What would you do if you had magic (agile) wand?

I am almost at the end of my journey towards the ICP-ACC learning path. To decode that – I am learning and acquiring new skills to become a better coach. My goal now is not to brag but to share a great thing I learned.

One of the stages of a coaching session is “Exploring.” As the title says, the goal is to help your coachee explore the problem area and get to the “aha” moment. 

To do that, I guide them with a series of questions using the knowledge from the previous steps. I found one of those questions very powerful. 

What would you do if you had a magic wand?

At first, I thought this was a stupid question and refused to ask it during my coaching exercise. Magic wand, right? Who am I? Gandalf?

Then I pushed myself to ask the question, and I was surprised by the result.

I asked the coachee why it happened like that. When he was in the middle of the problem root cause discovery, he realized he had some constraints set.

By asking this question, the coachee was encouraged to think wild, to forget about those constraints for a while. He was able to describe his ideal situation and path forward. He realized that those constraints are artificial, and he can ignore them. 

So what?

We often set limitations like that for ourselves, and most of the time, they are why we don’t take the step that could make us more successful. So, what would you do if you had a magic wand?

Steganography API at your service.

Steganography is the art and science of embedding secret messages in a cover message so that no one, apart from the sender and intended recipient, suspects the existence of the message. 

The most common example is to hide a message in an image file without compromising how the image looks. The majority of the people are using the photos to share a fantastic moment or two and don’t know that they can contain a secret message.

What could be the use-case?

Someone can hack your phone and embed your text messages in the pictures you take and share in, say, Instagram. 

A not so happy employee can post a picture on your blog with a secret message embedded in it to share some trade secrets with your competitors. 

Another person can embed an exploit in a PNG ads image; JavaScript code would parse the PNG image, extract the malicious code, and redirect the user to the exploit kit landing page.

Steganography also is a well know method for exchanging information between spies. 

Even if it sounds like science fiction, this is a very viable threat against your systems and you.

Steganography Protector API

I have created a small API (as a Proof of concept) that could discover a secret message hidden in any image file.  

The end-point is here:

https://sapigate.herokuapp.com/steg

It accepts POST requests only. 

The input should be JSON encoded, and it should consist of a binary stream of your image.

Here is a Python example.

import requests
url = 'https://sapigate.herokuapp.com/steg' 
my_img = {'image': open('secret.png', 'rb')}
r = requests.post(url, files=my_img) 
print(r.json())  

The result of the command can be:

{'message': 'Secret Message', 'status': 'sucess'}

I am planning to extend the API by adding more use-cases and documentation, but if you are free to start using it right away.

If you have any questions about it or it seems down, contact me via Twitter – @bogomep

A practical use

You could read all of your images from your blog and via the API to check whether they contain a secret message or not or to check for hidden traces of your last Instagram image.

If you are looking for a picture with a secret message inside – why don’t you test this one:

Involve your team members when you do your threat modeling.

Most of the companies I worked for or know about have a bizarre threat modeling process. They count on the architect or the most knowledgeable person to do the threat modeling. It’s defined as a one-person job!

If your goal is to do it, because it’s one of the required artifacts for your service to go in production or any other stage, it may be the right approach. But this is no threat modeling; it’s a false sense of security. You call for harmful attempts against your system because you put all the eggs in one basket. 

It’s the exact opposite of the goal of a threat modeling session.

Involve your team members when you do your threat modeling.

Every person in your team has a unique perspective and a way of thinking about possible threats against any system. 

Every person has a different experience compared to the others. 

Every person has different emotions and morale. 

All of those qualities play a critical role in the threat modeling process.

Let me give you an example:

I started a fun and useful exercise, explaining the threat modeling goal by bringing people together in front of a virtual whiteboard and doing a threat modeling against a beer tap infrastructure. 

The challenge

We have a yard with a few doors to enter it. We also have the beer tap, a pressure system, key storage, and some power controls. We have two boundaries to protect.

The team members were encouraged to “go wild” and think just for 7 min about all possible threats they see against the infrastructure individually. 

Then I asked them to put virtual “sticky” notes near the components that could be threatened and discuss the findings as a team.

I did that with six groups from different geo-locations, and every time, I received different results. 90% of the threats were common, but 10% of them differed from group to group. This is how you make your modeling better.

To compare, I asked a few people to do this exercise alone for the same time, and the difference I saw was that the wisdom of the crowd identified with 40% more threats than a single individual. If this is not hard proof, which is it?

Involve your team members when you do your threat modeling. It’s the first step into your journey towards creating a bit more secure products.