Hiding Links In Plain Sight With Bookmark Knocking

Have you ever been looking for a screwdriver, USB stick, or your keys, only to find them right where you left them in plain sight? We have. As many prolific geocachers know, hiding things out in the open is a great way to make sure that people overlook them. 

[Jacob Strieb] has been researching various ways to password protect and hide browser bookmarks in plain sight. He calls his latest technique “Bookmark Knocking” and he’s made a demonstration available on his Github account.

Why hide bookmarks to begin with? A browser’s bookmark collection can give away the habits, interests, and needs of the person who put them there. Bookmarks to gifts, domestic abuse support websites, and other private destinations might be best kept away from prying eyes.

Inspired by port knocking — opening connections to specific network ports in sequence to gain access through a firewall — bookmark knocking requires clicking bookmarks in a specific order to open a link. When the bookmarks are accessed in the proper order, the third bookmark reveals a hidden site. It’s not only a novel approach to hiding things in plain sight, it’s very cool to use! 

We especially appreciate [Jacob]’s motivation: Helping those who are vulnerable to protect themselves in any way possible. It’s a solid reminder that technology can be elevated to a higher stature when put to a noble use. Be sure to check out the demonstration so you can try it for yourself!

If camouflaging data flips your bits, you may want to look at a neat way to embed data right into bash scripts, or conceal a WiFi enabled microcontroller in a USB cable. Do you have your own favorite “hidden in plain sight” hack? Be sure to let us know through the Tip Line.

 

 

 

Linux Fu: Shell Script File Embedding

You need to package up a bunch of files, send them somewhere, and do something with them at the destination. It isn’t an uncommon scenario. The obvious answer is to create an archive — a zip or tar file, maybe — and include a shell script that you have to tell the user to run after unpacking.

That may be obvious, but it assumes a lot on the part of the remote user. They need to know how to unpack the file and they also need to know to run your magic script of commands after the unpack. However, you can easily create a shell script that contains a file — even an archive of many files — and then retrieve the file and act on it at run time. This is much simpler from the remote user’s point of view. You get one file, you execute it, and you are done.

In theory, this isn’t that hard to do, but there are a lot of details. Shell scripts are not compiled — at least, not typically — so the shell only reads what it needs to do the work. That means if your script is careful to exit, you can add as much “garbage” to the end of it as you like. The shell will never look at it, so it’s possible to store the payload there.

Continue reading “Linux Fu: Shell Script File Embedding”