Anonymous ID: 745039 PixelKnot General July 31, 2018, 8:28 a.m. No.2371258   🗄️.is 🔗kun   >>1388 >>1551 >>1566 >>1604 >>1666 >>3486 >>5171 >>0484 >>9136 >>6299 >>7842 >>4389 >>2860 >>7954

PIXELKNOT GENERAL

 

1_m2TxftKgufz3i_CvdybVJg

/qresearch/

https://archive.is/HchFi

 

You'd be amazed how much is shared on /pol/

 

0_PDlwBQSymrdu7_5D[1].jpg

https://archive.4plebs.org/pol/thread/170109703/ Hello I am a reporter from CBS.

 

1_Wu-LPq1zKK-R5lsT67nRYA.jpg

https://archive.4plebs.org/pol/thread/179461614/#179476204

 

and on medium.com

 

1_agrJgMO-s-RsbCy6Eepp8Q.jpeg

https://web.archive.org/web/20180730212802/https://medium.com/@jamesmcavoy09/5-interesting-things-everyone-should-know-about-cigars-6100d6a1a6ac

https://medium.com/@jamesmcavoy09/5-interesting-things-everyone-should-know-about-cigars-6100d6a1a6ac

 

0_kg8VD6qd0xL1M5-X.jpg

https://web.archive.org/save/https://medium.com/pedophiles-about-pedophilia/you-say-potato-i-say-pedophile-5a9ad0ee0f99

https://medium.com/pedophiles-about-pedophilia/you-say-potato-i-say-pedophile-5a9ad0ee0f99

 

1-lRz-cOnX2WtHdqwo5BWf-Q.jpg

https://web.archive.org/save/https://medium.com/@allanishac/body-language-experts-say-trump-often-flashes-triangle-of-satan-hand-gesture-5b592002c1e8

https://medium.com/@allanishac/body-language-experts-say-trump-often-flashes-triangle-of-satan-hand-gesture-5b592002c1e8

 

1*WkosvaZ2ARJ2hnmXFs02Ow.jpg

https://medium.com/@nathanielhebert/around-the-world-with-phineas-phileas-fogg-11b23048550e

https://web.archive.org/save/https://medium.com/@nathanielhebert/around-the-world-with-phineas-phileas-fogg-11b23048550e

 

0_xFDd1jWKzAU7BI6v.jpg

https://web.archive.org/save/https://onehallyu.com/topic/690975-%E2%80%98incredibles-2%E2%80%99-smashing-records-with-174m/

https://onehallyu.com/topic/690975-‘incredibles-2’-smashing-records-with-174m/

 

PIXELKNOT STORY

q drop about pixelknot

>https://8ch.net/qresearch/res/2298164.html#q2298508

>>2298508

 

anons found pixel knot messages posted on /qresearch/ before Q drop

>>2347619

>https://nofile.io/f/PR5CxvthaYp/jpeg_ffd8_ffdb_0084.zip

 

sha256 hashes

>https://pastebin.com/4e6Eswvc

 

>>2350592

pages they were posted

>https://pastebin.com/z4cXBLMv

 

html files of pages

>https://nofile.io/f/vQUoqymbq79/original_htmls.zip

 

original filenames of the images

>https://pastebin.com/qnieJg81

 

original weird filenames

>https://nofile.io/f/czFOXr2wYBF/out.zip

 

YOU CAN HELP

look at the old posts, at the id of the post and replies

find the originals

figure out clues for the keys

hiding in plain sight?

 

examples

https://8ch.net/qresearch/res/624511.html#q625298

>>625298

https://8ch.net/qresearch/res/1828419.html#q1829054

>>1829054

https://8ch.net/qresearch/res/1531874.html#q1532685

>>1532685

https://8ch.net/qresearch/res/1508591.html#q1509109

>>1509109

https://8ch.net/qresearch/res/1477025.html#q1477588

>>1477588

https://8ch.net/qresearch/res/2313270.html#q2314068

>>2314068 Exodus Chapter 8

 

BREAKING THE ENCRYPTION

none of the images have been cracked yet

these methods are confirmed to work on test images

 

PixelKnot on Bluestacks

>https://www.bluestacks.com/

>https://guardianproject.info/releases/PixelKnot-0.3.2-RC-1.apk

>>2298508

>https://guardianproject.info/apps/pixelknot/

 

use the last 1/3 of the password to crack first layer of f5 encryption

PixelUnknot

>>2311401

>https://github.com/banona/PixelUnknot

 

f5.jar

>>2325105

>curl https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/f5-steganography/f5.jar –output f5.jar

>java -jar f5.jar x -p plan -e out.txt Q4example.jpg

>cat out.txt

Anonymous ID: 745039 July 31, 2018, 8:38 a.m. No.2371388   🗄️.is 🔗kun   >>2226 >>3544 >>8143 >>7734 >>9895

>>2371258

 

>>2365916

>It is possible that somewhere in the world there exist a piece of editing or conversion software that outputs jpeg headers in exactly same way?

 

great question!

 

f5Android library was ported in 2012

https://github.com/harlo/F5Android/commits/master

 

it was modified in 2/10/17 to remove the JFIF header (on line 666)

 

that change was merged to guardianproject f5Android 2/15/17

https://github.com/guardianproject/F5Android/commits/master

 

the pixel knot versions on the download page do NOT have the change (all 2015 and earlier)

 

so ONLY the play store version has the change

 

AND

 

the two devs involved in removing that header don't commit very often to the project, it's a strange change to make…

 

https://github.com/guardianproject/F5Android/commits?author=n8fr8

 

https://github.com/guardianproject/F5Android/commits?author=harlo

 

especially by this person

https://freedom.press/people/harlo-holmes/

 

this is not a popular library

 

0% CHANCE ANOTHER PIECE OF SOFTWARE IS USING THIS LIBRARY

Anonymous ID: 745039 July 31, 2018, 8:51 a.m. No.2371551   🗄️.is 🔗kun   >>7152 >>9295

>>2371258

 

PixelKnot posted to /pol/

Q predicted this

 

0_PDlwBQSymrdu7_5D[1].jpg

 

https://archive.4plebs.org/pol/thread/170109703/ Hello I am a reporter from CBS.

 

1_Wu-LPq1zKK-R5lsT67nRYA.jpg

 

https://archive.4plebs.org/pol/thread/179461614/#179476204

Anonymous ID: 745039 July 31, 2018, 8:58 a.m. No.2371636   🗄️.is 🔗kun   >>1713

f5 detected in all of these with the PixelKnot header

 

00c9c0a7f1e16262b2fc85bda8bf7f35d87777fa4ce17aedf2cb111be3fa8c19.jpg : f51.487972

18e535c2558973824cf2f11ea009066d0cd1fe3ac6c8b4bc0d5fa687d89da67a.jpg : f51.077547

1b01e2fbd7483fe2167a417ed605269fa0fc8aaf9bbd1859898ea13b22ba4dee.jpg : f50.754573

252ff478b5b8fff4c1f21d2a2fc1e7fb7fe63567f97c0d48f8015554c238f95f.jpeg : f50.629857

262033564a1203326fea09ce1690e6466d577eb328c2f701a38781041a95f865.jpeg : f50.635810

27cbddbc07d9b2e1fd99e4a79027b84f7dfbfc036fc446e216c8c5d79c524f45.jpeg : f51.069136

310f67a6d8347ca66d1f9834c57590f0d848599155233ced507339e12dff764f.jpeg : f51.430104

3acfcd9010a0c4ac35b0094eba3091edd503c8567e19245bf4439d933783d499.jpg : f51.762944

419a76281780faaba70a562eadb3259afa20f110bde50d6b3a59611a1990c63e.jpeg : f50.652062

43cade15e74ea33de94fe1e348366276d52b586f3e3cc37aa5c78740730282dd.jpg : f50.672636

593888383f3b0cb45830b446e147fb0a63fa2323f2d5cae0fa667f432537ad7f.jpeg : f51.720412

595033569a40a6b9371eec9374ee85f5f9f15cb795abcb231d743c632ca8c8e2.jpeg : f51.646860

66e906944458a8e86480d8a5a167d8d59d7439f1a50a7606990ecaff2d875d1a.jpg : f50.313252

68ccb4146da74068a0d8749ac6bd3dab249e1a6d947c8ee106ef5bfdc0c9cf6e.jpeg : f53.026896

8956211e37873f95544dc8411b96cec78ab9015e5ab1bfb32e77dcf7e23efffa.jpg : f50.385592

9a63066551a3fb4c3372b0de92d1f2765f5e3282407a9eff8f02bda18abc19f0.jpeg : f50.646259

a1677d3d755fabf1c73b1786f5ac39f714c59cf72fc288029c166f9be119b7cf.jpg : f51.687834

a5e5c137d0b352d8dbacaf8e2802f62bf59dac5dbd2b6af2d8379ac308b7b3d8.jpg : f50.369714

be471d6d62109bc5be47082d1cf9a537777d9f6de5b1d777d4ee113a9c47ab63.jpg : f51.220465

c17f5a9d1c3a40b5a866c68c964919f0e9dd29cd22f65d42817e6fb98f9baade.jpeg : f50.531815

ce753f2d52183cbfa45b036d424ae516ce052f7b5b199b9f104db4f3b2ebc33d.jpg : f51.233975

da6e9b4af508b04b76ec9882d59d6e85477e56f0c099914cf0f28f6a78f4b1c4.jpg : f51.661258

db993b32deab77deff84aed2d656da90f820e6e0a86419368c7fddf3a3399557.jpeg : f50.540917

e32140dca7b6a613fc23e47d7c7fb80ee953ae905328bff12a63afbade44cddc.jpeg : f51.664398

e5393fba4fcca1dab2d66f98e520503ca942e3bf42bae78de2aa08c8576fa024.jpg : f51.590077

e6b8db63781c16e82f72a5ed3fea3bfda5913bcd4b8bc881a81641b4b803ba8e.jpg : f51.484567

ec1a0995e2b221546988a8e79fd4432f4464bef83a01b625a29b28192f2a083e.jpg : f50.366998

ee59b2d2e90904a33d5176302c4982d0496a1536cf16aa73f6029d4ff0734878.jpg : f51.828625

f5ee16710b749e2c4dd3e95a1f725723b322f9963010256dc3cffad0eddff752.jpg : f51.235872

fb4155bf04f4b1dbe5cd387772dd7b02c33165c5cd8d4f244ff89743e9dfdeb6.jpg : f50.626920

Anonymous ID: c69a4f July 31, 2018, 9:04 a.m. No.2371688   🗄️.is 🔗kun   >>2513 >>6299

The identified pxlknot images I looked at were all 96dpi and 24bit color.

 

A general approach to decryption is to start with the simplest image, and then encode one character. Examine the resulting image. Do it again with the same characterto see if there is a change.

 

Then sequentially encode '1','2', '3', etc. and see if there is a predictable pattern.

 

What you're looking for is a way to brute-force decode the image.

 

Also try to find the original images before they were subjected to pxlknot.

Anonymous ID: c69a4f July 31, 2018, 9:35 a.m. No.2372025   🗄️.is 🔗kun

Here is source code for determining entropy of a file. Can be used in connection with brute force decrypter to identify results with significantly different entropies.

 

https://pastebin.com/raw/Gx34MNZF

Anonymous ID: 35f05f July 31, 2018, 9:53 a.m. No.2372226   🗄️.is 🔗kun   >>2349

>>2371388

 

So just so to be sure, are you are saying the app store version is incompatible with the F5 library that is used with say tools built on linux?

 

I can't seem to extract data on linux that I embeded with the appstore apk (that I built from the source). I can't figure out why, but it mimic's some of the other responses from the previous bread.

 

Huffman decoding starts

Permutation starts

921600 indices shuffled

Extraction starts

Length of embedded file: 1798344 bytes

(1, 8388607, -9) code used

Incomplete file: only 0 of 1798344 bytes extracted

Anonymous ID: 745039 July 31, 2018, 10:03 a.m. No.2372349   🗄️.is 🔗kun   >>2815

>>2372226

>are you are saying the app store version is incompatible with the F5 library

no

 

the change looks compatible, the header is optional

 

I have decoded the Q4example.jpg with google code f5.jar build in 2011 (where f5Android was ported from) and from the most recent source on windows using sun jdk 1.8

 

not sure if openjdk or linux would be different

 

java -jar f5.jar x -p plan Q4example.jpg -e msg.txt; cat msg.txt

Huffman decoding starts

Permutation starts

172800 indices shuffled

Extraction starts

Length of embedded file: 88 bytes

(1, 127, 7) code used

—- PK v 1.0 REQUIRES PASSWORD —-X2InRnMHwOY+GdUR

TO35nRz9oRcsyttLFXwY/4eNcONHaSTS

Anonymous ID: fa9e7b July 31, 2018, 10:51 a.m. No.2372909   🗄️.is 🔗kun   >>3165 >>3244

I ran the pixelknot python detection script that was on here in the last few days on my cache of qresearch image files and found there was a few of them.

 

Uploaded what i found so far to https://anonfile.com/h8k8Adf3b6/pkfiles.zip as i don't have the computing power to tinker with them.

Anonymous ID: 745039 July 31, 2018, 11 a.m. No.2373016   🗄️.is 🔗kun   >>4860 >>1942

>>2372815

 

f5 layer with last 1/3 (non)

 

java -jar f5.jar x -p non -e msg.txt ../../Downloads/760ba9dfcb03613b2db84902b7dec4c2edba182945542a18456b9a18cda2a857.jpg; cat msg.txt

Huffman decoding starts

Permutation starts

1238400 indices shuffled

Extraction starts

Length of embedded file: 104 bytes

(1, 127, 7) code used

—- PK v 1.0 REQUIRES PASSWORD —-vNOvTv6i78CsQvHg

WUnqE8Qmo0GnUuJ/Gj52/pRgCjCkPGuRF00t8+Kd0w+ccVU=

 

PixelUnknot

 

CORRECT PASSWORD qanon

==

Evil Everywhere …

==

Anonymous ID: 745039 July 31, 2018, 11:18 a.m. No.2373244   🗄️.is 🔗kun   >>3593 >>4887

>>2372909

great work anon, this image is small enough i can try 2000 passwords/second -

 

tried all 3 combos (rules out all passwords < 10)

 

takes 7 hours to go through all 4 char combinations (all password < 13 chars)

 

if we crack one image it might give us a clue on the passwords for the other

Anonymous ID: 745039 July 31, 2018, 11:36 a.m. No.2373486   🗄️.is 🔗kun

>>2371258

ANOTHER WEBSITE WITH PIXELKNOT

 

0_SVRAr3qJsZsv1Z4H.jpg

https://web.archive.org/web/20171027003748/https://nyulocal.com/love-and-no-other-drugs-how-big-pharma-is-screwing-us-7d7445db7b38

https://nyulocal.com/love-and-no-other-drugs-how-big-pharma-is-screwing-us-7d7445db7b38

Anonymous ID: 35f05f July 31, 2018, 1:22 p.m. No.2374860   🗄️.is 🔗kun   >>4957

>>2373016

 

Thanks for your help. I think I'm missing something, PixelUnknot is needed to decode the output from f5?

 

After getting bounced around in the 'bouncy castle' I was able to run PixelUnknot, but not sure how to get the message decoded.

Anonymous ID: 8a1878 July 31, 2018, 1:24 p.m. No.2374887   🗄️.is 🔗kun   >>4957

>>2373244

 

Honestly, the only way I know of to speed this up would be to do what the bitcoin miners do and find a way to shunt the data into a graphics card to 'render' out the solution.

 

Not knowledgeable enough on this topic though to even wrap my head around how this gets done on a mathematical level, I just know that a graphics card can pump out hashes like there's no tomorrow.

Anonymous ID: 745039 July 31, 2018, 1:30 p.m. No.2374957   🗄️.is 🔗kun   >>5031 >>4816

>>2374860

you need two files, the image and text file with the list of passwords to try

 

you can run in intellij with this run config (see pic)

 

or command line

 

jar -cp "<classpath crap>" q.Main Q4example.txt passwords.txt

 

>>2374887

i wish, need to have java's secure random and that won't run on a GPU

Anonymous ID: 745039 July 31, 2018, 1:35 p.m. No.2375023   🗄️.is 🔗kun

>>2373544

it's a stretch, jpeg header can come in any order this is unique. only way to know for sure is to decode one of these or find another piece of software that does the same.

 

look at the images - they are creepy - and some of them are unique enough to find the sources - different websites images with the same naming convention 1_XXXX_XXXXXX that were posted on qresearch over the last few months

Anonymous ID: 35f05f July 31, 2018, 1:35 p.m. No.2375031   🗄️.is 🔗kun   >>6493

>>2374957

 

Huffman decoding starts

non good byte - at 0

non good byte - at 1

non good byte - at 2

non good byte - at 3

!!!!!!!!!!! PARTIAL MATCH - non

!!!!!!!!!!! PARTIAL MATCH - non

!!!!!!!!!!! PARTIAL MATCH - non

!!!!!!!!!!! PARTIAL MATCH - non

 

I'm not getting the message … Since in my case I just added qanon to the passwords.txt

Anonymous ID: 745039 July 31, 2018, 1:38 p.m. No.2375089   🗄️.is 🔗kun   >>5234

>>2374970

james is an implementation of f5 jpeg encoder, so if it is another program it'd probably be a f5 steg program too

 

https://github.com/otuncelli/f5-steganography/blob/master/F5Lib/James/JpegEncoder.cs

Anonymous ID: 745039 July 31, 2018, 1:43 p.m. No.2375174   🗄️.is 🔗kun

these look like ports of the original java both write the JFIF header on encoding

 

java

https://code.google.com/archive/p/f5-steganography/

 

c#

https://github.com/otuncelli/f5-steganography

 

python

https://github.com/jackfengji/f5-steganography/

Anonymous ID: 21c507 July 31, 2018, 1:46 p.m. No.2375234   🗄️.is 🔗kun   >>5351 >>5392

>>2375089

Yes, it's probably used by nothing else than the F5 library, but James JPEG Encoder actually predates F5.

 

https://web.archive.org/web/20100111121336/https://www.obrador.com/essentialjpeg/jpeg.htm

Anonymous ID: 745039 July 31, 2018, 1:52 p.m. No.2375351   🗄️.is 🔗kun   >>5392

>>2375234

hmm pretty widespread, still all write JFIF

 

https://github.com/lxyu/52pai/blob/master/j2me/src/me/zhaoren/JpegEncoder.java

https://github.com/abronte/f5-steganography/blob/master/src/james/JpegEncoder.java

https://www.media.mit.edu/pia/Research/deepview/src/JpegEncoder.java

 

weird that somebody would move it down to line 666 and comment it out

Anonymous ID: 35f05f July 31, 2018, 1:55 p.m. No.2375416   🗄️.is 🔗kun   >>5458

Not sure which is more important, trying to decipher hidden messaging/files in Q's posts are PixelKnot comms.

 

We are going to have to start from scratch if try to extract (if any) hidden data from Q's images.

Anonymous ID: 745039 July 31, 2018, 1:58 p.m. No.2375458   🗄️.is 🔗kun   >>5498 >>5588

>>2375416

it's not Q using PixelKnot it's them…

 

they are trading information over these images posted places, on /pol/ …on /qresearch/… on medium.com

 

they are using them to identify each other

Anonymous ID: e511db July 31, 2018, 2:05 p.m. No.2375569   🗄️.is 🔗kun   >>5707

>>2375402

I used the f5.jar to add a message to a picture, and to extract it again for verification.

That encoded picture does have JFIF in it and does not have that FF C0 00 11 @ 88

Anonymous ID: 35f05f July 31, 2018, 2:13 p.m. No.2375683   🗄️.is 🔗kun

>>2375616

 

Marker Identifier 2 bytes 0xff, 0xc0 to identify SOF0 marker.

 

My hex compare using PixelKnot app, the image with message is 0xff, 0xc0, and the image without is 0xff, 0xc2

Anonymous ID: 35f05f July 31, 2018, 2:22 p.m. No.2375793   🗄️.is 🔗kun   >>5858 >>6618

>>2375702

 

If I specify the full password to f5.jar it chokes, if I specify the last 3 digits I get (in out.txt):

 

—- PK v 1.0 REQUIRES PASSWORD —-vNOvTv6i78CsQvHg

WUnqE8Qmo0GnUuJ/Gj52/pRgCjCkPGuRF00t8+Kd0w+ccVU=

Anonymous ID: 35f05f July 31, 2018, 2:25 p.m. No.2375858   🗄️.is 🔗kun   >>6618

>>2375793

 

By choke I get this instead:

 

java -jar f5.jar x -p qanon ~/Downloads/goods.jpg

 

Huffman decoding starts

Permutation starts

1238400 indices shuffled

Extraction starts

Length of embedded file: 485098 bytes

(1, 67108863, -6) code used

Incomplete file: only 0 of 485098 bytes extracted

Anonymous ID: ccc1fa July 31, 2018, 2:31 p.m. No.2375964   🗄️.is 🔗kun   >>6447

>>2375402

This is not a consistent way to find f5 images. In fact, it doesn't even work with the q test image available in this thread. Also, I see the same patterns in images I've created myself. Also if you use a hex editor to examine various images that are implicated as f5 this pattern does not fit. If you want to start comparing I recommend using beyondcompare and renaming the jpg to txt.

Anonymous ID: ccc1fa July 31, 2018, 2:34 p.m. No.2376015   🗄️.is 🔗kun   >>6447

>>2375386

 

Still trying to determine that consistently. I saw someone here using stegdetect but I haven't tried it yet and it looks like based on settings you use can result in a high rate of false positives

Anonymous ID: 757a03 July 31, 2018, 2:55 p.m. No.2376405   🗄️.is 🔗kun

I imagine someone has already caught on to this.

Just in case though, there seems to be a punisher image hidden in the Silverman image brought out with image filters.

Also what looks like a navy seal eagle image on the nose of the punisher skull.

 

Both images have significant meaning to this group of patriots.

 

I'll try and get it clearer.

Password may be blackwater, Erik Prince or Frontier Group

Anonymous ID: 35f05f July 31, 2018, 3:07 p.m. No.2376582   🗄️.is 🔗kun   >>6678

>>2376493

 

Thanks, I get this when I build with your changes …

 

java -jar PixelUnknot-1.0-SNAPSHOT.jar ~/Downloads/goods.jpg passwords.txt

 

Huffman decoding starts

non good byte - at 0

non good byte - at 1

non good byte - at 2

non good byte - at 3

!!!!!!!!!!! PARTIAL MATCH - qanon

!!!!!!!!!!! PARTIAL MATCH - qanon

!!!!!!!!!!! PARTIAL MATCH - qanon

!!!!!!!!!!! PARTIAL MATCH - qanon

java.security.InvalidKeyException: Illegal key size

at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)

at javax.crypto.Cipher.init(Cipher.java:1393)

at javax.crypto.Cipher.init(Cipher.java:1327)

at q.Main.DecryptWithPassword(Main.java:45)

at q.Main.extract(Main.java:107)

at q.Main.lambda$main$0(Main.java:153)

at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)

at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374)

at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)

at java.util.stream.ForEachOps$ForEachTask.compute(ForEachOps.java:291)

at java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:731)

at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)

at java.util.concurrent.ForkJoinTask.doInvoke(ForkJoinTask.java:401)

at java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:734)

at java.util.stream.ForEachOps$ForEachOp.evaluateParallel(ForEachOps.java:160)

at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateParallel(ForEachOps.java:174)

at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)

at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)

at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:583)

at q.Main.main(Main.java:151)

Anonymous ID: 745039 July 31, 2018, 3:09 p.m. No.2376618   🗄️.is 🔗kun   >>6757

>>2375793

>>2375858

exactly right

 

pixelknot uses the last 1/3 of the password for the f5 encryption

 

the rest is for the AES encryption layer after

 

if we can find the last 1/3 of the password we can PROVE there is a pixelknot message in one of these images

Anonymous ID: 4d00ef July 31, 2018, 3:18 p.m. No.2376757   🗄️.is 🔗kun   >>6809 >>6851

>>2376618

Working on pic related

Have searched this keyspace up to length of 3 chars for the F5 seed

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,:;!?()-+*/[]{}@_><#~=^`'"&%$

space included

No hits - proceeding to length of 4 - will report back in a few days

Anonymous ID: 35f05f July 31, 2018, 3:21 p.m. No.2376795   🗄️.is 🔗kun

>>2376678

 

I'll check, but someone was able to extract the message in the image I uploaded earlier. So there is some difference with my runtime vs. anon's runtime, or some bug someplace.

 

I want to make sure that I can verify results from PK app and then extract then on my box, this way I know for sure I have something that's reliable. I'm using 1.8 on mac, I was thinking about switching to VB vm instead (I have a couple different VMs aready setup), but I'm just puzzled why I'm not getting the same results as the other anon.

Anonymous ID: 745039 July 31, 2018, 3:22 p.m. No.2376809   🗄️.is 🔗kun   >>6829 >>7012 >>7313 >>1530

>>2376757

don't forget single and double quotes

 

I'm running this on all the images

 

crunch_win.exe 1 3 'abcdefghijklmnopqrstuvABCDFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+=-[]\|}{,./<>?" '"'"

 

and running

 

crunch_win.exe 4 4 'abcdefghijklmnopqrstuvABCDFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+=-[]\|}{,./<>?" '"'"

 

on evil eye

Anonymous ID: 4d00ef July 31, 2018, 3:24 p.m. No.2376829   🗄️.is 🔗kun   >>7012

>>2376809

I haz both. I started on the evil eye but I noticed the rate was way low on that image (in comparison to test images)… you may want to check yourself. Much faster against illumipepe

Anonymous ID: ccc1fa July 31, 2018, 3:24 p.m. No.2376835   🗄️.is 🔗kun   >>6887

>>2376447

 

You got the fellow anon part right but sliding, in the same thread?

 

Yours is the first I've seen that matches that cap (just started working on this today). Do you have other images that fit this pattern? Otherwise, I haven't found any yet and the other version of the q example image had the FF C0 starting at 9E not 88, something isn't fitting here.

 

As for the python script its looking for files that begin with 'ff d8 ff db 00 84' which I also haven't found any images posted as examples on the board fitting this format.

 

This is also just one implementation of f5 with the missing jfif header. There are many from my understanding.

 

The CBS eye everyone keeps posting is 9E not 88 and has a header.

 

many others are FF C2 around 9E instead of C0.

Anonymous ID: 35f05f July 31, 2018, 3:25 p.m. No.2376851   🗄️.is 🔗kun

>>2376757

 

Would be nice to have a distributed setup for this, because if we crack one, we have many others that probably won't have the same password.

Anonymous ID: ed2885 Silverman passcode July 31, 2018, 3:26 p.m. No.2376856   🗄️.is 🔗kun

New avenue…the instructions to decode are in the original message. Google, Yandex, iqdb. What do they have in common? Reverse image search. Use the Silverman image to reverse search. Now what pictures? Is it given right in the image number? IMG_382. Third pic Google, eighth pic Yandex, 2nd pic iqdb. What info from these three pics? Hit a wall, run with it.

Anonymous ID: ed2885 July 31, 2018, 3:29 p.m. No.2376914   🗄️.is 🔗kun

>>23768>>2376856

>Silverman passcode

>New avenue…the instructions to decode are in the original message. Google, Yandex, iqdb. What do they have in common? Reverse image search. Use the Silverman image to reverse search. Now what pictures? Is it given right in the image number? IMG_382. Third pic Google, eighth pic Yandex, 2nd pic iqdb. What info from these three pics? Hit a wall, run with it.

 

WAIT also stands for what anime is this, and has reverse image search

Anonymous ID: ccc1fa July 31, 2018, 3:36 p.m. No.2377022   🗄️.is 🔗kun   >>7210

>>2376887

No it looks like its just how I've been downloading the image to check it.

 

Thanks for the example and showing me what I was doing wrong, perhaps you'd like to confirm.

 

Without expanding the image, right-click and save image as. View the hex.

 

Then expand or use the direct link above the image and you get that header.

J.TrIDr3ESpPJEs ID: ee4cfa July 31, 2018, 3:57 p.m. No.2377313   🗄️.is 🔗kun   >>7440 >>7671

>>2376809

>don't forget single and double quotes

 

Assuming the password accepts unicode, you may have a much bigger fight ahead of you. Consider other symbols like the pound sign (£) or the euro found on keyboards from other countries.

 

If it's unicode, you can safely assume UTF-8, given it's a pretty widespread standard.

 

Also, I recommend avoiding random character generators, but having a pre-computed array/table (for 3 characters).

 

If you're looking at additional bruteforcing power, a couple of recommendations:

1) Each of you should pick one picture each and specify what image you are trying to decode, and how. That way you're not duplicating each other's work.

 

2) If failed, specify what you tried and the 'results', if any.

 

For bringing hardware resources to bear:

 

1) Consider modded PS3s (some of you might have one or two lurking around), they're ideal for bruteforcing

2) Trial periods on cloud hosting repurposed (or alternately rent out some rackspace)

3) Dust off some old laptops, machines, and set them to work continuously whilst you do other things

4) Get some programmerfags to rewrite the testing code in bare metal (like C++) which would see mild performance improvements

 

Alternatively, if exhausting the three character space is too much, assign each of yourselves a single first character, and brute force all characters under that character.

 

So if one of you was to do 'A' (A), the next person would do 'B' (B).

 

Brute forcing isn't just about power but also efficient allocation of resources.

 

PS, Bitcoin's algorithm is SHA256. So if you're looking to break SHA256, look no further than your own noses. ; )

Anonymous ID: 745039 July 31, 2018, 4:05 p.m. No.2377440   🗄️.is 🔗kun   >>7671

>>2377313

>If it's unicode, you can safely assume UTF-8, given it's a pretty widespread standard.

 

yeah great point … looked at the code and no reason why unicode passwords wouldn't work

Anonymous ID: 1b4548 July 31, 2018, 4:30 p.m. No.2378143   🗄️.is 🔗kun   >>0484 >>0486

>>2371388

>the pixel knot versions on the download page do NOT have the change (all 2015 and earlier)

>so ONLY the play store version has the change

Reposting from last bread, possibly relevant.

Are the brute force tools developed here based on the most recent github resources?

 

>>2348169

>…/PixelKnot/blob/version_2/PixelKnot/

https://play.google.com/store/apps/details?id=info.guardianproject.pixelknot&hl=en_US

>Updated: February 17, 2017

>Current Version:1.0.1

https://github.com/guardianproject/PixelKnot/releases/tag/1.0.1

>n8fr8 released this on Feb 16, 2017 · 0 commits to version_2 since this release

I'm probably tired or a dumbass, maybe both. But is version 2 in github the same as the one on in the play store right now?

Anonymous ID: 1b4548 July 31, 2018, 6:05 p.m. No.2380484   🗄️.is 🔗kun   >>1600 >>7890

>>2378143

>>2371258

THERE IS SOMETHING DIFFERENT IN THE APK THAN WHAT'S FOUND ON GITHUB

 

Took the apk, put it through a decompiler and found an additional file

F5buffers.java

import info.guardianproject.f5android.C0217R;

import info.guardianproject.f5android.plugins.PluginNotificationListener;

 

C0217R

package info.guardianproject.f5android;

 

public final class C0217R {

 

public static final class drawable {

public static final int ic_launcher = 2130837601;

}

 

public static final class string {

public static final int app_name = 2131165211;

public static final int cleaning_up = 2131165272;

public static final int downsampling_components = 2131165273;

public static final int init_coeffs = 2131165274;

public static final int init_huffman_buffer = 2131165275;

public static final int init_permutation = 2131165276;

public static final int querying_image = 2131165277;

public static final int reading_huffman_buffer = 2131165278;

public static final int setting_huffman_buffer = 2131165279;

}

 

public static final class style {

public static final int AppBaseTheme = 2131296416;

public static final int AppTheme = 2131296417;

}

}

Anonymous ID: 1eb45a July 31, 2018, 6:05 p.m. No.2380486   🗄️.is 🔗kun

>>2378143

I think so. The test image I created with Pixelknot (from the Play store) is missing the JFIF at the beginning of the file. The "pixelunknot" brute force tool (almost) works on my test image.

 

I say "almost" because I ended up modifying the loop (pic related). My test image's password was "test", so that's a seed string of "st". The loop wouldn't try it even though I had "test" in the dictionary file. On a side note, I also added a HashSet that keeps track of everything attempted, to avoid re-trying common word endings.

Anonymous ID: 1b4548 July 31, 2018, 6:59 p.m. No.2381600   🗄️.is 🔗kun

>>2380484

 

I'm using

https://www.javadecompilers.com/apk

to obtain the source code directly from the android app, not github.

 

>https://guardianproject.info/releases/PixelKnot-0.3.2-RC-1.apk

 

Again, even the older version /pol/ shared also has an additional file in the F5 bundle

 

F5buffers.java

import info.guardianproject.f5android.C0064R;

import info.guardianproject.f5android.plugins.PluginNotificationListener;

 

C0064R.java

package info.guardianproject.f5android;

 

public final class C0064R {

 

public static final class drawable {

public static final int ic_launcher = 2130837631;

}

 

public static final class string {

public static final int app_name = 2131361805;

public static final int cleaning_up = 2131361806;

public static final int downsampling_components = 2131361813;

public static final int init_coeffs = 2131361809;

public static final int init_huffman_buffer = 2131361808;

public static final int init_permutation = 2131361807;

public static final int querying_image = 2131361810;

public static final int reading_huffman_buffer = 2131361812;

public static final int setting_huffman_buffer = 2131361811;

}

 

public static final class style {

public static final int AppBaseTheme = 2131427417;

public static final int AppTheme = 2131427418;

}

}

Anonymous ID: bbb839 July 31, 2018, 7:39 p.m. No.2382513   🗄️.is 🔗kun   >>6299

>>2371688

I don't understand all the details but F5 stegnography encodes data by altering the DCT coefficients per 8x8 pixel block, those coefficients are stored with Huffman compression. The method of encoding is why the output image is always a JPEG. You would have to do statistical analysis of the JPEG coefficients… (assuming the software wasn't comprimised to leak additional info as well, the absence of JFIF header appears to be such a case)

Anonymous ID: 0016c5 July 31, 2018, 9:42 p.m. No.2384816   🗄️.is 🔗kun   >>5149 >>1957

>>2374957

We might be able to put the GPU to some use. The decoding part obviously has too much conditional branching for it to be of any use there. But the Permutation generation step is highly linear. It should be well suited to parallelization. It could be sent perspective passwords and a sizeN and send back an arrays. However, it would be memory bound. And the huge bandwidth requirements to send those arrays back to the main memory might be an issue.

I found the source for all the parts of SecureRandom and plan on making a perfect replica of it in C as a stepping stone to a possible GPU implementation. That is extremely ambitious for someone with my coding skill-level. But I can to it… eventually.

Anonymous ID: e15c71 July 31, 2018, 9:45 p.m. No.2384880   🗄️.is 🔗kun

Not a code flag, but is it possible code/key/password is John Podesta's password p@ssw0rd ? Q said future/news unlocks past?!?idk maybe iz just a baboon loose on board.

Anonymous ID: 0016c5 July 31, 2018, 10:14 p.m. No.2385219   🗄️.is 🔗kun   >>5265 >>5325

>>2385149

The Huffman decoding part is a non issue. You only need to do that once for an unlimited number of password attempts.

It's calling the SHA-based psudorandom number generator a million times in series (can't be paralleled) to decide which integers to shuffle around that takes most of the work.

Anonymous ID: 4d00ef July 31, 2018, 10:24 p.m. No.2385325   🗄️.is 🔗kun   >>5604

>>2385219

Sorry that's for the AES decryption portion… still, I think we could use the existing hashcat code for the SHA portion of PRNG. SHA1/256 on hashcat is stupid fast. Something like 600m hashes/s on my old ass card.

Anonymous ID: 0016c5 July 31, 2018, 10:42 p.m. No.2385604   🗄️.is 🔗kun   >>5732

>>2385325

Hashcat is doing something totally different. It's trying to find the passwords that produced a set of hashes. It does this by hashing lots for trial passwords once in parallel'. We need to take one password, use it to set the state of the SHA algo, and then cycle the output back in many many times. This is an unavoidably serial process. If I indeed go down this rabbit hole it will probably involved reading the HashCat code as a way of learning how CPU<->GPU coding works. I might even use some parts from it. But beyond that programs like HashCat and John the Ripper are not useful to us.

Anonymous ID: 4d00ef July 31, 2018, 10:52 p.m. No.2385732   🗄️.is 🔗kun   >>6063

>>2385604

I know. Rather than shooting for one target hash, we try 1k passwords at once and run each serially with however many iterations required, in parallel. I don't see a problem here. I still think it can be modified to our purpose.

Anonymous ID: 0016c5 July 31, 2018, 11:12 p.m. No.2386063   🗄️.is 🔗kun   >>6109 >>6525

>>2385732

We are not really looking for one target hash. It would be nice if it were that simple. Here is the annoying chunk of code in question. 'random.getNextValue' calls 'SecureRandom' which was previously seeded using the password under test. Inside 'SecureRandom" there is a SHA hash function at the heart of it. 'size' is typically around a million.[code]public Permutation(int size, F5Random random) {

int i, randomIndex, tmp;

shuffled = new int[size];

 

// To create the shuffled sequence, we initialise an array

// with the integers 0 … (size-1).

for (i=0; i<size; i++) // initialise with size integers

shuffled[i] = i;

int maxRandom = size; // set number of entries to shuffle

for (i=0; i<size; i++) { // shuffle entries

randomIndex = random.getNextValue(maxRandom–);

tmp = shuffled[randomIndex];

shuffled[randomIndex] = shuffled[maxRandom];

shuffled[maxRandom] = tmp;

}[code] It's serial. And it's memory intensive. But at least there need be little conditional branching (which GPUs suck at). So this would use all of the GPUs RAM long before you got enough processes in parallel to use all of its computing power. It can't hurt to have a few hundred more cores helping the main CPU (as long as there are no memory bandwidth issues). But we're not going to get the same astronomical performance boost that HashCat gets.

Anonymous ID: 0016c5 July 31, 2018, 11:15 p.m. No.2386109   🗄️.is 🔗kun

>>2386063

Oops, for got the /

for (i=0; i<size; i++) { // shuffle entries randomIndex = random.getNextValue(maxRandom–); tmp = shuffled[randomIndex]; shuffled[randomIndex] = shuffled[maxRandom]; shuffled[maxRandom] = tmp; }

Anonymous ID: 4d00ef July 31, 2018, 11:35 p.m. No.2386525   🗄️.is 🔗kun   >>6742

>>2386063

Is size the size of the decompressed bitmap? Or is it something else?

PS tells me that's about 303K for illumipepe.

Even if it's 1MB as you say, that's still 1500 instances of the image.

With my lame 1.5GB graphics card that's still almost 5K potential instances

Anonymous ID: 0016c5 July 31, 2018, 11:50 p.m. No.2386742   🗄️.is 🔗kun   >>6850

>>2386525

Its the size of the DCT coefficient list.. which works out to be the same as the number of pixels * channels (RGB). But, practically, yes. Many of the images are larger than that one.

>With my lame 1.5GB graphics card that's still almost 5K potential instances

Indeed. I just need to work out how it will handle all the out of order loading and storing.

Anonymous ID: 4d00ef July 31, 2018, 11:58 p.m. No.2386850   🗄️.is 🔗kun   >>6977

>>2386742

The DCT coefficient list only gets computed once, correct? If so, we only need to push one copy of the data to the graphics card and we should be able to copy it as many times as we want, no? And if we manage to implement it all on the graphics card, then all we really care about getting back is the rate of attempts and the valid key, if any. And yes, I understand many images are larger but essentially it would work out to max available GPU mem divided by decompressed image size in terms of threads. I'm willing to bet that's still a fuckton more than we've got going currently.

Anonymous ID: 0016c5 Aug. 1, 2018, 12:08 a.m. No.2386977   🗄️.is 🔗kun   >>7120 >>7183

>>2386850

Uh-huh. That is why I'm currently reading up on GPU programming.

The stumbling block I foresee is that there is a lot or random accessing going on after very short work segments will very short arrays. This is really not what GPUs are good at.

 

Disclaimer: I have no experience with this kind of stuff and I'm mostly just talking out my ass. So if anyone who has ever done anything in CUDA or OpenCL would like to weigh in it would be much appreciated.

Anonymous ID: 4d00ef Aug. 1, 2018, 12:29 a.m. No.2387183   🗄️.is 🔗kun

>>2386977

Roger that.If there's one thing I'm certain of though, it's that we drastically need to speed things up. Perhaps a pure-C implementation would be enough. IDK. I'm gonna sleep on it. G'night anon.

Anonymous ID: bb8fea Aug. 1, 2018, 2:15 a.m. No.2387734   🗄️.is 🔗kun   >>7811 >>0758

>>2371388

So the only people stupid enough to use that app are media types. Well, that's interesting. So when we crack this, there is a slightly less chance of finding CP from perverts and more of a chance finding gamer gate type collusion between media personal and/or leaks to the press from stupid gov members. Perfect. I knew there had to be a reason why Q pointed us to such a trash app.

 

I guess a good project, for those who aren't skilled at writing efficient code for password cracking, would be to work at better detecting PK images and scrapping them from the archives of /pol/, 4/pol/, perhaps QResearch, and all the social media of the various media figures/known government leakers. Perhaps even look at some of the pizza gate dumps for stego. And as always, If you do start finding PK images from journalists on their social media, archive and backup everything before you blow your load, so they don't delete more than they already have once they find out we know.

Anonymous ID: fa9e7b Aug. 1, 2018, 2:51 a.m. No.2387890   🗄️.is 🔗kun   >>0679

>>2380484

I do android programming and the C0217R code you psoted looks like resource ids compiled by the either android studio or gradle. They must be manually added because usually they are in R.java or sometimes in BuildConfig.java (in the final apk)

Anonymous ID: fa9e7b Aug. 1, 2018, 3:06 a.m. No.2387952   🗄️.is 🔗kun

I ran the apk version 1.0.1 (last version listed on the playstore) and couldn't find the C0217R class, ran it through two decompilers and neither had it in its output set of files.

Anonymous ID: 1eb45a Aug. 1, 2018, 3:26 a.m. No.2388029   🗄️.is 🔗kun

I wondered if the first 100 bytes of jpeg files we're looking for is not unique to PixelKnot. So I made a "find-pixelknot.sh" shell script to recursively search directories on my computer. I searched a backup from an old hard drive to see if any jpeg files that predate PixelKnot could be found. There were no matches out of 17k jpeg files. I'm leaving it here in case any anons find it useful.

 

Usage:

./find-pixelknot.sh <path to search recursively from>

 

#!/bin/bashPN_HASH_DESIRED_OUTPUT="3f3078870bf5ddc7c4d0e6e5941805b7a062c45d -"INPUT_PATH=$1cd "$INPUT_PATH"# Make sure globstar is enabled to support recursively searchingshopt -s globstardeclare -i FILES_EXAMINED=0declare -i MATCHES_FOUND=0echo "Searching for jpeg files to see if it looks like Pixelknot created them."function exit_output { echo ""; echo "Terminated. Jpeg files examined: ${FILES_EXAMINED}, matches found: ${MATCHES_FOUND}.";}trap exit_output EXITfor filename in /.jp; do ((FILES_EXAMINED++)) FILE_HEADER_SHASUM_OUTPUT=$(head -c 100 "$filename" | shasum) if [[ $FILE_HEADER_SHASUM_OUTPUT = $PN_HASH_DESIRED_OUTPUT ]]; then echo "File $filename looks like a Pixelknot image."; ((MATCHES_FOUND++)) fi;done

Anonymous ID: 745039 Aug. 1, 2018, 8:59 a.m. No.2390758   🗄️.is 🔗kun   >>3746

>>2387734

>only people stupid enough to use that app are media types. Well, that's interesting

 

started in 2012

n8fr8 and harlo are contributors up until 2015

sep/nov 2016 N-Pex starts updating and 2.0 is released 11/20/2016

 

out of the blue on feb 15 2017, n8fr8 updates the f5Android "update F5 to latest with fix"

 

but that "FIX" is only the removal of the JFIF header making it possible to easily identify PixelKnot images

 

without that "FIX" PixelKnot images would not be easy to detect

would look like any other images from software that uses james jpg encoder or f5 encoding

 

and that change was pushed down to line 666

 

intentional?

 

>scrapping them from the archives of /pol/, 4/pol/, perhaps QResearch

THIS

brute forcing encryption is the worst way to figure this out

search for more images

look where they come from

find patterns

Anonymous ID: 745039 Aug. 1, 2018, 9:50 a.m. No.2391530   🗄️.is 🔗kun   >>1563 >>1741

>>2376809

>>2377012

 

no decode on 2c19435a6c6d0b75661f8bed4269e540bdea162d20426e2865fa99473d164863 (scroll wheel)

 

with

 

crunch 4 4 'abcdefghijklmnopqrstuvABCDFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+=-[]\|}{,./<>?" '"'"

 

no decode on any with default passwords

 

currently running 1 to 3 char combos on all from smallest to largest

 

imghunt/11dc6ed351634c39a8faee69dc8c85b5a8a83c8f58485d69711a71a68e19783d.jpg

Huffman decoding starts

count: 12378 elapsed: 60s = rate: 206 pw/s

Anonymous ID: 0016c5 Aug. 1, 2018, 10:06 a.m. No.2391741   🗄️.is 🔗kun   >>2853 >>5061

>>2391530

I picked a random file and tried generating a 4 letter list using only the characters in a files filename. Nothing.

But occurred to me last night that it was a 13 char filename. If it done by shuffling the filename somehow then I'd be looking for a 5 char key. I don't have the horsepower to attack that in a reasonable time. So when I get home today I'm gonna write a filter that reduces the set to only those that use any single char no more than the number of time it appears in the source filename, unless you want try it first. If you do then let me know so I don't reinvent a bad wheel.

Anonymous ID: 745039 Aug. 1, 2018, 11:01 a.m. No.2392853   🗄️.is 🔗kun

>>2391741

the 13 char filenames are the hashes from qresearch, you have to find the original filenames

 

>first batch

https://nofile.io/f/PR5CxvthaYp/jpeg_ffd8_ffdb_0084.zip

 

original filenames of the images

>https://pastebin.com/qnieJg81

 

we don't have filenames for the second batch

>https://anonfile.com/h8k8Adf3b6/pkfiles.zip

Anonymous ID: 1b4548 Aug. 1, 2018, 11:45 a.m. No.2393967   🗄️.is 🔗kun

Interesting review from Jan 11 2018 from a user called "The45Guy 1776"

 

The45Guy 1776

January 11, 2018

I tried to send 2 pics thru mms and facebook messenger and niether were hidden they showed just the way they were. Deleted

 

https://play.google.com/store/apps/details?id=info.guardianproject.pixelknot&hl=en_US&reviewId=gp%3AAOqpTOFaK4o4HlT8qDSRPSzYY-6whXi9qJUR2uAyIPaCeCBh7fFp49zqG2rPX4BcXyNGIkU7qIiz1jl-0e2COOg

Anonymous ID: 745039 Aug. 1, 2018, 11:52 a.m. No.2394093   🗄️.is 🔗kun   >>4128 >>4381 >>0732

>>2393746

 

Another suspect change on 1/7/17

 

https://github.com/harlo/F5Android/commit/1f99dcd6cb30c47bf10ab4d6e8358475664d917b#diff-800464caea7ea0476f99b839816c41d5

 

why add jni c++ buffers for performance?

quietly change the encoded quality from 80 to 90?

 

were they TRYING to make the PixelKnot images detectable on 1/7?

 

did it not work so so then they made the change on 2/10 to remove the the JFIF header?

 

spidey senses are tingly

Anonymous ID: 35f05f Aug. 1, 2018, 12:05 p.m. No.2394381   🗄️.is 🔗kun   >>0732

>>2394093

 

I was hoping that the quality that the image was encoded with was written to the file, unfortunately that's not the case. I think the header removal change is all we need for now anyways.

 

The road is steep from here though, something tells me they aren't going to use a complex password, and I have a feeling that the password will unlock many images.

Anonymous ID: 745039 Aug. 1, 2018, 12:13 p.m. No.2394535   🗄️.is 🔗kun   >>4586 >>9798

>>2394128

 

before 2/10/2017 pixelknot f5 encryption layer had a fixed password of abcdefg123

 

it was ALWAYS possible to detect a pixelknot image, the method just changed on 2/10/17

 

there might be .jpg with JFIF header out there that can recognized with f5.jar with the password abcdefg123

 

https://github.com/harlo/F5Android/commit/08ebe47b1a0bba6ccc3fcc5f8f9edc467192d224#diff-97fa33d4b689c96d713de0b334e82b14

Anonymous ID: 745039 Aug. 1, 2018, 12:15 p.m. No.2394586   🗄️.is 🔗kun

>>2394535

can somebody with an archive of images download f5.jar and run

 

for F in .jpg .jpeg; do java -jar ./f5.jar x -p 'abcdefg123' -e $F.msg.txt $F; done

strings *.txt

 

i do find some images lock up the f5 decrypt, you may need to kill some java processes along the way

Anonymous ID: 745039 Aug. 1, 2018, 12:39 p.m. No.2395061   🗄️.is 🔗kun   >>6389 >>6481

>>2391741

 

the original filenames we have found all start with a number.. the PixelKnot source will append a _1 when it is writing out if the file already exists

 

are the filenames reversed?

 

D5_7udrmySQBwlDP_0

v6IB7UAzKWj1dDFx_0

wO20sFXmnh2JRA2ZavsokW*1

Q8ppeE6yCbsR-s-OMgJrga_1

gJVbydvC_i3zfugKtfxT2m_1

wlqIcDQso-BEvuD3OVvv3v_1

AYRn76Tsl5R-KKz1qPL-uW_1

A9L8gltaIdq3w_MhPqx-vx_1

A7B0i_E8uMhRJp9Cv2r2V0-1

g9k2Pll-RU8LzVao0UMvqA-1

Q-fWB5owqdHtW2XnOc-zRl-1

Anonymous ID: 745039 Aug. 1, 2018, 1:39 p.m. No.2396389   🗄️.is 🔗kun   >>6481 >>6863 >>7994

WAIT ANONS AM I CRAZY??

>>2371666

>>2395061

 

>You'd be amazed how much is shared on /pol/

 

https://archive.4plebs.org/pol/thread/170109703/

0_PDlwBQSymrdu7_5D[1].jpg

 

Hello I am a reporter from CBS.

 

>0_PDlwBQSymrdu7_5D.jpg

 

think mirror

 

>D5_7udrmySQBwlDP_0

 

evil eye posted on 5/1/18

Q drop 1332 about D5 was on 5/10/18

>The snowball has begun rolling

 

D5 = Checkmate

 

https://qanon.pub/?q=D5

 

Q drops about D5 4 time in may

 

and then again RIGHT AFTER we figure out the f5 layer of PixelKnot

Anonymous ID: 5c991a Aug. 1, 2018, 1:44 p.m. No.2396481   🗄️.is 🔗kun   >>6504 >>6613

>>2396389

>>2395061

Very nice finds.

So yes, the filenames are reversed, and perhaps the images are as well.

Try flipping the images horizontally before trying to extract the data from them.

 

As for what the passwords are.. try the filename without any number appended to the end, both regular and reversed.

Let me know if that works for you… I still haven't found a way to test these out on my own computer.. MacOS.

Anyone know of a way? If so then I can help.

Anonymous ID: 5c991a Aug. 1, 2018, 1:46 p.m. No.2396504   🗄️.is 🔗kun   >>6613

>>2396481

Actually I'm not sure if flipping the image changes the ability to extract data from it or not - that would be the first thing to test with an image we already know has data and already know the password to.

Anonymous ID: 745039 Aug. 1, 2018, 1:51 p.m. No.2396613   🗄️.is 🔗kun   >>6723

>>2396481

 

install java

 

open terminal

 

download f5 jar from google code

 

curl https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/f5-steganography/f5.jar –output f5.jar

 

here's how to test a password on the f5 layer (this will only be the last 1/3 of the full password)

 

java -jar f5.jar x -p plan -e out.txt Q4example.jpg

cat out.txt

 

>>2396504

 

scaling, flipping, or modifying in any way will remove the hidden data

Anonymous ID: 5c991a Aug. 1, 2018, 1:58 p.m. No.2396723   🗄️.is 🔗kun

>>2396613

Thank you anon I will set things up in a few hours and try and see if I can get anything out of these images.

I'll report back with any important findings.

Anonymous ID: 745039 Aug. 1, 2018, 2:58 p.m. No.2397994   🗄️.is 🔗kun   >>8004 >>0605

>>2396389

 

PIXELKNOT IMAGE ENDS IN -Q

 

this was posted to /qresearch/ 07/08/18 during 20 days of silence

 

1-lRz-cOnX2WtHdqwo5BWf-Q.jpeg

 

filename ends in -Q (extra group from other filenames)

pixelknot header

 

same image on

https://medium.com/@allanishac/body-language-experts-say-trump-often-flashes-triangle-of-satan-hand-gesture-5b592002c1e8

 

posted 7/11/18

 

filename is diffferent

 

1_FCAsiu79H2b2aUGLdD7mBw

 

both PixelKnot

not the same files

Anonymous ID: 745039 Aug. 1, 2018, 3:02 p.m. No.2398080   🗄️.is 🔗kun

>>2398004

all these images on

 

https://medium.com/@allanishac/body-language-experts-say-trump-often-flashes-triangle-of-satan-hand-gesture-5b592002c1e8

 

have pixelknot headers

Anonymous ID: c5ee9d Aug. 1, 2018, 3:21 p.m. No.2398467   🗄️.is 🔗kun   >>8717 >>8947

Lmao, you guys are stupid.

 

All JPEG images uploaded to medium.com meet the criteria set out in the OP (no JFIF, xFF xC0 x00 x11 @ 0x88).

 

Good job, everyone! You have been collecting and brute-forcing random images originally hosted on medium.com.

Anonymous ID: 745039 Aug. 1, 2018, 3:33 p.m. No.2398717   🗄️.is 🔗kun   >>8936 >>0605

>>2398467

 

yeah

 

here's an article written before the PixelKnot header change:

 

Jan 31, 2017

 

https://medium.com/@lewispants/i-was-fired-from-my-journalism-job-ten-days-into-trump-c3bc014ce51d

 

missing JFIF and has the second sig

Anonymous ID: 4d00ef Aug. 1, 2018, 3:44 p.m. No.2398936   🗄️.is 🔗kun

>>2398717

 

K so all we need to do is image search medium.com for an image with that header. If no results found (and the original filename isn't like medium's random naming bullshit) then we probably have a PK image.

Anonymous ID: 745039 Aug. 1, 2018, 3:45 p.m. No.2398947   🗄️.is 🔗kun   >>9125

>>2398467

 

not all of these were posted on medium.com

 

there is (at least) one other piece of software that makes the same header

 

stegdetect doesn't find any f5 data in medium.com images

1_b3jcMKfQQzl0t56L1kiuZQ.jpeg : negative

1_OF9MABBWU8CN6Dmyu1N32w.jpeg : negative

1_V7KBi6mUHK914qssJEFwfw.jpeg : negative

 

others do

1_FCAsiu79H2b2aUGLdD7mBw.jpeg : f51.949593

1_S72sax0zPtFX7yE-9hlxYg.jpeg : f51.565821

1_Wu-LPq1zKK-R5lsT67nRYA.jpeg : f50.652062

1-0V2r2vC9pJRhMu8E_i0B7A.jpg : f51.590077

 

CBS evil eye

0_PDlwBQSymrdu7_5D.jpg : f51.687834

Anonymous ID: 5c991a Aug. 1, 2018, 3:46 p.m. No.2398957   🗄️.is 🔗kun

Alright I am testing now.

I can confirm that flipping a test image horizontally (or doing anything to it) breaks the stenography. But putting it back in place, or back the right way even after saving makes it work again.

So flipping the images could be the right way to go.

 

Another thing I found online:

mention of f5 in clinton emails

 

https://archive.4plebs.org/pol/thread/159001495/

"nf weder 1 noch 3"

its in the source code for huffman

https://github.com/abronte/f5-steganography/blob/master/src/net/f5/ortega/HuffmanDecode.java

 

This pixelknot stuff might be bigger than we know.

Anonymous ID: 745039 Aug. 1, 2018, 3:53 p.m. No.2399125   🗄️.is 🔗kun   >>9203 >>9560

>>2398947

 

STEGDETECT F5 IMAGES

 

the missing header is not unique to PixelKnot (doh)

images with the missing header that stegdetect thinks have f5 data

 

https://nofile.io/f/UCGFkYAMMxN/f5-detected.zip

 

https://nofile.io/f/UCGFkYAMMxN/f5-detected.zip

 

https://nofile.io/f/UCGFkYAMMxN/f5-detected.zip

Anonymous ID: 4d00ef Aug. 1, 2018, 3:57 p.m. No.2399203   🗄️.is 🔗kun   >>9442 >>9450

>>2399125

Does stegdetect hit false positives?

Here's a medium article with the exact illumipepe image [positive ID by SHA] that's in your list.

https://medium. com/@Freequincy/right-wing-dove-squad-how-trash-dove-became-the-symbol-of-the-alt-right-c7794b84a48d

Anonymous ID: 5c991a Aug. 1, 2018, 4:03 p.m. No.2399313   🗄️.is 🔗kun   >>9620

Alright guys I played around with it more. I learned that if you get near the actual password with f5.jar, it starts spitting out some bytes of data and extracting some stuff instead of giving nothing.

 

With this attached image (I flipped it horizontally) and a password of BwlDP I was able to extract some nonsense data. I think it means we are getting close, but I don't have pixelknot in order to try actually getting the real message out.

I'm not able to get a clean file out that says "pixelknot v1.0 password required" etc.

Will update.

Anonymous ID: c5ee9d Aug. 1, 2018, 4:10 p.m. No.2399442   🗄️.is 🔗kun   >>9498 >>9532

>>2399203

And it is before the header change.

 

So we have now established that stegdetect gives false positives, and all medium.com JPEGs meet the other criteria.

 

A new approach is needed. Perhaps focus less on finding PixelKnot images and more on Q's images.

Anonymous ID: 745039 Aug. 1, 2018, 4:10 p.m. No.2399450   🗄️.is 🔗kun   >>9880

>>2399203

 

"The results obtained shows that

the ratio of false positive generated by Stegdetect depends highly on setting the sensitivity value, and it

is generally quite high"

 

https://researchportal.port.ac.uk/portal/files/187568/Microsoft_Word_-Stegdetect_article-_Final.pdf

Anonymous ID: 745039 Aug. 1, 2018, 4:14 p.m. No.2399498   🗄️.is 🔗kun   >>9532

>>2399442

not sure this image is after the change this is right at the same time

when was the build was pushed to the store?

 

stegdetect really things there is something but with a small image like that who knows

 

68ccb4146da74068a0d8749ac6bd3dab249e1a6d947c8ee106ef5bfdc0c9cf6e.jpeg : f53.026896

Anonymous ID: 323ec5 Aug. 1, 2018, 4:31 p.m. No.2399798   🗄️.is 🔗kun

>>2394535

This and several other posts…

 

The tech literate have always known spy agencies cripple publicly available encryption but good grief! We aren't even experts at this stuff, just code monkeys poking through an open source repo. The whole thing is vulnerable! It's only a matter of time before we crack this.

Anonymous ID: 4d00ef Aug. 1, 2018, 4:47 p.m. No.2400150   🗄️.is 🔗kun   >>0585

The pedo jewelry is the smallest image I can find that has the correct headers, gets a positive from stegdetect, and is not found on medium.com

J.TrIDr3ESpPJEs ID: ee4cfa Aug. 1, 2018, 5:56 p.m. No.2401525   🗄️.is 🔗kun   >>2218

I had posted to this thread, but my post appears to have mysteriously (?) gone missing.

 

I mentioned to factor in symbols from international keyboards (£, euro sign), dusting off old hardware to assist in brute-forcing, and divying up tasks between yourselves (and let each other know) so you're not all trying to brute force the same issue.

 

It's curious my suggestions on ways to improve the efficiency of detecting PixelKnot 'magically disappeared', given no other post I've written so far has.

I had posted to this thread, but my ID: ee4cfa Aug. 1, 2018, 5:58 p.m. No.2401556   🗄️.is 🔗kun   >>2218

Oh yeah, don't forget to factor in unicode (if the password supports it and isn't just ASCII). Most format common is UTF-8 (non-BOM), and would exponentially increase the number of characters you'd need to check before solving.

 

But I digress.

Anonymous ID: b2ea3f Aug. 1, 2018, 6:10 p.m. No.2401778   🗄️.is 🔗kun   >>2121

I'd like to help out (two 16 core machines) but I don't know any java. A lot of these images run through f5 seem to hang at a German error message from HuffmanDecode.java. Also f5 doesn't seem to take "jpeg" but needs "jpg"

Does this header need to be repaired or is that part of the processing in some other way?

How do I setup the workflow for password brute forcing?

Anonymous ID: 4d00ef Aug. 1, 2018, 6:29 p.m. No.2402121   🗄️.is 🔗kun   >>9199

>>2401778

https://anonfile.com/EaG3B8fbb8/PKunknot.zip

This is what I'm using anon - single thread per instance though. You'll have to manually split your wordlists. It will automatically generate every permutation for a given charset and exit if a correct solution is found.

Run by calling the following on your command line:

java -cp bcprov-jdk15on-160.jar; q.Main %IMGNAME% %CHARSETFILE% %STARTINGWORD%

Anonymous ID: 11b051 Aug. 1, 2018, 6:47 p.m. No.2402460   🗄️.is 🔗kun

>>2372815

 

I'm losing my mind, I cannot decode my own image from the app, but another anon could UGH!

 

What's somewhat strange when I download the image from 8chan, it has the header even though the app removes it.

 

Also, I thought I saw someplace in the code where there is maximum dimensions for an image, but I can't seem to find it.

Anonymous ID: 4ee9d4 Aug. 1, 2018, 9:16 p.m. No.2405387   🗄️.is 🔗kun   >>7136

You know how a bunch of qposts have weird codes in them? Any way we could incorporate a line for line, raw text record of all drops as a password list?

 

I think this would be especially applicable to any knotted images found in the drops themselves, if there are any.

Anonymous ID: 0146c4 Aug. 1, 2018, 11:05 p.m. No.2407136   🗄️.is 🔗kun

>>2405387

It's weird how similar the filenames are to the stringers, no idea if they encoded the passwords this way, but it's possible. How else would DS operators share passwords? and if they could share passwords why not share messages that way? why F5?

Anonymous ID: 0016c5 Aug. 2, 2018, 12:25 a.m. No.2407861   🗄️.is 🔗kun   >>8637

Wait a second… files that I uploaded yesterday that were encoded with PK are no longer so.

 

Check 'em. Their sha256 hashes no longer match their sha256 filenames. CodeMonkey must have heard about what we've discovered and not liked that his site is being used for such purposes.

Anonymous ID: 0016c5 Aug. 2, 2018, 2:08 a.m. No.2408637   🗄️.is 🔗kun   >>9640

>>2407861

How much you wanna bet half-chan is doing the same thing? We shouldn't have announced our finds so publicly. Now we can't scrape pages to find more such images. That spoils all my fun.

I discovered this while testing a python script to scrape and quickly check all the images on a page. It detected 36 images on this page on one test and none on a subsequent test without changing anything in that section of code. They must be checking and reencoding old images when accessed.

 

Here is my code to scrape and scan a chan and forum type sites (anything without fancy-shmancy frames or JS). Doesn't work on Pinterest, Instagram, Medium, etc.

I don't know what good it will do now that the word is out about how easy it is to find this kind of stenago. Damnit. If we find another way to detect such hidden messages let's swap PGP keys and discuss it privately.

 

https://pastebin.com/yAFSVY86

Anonymous ID: 0016c5 Aug. 2, 2018, 4:54 a.m. No.2409560   🗄️.is 🔗kun   >>9701

>>2399125

It's not just the missing header. The first 139 bytes of nearly every file in Medium is identical.

The "James" that wrote the JPEG encoder in f5.jar and PK used to sell/license that same code. It may have found it way into the Medium back end. And it's conceivable that someone annoyed by the default comment that it normally produces got a little over zealous when they went in to shut-up that section and also commented out the JFIF part.

Alternately, Medium is know to be badguy territory. Maybe they either use stegano extensively. Or perhaps they know that PK images are easily recognizable and are intentionally sowing innocuous images with same signature to create cover for people using PK.

Anonymous ID: 11b051 Aug. 2, 2018, 5:08 a.m. No.2409640   🗄️.is 🔗kun   >>9668

>>2408637

 

I will verify this myself here soon, I believe this is a huge discovery.

 

So imageboard must reference the original uploaded file in the database for the site. Likely , someone has written some script to re-encode/change headers of all the jpg files that have been uploaded.

 

I know when I uploaded my PK image it didn't have the header, and now it does! I believe this is going to be the case for every stego file on 4&8.

 

This is a potential huge FU to all of us, this is why we archive offline, but it means that we cannot pass jpgs around on here since the headers (at least) have been changed or the files have been re-encoded.

 

IF this is indeed the case the question is why?

Anonymous ID: c25bbb Aug. 2, 2018, 9:13 a.m. No.2411942   🗄️.is 🔗kun   >>4691

>>2373016

 

Can you download the jpg from my test again, and compare against your original download from Tuesday? (Sadly I don't have the original)

 

Also, can you even decode it – once you download the new copy of it?

Anonymous ID: 59cecc Aug. 2, 2018, 9:24 a.m. No.2412101   🗄️.is 🔗kun   >>4834

Might be nothing, but "Sarah" is posting again over on halfchan. Figured I'd let you pixelfags take a look.

 

https://boards.4chan.org/pol/thread/180896139

Anonymous ID: 0016c5 Aug. 2, 2018, 10 a.m. No.2412561   🗄️.is 🔗kun   >>2677

>>2409701

Medium.com

 

One of the spoopy images we found on QResearch was traced back to hear:

https://medium.com/pedophiles-about-pedophilia/you-say-potato-i-say-pedophile-5a9ad0ee0f99

Anonymous ID: 0146c4 Aug. 2, 2018, 12:13 p.m. No.2414834   🗄️.is 🔗kun   >>6423

>>2412101

>https://boards.4chan.org/pol/thread/180896139

steg detect was positive, these aren't following the filename formats though, i think they are changing password exchange up.

Anonymous ID: 71686a Aug. 2, 2018, 1:48 p.m. No.2416423   🗄️.is 🔗kun   >>6626 >>7299

>>2414834

Did you notice the Nazi photo with a squirrel on his shoulder? Look at filename "1_07NuaT7Ds4D5eaufbUMVnA.png".

 

It is a PNG image instead of a JPEG though, it would not have F5 in it (if anything). The contents could have been scrubbed already but uploaded a ZIP file. https://anonfile.com/c90fCef1b5/img.zip

 

We don't know if the real SS is involed or just her likeness used again, but the OP's 4 posts do sound like a Jew (they know the talking points). The Nazi-bashing is ridiculous but someone might talk that way… :/

Anonymous ID: c25bbb Aug. 2, 2018, 2:29 p.m. No.2417121   🗄️.is 🔗kun   >>7299 >>8768 >>9895

>>2414691

 

There is an image called goods.jpg (pw: qanon) - that was extracted previously (not by me). Something tells me the image that was uploaded then, is no longer the same as it is now.

 

This refers back to >2408637, when I uploaded this other pick and re-downloaded it, it still has the header.

 

This likely means that some script was run around Tuesday sometime, that altered the images stored here and would have had to be done by someone on the back end. So if anyone was able to decode any images earlier in the bread, and have the source files (before they were uploaded), could verify that there was changes done on the back-end to those files that would be great.

 

If the files were re-encoded then the stego is gone, and that is a huge blow to finding more images here and on half-chan. (I'm assuming the same was done on half too)

Anonymous ID: 0146c4 Aug. 2, 2018, 2:39 p.m. No.2417299   🗄️.is 🔗kun   >>8536

>>2417121

I think this is the case. The photos of the letter 'Q' for example only partially worked when I was looking at these last night. avenger.jpg didn't work but GreatAwakening.jpeg still did. maybe it missed the .jpeg extensions..

 

>>2416423

Interesting, I'm starting to think the filenames are a result of tooling or cache systems rather than being an autokey cipher of sorts. Back to the drawing board I guess. Maybe Q will help us out later with the 'key'.

Anonymous ID: 745039 Aug. 2, 2018, 3:54 p.m. No.2418536   🗄️.is 🔗kun

>>2417299

 

running 3 char combos on these files

 

>https://nofile.io/f/UCGFkYAMMxN/f5-detected.zip

 

'abcdefghijklmnopqrstuvABCDFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+=-[]\|}{,./<>?" '"'"

 

these files done scanning with all 3 char combos and no matche

 

f5-detected/a5e5c137d0b352d8dbacaf8e2802f62bf59dac5dbd2b6af2d8379ac308b7b3d8.jpg

f5-detected/2c19435a6c6d0b75661f8bed4269e540bdea162d20426e2865fa99473d164863.jpg

f5-detected/51122a1f8b76dbb185dfcece22a900a07165f4f270f414afd4e4eef183863cf8.jpg

f5-detected/a1677d3d755fabf1c73b1786f5ac39f714c59cf72fc288029c166f9be119b7cf.jpg

f5-detected/abbbd389003d0b2b919ac73fcb490239be4570effacacd9c653ebbe2e2940fc8.jpg

f5-detected/11dc6ed351634c39a8faee69dc8c85b5a8a83c8f58485d69711a71a68e19783d.jpg

f5-detected/8b74493ae9233d7ed319efe95b96f9d1e16a3975c3a8d9ab1361b3fe5be4b5a8.jpg

f5-detected/18e535c2558973824cf2f11ea009066d0cd1fe3ac6c8b4bc0d5fa687d89da67a.jpg

f5-detected/1b01e2fbd7483fe2167a417ed605269fa0fc8aaf9bbd1859898ea13b22ba4dee.jpg

f5-detected/b4ffa2fe6ba7c7b732e36af3595e33a38893146d1411be202c3bc259c2d5b2ec.jpg

f5-detected/be471d6d62109bc5be47082d1cf9a537777d9f6de5b1d777d4ee113a9c47ab63.jpg

f5-detected/f5ee16710b749e2c4dd3e95a1f725723b322f9963010256dc3cffad0eddff752.jpg

f5-detected/9d65a2f8806914b900b7e51e3a16500b60b7f48dc3f52cf82958761c8aac3e96.jpg

f5-detected/57139014c39d5726885d566ad5ba134c275f7fd90ac920f7a171a4adb7dcd095.jpg

f5-detected/ef56efafa8857c6bd9f3e80f5fcdc24749ff27a95dfc0f9313cee0f4b0687c79.jpg

f5-detected/e5393fba4fcca1dab2d66f98e520503ca942e3bf42bae78de2aa08c8576fa024.jpg

f5-detected/60162fec45db2cd5f40b130fbf24f8b921748c965d297816850fb3035ca57904.jpg

Anonymous ID: bb8fea Aug. 2, 2018, 4:05 p.m. No.2418768   🗄️.is 🔗kun   >>9895

>>2417121

Yeah, all the files that I had earlier, and the ones still in my browser cache, would decode fine. After a hard refresh, and a clearing of the cache, the new images showed. They are indeed re encoded and don't work. tip stego

Anonymous ID: 1b4548 Aug. 2, 2018, 5:02 p.m. No.2419895   🗄️.is 🔗kun   >>5587

>>2371388

>>2417121

>>2401017

>>2418768

Yup, reencoded to cover their asses. Not only to write in the JFIF in the initial line, but going back to this post

>>2345073

notice that between yesterday's and today's downloads the string after the DQT header is absent

 

a writeup on an online information security exercise points this out as a clue to get to the next level of the exercise

https://lonewolfzero.wordpress.com/2015/03/12/n00bs-ctf-labs-infosec-institute-teddy-zugana/

 

>could be contain malware or steganography on line

>()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

>()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz

>inside alien picture

>use the application Steghide to extract data from the picture:

>steghide.exe extract -sf aliens.jpg -xf out.txt

example pic

https://ctf.infosecinstitute.com/img/aliens.jpg

Anonymous ID: 745039 Aug. 2, 2018, 9:36 p.m. No.2424756   🗄️.is 🔗kun   >>7826

I went through the rest of the f5 detected images and did google image searches and ruled out images that I could find somewhere else and was left with 3. The CBS eye I left in because it was posted on /pol/ and has 5D (D5 mirror) in the filename

 

focusing on these three now

 

https://nofile.io/f/au6mKPYtznQ/f5-remain-2.zip

Anonymous ID: 0016c5 Aug. 2, 2018, 10:37 p.m. No.2425587   🗄️.is 🔗kun   >>2888 >>9002

>>2419895

I think Evil Eye one is a false positive. Steg detection works by finding what should be sharp lines and checking for if they are not. A image like this has no business ever being encode with JPEG. You get too much buzzing around the sharp edges.

I just manufactured a test image as closely as I could to the a1 file using a PNG of the same logo at high rez and GIMP and quality 70. Stegdetect -t F gives me 1.711036. I think it's because if the very similar buzzing you see when you zoom in (use Pix, it doesn't smooth pixels).

Anonymous ID: b95bf4 Aug. 3, 2018, 3:44 a.m. No.2428579   🗄️.is 🔗kun   >>3919 >>3945

Remember the Wikileaks that contained Antarctica photos that John Kerry took of the ice? Didn't JA/Wikileaks put a tweet out prior to the dump with a hash code? I always wondered why photos of the ice were of significance. I am looking for the photos and the hash code tweet to see if anything is there now that I am aware of pixelknot. Any assistance would be appreciated.

Anonymous ID: 745039 Aug. 3, 2018, 10:40 a.m. No.2432888   🗄️.is 🔗kun

>>2425587

 

makes sense… these drops keep coming to mind though

 

https://qanon.pub/?q=EYE%20OF%20RA

EYE OF RA.

Left eye [marker].

Symbolism.

 

https://qanon.pub/?q=clear%20sight

How do you hide a message in clear sight?

 

https://qanon.pub/?q=%2Fpol%2F#1715

You'd be amazed how much is shared on /pol/.

Data exchange.

https://guardianproject.info/apps/pixelknot/

Anonymous ID: 745039 Aug. 3, 2018, 3:36 p.m. No.2438149   🗄️.is 🔗kun   >>8967 >>2019

>>2437477

>Huma interviewed by FBI on Jan 6 2017

 

>Harlo code change on 2/10/17 (gradle build #5)

merge of all harlo's local changes for the last 3 years she pushed to gitlab.. removed the JFIF header then merged into guardian project F5Android, then consumed by PixelKnot and playstore image was updated (but not the .apk on the download page)

 

>John Podesta joins The Washington Post as a contributing columnist February 23, 2017

https://www.washingtonpost.com/pr/wp/2017/02/23/john-podesta-joins-the-washington-post-as-a-contributing-columnist/?noredirect=on&utm_term=.448a78f09f96

Anonymous ID: 1b4548 Aug. 3, 2018, 4:22 p.m. No.2438967   🗄️.is 🔗kun

>>2438149

>build for all archs

Refers to a make file for the app to compile shared object .so files for the architecture the OS is running on. ARM for phones and tablets x86 for the PC port of android. Not sure if Androidx86 and linux are directly compatible. Open the app's apk as a zip file and it shows libF5Buffers.so for different archs

Anonymous ID: 1b4548 Aug. 4, 2018, 2:01 a.m. No.2446299   🗄️.is 🔗kun   >>8673

>>2371688

>>2382513

>>2371258

 

Has anyone tried the experiment to estimate the original/cover image DCT that these two pointed out.

>>2388204

>>2388161

 

Not going to lie it was way too much post-grad statistical math for me to understand completely. Found a summary paper which made reference to it.

https://www.iosrjournals.org/iosr-jce/papers/Vol16-issue1/Version-3/M016137073.pdf

 

Steps for the F5 Steganalysis algorithm [3][4][6].

Step 1: Input the stego image for performing Steganalysis. (get steg quantization parameters)

Step 2: Decompressed the stego image.

Step 3: Crop the image by 4ҳ4 column from all sides.

Step 4: Apply blurring operation to remove artifacts.

Step 5: Then re- compressed the image. (using quantization parameters from step 1)

Step 6: Count the different histogram value for the stego image and cover image.

Step 7: Calculate the difference

Difference = stego image value – cover image value.

Anonymous ID: 745039 Aug. 4, 2018, 8:34 a.m. No.2448673   🗄️.is 🔗kun

>>2446299

good thinking anon

 

been using stegdetect which does this exact thing for f5

 

what we know:

  • images made by PixelKnot before 2/10/17 were f5 encoded with the password abcdefg123 (these would not be compatible with the latest version of PixelKnot)

  • images made by the version after 2/10/17 (on play store) are missing the JFIF header (a few websites like medium.com match the same signature, not sure why) and are decoded with the last 1/3 of the full password

 

anon with archive of jpg from qresearch or pol

might be worth it to try to decode any jpg with f5.jar using password abcdefg123

 

for F in .jpg; do java -jar f5.jar x -p abcdefg123 -o msg.txt $F; cat msg.txt; done

Anonymous ID: 745039 Aug. 4, 2018, 9:04 a.m. No.2449002   🗄️.is 🔗kun   >>9249

>>2425587

 

ruled out 54,700,816 4 letter combos on evil eye

 

/crunch 4 4 'abcdefghijklmnopqrstuvABCDFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+=-[]\|}{,./<>?" '"'"

 

either false positive or password is longer than 12 chars

 

found the pedo ring image on walmart.com, looks like they strip the 'JFIF' header too

 

https://www.walmart.com/ip/14K-White-Gold-amp-Diamond-Triangle-Spiral-Ring-size-5-5/191794612

Anonymous ID: 745039 Aug. 4, 2018, 9:25 a.m. No.2449226   🗄️.is 🔗kun   >>9514

found the vineyard jpg on medium with the missing header

 

https://medium.com/@Levi.Smith/did-john-podesta-just-tweet-out-an-admission-to-justice-scalias-murder-69f9ba941a1b

 

found the evil eye too

 

https://landonbuford.com/press/0_pdlwbqsymrdu7_5d/#.W2XS4yhKj-g

https://web.archive.org/web/20180804162236/https://landonbuford.com/press/0_pdlwbqsymrdu7_5d/#.W2XS4yhKj-g

Anonymous ID: 745039 Aug. 4, 2018, 9:28 a.m. No.2449249   🗄️.is 🔗kun   >>3024

>>2449002

 

crunch string was missing a few chars ~-`

 

should be

 

crunch 1 4 'abcdefghijklmnopqrstuvABCDFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-+=-`~[]\|}{,./<>?" '"'"

 

trying all 1-4 combos with those missing chars on the evil eye (8m should take about 6 hours)

Anonymous ID: 745039 Aug. 4, 2018, 9:56 a.m. No.2449514   🗄️.is 🔗kun   >>9706

>>2449226

 

landon uploaded the evil eye may 2018, same month it showed up on pol

 

BUT - the landon photo with the same filename does not have the pixelknot header (and doesn't decode with abcdefg123)

 

found cbs-logo.jpg that is the same size on from 2018

 

https://www.neowin.net/news/cbs-launches-ios-app-windows-8-version-coming

 

it doesn't not have the JFIF string but doesn't match the PixelKnot header

Anonymous ID: 0146c4 Aug. 4, 2018, 7:32 p.m. No.2457804   🗄️.is 🔗kun   >>3526

Does anybody have more details on the underlying implementation of SecureRandom? Depending on the psuedo random number generator we may be able to reduce the search space to the possible values of the seed (ex, 0 to maxint).

Anonymous ID: 0e2334 Aug. 5, 2018, 12:49 a.m. No.2461532   🗄️.is 🔗kun   >>9199

>>2450617

Beyond 4 chars we are going to have to get a lot smarter with how we pick what passwords to try. It not hard to imaging a 20 char passphrase.

One way to do this is to try the endings of long dictionary world and short words with a space and short random prefix. Then run the same set through 1337 speak substitutions. And then add ending punctuations.

Another idea I had is to score perspective random passwords based on the combinatorial frequency of character pairs. "TH" is more common than "ZD". We could have crunch generate a 100, 000 times as many passwords as we could directly check and then filter them down to the top 99.999th percentile.

Obviously the optimizing it from the start would be better. But I don't think I'm smart enough to work out all of the patterns in how people chooses passwords and phrases or to build a highly optimized generator (I could eventually, but I'm not going to spend the rest of my life on this).

In the short term we could keep a file of all failed password. Diff might get awfully bogged down comparing TB scale sets. But if the archive is kept asciibetically presorted then a custom tool could be it efficiently enough for it to be worthwhile.

Anonymous ID: 0146c4 Aug. 5, 2018, 6:42 a.m. No.2463119   🗄️.is 🔗kun   >>3526

>>2427826

Did you just realize the same attack vector I did? There a way we can group up outside public space? Here's a quick rundown, use your key.

 

https://pastebin.com/DP7avPrx

Anonymous ID: 0e2334 Aug. 5, 2018, 7:24 a.m. No.2463526   🗄️.is 🔗kun   >>3615 >>7100 >>9199

>>2463119

>>2457804

SecureRandom basically works by taking the password, hashing it with SHA1 to set the initial state (160 bits, 20 bytes), passing these bytes out as requested, and rehashing the state to create a new state when it runs out of bytes. It does this as many times as needed to create as many psudorandom bytes as requested.

This data is first used to shuffle a list of integers (0 to the number of DCT coefficents, which is also happens to be the number of pixels) which is used as a secret treasure map to scatter bits the message throughout the image. Further output of SecureRandom acts as a simple XOR cypher upon the payload message.

Without the password we don't even know which bit of what pixels and in what order contain the encrypted message. We are not even sure there IS a message. It could just be a wonky JPEG encoder.

Any kind of REAL cryptanalysis, linear or differential, is waayyyyy out of our league. And the password is always going to be the weakest part of the system. Efficient and smart password guessing is really the only option.

If you want to see the exact details you can download it directly from Oracle. https://download.java.net/openjdk/jdk8/

Anonymous ID: 0146c4 Aug. 5, 2018, 7:37 a.m. No.2463615   🗄️.is 🔗kun   >>3782

>>2463526

Thanks for the reply. I noticed the message byte XOR with a random byte after the fact, so yea I don't think we can reconstruct the first steps of 'the map'. If we are to take the brute force approach tho, I would suggest we patch F5.jar to short circuit if the first message byte doesn't come out as expected. We can also make it retry different passwords without reloading too to save some more time (instead of decompressing the image over and over again, reading disk, etc). Just some ideas.

Anonymous ID: 0e2334 Aug. 5, 2018, 7:56 a.m. No.2463782   🗄️.is 🔗kun   >>3803 >>9749

>>2463615

That is exactly what I did immediately.

Lines 147 to 149. I also early abort if the 32bit message length comes out as an unreasonable number. It should never be more then a couple kilobytes.

 

BruteCrackPK.java. Give it a file and feed it lines through STDIN. I haven't got around to multithreading it. So just run it in four terminals.

https://pastebin.com/hu1nZLLn

 

When ( if ) I ever stop getting distracted by side projects, I intend to make a C based implementation. There are a lot of steps between the five state integers in the SHA algo and the permutation table could be trimmed down.

Anonymous ID: 0e2334 Aug. 5, 2018, 7:59 a.m. No.2463803   🗄️.is 🔗kun

>>2463782

  • Add the above to the F5-steganography files from here. Drop in next to Embed and Extract compile.

https://github.com/matthewgao/F5-steganography

Anonymous ID: d68afe Aug. 5, 2018, 9:39 a.m. No.2464928   🗄️.is 🔗kun

 

ANONS

 

Found an old password used by Robert the Bruce in Aberdeen….

 

"Bon-Appart" tgry with and without dash. Try capital and lower-case. try backwards.

 

==Please try for password on all Q pics you can and POTUS tweet pics"

Anonymous ID: fb35f4 Aug. 5, 2018, 12:20 p.m. No.2467100   🗄️.is 🔗kun   >>7430

>>2463526

This paper talks about detecting F5 by analyzing the histogram of DCT coefficients. I suspect this may be a more accurate means than stegdetect.

https://ws2.binghamton.edu/fridrich/Research/f5.pdf

Anonymous ID: 1b4548 Aug. 5, 2018, 2:31 p.m. No.2469199   🗄️.is 🔗kun   >>9375 >>9702 >>9816

>>2376493

>>2463526

>>2402121

>>2461532

With PixelUnknot code, is this kind of the workflow it's taking?

 

get wordlist string ~ "lovely8unch0fcoconut$"

test last third string "oconut$" in e.extract(coeff, ostream, extractF5Seed(mPassword))

if matched, test DecryptWithPassword with string "lovely8unch0fcoconut$"

return secret message

else, get new wordlist string

 

or ist it doing this?

 

get wordlist string1 ~ "oconut$"

test string1 "oconut$" in e.extract(coeff, ostream, extractF5Seed(mPassword))

if matched, crunch wordlist string2 with 2x length of string "oconut$" ~ "lovely8unch0fc"

test DecryptWithPassword with string "lovely8unch0fc"+"oconut$"

return secret message

else get new string2

else get new string1

Anonymous ID: 745039 Aug. 5, 2018, 2:36 p.m. No.2469295   🗄️.is 🔗kun   >>2406

>>2371551

>>2371666

>0_PDlwBQSymrdu7_5D[1].jpg

 

can't get over this filename…

what software renames files with square brackets [1]?

seems more like a Q post

 

[1]D5 7udrmySQBwlDP 0

 

found an automated cryptogram solver https://quipqiup.com/

 

7udrmySQBwlDP = 7in the COMpaNY

 

Q says less than 10 can confirm, read somewhere that 3 were non-military, would leave 7 in the company

 

[1]D5_7in the COMpaNY_0

 

maybe reading tea leaves here

 

still brute forcing…

 

(pic unrelated)

Anonymous ID: 745039 Aug. 5, 2018, 2:40 p.m. No.2469375   🗄️.is 🔗kun

>>2469199

 

right now the code

https://github.com/banona/PixelUnknot/blob/master/src/q/Main.java

loads the words from the file and tries it (and every substring of the end over 3 chars) to decode the f5 layer. it early exits if the chars don't match the PixelKnot special string '—-*' and if it finds one it will print out the pass and exit. this would be the last 1/3 of the password and we can change the code back to try to decode the rest

 

this code is a little better, tries the word backward and forward and prints out the progress

 

https://pastebin.com/ZRUAzEPh

Anonymous ID: fb35f4 Aug. 5, 2018, 2:57 p.m. No.2469702   🗄️.is 🔗kun   >>9816

>>2469199

Neither. For detecting F5 it's analyzing the DCT histogram of the image in comparison to the (predicted) histogram of the original image before F5 data was embedded.

Anonymous ID: 745039 Aug. 5, 2018, 2:59 p.m. No.2469749   🗄️.is 🔗kun

>>2463782

 

anon multithread it like this:

 

Files.readAllLines(filePath, StandardCharsets.ISO_8859_1)

.parallelStream()

.forEach(line -{

// your code

});

 

see https://pastebin.com/ZRUAzEPh

Anonymous ID: fb35f4 Aug. 5, 2018, 3:03 p.m. No.2469816   🗄️.is 🔗kun

>>2469199

>>2469702

Fuck sorry answering the wrong question… apparently I have two IDs but still getting my (you)s

 

>get wordlist string ~ "lovely8unch0fcoconut$"

>test last third string "oconut$" in e.extract(coeff, ostream, extractF5Seed(mPassword))

>if matched, test DecryptWithPassword with string "lovely8unch0fcoconut$"

>return secret message

>else, get new wordlist string

What I uploaded is like this, except it is modified to only do the F5 seed portion - the output of the string generator gets passed directly

<e.extract(coeff, ostream, mPassword)

Anonymous ID: 745039 Aug. 5, 2018, 3:47 p.m. No.2470605   🗄️.is 🔗kun

>>2397994

>>2398717

 

java has supported writing jpeg in imageio since 5

why do medium.com images look like they written by a modified james jpeg encoder?

they didn't always have the same header, changed after 2013

f5 encoding something in the images?

Anonymous ID: 0146c4 Aug. 5, 2018, 5:50 p.m. No.2472406   🗄️.is 🔗kun   >>9397

>>2469295

The [1] is new actually. When I first pulled the file it was not there. Only after 'scrubpocalypse' last teusday evening did I look again and saw [1] added on the chan archives. Was strange.

Anonymous ID: d68afe Aug. 6, 2018, 2:27 a.m. No.2477411   🗄️.is 🔗kun

 

passwordFags

 

Try Vanguard or vanguard (backwards/mirrored also) on ALL NXIVM or Allison Mack pixelKnot images dealing with them… run it on auto if possible on everything

Anonymous ID: 745039 Aug. 6, 2018, 8 a.m. No.2479397   🗄️.is 🔗kun   >>9932 >>1143 >>1502

>>2472406

 

https://archive.4plebs.org/pol/thread/170109703/

 

it was [1] on the /pol/ post

 

HERE is the evil eye on medium

 

different size same filename

 

https://medium.com/fgd1-the-archive/cbs-logo-1951-510fe0d2607b

 

that makes all of the images that anon have found matching the pixelknot header that were originally on medium.com

Anonymous ID: 0146c4 Aug. 6, 2018, 8:53 a.m. No.2479932   🗄️.is 🔗kun

>>2479397

I mean that it wasn't one on the archives before Tuesday. They CHANGED the archives. PixelKnot adds '_#' for conflicting filenames, so it wasn't from that. I literally downloaded a steg'd version from the archive without the [1]. plz no gaslight.

Anonymous ID: 0e2334 Aug. 6, 2018, 10:29 a.m. No.2481143   🗄️.is 🔗kun

>>2479397

That's odd. I found the same image on Medium last week and it had the same hash as the one from /pol/. Now it doesn't. It has indeed been changed. And the archive now has one with yet a different hash.

Someone is cleaning up. Good thing we have offline backups.

Anonymous ID: 0e2334 Aug. 6, 2018, 10:53 a.m. No.2481502   🗄️.is 🔗kun

>>2479397

All of the files from our reduced set all traced back to Medium, Motherboard, or Flipboard. And I spot checked a few of them last week; and the files from there had the same hashes as on their source sites.

Anonymous ID: 9db91f Aug. 6, 2018, 10:57 a.m. No.2481567   🗄️.is 🔗kun

It’s amazing the pushback I get from my own, they think I’m crazy when sharing Q. They give me every reason to prove the Great Awakening false. But I know better than they and push that they might also consider. They don’t believe me when i speak about the gospel either or the covenant our True God made with mankind.

 

“A prophet is not without honor, except in his own country, and his own kin, and in his own house.”

Anonymous ID: 0146c4 Aug. 6, 2018, 11:27 a.m. No.2482058   🗄️.is 🔗kun   >>2651 >>0756

Heads UP, they may be changing the stego in their comms:

https://boards.4chan.org/pol/thread/181352394

https://boards.4chan.org/pol/thread/181366397

Filenames have a funny ~2 at the end, ironically they re-used the photo from a previously identified stego in their 'screenshot'.

Anonymous ID: 745039 Aug. 6, 2018, 12:05 p.m. No.2482637   🗄️.is 🔗kun   >>5792

Going back to Q Silverman drop

>>2305975

 

the file in the drop is IMG_382.jpg which didn't have the PixelKnot header or stegdetect didn't find anything… but the next day this post shows up on pol with IMG_0457.jpg and stegdetect thinks it has something (maybe false positive, not pixelknot header)

Anonymous ID: 0146c4 Aug. 6, 2018, 12:06 p.m. No.2482651   🗄️.is 🔗kun

>>2482058

another one:

https://boards.4chan.org/pol/thread/181352041

 

https://boards.4chan.org/pol/thread/181367598

 

$ md5sum 1533557639424.png

9f4a2a5c8b07b183e2de8fd4908c77aa 1533557639424.png

$ md5sum 1533557639424~2.png

1831a96086323b3994c9caa924467cb4 1533557639424~2.png

 

The ~2 may actually be the chan's way of handling duplicate filenames.. odd the md5s are different however. saw something said something.

Anonymous ID: 745039 Aug. 6, 2018, 2:52 p.m. No.2485093   🗄️.is 🔗kun   >>6032

LOOKS LIKE A TRAP

 

Reddit post about PixelKnot looks like a honeypot

 

USE A VPN/PROXY/TOR

 

CORRECT PASSWORD Red Pill

==

Do you have the skills to handle dangerous files? Want to help take down the cabal? Go here - <URL SHORTENED>

==

 

leads to https://pinkbunnies.club/whiterabbit/blog/12/the-final-countdown

 

picture has the JFIF header so it was made with an older version of PixelKnot (from the download page)

 

seems like a huge time waste or trap to catch people like us

be aware

Anonymous ID: 0e2334 Aug. 6, 2018, 8:14 p.m. No.2490756   🗄️.is 🔗kun   >>0855

>>2482058

CM has been doing that here too, but without changing the filenames. After we found a easy way to spot the products of the weird JPEG encoder used by PixelKnot (hash the first 100 bytes) images posted here with that characteristic started being reencoded behind the scenes. 4Chan has probably heard by now and is doing the same.

Anonymous ID: 0b6cd6 Aug. 6, 2018, 8:20 p.m. No.2490855   🗄️.is 🔗kun   >>1957 >>2592 >>3839 >>1648

>>2490756

FYI - CM / 8ch is NOT altering originals.

 

It's CloudFlare. When snagging the originals gotta make sure to bust the caching front ends.

 

A simple "?13245123" or something random at the end of the filename will help.

 

Also: curl -H -vvvv is your friend.

 

Finally: the jpeg header hex signature isn't a 100% guarantee it's PixelKnot. All it says is that the image has been through some sort of image editing tool.

 

The more you know…

Anonymous ID: 0e2334 Aug. 6, 2018, 9:45 p.m. No.2491957   🗄️.is 🔗kun   >>2592 >>2625

>>2490855

I posted this image that I made with PK,

>>2384816

 

It has been totally reencoded. It's not a case of them appending a few bytes.

8chan uses the SHA256 sums of files when they're uploaded to uniquely identify them. Grab a random file from around here and check it. The SHA256 hash of the above impostor is now

e27a833560d84ee9260920b61f8ec4de287386b2eddd22774c885b929b32b38b

They would never just stick extra bytes onto the end of a file. And they have no reason to "bust the cache" for guaranteed uniquely named static content. It's only files missing their JFIF headers that are mysteriously changing.

Anonymous ID: 0146c4 Aug. 6, 2018, 10:42 p.m. No.2492592   🗄️.is 🔗kun

>>2490855

failed to confirm, avatar.jpg still doesn't extract correctly when fetching uncached with ?blablabla.

 

>>2491957

did you post the password somewhere for that photo? I can run a test on my end to confirm.

Anonymous ID: ea52ce Aug. 7, 2018, 1:01 a.m. No.2493839   🗄️.is 🔗kun

>>2490855

 

The more you know, you mean? I have confirmed this myself, files were altered on here on last Tuesday sometime. Someone got worried and started re-encoding files on the back-end. AFAIK they only did it in once, on last Tuesday, this was to prevent us from finding more images that were uploaded. So basically we have whatever we have archived, everything beyond that point is likely lost forever.

Anonymous ID: 745039 Aug. 7, 2018, 1:19 p.m. No.2499435   🗄️.is 🔗kun

playing with medium.com images, the URL has the maxfilesize and you can change it to get different size images. all of the results have headers exactly matching the PixelKnot header (only the image size changes)

 

https://cdn-images-1.medium.com/max/300/1*WkosvaZ2ARJ2hnmXFs02Ow.jpeg

 

https://cdn-images-1.medium.com/max/1024/1*WkosvaZ2ARJ2hnmXFs02Ow.jpeg

 

https://cdn-images-1.medium.com/max/4000/1*WkosvaZ2ARJ2hnmXFs02Ow.jpeg

 

must be a server side transcoder doing the header stripping (or adding f5 steg?)

 

a little weird that some .png images are actually .jpg

 

https://cdn-images-1.medium.com/max/2000/1*QbhKIMLavtBdrZI_-DJxtQ.png

 

https://cdn-images-1.medium.com/max/500/1*QbhKIMLavtBdrZI_-DJxtQ.png

Anonymous ID: 1eb45a Aug. 9, 2018, 12:19 a.m. No.2521648   🗄️.is 🔗kun   >>1685 >>5416

>>2490855

I agree. I uploaded a test image last bread. The hash hasn't changed (I checked against my own copy). Downloading the file and running sha256sum returns an identical hash.

 

>>2346641

Test image I uploaded in this comment still works. sha256sum starts with 3b51fbf. Right clicking on the file link, pasting the link to download with wget works. Use the link on the left side (with a hash). Using the one on the right side (user-friendly filename) resulted in a different sha256sum.

 

Downloading using the link on the right side had a different hash.

$ cd /tmp$ wget https://media.8ch.net/file_dl/3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg/pixelknot_test_image.jpg--2018-08-09 00:13:11-- https://media.8ch.net/file_dl/3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg/pixelknot_test_image.jpgResolving media.8ch.net (media.8ch.net)... 104.20.44.57, 104.20.43.57Connecting to media.8ch.net (media.8ch.net)|104.20.44.57|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 21247 (21K) [image/jpeg]Saving to: ‘pixelknot_test_image.jpg’pixelknot_test_image.jpg 100%[=>] 20.75K 62.1KB/s in 0.3s 2018-08-09 00:13:13 (62.1 KB/s) - ‘pixelknot_test_image.jpg’ saved [21247/21247]

 

Downloading using the link on the left side had the correct hash.

$ sha256sum pixelknot_test_image.jpgb8fb084705fb6301e6313c5207e8a71d39d4bbd850fc568dfd90bf99006c0b01 pixelknot_test_image.jpg$ $ wget https://media.8ch.net/file_store/3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg--2018-08-09 00:14:13-- https://media.8ch.net/file_store/3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpgResolving media.8ch.net (media.8ch.net)... 104.20.43.57, 104.20.44.57Connecting to media.8ch.net (media.8ch.net)|104.20.43.57|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 28771 (28K) [image/jpeg]Saving to: ‘3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg’3b51fbf8b6a2597e1e31ca33c6b8 100%[=>] 28.10K --.-KB/s in 0.1s 2018-08-09 00:14:13 (223 KB/s) - ‘3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg’ saved [28771/28771]$ sha256sum 3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98 3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg$

Anonymous ID: 1eb45a Aug. 9, 2018, 12:25 a.m. No.2521685   🗄️.is 🔗kun

>>2521648

Oops, I split the terminal output at the wrong spot. The first line in the second section should have been at the end of the previous section. Also, extra characters were added to the beginning of the download urls by the board apparently. So not the best example, but the point is to download using the left link (the one with the hash, not the user-friendly filename).

Anonymous ID: 66c715 Aug. 9, 2018, 10:29 a.m. No.2525416   🗄️.is 🔗kun   >>5792 >>9049

>>2521648

Curious. The originals have all been restored.

 

Anyway, this thing seems to have fizzled. There is a legitimate explanation for all of the spoopyness that we have been examining. It's coming from Medium's weird backend image resizing code. They appear to be using the same funky Java-based encoder library from the late '90s that's only other use was in the F5 stegano demo code, also from the late '90s, which is what PixelKnot is based around.

So I think I might switch teams and instead work on patching all the problems with F5 and PixelKnot. ;)

Anonymous ID: 745039 Aug. 9, 2018, 11:03 a.m. No.2525792   🗄️.is 🔗kun   >>3601 >>7164

>>2525416

>this thing seems to have fizzled

 

in the first thread the shills were full force when we were digging on the silverman photo but after we started brute forcing the images .zip that anon posted with the medium.com images the clowns went away

 

time to circle back, figure out where we got off course

>>2300468

 

>>2298335

Put to death, therefore, whatever belongs to your earthly nature: sexual immorality, impurity, lust, evil desires and greed, which is idolatry. 6 Because of these, the wrath of God is coming.

-Colossians 3:5

Your evil has no place in this world.

Q

 

>>2298388

The author of the post…..

The face is never the author.

Direct comms come in many different forms.

Q

 

>>2298430

How do you hide a message in clear sight?

Q

 

>>2298508

You'd be amazed how much is shared on /pol/.

Data exchange.

https://guardianproject.info/apps/pixelknot/

Q

 

Q didn't say if /pol/ was 8ch or halfchan

 

the silverman photo in the drop is IMG_182.jpg, i haven't been able to find that one. every one i have found stegdetect comes up negative

 

the inverted one posted on /pol/ IMG_0457.jpg though does

 

>>2482637

Anonymous ID: 128651 Aug. 9, 2018, 3:49 p.m. No.2529049   🗄️.is 🔗kun   >>3601

>>2525416

 

Very strange indeed. The fuckery occurred on Tuesday July 31st. I believe the following day I uploaded an image here and downloaded it the following day, and it was unchanged from the OG (still had PK header – missing JIFF). The following days I downloaded an image that I had uploaded prior to the 'fuckery', and it had the JIFF header (and wasn't a PK file). I just downloaded the same image now, and it's been restored and is the same as the one I uploaded prior to the 'fuckery' on July 31st.

 

Hard to know if all the files have returned to the originals, maybe some of the F5 files that had important messages were never restored.

 

I think we should work on a distributed BF tool, would be great if it could be done is JS, so we can have people just visit a website and have it go. There is a f5 JS stego, but it's not compatible with this one, but perhaps it could be altered to be compatible.

Anonymous ID: 66c715 Aug. 9, 2018, 8:33 p.m. No.2533601   🗄️.is 🔗kun

>>2525792

>time to circle back, figure out where we got off course

Agreed. If we are to continue then we should focus on the SS photo. And we should look beyond PK and F5. Other stegano programs may leave telltale traces on the structure of their output JPEGs that could help narrow the search for the right method.

As far as I know this (pic related) is the original SS file. It was being passed around early and it's size matches the 4Chan screen caps.

SHA1: f1335a1095a3ae15094e0a09e1cb83e5679dda26

 

>>2529049

We can tell that they are originals if their SHA256 hash matches the links in archived threads (8chan hashes all uploaded files and uses that hash on the back end as a easy way to eliminate redundancy what the same memes keep getting uploaded numerous times). I haven't noticed links to the file_store ever changing, not even what the files stored under a given hash have changed.

Anonymous ID: 71ccb4 Aug. 9, 2018, 9:16 p.m. No.2534389   🗄️.is 🔗kun

>>2371258

>YOU CAN HELP

 

>look at the old posts, at the id of the post and replies

>find the originals

>figure out clues for the keys

 

Or, alternately, you could just go to 4chan where Q gets all his info and get it yourself. You're in a messageboard roleplaying game and you don't even know it. But oh well, carry on detectives

Anonymous ID: 757a03 Aug. 10, 2018, 2:31 p.m. No.2544659   🗄️.is 🔗kun

8 char password.

So he wanted it hackable or he is fake. why wouldn't an intel person add another char or 2?

That would make it infinitely harder to crack. So either Q is a genius or a complete moron.

 

Pamphlet is a moron soooooo… who knows?

Anonymous ID: 757a03 Aug. 10, 2018, 2:34 p.m. No.2544712   🗄️.is 🔗kun

>>2541994

I think this was done on purpose by Q's Peeps to give some insight or help with hacking the STEG images. We have been asking for help, maybe this is it!

Anonymous ID: 66c715 Aug. 12, 2018, 3:43 a.m. No.2567164   🗄️.is 🔗kun   >>0246 >>3936 >>2913 >>4497 >>4509

>>2525792

I finally quit screwing around and got that C-based cracker I've been talking about to a (unfinished but) usable state. It's a bit faster than the Java code, but not by as much as I had thought. I have newfound respect for the JIT compiler.

(You can probably tell from my folk-code that I'm not a professional programmer. I'm a welder and machinist at a widget factory. All that I know about coding I learned through many late segfault filled evenings. )

 

https://nofile.io/f/NB4x9EOZYd3/BruteCrackF5.zip

Anonymous ID: 66c715 Aug. 12, 2018, 4:35 a.m. No.2567296   🗄️.is 🔗kun   >>3936

>>2567227

…because we don't know what software was used… or if there is even anything there.

Q linked to the PixelKnot app. PK leaves behind a very distinctive signature in the JPEG file that does not exist in the Sarah Silverman pic. So either 1) it's a modified version of PK made to fix its weaknesses, it's and entirely different program, or there is no hidden data and Q was simply citing PK as an example of the sort of thing that is widely uses on the Chans.

If there is an expectation that were are to crack this thing then we are going to need more clues.

Anonymous ID: 745039 Aug. 12, 2018, 3:08 p.m. No.2573936   🗄️.is 🔗kun   >>6121 >>0354 >>4497 >>4509

>>2567164

 

might be able to easily turn this into CUDA code and run on a GPU

 

>To do this, all I have to do is add the specifier global to the function, which tells the CUDA C++ compiler that this is a function that runs on the GPU and can be called from CPU code.

>add the specifier global to the function

>The key is in CUDA’s <<<1, 1>>>syntax. >tells the CUDA runtime how many parallel threads to use for the launch on the GPU

 

https://devblogs.nvidia.com/even-easier-introduction-cuda/

 

>>2567296

 

or the silverman pic was a clue to an actual encoded images, or we're going get some images later

 

until we find find what Q was pointing us to we can keep working on the tools to decode/detect them

 

>>2567296

 

>silently abandoned (because the approach was ill-defined and doomed to fail)

 

still here, still digging

keep calm, clown on

Anonymous ID: 745039 Aug. 15, 2018, 9:31 p.m. No.2622913   🗄️.is 🔗kun   >>4497 >>8550 >>4509

had to travel

scary all the airplane/airport goings on

 

>>2580354

no when i saw the silverman pic wasn't made by pixelknot i stopped

i did all rockyou (suffixes + reverse) on the evil eye

 

>>2576121

751+250 = 1001 posts into this dig

previous bread >>2300468

and now…

 

>>2567164

looked closely and I think what you did is perfect for GPU

This Coudl Be A Game Changer

setting up a CUDA dev environment now

my plan:

>rip the guts out of your code

>fill array with coeff and initial scramble

>fill array with passwords to try

>decode<<<>>>()

>returns array with 16 bytes of decode for each pass

>if any decodes start with PKZIP password string then bingo

 

still need more target images

 

what if the pixelknot header was changed to help them blend into the medium.com images?

Anonymous ID: 96faf4 Aug. 16, 2018, 1 a.m. No.2624689   🗄️.is 🔗kun

>>2576121

They just want to be spoon feed now, liked zoo animals who have lost the talent to hunt and are just bored and lazy.

 

Then they can still tell all their friends about how they researched and gave it to Q to a take action.

 

After all do you think Lenin & Trotsky did any street fighting in their revolution?

Anonymous ID: 9c0fb3 Aug. 16, 2018, 9:48 a.m. No.2628550   🗄️.is 🔗kun

>>2622913

>looked closely and I think what you did is perfect for GPU

Really? The random series generation is pretty straight forward. But the permutation stage is all out-of-order memory access. And the decrypt stage is very heavy in conditional branching.

 

>still need more target images

https://pastebin.com/Mj4d1jXM

Anonymous ID: 9c0fb3 Aug. 17, 2018, 8:05 a.m. No.2643661   🗄️.is 🔗kun   >>6329

It doesn't look like spidering through chan sites looking for PK images is going to work. 8chan has started reencoding again. And I tested halfchan: they don't fully reencode, but do add the missing JFIF header. Game forums are likely going to be the same way.

So until Q points at a image and says, "This pic contains a hidden message and was used by No Name to arrange a weapons sale. Have at it boys!" then I don't think there is anything left for us to do with this.

Anonymous ID: 745039 Aug. 17, 2018, 12:06 p.m. No.2646329   🗄️.is 🔗kun   >>6891 >>1955 >>4509

>>2624497

the initial code port to CUDA can decode a test image!

 

F5 BRUTE FORCE FOR NVIDIA GPU

F5 BRUTE FORCE FOR NVIDIA GPU

F5 BRUTE FORCE FOR NVIDIA GPU

https://anonfile.com/abW6X6fdb1/F5CUDA.zip

https://anonfile.com/abW6X6fdb1/F5CUDA.zip

https://anonfile.com/abW6X6fdb1/F5CUDA.zip

F5 BRUTE FORCE FOR NVIDIA GPU

F5 BRUTE FORCE FOR NVIDIA GPU

F5 BRUTE FORCE FOR NVIDIA GPU

 

>>2643661

>they don't fully reencode, but do add the missing JFIF header

 

did you post a pixelknot image to halfchan and then download the resulting image? could you zip both and post?

Anonymous ID: 9c0fb3 Aug. 17, 2018, 8:16 p.m. No.2651955   🗄️.is 🔗kun   >>7461 >>2077

>>2646329

>could you zip both and post?

https://nofile.io/f/RjoJ4qr4dXX/4chan_transmogrification.zip.zip

Same DQT and DHT chunks. And the image scan is (or at least starts out) identical. They must have some little script that slips in the APP0 chunk if it's missing.

 

>>2646891

Wow. How does this compare with the CPU alone? I know you have a monster of a system.

Anonymous ID: 3b8834 Aug. 17, 2018, 9:43 p.m. No.2652801   🗄️.is 🔗kun   >>2077

>>2650867

 

I hacked together a makefile from the CUDA samples and compiled it, but I'm having issues running CUDA samples so I can't tell if the program works.

 

I'll post more once I verify it's working.

Anonymous ID: a24eff Aug. 17, 2018, 9:49 p.m. No.2652860   🗄️.is 🔗kun

>>2371258

 

Q Said "These people are dumb" a thousand times.

 

Has anyone looked to see if they openly emailed the password for Pixelnot when trying on the Wikileaks Podesta leaks pictures?

Anonymous ID: 66b620 Aug. 18, 2018, 4:17 a.m. No.2655048   🗄️.is 🔗kun

You have More Than You Know.

 

Has anyone used Pixelknot on Q Proofs or posts?

I don’t know how or I would.

Anonymous ID: 745039 Aug. 18, 2018, 11:47 a.m. No.2657955   🗄️.is 🔗kun   >>7981 >>8832 >>4366

7/26/18

>>2298508

You'd be amazed how much is shared on /pol/.

Data exchange.

https://guardianproject.info/apps/pixelknot/

Q

 

7/25/18

this infographic has pixelknot header posted in 8ch/pol meta info thread

>>>/pol/11622450

>>>/pol/11910255

https://8ch.net/pol/res/11622450.html#q11910255

Anonymous ID: 63e9b0 Aug. 18, 2018, 12:28 p.m. No.2658285   🗄️.is 🔗kun   >>8485

Hi anons heres one to check ? the attachments on podesta emails linked in Q1917 just white rectangle or just placeholder for missing data or something?

https://wikileaks.org/podesta-emails/emailid/50428

Anonymous ID: 7fd60f Aug. 19, 2018, 1:03 a.m. No.2664366   🗄️.is 🔗kun   >>4509

Some new computer parts arrived (pic related). New case doesn't fit where the old one did, which set off a cascade of furniture rearranging and reorganizing that spread to three rooms. So I've been busy.

 

>>2657955

>>2657981

F5.jar doesn't support progressive-scan JPEGs and handles them ungracefully. That's probably what it is.

 

>>2658832

That Raid on is interesting. I found a version of that pic without a JFIF header but a different hash here:

https://www.mantiseyes.com/bug-repellent-for-house.html

And another version with a JFIF header but the same hash-like filename as the above here,

https://www.dollargeneral.com/raid-flying-insect-killer-18-oz.html

 

The Google reverse image search also weirdly leads to these sketchy links, which bounce of a rotation of domain names an ultimately lead to a porn game:

https://sceneups.com/buy-mosquito-killer-spray-inspired.aspx

https://cancer-treatment.info/cancer/raid-day-and-night-instructions/

Anonymous ID: 7fd60f Aug. 19, 2018, 1:12 a.m. No.2664402   🗄️.is 🔗kun

>>2658832

The notebook one is from here, a Medium satellite site:

https://amandagrimmett.com/keeping-notebooks-organized-915f4488f594

I was able to find it despite 8ch reencodeing it (but the hash of the file from the Medium site matches the 8chan filename.)

I know that I was that first person to open the Raid image link because the file I got, the first time, matched its hash and was without its JFIF header. 8chan's reencoding appears to be triggered after a file is first accessed.

Anonymous ID: 43ad21 Aug. 19, 2018, 11:27 a.m. No.2667764   🗄️.is 🔗kun   >>5870

>>2373165

Sorry to bother. Seems you're talking about images from elsewhere when you say pixleknot. I think this pic is using stenography. posted twice on research board and noone's picked it up. Look a the the hand. Who would take a selfie of THAT hand? Medallion belong there? What is the appropriate term for a hidden image-in-image when it's directly related to board topics? Thank you.

Anonymous ID: 7fd60f Aug. 19, 2018, 4:06 p.m. No.2670779   🗄️.is 🔗kun

>>2658832

For us to be successful in eavesdropping on the badguys' comms we need three things: Software, Image, and Password.

If we have a password then we can crawl image boards and game forums and try it against a millions of images. If We are given a single image with assurances from on high that it is a target then we can try billions of passwords. But we cannot try billions of passwords against millions of images. That is simply beyond the resources of a few guys with desktops. And we can't do anything if we don't have access to the same software that they are using. Q pointed to PixelKnot. But that could have been merely an example. The C_A would likely have developed their own stego system; and this could have been shared with their civilians cohorts.

But even if we assume on variable we cannot solve for the remaining two with the resources available. It would require an awful lot of luck. If any wizards or warlocks would like to give us a hint, they have my PGP key (they also have the secret key that I use for this. I emailed it to myself knowing there is nothing yummier to the NSA's systems than a PGP secret key packet transmitted in the clear).

 

The only stone left for me to turn over is this variant of the F5 algo I found on GitHub:

https://desudesutalk.github.io/f5stegojs/

https://github.com/desudesutalk/desudesutalk/wiki/How-to-use-this-script

While testing various stego programs with long and short messages in large and small files in search of clues to how the SS pic might be encoded, F5steg.js stood out. I've never written a line of JavaScript in my life. But perusing the code, it looks like it's doing basically the same thing as the baseline F5 algo. So it's strange that stegdetect can barely catch a whiff of it, even when a image is loaded to max payload capacity. I found that stegdetect can find F5 even with very sort messages in very large files. (passwords "redhead" and "pepe"). I haven't worked out yet what F5steg.js is doing so differently to evade detection. But given that this is specifically designed for image boards and is available as a browser plugin I think we should find a way to detect its handywork and make an efficient cracking program similar to the one for PK/baselineF5.

Anonymous ID: 745039 Aug. 23, 2018, 8:14 a.m. No.2712077   🗄️.is 🔗kun

>>2652801

compile like so

>nvcc kernel.cu -o kernel

 

>>2651955

 

using a 1080 but it's my main display so it gives me trouble

 

fired up an aws instance with a Nvidia Tesla M60 with the cuda and it's slower than my i9

 

waiting for access to a V100

Anonymous ID: 745039 Aug. 24, 2018, 9:15 a.m. No.2723413   🗄️.is 🔗kun

still sifting through 8ch/pol images and found 2 more which led me to figure out where the RAAID image came from - walmart.com - images from walmart.com are false positives for detect.py but when you look closer at the rest of the header doesn't match

 

https://www.walmart.com/ip/Raid-Flying-Insect-Killer-18-oz/14862629

 

https://www.walmart.com/ip/Christmas-Lightshow-Projection-Points-of-Light-with-Remote-114-Programs/710904858

Anonymous ID: 745039 Aug. 24, 2018, 9:26 a.m. No.2723486   🗄️.is 🔗kun

it is 1 month after Q posts about pixelknot and /pol/ Data Exchange and we've learned

 

  • pixelknot on jpeg, header has unique signature and only last 1/3 of pass needed break f5 layer

  • halfchan re-encodes images, breaks f5 steno and can't be used for data exchange

  • false positive images from medium.com (and affiliates) and walmart

  • qresearch images found were from medium.com

  • 8ch /pol/ images found were from walmart

  • sara silverman pictures are not pixelknot

 

wild goose chase?

Anonymous ID: 745039 Aug. 25, 2018, 1:47 p.m. No.2734509   🗄️.is 🔗kun   >>7975

>>2664366

>>2646329

>>2646891

>>2624497

>>2622913

>>2573936

>>2570246

>>2567164

f5 cuda brute force using hashcat sha1

realized that hashcat has a faster implementation of sha1

it's in opencl, spent the morning porting to cuda

https://github.com/hashcat/hashcat/blob/master/OpenCL/inc_hash_sha1.cl

this version of the f5-cuda is more than 50% faster, get it while you can

 

https://anonfile.com/edn9xag8b2/f5-cuda.zip

https://anonfile.com/edn9xag8b2/f5-cuda.zip

https://anonfile.com/edn9xag8b2/f5-cuda.zip

 

compile with

nvcc kernel.cu -o kernel

 

looking for more target images, think I've ruled out everything I've seen so far

Anonymous ID: 745039 Aug. 25, 2018, 3:13 p.m. No.2735242   🗄️.is 🔗kun   >>5651 >>6327

here's is what i don't get - Q links to halfchan /pol/ image IMG_382.jpg and says data exchange on /pol/ with pixelknot

 

but half chan re-transcodes images breaking the stego, which is why that image didn't look like a pixelknot image

 

https://anonfile.com/U137x1g1b9/IMG_382.zip

 

so okay… MAYBE the silverman picture was made by pixelknot BEFORE it was posted to halfchan but it wouldn't be a way to exchange data

Anonymous ID: 3fc3ff Aug. 25, 2018, 3:59 p.m. No.2735651   🗄️.is 🔗kun

>>2735242

It's possible that {{{they}}} use their own system cooked-up by the C_A for use by their own spies and that PixelKnot was only a generic example of steganography.

Anonymous ID: 745039 Aug. 26, 2018, 1:10 p.m. No.2746327   🗄️.is 🔗kun   >>6706

>>2735242

 

played around with halfchan and Q4example.jpg - halfchan does re-encode the image but the message is still decodable

 

updated the pixelknot detection script to detect pixelknot image uploaded to halfchan along with those not, this will probably hit many false positives

 

it does detect the silverman picture as pixelknot

 

https://pastebin.com/Va79YcvC

Anonymous ID: 745039 Aug. 26, 2018, 1:42 p.m. No.2746706   🗄️.is 🔗kun   >>7276 >>9627

>>2746327

new pixelknot detection script

>detect pixelknot uploaded to halfchan

>https://pastebin.com/Va79YcvC

https://pastebin.com/Va79YcvC

>https://pastebin.com/Va79YcvC

https://pastebin.com/Va79YcvC

I was expecting more false positives, this is actually a sensible list of images that the script detected

new possible pixelknot images

https://anonfile.com/zaA300g3be/matches.zip

>https://anonfile.com/zaA300g3be/matches.zip

https://anonfile.com/zaA300g3be/matches.zip

>https://anonfile.com/zaA300g3be/matches.zip

Anonymous ID: 745039 Aug. 26, 2018, 3:48 p.m. No.2748092   🗄️.is 🔗kun   >>8657

>>2747975

sweet anon!

 

here's an updated version, I made a couple memory optimizations and added command line flags

 

>https://anonfile.com/B6O203gabc/f5-cuda-memopt.zip

 

coeff files for the new images

>https://anonfile.com/64O106g8b3/PixelKnotDetectCoeff.zip

Anonymous ID: 745039 Aug. 26, 2018, 4:45 p.m. No.2748657   🗄️.is 🔗kun

>>2747975

>>2748092

on the smallest coeff file i'm getting 6600 pass/sec on 1080 ti and 4900 on 1080

using –blocks 32 –threads 64

 

had to do the tdrdelay thing

https:// www.pugetsystems.com/labs/hpc/Working-around-TDR-in-Windows-for-a-better-GPU-computing-experience-777/

Anonymous ID: 8a5cb0 Aug. 26, 2018, 5:25 p.m. No.2749064   🗄️.is 🔗kun

There is also a Steg tool called Outguess. It is a linux command line tool. Not sure if anyone here has tried to use it to find stuff on pictures here…

Anonymous ID: 3fc3ff Aug. 26, 2018, 6:16 p.m. No.2749627   🗄️.is 🔗kun   >>3991 >>4886

>>2746706

Wait a sec… all you are checking for is that they are either missing the normal JFIF header, or have the normal header and are encoded with a 94% quantification table, like the SS pic. Then you check to see that they have the standard Huffman tables from the JPEG spec that is used by 99.9% of all the color JPEGs in existence.

But PK is hardcoded to always encode at 90%. And 4chan's JPEG recombobulator does not change the compression quality.

94% is not a number that a developer would hardcode as a default. That is a number from someone moving a GUI slider when exporting an image from Photoshop or GIMP. So if there is stego in the SS pic then it was done with a program that does not change the quality level.

You are forcing a match on the Sarah Silverman pic without explaining why that DQT is indicative of PixelKnot.

Anonymous ID: 745039 Aug. 27, 2018, 7:20 a.m. No.2753991   🗄️.is 🔗kun

>>2749627

uploaded q4example to halfchan and inspected what was the same, the order and location of the DQT and huffman table along some bytes of the huffman table

 

waiting on your improved version ;)

Anonymous ID: 745039 Aug. 27, 2018, 9:20 a.m. No.2754886   🗄️.is 🔗kun   >>6444

>>2749627

 

just for (You), updated the detect script to be more discriminating - no longer detects the silverman pic though

 

https://pastebin.com/MTGtP5gM

 

images that match

 

https://www.anonfiles.cc/file/7f26cd16e7b1826bd2992e320e6d1492

Anonymous ID: 745039 Aug. 27, 2018, 3:31 p.m. No.2757806   🗄️.is 🔗kun   >>7852

wget -P 4chan -nd -np -r -l 1 -e robots=off -H -D is2.4chan.org -A jpg,jpeg https://boards.4chan.org/pol/thread/<THREADID>

for F in 4chan/.jpg; do python detect.py $F; done

Anonymous ID: 96faf4 Aug. 27, 2018, 3:31 p.m. No.2757815   🗄️.is 🔗kun

>>2756489

Should be banned for incoherent rants.

 

Personal gratification that has no value for others

 

"Notice me - I am special"

 

Simply narcissist vanity

Anonymous ID: 745039 Aug. 27, 2018, 3:42 p.m. No.2757908   🗄️.is 🔗kun   >>8088

>>2757877

downloaded 1000 jpg from halfchan /pol/ and 5% of them match PK header, probably a bunch of false positives in there

 

58 more images

https://www.anonfiles.cc/file/5d851d451d0ab1ff888ef21d2f66b7a5

Anonymous ID: 745039 Aug. 28, 2018, 1:53 a.m. No.2764174   🗄️.is 🔗kun

>>2761102

post em and i'll take a look

 

the PK file sign is fairly uncommon, i've only found 178 jpg that match it

 

all the test images i have have the same DQT table, what i wonder is if pixelknot could have generated a different table like the silverman

Anonymous ID: 745039 Aug. 28, 2018, 2:27 a.m. No.2764328   🗄️.is 🔗kun   >>7218

>>2764199

 

out of a few thousand scanned jpg from halfchan, 178 matches

 

https://anonfiles.com/Z0ga55gab5/matches-178.zip

https://www.anonfiles.cc/file/a55807d2e7060a1e4e5e444a5c3d9f45

 

here's how

wget -P 4chan -nd -np -r -l 1 -e robots=off -H -D is2.4chan.org -A jpg,jpeg https://boards.4chan.org/pol/thread/<THREADID>

 

for F in 4chan/.jpg; do python detect.py $F; done

Anonymous ID: 3fc3ff Aug. 29, 2018, 8:22 p.m. No.2792806   🗄️.is 🔗kun

>>2786451

>>2783440

We can't tell with the naked eye. Re-encoding for whatever reason would do that. Have you checked that ONLY the non-zero AC coefficients have changed? If any DC coeff is different or if any AC coeff was was zero is non-zero, or vise versa, then you are looking at a false positive.

Anonymous ID: 745039 Aug. 31, 2018, 10:09 a.m. No.2817954   🗄️.is 🔗kun   >>6539

>>2371258

 

GOING OFF DUTY

 

can another codeanon take the ball?

need to care for self and family

 

updated pixelunknot github with my code changes

added gather.sh, detect.py, BruteCrackF5 and F5CUDA

 

https://github.com/banona/PixelUnknot

>https://github.com/banona/PixelUnknot

https://github.com/banona/PixelUnknot

>https://github.com/banona/PixelUnknot

 

GOING OFF DUTY

Anonymous ID: 3fc3ff Aug. 31, 2018, 7:54 p.m. No.2826539   🗄️.is 🔗kun   >>9316 >>7680

>>2817954

I'd take up the torch if I still believed this was feasible. But we have too many unknowns to solve for.

We can test a known password against millions of pics from image boards. Or we can try a billion passwords against a (confidently) known target image. But when trying to solve both unknowns the problem size increases beyond what is feasible for two guys with high-end desktops.

Anonymous ID: 745039 Sept. 3, 2018, 9:51 a.m. No.2859316   🗄️.is 🔗kun   >>7680

>>2826539

maebe this will help?

 

>>2858984

The cult color codes are

 

Green Forrest = "I am your plant"

Yellow Sunshine= "Gold/Reward"

Blue Ocean= "Info/Surveillance"

Red Fire= "Anger/Smear"

Orange Sunset= "End this now"

Anonymous ID: 9969c2 Sept. 11, 2018, 3:53 p.m. No.2981121   🗄️.is 🔗kun

Tried this too.

4767 5774 6a7a 4d6c 6330 666b 314a 3453 0000 0907 84b4 f787 7616 86f7 a737 5707 5736

https://www.rt.com/viral/363016-wikileaks-codes-assange-death/

Anonymous ID: f6d946 Oct. 2, 2018, 12:20 a.m. No.3291536   🗄️.is 🔗kun   >>1607 >>1018

This sucks, that this hasn’t gotten anywhere… Did anyone ever try passwords that anons without androids, have suggested? If breaking the code isn’t possible, then there must be clues. I was gonna try to get the app, but the day I decided to charge an old android, I met a stray, who needed a phone. Too cosmic, couldn’t resist.

Anonymous ID: c3c0f7 Oct. 2, 2018, 12:39 a.m. No.3291646   🗄️.is 🔗kun   >>6244

>>3291607

and securedrop

 

Maybe JPB stood for something different than the cabal

 

The doc of SecureDrop assumes the Organization Hosting SecureDrop (in

this case FPF)

• The organization wants to preserve the anonymity of its sources.

• The organization acts in the interest of allowing sources to submit documents, regardless of the contents of these documents.

• The users of the system, and those with physical access to the servers, can be trusted to uphold the previous assumptions unless the entire organization has been compromised.

• The organization is prepared to push back on any and all requests to compromise the integrity of the system and its users, including requests to deanonymize sources, block document submissions, or hand over encrypted or decrypted submissions.

 

What if the above is assumed, but the assumption's incorrect?

 

Sauce https://docs.securedrop.org/en/latest/threat_model/threat_model.html

Anonymous ID: 179bd7 Oct. 2, 2018, 3:31 p.m. No.3301018   🗄️.is 🔗kun

>>3291536

Long-time lurker, first time poster. No android, or stenanography exp but one "keystone" that sticks in my head is the masonic keystone.

>>>2336488 (pb)

Has HTWSSTKS been tried?

Ty for the work anons. Back to lurking…

Anonymous ID: cbacdb Oct. 5, 2018, 10:29 a.m. No.3348866   🗄️.is 🔗kun

When Washington and his troops crossed the Delaware and landed, the sentry troops we're told not to let anyone through that didn't have the password. The password was Victory or Death. Don't know if anyone has tried it yet.

Anonymous ID: 5fb619 Oct. 7, 2018, 6:41 a.m. No.3379774   🗄️.is 🔗kun   >>4298

This thread is still upsetting me. Q made it seem kinda easy, right? I gotta get my hands on this thing. For the pics, we have to find the original? Posting here changes it?

Anonymous ID: 42f321 Oct. 8, 2018, 11:37 a.m. No.3395995   🗄️.is 🔗kun   >>4063

>>3384298

I was thinking someone said reposting images here, changes the file, so then I thought we had to go outside the Chans to find the original… But if /pol is the point of data exchange, none of that makes sense. The only thing us new fags can offer you, is fresh perspective: brand new eyes. An eye for an eye is fine, if you give me yours and I give you mine.

 

Anyhoo… this whole thing is worth a read, but things start heating up in July (Coincidence? Pic related): https://8ch.net/pol/res/11847601.html#12010876

 

7/12: Syrian Electric Army

7/13: Coincidence pic: a sign? ID: adad33, def chosen.

7/15: Someone complaining about “gigantic pics about nothing”, says please stop in /crypto posts too. Did anyone find a correlation between file size?

7/22: “…most corrupt images have steg” = Good to know, anymore helpful tidbits floating around?

9/7: Post re: steg, poster ID: 000000, def chosen. Clearly someone with knowledge, lurking and checking images. Follow them? There are few real humans, choices limited. Also, this exchange almost seems scripted, dropping hints? The whole thread could be a set up, but who’s the trap set for? Us or them?

 

We’re trying to intercept black hat comms, right? They hang where it’s easy to mix with bots. Spot the difference, people are jaded and quick to dismiss. “How do you hide a message in clear sight?” Amongst other random images, possibly on a thread dedicated to such. These people are stupid, right? How do they get the password to each other? Always the same? I’d say try: JEWS, but that’s too easy. What’s one step up from “too stupid”? PW is file name?

 

Or else we’re being led to pol, to get the answers on HOW to crack the code/spot the images. Q doesn’t have to be “Q”, white hats have to have a way of being known too. Dark/Light, Mirror, blah blah blah… Haven’t gotten ahold of PK yet, handing off until then. If this is repeat info, super duper my bad. Am phonefag, hard to scroll. Using “find on page” tool to dig = annoying to the maxxxxx.

Anonymous ID: 42f321 Oct. 8, 2018, 11:56 a.m. No.3396244   🗄️.is 🔗kun   >>4063

>>3291646

I thought this was a good line of thinking too. But not sure where it leads. Good guys or bad guys? Did you get murdered as you were writing this? On the bright side, at least that means you’re over target.

Anonymous ID: 42f321 Oct. 8, 2018, 12:06 p.m. No.3396366   🗄️.is 🔗kun

>>3389253

Step 1: Get pixel knot at App Store/Google Play?

Step 2: Try that buddah image I posted, with the pw as the image file name. (Save from the original, within the thread that I linked below)

Step 3: Go through /pol yourself and see if you find any images/ideas OR scroll through everybody else’s ideas.

Step 4: Throw anything, see what sticks. Much appreciated.

Anonymous ID: 09f21a Oct. 11, 2018, 6:13 a.m. No.3437327   🗄️.is 🔗kun   >>7561

Non code fag here, apologize in advance if this is retarded. With the CBS logo. It should be pretty simple black and white. Can you overlay a "good" one and compare to the messaged one? Wouldn't there be differences in pixels from the "original" picture to the messaged picture? Can you test it by making a picture, putting in a simple message and comparing both.

Anonymous ID: 5e2135 Oct. 11, 2018, 8:56 p.m. No.3447338   🗄️.is 🔗kun

Hello pixelfag anon steganon fresh out the psych ward ( that ntv world order post got me sonically targetted) bantz

Anonymous ID: 09f21a Oct. 13, 2018, 5:57 p.m. No.3468757   🗄️.is 🔗kun

Been thinking about the pixel knot thing for a while. Non

code monkey/crypto fag.I am not sure you would need a

password to decrypt. I don't know alot of the language so it

may be rough in translation, I am more of a visual type.

 

Experiment: take a picture and run it through pixelknot.

Create new picture with the changes between the original and

the new pixelknot photo. This will create a template of the

changes to work with on the experiment. This may not be

necessary in the future, but it is a starting point. Run it

through an algorythm/formula and create a new pic. Do this

with 10K-100K algorythms.

 

It is my hypothesis that the static overlay will behave

slightly different than the hardcoded message. Maybe less

than 1/10th%. Create a program that looks for anomalies. A

couple of pixels in a straight line or curve. Overlay the

pics, all 10-100K and look for letters based on anomalies

that form possible letters in a stacked formation in the top

50% (or whatever).

 

I would liken it to creating waves in the picture and much

like looking for subs as the Chinese satelites are purported

to do with wave photographs. Or, like tuning into UHF, there

is alot of static, but you can see the words or image even

though it is not crystal clear. After doing this a few

hundred times, you may be able to analyze which algorythms

are more successful.

 

I don't know how much computing power that would take or if

anyone has that much. If this is viable, there is no need

to send anyone to knock on my door, I am just working on a

puzzle.

Anonymous ID: c3c0f7 Oct. 19, 2018, 1:03 p.m. No.3534063   🗄️.is 🔗kun

>>3396244

 

Thanks. Leads to the bad guys (some of them, anyway)

 

I think you are correct in >>3395995 re: hiding in plain sight where "people are jaded and quick to dismiss" and that the password is a simple one.

 

Admire you persistent Anons trying to crack the code.

Anonymous ID: 162c77 Oct. 24, 2018, 12:01 p.m. No.3588616   🗄️.is 🔗kun   >>3002

Dunno if anybody has suggested fotoforensic.com yet. Not necessarily helpful for the PK problem, but good for checking if images have been altered in general. The tutorials/challenges page was super helpful, if you don’t know much about what to look for/what the data tells you.

 

I haven’t found any other threads on /pol that look promising besides “lost content”, which is pretty dead now. There was mention of “crypto posts”, but haven’t looked beyond /pol. Cryptofags, where y’all hang out?

 

Do you think after all is said and done, if we haven’t gotten it by then, Q will throw us a bone?!?! This feels like a puzzle, when your dog eats half the pieces.