Yahoo mail blocked me from sending a program I wrote, what can I do?

[sysprog]

Is now the time to point out that if the program were mailed on Saturday the recipient would be getting it around now? Sometimes low tech is best.

I think that having a way to email files without the email provider snooping their contents and blocking the ones deemed to be possibly dangerous is useful.

USPS small package service is not an acceptable substitute for being able to send program files via email.

Back when I could just rename .zip or .exe file extensions, e.g. to .zip.dat or .exe.remove-this-extension and send them, I didn't mind gmail blocking files the extensions of which rendered them executable, but I think that if a recipient has to manually rename a file at the extension level (and go past the usability warning prompt for doing that) to get it to be executable or otherwise potentially dangerous, that's a sufficient safety mechanism against inadvertent or casual opening of a harmful email-attached file.

 

[pbuk]

You could use http://www.nirsoft.net/utils/xorfiles.html
It XORs two files, saving the result in a third file. For the second file, you can use any file of a non-blocked type, and of a length that is equal to or greater than that of the .exe file, e.g. a .jpg file.
...
Your recipient will then have a copy of your program.exe file.

That's only going to work if the munged .jpg file still parses as a .jpg otherwise any intelligent malware filter is going to see what you are trying to do.

The only way I know of to reliably send arbitrary binary files via email is by manually converting to and from hex at each end and sending as a text file.

But nobody sends exe files by email anyway, there are many ways you can put this on t'internet for downloading via either a protected or public link: OneDrive, Dropbox, attached to a Wordpress.org blog, GitHub releases...

 

[Vanadium 50]

USPS small package service is not an acceptable substitute for being able to send program files via email.

I was actually thinking first class mail. The point is to get some code to the guy's grandson. And we're talking about jpeg steganography?

 

[jedishrfu]

Is now the time to point out that if the program were mailed on Saturday the recipient would be getting it around now? Sometimes low tech is best.

There is a great story about TIme magazine shipping their content back and forth via courier to Hong Kong and New York for their Far East edition using a disk pack in the 1970's. A disk pack was a portable (it had a handle) magnetic storage device that weighed 10 lbs rather like a USB stick today.

Mgmt decided to speed up the process by using a satellite connection. However, the slow speed and error correction took more time than it did to just fly the courier to Hong Kong and back weekly and so they reluctantly reinstated the courier for a few more years.

 

[sysprog]

That's only going to work if the munged .jpg file still parses as a .jpg otherwise any intelligent malware filter is going to see what you are trying to do.

I just tried it and it worked $-$ I ran the procedure on everything.exe (a lightweight and fast directory search utility available at https://www.voidtools.com/downloads/ $-$ I use the portable version) with a pdf as the mask file and the destination file with a .dat extension. The filters look for 'signature' byte patterns to detect known possibly-dangerous file types; they don't reject 'bit soup' files.

The only way I know of to reliably send arbitrary binary files via email is by manually converting to and from hex at each end and sending as a text file.

That would work, but it's not the only way. You can use base64 encoding, for example, and the method decribed in my post #28 works fine.

But nobody sends exe files by email anyway, there are many ways you can put this on t'internet for downloading via either a protected or public link: OneDrive, Dropbox, attached to a Wordpress.org blog, GitHub releases...

I send .exe files now and then. For any non-third-party file, including .exe files, I normally would rather send an attachment than a link. I use google drive only when a file is too large for gmail or the number of recipients is more than a few.

 

[sysprog]

I was actually thinking first class mail. The point is to get some code to the guy's grandson. And we're talking about jpeg steganography?

USPS small package service is a 'species' of first-class mail $--$
from https://www.usps.com/ship/mail-shipping-services.htm:

First-Class Mail® is an affordable mail service for standard-sized, single-piece envelopes weighing up to 3.5 oz and large envelopes and small packages weighing up to 13 oz with delivery in 3 business days or less.​

​

(emphasis added)​

The method is not steganography; it's simply XOR masking -- if a .jpg file is used as the mask, it's sent without alteration. The .exe file is XORed against the mask file (of the same or greater length), and the resulting data file is sent along with the mask. Then at the receiving end, the data file is XORed against the mask file, and the result is the .exe file.

The method is the same as that used for a one-time pad cipher, except that it sends the mask file with the data file instead of by separate transmission, the mask doesn't have to be random, and it can be used more than once $-$ the goal here isn't imperviousness to cryptanalysis; it's getting past a filter by eliminating the characteristic patterns that the filter searches for.

For real one-time pad security, you could use two DVDs filled with identical random data, send one to your correspondent, and then send XOR-masked data files, each with an offset number for how far into the DVD was up next for use as a mask. Then a script could copy bytes from the DVD, beginning at the current offset, and running the length of the data file. The new offset for the next file to be sent, in either direction, would be the offset just used plus the length of the data file just sent. With a standard 4.6GB DVD, that would allow for 460 program or other files of 10MB length each, or a lot of smaller files.

 

[jedishrfu]

Perhaps we should be looking at google drive file sharing now. We wouldn't want to hide the data from the feds (who likely know about XOR masking already).

 

[sysprog]

Perhaps we should be looking at google drive file sharing now. We wouldn't want to hide the data from the feds (who likely know about XOR masking already).

The method described in my post #28 here is not secure against government cryptanalysis, and there are difficulties in practical implemention of genuine one-time pad cryptography, not the least of which is rapid and reliable generation of 'truly random' data.

 

[Vanadium 50]

The method described in my post #28 here is not secure against government cryptanalysis

It's OK. He's sending something to his grandson. It doesn't need to be secure against major world governments.

 

[berkeman]

I got an e-mail from a foreign government official (I'm not at liberty to say which country) requesting that I temporarily lock this thread for Moderation...

 

[PeterDonis]

I am sure people send .exe by email, or else how can programmers work at home!

You must be joking. The usual way of sharing source code is by distributed version control systems such as git. The usual way of sharing executables is by providing them via properly secured download links or packages shipped with operating systems. Nobody shares code or executables by email.

 

[berkeman]

You must be joking. The usual way of sharing source code is by distributed version control systems such as git. The usual way of sharing executables is by providing them via properly secured download links or packages shipped with operating systems. Nobody shares code or executables by email.

Well, to be fair. We used to do this all the time 5-10+ years ago in my company. But with more strict (and justified) security measures in place, we no longer can do that, so we use OneDrive or our internal servers, etc. to do it as I've already posted in this thread.

 

[jedishrfu]

As @berkeman has said in a prior post, it’s time to close off this thread. We have explored the breadth and depth of the problem and find that once we have over engineered our answers. We have given the OP multiple avenues to try out while his grandson is anxiously awaiting its arrival by email or snail mail.

As @PeterDonis has intimated professionals use professional methods while the rest of us use whatever works. Oh how times have changed in the software world from simple file backups to SCCS, RCS, CVS, SVN, and now GIT. For my own projects, I tend to use Google Drive for large zip files and email for scripts. I’ve not had a need to develop exe files in a long time But would likely use the drive approach to bypass the email block. The drive approach allows me to change the file while keeping the email reference intact.

Thank you all for contributing here and without further ado will close this thread forever.