A Cryptic Education – Substitution and Steganography

As part of the digital technology curriculum, I’ve been tweaking  and testing some lessons on cryptography with my year 9 STEM ICT specialist class.

As an opener, we considered a scenario in which one needed to get a secret message to a friend but couldn’t use the now traditional suite of electronic methods available in the average teenager’s tool belt (perhaps their parents are aggressively monitoring their device use?).

The method had to be very low tech – a handwritten note passed through an intermediary.1

What if, I suggested, the intermediary 2 reads the note and then tells your parents or other people?

Students at this point very reasonably suggested that you hand-deliver the note yourself or, you know, just talk to the person, but I either offered believable excuses or hand-waved them off (depending who you ask).

Suggestions to circumvent Eve’s potential treachery included writing the message in another language, the ol’ lemon juice and fire trick, using the ASCII number representation of each letter 3 and… murder.

I’m reasonably sure the last suggestion was tongue-in-cheek, but I’m watching that particular student a little more closely now.

This is the second time I’ve covered crypto with students around this age and I’m always surprised at how rare it is to find a student familiar with substitution ciphers (commonly Caesar). I guess it’s not a popular option for primary – but it does afford me the a chance to get my students constructing their own cipher tools.

We move on from this to more philosophical ground (with one eye on my assassin student) as I pose the question: “Should we have a right to privacy?”

I’m heartened that after a few minutes conversation, students generally reach a consensus that, yes, people should be able to keep their information private if they wish – no secret fascists here.

To make everyone just a little bit uncomfortable I also force the students to confront the following:

  • If you aren’t doing anything wrong, why should you be able to hide what you do from the government?
  • Now we all agree that privacy is vitally important, how do you personally keep your own data safe?
  • Who knows what websites you visit?

I ask these because I feel it’s necessary to confront three important (in very different ways) concepts.

Where do we draw the line on what should be private?

Students generally fall somewhere in the middle of the spectrum from “Our glorious government intelligence agencies should know everything we think and do” through to “You kent trust the gub’mint! We gots to keep our precious datas safe from EVERONE!”

Which is also heartening, I guess. But they’re ultimately left with the uneasy feeling that there isn’t an easy answer to the question of how we (or our authorities) decide it’s okay to spy on a person’s private communication and the mechanism for doing so.

What action are you taking to keep your data/communication private?

None, that’s what.

Or at least, that’s what the average year 9 decides. They’re a little alarmed to realise that they don’t really think about it.

Who knows what websites you visit?

Students confidently assert that they just use incognito mode or delete their history if they wish to keep their browsing secret.

I point out that their ISP knows everything they do (with timestamps!) unless they first use a tunnel or VPN.

Also, any time they use a gated Internet connection – like the school – the IT staff can summon their browsing history at will.

Some students reconsider their life choices.

Back on track – Steganography

Now that my class has indulged my diversion, we get back on track. I mention that hiding messages – ala the lemon juice, and even arguably using another language – is considered steganography. In steganography, your message is only really secret if the method by which you hid it is kept secret too – if someone knows to look for something hidden, they’ll probably find it. One bright spark suggests writing an innocuous message and then putting the secret, inflammatory message in lemon on top, which is admittedly pretty clever. 4

(I don’t use the word obfuscate even though I want to because we just don’t have time to add it to our vocab list – but I think I regret that now. I’m a little tickled by the idea of my ex students wandering around, whipping out five dollar words they learned in ICT.)

We consider the idea of mirror writing – as that’s often trotted out as an example of keeping writing secret in the context of Leonardo da Vinci.

I’m pleased to note that a few students conclude that Leo probably didn’t use mirror writing to keep his work hidden, based on the fact that it’s not that hard to read backwards writing. A few hardened hold-outs insist that it would stop the average interloper casually reading over his shoulder, which is a fair assessment, but even they grudgingly give way when I point out that most people in his time were illiterate anyway, and he was (crucially) left-handed. We decide for now that his mirror writing was probably more for convenience than an effort to maintain secrecy. 5

As a final nail in the coffin of the effectiveness of mirror writing as a tool of secrecy, I display the following slide, with the commentary that it is actually pretty challenging to read mirror text fluently:


Taylor Swift lyrics, but backwards

This exercise is pretty mundane in and of itself, but in a class of competitive over-achievers, it is a thing of beauty.

All the students spontaneously and simultaneously break forth in a halting reading chant, reminiscent of early years primary students:


I secretly wish for someone important to barge into the room at this point and do a double take at our high-flying yet somehow remedial level reading students.

The competitive chant falls apart around 2/3 of the way through as a sufficiently large number of students realise I’ve tricked them into reading Taylor Swift lyrics under (somewhat) false pretences.

And with this, we’re pretty much out of time.

There’s an opportunity to recap concepts (privacy, hiding messages) before we’re done.

And after a whole lesson on cryptography, we haven’t actually covered any cryptography.

Boring ed stuff: LI 6 SC 7
Looking for a link to the slides? You can find it here.

Official RPi Touch Display – GPIO damaged by improper wiring

Some of my students have access to hardware for their projects and experiments, including various Raspberry Pi-s and alternative 1 operating systems and accessories.

Unfortunately, given the way the Pi interacts with HATs 2 and other similar devices via GPIO 3 pins, there is always the possibility that 5V will go where it shouldn’t and damage will be done.

In the case of the official Raspberry Pi Touchscreen Display, the device can be wired up to either receive or provide power to the Pi via jumper cables through the GPIO pins or provide power to the Pi via an included USB A port in the more “traditional” way.


When it comes to hobbyist hardware (and software!) there is an impetus to err on the side of giving the user as many options as possible.

When it comes to custom wiring, I think Murphy’s Law 4 should take precedence over hobbyist convenience. In other words, don’t even give us the option to power it via a method that will release magic smoke if done wrong.

There is some value in allowing users to power the Pi using the pins – and indeed this appears to be encouraged, as the enclosure that ships with the display only provides access to the Pi usb port.

At any rate, multiple options are available and inevitably, one of my students has configured one of the options that puts power where power should not go. As a result, neither the Pi nor the display are giving me any joy now when wired correctly.

It would seem that the Pi is beyond redemption – there is no display via HDMI and the SD card reader is unable to read cards.

The display is a happier story – there is no possibility to push power to or from it via the pins, but it seems perfectly happy to power on and pass power through via the USB port.

So just a quick note to anyone in a similar position – try your “dead” display with another (known working) Pi using the USB ports to provide power to both and you might find the display still has life yet.

Domain Specific Vocabulary and the Up Goer Five

If you’re not familiar with the “Up Goer Five”, it’s Randall Munroe‘s schematic of the Saturn V rocket annotated using only the ten hundred 1 most commonly used English words.

(I will not embed it in this post, because it’s HUGE, but feel free to click this here link to see it)

The Up Goer Five spawned Munroe’s book, Thing Explainer, which is an excellent resource for puzzling 2 the hell out of students who’ve been studying the topics covered.

Flipping through Thing Explainer got me thinking about how being forced to explain things in absurdly simple terms both often resulted in a more direct and exact description of a component and also (I imagine) challenged the author to avoid the use of domain specific language 3 and consider what, exactly, that vocabulary really means.

Ever since the existence of this text editor, I’ve been keen to throw my students up against the Thing Explainer to force them to really think about what special vocabulary and concepts actually mean – unavoidable if your explanation is to have any real value.

Is there any educational value to this exercise?

I don’t know for sure. But I can think of a few ways in which this might be beneficial:

  • Domain specific knowledge is tested
  • A deeper understanding of the concept
  • Develops the use of literacy skills

Let’s look at how I think the above benefits can be attained.

Tests Domain Specific Knowledge

Students (and teachers!) can become very good at using the right technical language to describe concepts they either don’t understand well or flat out don’t “get” at all. This particularly applies to students who are good at rote learning definitions of things.

Often this regurgitation technique is good enough to get some or all marks for an exam question, but if you don’t understand foundational concepts, you can’t build on those for more advanced concepts.

Removing the use of domain specific language takes away the ability to fudge your answers – in order to explain advanced concepts, the student needs to also explain all the concepts that make it up 4.

Develops a Deeper Understanding

“Rewording” existing texts is a skill, and it’s one that students generally seem to hate practicing. Rewording using a limited vocabulary actually scaffolds this task – instead of pulling out a thesaurus and substituting vocabulary, students are forced to consider re-explaining the concepts in new ways.

Explaining things in genuinely new ways is (as any teacher would know), one of the best ways to deepen one’s understanding of a topic.

Develops Literacy

Wouldn’t simple language be a poor way to develop literacy?

I would suggest that, no, in fact it should improve students’ literacy by forcing the remapping of more complex and domain specific terms into the simpler language that defines that vocabulary.

Examples and Problems

My example for students was as follows:

A box with a round part inside. Bits of the round part can be turned on or off to remember things. When the power goes off, the round part still remembers. An arm can look at the round part and see the bits that are on and off.
Finding or changing the on and off bits on the round part takes a long time.

We’ve been looking at computer hardware for part of this first term and so they were familiar enough with hard drives to be able to correctly identify the component for that description.

I’ll admit I cheated a little here – the use of the word “bit” can be read both as a colloquialism and in its domain specific form 5. In my original explanation, I reversed the use of “part” and “bit” to deliberately avoid this, but ended up switching them back to avoid confusion.

Instead of the usual technical language describing spinning platters and reading heads and so on, we get to the nub of the issue: a hard drive is for long term storage (remembering) and it’s relatively slow. To differentiate it from other forms of secondary storage we look at some implementation terms (platters are round and an arm with a head is used to read them).

Certainly there are limitations here – it might be nice to be able to use concepts like “magnetism” to really hammer home the physical representation of binary data – but it forces a student who has learned the rote definition of hard drive (“secondary storage that uses magnetic fields to blah blah blah”) to actually consider what a hard drive really is.

Let’s have a look at some student examples:

1.A group of memory that mirrors it self on to another group of memory to keep a back up of what is stored on it.

2. A group of memory that puts half of what is known onto another group memory

We’re describing the concept of RAID – certainly level 1 first up and possibly level 0 second, although in this case I would send it back for further clarification.

1.the pretending of another computer that is run on another thing. It can be used to use the computer from another place.

2.the storing of stuff in many different places so that stuff can’t be lost, and it is easy to get.

3.the same way that a computer is made to be used in work, this means a place for work can have an even and matching thing for use for people.

The first item in this list is a beautiful example of what can be produced using Thing Explainer vocabulary – we’ve avoided all use of the term “simulation” or “virtualisation” to explain what virtual machines are.

As we get towards the bottom of the list, we run into the frustrations or limitations that some students encounter when trying this for the first time – the temptation to overuse words such as “stuff” (when explaining data in cloud storage) or to become fixated on a particular aspect of a concept (when explaining a standard operating environment) can cause an explanation to miss its mark.

When lots of stuff is put into a place so that if the stuff goes away then the stuff can be gotten again.

Despite the overuse of “stuff” in this one, all it really needs is a little context to help clarify that we’re referring to a backup of data.

Worth Pursuing?

All in all, I’m pleased with the results thus far. Students were satisfied with my justification of the activity and quickly saw the value in using this as a revision technique.

Would this work for younger students? I’m not sure, but the opportunity should present itself in the near future.

Command Line History Search in Ubuntu Desktop

Just a quick note: I usually use server only Linux installs, but I’ve been trying out deb based desktops lately.

Ubuntu desktop doesn’t seem to honour the .inputrc file in the home directory – I usually use this to allow command line history searching:

"\e[A": history-search-background
"\e[B": history-search-forward

With my server installs, that’ll let you use the up and down arrows to go back and forth through your history as usual, but if you start to type a command it’ll only go through the commands in your history that match what you’ve typed so far.

I find this behaviour to be really intuitive, to the point that it’s frustrating to use terminals without it.

It took some experimenting to find the solution, but in Ubuntu Desktop, the right file to edit is .bashrc and the lines are a little different – explicitly binding the functionality of the keys:

bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'

Ah – such a relief to have this working again in all my terminals!

ISPConfig & Let’s Encrypt

The guys at ISPConfig do good work – although it can sometimes get in the way of my own server configuration, the vast majority of the time it saves a huge amount of effort on what would otherwise be mundane and routine tasks.

With FOSS solutions like this though, “must-have” features don’t always come quickly – CPanel implemented Let’s Encrypt functionality very early on, but ISPConfig users had to wait 6 months (which is pretty fast considering the circumstances).

I needed a solution immediately though, which is why I rolled this (reasonably awful) automation to integrate.

The solution has worked well enough for the past 12 months or so (although implementation on slave servers wasn’t easy or pretty), but I figured it was time to upgrade to ISPConfig 3.1 – with built-in Let’s Encrypt support.

It’s almost always best to stick with the native solution rather than a third party one (particularly when the third party one is developed by a time-poor hacker), and that rule largely applies here. Continue Reading…

Python: The value of “with”

I never learned to code with Python; my first forays into development were with batch files (I kid you not) and then Visual Basic (which taught me many things I spent years unlearning).

Python is, in many respects, a great language for learners (which I’m not going to discuss today).

There is however, a great deal of… less than intuitive show-off code that can be, nay is encouraged to be, written using the language. Solutions are deemed to be “Pythonic”, a term as nebulous as “elegant” and often resulting in code just as unreadable to the casual observer or Python learner.

In some respects, this is about reducing the number of lines written – something fraught with peril for someone new to coding.

But there is a seductive element to Pythonic solutions – they don’t require you to twist yourself up in lines of boilerplate just to overcome a (often commonly encountered) problem.

The “with” keyword is not especially unique to Python, but is actively encouraged, and with good reason. This is one case where fewer lines is definitely better. Continue Reading…

SSH & HTTPS on the same port: Surprisingly easy

If you’re stuck behind a school or university firewall, you’ll often find that they’re unreasonably restrictive (as a user – as an administrator, well actually, most of the admins probably think it’s a bit over the top too, given it really doesn’t stop much untoward behaviour for the inconvenience caused).

As long as you want web traffic to sites that haven’t been blacklisted or have restricted keywords in the URL (sigh), you’ll be fine. But if, for example, you need SSH access to a *nix server offsite, you’re stuck using various web based SSH console solutions.

As always, there are a variety of ways around it: some more complex than others. But a good place to start is the fact that most corporate firewalls are not only unreasonably restrictive – they’re also lazy.

Port 443 is used for secure web traffic, and the firewall can’t really do much to inspect the back-and-forth through that port (you know, by design), so in many cases, they just let traffic through without even bothering to check that it’s actually HTTPS.

I mean, really. If someone is trying to get access through port 22, they can probably figure out how to achieve the same end through 443 (this post, case-in-point).

Enter the demultiplexers – software tools to simply listen on 443 and direct SSH traffic to sshd and HTTPS traffic to httpd (the two kinds of traffic are trivially and flawlessly distinguishable).

Continue Reading…

Hosted Exchange – Auto-forwarding to external domains

A Very Sensible policy, enforced by default in Exchange Server is to ignore rules automatically forwarding mail to external domains.

It’s fairly easy to see why this is, in fact, Very Sensible:
Your organisation assigned email addresses to people who have agreed to be bound by its policies (right?) – allowing auto-forwarding to any address outside that domain risks you being responsible for a breach of confidence.

I’m all for having the “secure” option be the default and for discouraging or preventing users from breaking that security in the name of convenience.

But there are times when other, less sensible policies are in place that I feel the users should have recourse to implement workarounds. One such policy might be (for example), having an email quota set to (purely hypothetically), 100MB.

This is ample space for email in 1997. This is hilariously limited space in 2016. Continue Reading…

Android – Location Based Reminders

Just a quick one:

I’ve had issues with Google Now’s reminders since I first owned a Nexus 4 (a few years back) and the issue persists with my Nexus 5X. The trouble is in having reminders trigger at a particular location, rather than a particular time.

For example, if I know I need to pick something up next time I visit my in-laws, but don’t know when I’ll next be at their house, I can set a reminder and select “place” instead of time. In theory, entering their address is all that is needed to make it work.


This image was stolen wholesale from this article: http://www.makeuseof.com/tag/8-amazing-life-improving-uses-google-now-reminders/

In practice… nothing. Just… nothing. Continue Reading…