-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
75 lines (66 loc) · 5.61 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Simple Steganography - They Live</title>
<style type="text/css">
#obey { float: right; }
div.container { float:left; }
div.actions { clear:left; }
img { display:block; }
dt { font-weight: bold; margin-top: .5em; }
</style>
</head>
<body>
<div id="obey"><img src="images/obey-conform-buy_200x200.png" width="200" height="200" alt="Obey Consume Buy"></div>
<h1>They Live - Simple Steganography</h1>
<p>Just for fun.</p>
<ul>
<li><a href="encode.html">encode</a> a steganographic image (works in Firefox)</li>
<li><a href="decode.html">decode</a> a steganographic image</li>
<li><a href="https://github.com/cherdt/they-live">Chrome extension</a></li>
</ul>
<h2>Frequently Asked Questions</h2>
<dl>
<dt>What is <em>steganography</em>?</dt>
<dd>Hiding a message within another message. In this case, we are hiding a black-and-white picture within a color picture.</dd>
<dt>Why would someone want to do that?</dt>
<dd>If a secret message is intercepted, it is obvious that it is a secret message, right? But what if the secret message looks like a different, harmless message? Steganography would allow people to share a message that, on the surface, looks like something innocuous (for example, a Business Cat meme) but contains a hidden message.</dd>
<dt>Can I use this to send secret messages?</dt>
<dd>Well, yes and no. It would be pretty easy to figure out that there is a hidden message. The hidden message will be hard to decode if you use a custom key, though. I wouldn't use this to hide information from an intelligence agency, but you might be able to hide something from your parents. Assuming your parents don't work for an intelligence agency. There is a saying in the information technology community: "Don't roll your own crypto." Translated, that means you are better off using well-studied, industry-standard cryptography methods (like TLS, which is used by HTTPS) than creating your own (or using one made by me).</dd>
<dt>Do you keep copies of the hidden messages?</dt>
<dd>No. All of the image hiding and un-hiding takes place in your web browser using client-side code. The images you provide are not sent over the network. This site does use Google Analytics, which tracks user visits but should not access your images.</dd>
<dt>I tried it but part of my hidden message is missing!</dt>
<dd>If your facade image is smaller than your hidden message, only the portion of your hidden message that fits within the facade image will be included. It works best if your hidden message and your facade image are the same size, but a larger facade image will work too.</dd>
<dt>I posted an encoded image Facebook and it no longer contains the encoded message. Why not?</dt>
<dd>Facebook converts uploaded images to JPEGs. The JPEG format is a lossy format and the conversion will almost certainly eliminate the coded message. I've successfully posted an encoded image to Twitter and Tumblr though. The following image hosting sites all preserve the hidden data:
<ul>
<li><a href="https://www.flickr.com">Flickr</a></li>
<li><a href="https://imgur.com">imgur</a></li>
<li><a href="https://postimage.io">postimage.io</a></li>
<li><a href="https://imgsafe.org">imgsafe.org</a></li>
<li><a href="http://pasteboard.co">pasteboard</a></li>
<li><a href="https://imgbb.com">imgbb</a></li>
</ul>
</dd>
<dt>How does it work?</dt>
<dd>Black and white images (not grayscale, but literally just black and white) contain only one bit of data per pixel. The encoder alters the least-significant red bit in each pixel of the facade image. The result is different, but not perceptible to the human eye in most cases. When using the default key, the least-significant red bit matches the corresponding bit of the black and white code image.</dd>
<dt>What are the custom keys?</dt>
<dd>The custom keys are randomly-generated noise (technically, pseudo-randomly–generated noise) that is used as a symmetric encryption key. The default key is a symmetric encryption key too, it's just a really simple one -- like if you used "123456" for a password. Custom keys are like using better passwords.</dd>
<dt>How do I use custom keys?</dt>
<dd>You have to save the custom key and provide it to anyone you want to decode your message. This is difficult, because how do you share the key with them in a secure way? E-mail is generally not secure, unless you use encrypted email. And if you and your friend are both using secure e-mail, you could probably just e-mail each other instead of hiding messages in images. You could hand them a USB key containing your custom key file or custom key files. You should not re-use custom key files too many times--the more you re-use them, the easier it would be for someone to decode your hidden messages.</dd>
<dt>Why did you call it "They Live"?</dt>
<dd><a href="http://www.imdb.com/title/tt0096256/">They Live</a> is a 1988 movie directed by John Carpenter. The main character discovers, with the help of a special pair of sunglasses, that the world is full of subliminal messages hidden in plain sight.</dd>
</dl>
<p>Questions or comments? Contact chris @ osric.com</p>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-19082249-1', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>