
Entweet: Securing Twitter - Lukasa
https://github.com/Lukasa/entweet
======
FiloSottile
For the curious and lazy: it works by rendering the signed message to an image
and tweeting that [2].

Then it relies on the fixed grid [0] and font to do a "poor man's OCR" [1]
when decoding.

[0] [http://git.io/vIWll](http://git.io/vIWll)

[1] [http://git.io/vIWln](http://git.io/vIWln)

[2] [https://twitter.com/Lukasaoz/status/607632001210925056](https://twitter.com/Lukasaoz/status/607632001210925056)

~~~
Lukasa
Entirely accurate!

The interesting thing about the poor man's OCR is that it works way better
than out-of-the-box OCR tools. They're all built around handling arbitrary,
often quite noisy input, so their handling of 1s and ls in this data is often
not great.

Doing the cheap OCR works really well because we can overfit our data: we know
the font, we know the grid, and we know the orientation, so our problem is way
simpler than generic OCR.
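
The fixed-grid decoding described in the comment above, as an added example that is not part of the thread and is not entweet's code. The 3x5 glyphs, the cell size and the bounded-noise stand-in for recompression are all constructed for illustration.

```python
import random

# Constructed 3x5 glyphs (1 = ink), not entweet's real font. "1" and "l" differ in 3 pixels.
GLYPHS = {
    "1": ["010", "110", "010", "010", "111"],
    "l": ["010", "010", "010", "010", "010"],
    "0": ["111", "101", "101", "101", "111"],
    "O": ["010", "101", "101", "101", "010"],
    "A": ["010", "101", "111", "101", "101"],
    "b": ["100", "100", "110", "101", "110"],
}
W, H = 3, 5  # fixed cell size: the decoder knows the grid in advance


def render(text, cols):
    """Draw text onto a fixed grid; returns rows of 0..255 grey values (255 = ink)."""
    rows = -(-len(text) // cols)  # ceiling division
    img = [[0] * (cols * W) for _ in range(rows * H)]
    for i, ch in enumerate(text):
        top, left = (i // cols) * H, (i % cols) * W
        for y, line in enumerate(GLYPHS[ch]):
            for x, bit in enumerate(line):
                img[top + y][left + x] = 255 * int(bit)
    return img


def recompress(img, amplitude, seed=0):
    """Stand-in for lossy re-encoding: bounded per-pixel noise (an assumption)."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + rng.randint(-amplitude, amplitude))) for p in row]
            for row in img]


def decode(img, cols, length):
    """Per cell, pick the known glyph with the smallest squared pixel distance."""
    out = []
    for i in range(length):
        top, left = (i // cols) * H, (i % cols) * W
        def dist(ch):
            return sum((img[top + y][left + x] - 255 * int(bit)) ** 2
                       for y, line in enumerate(GLYPHS[ch])
                       for x, bit in enumerate(line))
        out.append(min(GLYPHS, key=dist))
    return "".join(out)
```

As long as each pixel moves by less than half the ink/background range, the correct glyph is always the nearest template, even though the raw pixel values no longer match what was rendered.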

------
johnrob
Why not use the pixel values themselves to encode the data? Each pixel's RGB
can encode three characters (one for each byte value). The resulting image
would be much smaller.

(Not sure how Twitter might alter the image though, which would corrupt the
data).

~~~
Lukasa
Twitter re-compresses the image, sadly, so that doesn't work.

As I said elsewhere, there are other options, like QR codes or high capacity
colour barcodes, but those aren't funny.

------
untog
Not knowing much about the encryption used, would it end up using extra
characters over a normal tweet?

~~~
dewey
No, it's just taking up the space used to post an image. Here's an example
tweet:

[https://twitter.com/shazow/status/605748307688890368](https://twitter.com/shazow/status/605748307688890368)

~~~
untog
Huh. Surely there's a better way to do that than post text in an image? Even
just using pixels to encode the text.

~~~
dewey
I don't think it's a serious suggestion. It's just a fun hack.

~~~
untog
Oh I know. But I can still want hacks to make the most efficient use of space
:)

~~~
Lukasa
So you can't do a direct 1-to-1 mapping of pixels to bytes, because Twitter
re-compresses the image. You cannot rely on the binary representation of the
image to make that work.

However, there are plenty of other, less funny, options, like QR codes or High
Capacity Colour Barcodes.

------
shockzzz
Hah! Twitter for Enterprise, Bizniz, and Secrets!

Revolt and rejoice!

But... if this relies on a fixed-ish protocol (fixed grid & font), can't The Man
Upstairs censor it just as easily?

~~~
Lukasa
Yes.

Remember, signing/encryption do not ensure that you can communicate, only that
_if_ you communicate you can do so with integrity, authenticity, and privacy.
The same limitation applies here, with the added bonus of this particular
method being _totally stupid_.

------
higherpurpose
Twitter wanted to do end-to-end encrypted DMs once, until it gave up on the
project with no explanation:

[http://www.theverge.com/2014/3/19/5523656/twitter-gives-up-o...](http://www.theverge.com/2014/3/19/5523656/twitter-gives-up-on-encrypting-direct-messages-at-least-for-now)

------
7ewis
Could someone explain like I'm 5 how this works?

Is it just standard public/private key?

~~~
dewey
Yes, just like regular encrypted email would work.

Instead of sending the encrypted text, this script is rendering an image (just
like the screenshot of an encrypted email) and posting that. The other party
is just running OCR on that image (just like regular scanner software would
do) to convert the text visible in the posted image back to text, which will be
decrypted and displayed to the user.

------
AndrewDMcG
LOL at "GPG is famously easy to use"

------
flockonus
_inconvenient_ cannot be stressed enough

------
nchelluri
It seems that companion browser extensions should be first on the TODO list.

