nixosbestos
a year ago
I've read all of the code in this repo, including the README, and have no idea what it does or why it needs to be communicating with a third party server. EDIT: And Octomim, the "secure" server that is somehow essential to this stego app, is written in C. :/
AFAICT this looks like "secure storing data on a third party server, with a username and password, with a tiny identifier token stored in an image". Which, like, why?
ersinesen
a year ago
[author here] The lack of explanation naturally causes some misunderstanding, sorry for that.
Let me clarify the main points:
1. Data is stored only in the image, not on the backend server. Octomim is a proprietary solution that provides a REST API. One can use standalone applications like steghide, etc.
2. Using a backend server like Octomim is useful since it provides key management. The key used for steganography is stored securely on the server and is not propagated anywhere. The key of the steganography algorithm is crucial to prevent extraction without knowledge of it. This enables the user to extract hidden data from anywhere with the image and his authentication information only.
3. Storing env variables in an image can be considered a complementary security measure for securely storing them. You can transfer them anywhere (store in github, etc.) but without access to the backend server no one can read the hidden data. As a matter of fact, attackers won't even be aware of the existence of hidden data.
4. 'Visualenv' is just an application scenario of this scheme. It can be considered a hacker tool, or if you are willing to build a secure variable distribution system it can provide an additional level of security by obscurity.
dumpsterdiver
a year ago
It’s not even clear if images are involved at all since the only knowledge of such to the client is a filename returned from the create endpoint.
If the only knowledge of that image by the client is the filename, why would:
A) The client care about images at all? At that point you could send the name of your grandma and conceivably get back the same data.
B) The host spend more compute performing steganographic operations when they already have the unique identifier they require?
ersinesen
a year ago
[author here] Visualenv is a use case of a backend steganography engine. The main job is done in the backend.
A: The usage may not be clear from the samples. Let me explain step-wise:
1. Client sends text data to the backend to hide it in an image
2. Server:
2.1 Randomly creates a host image
2.2 Hides data in the image making use of the client's steganography key that is available in its database
2.3 Returns the stego image filename to the user (a unique name)
3. Client downloads the stego image to its local machine.
4. Client extracts the hidden data in an image by either:
4.1 Uploading the image
4.2 Sending the filename (assuming the user let it be saved on the server)
P.S. Another user of the server cannot extract the hidden data since he can't access the owner's stego key.
B: Steganographic operations are performed in the backend. The client host just waits for the result.
theamk
a year ago
I am not sure what the server does, but for that repo to work, the server does not even need any steganography, as it has a database.
On "create", it picks a random image, hashes it and stores (user-id, secret, text) in database
On "extract", it's opposite - accept image, hash, fetch from db.
All the API calls would work just the same, no cryptography of any kind needed.
ersinesen
a year ago
[author here] Indeed it may look so from the outside, as a black box.
But let me emphasize that there is no data stored in the backend database. Just user credentials and the steganography key. This key is crucial to extract data.
Hidden data is stored only in the image. Without access to it, server cannot extract the hidden data.
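The create/extract exchange from the author's step-wise description (random host image, embedding under a per-user stego key held only by the server, extraction by upload or by filename) next to theamk's point that a plain database lookup exposes the same API, as an added example that is not part of this thread or of the Visualenv/Octomim code. Everything here is assumed for illustration: the "image" is a bytearray of grayscale pixels, the stego scheme is a keyed-LSB toy (the key seeds a permutation of pixel positions and a truncated HMAC tag detects a wrong key), and the class and function names are invented, not Octomim's REST endpoints. The `demo()` function builds both servers on the same constructed input and reports what each one can extract and what each one's database actually contains.

```python
import hashlib
import hmac
import random
import secrets

# Constructed toy: an "image" is a bytearray of W*H 8-bit grayscale pixels.
W, H = 64, 64
CAPACITY = W * H // 8          # 512 bytes of single-LSB capacity
HEADER, TAG = 2, 4             # 16-bit length prefix, 32-bit truncated HMAC tag


def random_host_image(rng=None):
    """Step 2.1: the server picks a random host image (here: random noise)."""
    rng = rng or random.Random(secrets.randbits(64))
    return bytearray(rng.randrange(256) for _ in range(W * H))


def _positions(key: bytes):
    # The stego key (never sent to the client) decides which pixels carry the
    # payload bits and in which order; without it the LSBs read as noise.
    seed = hashlib.sha256(b"visualenv-positions|" + key).digest()
    return random.Random(seed).sample(range(W * H), W * H)


def _to_bits(data: bytes):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def _from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(key: bytes, payload: bytes, image: bytearray) -> bytearray:
    """Step 2.2: write length || payload || HMAC tag into key-chosen LSBs."""
    if len(payload) + HEADER + TAG > CAPACITY:
        raise ValueError("payload too large for host image")
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG]
    record = len(payload).to_bytes(HEADER, "big") + payload + tag
    out = bytearray(image)
    for pos, bit in zip(_positions(key), _to_bits(record)):
        out[pos] = (out[pos] & 0xFE) | bit
    return out


def extract(key: bytes, image: bytearray):
    """Step 4: read the LSBs in key order; None if the key (or image) is wrong."""
    lsb = [image[p] & 1 for p in _positions(key)]
    n = int.from_bytes(_from_bits(lsb[:HEADER * 8]), "big")
    if n + HEADER + TAG > CAPACITY:
        return None
    body = _from_bits(lsb[HEADER * 8:(HEADER + n + TAG) * 8])
    payload, tag = body[:n], body[n:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG]
    return payload if hmac.compare_digest(tag, expected) else None


class StegoServer:
    """The author's design: the DB holds credentials and a stego key per user."""

    def __init__(self):
        self.db = {}      # user -> {"pw": sha256(password), "key": stego key}
        self.files = {}   # filename -> stego image kept server-side (step 4.2)

    def register(self, user, password):
        # Toy credential store; a real one would use a slow password hash.
        self.db[user] = {"pw": hashlib.sha256(password.encode()).digest(),
                         "key": secrets.token_bytes(32)}

    def _key(self, user, password):
        rec = self.db.get(user)
        if rec is None or not hmac.compare_digest(
                rec["pw"], hashlib.sha256(password.encode()).digest()):
            raise PermissionError("bad credentials")
        return rec["key"]

    def create(self, user, password, text, keep_copy=True):
        stego = embed(self._key(user, password), text.encode(), random_host_image())
        name = secrets.token_hex(8) + ".png"          # step 2.3: unique filename
        if keep_copy:
            self.files[name] = stego
        return name, stego

    def extract_upload(self, user, password, image):   # step 4.1
        data = extract(self._key(user, password), image)
        return None if data is None else data.decode()

    def extract_by_name(self, user, password, name):   # step 4.2
        return self.extract_upload(user, password, self.files[name])


class LookupServer:
    """theamk's black-box equivalent: same calls, no stego, text kept in the DB."""

    def __init__(self):
        self.db = {}      # (user, sha256(image)) -> text
        self.files = {}

    def create(self, user, password, text, keep_copy=True):
        image = random_host_image()
        self.db[(user, hashlib.sha256(image).digest())] = text
        name = secrets.token_hex(8) + ".png"
        if keep_copy:
            self.files[name] = image
        return name, image

    def extract_upload(self, user, password, image):
        return self.db.get((user, hashlib.sha256(image).digest()))

    def extract_by_name(self, user, password, name):
        return self.extract_upload(user, password, self.files[name])


def demo(text="API_TOKEN=constructed-example-value"):
    """Run both servers on the same constructed secret and compare behaviour."""
    stego, lookup = StegoServer(), LookupServer()
    stego.register("alice", "pw-a")
    stego.register("bob", "pw-b")
    name, img = stego.create("alice", "pw-a", text)
    lname, limg = lookup.create("alice", "pw-a", text)
    return {
        "stego_roundtrip": stego.extract_upload("alice", "pw-a", img) == text,
        "stego_by_name": stego.extract_by_name("alice", "pw-a", name) == text,
        "other_user_blocked": stego.extract_upload("bob", "pw-b", img) is None,
        "stego_db_has_text": text in repr(stego.db),     # False: only keys there
        "lookup_roundtrip": lookup.extract_upload("alice", "pw-a", limg) == text,
        "lookup_db_has_text": text in repr(lookup.db),   # True: text is in the DB
    }
```

Both servers answer the same create/extract calls identically from the client's side, which is theamk's observation; the difference the author points to is visible only on the server: `StegoServer.db` holds no payload (so a stolen database alone yields nothing, and a copy of the image alone yields nothing without the key), while `LookupServer.db` holds the text itself. The keyed-LSB scheme is a stand-in chosen for brevity, not a model of whatever Octomim actually does.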