1000 results for “Data_Ranger”
-
Analysis of AcidRain Malware Variant "AcidPour" and Its Impact on Ukraine
Date: 19 March 2022
CVE: Not specified
Sources: https://www.hackread.com/acidrain-linux-malware-variant-acidpour-ukraine/
Issue Summary
AcidRain, a destructive wiper malware, has been identified as a potential threat linked to the cyberattack on Viasat's KA-SAT satellite broadband service. This malware targets modems and routers, specifically designed to erase their storage contents, rendering the devices inoperable. The attack on Viasat disrupted communications across Ukraine and Europe, marking a significant cyber incident amidst the ongoing conflict between Russia and Ukraine.
Technical Key findings
AcidRain works by recursively deleting files and then attempting to destroy data on various storage devices, such as flash memory and SD/MMC cards, by overwriting them with up to 0x40000 bytes of data or using specific IOCTLs for erasure. This approach suggests a brute-force method, possibly indicating the attackers' desire for the tool to remain generic and reusable across different firmware. SentinelOne researchers found developmental and code overlaps with the VPNFilter malware, hinting at a connection to known Russian APT groups.
Vulnerable products
The attack mainly targeted satellite modems connected to the KA-SAT network, affecting thousands of modems across Europe. However, the malware's generic design suggests that it could potentially impact a wide range of routers and IoT devices with similar storage systems.
Impact assessment
The primary impact is the rendering of targeted modems and routers unusable, causing significant disruptions in satellite communications. This not only affects individual users but also has broader implications for organizations relying on satellite networks for their operations, including remote access to infrastructure and communications across Europe.
Patches or workaround
Specific patches or workarounds for AcidRain were not detailed in the sources. However, the fundamental mitigation involves securing network devices against unauthorized access and ensuring firmware is up to date to reduce vulnerabilities that could be exploited by similar malware.
Tags
#AcidRain, #AcidPour, #Ukraine, #ViasatAttack, #VPNFilter, #WiperMalware, #CyberSecurity, #RouterSecurity, #ModemWiper
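A triage check that follows from the key findings above, added here as an example; it is not code from the post, from hackread or from SentinelOne. The post says the wiper works generically across unknown firmware by walking the filesystem and then overwriting raw flash, SD/MMC and other block devices. A tool that must reach those devices without knowing the target has to open them by path, so the device-node prefixes it uses usually survive as plain strings even in a stripped ELF. The script below extracts printable strings from a binary blob and flags it when it names several distinct raw-storage device families at once. The prefix list, the threshold of two families and the two sample blobs are constructed for this example, not taken from the AcidRain report.

```python
"""Static triage heuristic for AcidRain-style wiper binaries (added example).

Legitimate flashing utilities normally know one device family; a generic,
firmware-agnostic wiper that overwrites "whatever storage is there" tends to
reference several. Scoring the number of families named is the heuristic.
"""
import re
from typing import Dict, List

# Device-node prefixes for raw storage on embedded Linux. Assumption: this
# list was chosen for the example and is not the wiper's own target list.
RAW_STORAGE_PREFIXES = {
    "mtd":  ("/dev/mtd", "/dev/mtdblock", "/dev/block/mtdblock"),  # raw NOR/NAND flash
    "mmc":  ("/dev/mmcblk", "/dev/block/mmcblk"),                  # SD/MMC cards
    "disk": ("/dev/sd", "/dev/loop", "/dev/root"),                 # generic block devices
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify_storage_refs(strings: List[str]) -> Dict[str, List[str]]:
    """Group strings that name raw storage devices by device family."""
    hits: Dict[str, List[str]] = {family: [] for family in RAW_STORAGE_PREFIXES}
    for s in strings:
        for family, prefixes in RAW_STORAGE_PREFIXES.items():
            if any(s.startswith(p) for p in prefixes):
                hits[family].append(s)
    # Drop families with no hits and de-duplicate the rest for stable output.
    return {f: sorted(set(v)) for f, v in hits.items() if v}


def triage(blob: bytes, min_families: int = 2) -> dict:
    """Flag a blob that references at least min_families storage families."""
    refs = classify_storage_refs(extract_strings(blob))
    return {
        "families": sorted(refs),
        "references": refs,
        "suspicious": len(refs) >= min_families,
    }


# Constructed sample "binaries": a handful of strings separated by NUL bytes,
# standing in for the .rodata section of a real ELF. Not real samples.
BENIGN_BLOB = (
    b"\x00\x7fELF\x01\x00/etc/passwd\x00/tmp/update.lock\x00/dev/mtd0\x00"
)
WIPER_LIKE_BLOB = (
    b"\x00\x7fELF\x01\x00/dev/sd\x00/dev/mtdblock\x00/dev/block/mmcblk\x00"
    b"/dev/mmcblk\x00/dev/loop\x00/dev/root\x00/proc/mounts\x00"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BLOB), ("wiper-like", WIPER_LIKE_BLOB)):
        result = triage(blob)
        print(f"{name}: suspicious={result['suspicious']} families={result['families']}")
```

To run it on a real firmware image, pass the file's bytes to triage(). Treat a hit as a reason to look closer, not as a verdict: a single-family reference (the benign blob names /dev/mtd0, as a firmware updater would) is not flagged, but recovery or flashing tools that handle both MTD and MMC will trip the threshold, and a packed or string-obfuscated sample will not. The overwrite length and erase IOCTLs mentioned in the post are compiled into the instruction stream as immediates, so a string scan cannot see them; checking those needs disassembly or dynamic analysis.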
-
Blog post from 2022: What a 50-year-old world model tells us about a way forward today
by Gaya Herrington, 17 May 2022
"My research went viral last summer. I found out via a friend’s text, jokingly accusing me of 'announcing the end of the world.' For several days, headlines on major US news pages declared that my research proved we are on the brink of collapse. A few days later, UK pages touted the same headlines. Then I saw my name popping up in languages I do not know, from Swedish, to Greek, to Chinese, to Sinhala.
"It took me a bit by surprise. My research had been published months earlier, in November 2020. Also, it was a data comparison of a model from a book that was almost half a century old. Apart from the headlines being a simplistic version of my research’s message, they also gave the impression that the possibility of societal collapse suddenly had been revealed. But this warning was a key message of The #LimitsToGrowth (#LtG) book, which the authors Meadows, Meadows, Randers & Behrens published back in 1972. In LtG, commissioned by the #ClubOfRome, the authors identified society’s relentless pursuit of growth not as the solution to, but the cause of, so many of the #environmental and social crises that plague humanity still today. Their analysis was based on a global model called World3. The authors created different scenarios by varying World3’s underlying assumptions. This scenario analysis helped them study global dynamics between variables including industrial output, resources, pollution, and living standards. In my research, I compared four LtG scenarios against a few decades of empirical data. Details about the scenarios, methods and results can be found in my article in Yale’s Journal of Industrial Ecology. An easier read with the gist of my findings was also published on the Club of Rome website. Here, I’ll just share my conclusions, illustrated by a graph of the variable people might be most concerned with: living standards (Figure 1). This graph is from my upcoming book Five Insights for Avoiding Global Collapse, soon available online under Creative Commons, which contains further research analysis and a 2022 data update of my comparison."
The author goes on to explain the graph. I'm focusing on Herrington's scenarios, especially the "SW" scenario in my next post...
https://www.clubofrome.org/blog-post/herrington-ltg50/
#Degrowth #Extinction #ClimateCrisis #EnvironmentalCollapse #Ecocide #Warning
-
Cascade Range volcanoes at normal, background levels of activity: https://www.usgs.gov/programs/VHP/volcano-updates#cvo. Scientists C. Gabrielson & B. Mannisto-Meyers build a new repeater at Flat Top near #MountStHelens. Site used to relay data from monitoring stations to #CVO. Jun 22, 2023 photo by A. Iezzi. #volcano #usgs
-
The dollar-won exchange rate is expected to remain range-bound as global dollar weakness and expectations of a Fed rate cut are offset by strong support from real demand and exporter sales, while foreign investor activity and key economic data releases add to market uncertainty.
#YonhapInfomax #DollarWon #FedRateCut #ForeignExchangeReserves #KOSPI #KevinHassett #Economics #FinancialMarkets #Banking #Securities #Bonds #StockMarket
https://en.infomaxai.com/news/articleView.html?idxno=93657
-
The Psychology of Visual Aesthetics: Why Your Brain Decides What’s Beautiful Before You Do
Beauty isn’t a mystery. It’s a calculation — one your brain runs in milliseconds, without asking for your input. You glance at a logo, or scroll past an image, and something registers immediately. You either feel drawn in or you don’t. That instant pull is the psychology of visual aesthetics at work. And it’s far more precise, more predictable, and more powerful than most people realize.
This matters right now because we live in the most visually saturated environment in human history. Every surface competes for attention. Every brand fights for emotional resonance. Every interface is engineered to trigger a response. Understanding why we find certain colors and shapes instinctively beautiful — and how that shapes our daily decisions — is no longer just an academic question. It’s a design problem, a business problem, and ultimately, a human problem.
So let’s get into it. Not with tired color theory charts or recycled branding advice, but with the actual neuroscience, the evolutionary logic, and a few original frameworks that I think give this topic the precision it deserves.
What Happens in Your Brain When You See Something Beautiful?
The moment your eyes land on something visually compelling, three neural systems activate almost simultaneously. Researchers at the intersection of cognitive neuroscience and aesthetics — a field now known as neuroaesthetics — describe this as a tripartite response: sensory-motor processing, emotion-valuation, and meaning-knowledge activation.
In plain terms, your brain first reads the raw visual data — color, contrast, edge, form. Then it runs an emotional appraisal. Then it cross-references memory and meaning. All three happen within a fraction of a second. What you consciously experience as “beautiful” is actually the output of that layered computation.
Neuroscientific imaging has confirmed that attractive stimuli activate the brain’s reward centers, triggering dopamine release. This isn’t metaphorical. Looking at something you find beautiful produces a measurable neurochemical response — the same kind associated with pleasure, motivation, and reinforcement learning. In other words, your aesthetic preferences are literally rewarding your brain.
This is why visual aesthetics and decision-making are inseparable. If beauty triggers the reward system, then aesthetically pleasing design nudges behavior just as reliably as a well-crafted argument. It operates below the level of rational deliberation. That’s both fascinating and, frankly, a little unsettling.
The Three-System Aesthetic Response (3-SAR Framework)
I want to introduce what I call the Three-System Aesthetic Response (3-SAR) as a working editorial framework. It maps the three neural layers involved in aesthetic judgment onto a practical design lens:
Layer 1 — Sensory Capture: The brain detects basic visual properties — hue, saturation, brightness, symmetry, edge sharpness. This happens preconsciously. Your eyes are simply scanning, and your visual cortex is categorizing.
Layer 2 — Emotional Appraisal: The limbic system assigns valence. Does this feel safe or threatening? Warm or cold? Energizing or calming? This layer is where color psychology lives. Warm hues like red and yellow often trigger energy and arousal. Cool hues like blue and green signal calm and trust.
Layer 3 — Meaning Integration: The prefrontal cortex and memory systems bring context. A shade of blue means one thing in a hospital and something entirely different on a luxury watch. Meaning isn’t in the color itself — it’s in the relationship between the color and everything you already know.
When designers talk about “visual hierarchy” or “brand consistency,” they’re really talking about managing all three layers simultaneously. Most fail to think past Layer 1.
Why Do We Instinctively Prefer Certain Colors?
Color preference is one of the most studied — and most misunderstood — topics in visual psychology. The popular notion that “red means danger, blue means trust” is a dramatic oversimplification. The truth is both more nuanced and more interesting.
Color perception operates across three primary dimensions: hue, saturation, and brightness. Research consistently shows that these dimensions influence emotional valence independently of each other. Highly saturated colors generally register as more positive — they feel vivid, alive, energized. Darker tones tend to read as heavier, more serious, or even threatening. But these aren’t universal rules. These tendencies break down quickly when context, culture, and expertise enter the equation.
Here’s a finding worth sitting with: studies comparing trained artists to general populations show significant divergence in color emotional response. Non-artists tend to rate highly saturated colors more positively. Trained artists, by contrast, develop more nuanced preferences — often favoring desaturated, complex combinations that untrained viewers find flat or dull. Expertise literally rewires aesthetic response.
This points to something important: visual aesthetic preference isn’t fixed. It’s learned, refined, and culturally mediated. At the same time, there are evolutionary baselines that cut across all of that.
Evolutionary Color Signals: Why Blue Feels Calming, and Red Feels Urgent
Evolutionary biology offers a compelling explanation for some of our most consistent color responses. Researchers have argued that human trichromatic vision — our ability to distinguish red from green — evolved specifically to read subtle changes in skin coloration. A flush of red signals anger, arousal, or exertion. A greenish or bluish tint signals illness or poor health. These color cues carry survival-relevant information. Your brain learned to read them fast because reading them slowly had consequences.
This framework explains why red commands attention so reliably. It’s not arbitrary. Red literally signaled biologically important information to your ancestors. Your visual system still treats it with urgency. Blue, conversely, maps onto open skies, clean water, and spatial distance — environments that signal safety and resource availability. That’s why blue tends to produce calm rather than alarm.
I’d call this the Chromatic Survival Map — the idea that our baseline color responses are calibrated to ancient environmental signals, not cultural conventions. Culture layers meaning on top. But the evolutionary substrate is there first.
The Shape of Beauty: Symmetry, Proportion, and the Golden Ratio
Color is only half the story. Form — the geometry of what we see — drives aesthetic response just as powerfully. And here, the science gets genuinely surprising.
Psychological and neuroscientific studies consistently show that humans have an implicit preference for symmetrical patterns. This holds across abstract designs, natural compositions, and human faces. The preference appears spontaneously and doesn’t require deliberate thought. You don’t decide to prefer symmetrical faces. You just do. And you do so within milliseconds of seeing them.
The leading explanation is perceptual fluency. Symmetrical forms are easier for the brain to process. They require less cognitive effort. And because the brain tends to associate ease of processing with accuracy and safety, fluent visual objects feel more pleasant. Beauty, in this sense, is the emotional signature of cognitive efficiency.
Infants show a preference for symmetrical faces within months of birth, before cultural conditioning could possibly account for it. This suggests the preference is innate rather than learned. Evolutionary psychology frames this as an adaptation: symmetrical features correlate with genetic health, developmental stability, and immune robustness. Symmetry, then, is beauty as a biological signal.
The Golden Ratio and Processing Fluency
The golden ratio — approximately 1.618:1, denoted by the Greek letter phi — appears across natural structures, from nautilus shells to sunflower spirals to the proportions of the human face. Researchers have argued that the brain processes proportions that approximate phi more efficiently than arbitrary ratios. This aligns with the perceptual fluency theory: phi-aligned compositions feel right because your visual cortex handles them with minimal friction.
Neuroscience research using fMRI shows that faces with golden ratio proportions activate reward centers more strongly than faces with different proportional relationships. This isn’t just cultural bias toward conventional attractiveness. It’s a measurable neural preference with real-world consequences — in social interactions, professional settings, and even first impressions that happen before a word is spoken.
I want to be careful here, though. The golden ratio is not a magic formula. Many deeply compelling faces and compositions deviate significantly from phi. What the ratio captures is a tendency toward proportional harmony, not a fixed template. Unique features can create memorable beauty precisely because they break expected proportions. The brain responds to surprise as much as to efficiency.
Aesthetic Preference and Daily Decision-Making
Here’s where the psychology of visual aesthetics stops being theoretical and starts being personal. Your aesthetic responses aren’t just passive reactions to the world. They actively shape your choices — what you buy, where you eat, who you trust, how you vote.
Research in neuroaesthetics has established that aesthetic evaluations influence decisions in mate selection, consumer behavior, art appreciation, and potentially even moral judgment. Your brain doesn’t cleanly separate “is this beautiful” from “should I engage with this.” The two questions get processed through overlapping neural circuits. Beauty becomes a heuristic — a fast signal that tells the brain whether something is worth further attention and trust.
This is the Aesthetic Trust Transfer effect: when something looks beautiful, we unconsciously attribute other positive qualities to it — competence, reliability, quality, safety. A more attractive product package activates stronger reward responses in the brain. A more symmetrical face reads as more trustworthy and competent, regardless of actual competence. We know this is happening. We still can’t stop it.
Visual Aesthetics in Consumer Behavior
For brands, this is everything. The aesthetics of a product, package, or interface don’t merely set a mood — they pre-load expectations that influence satisfaction before a single feature is evaluated. Research has shown that more aesthetically designed packaging activates stronger neural reward responses, shaping perceived value before the product is even touched.
Context modulates this effect. The same artwork, presented in a gallery versus on a screen, activates different neural responses in the medial orbitofrontal cortex. The same product, presented with intentional design versus generic packaging, triggers different purchasing behavior. Aesthetic context isn’t decorative. It’s functional.
Personality also shapes aesthetic response in measurable ways. Extroverts show greater attraction to warm, saturated hues. Introverts tend to favor cool, desaturated palettes. This isn’t a trivial observation — it suggests that truly effective visual communication has to account for who’s looking, not just what’s being shown.
The Perceptual Fluency Principle and Why It Predicts Viral Content
One of the most useful — and underappreciated — concepts in aesthetic psychology is perceptual fluency. The idea is straightforward: when a visual stimulus is easy to process, we rate it as more pleasant, more true, and more beautiful. Ease of perception gets misread as quality of content.
This has profound implications for content creation, branding, and communication design. Clean layouts, high contrast, clear visual hierarchy, and familiar compositional structures all increase fluency. And increased fluency increases positive response — without the viewer understanding why.
I call this the Fluency Dividend: the measurable boost in perceived quality, credibility, and appeal that well-organized visual communication generates beyond its literal content. A mediocre idea in a clean design beats a brilliant idea in a cluttered one, at least in first impressions. That’s uncomfortable. And it’s true.
This is also why certain types of content spread more readily on social media. High-contrast imagery, strong compositional balance, and emotionally legible color palettes all reduce cognitive load. Reduced cognitive load means faster emotional response. Faster emotional response means faster sharing behavior. Visual aesthetics literally accelerates social contagion.
When Aesthetic Familiarity Becomes Aesthetic Fatigue
There’s a counterforce, though. The mere exposure effect — the well-documented tendency to prefer things we’ve seen before — operates within a range. Repeated exposure increases liking up to a point. Beyond that threshold, familiarity collapses into predictability, and predictability triggers boredom.
This is why aesthetic trends cycle. Minimalism gave way to maximalism. Flat design created an appetite for texture and depth. Every visual language eventually becomes overused, and the brain — always hunting for novelty alongside pattern — starts rejecting what it once rewarded.
The most enduring visual identities navigate this tension deliberately. They build on familiar structural cues — symmetry, proportion, clear hierarchy — while introducing controlled doses of unexpected color, form, or compositional choice. They play the fluency game and the surprise game simultaneously. That’s harder to pull off than it sounds, and rarer than it should be.
Cultural Conditioning and the Limits of Universal Aesthetics
All of this needs a caveat. The evolutionary and neurological baselines I’ve described are real — but they don’t operate in a vacuum. Culture, personal history, and expertise all modify aesthetic response in significant ways. What reads as elegant in one visual tradition reads as empty in another. What signals quality in one market signals coldness in another.
Cross-cultural studies show remarkable consistency in some preferences — symmetry and certain proportional harmonics appear near-universal. But specific color associations, compositional conventions, and aesthetic ideals vary enormously across populations and contexts. The Chromatic Survival Map is a baseline. Cultural code is layered on top, often overwriting it entirely.
This is why purely algorithmic approaches to beauty — the current wave of AI beauty scoring tools — need scrutiny. Optimization against culturally specific training data encodes those biases as if they were biological facts. The technology is real. The neutrality claim isn’t.
What Neuroaesthetics Predicts for the Future of Design
Neuroaesthetics is, as researchers in cognitive neuroscience have noted, at a historical inflection point. The tools for measuring aesthetic response — EEG, fMRI, eye tracking, galvanic skin response — are becoming cheaper and more accessible. The data generated by those tools is becoming trainable. AI systems are already learning to predict aesthetic preferences and adapt visual interfaces in real time based on individual response patterns.
My prediction — and I hold this with real conviction — is that the next decade will produce a discipline I’d call Adaptive Aesthetic Intelligence: design systems that continuously calibrate color, form, layout, and proportion to individual neurological and psychological profiles. Not in a manipulative sense, but in the same way typography evolved from arbitrary marks to a system of principles optimized for human reading. Design will evolve from static visual choices to dynamic aesthetic environments.
That’s exciting. It’s also risky. When aesthetic optimization becomes automated and personalized, the line between design that serves the viewer and design that exploits the viewer becomes very thin. The field will need an ethical framework that keeps pace with its technical capability. That work isn’t finished. It’s barely started.
What This Means for You, Practically
If you’re a designer, the takeaway is this: your instincts about what “looks right” are not arbitrary. They’re drawing on a sophisticated internal model shaped by evolutionary biology, cultural exposure, and trained expertise. Trust those instincts — but examine them. Ask which layer of the 3-SAR framework your choices are operating on, and whether they account for all three.
If you’re a communicator, a marketer, or anyone creating visual content: aesthetics isn’t decoration. It’s argument. Every visual choice is making a claim about quality, trustworthiness, and relevance before a single word is read. Design that claim deliberately.
And if you’re simply a person who finds themselves drawn to certain colors, shapes, and visual environments without knowing why — that’s not irrational. That’s your brain running a calculation that took millions of years to develop. It’s worth understanding. Because once you understand why beauty works, you start to see it — and use it — very differently.
Frequently Asked Questions About the Psychology of Visual Aesthetics
What is the psychology of visual aesthetics?
The psychology of visual aesthetics studies why humans find certain visual stimuli — colors, shapes, compositions, and forms — more attractive or pleasing than others. It draws on neuroscience, evolutionary biology, cognitive psychology, and cultural theory to explain aesthetic preference and its effects on behavior and decision-making.
Why do we find symmetrical faces more attractive?
Symmetrical faces are processed more efficiently by the brain — a phenomenon called perceptual fluency. Evolutionary psychology adds that facial symmetry signals genetic health, developmental stability, and immune robustness, making it a reliable biological marker. Research confirms that this preference appears in infants before cultural conditioning takes hold, suggesting it is partly innate.
How does color affect decision-making?
Color activates the limbic system — the brain’s emotion center — before conscious evaluation occurs. Warm colors like red and orange tend to increase arousal and urgency. Cool colors like blue and green promote calm and trust. These responses influence purchasing decisions, brand perception, interface behavior, and even interpersonal trust. Context and culture significantly modulate these baseline effects.
What is neuroaesthetics?
Neuroaesthetics is an emerging discipline within cognitive neuroscience that studies the biological bases of aesthetic experience. It examines how the brain processes and responds to visual, auditory, and environmental stimuli, and how those responses shape behavior in domains including art, design, consumer behavior, and mate selection.
Is beauty subjective or objective?
The honest answer is both. Certain aesthetic preferences — for symmetry, specific proportional relationships, and particular color dynamics — appear cross-culturally and even in infants, suggesting a biological substrate. At the same time, cultural context, personal history, and expertise strongly modify these baseline preferences. Beauty has objective structural tendencies and subjective experiential layers, and separating them cleanly is harder than either camp typically admits.
What is perceptual fluency, and why does it matter for design?
Perceptual fluency is the ease with which the brain processes a visual stimulus. Research shows that higher fluency — easier processing — produces more positive aesthetic judgments. For design, this means clean layouts, clear visual hierarchy, and coherent compositional structure don’t just look better; they actively make content feel more credible, trustworthy, and appealing. Fluency is a measurable design variable, not just an aesthetic opinion.
How does the golden ratio relate to visual beauty?
The golden ratio (approximately 1.618:1) describes a proportional relationship that appears frequently in nature and has been used in art and architecture for millennia. Neuroscientific research indicates that compositions and faces approximating this ratio activate reward centers more strongly. The likely mechanism is again perceptual fluency — phi-aligned proportions are particularly easy for the visual system to parse. However, the golden ratio is a tendency, not a rule, and many compelling designs deviate from it deliberately.
Can aesthetic preferences be changed or learned?
Yes, significantly. Research comparing trained artists to general populations shows that aesthetic expertise changes color preference, compositional judgment, and emotional response to visual stimuli. Artistic training develops more nuanced, context-sensitive preferences. Cultural exposure, repeated exposure to specific visual languages, and deliberate study all reshape aesthetic response. Preferences have a biological floor and a very high cultural ceiling.
Further Reading
These peer-reviewed sources informed this article and are worth exploring if you want to go deeper on the neuroscience and psychology of visual aesthetics.
- Chatterjee & Vartanian: Neuroaesthetics — Trends in Cognitive Sciences
- Elliot, A.J.: Color and Psychological Functioning — Frontiers in Psychology
- Hue, Saturation, and Brightness in Color Emotional Perception — BMC Psychology
- Iosa et al.: Symmetry and the Golden Ratio in Beauty Perception — European Journal of Neuroscience
- Palmer & Schloss: Visual Aesthetics and Human Preference — Annual Review of Psychology
#aesthetics #art #design #psychology #VisualAesthetics -
I really liked this post from #JMS (creator of #Babylon5 and many other things) on why #AI isn't a threat to good story writers:
https://jmichaelstraczynski.substack.com/p/silence-where-a-story-might-have
He argues that LLMs lack the human experiences needed to write compelling and novel stories, and explains why.
I'd take issue with one point:
> But not a heck of a lot about whether it has an unconscious.
> Because the answer is immediately self-evident: no. There is only the data it has scraped, and the information programmed and designed by others.
I'd argue that LLM AIs *do* have an unconscious -- in fact they are arguably almost entirely unconscious and every interaction with an LLM gives you a window into its unconscious and the associated biases.
However, their unconscious is very much unlike a human unconscious. It isn't filled with first-hand experiences of a life lived and books read. It is filled instead with what it has learned from reading a large corpus of materials. It is much closer to an alien in this regard -- one with no lived experiences and that has learned only about humanity and our world from reading transmissions from Earth.
I do think that some year it could be *possible* to make an AI that could do storytelling, but by infusing it with a lifetime of human experiences across a range of senses. However, this quickly turns into an ethical dilemma worthy of a serialized scifi story -- any AI that *could* do good enough storytelling would also be close enough to being a Person and sentient that having it run in a loop of living for hours at a time to spit out some story and then to have its self obliterated and reset would be highly unethical.
-
Book Review: From Strength to Strength by Arthur C. Brooks
There is a particular kind of dread that high achievers rarely talk about openly. It is the creeping awareness, usually arriving sometime in the late forties or early fifties, that the skills and drive that produced success in the first half of life are beginning to fade. The career trajectory that once felt like an upward line starts to flatten or reverse. The recognition that once came easily becomes harder to earn. The question that follows, one that most ambitious people are entirely unprepared for, is what now. From Strength to Strength: Finding Success, Happiness, and Deep Purpose in the Second Half of Life by Arthur C. Brooks is written directly for that moment. It is a thoughtful, personally honest, and occasionally challenging book about how to age well and live meaningfully when the version of yourself you built your identity around starts to change.
Who Is Arthur C. Brooks?
Arthur C. Brooks was born in 1964 in Seattle, Washington. He trained as a classical musician, playing French horn professionally for the City Orchestra of Barcelona in his twenties before returning to academia. He earned a PhD in policy analysis from the Pardee RAND Graduate School and built a distinguished career as a social scientist, author, and public intellectual.
He served as president of the American Enterprise Institute, a prominent conservative think tank in Washington DC, from 2009 to 2019, a tenure during which he became one of the more visible and widely respected figures in American policy circles. He has written twelve books covering topics ranging from the economics of philanthropy to the relationship between free markets and human flourishing. His columns for The Atlantic, where he writes a regular series on happiness and human flourishing, have reached millions of readers and established him as one of the most thoughtful voices in the growing field of happiness research applied to everyday life.
He is currently a professor at Harvard Business School and Harvard Kennedy School, where he teaches courses on leadership and happiness. From Strength to Strength, published in 2022, draws on his own experience of navigating the transition from peak career performance to a different and, he argues, potentially richer form of contribution.
Buy From Strength to Strength on Amazon
What the Book Is About
The central argument of From Strength to Strength is built around a distinction between two types of intelligence that the psychologist Raymond Cattell identified in the mid-twentieth century. Fluid intelligence is the ability to reason quickly, solve novel problems, and process new information rapidly. It peaks early, often in the late twenties or early thirties for most people, and declines steadily thereafter. Crystallized intelligence is the accumulated wisdom, pattern recognition, and deep knowledge that comes from decades of experience. It continues to grow well into old age.
Brooks argues that most high achievers build their identities and their careers almost entirely around fluid intelligence. When that begins to decline, as it inevitably does for everyone, they experience what he describes as a second-curve problem. The skills that produced their success are diminishing, but they have not developed the alternative strengths that could produce a different and potentially deeper form of success in the second half of life. The result is a kind of professional and existential crisis that Brooks calls the striver’s curse.
The book draws on a wide range of sources including neuroscience, psychology, sociology, economics, and ancient religious and philosophical traditions to argue that the path through this transition requires several things: detaching identity from worldly achievement, investing more deeply in relationships, developing a spiritual practice or philosophical framework that provides meaning beyond professional success, and redirecting from the accumulation of external recognition toward the transmission of wisdom and the deepening of genuine connection.
Brooks is candid throughout about his own experience of this transition and about the ways in which he has found some of these prescriptions easier to accept intellectually than to practice emotionally.
Lessons Readers Can Take Away
The most immediately applicable lesson for anyone thinking about money and long-term planning is the connection between how you define success and how you allocate your time and resources. Brooks makes a compelling case that the standard achievement orientation, working harder and longer to accumulate more recognition, money, and status, produces diminishing returns and eventually serious suffering in the second half of life. The person who has organized their entire existence around professional peak performance is in a genuinely vulnerable position when that performance inevitably peaks.
For financial independence readers specifically, this argument has a sharp relevance. The goal of financial independence is often framed as the freedom to stop working. But Brooks is asking a harder question: what do you actually want the second half of your life to look like, and are you building toward that now? Financial security is necessary but not sufficient for a meaningful later life. The emotional and relational infrastructure required for happiness in the second half needs to be built during the first, and most high earners neglect that construction entirely while focused on financial accumulation.
A second lesson concerns the value of relationships relative to achievement. Brooks draws extensively on the Harvard Study of Adult Development, one of the longest running studies of human happiness, which has consistently found that the quality of close relationships is the single strongest predictor of wellbeing in later life. More than income, more than professional success, more than health status, the people who age most happily are those with deep, maintained, reciprocal relationships. The person who sacrificed friendships and family connection on the altar of career advancement has made a trade that looks increasingly bad in retrospect as they age.
A third lesson is about what Brooks calls the idolatry of success. Drawing on religious and philosophical traditions ranging from the Psalms to the Bhagavad Gita to the writings of Thomas Aquinas, he argues that the suffering of high achievers in the second half of life is not primarily a practical problem to be solved with better life planning. It is a spiritual problem rooted in having attached ultimate meaning to things that are inherently temporary. Whether or not a reader shares any of the religious frameworks Brooks draws on, the underlying psychological observation is sound and supported by considerable secular research.
A fourth practical lesson is about the value of mentorship and teaching as a second-curve contribution. Brooks argues that the transition from fluid intelligence to crystallized intelligence points toward a natural reorientation from doing to teaching, from accumulating recognition to transmitting wisdom. Many of the most fulfilled people in the second half of life are those who have made that transition deliberately, finding meaning in helping others navigate paths they have already traveled.
Criticisms of the Book
From Strength to Strength has been widely praised, but it has attracted several legitimate criticisms worth examining.
The most common is that the book is written for a very specific audience and does not adequately acknowledge that limitation. Brooks is primarily addressing highly educated, financially successful, professionally accomplished people who are experiencing the specific anxiety of watching their peak performance decline. For the large majority of people who never achieved the kind of career prominence Brooks describes, the book’s central problem simply does not apply in the same way. A reader who spent their working life in a job rather than a calling, who never experienced a period of exceptional professional recognition to mourn the passing of, will find the book’s emotional terrain somewhat foreign.
A second criticism is that the book’s prescriptions, investing in relationships, developing a spiritual practice, redirecting from achievement to wisdom transmission, are easier to articulate than to implement, and the book does not engage deeply with the structural and psychological barriers to making those changes. Telling a driven, achievement-oriented person to simply value relationships more is not actionable advice. The mechanics of how to actually make that shift are underexplored.
A third criticism is that the book sometimes moves too quickly between scientific findings and large philosophical conclusions. Brooks is clearly well-read in both happiness research and religious philosophy, but the connections he draws between the two are sometimes more rhetorical than rigorous. A reader with a strong social science background may find some of the leaps from data to prescription unconvincing.
A fourth criticism is that the book’s spiritual recommendations, which are genuinely central to Brooks’ argument rather than peripheral to it, may not land for secular readers. He is honest about his own Catholic faith and its role in his thinking, but the book aims to be accessible across faith traditions. Some readers will find that ambition successfully achieved; others will find the religious framing more of an obstacle than an invitation.
Should You Buy This Book?
Yes, with a clear sense of who will get the most from it.
From Strength to Strength is most valuable for readers who are in or approaching the transition it describes, roughly forty-five to sixty, professionally accomplished, financially stable, and beginning to sense that the framework that organized the first half of their lives is becoming insufficient for the second. For that reader, the book can be genuinely clarifying and even therapeutic.
It is also worth reading for younger readers who are in the wealth-building phase of their financial lives, not because the midlife transition is their immediate concern but because the decisions made in the thirties and early forties about how to allocate time and energy between professional achievement and relational investment have consequences that compound over decades. Understanding what the second half of life demands before you arrive there is considerably more useful than understanding it after.
It pairs naturally with The Psychology of Money by Morgan Housel, which addresses the relationship between money and a meaningful life with similar intellectual honesty. Die With Zero by Bill Perkins, which is reviewed separately on this site, covers adjacent territory from a more explicitly financial angle and makes a good companion read.
At its length the book can be finished in a few sittings and the ideas it contains reward reflection for considerably longer than it takes to read.
Final Thoughts
Arthur Brooks wrote From Strength to Strength partly as a letter to his future self, a set of instructions for navigating a transition he could see coming and wanted to prepare for honestly. That personal stake gives the book a quality of genuine engagement that distinguishes it from most books in the happiness and life philosophy genre, which tend to be written from a position of having figured things out rather than from the middle of figuring them out.
The financial implications of the book’s argument are real and worth taking seriously. Building financial security is a necessary foundation for a good later life. But it is not the same thing as building a good later life. The people who arrive at financial independence with strong relationships, a sense of purpose that extends beyond their professional identity, and a framework for finding meaning in the ordinary dimensions of human experience are in a categorically better position than those who arrive with financial security alone.
That broader preparation, for a life rather than just a retirement account, is what From Strength to Strength is ultimately about. It is a book that asks whether you are building the right things, and it asks that question with enough warmth, intellectual seriousness, and personal honesty that most readers will find the asking genuinely useful regardless of the answer they arrive at.
#ArthurCBrooks #BookReviews #Books #FromStrengthToStrength #Nonfiction #SelfHelp -
Early Estimates Of Exotic Annual Grass (EAG) In The Sagebrush Biome, USA, 2024 (ver. 1.0, April 2024)
--
https://doi.org/10.5066/P9351ZTZ <-- link to @USGS open data resource
--
#RemoteSensing #GIS #spatial #mapping #MachineLearning #Mapping #EnvironmentalResearch #earthobservation #datadownload #digitaldata #opendata #EROS #invasivespecies #exotic #grass #vegetation #spatialanalysis #EAG #AIM #AI #machinelearning #NDVI #USWest #USA #satellite #sagebrush #biome #landmanagement #planning #range #landmanagers
@USGS -
Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN
Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network. The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.
The old DEC desktop has survived its maker company, and survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continuously beeping mode (i.e. broken). However, in December 2015 it started acting up and crashing at irregular intervals (sometimes two weeks, sometimes one day).
So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?
The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:
- No possibilities for SSH or mosh into the home LAN
- No ntop
- No support for netboot and TFTP in the home LAN
- Limited, cumbersome and inflexible firewall setup
My requirements were:
- Cheap
- Two wired NICs
- The ability to run debian
- Preferably fanless
- Compact
ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.
And it turned out to be so simple to set up that I had it up and running before I had really decided on anything, so now the r-pi is what I have.
This is what I ordered:
- Raspberry Pi 2 Model B Starter Kit
- TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)
Here’s what I did:
- Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
- Plugged a USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux
- I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB ports, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
- I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:
adduser sb
then changed the password of the root user and removed the pi user
- I copied in the public ssh keys from my other computers, put them into the ~/.ssh/authorized_keys file, and then opened /etc/ssh/sshd_config in a text editor and modified it in the following way:
- Disabled root login by changing
PermitRootLogin without-password
to
PermitRootLogin no
- Disabled password login by changing
#PasswordAuthentication yes
to
PasswordAuthentication no
(removed the comment and changed “yes” to “no”)
- Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
- Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
- Resized the disk to fill the entire SD card:
- Typed the command
raspi-config
- Selected
1 Expand Filesystem Ensures that all of the SD card storage is available to the OS
and got the response
Root partition has been resized.
The filesystem will be enlarged upon the next reboot
- Rebooted the system to get the full 16GB in the file system
- Updated the system by giving the following command line commands:
apt-get update
apt-get dist-upgrade
(the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)
- Installed some useful software:
- GNU emacs (my favorite text editor)
apt-get install emacs
- mosh
apt-get install mosh
- git (I’ve got my home directory versioned in git)
apt-get install git
- rcs (I use it to version control operating system configuration files)
apt-get install rcs
- I cloned my home directory in git and created a new branch (I have a different branch for each computer)
- I set the built-in NIC permanently as eth0:
export INTERFACE=eth0
export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`
/lib/udev/write_net_rules
- I added configuration for a second NIC by adding the following to /etc/network/interfaces:
# The internal network card
allow-hotplug eth1
iface eth1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
- I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:
export INTERFACE=eth1
export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`
/lib/udev/write_net_rules
- Installed dnsmasq
apt-get install dnsmasq
- Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
- Removed the comment in front of
#interface=
and set “eth1” as the value:
interface=eth1
- Uncommented the domain directive
#domain=thekelleys.org.uk
and changed it to my domain
domain=hjemme.lan
- Uncommented the dhcp-range directive
#dhcp-range=192.168.0.50,192.168.0.150,12h
and changed it to a 10.10.10.* range with a 5h lease on the addresses
# Our HOME LAN 5h lease time
dhcp-range=10.10.10.6,10.10.10.40,5h
- Opened the /etc/hosts file in a text editor and added the raspberry pi itself, so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will answer DNS requests for the IP addresses it has given DHCP leases to, as well as for what it finds in the hosts file; the rest is delegated to the upstream DNS server):
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 ocon
# local hosts
10.10.10.1 hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan
- Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
- ferm is a utility that makes it easy to set the routing and firewall rules at boot time
- Installed ferm using apt-get from a command line:
apt-get install ferm
- Modified the /etc/ferm/ferm.conf file to allow everything inside to route out, but only allow ssh in (the third definition needs the leading @ like the other two, or ferm will not parse the file):
@def $DEV_WORLD = eth0;
@def $DEV_PRIVATE = eth1;
@def $NET_PRIVATE = 10.10.10.0/24;

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # allow private net
        interface $DEV_PRIVATE ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # connections from the internal net to the internet or
        # to other internal nets are allowed
        interface $DEV_PRIVATE ACCEPT;

        # the rest is dropped by the above policy
    }
}

table nat {
    chain POSTROUTING {
        # masquerade private IP addresses
        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
    }
}
- Installed ferm using apt-get from a command line:
- The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):
cd /tmp
wget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.deb
dpkg --install /tmp/ferm_2.2-5_all.deb
- fail2ban monitors the log files of daemons and adjusts the firewall rules to temporarily ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
- To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntopng
apt-get install ntopng
After the installation, the network traffic can be monitored by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)
- The Network Time Protocol is how computers stay in sync; installing the ntp package will make the gateway keep network time, a
apt-get install ntp
- Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP daemon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.10.10.255
- Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update
apt-get install apticron
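To check what the ferm ruleset above actually lets through, here is an added Python model of its INPUT, FORWARD and POSTROUTING logic (example code written for this page, not part of the original post and not ferm's own code). The sample packets, the 203.0.113.0/24 addresses standing in for the internet, and the world_reachable_tcp_ports audit helper are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Names taken from the ferm.conf in the post.
DEV_WORLD = "eth0"
DEV_PRIVATE = "eth1"
NET_PRIVATE = ip_network("10.10.10.0/24")


@dataclass
class Packet:
    """Only the fields the post's rules actually match on (constructed model)."""
    in_iface: str                 # interface the packet arrived on
    out_iface: Optional[str]      # None when the gateway itself is the destination
    proto: str                    # "tcp", "udp", "icmp", "esp" or "ah"
    saddr: str                    # source address
    dport: Optional[int] = None   # destination port for tcp/udp
    state: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


Rule = Tuple[Callable[[Packet], bool], str]


def run_chain(rules: List[Rule], policy: str, p: Packet) -> str:
    """iptables semantics: the first matching rule wins, otherwise the chain policy."""
    for matches, verdict in rules:
        if matches(p):
            return verdict
    return policy


# chain INPUT { policy DROP; ... } from the post, rule for rule and in the same order
INPUT: List[Rule] = [
    (lambda p: p.state == "INVALID", "DROP"),                     # mod state state INVALID DROP
    (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),  # mod state state (ESTABLISHED RELATED) ACCEPT
    (lambda p: p.in_iface == "lo", "ACCEPT"),                     # interface lo ACCEPT
    (lambda p: p.in_iface == DEV_PRIVATE, "ACCEPT"),              # interface $DEV_PRIVATE ACCEPT
    (lambda p: p.proto == "icmp", "ACCEPT"),                      # proto icmp ACCEPT
    (lambda p: p.proto == "udp" and p.dport == 500, "ACCEPT"),    # proto udp dport 500 ACCEPT
    (lambda p: p.proto in ("esp", "ah"), "ACCEPT"),               # proto (esp ah) ACCEPT
    (lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),     # proto tcp dport ssh ACCEPT
]

# chain FORWARD { policy DROP; ... }
FORWARD: List[Rule] = [
    (lambda p: p.state == "INVALID", "DROP"),
    (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda p: p.in_iface == DEV_PRIVATE, "ACCEPT"),
]


def filter_verdict(p: Packet) -> str:
    """INPUT for packets addressed to the gateway, FORWARD for routed ones."""
    if p.out_iface is None:
        return run_chain(INPUT, "DROP", p)
    return run_chain(FORWARD, "DROP", p)


def nat_postrouting(p: Packet) -> Optional[str]:
    """table nat POSTROUTING: saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE"""
    if p.out_iface == DEV_WORLD and ip_address(p.saddr) in NET_PRIVATE:
        return "MASQUERADE"
    return None


def evaluate(p: Packet) -> Tuple[str, Optional[str]]:
    """Filter first; NAT only applies to packets that were not dropped."""
    verdict = filter_verdict(p)
    nat = nat_postrouting(p) if verdict == "ACCEPT" else None
    return verdict, nat


def world_reachable_tcp_ports(ports=range(1, 1025)) -> List[int]:
    """Audit helper (constructed): which TCP ports accept NEW connections from the internet?"""
    return [port for port in ports
            if filter_verdict(Packet(DEV_WORLD, None, "tcp", "203.0.113.5", port)) == "ACCEPT"]


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is documentation address space.
    samples = {
        "ssh from the internet": Packet(DEV_WORLD, None, "tcp", "203.0.113.5", 22),
        "ntopng from the internet": Packet(DEV_WORLD, None, "tcp", "203.0.113.5", 3000),
        "ntopng from the LAN": Packet(DEV_PRIVATE, None, "tcp", "10.10.10.7", 3000),
        "LAN host browsing out": Packet(DEV_PRIVATE, DEV_WORLD, "tcp", "10.10.10.7", 443),
        "reply to that browsing": Packet(DEV_WORLD, DEV_PRIVATE, "tcp", "203.0.113.80", 49152, "ESTABLISHED"),
        "unsolicited SMB to a LAN host": Packet(DEV_WORLD, DEV_PRIVATE, "tcp", "203.0.113.5", 445),
        "INVALID from the LAN": Packet(DEV_PRIVATE, None, "tcp", "10.10.10.7", 22, "INVALID"),
    }
    for name, pkt in samples.items():
        print(f"{name:32s} -> {evaluate(pkt)}")
    print("TCP ports open to the world:", world_reachable_tcp_ports())
```

Note that the INVALID rule sits before the interface $DEV_PRIVATE rule, so even LAN-side packets with broken conntrack state are dropped; the model keeps that ordering.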
The original plan was to run the raspberry pi headless, but since I had an old VGA-only LCD display from the old DEC computer, I might as well hook it up to the raspberry pi, together with the cheap USB keyboard used for setup.
I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry pi, but the display stayed black. I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:
# uncomment if you get no picture on HDMI for a default "safe" mode
hdmi_safe=1
I rebooted the raspberry pi, and this time the LCD display showed the boot messages as well as a normal console login prompt.
The raspberry pi 2 model B, with an extra USB NIC, a USB keyboard and connected to a VGA display using an HDMI to VGA converter
And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making /var/log use tmpfs.
But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is write text files. And if the SD card wears out I’ll just buy a new SD card, and make a new system. Since I now know how, this shouldn’t take long
#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh
-
Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN
Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network. The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.
The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).
So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?
The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:
- No possibilities for SSH or mosh into the home LAN
- No ntop
- No support for netboot and TFTP in the home LAN
- Limited, cumbersome and inflexible firewall setup
My requirements were:
- Cheap
- Two wired NICs
- The ability to run debian
- Preferrably fanless
- Compact
ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.
And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.
This is what I ordered:
- Raspberry Pi 2 Model B Starter Kit
- TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)
Here’s what I did:
- Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
- Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux
- I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
- I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:
adduser sb
the changed the password of the root user and removed the pi user
- I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
- Disabled root login by changing
PermitRootLogin without-password
to
PermitRootLogin no
- Disabled password login by changing
#PasswordAuthentication yes
to
PasswordAuthentication no
(removed the comment and changed “yes” to “no”)
- Disabled root login by changing
- Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
- Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
- Resized the disk to fill the entire SD card:
- Typed the command
raspi-config
- Selected
1 Expand Filesystem Ensures that all of the SD card storage is available to the OS
and got the response
Root partition has been resized.The filesystem will be enlarged upon the next reboot
- Rebooted the system to get the full 16GB in the file system
- Typed the command
- Updated the system by giving the following command line commands:
apt-get updateapt-get dist-upgrade
(the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)
- Installed some useful software:
- GNU emacs (my favorite text editor)
apt-get install emacs
- mosh
apt-get install mosh
- git (I’ve got my home directory versioned in git)
apt-get install git
- rcs (I use it to version control operating system configuration files)
apt-get install rcs
- GNU emacs (my favorite text editor)
- I cloned my home directory in git and created a new branch (I have a different branch for each computer)
- I set the built-in NIC permanently as eth0:
export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules - I added configuration for a second NIC by adding the following to /etc/network/interfaces:
# The internal network cardallow-hotplug eth1iface eth1 inet static address 10.10.10.1 netmask 255.255.255.0
- I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:
export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules - Installed dnsmasq
apt-get install dnsmasq
- Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
- Removed the comment in front of
#interface=
and set “eth1” as the value:
interface=eth1
- Uncommented the domain directive
#domain=thekelleys.org.uk
and changed it to my domain
domain=hjemme.lan
- Uncommented the dhcp-range directive
#dhcp-range=192.168.0.50,192.168.0.150,12h
and changed it to a 10.10.10.* range with a 5h lease on the addresses
# Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h
- Removed the comment in front of
- Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file. The rest is delegated to the upstream DNS server)
127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters127.0.1.1 ocon# local hosts10.10.10.1 hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan
- Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:
# Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1
- ferm is a utility that makes it easy to set the routing and firewall rules at boot time
- Installed ferm using apt-get from a command line:
apt-get install ferm
- Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in
@def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter { chain INPUT { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # allow local packet interface lo ACCEPT; # allow private net interface $DEV_PRIVATE ACCEPT; # respond to ping proto icmp ACCEPT; # allow IPsec proto udp dport 500 ACCEPT; proto (esp ah) ACCEPT; # allow SSH connections proto tcp dport ssh ACCEPT; } chain OUTPUT { policy ACCEPT; # connection tracking #mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; } chain FORWARD { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # connections from the internal net to the internet or # to other internal nets are allowed interface $DEV_PRIVATE ACCEPT; # the rest is dropped by the above policy }}table nat { chain POSTROUTING { # masquerade private IP addresses saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; }}
- Installed ferm using apt-get from a command line:
- The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):
cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb
- fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
- To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng
apt-get install ntopng
after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)
- The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a
apt-get install ntp
- Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:
# If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255
- Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update
apt-get install apticron
The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.
I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black. I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:
# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1
I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.
The raspberry pi 2 model B, with an extra USB NIC, a USB keyboard and connected to a VGA display using an HDMI to VGA converterAnd this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.
But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long
#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh
-
Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN
Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network. The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.
The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).
So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?
The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:
- No possibilities for SSH or mosh into the home LAN
- No ntop
- No support for netboot and TFTP in the home LAN
- Limited, cumbersome and inflexible firewall setup
My requirements were:
- Cheap
- Two wired NICs
- The ability to run debian
- Preferrably fanless
- Compact
ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.
And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.
This is what I ordered:
- Raspberry Pi 2 Model B Starter Kit
- TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)
Here’s what I did:
- Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
- Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux
- I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
- I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:
adduser sb
the changed the password of the root user and removed the pi user
- I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
- Disabled root login by changing
PermitRootLogin without-password
to
PermitRootLogin no
- Disabled password login by changing
#PasswordAuthentication yes
to
PasswordAuthentication no
(removed the comment and changed “yes” to “no”)
- Disabled root login by changing
- Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
- Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
- Resized the disk to fill the entire SD card:
- Typed the command
raspi-config
- Selected
1 Expand Filesystem Ensures that all of the SD card storage is available to the OS
and got the response
Root partition has been resized.The filesystem will be enlarged upon the next reboot
- Rebooted the system to get the full 16GB in the file system
- Typed the command
- Updated the system by giving the following command line commands:
apt-get updateapt-get dist-upgrade
(the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)
- Installed some useful software:
- GNU emacs (my favorite text editor)
apt-get install emacs
- mosh
apt-get install mosh
- git (I’ve got my home directory versioned in git)
apt-get install git
- rcs (I use it to version control operating system configuration files)
apt-get install rcs
- GNU emacs (my favorite text editor)
- I cloned my home directory in git and created a new branch (I have a different branch for each computer)
- I set the built-in NIC permanently as eth0:
export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules - I added configuration for a second NIC by adding the following to /etc/network/interfaces:
# The internal network cardallow-hotplug eth1iface eth1 inet static address 10.10.10.1 netmask 255.255.255.0
- I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:
export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules - Installed dnsmasq
apt-get install dnsmasq
- Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
- Removed the comment in front of
#interface=
and set “eth1” as the value:
interface=eth1
- Uncommented the domain directive
#domain=thekelleys.org.uk
and changed it to my domain
domain=hjemme.lan
- Uncommented the dhcp-range directive
#dhcp-range=192.168.0.50,192.168.0.150,12h
and changed it to a 10.10.10.* range with a 5h lease on the addresses
# Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h
- Removed the comment in front of
- Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file. The rest is delegated to the upstream DNS server)
127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters127.0.1.1 ocon# local hosts10.10.10.1 hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan
- Edited the /etc/sysctl.conf file to set up IPv4 routing in the linux kernel, removed the comment in front of the net.ipv4.ip_forward line:
# Uncomment the next line to enable packet forwarding for IPv4net.ipv4.ip_forward=1
- ferm is a utility that makes it easy to set the routing and firewall rules at boot time
- Installed ferm using apt-get from a command line:
apt-get install ferm
- Modified the /etc/ferm/ferm.conf file to allow everything inside t oroute out, but only allow ssh in
@def $DEV_WORLD = eth0;@def $DEV_PRIVATE = eth1;def $NET_PRIVATE = 10.10.10.0/24;table filter { chain INPUT { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # allow local packet interface lo ACCEPT; # allow private net interface $DEV_PRIVATE ACCEPT; # respond to ping proto icmp ACCEPT; # allow IPsec proto udp dport 500 ACCEPT; proto (esp ah) ACCEPT; # allow SSH connections proto tcp dport ssh ACCEPT; } chain OUTPUT { policy ACCEPT; # connection tracking #mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; } chain FORWARD { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # connections from the internal net to the internet or # to other internal nets are allowed interface $DEV_PRIVATE ACCEPT; # the rest is dropped by the above policy }}table nat { chain POSTROUTING { # masquerade private IP addresses saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; }}
- Installed ferm using apt-get from a command line:
- The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):
cd /tmpwget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.debdpkg --install /tmp/ferm_2.2-5_all.deb
- fail2ban monitors log files of daemons and adjust the firewall rules to temporary ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
- To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntop ng
apt-get install ntopng
after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)
- The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a
apt-get install ntp
- Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP deamon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:
# If you want to provide time to your local subnet, change the next line.# (Again, the address is an example only.)broadcast 10.10.10.255
- Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update
apt-get install apticron
The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up the raspberry pi, together with the cheap USB keyboard used for setup.
I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. I plugged it in between the display and the raspberry-pi the display stayed black. I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:
# uncomment if you get no picture on HDMI for a default "safe" modehdmi_safe=1
I rebooted the raspberry pi, and this time the LCD displayed showed the boot messages as well as a normal console login prompt.
The raspberry pi 2 model B, with an extra USB NIC, a USB keyboard and connected to a VGA display using an HDMI to VGA converterAnd this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.
But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And ff the SD card wears out I’ll just by a new SD card, and make a new system. Since I now know how, this shouldn’t take long
#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh
-
Using a Raspberry Pi 2 Model B as a router/firewall for the home LAN
Since 1999 I have been using a 1996 vintage DEC PII desktop as the router/firewall between the internet and my home network. The DEC computer came to me with Win95 (or possibly Win98) in 1998, got SuSE linux and started its mission as router and firewall (and CUPS server, and IMAP server, and various other server stuff). When upgrading the SuSE installation to a newer version went south, it spent a while running ThomasEz’s floppyfw, until I used a floppy net install to install debian potato, immediately switched it to debian testing, until debian woody arrived, when it was moved to debian stable, and then I just kept running “apt-get dist-upgrade” until I finally had it running debian 8 “jessie” on june 6 in 2015.
The old DEC desktop has survived its maker company, survived lightning strikes that have sent the power supplies and/or main boards of other computers on the same LAN into continously beeping mode (i.e. broken). However, in December 2015 it started acting up, and crashing with irregular intervals (sometimes two weeks, sometimes one day).
So… the time for a replacement would have to be not too far ahead. The question was what to replace it with?
The simplest solution would be to just get a wireless router with a cabled switch. But that would mean:
- No possibilities for SSH or mosh into the home LAN
- No ntop
- No support for netboot and TFTP in the home LAN
- Limited, cumbersome and inflexible firewall setup
My requirements were:
- Cheap
- Two wired NICs
- The ability to run debian
- Preferrably fanless
- Compact
ThomasEz immediately suggested using a raspberry pi with two NICs, but I thought that would be too puny, and I investigated alternatives like Shuttle Barebone DS57U but I found that the raspberry pi alternative was so cheap, I might as well order one.
And then it turned out to be so simple to set up so I had it up and running before I really had decided on anything, so now the r-pi is what I have.
This is what I ordered:
- Raspberry Pi 2 Model B Starter Kit
- TP-Link UE300 USB 3.0 to GbE Adapter (it was listed as being supported out of the box on raspberry pi)
Here’s what I did:
- Downloaded the Raspbian Jessie Lite image to a debian jessie computer and unpacked it into the /tmp directory
- Plugged an USB SD card reader into the debian computer, and followed the instructions in Installing operating system images on Linux
- I plugged the cheapest USB keyboard I could get from my local teknikmagasinet store into one of the USB port, yanked the HDMI cable from the DVD player and plugged the r-pi into the TV, plugged a network cable into the local LAN, and plugged in the power… and the raspberry pi booted quickly into the familiar debian login
- I logged in with the built-in “pi” user with password “raspberry”, and created my own user with the following command line command:
adduser sb
the changed the password of the root user and removed the pi user
- I copied in a public ssh keys from my other computers, and put them into the ~/.ssh/authorized_keys file and then opened /etc/ssh/sshd_conf in a text editor and modified it in the following way:
- Disabled root login by changing
PermitRootLogin without-password
to
PermitRootLogin no
- Disabled password login by changing
#PasswordAuthentication yes
to
PasswordAuthentication no
(removed the comment and changed “yes” to “no”)
- Disabled root login by changing
- Edited /etc/hostname to change the name from the default “raspberrypi” to “ocon”
- Rebooted the pi to check the startup state of the ssh daemon and ssh’d in
- Resized the disk to fill the entire SD card:
- Typed the command
raspi-config
- Selected
1 Expand Filesystem Ensures that all of the SD card storage is available to the OS
and got the response
Root partition has been resized.The filesystem will be enlarged upon the next reboot
- Rebooted the system to get the full 16GB in the file system
- Typed the command
- Updated the system by giving the following command line commands:
apt-get updateapt-get dist-upgrade
(the “update” command updates the local package database against the package servers. The “dist-upgrade” command upgrades all packages that have a newer version, and the required dependencies)
- Installed some useful software:
- GNU emacs (my favorite text editor)
apt-get install emacs
- mosh
apt-get install mosh
- git (I’ve got my home directory versioned in git)
apt-get install git
- rcs (I use it to version control operating system configuration files)
apt-get install rcs
- GNU emacs (my favorite text editor)
- I cloned my home directory in git and created a new branch (I have a different branch for each computer)
- I set the built-in NIC permanently as eth0:
export INTERFACE=eth0export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules - I added configuration for a second NIC by adding the following to /etc/network/interfaces:
# The internal network cardallow-hotplug eth1iface eth1 inet static address 10.10.10.1 netmask 255.255.255.0
- I plugged in the USB NIC to have it appear, and then made the USB NIC permanently eth1 with the following command line commands:
export INTERFACE=eth1export MATCHADDR=`ip addr show $INTERFACE | grep ether | awk '{print $2}'`/lib/udev/write_net_rules - Installed dnsmasq
apt-get install dnsmasq
- Edited /etc/dnsmasq.conf to make dnsmasq respond to DHCP requests on eth1:
- Removed the comment in front of
#interface=
and set “eth1” as the value:
interface=eth1
- Uncommented the domain directive
#domain=thekelleys.org.uk
and changed it to my domain
domain=hjemme.lan
- Uncommented the dhcp-range directive
#dhcp-range=192.168.0.50,192.168.0.150,12h
and changed it to a 10.10.10.* range with a 5h lease on the addresses
# Our HOME LAN 5h lease timedhcp-range=10.10.10.6,10.10.10.40,5h
- Removed the comment in front of
- Opened the /etc/hosts file in a text editor and added the raspberry pi itself, to so that DNS lookups of the raspberry pi will work in a LAN where the raspberry pi is handling the DHCP requests (dnsmasq will handle DNS requests for the IP addresses it has given DHCP leases to, as well as what it finds in the hosts file. The rest is delegated to the upstream DNS server)
127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters127.0.1.1 ocon# local hosts10.10.10.1 hjemme ocon hjemme.hjemme.lan ocon.hjemme.lan
- Edited the /etc/sysctl.conf file to set up IPv4 routing in the Linux kernel, removed the comment in front of the net.ipv4.ip_forward line:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
- ferm is a utility that makes it easy to set the routing and firewall rules at boot time
- Installed ferm using apt-get from a command line:
apt-get install ferm
- Modified the /etc/ferm/ferm.conf file to allow everything inside to route out, but only allow ssh in
@def $DEV_WORLD = eth0;
@def $DEV_PRIVATE = eth1;
@def $NET_PRIVATE = 10.10.10.0/24;

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # allow private net
        interface $DEV_PRIVATE ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # connections from the internal net to the internet or
        # to other internal nets are allowed
        interface $DEV_PRIVATE ACCEPT;

        # the rest is dropped by the above policy
    }
}

table nat {
    chain POSTROUTING {
        # masquerade private IP addresses
        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
    }
}
- The version of ferm in “jessie” doesn’t start at boot, because “jessie” dropped SYSV init in favour of systemd, and the version of ferm in “jessie” doesn’t have a systemd configuration, so I needed to manually download and install the version of ferm from debian testing (I downloaded from regular debian, since ferm doesn’t have anything platform specific):
cd /tmp
wget http://ftp.no.debian.org/debian/pool/main/f/ferm/ferm_2.2-5_all.deb
dpkg --install /tmp/ferm_2.2-5_all.deb
- fail2ban monitors log files of daemons and adjusts the firewall rules to temporarily ban hosts it suspects of intrusion attempts. The debian (and raspbian) version of fail2ban will out of the box scan the logs for ssh intrusion attempts, so no configuration is necessary
- To have an easy way of monitoring the network traffic in and out of the home LAN, I installed ntopng
apt-get install ntopng
after the installation it is possible to monitor the network traffic by accessing http://ocon.hjemme.lan:3000 (the interesting traffic will be seen after selecting eth1)
- The Network Time Protocol is how computers stay in sync, installing the ntp package will make the gateway keep network time, a
apt-get install ntp
- Opened the /etc/ntp.conf file in a text editor, and modified it to provide an NTP daemon for the home LAN, uncommented the “broadcast” line and modified the network match to match the 10.10.10.* network:
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.10.10.255
- Installed the apticron utility to make sure that the APT database is updated daily with new candidates for update
apt-get install apticron
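Added here as a defender's check, not something from the original post: a small Python auditor that reads the three files edited above (dnsmasq.conf, sysctl.conf and ferm.conf) and flags drift from this posture, for example dnsmasq answering on the upstream NIC or a LAN-only service such as ntopng's port 3000 opened to the world. The parser, function names, thresholds and sample configs are my own assumptions; the ferm reader only understands the table/chain nesting shown above.

```python
import re


def _strip_comments(text):
    """Drop '#' comments; ferm, sysctl.conf and dnsmasq.conf all use them."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_ferm(text):
    """Minimal ferm reader (my own, not ferm's parser): {table: {chain: [rule, ...]}}
    with @def variables expanded. Understands only 'table X { chain Y { ...; } }'."""
    tables, defs, path, pending = {}, {}, [], ""
    for tok in re.findall(r"[{};]|[^{};]+", _strip_comments(text)):
        if tok == "{":
            words = pending.split()
            if len(words) != 2 or words[0] not in ("table", "chain"):
                raise ValueError("unsupported block header: " + pending.strip())
            if words[0] == "table":
                tables.setdefault(words[1], {})
            else:
                tables[path[0]].setdefault(words[1], [])
            path.append(words[1])
            pending = ""
        elif tok == "}":
            path.pop()
            pending = ""
        elif tok == ";":
            stmt = " ".join(pending.split())
            m = re.fullmatch(r"@def \$(\w+) = (.+)", stmt)
            if m:
                defs[m.group(1)] = m.group(2)
            elif len(path) == 2:  # a rule inside 'table ... { chain ... { } }'
                stmt = re.sub(r"\$(\w+)", lambda v: defs.get(v.group(1), v.group(0)), stmt)
                tables[path[0]][path[1]].append(stmt)
            pending = ""
        else:
            pending += tok
    return tables


def audit_gateway(dnsmasq_conf, sysctl_conf, ferm_conf, world_if="eth0",
                  private_if="eth1", private_net="10.10.10.0/24",
                  expected_world_ports=("tcp/ssh", "udp/500")):
    """Return a list of findings; empty means the gateway matches the intended
    posture: DHCP/DNS only on the LAN NIC, forwarding on, INPUT and FORWARD
    default-deny, NAT in place, and nothing but the expected ports (ssh plus
    the IPsec IKE port the config above keeps) reachable from upstream."""
    findings = []
    ifaces = re.findall(r"^\s*interface=(\S+)", _strip_comments(dnsmasq_conf), re.M)
    if private_if not in ifaces:
        findings.append(f"dnsmasq: no 'interface={private_if}', so it answers DHCP/DNS on every NIC")
    findings += [f"dnsmasq: also serving on {i}" for i in ifaces if i != private_if]

    if not re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*1\s*$", _strip_comments(sysctl_conf), re.M):
        findings.append("sysctl: net.ipv4.ip_forward=1 missing or commented out; no routing")

    tables = parse_ferm(ferm_conf)
    filt = tables.get("filter", {})
    for chain in ("INPUT", "FORWARD"):
        if "policy DROP" not in filt.get(chain, []):
            findings.append(f"ferm: chain {chain} is not default-deny")
    # A bare 'proto X dport Y ACCEPT' in INPUT is not scoped to an interface,
    # so the port is reachable from the world-facing side as well.
    for stmt in filt.get("INPUT", []):
        m = re.fullmatch(r"proto (tcp|udp) dport (\S+) ACCEPT", stmt)
        if m and f"{m.group(1)}/{m.group(2)}" not in expected_world_ports:
            findings.append(f"ferm: {m.group(1)}/{m.group(2)} accepted from the world-facing side")
    nat = tables.get("nat", {}).get("POSTROUTING", [])
    if f"saddr {private_net} outerface {world_if} MASQUERADE" not in nat:
        findings.append("ferm: no MASQUERADE rule for the private net; LAN clients cannot reach out")
    return findings


# Constructed sample inputs mirroring the post's configuration (abridged).
DNSMASQ_CONF = "interface=eth1\ndomain=hjemme.lan\ndhcp-range=10.10.10.6,10.10.10.40,5h\n"
SYSCTL_CONF = "# Uncomment the next line to enable packet forwarding for IPv4\nnet.ipv4.ip_forward=1\n"
FERM_CONF = """
@def $DEV_WORLD = eth0;
@def $DEV_PRIVATE = eth1;
@def $NET_PRIVATE = 10.10.10.0/24;
table filter {
    chain INPUT {
        policy DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        interface $DEV_PRIVATE ACCEPT;
        proto udp dport 500 ACCEPT;    # IPsec IKE, kept from the Debian example
        proto tcp dport ssh ACCEPT;
    }
    chain OUTPUT { policy ACCEPT; }
    chain FORWARD {
        policy DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface $DEV_PRIVATE ACCEPT;
    }
}
table nat {
    chain POSTROUTING { saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; }
}
"""
```

Running `audit_gateway(DNSMASQ_CONF, SYSCTL_CONF, FERM_CONF)` on the sample returns an empty list; adding `proto tcp dport 3000 ACCEPT;` to INPUT produces a finding for tcp/3000.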
The original plan was to run the raspberry pi headless, but since I had an old VGA only LCD display for the old DEC computer I might as well hook it up to the raspberry pi, together with the cheap USB keyboard used for setup.
I bought an HDMI to VGA converter with the manufacturer id VLMP34900W0.20. When I plugged it in between the display and the raspberry pi, the display stayed black. I edited the /boot/config.txt file, removing the comment in front of the hdmi_safe line:
# uncomment if you get no picture on HDMI for a default "safe" mode
hdmi_safe=1
I rebooted the raspberry pi, and this time the LCD display showed the boot messages as well as a normal console login prompt.
The raspberry pi 2 model B, with an extra USB NIC, a USB keyboard and connected to a VGA display using an HDMI to VGA converter
And this is where the current state is. One initial concern was flash wear on the SD card, which doesn’t have the wear leveling features of a “real” SSD, so I had some plans on making the /var/log use tmpfs.
But I decided not to, since having real persistent logs is a useful thing for a gateway, and since 16GB is actually an awful lot of data if all you do is to write textual files. And if the SD card wears out I’ll just buy a new SD card, and make a new system. Since I now know how, this shouldn’t take long
#debian #dnsmasq #fail2ban #ferm #firewall #ipMasquerading #jessie #mosh #ntop #raspbian #raspbian8 #raspbianJessie #router #ssh
-
Paper day for everybody involved and excited about #eRosita ! Here is the paper by my Kostas Migkas and his colleagues who, for the first time, performed a robust cross-calibration of eROSITA vs Chandra and XMM using a large galaxy cluster sample. The findings are crucial for a wide range of future X-ray cluster studies, and future eROSITA data will further improve these constraints!
https://arxiv.org/abs/2401.17297
#cosmology #astronomy #astrophysics #XRayAstronomy #ChandraXRay #XMMNewton
-
Matt goes shopping: Where to buy an inexpensive USB drive?
In the third instalment of “Matt looks for the best deal online”, I am looking for a cheap USB drive. I want to give them away with content in them. Cheapness is my primary metric for these flash drives. They must be inexpensive but large enough to use when giving people folders full of photographs and related media. USB 3.x would be nice but I’m not all that fussed.
In this instance, 1GB could do the job. However, larger sizes would be nice for other projects. Thus “small” is those USB sticks with low capacity while medium and large should be self-explanatory. “Other” is where I note any interesting USB flash drives that otherwise don’t fit with my search needs.
In the table, USB 2.x is assumed and the faster USB 3.x is mentioned when it shows up. Some links are affiliate (UK) links, meaning if you click them, I get paid at no cost to you. Most links are just links though and everyone gets the same treatment. Price, brand, and probable quality vary considerably and it looks like you get what you pay for when it comes to removable media. Or not. Reality does not have to make sense.
Oh, one more thing – I only mention the brand of USB drive if, in my judgment, that could be a purchasing factor. That means these are brands I understand to be good quality indicators. If I’ve not mentioned a brand either I forgot or I just wasn’t familiar with them.
The table of results: Who offered what prices?
Shop | Small drives | Medium sized | Larger drives | Other
Amazon UK (free p&p) | This 2GB £4.79 | This 64GB £4.98 | This SanDisk 128GB 70% off £6.99 | This USB 3, 256GB, £11.19
Ebuyer (£1.99 p&p) | n/a | This 64GB USB 3.2 £3.29 | This Kingston 128GB USB 3.2 £5.19 | Kingston XS1000 1TB USB-C £62.99
Argos (£3.95 p&p) | n/a | This 32GB SanDisk £5.99 | This 128GB SanDisk 25% off £6.99 | This 32GB USB 3 SanDisk £6.49
Staples (Free sometimes) | This 4GB £2.29 | This 64GB £4.00 | n/a | n/a
Curries (£3.99 p&p) | This 8GB £5.99 | This USB 3.0 128GB SanDisk £12.99 | This Integral USB 3.0 256GB £16.99 |
Ebay* (varies) | n/a | n/a | Unbranded red drive 128GB £1.19 | 128 GB unbranded USB 3.0 £1.19
Amazon’s USB drive offerings
Unsurprisingly Amazon offers a wide range of USB flash drives all for roughly the same price point regardless of capacity.
I expected Amazon to sell the cheapest USB drives but I was surprised to discover that, once more, others had lower price points for flash storage.
Ebuyer’s above-average results for removable media
Ebuyer is where we nerds tend to shop. I was not surprised to find more USB 3 offerings, larger capacities, and a really good search and filter experience. In addition, I have found that Ebuyer reviews are dependable and trustworthy. As always, every technical detail was given. I do love Ebuyer.
There were no low-end old-gen crap offerings. Everything was reasonably modern. I would love it if they offered me a sponsorship and/or affiliate deal. Because I could praise them with all sincerity. I would feel confident that everything I recommended would be value for money and of good quality.
Ebuyer managers, call me; let’s talk.
Argos’ USB storage deals
Argos prices seem to closely follow Amazon’s with similar search and filtering options. This leaves them running in second place as they charge for delivery.
There’s nothing much else to say. Their offerings were okay.
Staples’ USB drive offerings
Staples was surprisingly cheap on the low end but the search was unhelpful as there was no way to filter except by brand and price. Size was not an option so I gave up before finding any larger offerings.
Delivery is free over £15 which is tempting for a bulk buy. They cite price and price with VAT which I guess is helpful for business buyers. I don’t know what the low-end p&p price is as the view cart option was not working.
Curries for USB sticks
Largely seems to stock strong names in data storage like Kingston, Integral, and SanDisk. They were not competitive on price but most of their offerings look like good solid choices for personal use. Even so, you can get similar products for less elsewhere.
Overall Argos and Amazon had Curries beaten on price and delivery costs. A safe choice if you don’t mind paying a bit more for no good reason.
*eBay was where it all went crazy!
The cheapest deals on eBay triggered my mental alarm for scams. They were pocket change prices and free delivery.
I found this listing where 128GB in red was the cheapest deal. Other colours and sizes were more expensive. I have my doubts if those others exist.
Then there was this USB 3.0 unbranded drive also for £1.19.
The thing about these deals is they all looked fishy AF. The USB 3.0 was a knock-off product from outside the UK, with reviews that mention they sell many imitation items.
In each of these cases, I think the seller is in China. My gut says do not trust and the reviews suggest my gut might be right. This is cheap for a reason.
Conclusion: Where would I buy some cheap USB drives to give to people?
Once more I am forced to ask myself why I even pay for Prime. They run adverts on the streaming service and charge enough extra to pay for the “free” postage and packaging. Amazon was not the winner of this roundup.
At the top end, Ebuyer wins hands down. Their stock is reasonably priced and of a new technology. On the whole, they offer more storage, good brands and some of the best prices. For everyday personal use, this is where to go. I would probably wait until I need to order other stuff to spread the postage and packaging into little more than a rounding error.
Ebuyer’s USB drives were mostly from dependable brands, less money than Amazon’s and with more storage. If I were buying for personal use, I would find a removable media of a size and price I can live with and get that.
This is not for personal use. In this case, I want cheap and somewhat disposable drives. There are two contenders for this crown – Staples and eBay. While eBay is the cheapest, quality is a dice roll and delivery time could take months. That leaves Staples for a job lot of low-end cheap USB drives.
If getting the cheapest as humanly possible is your aim, eBay wins. However, you had better be ready to wait a long time for products that might fail or not last long. Maybe they will be fine. Maybe they are as good as other offerings. Purely going from vibes, I have strong doubts.
Staples’ “small” offering was half the price and twice the capacity of Amazon’s similar offering. After eliminating eBay on scam avoidance vibes, they were the clear winner. After all, the files I need to give out all come in at under 1GB. I only need the storage device to be cheap, dependable for data, and likely to arrive before the next ice age.
If more people still used DVD/CD drives, I’d buy a few blank disks I have sitting about gathering dust. These days, that’s only an option for archiving backups.
If I spend more than £15 the p&p will be free. That’s slightly more than 5 (6 after rounding up). That puts the final price at 6x 4GB drives @ £17.94. That would get me three and a bit smaller drives from Amazon.
Final thoughts
There are two lessons to learn from this exploration of USB drive prices.
- Always shop around for good deals
- If something looks too good to be true, it probably is.
I hope my little window-shopping trip was useful to you. Where do you get your USB flash drives?
Syndicated to:#alternatives #Amazon #ebay #Ebuyer #research #shopping #Staples #UK #USBDrive
-
Looking at the election data #GE24 and the question of ballot position, I discover the FG and FF candidate surnames come significantly earlier in the alphabet, on average, than other parties.
Practically 30% of their candidates have names in the A-C range, vs 23.5% overall.
SF and independents are fairly low too.
I really can't think why this might be.
-
Hackaday Prize 2023: LoShark, The Radio Debugger for LoRa - LoRa, the Long Range wireless protocol is pretty great for trickling data across l... - https://hackaday.com/2023/08/06/hackaday-prize-2023-loshark-the-radio-debugger-for-lora/ #2023hackadayprize #thehackadayprize #radiohacks #lora
-
The annual Great Backyard Bird Count starts today! Dedicate 15 minutes this weekend to a global citizen #science project that helps track #birds' population and range.
-
The Silent Breach: Why Your Security Gateway Can’t See the Malware in Your Images
The Invisible Threat: Why Modern Cybersecurity Cannot Afford to Ignore Digital Steganography
In the current era of high-frequency cyber warfare, the most effective weapon is not necessarily the one with the highest encryption standard, but the one that remains entirely undetected until the moment of execution. While the industry spends billions of dollars perfecting cryptographic defenses to ensure that intercepted data cannot be read, a more insidious technique is resurfacing in the arsenals of advanced persistent threats: steganography. Unlike encryption, which transforms a message into an unreadable cipher—essentially waving a red flag that says “this is a secret”—steganography focuses on concealing the very existence of the communication. By embedding malicious payloads, configuration files, or stolen credentials within seemingly mundane carriers like a digital photograph of a corporate headquarters or a standard text readme file, attackers are successfully bypassing traditional security perimeters. Analyzing recent threat actor behaviors reveals that this is no longer a niche academic curiosity but a foundational component of modern malware delivery and data exfiltration strategies.
The primary danger of digital steganography lies in its exploitation of trust and the inherent limitations of automated scanning tools. Most Security Operations Centers (SOCs) are tuned to identify known malicious file signatures, suspicious executable behavior, or anomalies in encrypted traffic. However, a JPEG or PNG file is generally viewed as benign, often passing through email gateways and firewalls with minimal scrutiny beyond a basic virus scan. When a hacker hides data inside these files, they are leveraging the “noise” of the digital world to mask their signal. This methodology allows for a level of persistence that is difficult to combat, as the malicious content does not reside in a separate file that can be easily quarantined, but is woven into the fabric of legitimate business assets. As we move further into a landscape defined by zero-trust architectures, understanding the technical mechanics of how these hidden channels operate is a prerequisite for any robust defense strategy.
The Mechanics of Deception: How Least Significant Bit (LSB) Encoding Exploits Image Data
To understand how a hacker compromises a digital image, one must first understand the underlying structure of digital color representation. Most common image formats, such as $24$-bit BMP or PNG, represent pixels using three color channels: Red, Green, and Blue (RGB). Each of these channels is typically allocated $8$ bits, allowing for a value range from $0$ to $255$. When an attacker utilizes Least Significant Bit (LSB) encoding, they are targeting the rightmost bit in that $8$-bit sequence. Because this bit represents the smallest incremental value in the color intensity, changing it from a $0$ to a $1$ (or vice versa) results in a color shift so infinitesimal that it is mathematically and visually indistinguishable to the human eye. For instance, a pixel with a Red value of $255$ ($11111111$ in binary) that is changed to $254$ ($11111110$) remains, for all practical purposes, the same shade of red to any casual observer or standard display monitor.
By systematically replacing these least significant bits across thousands of pixels, an attacker can embed an entire secondary file—such as a PowerShell script or a Cobalt Strike beacon—within the “carrier” image. The process begins by converting the malicious payload into a binary stream and then iterating through the pixel array of the target image, swapping the LSB of each color channel with a bit from the payload. A standard $1080\text{p}$ image contains over two million pixels, which provides ample “real estate” to hide significant amounts of data without causing the type of visual artifacts or “noise” that would trigger a manual review. Furthermore, because the overall file structure and headers of the image remain intact, the file continues to function perfectly as an image, successfully deceiving both the end-user and many signature-based detection systems that only verify if a file matches its declared extension.
The technical sophistication of LSB encoding can be further heightened through the use of pseudo-random number generators (PRNGs). Instead of embedding the data in a linear fashion from the first pixel to the last—which creates a detectable statistical pattern—the attacker can use a secret key to seed a PRNG that determines a non-linear path through the pixel map. This effectively scatters the hidden bits throughout the image in a way that appears as natural “entropy” or sensor noise to basic statistical analysis tools. Consequently, without the specific algorithm and the corresponding key used to embed the data, extracting the payload becomes a significant cryptographic challenge. This layer of complexity ensures that even if a file is suspected of harboring a payload, proving its existence and retrieving the contents requires specialized steganalysis techniques that are often outside the scope of standard incident response.
Beyond Pixels: Hiding Payloads in Image Metadata and Headers
While LSB encoding focuses on the visual data of an image, a more straightforward and increasingly common method involves the exploitation of non-visual data segments, specifically headers and metadata fields. Every modern image file contains a variety of metadata, such as Exchangeable Image File Format (EXIF) data, which stores information about the camera settings, GPS coordinates, and timestamps. Attackers have recognized that these fields, intended for descriptive text, are essentially unregulated storage bins that can hold malicious strings. By injecting base64-encoded commands or encrypted URLs into the “Artist,” “Software,” or “Copyright” tags of an image, a threat actor can provide instructions to a piece of malware already residing on a victim’s machine. The malware simply “phones home” by downloading a benign-looking image from a public site like Imgur or GitHub and then parses the EXIF data to find its next set of instructions.
This technique is particularly effective for maintaining Command and Control (C2) infrastructure because it mimics legitimate web traffic. A firewall is unlikely to block an internal workstation from reaching a common image-hosting domain, and the payload itself is never “executed” in the traditional sense; it is merely read as a string by a separate process. Beyond standard metadata, hackers also target the internal structure of the file format itself, such as the “Comment” segments in JPEGs or the “chunks” in a PNG file. PNG files are organized into discrete blocks of data—such as IHDR for header information and IDAT for the actual image data—but the specification also allows for “ancillary chunks” (like tEXt or zTXt) which are ignored by most image viewers. An attacker can create custom, non-critical chunks that contain large volumes of data, effectively turning a simple icon into a delivery vehicle for a multi-stage malware dropper.
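A defender-side check for the chunk tricks just described, added here as an example and not taken from the article: a PNG chunk walker that reports ancillary chunks carrying unexpected bulk, private (unregistered) chunk types that viewers silently skip, CRC mismatches, and bytes appended after IEND. The sample file, the 256-byte metadata budget and the finding strings are my own assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def parse_png(data):
    """Walk the chunk list. Returns (chunks, trailing): chunks is a list of
    dicts {type, length, offset, crc_ok}; trailing is the number of bytes
    after IEND, which a well-formed PNG never has."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        crc_ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        chunks.append({"type": ctype, "length": length, "offset": pos, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos


def audit_png(data, max_ancillary=256):
    """Findings a gateway could act on. max_ancillary is an assumed budget for
    text/metadata chunks; ordinary images need at most a few hundred bytes."""
    chunks, trailing = parse_png(data)
    findings = []
    if not chunks or chunks[-1]["type"] != b"IEND":
        findings.append("no IEND chunk")
    for c in chunks:
        t, name = c["type"], c["type"].decode("latin1")
        if not c["crc_ok"]:
            findings.append(f"{name} at offset {c['offset']}: CRC mismatch")
        if t in CRITICAL:
            continue
        # Chunk-type case bits: lowercase first letter = ancillary (viewers may
        # ignore it), lowercase second letter = private, unregistered type.
        if chr(t[1]).islower():
            findings.append(f"private chunk {name} ({c['length']} bytes) is ignored by viewers")
        if c["length"] > max_ancillary:
            findings.append(f"ancillary chunk {name} carries {c['length']} bytes")
    if trailing:
        findings.append(f"{trailing} bytes after IEND")
    return findings


def make_chunk(ctype, body):
    """Length + type + body + CRC32 over type and body, as the PNG spec lays out."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample(extra_chunks=(), trailing=b""):
    """Constructed 1x1 grayscale PNG for the demo, optionally with extra
    chunks before IEND and bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                     # filter byte + pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + b"".join(make_chunk(t, b) for t, b in extra_chunks)
            + make_chunk(b"IEND", b"") + trailing)
```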
One of the most dangerous manifestations of this header manipulation is the creation of “polyglot” files. A polyglot is a file that is valid under two different file formats simultaneously. For example, a skilled attacker can craft a file that begins with the “Magic Bytes” of a GIF file (e.g., 47 49 46 38), ensuring that any image viewer or web browser treats it as a graphic, but also contains a valid Java Archive (JAR) or a web-based script further down in its structure. When this file is handled by a browser, it displays as an image, but if it is passed to a script interpreter or a specific application vulnerability, it executes as code. This dual-identity approach creates a massive blind spot for security products that rely on file-type identification to apply security policies. By blending the executable logic with the static data of an image, hackers have successfully created “stealth” files that are nearly impossible to categorize correctly without deep, byte-level inspection of the entire file body.
Text-Based Subversion: Linguistic Steganography and Zero-Width Characters
While the manipulation of high-entropy image files provides a vast playground for hiding data, hackers often prefer the simplicity and ubiquity of text files to evade modern detection engines. Text-based steganography is particularly dangerous because it exploits the very foundation of digital communication: the way we render characters on a screen. One of the most sophisticated methods involves the use of Unicode zero-width characters. These are non-printing characters, such as the Zero-Width Joiner (U+200D) or the Zero-Width Space (U+200B), which are designed to handle complex ligatures or invisible word breaks. Because these characters have no visual width, they are completely invisible to a human reading a text file or an administrator viewing a configuration script. However, to a computer, they are distinct pieces of data. An attacker can map these invisible characters to binary values—for instance, using a Zero-Width Joiner to represent a ‘1’ and a Zero-Width Non-Joiner to represent a ‘0’—allowing them to embed an entire encoded script inside a perfectly normal-looking README.txt file or even a social media post.
Beyond the use of “invisible” characters, hackers frequently leverage whitespace steganography, a technique that hides information in the trailing spaces and tabs of a document. In environments where source code is frequently moved between developers, a file containing extra spaces at the end of lines is rarely viewed with suspicion; it is usually dismissed as poor formatting or a byproduct of different text editors. Tools like “Snow” have long been used to conceal messages in this manner, effectively turning the “empty” space of a document into a covert storage medium. This is particularly effective in bypassing Data Loss Prevention (DLP) systems that are programmed to look for specific keywords or patterns of sensitive data like credit card numbers. By breaking a sensitive string into binary and hiding it as a series of tabs and spaces within a large corporate policy document, the data can be exfiltrated without triggering any signature-based alarms, as the document’s visible content remains entirely benign and policy-compliant.
Linguistic steganography represents the peak of this deceptive art, shifting the focus from bit-level manipulation to the nuances of human language itself. Rather than relying on technical “glitches” or hidden characters, this method involves altering the structure of sentences to carry a hidden message. By using a pre-defined dictionary and specific grammatical variations, an attacker can construct sentences that appear natural but encode specific data points based on word choice or sentence length. For example, a seemingly innocent email about a lunch meeting could, through a specific arrangement of adjectives and nouns, encode the IP address of a new Command and Control server. This form of “mimicry” is incredibly difficult for automated systems to detect because it does not involve any unusual file properties or illegal characters. It relies on the semantic flexibility of language, making it one of the most resilient forms of covert communication available to sophisticated threat actors who need to maintain long-term, low-profile access to a target network.
Real-World Weaponization: Case Studies in Malware and Data Exfiltration
The transition of steganography from a theoretical concept to a primary weapon in the wild is best illustrated by the evolution of exploit kits and state-sponsored campaigns. One of the most notorious examples is the Stegano exploit kit, which gained notoriety for hiding its malicious logic within the alpha channel of PNG images used in banner advertisements. The alpha channel, which controls the transparency of pixels, provides a perfect hiding spot because small variations in transparency are virtually impossible for a human to see against a standard web background. By embedding encrypted code in these advertisements, the attackers were able to redirect users to malicious landing pages without the users ever clicking a link or the ad-networks ever detecting the payload. This “malvertising” campaign demonstrated that steganography could be scaled to target millions of users simultaneously, turning the visual infrastructure of the internet into a delivery system for ransomware and banking trojans.
Advanced Persistent Threat (APT) groups, such as the North Korean-linked Lazarus Group, have refined these techniques to maintain persistence within highly secured environments. In several documented campaigns, Lazarus utilized BMP (bitmap) files to deliver second-stage malware. These images, often disguised as legitimate documents or icons, contained encrypted DLL files hidden within their pixel data. Once the initial dropper was executed on a victim’s machine, it would download the BMP file, extract the hidden bytes from the image data, and load the malicious DLL directly into memory. This “fileless” approach is a nightmare for traditional antivirus solutions because the malicious code never exists as a standalone file on the disk; it is only reconstructed at runtime from the components hidden within the benign image. This method effectively neutralizes most perimeter defenses that rely on file-scanning, as the image file itself is technically valid and non-executable.
The use of steganography is not limited to the delivery of malware; it is equally effective for the silent exfiltration of sensitive data. During a major breach of a global financial institution, investigators discovered that insiders were using high-resolution digital photographs to smuggle proprietary trading algorithms out of the network. By using LSB encoding to hide the source code within the photos of “office pets” and “company outings,” the attackers were able to bypass DLP systems that were specifically tuned to block the transmission of code-like text or large archives. Because the files remained valid JPEGs, they were permitted to be uploaded to personal cloud storage and social media accounts. This highlights a critical flaw in many modern security architectures: the assumption that if a file looks like an image and acts like an image, it is nothing more than an image. These real-world cases prove that steganography is the ultimate tool for bypassing the “secure” perimeters that organizations rely on.
Detection and Defiance: The Technical Challenges of Steganalysis
Detecting the presence of hidden data within a carrier file, a field known as steganalysis, is a game of statistical probability rather than binary certainty. Unlike traditional virus detection, which relies on matching a file’s hash or signature against a database of known threats, steganalysis must look for anomalies in the file’s expected data distribution. One of the most common technical approaches is the use of Chi-squared ($\chi^2$) tests, which analyze the distribution of pixel values in an image. In a natural, unmodified image, the frequency of adjacent color values tends to follow a predictable pattern. However, when an attacker injects a binary payload into the Least Significant Bits, they introduce a level of artificial entropy that flattens this distribution. This statistical “signature” of randomness is often the only clue that an image has been tampered with. Specialized tools can scan directories of images, flagging those with an unusually high degree of LSB entropy for further investigation by forensic analysts.
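The pairs-of-values chi-square test this paragraph refers to, worked through as an added example (not code from the article) that also illustrates the LSB mechanics described earlier: it runs over one decoded colour channel, a synthetic carrier stands in for a photo, and the decision threshold is an assumption of the demo rather than a calibrated value.

```python
import random
from collections import Counter


def chi_square_lsb(samples, min_pair_count=5):
    """Pairs-of-values chi-square statistic over 8-bit samples (one colour
    channel, decoded pixel values). Returns (chi2, dof). Replacing every LSB
    with payload bits makes the counts of each pair (2k, 2k+1) converge, so
    chi2 / dof near 1 is the steganographic signal; an untouched carrier
    usually gives a far larger ratio."""
    hist = Counter(samples)
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total < min_pair_count:
            continue  # too few samples in this pair to say anything
        chi2 += (even - odd) ** 2 / total  # same as summing (obs-exp)^2/exp over both
        dof += 1
    return chi2, max(dof - 1, 1)


def lsb_ratio(samples):
    chi2, dof = chi_square_lsb(samples)
    return chi2 / dof


def looks_lsb_embedded(samples, threshold=3.0):
    """Heuristic verdict; production tools turn chi2 into a p-value instead.
    Caveat: this catches sequential, full-capacity LSB replacement only. A
    payload scattered along a keyed PRNG path, or one filling a small part of
    the image, leaves most pairs unbalanced and slips past this test."""
    return lsb_ratio(samples) < threshold


def synthetic_carrier(n=4096):
    """Constructed stand-in for a clean channel: a ramp quantised to even
    values with an occasional +1, so each (2k, 2k+1) pair is lopsided the way
    real sensor histograms tend to be."""
    return bytes((((i * 13) // 7) % 128) * 2 + (1 if i % 9 == 0 else 0)
                 for i in range(n))


def randomise_lsbs(samples, seed=12345):
    """Test fixture: overwrite every LSB with a pseudo-random bit. That is the
    histogram effect of a full-capacity sequential LSB payload, whatever the
    payload's content (constructed for the test, not an embedding tool)."""
    rng = random.Random(seed)
    return bytes((v & 0xFE) | rng.getrandbits(1) for v in samples)
```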
Despite the power of statistical analysis, defenders face a significant hurdle known as the “Clean Image” problem. Steganalysis is exponentially more accurate when the analyst has access to the original, unmodified version of the file for comparison. Without this baseline, it is remarkably difficult to prove that a slight color variation or a specific metadata string is a malicious injection rather than a byproduct of the camera’s sensor noise or a specific compression algorithm. Furthermore, as attackers shift toward more sophisticated embedding methods—such as spread-spectrum steganography, which distributes the payload across many different frequencies within the image data—traditional statistical tests often fail. These techniques mimic the natural noise of the medium so closely that the signal-to-noise ratio becomes nearly impossible to decipher without the original key. This mathematical reality means that for many organizations, detection is not a scalable solution; instead, the focus must shift toward proactive neutralization.
Proactive defense, or “active warden” strategies, involve the automated sanitization of all incoming media files to ensure that any potential hidden channels are destroyed. Rather than trying to detect if a file is “guilty,” security gateways can be configured to “clean” every file by default. For images, this might involve re-compressing a JPEG, which slightly alters pixel values and effectively wipes out LSB-embedded data. For text files, a “sanitizer” can strip out all non-printing Unicode characters and normalize whitespace, effectively neutralizing zero-width character attacks. In high-security environments, some organizations go as far as “image flattening,” where an image is rendered into a canvas and then re-captured as a completely new file, ensuring that only the visual information survives and any hidden binary logic in the headers or metadata is discarded. This “zero-trust” approach to media handling is the only way to reliably defeat an adversary that specializes in hiding in plain sight.
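The text sanitizer described here, together with a scanner for the zero-width and trailing-whitespace carriers from the earlier section, as an added example that is not part of the article. The character set beyond U+200B/U+200D, the finding format and the README sample are my own assumptions.

```python
import unicodedata
from collections import Counter

# The article names U+200B and U+200D; this wider set, plus the whole Unicode
# "Cf" format category in the scan, is an assumption of this example.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def _invisible(ch):
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def scan_text(text):
    """Report invisible characters (with counts) and lines ending in spaces or
    tabs, the two carriers described above. Returns a list of findings."""
    findings = []
    counts = Counter(ch for ch in text if _invisible(ch))
    for ch, n in sorted(counts.items()):
        findings.append(f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')} x{n}")
    trailing = [i + 1 for i, line in enumerate(text.split("\n")) if line != line.rstrip(" \t")]
    if trailing:
        findings.append(f"trailing whitespace on {len(trailing)} line(s): {trailing}")
    return findings


def sanitize_text(text, keep=frozenset()):
    """Active-warden cleanup: drop invisible characters (except those in
    'keep') and trim trailing blanks. ZWJ/ZWNJ are legitimate in emoji
    sequences and several scripts, so pass them in 'keep' for such content;
    for configuration files and source code the default is appropriate."""
    cleaned = "".join(ch for ch in text if ch in keep or not _invisible(ch))
    return "\n".join(line.rstrip(" \t") for line in cleaned.split("\n"))


# Constructed sample: an innocuous-looking README with four zero-width
# characters after the title and tab/space runs at the end of two lines.
SAMPLE = ("# Deployment notes\u200b\u200d\u200c\u200d\n"
          "Run the installer.\t \t\n"
          "Then reboot.  \n"
          "Done.\n")
```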
Conclusion: The Future of Covert Channels in an AI-Driven World
The arms race between steganographers and security researchers is entering a new, more volatile phase driven by the rise of generative artificial intelligence. We are moving beyond the era of simply “hiding” data in existing files toward the era of “generative steganography,” where AI models can create entirely new, high-fidelity images or text blocks specifically designed to house a hidden payload from their very inception. These AI-generated carriers can be engineered to be statistically perfect, matching the expected entropy of a natural file so precisely that traditional steganalysis tools are rendered obsolete. As attackers begin to use Large Language Models (LLMs) to generate “innocent” emails that encode complex command-and-control instructions within the very flow of the prose, the challenge for defenders will shift from technical detection to semantic analysis. The “invisible” threat is becoming smarter, more adaptive, and more integrated into the standard tools of digital communication.
Ultimately, the resurgence of steganography serves as a critical reminder that cybersecurity is as much about psychology and subversion as it is about bits and bytes. By focusing exclusively on the “gates” of our networks—the firewalls, the encryptions, and the passwords—we have left the “windows” of our daily digital interactions wide open. A JPEG is rarely just a JPEG, and a text file is rarely just text. As long as there is a medium for communication, there will be a way to subvert it for covert purposes. For the modern security professional, the lesson is clear: true security requires a healthy skepticism of even the most benign-looking assets. Implementing deep-file inspection, automated media sanitization, and a rigorous zero-trust policy for all file types is no longer an optional luxury; it is a fundamental necessity in a world where the most dangerous threats are the ones you can’t see.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
NIST SP 800-101 Rev. 1: Guidelines on Mobile Device Forensics (Steganography Overview)
MITRE ATT&CK: Steganography (T1027.003)
CISA Analysis Report (AR21-013A): Malicious Steganography in SolarWinds Aftermath
Verizon 2024 Data Breach Investigations Report (DBIR)
Kaspersky: Steganography in Contemporary Cyberattacks
Mandiant: Sophisticated Steganography in Targeted Attacks
SentinelOne: Digital Steganography and Malware Persistence
Krebs on Security: Malware Hides in Plain Sight via Steganography
Palo Alto Unit 42: Steganography in the Wild
McAfee Labs: The Art of Hiding Data Within Data
SANS Institute: Steganography – Hiding Data Within Data
Dark Reading: Why Steganography is the Next Frontier
Center for Internet Security (CIS): The Basics of Steganography
IEEE Xplore: A Review on Image Steganography TechniquesDisclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#APTTechniques #binaryEncoding #C2Channels #chiSquaredTest #CISAReports #commandAndControl #covertCommunication #cyberDefense #cyberThreats #cyberWarfare #cybersecurity #dataExfiltration #dataLossPrevention #digitalForensics #digitalWatermarking #DLPBypass #encryptionVsSteganography #entropyAnalysis #EXIFData #exploitKits #fileSanitization #filelessMalware #forensicAnalysis #GIFAR #hiddenPayloads #hiddenScripts #imageSteganography #informationHiding #LazarusGroup #leastSignificantBit #linguisticSteganography #LSBEncoding #maliciousImages #malwareDetection #malwarePersistence #memoryInjection #metadataExploitation #MITREATTCK #networkSecurity #NISTSP800101 #obfuscation #payloadDelivery #pixelManipulation #polyglotFiles #RGBPixelData #securityResearch #SOCAnalyst #statisticalAnalysis #steganalysis #SteganoExploitKit #steganography #technicalDeepDive #textSteganography #threatHunting #UnicodeExploits #whitespaceSteganography #zeroTrust #zeroWidthCharacters -
The Silent Breach: Why Your Security Gateway Can’t See the Malware in Your Images
The Invisible Threat: Why Modern Cybersecurity Cannot Afford to Ignore Digital Steganography
In the current era of high-frequency cyber warfare, the most effective weapon is not necessarily the one with the highest encryption standard, but the one that remains entirely undetected until the moment of execution. While the industry spends billions of dollars perfecting cryptographic defenses to ensure that intercepted data cannot be read, a more insidious technique is resurfacing in the arsenals of advanced persistent threats: steganography. Unlike encryption, which transforms a message into an unreadable cipher—essentially waving a red flag that says “this is a secret”—steganography focuses on concealing the very existence of the communication. By embedding malicious payloads, configuration files, or stolen credentials within seemingly mundane carriers like a digital photograph of a corporate headquarters or a standard text readme file, attackers are successfully bypassing traditional security perimeters. Analyzing recent threat actor behaviors reveals that this is no longer a niche academic curiosity but a foundational component of modern malware delivery and data exfiltration strategies.
The primary danger of digital steganography lies in its exploitation of trust and the inherent limitations of automated scanning tools. Most Security Operations Centers (SOCs) are tuned to identify known malicious file signatures, suspicious executable behavior, or anomalies in encrypted traffic. However, a JPEG or PNG file is generally viewed as benign, often passing through email gateways and firewalls with minimal scrutiny beyond a basic virus scan. When a hacker hides data inside these files, they are leveraging the “noise” of the digital world to mask their signal. This methodology allows for a level of persistence that is difficult to combat, as the malicious content does not reside in a separate file that can be easily quarantined, but is woven into the fabric of legitimate business assets. As we move further into a landscape defined by zero-trust architectures, understanding the technical mechanics of how these hidden channels operate is a prerequisite for any robust defense strategy.
The Mechanics of Deception: How Least Significant Bit (LSB) Encoding Exploits Image Data
To understand how an attacker abuses a digital image, one must first understand how colour is represented. Common formats such as 24-bit BMP or PNG store each pixel as three channels, Red, Green and Blue (RGB), with 8 bits per channel and therefore a value range of 0 to 255. Least Significant Bit (LSB) encoding targets the rightmost bit of each 8-bit channel value. Because that bit carries the smallest increment of intensity, flipping it from 0 to 1 (or back) shifts the colour by one step out of 256, which is visually indistinguishable to a human viewer on a standard display. A pixel whose Red value is 255 (11111111 in binary) that becomes 254 (11111110) is, for all practical purposes, the same shade of red. The change is not invisible to arithmetic, however: the value really did move by one, and that is precisely the kind of difference statistical steganalysis looks for.
By replacing these least significant bits across thousands of pixels, an attacker can embed an entire secondary file, such as a PowerShell script or a Cobalt Strike beacon, within the carrier image. The payload is converted to a bit stream, the embedder walks the pixel array, and the LSB of each channel value is overwritten with the next payload bit; the extractor on the victim side reads the same bits back in the same order. A 1920×1080 image has 2,073,600 pixels with three channels each, so at one bit per channel it offers about 6.2 million bits, roughly 777 KB of capacity, far more than a typical stager needs, without producing the visual artifacts that would prompt a manual review. Because the file's structure and headers are untouched, it still opens and renders as a normal image, which satisfies both the end-user and any control that only checks whether a file's content matches its declared type.
LSB embedding can be made harder to analyse with a pseudo-random number generator (PRNG). Instead of writing the payload linearly from the first pixel onward, which leaves the start of the image statistically different from the rest, the attacker seeds a PRNG with a secret key and lets it choose a permutation of pixel positions, scattering the payload bits across the whole image. Without the algorithm and key, an analyst cannot tell which bits belong to the payload or in what order, so recovering the content becomes a key-recovery problem rather than a parsing problem. Scattering does not, however, make the bits statistically invisible: it defeats tests that scan the image in reading order looking for the boundary where embedding stops, but sample-pair and RS-style steganalysis look at pair statistics over the whole image and still respond to full-rate embedding. In practice the attacker also keeps the embedding rate low and encrypts the payload first, so that what remains looks like sensor noise and extraction without the key yields nothing usable. Proving a payload exists and retrieving it are separate problems, and both sit outside the toolkit of a standard incident response.
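The embed-and-extract loop described above, including the keyed scatter order, as an added example (not code from the original post): a Python implementation over a flat RGB byte buffer. The carrier is a constructed random buffer standing in for a decoded image, the key-seeded permutation is an assumed scheme chosen for illustration, and the payload and key are placeholders.

```python
import random
import struct

# Added example, not from the original post. The carrier models the flat RGB
# byte buffer of a 64x48 image (constructed random data, not a photo). The
# key-seeded PRNG permutation that picks the embedding order is an assumed
# scheme for illustration; real tools differ in the details.

WIDTH, HEIGHT = 64, 48
CARRIER = bytes(random.Random(1).getrandbits(8) for _ in range(WIDTH * HEIGHT * 3))
PAYLOAD = b"constructed payload: stand-in for a second-stage script"
KEY = b"constructed-demo-key"
LENGTH_BITS = 32                      # big-endian length prefix written first


def capacity_bytes(cover_len: int) -> int:
    """Payload bytes that fit at one bit per cover byte, after the length prefix."""
    return max(0, (cover_len - LENGTH_BITS) // 8)


def scatter_order(key: bytes, cover_len: int) -> list:
    """Key-dependent permutation of cover offsets: the scatter path."""
    positions = list(range(cover_len))
    random.Random(key).shuffle(positions)   # same key -> same path on both ends
    return positions


def lsb_embed(cover: bytes, payload: bytes, key: bytes) -> bytes:
    """Overwrite the LSB of key-selected cover bytes with the payload bits."""
    if len(payload) > capacity_bytes(len(cover)):
        raise ValueError(f"{len(payload)} bytes exceed capacity {capacity_bytes(len(cover))}")
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    out = bytearray(cover)
    for pos, bit in zip(scatter_order(key, len(cover)), bits):
        out[pos] = (out[pos] & 0xFE) | bit     # each byte moves by at most 1
    return bytes(out)


def lsb_extract(stego: bytes, key: bytes) -> bytes:
    """Read the bits back along the same key-derived path."""
    path = scatter_order(key, len(stego))

    def read(bit_offset: int, n_bytes: int) -> bytes:
        out = bytearray()
        for i in range(n_bytes):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[path[bit_offset + i * 8 + j]] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read(0, 4))
    if length > capacity_bytes(len(stego)):
        raise ValueError("implausible length prefix: wrong key or no payload")
    return read(LENGTH_BITS, length)


def max_abs_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between cover and stego (0 or 1 for LSB)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = lsb_embed(CARRIER, PAYLOAD, KEY)
    print("capacity:", capacity_bytes(len(CARRIER)), "bytes")
    print("max per-byte change:", max_abs_change(CARRIER, stego))
    print("recovered:", lsb_extract(stego, KEY))
```

Two things are worth noticing when running it: no cover byte moves by more than one, which is why the change is invisible, and the length prefix is the weak point of this scheme, since a wrong key reads 32 arbitrary bits and almost always fails the plausibility check, which is also how an analyst who has recovered a candidate key confirms it.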
Beyond Pixels: Hiding Payloads in Image Metadata and Headers
While LSB encoding focuses on the visual data of an image, a more straightforward and increasingly common method involves the exploitation of non-visual data segments, specifically headers and metadata fields. Every modern image file contains a variety of metadata, such as Exchangeable Image File Format (EXIF) data, which stores information about the camera settings, GPS coordinates, and timestamps. Attackers have recognized that these fields, intended for descriptive text, are essentially unregulated storage bins that can hold malicious strings. By injecting base64-encoded commands or encrypted URLs into the “Artist,” “Software,” or “Copyright” tags of an image, a threat actor can provide instructions to a piece of malware already residing on a victim’s machine. The malware simply “phones home” by downloading a benign-looking image from a public site like Imgur or GitHub and then parses the EXIF data to find its next set of instructions.
This technique suits Command and Control (C2) because the traffic looks like ordinary web browsing. A firewall is unlikely to block a workstation from reaching a common image-hosting domain, and the payload is never executed by the image viewer; it is read out as a string by a process the attacker already controls. Beyond standard metadata, attackers also exploit the container format itself, such as the COM (comment) segment of a JPEG or the chunk structure of a PNG. A PNG is a sequence of chunks, each consisting of a length, a four-letter type, the data and a CRC over type and data. Critical chunks such as IHDR (header) and IDAT (compressed pixel data) are mandatory; the specification also defines ancillary chunks (tEXt, zTXt, iTXt and others, recognisable by a lowercase first letter in the type) and requires decoders to ignore any ancillary chunk they do not recognise. An attacker can therefore add a private chunk of any size, with a correct CRC, and the file remains a valid PNG that every viewer opens. Bytes appended after the IEND chunk are ignored in the same way. Either location turns a small icon into a delivery vehicle for a multi-stage dropper, and neither touches the pixels, so pixel-domain steganalysis will never see it.
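The chunk structure described above, and the polyglot case in the next paragraph, as an added example (not the post's own code): a Python audit that walks PNG chunks, flags ancillary chunks that look like storage or carry base64, reports bytes after IEND, rebuilds the file with critical chunks only, and checks whether a GIF also parses as a ZIP/JAR. All sample files are constructed in memory; the chunk type stEg is a hypothetical private name used only here.

```python
import base64
import io
import struct
import zipfile
import zlib

# Added example, not from the original post: audit the container rather than the
# pixels. All sample files are constructed in memory; "stEg" is a hypothetical
# private chunk name chosen for the demo.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
KNOWN_ANCILLARY = {b"tEXt", b"zTXt", b"iTXt", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
                   b"pHYs", b"tIME", b"bKGD", b"sBIT", b"hIST", b"sPLT", b"eXIf"}
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD = b"PK\x05\x06"          # End Of Central Directory record signature

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(width: int, height: int, rgb: bytes, extra=()) -> bytes:
    """Minimal 8-bit RGB PNG; `extra` (type, data) chunks go between IHDR and IDAT."""
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    body = [png_chunk(b"IHDR", ihdr)] + [png_chunk(t, d) for t, d in extra]
    body += [png_chunk(b"IDAT", zlib.compress(rows)), png_chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(body)

def parse_png(png: bytes):
    """Return (chunks, trailer): chunks as (type, data, crc_ok), trailer = bytes after IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIG)
    while True:
        if pos + 12 > len(png):
            raise ValueError("truncated: no IEND chunk")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, end = png[pos + 4:pos + 8], pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        chunks.append((ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc))
        pos = end
        if ctype == b"IEND":
            return chunks, png[pos:]

def looks_like_base64(text: bytes, min_len: int = 16) -> bool:
    """Heuristic: long, alphabet-clean, 4-aligned. A long plain word also matches."""
    if len(text) < min_len or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:
        return False

def audit_png(png: bytes, max_ancillary: int = 1024) -> list:
    """Findings a gateway should not wave through; an empty list means nothing odd."""
    findings = []
    chunks, trailer = parse_png(png)
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: CRC mismatch")
        if ctype in CRITICAL:
            continue
        if ctype not in KNOWN_ANCILLARY:
            findings.append(f"{name}: unknown ancillary chunk ({len(data)} bytes)")
        if len(data) > max_ancillary:
            findings.append(f"{name}: ancillary chunk over {max_ancillary} bytes")
        if ctype == b"tEXt" and b"\x00" in data:
            keyword, text = data.split(b"\x00", 1)
            if looks_like_base64(text):
                findings.append(f"tEXt/{keyword.decode('latin-1')}: value decodes as base64")
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
    return findings

def strip_ancillary(png: bytes) -> bytes:
    """Rebuild with critical chunks only (plus tRNS, which affects rendering).
    Kills every chunk/metadata/trailer channel; pixel-domain (LSB) payloads survive."""
    chunks, _trailer = parse_png(png)
    keep = CRITICAL | {b"tRNS"}
    return PNG_SIG + b"".join(png_chunk(t, d) for t, d, _ok in chunks if t in keep)

def classify(data: bytes) -> list:
    """Every format the bytes satisfy, including the end-anchored ZIP/JAR check."""
    kinds = []
    if data[:6] in GIF_MAGICS:
        kinds.append("gif")
    if data.startswith(PNG_SIG):
        kinds.append("png")
    # ZIP readers locate the EOCD record within the last 22 + 65535 bytes and ignore
    # whatever precedes the archive, which is exactly why a GIF+ZIP is both.
    if ZIP_EOCD in data[-(22 + 65535):] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            kinds.append("jar" if "META-INF/MANIFEST.MF" in zf.namelist() else "zip")
    return kinds

def make_gifar(gif: bytes) -> bytes:
    """Constructed polyglot: the GIF followed by a JAR-shaped ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("README", "constructed archive member")
    return gif + buf.getvalue()

# Constructed samples: a 4x4 PNG with a base64 comment, a 4 KiB private chunk and
# a trailer, plus a 1x1 GIF89a.
SAMPLE_PNG = build_png(4, 4, bytes(range(48)), extra=[
    (b"tEXt", b"Comment\x00" + base64.b64encode(b"constructed: next-stage instruction placeholder")),
    (b"stEg", bytes(range(256)) * 16),
]) + b"trailing payload placeholder"
MINI_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    for finding in audit_png(SAMPLE_PNG):
        print("PNG:", finding)
    print("after strip:", audit_png(strip_ancillary(SAMPLE_PNG)))
    print("GIF:", classify(MINI_GIF), " GIFAR:", classify(make_gifar(MINI_GIF)))
```

The design point is that `classify` does not stop at the first signature it recognises: a file is allowed to be several things at once, and policy should be applied for all of them. The base64 check is a heuristic with false positives, so it belongs in a scoring pipeline rather than a hard block, whereas an unknown ancillary chunk of several kilobytes or bytes after IEND has almost no legitimate explanation.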
One of the most dangerous manifestations of header manipulation is the polyglot file, a file that is valid under two formats at once. The classic example is the GIFAR: a file that begins with the magic bytes of a GIF (47 49 46 38, the ASCII string GIF8), so that any image viewer or browser treats it as a graphic, but that also ends with a complete ZIP archive, which is what a Java Archive (JAR) is. The trick works because the two parsers start from opposite ends: a GIF decoder reads from the first byte and stops at the GIF trailer, while a ZIP reader locates the central directory from the end of the file and ignores whatever precedes it. Served by a web server, the file displays as an image; handed to the Java runtime as an applet, it runs as code under the origin of the site that hosted the "image". Security products that identify a file type once, from its leading bytes, and then apply the policy for that type have a blind spot here. Classifying such a file correctly requires checking every format signature it could satisfy, including those anchored at the end of the file, rather than only the first few bytes.
Text-Based Subversion: Linguistic Steganography and Zero-Width Characters
While high-entropy image files offer a vast playground for hiding data, attackers often prefer the simplicity and ubiquity of text to evade detection engines. Text-based steganography is dangerous because it exploits the foundation of digital communication: the gap between the characters a file contains and the glyphs a screen renders. One of the most effective methods uses Unicode zero-width characters. These are non-printing code points such as the Zero-Width Joiner (U+200D), the Zero-Width Non-Joiner (U+200C) and the Zero-Width Space (U+200B), which exist to control ligatures and line-breaking. Because they have no visual width, they are invisible to a human reading a text file or an administrator reviewing a configuration script, yet to a parser they are distinct characters. An attacker can map them to binary values, for instance a Zero-Width Joiner for 1 and a Zero-Width Non-Joiner for 0, and interleave the resulting sequence with ordinary characters, embedding an entire encoded script inside a perfectly normal-looking README.txt or even a social media post. The carrier grows by one code point per payload bit, which is the one thing a defender can measure: the text's length in characters no longer matches what its visible glyphs account for.
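The ZWJ/ZWNJ bit mapping above as an added example (not from the original post), together with the detection metric and the sanitizer that defeats it. The cover sentence and the secret are constructed; the way the invisible run is spread across word gaps is an assumption for the demo, not any particular tool's scheme.

```python
import re
import unicodedata

# Added example, not from the original post. ZWJ = 1, ZWNJ = 0 as in the text;
# cover and secret are constructed; the word-gap spreading is an assumed scheme.
ZWJ, ZWNJ = "\u200d", "\u200c"
COVER = "Lunch is at noon on Thursday; bring the Q3 deck and the printed agenda."
SECRET = b"constructed secret"


def zw_encode(cover: str, secret: bytes) -> str:
    """One invisible code point per payload bit, spread across the word gaps."""
    words = cover.split(" ")
    if len(words) < 2:
        raise ValueError("cover needs at least one word gap")
    hidden = [ZWJ if bit == "1" else ZWNJ for b in secret for bit in f"{b:08b}"]
    per_gap = -(-len(hidden) // (len(words) - 1))      # ceil division
    out = []
    for i, word in enumerate(words):
        out.append(word)
        if i < len(words) - 1:
            out.append("".join(hidden[i * per_gap:(i + 1) * per_gap]) + " ")
    return "".join(out)


def zw_decode(text: str) -> bytes:
    """Collect ZWJ/ZWNJ in order and regroup into bytes; ignores a trailing partial byte."""
    bits = "".join("1" if c == ZWJ else "0" for c in text if c in (ZWJ, ZWNJ))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def count_format_chars(text: str) -> int:
    """Detection metric: Unicode category Cf (format) characters carry no glyph."""
    return sum(1 for c in text if unicodedata.category(c) == "Cf")


def sanitize_text(text: str) -> str:
    """Active-warden pass: NFKC-normalize, drop every Cf character, trim trailing
    blanks per line (which also kills SNOW-style whitespace channels).
    Caveat: ZWJ/ZWNJ are legitimate in Indic and Arabic text and in emoji
    sequences; exempt those by policy instead of mangling them silently."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return "\n".join(re.sub(r"[ \t]+$", "", line) for line in text.split("\n"))


if __name__ == "__main__":
    stego = zw_encode(COVER, SECRET)
    print("visible text identical:", stego.replace(ZWJ, "").replace(ZWNJ, "") == COVER)
    print("format characters:", count_format_chars(stego))
    print("decoded:", zw_decode(stego))
    print("after sanitizer:", zw_decode(sanitize_text(stego)))
```

`count_format_chars` is the cheap gateway check: a README or an e-mail body with hundreds of category-Cf characters deserves a look regardless of what they encode. The sanitizer is the active-warden counterpart; it removes the channel without needing to decode it, at the cost noted in the docstring.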
Beyond the use of “invisible” characters, hackers frequently leverage whitespace steganography, a technique that hides information in the trailing spaces and tabs of a document. In environments where source code is frequently moved between developers, a file containing extra spaces at the end of lines is rarely viewed with suspicion; it is usually dismissed as poor formatting or a byproduct of different text editors. Tools like “Snow” have long been used to conceal messages in this manner, effectively turning the “empty” space of a document into a covert storage medium. This is particularly effective in bypassing Data Loss Prevention (DLP) systems that are programmed to look for specific keywords or patterns of sensitive data like credit card numbers. By breaking a sensitive string into binary and hiding it as a series of tabs and spaces within a large corporate policy document, the data can be exfiltrated without triggering any signature-based alarms, as the document’s visible content remains entirely benign and policy-compliant.
Linguistic steganography represents the peak of this deceptive art, shifting the focus from bit-level manipulation to the nuances of human language itself. Rather than relying on technical “glitches” or hidden characters, this method involves altering the structure of sentences to carry a hidden message. By using a pre-defined dictionary and specific grammatical variations, an attacker can construct sentences that appear natural but encode specific data points based on word choice or sentence length. For example, a seemingly innocent email about a lunch meeting could, through a specific arrangement of adjectives and nouns, encode the IP address of a new Command and Control server. This form of “mimicry” is incredibly difficult for automated systems to detect because it does not involve any unusual file properties or illegal characters. It relies on the semantic flexibility of language, making it one of the most resilient forms of covert communication available to sophisticated threat actors who need to maintain long-term, low-profile access to a target network.
Real-World Weaponization: Case Studies in Malware and Data Exfiltration
The transition of steganography from a theoretical concept to a primary weapon in the wild is best illustrated by the evolution of exploit kits and state-sponsored campaigns. One of the most notorious examples is the Stegano exploit kit, which gained notoriety for hiding its malicious logic within the alpha channel of PNG images used in banner advertisements. The alpha channel, which controls the transparency of pixels, provides a perfect hiding spot because small variations in transparency are virtually impossible for a human to see against a standard web background. By embedding encrypted code in these advertisements, the attackers were able to redirect users to malicious landing pages without the users ever clicking a link or the ad-networks ever detecting the payload. This “malvertising” campaign demonstrated that steganography could be scaled to target millions of users simultaneously, turning the visual infrastructure of the internet into a delivery system for ransomware and banking trojans.
Advanced Persistent Threat (APT) groups, among them the North Korean-linked Lazarus Group, have refined these techniques to maintain a foothold in well-defended environments. In documented campaigns Lazarus used BMP (bitmap) image files to carry second-stage malware: the image, often disguised as a document or icon, held an encrypted DLL inside its pixel data. Once the initial dropper ran on the victim's machine, it fetched the BMP, carved the hidden bytes out of the image data, decrypted them and loaded the DLL directly into memory. This "fileless" handoff is hard for traditional antivirus because the malicious code never exists as a standalone file on disk; it is reconstructed at runtime from a file that is a valid, non-executable image. Perimeter file scanning therefore sees nothing, and detection has to move to the host: a process that opens an image and then allocates executable memory or loads a module from a buffer is the behaviour to hunt for.
Steganography is not limited to delivering malware; it works just as well for quiet exfiltration. During a major breach of a global financial institution, investigators found that insiders had used high-resolution photographs to smuggle proprietary trading algorithms out of the network. With the source code LSB-encoded into pictures of office pets and company outings (for a JPEG this means the low bits of the quantized DCT coefficients, since pixel-domain LSBs do not survive lossy compression), the uploads sailed past DLP rules tuned to block code-like text and large archives, because the files were still valid JPEGs and were allowed onto personal cloud storage and social media accounts. The lesson is a recurring flaw in security architectures: the assumption that a file which looks like an image and opens like an image is nothing more than an image. These cases show how routinely steganography crosses perimeters that organizations regard as secure.
Detection and Defiance: The Technical Challenges of Steganalysis
Detecting hidden data in a carrier, a field known as steganalysis, is a matter of statistical evidence rather than binary certainty. Traditional virus detection matches a hash or signature against known threats; steganalysis has to look for deviations from the statistics a natural file should have. One of the classic techniques is the chi-squared (χ²) test of Westfeld and Pfitzmann, which exploits a property of LSB replacement: overwriting the low bit can only turn a value 2k into 2k+1 or back, so embedding moves counts between the two members of each "pair of values" and, when the payload bits are roughly random (as encrypted data is), drives the two counts toward equality. Natural images show no such equality; neighbouring histogram bins differ, often by a lot. The test therefore compares the observed counts of each pair against their mean and reads a small chi-squared statistic, or equivalently a high p-value, as evidence that the histogram has been equalized by embedding. Tools can run this across whole directories, flagging files with an unusually equalized LSB histogram or other anomalies in LSB entropy for a forensic analyst.
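The pairs-of-values chi-squared test as an added example (not from the original post): a pure-Python implementation run on a constructed 8-bit channel and on the same channel after full-rate LSB replacement. The "natural" channel is synthetic (Gaussian values pushed through a contrast stretch, which leaves the uneven neighbouring histogram bins that real, edited photos show); nothing here is a real image, and the incomplete-gamma routine is the standard series/continued-fraction evaluation used to turn the statistic into a p-value.

```python
import math
import random

# Added example, not from the original post. The "natural" channel is constructed
# (Gaussian values through a contrast stretch); the stego version is full-rate
# LSB replacement with random bits, i.e. an encrypted payload.
N_BYTES = 128 * 128 * 3      # one 128x128 RGB buffer


def synthetic_cover(n: int = N_BYTES, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        x = max(0, min(170, int(rng.gauss(100, 35))))
        out.append(round(x * 1.5))      # stretch: some values never occur, like real edits
    return bytes(out)


def lsb_replace_all(cover: bytes, seed: int = 11) -> bytes:
    """Every LSB overwritten with a random bit (100% embedding rate)."""
    rng = random.Random(seed)
    return bytes((v & 0xFE) | rng.getrandbits(1) for v in cover)


def gamma_q(a: float, x: float) -> float:
    """Regularized upper incomplete gamma Q(a, x); chi-squared survival = Q(dof/2, chi2/2)."""
    if x <= 0:
        return 1.0
    lg = math.lgamma(a)
    if x < a + 1:                                   # series for P(a, x), Q = 1 - P
        ap, term, total = a, 1.0 / a, 1.0 / a
        for _ in range(1000):
            ap += 1
            term *= x / ap
            total += term
            if abs(term) < abs(total) * 1e-14:
                break
        return max(0.0, 1.0 - total * math.exp(-x + a * math.log(x) - lg))
    b, c, d = x + 1 - a, 1e300, 1.0 / (x + 1 - a)      # Lentz continued fraction for Q
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2
        d = an * d + b
        d = 1e-300 if abs(d) < 1e-300 else d
        c = b + an / c
        c = 1e-300 if abs(c) < 1e-300 else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1) < 1e-14:
            break
    return math.exp(-x + a * math.log(x) - lg) * h


def pov_test(sample: bytes) -> dict:
    """For each pair (2k, 2k+1) the expected count under LSB embedding is the pair
    mean. Natural data: large chi2, p ~ 0. Embedded data: chi2 ~ dof, p not small."""
    hist = [0] * 256
    for v in sample:
        hist[v] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    p = gamma_q(dof / 2, chi2 / 2) if dof else 1.0
    # p is uniform on [0, 1] when embedding is present, so a 0.01 cutoff misses ~1% of them
    return {"chi2": chi2, "dof": dof, "p_embedded": p, "likely_embedded": p > 0.01}


if __name__ == "__main__":
    clean = synthetic_cover()
    for label, data in (("clean", clean), ("stego", lsb_replace_all(clean))):
        r = pov_test(data)
        print(f"{label}: chi2={r['chi2']:.1f} dof={r['dof']} p={r['p_embedded']:.3g} "
              f"embedded={r['likely_embedded']}")
```

The p-value is the probability that an embedded image would produce a chi-squared this large; it is uniform on [0, 1] when embedding is present, so any cutoff misses that fraction of embedded files. The test also only responds to near-full-rate LSB replacement: scattered low-rate embedding, or LSB matching (±1 rather than overwrite), leaves the pairs unequal and needs RS or sample-pair analysis instead.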
Despite the power of statistical analysis, defenders face the "clean image" problem. Steganalysis is far more accurate when the analyst has the original, unmodified file to compare against. Without that baseline it is hard to prove that a slight colour variation or an odd metadata string is an injection rather than sensor noise or a quirk of a particular compression pipeline, and the embedder gets to choose covers whose natural statistics already look noisy. Attackers are also moving to embedding methods that are much harder to characterise: spread-spectrum schemes spread a low-amplitude payload across many transform coefficients, and content-adaptive schemes confine their changes to textured regions where any model of "natural" is weakest, so the classic histogram tests return nothing. The embedded signal sits below the noise floor of the medium and cannot be separated from it without the key. For most organisations, then, detection alone does not scale; the focus has to shift toward proactive neutralization.
Proactive defense, the "active warden" strategy, sanitizes every incoming media file so that any covert channel it might carry is destroyed, without first deciding whether the file is guilty. A gateway can be configured to clean every file by default. For images this means decoding to pixels and re-encoding: re-compressing a JPEG at a different quality, or writing a PNG from its decoded pixels with only the critical chunks, perturbs or drops the low-order bits and discards comments, private chunks, EXIF fields and anything appended after the end-of-image marker. For text, a sanitizer strips Unicode format characters (the zero-width code points among them) and normalizes trailing whitespace, which neutralizes both zero-width and whitespace channels. In high-security environments some organizations go further, to "image flattening": the image is rendered onto a canvas and captured as a brand-new file, so only the visible picture survives. The approach has costs a practitioner should expect. Re-encoding degrades quality, strips legitimate metadata such as orientation and colour profiles, breaks signed or hash-verified documents, and in text removes characters that some scripts and emoji sequences genuinely need, so exemptions must be explicit rather than accidental. It also leaves one gap: a payload in the pixel values of a lossless format survives a lossless re-encode, so flattening to a lossy format or re-randomizing the low bits is what actually removes pixel-domain channels. With those caveats, sanitization scales where detection does not, and is the most reliable way to deal with an adversary who specializes in hiding in plain sight.
Conclusion: The Future of Covert Channels in an AI-Driven World
The arms race between steganographers and security researchers is entering a new, more volatile phase driven by generative artificial intelligence. We are moving beyond the era of hiding data in existing files toward "generative steganography", where a model produces an entirely new, high-fidelity image or block of text designed from the outset to house a hidden payload. Such generated carriers can be engineered to match the expected statistics of a natural file so closely that traditional steganalysis tools become far less effective. As attackers begin to use Large Language Models (LLMs) to generate "innocent" emails that encode command-and-control instructions in the flow of the prose itself, the challenge for defenders shifts from technical detection to semantic analysis. The invisible threat is becoming smarter, more adaptive, and more integrated into the standard tools of digital communication.
Ultimately, the resurgence of steganography serves as a critical reminder that cybersecurity is as much about psychology and subversion as it is about bits and bytes. By focusing exclusively on the “gates” of our networks—the firewalls, the encryptions, and the passwords—we have left the “windows” of our daily digital interactions wide open. A JPEG is rarely just a JPEG, and a text file is rarely just text. As long as there is a medium for communication, there will be a way to subvert it for covert purposes. For the modern security professional, the lesson is clear: true security requires a healthy skepticism of even the most benign-looking assets. Implementing deep-file inspection, automated media sanitization, and a rigorous zero-trust policy for all file types is no longer an optional luxury; it is a fundamental necessity in a world where the most dangerous threats are the ones you can’t see.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
#APTTechniques #binaryEncoding #C2Channels #chiSquaredTest #CISAReports #commandAndControl #covertCommunication #cyberDefense #cyberThreats #cyberWarfare #cybersecurity #dataExfiltration #dataLossPrevention #digitalForensics #digitalWatermarking #DLPBypass #encryptionVsSteganography #entropyAnalysis #EXIFData #exploitKits #fileSanitization #filelessMalware #forensicAnalysis #GIFAR #hiddenPayloads #hiddenScripts #imageSteganography #informationHiding #LazarusGroup #leastSignificantBit #linguisticSteganography #LSBEncoding #maliciousImages #malwareDetection #malwarePersistence #memoryInjection #metadataExploitation #MITREATTCK #networkSecurity #NISTSP800101 #obfuscation #payloadDelivery #pixelManipulation #polyglotFiles #RGBPixelData #securityResearch #SOCAnalyst #statisticalAnalysis #steganalysis #SteganoExploitKit #steganography #technicalDeepDive #textSteganography #threatHunting #UnicodeExploits #whitespaceSteganography #zeroTrust #zeroWidthCharacters
The Silent Breach: Why Your Security Gateway Can’t See the Malware in Your Images
3,217 words, 17 minutes read time.
The Invisible Threat: Why Modern Cybersecurity Cannot Afford to Ignore Digital Steganography
In the current era of high-frequency cyber warfare, the most effective weapon is not necessarily the one with the highest encryption standard, but the one that remains entirely undetected until the moment of execution. While the industry spends billions of dollars perfecting cryptographic defenses to ensure that intercepted data cannot be read, a more insidious technique is resurfacing in the arsenals of advanced persistent threats: steganography. Unlike encryption, which transforms a message into an unreadable cipher—essentially waving a red flag that says “this is a secret”—steganography focuses on concealing the very existence of the communication. By embedding malicious payloads, configuration files, or stolen credentials within seemingly mundane carriers like a digital photograph of a corporate headquarters or a standard text readme file, attackers are successfully bypassing traditional security perimeters. Analyzing recent threat actor behaviors reveals that this is no longer a niche academic curiosity but a foundational component of modern malware delivery and data exfiltration strategies.
The primary danger of digital steganography lies in its exploitation of trust and the inherent limitations of automated scanning tools. Most Security Operations Centers (SOCs) are tuned to identify known malicious file signatures, suspicious executable behavior, or anomalies in encrypted traffic. However, a JPEG or PNG file is generally viewed as benign, often passing through email gateways and firewalls with minimal scrutiny beyond a basic virus scan. When a hacker hides data inside these files, they are leveraging the “noise” of the digital world to mask their signal. This methodology allows for a level of persistence that is difficult to combat, as the malicious content does not reside in a separate file that can be easily quarantined, but is woven into the fabric of legitimate business assets. As we move further into a landscape defined by zero-trust architectures, understanding the technical mechanics of how these hidden channels operate is a prerequisite for any robust defense strategy.
The Mechanics of Deception: How Least Significant Bit (LSB) Encoding Exploits Image Data
To understand how a hacker compromises a digital image, one must first understand the underlying structure of digital color representation. Most common image formats, such as $24$-bit BMP or PNG, represent pixels using three color channels: Red, Green, and Blue (RGB). Each of these channels is typically allocated $8$ bits, allowing for a value range from $0$ to $255$. When an attacker utilizes Least Significant Bit (LSB) encoding, they are targeting the rightmost bit in that $8$-bit sequence. Because this bit represents the smallest incremental value in the color intensity, changing it from a $0$ to a $1$ (or vice versa) results in a color shift so infinitesimal that it is mathematically and visually indistinguishable to the human eye. For instance, a pixel with a Red value of $255$ ($11111111$ in binary) that is changed to $254$ ($11111110$) remains, for all practical purposes, the same shade of red to any casual observer or standard display monitor.
By systematically replacing these least significant bits across thousands of pixels, an attacker can embed an entire secondary file—such as a PowerShell script or a Cobalt Strike beacon—within the “carrier” image. The process begins by converting the malicious payload into a binary stream and then iterating through the pixel array of the target image, swapping the LSB of each color channel with a bit from the payload. A standard $1080\text{p}$ image contains over two million pixels, which provides ample “real estate” to hide significant amounts of data without causing the type of visual artifacts or “noise” that would trigger a manual review. Furthermore, because the overall file structure and headers of the image remain intact, the file continues to function perfectly as an image, successfully deceiving both the end-user and many signature-based detection systems that only verify if a file matches its declared extension.
The technical sophistication of LSB encoding can be further heightened through the use of pseudo-random number generators (PRNGs). Instead of embedding the data in a linear fashion from the first pixel to the last—which creates a detectable statistical pattern—the attacker can use a secret key to seed a PRNG that determines a non-linear path through the pixel map. This effectively scatters the hidden bits throughout the image in a way that appears as natural “entropy” or sensor noise to basic statistical analysis tools. Consequently, without the specific algorithm and the corresponding key used to embed the data, extracting the payload becomes a significant cryptographic challenge. This layer of complexity ensures that even if a file is suspected of harboring a payload, proving its existence and retrieving the contents requires specialized steganalysis techniques that are often outside the scope of standard incident response.
Beyond Pixels: Hiding Payloads in Image Metadata and Headers
While LSB encoding focuses on the visual data of an image, a more straightforward and increasingly common method involves the exploitation of non-visual data segments, specifically headers and metadata fields. Every modern image file contains a variety of metadata, such as Exchangeable Image File Format (EXIF) data, which stores information about the camera settings, GPS coordinates, and timestamps. Attackers have recognized that these fields, intended for descriptive text, are essentially unregulated storage bins that can hold malicious strings. By injecting base64-encoded commands or encrypted URLs into the “Artist,” “Software,” or “Copyright” tags of an image, a threat actor can provide instructions to a piece of malware already residing on a victim’s machine. The malware simply “phones home” by downloading a benign-looking image from a public site like Imgur or GitHub and then parses the EXIF data to find its next set of instructions.
This technique is particularly effective for maintaining Command and Control (C2) infrastructure because it mimics legitimate web traffic. A firewall is unlikely to block an internal workstation from reaching a common image-hosting domain, and the payload itself is never “executed” in the traditional sense; it is merely read as a string by a separate process. Beyond standard metadata, hackers also target the internal structure of the file format itself, such as the “Comment” segments in JPEGs or the “chunks” in a PNG file. PNG files are organized into discrete blocks of data—such as IHDR for header information and IDAT for the actual image data—but the specification also allows for “ancillary chunks” (like tEXt or zTXt) which are ignored by most image viewers. An attacker can create custom, non-critical chunks that contain large volumes of data, effectively turning a simple icon into a delivery vehicle for a multi-stage malware dropper.
One of the most dangerous manifestations of this header manipulation is the creation of “polyglot” files. A polyglot is a file that is valid under two different file formats simultaneously. For example, a skilled attacker can craft a file that begins with the “Magic Bytes” of a GIF file (e.g., 47 49 46 38), ensuring that any image viewer or web browser treats it as a graphic, but also contains a valid Java Archive (JAR) or a web-based script further down in its structure. When this file is handled by a browser, it displays as an image, but if it is passed to a script interpreter or a specific application vulnerability, it executes as code. This dual-identity approach creates a massive blind spot for security products that rely on file-type identification to apply security policies. By blending the executable logic with the static data of an image, hackers have successfully created “stealth” files that are nearly impossible to categorize correctly without deep, byte-level inspection of the entire file body.
Text-Based Subversion: Linguistic Steganography and Zero-Width Characters
While the manipulation of high-entropy image files provides a vast playground for hiding data, hackers often prefer the simplicity and ubiquity of text files to evade modern detection engines. Text-based steganography is particularly dangerous because it exploits the very foundation of digital communication: the way we render characters on a screen. One of the most sophisticated methods involves the use of Unicode zero-width characters. These are non-printing characters, such as the Zero-Width Joiner (U+200D) or the Zero-Width Space (U+200B), which are designed to handle complex ligatures or invisible word breaks. Because these characters have no visual width, they are completely invisible to a human reading a text file or an administrator viewing a configuration script. However, to a computer, they are distinct pieces of data. An attacker can map these invisible characters to binary values—for instance, using a Zero-Width Joiner to represent a ‘1’ and a Zero-Width Non-Joiner to represent a ‘0’—allowing them to embed an entire encoded script inside a perfectly normal-looking README.txt file or even a social media post.
Beyond the use of “invisible” characters, hackers frequently leverage whitespace steganography, a technique that hides information in the trailing spaces and tabs of a document. In environments where source code is frequently moved between developers, a file containing extra spaces at the end of lines is rarely viewed with suspicion; it is usually dismissed as poor formatting or a byproduct of different text editors. Tools like “Snow” have long been used to conceal messages in this manner, effectively turning the “empty” space of a document into a covert storage medium. This is particularly effective in bypassing Data Loss Prevention (DLP) systems that are programmed to look for specific keywords or patterns of sensitive data like credit card numbers. By breaking a sensitive string into binary and hiding it as a series of tabs and spaces within a large corporate policy document, the data can be exfiltrated without triggering any signature-based alarms, as the document’s visible content remains entirely benign and policy-compliant.
Linguistic steganography represents the peak of this deceptive art, shifting the focus from bit-level manipulation to the nuances of human language itself. Rather than relying on technical “glitches” or hidden characters, this method involves altering the structure of sentences to carry a hidden message. By using a pre-defined dictionary and specific grammatical variations, an attacker can construct sentences that appear natural but encode specific data points based on word choice or sentence length. For example, a seemingly innocent email about a lunch meeting could, through a specific arrangement of adjectives and nouns, encode the IP address of a new Command and Control server. This form of “mimicry” is incredibly difficult for automated systems to detect because it does not involve any unusual file properties or illegal characters. It relies on the semantic flexibility of language, making it one of the most resilient forms of covert communication available to sophisticated threat actors who need to maintain long-term, low-profile access to a target network.
Real-World Weaponization: Case Studies in Malware and Data Exfiltration
The transition of steganography from a theoretical concept to a primary weapon in the wild is best illustrated by the evolution of exploit kits and state-sponsored campaigns. One of the most notorious examples is the Stegano exploit kit, which gained notoriety for hiding its malicious logic within the alpha channel of PNG images used in banner advertisements. The alpha channel, which controls the transparency of pixels, provides a perfect hiding spot because small variations in transparency are virtually impossible for a human to see against a standard web background. By embedding encrypted code in these advertisements, the attackers were able to redirect users to malicious landing pages without the users ever clicking a link or the ad-networks ever detecting the payload. This “malvertising” campaign demonstrated that steganography could be scaled to target millions of users simultaneously, turning the visual infrastructure of the internet into a delivery system for ransomware and banking trojans.
Advanced Persistent Threat (APT) groups, such as the North Korean-linked Lazarus Group, have refined these techniques to maintain persistence within highly secured environments. In several documented campaigns, Lazarus utilized BMP (bitmap) files to deliver second-stage malware. These images, often disguised as legitimate documents or icons, contained encrypted DLL files hidden within their pixel data. Once the initial dropper was executed on a victim’s machine, it would download the BMP file, extract the hidden bytes from the image data, and load the malicious DLL directly into memory. This “fileless” approach is a nightmare for traditional antivirus solutions because the malicious code never exists as a standalone file on the disk; it is only reconstructed at runtime from the components hidden within the benign image. This method effectively neutralizes most perimeter defenses that rely on file-scanning, as the image file itself is technically valid and non-executable.
The use of steganography is not limited to the delivery of malware; it is equally effective for the silent exfiltration of sensitive data. During a major breach of a global financial institution, investigators discovered that insiders were using high-resolution digital photographs to smuggle proprietary trading algorithms out of the network. By using LSB encoding to hide the source code within the photos of “office pets” and “company outings,” the attackers were able to bypass DLP systems that were specifically tuned to block the transmission of code-like text or large archives. Because the files remained valid JPEGs, they were permitted to be uploaded to personal cloud storage and social media accounts. This highlights a critical flaw in many modern security architectures: the assumption that if a file looks like an image and acts like an image, it is nothing more than an image. These real-world cases prove that steganography is the ultimate tool for bypassing the “secure” perimeters that organizations rely on.
Detection and Defiance: The Technical Challenges of Steganalysis
Detecting the presence of hidden data within a carrier file, a field known as steganalysis, is a game of statistical probability rather than binary certainty. Unlike traditional virus detection, which relies on matching a file’s hash or signature against a database of known threats, steganalysis must look for anomalies in the file’s expected data distribution. One of the most common technical approaches is the use of Chi-squared ($\chi^2$) tests, which analyze the distribution of pixel values in an image. In a natural, unmodified image, the frequency of adjacent color values tends to follow a predictable pattern. However, when an attacker injects a binary payload into the Least Significant Bits, they introduce a level of artificial entropy that flattens this distribution. This statistical “signature” of randomness is often the only clue that an image has been tampered with. Specialized tools can scan directories of images, flagging those with an unusually high degree of LSB entropy for further investigation by forensic analysts.
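The pairs-of-values form of that chi-square test, as an added example that is not the post's code: it compares the counts of each value pair (2k, 2k+1) against their mean, converts the statistic to a p-value with the Wilson-Hilferty approximation, and runs it over a constructed cover histogram and the same data after LSB replacement. The histogram shape, the seed and the threshold reading are assumptions for the demo.

```python
"""Pairs-of-values chi-square steganalysis on a byte histogram.

Added example, not the post's code. LSB replacement turns each pair of values
(2k, 2k+1) into a coin flip, so their counts converge on a common mean; a
natural cover keeps neighbouring counts apart. A small statistic for its
degrees of freedom (high p-value) is therefore the "too flat" LSB signature.
"""
import math
import random
from collections import Counter

def pov_chi_square(samples):
    """Pearson chi-square of observed pair counts against their pair means; returns (chi2, df)."""
    counts = Counter(samples)
    chi2, pairs = 0.0, 0
    for k in range(128):
        n_even, n_odd = counts.get(2 * k, 0), counts.get(2 * k + 1, 0)
        mean = (n_even + n_odd) / 2  # what full LSB replacement drives both counts to
        if mean == 0:
            continue  # value pair absent from the image: no evidence either way
        chi2 += (n_even - mean) ** 2 / mean + (n_odd - mean) ** 2 / mean
        pairs += 1
    return chi2, max(pairs - 1, 1)

def chi2_sf(chi2, df):
    """P(X > chi2) for X ~ chi-square(df), Wilson-Hilferty normal approximation (df >= 30)."""
    z = ((chi2 / df) ** (1 / 3) - (1 - 2 / (9 * df))) / math.sqrt(2 / (9 * df))
    return 0.5 * math.erfc(z / math.sqrt(2))

def embedding_probability(samples):
    """Score in [0, 1]: near 0 for an untouched cover, large after LSB replacement."""
    chi2, df = pov_chi_square(samples)
    return chi2_sf(chi2, df)

# Constructed cover channel: a skewed histogram whose neighbouring values differ sharply.
COVER = [v for v in range(256) for _ in range(200 + 40 * ((v * 37) % 11))]
# Constructed stego channel: every LSB overwritten with a payload bit (seeded for repeatability).
_rng = random.Random(7)
STEGO = [(v & 0xFE) | _rng.getrandbits(1) for v in COVER]

if __name__ == "__main__":
    for name, channel in (("cover", COVER), ("stego", STEGO)):
        chi2, df = pov_chi_square(channel)
        print(f"{name}: chi2={chi2:.1f} df={df} p={chi2_sf(chi2, df):.3g}")
```

On a real file the same function is run on one colour channel's byte values, and a p-value far above that of the organisation's own reference photographs is what earns the image a second look.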
Despite the power of statistical analysis, defenders face a significant hurdle known as the “Clean Image” problem. Steganalysis is far more accurate when the analyst has access to the original, unmodified version of the file for comparison. Without this baseline, it is remarkably difficult to prove that a slight color variation or a specific metadata string is a malicious injection rather than a byproduct of the camera’s sensor noise or a specific compression algorithm. Furthermore, as attackers shift toward more sophisticated embedding methods—such as spread-spectrum steganography, which distributes the payload across many different frequencies within the image data—traditional statistical tests often fail. These techniques mimic the natural noise of the medium so closely that the embedded signal becomes nearly impossible to distinguish from that noise without the original key. This mathematical reality means that for many organizations, detection is not a scalable solution; instead, the focus must shift toward proactive neutralization.
Proactive defense, or “active warden” strategies, involve the automated sanitization of all incoming media files to ensure that any potential hidden channels are destroyed. Rather than trying to detect if a file is “guilty,” security gateways can be configured to “clean” every file by default. For images, this might involve re-compressing a JPEG, which slightly alters pixel values and effectively wipes out LSB-embedded data. For text files, a “sanitizer” can strip out all non-printing Unicode characters and normalize whitespace, effectively neutralizing zero-width character attacks. In high-security environments, some organizations go as far as “image flattening,” where an image is rendered into a canvas and then re-captured as a completely new file, ensuring that only the visual information survives and any hidden binary logic in the headers or metadata is discarded. This “zero-trust” approach to media handling is the only way to reliably defeat an adversary that specializes in hiding in plain sight.
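The text-side sanitizer described here, applied to the zero-width and trailing-whitespace channels from the earlier section, as an added example that is not the post's code: it reports per-line counts, recovers the ZWJ/ZWNJ bit stream for the analyst, and emits the cleaned copy a gateway would forward. The README sample and the hidden payload are constructed.

```python
"""Zero-width and trailing-whitespace audit for text (added example, not the post's code).

Counts the invisible characters and trailing spaces/tabs per line so an analyst can
see where a README or script carries a hidden channel, recovers the ZWJ = 1 /
ZWNJ = 0 bit stream the post describes, and returns the sanitised copy a gateway
would forward instead (strip Unicode format characters, trim line ends).
"""
import unicodedata

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}  # ZWSP, ZWNJ, ZWJ, WJ, BOM

def scan_text(text):
    """Return [(line_no, zero_width_count, trailing_ws_count)] for lines that carry either."""
    report = []
    for no, line in enumerate(text.split("\n"), 1):
        zw = sum(1 for ch in line if ch in ZERO_WIDTH)
        trailing = len(line) - len(line.rstrip(" \t"))
        if zw or trailing:
            report.append((no, zw, trailing))
    return report

def decode_zwj_bits(text):
    """Forensic helper: read ZWJ as 1 and ZWNJ as 0, ignore everything else, pack to bytes."""
    bits = "".join("1" if ch == "\u200d" else "0" for ch in text if ch in ("\u200c", "\u200d"))
    bits = bits[: len(bits) - len(bits) % 8]  # drop an incomplete trailing byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def sanitize(text):
    """Drop every Unicode format character (category Cf) and trailing spaces/tabs.

    Caveat: Cf also covers joiners that Arabic, Indic and emoji text legitimately
    need, so a gateway handling such content should allowlist those scripts.
    """
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return "\n".join(line.rstrip(" \t") for line in visible.split("\n"))

# Constructed sample: the bits of b"Hi" hidden after one sentence, plus a whitespace-stuffed line.
_HIDDEN = "".join("\u200d" if b == "1" else "\u200c" for b in "0100100001101001")
SAMPLE = "# Project README\nBuild with make." + _HIDDEN + "\nRun the tests.   \t \t\nDone.\n"

if __name__ == "__main__":
    print(scan_text(SAMPLE), decode_zwj_bits(SAMPLE), repr(sanitize(SAMPLE)))
```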
Conclusion: The Future of Covert Channels in an AI-Driven World
The arms race between steganographers and security researchers is entering a new, more volatile phase driven by the rise of generative artificial intelligence. We are moving beyond the era of simply “hiding” data in existing files toward the era of “generative steganography,” where AI models can create entirely new, high-fidelity images or text blocks specifically designed to house a hidden payload from their very inception. These AI-generated carriers can be engineered to be statistically perfect, matching the expected entropy of a natural file so precisely that traditional steganalysis tools are rendered obsolete. As attackers begin to use Large Language Models (LLMs) to generate “innocent” emails that encode complex command-and-control instructions within the very flow of the prose, the challenge for defenders will shift from technical detection to semantic analysis. The “invisible” threat is becoming smarter, more adaptive, and more integrated into the standard tools of digital communication.
Ultimately, the resurgence of steganography serves as a critical reminder that cybersecurity is as much about psychology and subversion as it is about bits and bytes. By focusing exclusively on the “gates” of our networks—the firewalls, the encryptions, and the passwords—we have left the “windows” of our daily digital interactions wide open. A JPEG is rarely just a JPEG, and a text file is rarely just text. As long as there is a medium for communication, there will be a way to subvert it for covert purposes. For the modern security professional, the lesson is clear: true security requires a healthy skepticism of even the most benign-looking assets. Implementing deep-file inspection, automated media sanitization, and a rigorous zero-trust policy for all file types is no longer an optional luxury; it is a fundamental necessity in a world where the most dangerous threats are the ones you can’t see.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.