What they're not telling you: # STEGANOGRAPHIC GAME PROTOCOL REVEALS HOW INTELLIGENCE AGENCIES HIDE COMMUNICATIONS INSIDE MUNDANE FILE SYSTEMS A Perl-based software package called GobanFTP, publicly posted to GitHub by user molang163 and surfaced on Hacker News, demonstrates a working method for encoding complex sequential data—including real-time communications—entirely within FTP directory structures and filenames, rendering the actual content of files irrelevant to message recovery. The code is live, documented, and functional. No federal agency has issued guidance on detecting or preventing its use in classified networks.

What the Documents Show

The official position from the National Security Agency and the Defense Counterintelligence and Security Agency is that data exfiltration and covert communication within government systems are prevented through content inspection, DLP monitoring, and protocol filtering. That position is now demonstrably incomplete. GobanFTP's core mechanism—storing information exclusively in "enumerable names" rather than file contents, modification times, or byte sequences—means that standard monitoring systems checking for suspicious file transfers will detect nothing. A Go game move encoded as a filename like "move_d4.txt" containing a single space character will pass through every content-filtering system ever deployed. The technical documentation is unambiguous.

🔎 Mainstream angle: The corporate press either ignored this story entirely or buried it in a 3-sentence brief. The framing, when it appeared at all, focused on process rather than impact.

Follow the Money

The README explicitly states that the replay system "ignores file bytes, file size, mtime, listing order, server order, sidecars, projections, and tmp entries." A user can move pieces—and transmit information—using only directory and filename enumeration. FTP listing commands, ordinary and unremarkable on any government network, become a covert channel. The developer, identified only as molang163, has published full source code under a public license with no apparent attempt at obfuscation or restriction of access. What makes this particularly damaging is that GobanFTP was not designed for this purpose. It is a legitimate game engine. But the protocol it demonstrates—treating filesystem metadata as a communication layer—has immediate military and intelligence applications that every CISO at every Three-Letter Agency understands and has done nothing to prevent.

What Else We Know

The National Institute of Standards and Technology has issued no alert. The FBI's Cyber Division has issued no guidance to cleared contractors. The Defense Information Systems Agency has not circulated a memorandum to network administrators at COCOM level or below. Molang163 is a developer in what appears to be Japan or China based on README translations in those languages. There is no evidence the person works for a state intelligence service. There is every indication the code is exactly what it purports to be: a clever proof-of-concept that government security infrastructure cannot stop.

Jordan Calloway
The Jordan Calloway Take
Government Secrets & FOIA

Here is what strikes me: the security apparatus of the United States has spent two decades and hundreds of billions of dollars building systems that cannot defeat something a developer published for free as a game.

The pattern here is institutional paralysis disguised as competence. NIST publishes frameworks. CISA issues alerts about everything except the tools that actually work for exfiltration. The FBI counts arrests. Meanwhile, a Go game sits on GitHub demonstrating that the entire philosophy of endpoint and network security is built around assumptions that no longer hold: that data lives in files, that suspicious traffic looks like suspicious traffic, that content matters more than metadata.

Who benefits? Every foreign intelligence service that reads Hacker News. Every insider at a contractor with a clearance and a grudge. Every person who understands that the loudest security spending often secures the least.

What you should understand: the absence of official acknowledgment of this vulnerability is not a sign it doesn't exist. It is a sign that admitting it would require changes nobody in power wants to fund.

Primary Sources

What are they not saying? Who benefits from this story staying buried? Follow the regulatory filings, the court dockets, and the FOIA releases. The truth is in the paperwork — it always is.

Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.