zlacker

1. oh_sig+(OP) 2020-04-02 22:12:52
This is exactly what I worked on ~10 years ago at Amazon, embedding steganographic information into a certain internal app that reported confidential sales numbers. Ended up catching the person who leaked this: https://techcrunch.com/2011/10/04/leaked-sales-data-puts-kin...
2. JorgeG+A5 2020-04-02 23:05:32
>>oh_sig+(OP)
Out of curiosity, can you share a ballpark of how many different variations you can generate per, say, paragraph of text?
3. mavsma+J5 2020-04-02 23:06:41
>>oh_sig+(OP)
Curious how you feel about that now. Any guilt about building that? Pride? Ambivalence?
4. throwa+R6 2020-04-02 23:18:37
>>JorgeG+A5
If you choose N words to alternate with one synonym each, you can make 2^N unique versions.
5. JorgeG+X6 2020-04-02 23:19:40
>>throwa+R6
Oh, I was thinking of more subtle things such as spacing, punctuation, sizing, kerning, etc.
6. throwa+57 2020-04-02 23:20:58
>>JorgeG+X6
Ideally you don't want to count on a screenshot being published.
7. oh_sig+98 2020-04-02 23:29:26
>>mavsma+J5
No guilt at all - mostly ambivalence. It was actually my idea to put it into the specific product, but it's not like I invented the technique or anything. It was only one small thing I worked on, 98% of my time was on something else.

I think the ability to leak information about the wrongdoing of corporations or governments is extremely important, but most of the leaks I see coming out of the tech industry seem designed just to score points in some internal political war or push the company in the direction that the leaker wants it to go. Or just for some weird form of self-aggrandizement.
8. oh_sig+X8 2020-04-02 23:38:45
>>JorgeG+A5
What I worked on was more like a spreadsheet, so I didn't use any of the text-oriented steganographic techniques like replacing words with synonyms, etc.

I was able to develop enough variations that vastly outnumbered our users though, so even with just a portion of a screenshot, you could fairly easily figure out where it came from.

Just looking at possible CSS rules and you can see where the variations come into play - cell width, border width and styles, font color (e.g. the specific green or red that represents gain/loss), kerning, column placement, etc.

On top of that, I only fudged with display elements - the numbers were never changed. However, the numbers were updated on a near-continuous basis by ingesting various logs, so any column that was live (year/month-to-date, etc.) would have only a very small time range where that number could have been displayed to the user.
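
Added example, not part of oh_sig's comment and not the system it describes: a sketch of per-user display fingerprinting over the kinds of CSS properties the comment lists, with tracing from the knobs readable in a partial screenshot. The knob values, `SPREAD`, `style_for`, `trace` and the 500-user registry are constructed assumptions.

```python
from math import prod

# Hypothetical display knobs and values (constructed for this example).
KNOBS = {
    "cell_width_px":   [88, 89, 90, 91],
    "border_width_px": [1, 2],
    "border_style":    ["solid", "dotted", "dashed"],
    "gain_color":      ["#0a8f3c", "#0b903d", "#0a8e3b", "#0c8f3c"],
    "loss_color":      ["#c0181f", "#c1191f", "#bf181e", "#c0171f"],
    "letter_spacing":  ["0", "0.01em", "0.02em"],
}
TOTAL = prod(len(v) for v in KNOBS.values())  # number of distinct renderings
SPREAD = 605  # coprime to TOTAL, so slot -> code is a bijection and
              # neighbouring slots differ in several knobs, not just one


def style_for(slot: int) -> dict:
    """Mixed-radix decode of a user's slot number into one value per knob."""
    if not 0 <= slot < TOTAL:
        raise ValueError("more users than distinct renderings")
    code = (slot * SPREAD) % TOTAL
    style = {}
    for name, options in KNOBS.items():
        code, idx = divmod(code, len(options))
        style[name] = options[idx]
    return style


def trace(registry: dict, observed: dict) -> list:
    """Users whose assigned style agrees with every knob readable in the leak."""
    return sorted(
        user for user, slot in registry.items()
        if all(style_for(slot)[k] == v for k, v in observed.items())
    )


# Constructed sample population: 500 users, each given a unique slot.
REGISTRY = {f"user{i:03d}": i for i in range(500)}

if __name__ == "__main__":
    full = style_for(REGISTRY["user137"])
    # A cropped screenshot may only show some of the knobs.
    partial = {k: full[k] for k in ("cell_width_px", "border_style", "gain_color")}
    print("distinct renderings:", TOTAL)
    print("full match:", trace(REGISTRY, full))
    print("partial match candidates:", trace(REGISTRY, partial))
```

A partial match narrows the candidate set rather than naming one user; combining it with the narrow time window for live numbers mentioned above would shrink it further.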

9. throwa+ma 2020-04-02 23:55:49
>>oh_sig+98
Having done the same kind of work - yeah, that. For every Edward Snowden, there's at least ten thousand Frank Underwoods and Michael Scotts.
10. london+4q 2020-04-03 03:21:43
>>throwa+57
For numbers like this, you can add a small amount of random variation to each number, and then save whatever variations you used to a database whenever someone views the stats.

Now when a leak happens of a specific number, you just check the logs to see who saw those exact numbers.
11. chowar+Vm1 2020-04-03 14:49:05
>>throwa+ma
This is the difference between leaking and whistleblowing. Leaking is for one's own personal benefit. Whistleblowing is to expose something you feel is wrong for no personal gain.

I wouldn't call this a leak unless the news agency paid him or something else that benefited him.