In case anyone wants to create a similar reminder for a specific image, a while ago I created a small utility that does just that: https://github.com/mhe/visualmoo

This is very cool, thanks for sharing!

Which is the classic illustration that ECB is _not_ indistinguishable from random, even to a casual observer.

I think "casual observer" and "shove deliberately patterned data through the system then render it so that I can see if the patterns show through" aren't the same thing.

In the Tux data maybe 03038F12128F0303 turns into 49DC195026F3300A and that looks pretty random. It's only visible as the Tux image because every 03038F12128F0303 turns into 49DC195026F3300A, thus preserving the very bold overall pattern of the image.

If you shove a photograph of a kitten through it, that looks like noise, but Tux is made of these big bold shapes and so the resulting pattern is big enough to "show through" the ECB encryption.

You're basically implying that a casual observer would look at AES all by itself and then say things are good. And I think you're correct to imply that.

But that means that ECB isn't actually passing the smoke test, because the casual observer isn't analyzing AES+ECB. They're only analyzing AES.

These kinds of patterns are present in input data quite often - eg fixed headers, markup etc.

As usual, there’s even an xkcd on it: https://xkcd.com/1286/

I think when people say that a block cipher is indistinguishable from random they mean that for a given key k, the permutation 0 -> cipher(0, k), 1 -> cipher(1, k), ..., 2^n-1 -> cipher(2^n-1, k) where n is the block length in bits is indistinguishable from a random permutation of (0, 1, 2, ..., 2^n-1).

That’s an ok(ish) definition of indistinguishability for a block cipher, but not for a mode of operation like ECB.