files disguised as harmless documents, but which actually contain malware, is a time-honored way to infect a PC via e-mail. Not everybody has security software that can prevent infections via downloaded files. Personally, I never try to unzip a file without first scanning it with security software.

 

--Larry

 

There's no fight here :)

 

Yes - zipped files can hold malevolent payloads by virtue of the fact that they can contain executable files. This doesn't make the zip file itself executable - which was the correction I offered.

 

To the very best of my knowledge the only zip files that are executable are the self-extracting variety which coincidentally have a filename extension of .EXE.

Link to comment

Pretend that it instead says "prohibited file types."

 

^This^

 

They are prohibiting Zip files because they do not want to be in the position to examine all Zip files for malicious contents, and the average user does not have the expertise to do so, either.

 

Can we not just accept this and move on?

Link to comment

Pretend that it instead says "prohibited file types."

 

^This^

 

They are prohibiting Zip files because they do not want to be in the position to examine all Zip files for malicious contents, and the average user does not have the expertise to do so, either.

 

Can we not just accept this and move on?

 

Of course you can move on - I wasn't aware that my questioning your assertion that zip files pose the very highest risk was an impediment to the thread moving on - although I'm not sure where it will move on to given that the OP's question was answered way back in post #13 and it amounted to your cache doesn't meet the guidelines for publication.

 

I had thought that you might perhaps be aware of some new development related to the use of zip files for the distribution of malware that would support your assertion, and given that today's blended threats evolve and mutate at an alarming rate and protection from such things is part of my day job I was interested to learn what might have changed - but I guess it was nothing after all.

 

Thanks for clearing that up - do please continue :)

 

It was no surprise to me that a zip file based steganography cache was disallowed in any case as I understand zip files have been disallowed for some time now. Not that that is a massive issue in truth as that method of steganography is already old-hat now anyway in terms of geocache puzzles. My advice to the OP would be to shrug this one off and find something better :)

Link to comment

A zip file is an "executable."

 

Pretty sure it's not.

 

You could take an executable file and zip it.

 

You could even create self-extracting zip file - that definitely is an executable.

 

But a standard zip file is just a compressed (or dehydrated in the modern parlance) version of whatever file(s) we added to the archive by the creator.

I find it interesting that pocket queries can be downloaded as .ZIP files (although there is the option to not have them zipped)

 

Is there any platform today that does not do native extraction of ZIP files (although Windows likes to call them "compressed folders")?

Link to comment

A zip file is an "executable."

 

Pretty sure it's not.

 

You could take an executable file and zip it.

 

You could even create self-extracting zip file - that definitely is an executable.

 

But a standard zip file is just a compressed (or dehydrated in the modern parlance) version of whatever file(s) we added to the archive by the creator.

I find it interesting that pocket queries can be downloaded as .ZIP files (although there is the option to not have them zipped)

 

Yes - but Groundspeak's .ZIP files are of course the standard, non-executable variety, which don't pose the very highest risk as suggested earlier in the thread :)

 

Is there any platform today that does not do native extraction of ZIP files (although Windows likes to call them "compressed folders")?

 

I can't comment on other platforms but it's been an integral part of Windows for donkey's years.

Link to comment

Meanwhile, the OP made some modifications to the steganography technique employed in his cache design. His puzzle cache was published yesterday, and three geocachers have already logged finds on it. :grin:

 

No idea where he is at or the cache is but after this post at least I'll know how to solve at least ONE puzzle cache, lol!

Link to comment

Meanwhile, the OP made some modifications to the steganography technique employed in his cache design. His puzzle cache was published yesterday, and three geocachers have already logged finds on it. :grin:

 

No idea where he is at or the cache is but after this post at least I'll know how to solve at least ONE puzzle cache, lol!

 

Not gonna make it to the detective squad, huh? :P

Link to comment

Meanwhile, the OP made some modifications to the steganography technique employed in his cache design. His puzzle cache was published yesterday, and three geocachers have already logged finds on it. :grin:

 

No idea where he is at or the cache is but after this post at least I'll know how to solve at least ONE puzzle cache, lol!

 

Not gonna make it to the detective squad, huh? :P

 

Not thinkin' so!! :unsure:

 

Seriously though, I just never looked up his caches. It is actually 125 miles from me... So maybe a possibility one day?

Edited by doc73
Link to comment

<tangent>

A ZIP file is just a container, much like the boxes we hide in the woods. A person can put something dangerous in either type.

 

So we embrace one but ban the other?

</tangent>

 

Well, one, the ZIP file, we can actually look into before we actually open it.

Link to comment
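The point made above, that a ZIP can be looked into before it is opened, applied to the zip-inside-a-.jpg construction this thread is about; this is an added example, not code from any poster or from Geocaching HQ. The function names, the `RISKY` extension list and the sample bytes are assumptions constructed for the illustration.

```python
import io
import struct
import zipfile

# Assumed, non-exhaustive list of member extensions that run code when opened.
RISKY = (".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".ps1", ".msi", ".lnk")


def jpeg_end(data: bytes) -> int:
    """Offset just past the JPEG EOI marker, found by walking the segment structure."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the picture ends here
            return pos + 2
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length field
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length                        # skip segment (also skips EXIF thumbnails)
        if marker == 0xDA:                       # SOS: entropy-coded scan data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker, not stuffing or a restart
                pos += 1
    raise ValueError("no EOI marker found")


def inspect_image(data: bytes) -> dict:
    """Report what follows the picture; the archive is listed, never extracted."""
    end = jpeg_end(data)
    trailer = data[end:]
    report = {"jpeg_bytes": end, "trailing_bytes": len(trailer),
              "sfx_stub": trailer[:2] == b"MZ",  # heuristic: DOS/PE header of a self-extractor
              "members": [], "risky": []}
    if trailer and zipfile.is_zipfile(io.BytesIO(trailer)):
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            for info in zf.infolist():           # reads the central directory only
                report["members"].append((info.filename, info.file_size))
                if info.filename.lower().endswith(RISKY):
                    report["risky"].append(info.filename)
    return report


def build_sample(member: str = "coords.txt") -> bytes:
    """Constructed sample: a structurally minimal JPEG with a one-file ZIP appended."""
    jpeg = (b"\xff\xd8"
            b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
            b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header
            b"\x12\xff\x00\x34"                                              # scan data
            b"\xff\xd9")                                                     # EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "N 00 00.000 W 000 00.000 (placeholder)")
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    print(inspect_image(build_sample()))
```

A non-zero `trailing_bytes` alone shows the picture carries extra data; `members` and `risky` show what the archive claims to contain before anything is unpacked or run.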

Well, for one thing, I would refuse to review any cache that required me to unzip a zip file that's provided by an unknown source. Community Volunteer Reviewers are not provided with free laptops that have Signal the Frog logos. Disgruntled geocachers can and do attempt malicious things to infect volunteers' computers, invade their privacy, spam their email accounts, etc.

 

At my paying job working for a large bank, employees are regularly subjected to social engineering schemes to infect our computers. A malicious zip file was sent to me within the past month. I recognized it as suspect, reported it to our IT Security department, and they confirmed I had detected an attempt to infiltrate our network.

 

At home I do not have an IT Security department, just commercial Anti-Virus software.

Link to comment

Well, for one thing, I would refuse to review any cache that required me to unzip a zip file that's provided by an unknown source. Community Volunteer Reviewers are not provided with free laptops that have Signal the Frog logos. Disgruntled geocachers can and do attempt malicious things to infect volunteers' computers, invade their privacy, spam their email accounts, etc.

 

At my paying job working for a large bank, employees are regularly subjected to social engineering schemes to infect our computers. A malicious zip file was sent to me within the past month. I recognized it as suspect, reported it to our IT Security department, and they confirmed I had detected an attempt to infiltrate our network.

 

At home I do not have an IT Security department, just commercial Anti-Virus software.

 

So Groundspeak's decision to include zip files on its list of prohibited file types is to protect the computers used by Community Volunteer Reviewers from risks associated with files which have the potential to infect said computers with some form of malware?

Link to comment

Well, for one thing, I would refuse to review any cache that required me to unzip a zip file that's provided by an unknown source. Community Volunteer Reviewers are not provided with free laptops that have Signal the Frog logos. Disgruntled geocachers can and do attempt malicious things to infect volunteers' computers, invade their privacy, spam their email accounts, etc.

 

At my paying job working for a large bank, employees are regularly subjected to social engineering schemes to infect our computers. A malicious zip file was sent to me within the past month. I recognized it as suspect, reported it to our IT Security department, and they confirmed I had detected an attempt to infiltrate our network.

 

At home I do not have an IT Security department, just commercial Anti-Virus software.

 

So Groundspeak's decision to include zip files on its list of prohibited file types is to protect the computers used by Community Volunteer Reviewers from risks associated with files which have the potential to infect said computers with some form of malware?

 

WOW! Is that what came out when you sent Keystone's statement through Google Translate?

Link to comment
This topic is now closed to further replies.