lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: HPR Knowledge Base MCP Server

Browse Source 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Lee Hanken
2025-10-26 10:54:13 +00:00
commit 7c8efd2228
4494 changed files with 1705541 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
hpr_transcripts/hpr2707.txt Normal file
View File

@@ -0,0 +1,155 @@
Episode: 2707
Title: HPR2707: Steganalysis 101
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2707/hpr2707.mp3
Transcribed: 2025-10-19 07:52:47
---
This is HPR Episode 2777 entitled Teganalysis 101.
It is hosted by first-time post-Tegward Miro and is about 14 minutes long and carrying a clean flag.
The summary is Teganalysis is the process of identifying the premise and decrypting Teganography.
This episode of HPR is brought to you by archive.org.
Support universal access to all knowledge by heading over to archive.org forward slash donate.
Hello folks, K. Wisher here to remind you that it's that time of year again.
Time for the Hacker Public Radio New Year's Eve Show.
For those who don't know, on New Year's Eve December 31, 2018, at 10am UTC, that is 5am Eastern Standard Time,
we will have a recording going on the HPR Mumble Server for anyone to come on and say happy New Year and talk about whatever they want.
We will leave the recording going until January 1, 2019, 12am UTC, that will be 7am Eastern Standard Time, or until the conversation stops.
Please visit hackerpublicradio.org to find all the details and links about how to set up the PC Mumble client, your favorite mobile app, the mobile server connection details.
Our Etherpad show notes and the live audio stream if you only prefer to listen in on the lively banter.
So please stop and say hi and maybe join in the conversation with other HPR listeners and contributors. It's always a good time.
Thank you very much.
Hello and welcome to Hacker Public Radio. I'm Edward Miro and I've been a fan of HPR for a while now and really love its collaborative and random nature.
It's always been important for me to support the hacking community. I always take any opportunity to give back to this community who has given me so much throughout the years.
And I've always subscribed to the idea that the best way to learn something is by teaching and I hope to do a good job for you today.
This talk is on the mystical art of Stagenalysis, which is the process of identifying the presence of and decrypting, hopefully, Staganography.
Well, personally, I'm into hacking, but I'm not a professional hacker. Usually I call myself a hobbyist. I like CTFs or Capture the Flags, Crypto Challenges, Stuff like Vuln Hub or Over the Wire, things like that.
And I'll provide some links in the end if anyone is interested, but for those who aren't familiar with CTF or Capture the Flag, it's a kind of game that helps you get better at hacking.
These days, there are tons of VMs that are set up to be intentionally vulnerable to different techniques or attacks.
And you load the VM and pretend it's a server you want to attack and follow your standard hacking protocols.
Some are set up to be boot-to-root challenges where you win when you get root and some are set up with flags that you can find hidden throughout the target and there are worth various points.
And there are in-person and online CTFs, and they've gotten pretty popular with the National Cyber League, being a major competition.
Some are easy, some are really hard, and most have really good write-ups that can teach you so much about infosec, penetration testing, and actually let you practice the techniques in a relatively easy and legal way.
Or Stagnography comes into this discussion is that it's an element you sometimes see used in these kinds of challenges I mentioned previously, and also in alternate reality games, online recruitment challenges by national agencies, big tech companies, militaries.
They are even used in the real world, that's being auditioned, intelligence work, or super spooky secret challenges like Chicaida 3301, YouTube that if you want to be spooked out for sure.
Simply put Stagnography, and I'm pasting this straight out of Wikipedia, is the practice of concealing a file message image or video within another file message image or video.
Stagnography is used to hide secrets in plain sight.
It's a way to send a message without anyone detecting that a message is even being sent.
I'll give you more examples in the next section, but imagine a letter that has a secret written in invisible ink.
Excuse me. Only the sender and receiver should know about the invisible ink and any eavesdroppers should be none the wiser.
This simple example has been used by countless prisoners whose mail is routinely read and examined.
Terrorists and spies, the world over, also used Stagnography and are known to embed messages and images and post them online.
With how many image hosting sites there are, with millions of people posting to them, billions of images day in, day out, you can see why Stagnography can be such a challenge to combat.
Before I move on to some more specific examples, I want to stress again that I'm not an expert on cryptography or Stagnography, and while researching this for this podcast, it's overwhelmingly clear that you could spend your whole career focused on only Stagnography.
This talk is just the primer on the subject and only the tip of the iceberg.
Some examples of Stagnography that you might be familiar with actually goes back into antiquity with Roman soldiers having their head shaved and a message written on their head, maybe tattooed, and then sent to deliver the message and their hair grows back covering up the message.
If the enemy doesn't find the message, then they make it through and then hiding it in plain sight, using invisible ink, using knots tied into ropes at certain frequencies, like imagine Morse code, people hiding messages under the stamps on envelopes, using a mixed-type face, using a grill cipher,
which is where you think of the picture of a page of text and then someone holds a card over it with holes cut out in specific areas that when placed over the text only reveals certain letters and messages hidden within the larger text.
People have been known to send messages via newspaper classifies.
If you want to be able to communicate to a clandestine agent and you can't meet them in real life, you can write a newspaper classified ad with a title or a piece of text that only the agent would recognize and you could decide beforehand what words mean what.
And millions of people might see these classified ads and have no idea that their message is being sent back and forth.
These days with technology, now we have a lot of digital stagonyography and this is kind of what we're going to be focusing on, at least the stagony analysis portion of it, that is, using the noise or the metadata, the least common bit to hide information in images or sound files.
Commenting out text in a source code for an HTML document or any other type of code, if you were just to look at a website, you could hide a message in the code that's commented out that unless you viewed the code or viewed the source, which is a common technique that we use when we're playing CTF or trying to practice our hacking.
Always check the source code for things that are commented out, sometimes these are intentional stagonyography, sometimes accidental.
Using different color text, so you can imagine a website or a document and they just select a piece of text and change it to the white color and most people who browse and look at the document aren't going to think to do select all to look for hidden text that way.
And this goes on and on and on, and the possibilities for how the philosophy of stagonyography can be implemented in the real world.
So when we're doing our CTF or crypto challenges and we're presented with an image or a media file, well we're pretty sure well assured there's something in there, though not every image you find while doing a challenger CTF will utilize stagonyography, so you could possibly overanalyze.
Though, you know, we're assuming that we're doing a challenge, stagonyography is known, so you got to be careful.
I've known people who are really into alternate reality games and they spend hundreds of hours doing spectrographic analysis and for our purpose in the scope of this podcast, there should be some clue that stagonyography is being used.
The challenge then becomes how we direct our workflow as to not waste any time and be the most efficient and cracking that part of the puzzle.
And there are many stagotools out there and some of them are home brewed and unless the designer puts a clue into the challenge, you could spend hours trying different algorithms or tools.
And even if you do have stagonyography, there's no guarantee you're going to get anything out of it and if you don't know which tool is user or which process to decrypt.
And a lot of the tools that we'll be mentioning here in the next section rely on fingerprinting how known algorithms process data and this is not only a big problem for hackers like us with our CTFs and silly games, but even more so for governments who are charged with keeping us safe.
So if you're looking at possible stagonyography, you need to build a good workflow.
And I noticed a post on Reddit a few weeks ago with a user asking about image forensics.
And there was a comment posted that was so good.
I forwarded all my hacking friends and inspired me to do this podcast.
And I'm using the comment as a potential framework for my own personal work with images and stagonyography.
And it helped me to develop my own kind of protocol and I wanted to share it with you all.
And if anyone wants to expand on it or improve it, please do so.
And let me see the pool of the sky's name up here.
His username is Alex En, A-L-E-X-E-Y-A-N.
I asked him if it was cool if I shouted him out on here and used his comment and he was totally down.
So I just wanted to give him a shout out, pretty cool comments here.
So this is coming straight out of the post on Reddit.
And I thought about rewriting it, but it didn't seem necessary.
And I'll be given the authorful credit.
So I added a couple more tools on at the bottom and a few closing thoughts.
So here's what he says.
I'm not going to get into the tools very specifically.
Like I said, I'm going to be providing all the text through this.
So you can look into it and each tool has its own man page.
Or you guys are smart, you can Google it.
OK, so first, just look at the image.
And maybe it tells you something important.
Maybe there's something obvious.
Like I said, if this is part of a CTF or a crypto challenge, it's there for a reason.
Maybe it's something very obvious.
Like the context of the picture could be relevant.
Maybe there's something written in the background.
Who knows?
So don't look past that most obvious level.
Use BinWalk to check for other file type signatures in the image file.
Use the XIF tool to check for any interesting metadata.
Use stake solps, which through the layers look for abnormalities.
Maybe the flag is part of the least significant bit.
Or is some kind of QR code hidden in there.
Maybe there are random pixels that look strange in a certain layer.
That's a hint for Bitstago.
Use ZStack to automatically test the most common Bitstagos and sort by all the different results.
That one says here this one solves about 50% of all image-stago challenges.
And if the file is a PNG, you can check if the IDAT chunks are all correct and correctly ordered.
Check with the strings tools or parts of the flag.
If you found, for example, in quotes, CTF, squirrely bracket, whatever the nomenclature is for the flag,
see if that's in any other position.
So see what that is on any other chunks.
The harder ones can be a lot more tricky though.
JPEG co-efficiency manipulation, frequency analysis.
But usually those are frowned upon because they require a lot of guessing.
And if no hiding tools provided, you know.
Some of the other go-to tools that weren't mentioned that I like to look at, or at least, you know, have in my arsenal.
Stagdetect, the digital invisible ink tool kit. Stag secret.
I look investigator. That's one for law enforcement.
And one thing you need to remember is that detecting staganography is kind of hard work.
For the purposes of CTFs or staganography, they're going to be some pretty blatant clues as to what tools you're going to need.
If not, it's going to be one of these major ones.
And this workflow, I think, is really good.
So I'm going to start using it for any challenges that I do.
There are computer scientists who only do this.
Like, while we aren't at that level for the information being presented here,
it will require a lot of digging and trying different tools.
Hopefully following these steps will help identify the more common techniques in an easier way than just trial and error.
You know, when I first started working on these challenges, I would have an image or a file,
and I wouldn't know really where to start.
And finding this post really kind of helped me put together this checklist.
And I don't know about you guys, but I'm all about checklists.
And, you know, I thought I'd share this with you guys, because it helps me a lot.
One last thing I want to mention is that part of how I see detecting staganography in CTFs or crypto challenges,
is having a certain mindset.
And always looking at things in various layers.
I try to look at everything within the challenge as if there could be something right in front of my eyes.
I mentally flip through different layers and see the codes within the codes.
And I'm really good at finding patterns, which I'm sure most of you are as well,
if you're into this kind of stuff.
And, you know, it's important to find a good balance where you're not seeing patterns where they don't exist,
but you're also not missing obvious clues.
And remember, if you're playing an alternate reality game or a CTF or a crypto challenge,
generally speaking, the designers want you to play through the game.
They will leave clues if you need them.
They want the players to get to the end, so don't spend hours doing spectrographic analysis on,
you know, things that aren't obviously part of the challenge that you're working on.
Don't overthink things.
Well, that's all I've got for today.
I hope you enjoyed this podcast and got something useful out of it.
Like I said in the introduction, I'm Edward Miro.
Have fun, good luck, and have a good day.
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is.
Hacker Public Radio was founded by the digital dog pound and the Infonomicon Computer Club,
and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly,
leave a comment on the website or record a follow-up episode yourself.
On this otherwise status, today's show is released on the earth,
Creative Commons, Attribution, Share a Life, 3.0 license.